21 July 2023

Cyber Security Week In Review: July 21, 2023


Zero-days: Adobe ColdFusion, Zimbra, Citrix

Adobe released out-of-band security updates this week for ColdFusion versions 2023, 2021 and 2018 to address critical and moderate vulnerabilities that could lead to remote code execution and security feature bypass. The security update fixes three vulnerabilities (CVE-2023-38204, CVE-2023-38205, CVE-2023-38206), including a new ColdFusion zero-day flaw said to have been exploited by hackers.

Zimbra warned of a critical security issue affecting its collaboration software and email platform that is being actively exploited in real-world attacks. The vulnerability is a cross-site scripting (XSS) issue that allows a remote attacker to steal potentially sensitive information, change the appearance of the web page, perform phishing and drive-by-download attacks.

Citrix has also issued security updates to fix three flaws in its NetScaler ADC and NetScaler Gateway products, including a zero-day vulnerability actively exploited by hackers. Tracked as CVE-2023-3519, the zero-day is a code injection issue that can lead to remote code execution.

According to the US Cybersecurity and Infrastructure Security Agency (CISA), the Citrix zero-day has been exploited against a critical infrastructure organization. Threat actors exploited this vulnerability to drop a web shell on a non-production NetScaler ADC appliance. The web shell enabled the actors to perform discovery on the victim’s Active Directory (AD) and to collect and exfiltrate AD data.

Multiple DDoS botnets weaponize a recent Zyxel vulnerability

Fortinet says it observed several DDoS botnets targeting the recent Zyxel command injection vulnerability (CVE-2023-28771) to take over vulnerable systems. The list of botnets includes Mirai botnet variants such as Dark.IoT as well as a botnet known as Katana.

US adds two European spyware vendors to economic blacklist

The US Commerce Department’s Bureau of Industry and Security (BIS) has added two European commercial spyware manufacturers, Cytrox and Intellexa, to its economic trade blacklist, citing risks to US national security. The sanctioned entities include Hungary-based Cytrox Holdings Crt, North Macedonia-based Cytrox AD, Greece-based Intellexa S.A., and Ireland-based Intellexa Limited. This means that the companies are now under export and licensing restrictions and any American firm wanting to sell software to Cytrox or Intellexa will be required to obtain a license from BIS to do so.

FIN8 uses an updated backdoor to deploy BlackCat ransomware

A financially motivated cybercrime group known as FIN8 has been observed using an updated version of the Sardonic backdoor to deploy the BlackCat (ALPHV, Noberus) ransomware.

The group has been active since at least 2016 and is known for its attacks on organizations in the hospitality, retail, entertainment, insurance, technology, chemicals, and finance sectors. The threat actor leverages living-off-the-land tactics, making use of built-in tools and interfaces such as PowerShell and WMI, and abusing legitimate services to disguise its activity. Initial access to the targeted networks is usually achieved via spear-phishing and social engineering attacks.

VirusTotal leak exposes data of over 5K registered users

Google-owned malware-scanning platform VirusTotal has reportedly suffered a leak that exposed the names and email addresses of 5,600 of its registered users, including information about employees of US and German intelligence agencies.

The exposed information included accounts from the US Cyber Command, the FBI, the US National Security Agency, the German secret service, Dutch, Taiwanese, British, and Austrian government employees.

VirusTotal apologized for the incident and explained that the leak was the result of a human error and wasn’t caused by a cyberattack or vulnerability. According to the company, an employee accidentally uploaded a CSV file containing limited info on Premium account customers to the VirusTotal platform. The file was removed from the platform within one hour of its posting.

JumpCloud supply-chain attack linked to North Korean hackers

SentinelLabs researchers have linked a recent JumpCloud cyberattack to a known North Korean state-sponsored group. The attribution was made based on indicators of compromise shared by JumpCloud.

Separately, Reuters reported that the JumpCloud clients targeted by the hackers were cryptocurrency companies. Cybersecurity firm CrowdStrike identified the hacker group as Labyrinth Chollima (aka UNC4736) believed to be a Lazarus sub-group. This threat actor was previously linked to the March 3CX software supply chain attack.

GitHub warns customers of North Korean hacker attacks

Microsoft-owned GitHub has published an alert warning its customers about a low-volume social engineering campaign that targets the personal accounts of employees of technology firms. Many of the targeted accounts are said to be connected to the blockchain, cryptocurrency, or online gambling sectors. No GitHub or npm systems were compromised in this campaign, the company assured.

Microsoft has attributed these attacks to a previously unreported North Korea-based threat actor it tracks as Jade Sleet (CISA tracks the group as TraderTraitor). Jade Sleet mostly targets users associated with cryptocurrency and other blockchain-related organizations but also targets vendors used by those firms.

WyrmSpy and DragonEgg spyware attributed to Chinese espionage group APT41

Cybersecurity firm Lookout published a report linking the sophisticated Android surveillanceware known as WyrmSpy and DragonEgg to a Chinese threat actor known as APT41 (Double Dragon, BARIUM and Winnti).

Both tools come with sophisticated data collection and exfiltration capabilities and hide those functions in additional modules that are downloaded after they are installed. WyrmSpy primarily masquerades as a default operating system app, while DragonEgg pretends to be third-party keyboard or messaging apps.

The stealth strategies of Chinese APT groups

Google-owned Mandiant released a technical write-up highlighting Chinese threat groups’ attack methods, including the use of zero-days in security, networking, and virtualization software.

Microsoft shares more details on the Chinese Storm-0558 attack

Microsoft published technical details on a recently disclosed cyber-espionage campaign by a China-based threat actor it tracks as Storm-0558, in which the group breached email accounts belonging to around 25 organizations, including government agencies in Western Europe and the US, as well as a number of related individual consumer accounts.

The Wall Street Journal reported that the Chinese cyber-espionage campaign hacked the email account of the US ambassador to China Nicholas Burns.

Turla hackers target the defense sector in Ukraine and Eastern Europe

The Computer Emergency Response Team of Ukraine (CERT-UA) and Microsoft’s threat intelligence team warned of a new series of attacks by the Russia-linked threat actor Turla targeting the defense sector in Ukraine and Eastern Europe with the CapiBar (DeliveryCheck, Gameday) and Kazuar spyware.

CERT-UA also released a technical analysis of cyber-espionage attacks against Ukraine by the Kremlin-linked threat actor Gamaredon.

Ukraine dismantles massive bot farm spreading Russian propaganda

Ukrainian cyber police took down a massive bot farm that was used to disseminate pro-Russian disinformation about the war in Ukraine.

The farm operators used special equipment and software to create thousands of fake accounts on social media sites through which they spread Russian narratives, as well as unlawfully distributed the personal data of Ukrainians. The fake accounts were also used as part of online fraud schemes.

Scareware dev involved in large-scale fraud op arrested in Spain

The Spanish National Police arrested a Ukrainian national wanted internationally for over 10 years for his involvement in a large-scale scareware operation that took place from 2006 to 2011. The operation affected thousands of computers worldwide, causing more than $70 million in losses.

New BundleBot info stealer is spreading under the radar

Check Point Research (CPR) published an in-depth analysis of a new info stealer they dubbed ‘BundleBot.’ The malware abuses the .NET single-file bundle, a self-contained executable format that results in very low or no static detection. It is commonly distributed via Facebook Ads and compromised accounts leading to websites masquerading as regular program utilities, AI tools, and games.
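As an added example (not code from the Check Point report or from this post), the following Python routine shows how a triage script can tell whether an executable is a .NET single-file bundle at all, which is the first question to answer before pulling the embedded assemblies apart. The apphost stub carries a 32-byte marker, the SHA-256 of the string ".net core bundle"; the 8 bytes immediately before it hold the little-endian offset of the bundle header, which is zero in an ordinary apphost and non-zero in a bundle. The header starts with the bundle format version (two uint32) and the embedded-file count (int32), followed by a length-prefixed bundle ID. The sample input is a constructed byte blob, not a real PE and not a BundleBot sample; the format itself is legitimate, so a hit means "inspect the embedded files", not "malicious".

```python
import hashlib
import struct
from typing import Optional, Tuple

# Marker placed in the apphost by the .NET SDK: SHA-256(".net core bundle").
# The 8 bytes right before it are the bundle header offset (0 when not bundled).
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()


def find_bundle_header_offset(data: bytes) -> int:
    """Return the bundle header offset, or 0 if this is not a single-file bundle."""
    idx = data.find(BUNDLE_SIGNATURE)
    if idx < 8:
        return 0
    return struct.unpack_from("<q", data, idx - 8)[0]


def read_7bit_string(data: bytes, pos: int) -> Tuple[str, int]:
    """Read a BinaryWriter-style UTF-8 string with a 7-bit encoded length prefix."""
    length = 0
    shift = 0
    while True:
        b = data[pos]
        pos += 1
        length |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
    return data[pos:pos + length].decode("utf-8"), pos + length


def parse_bundle_header(data: bytes, offset: int) -> dict:
    """Parse the fixed header: major/minor version, embedded-file count, bundle ID."""
    major, minor, count = struct.unpack_from("<IIi", data, offset)
    bundle_id, _ = read_7bit_string(data, offset + 12)
    return {"major": major, "minor": minor, "file_count": count, "bundle_id": bundle_id}


def triage(data: bytes) -> Optional[dict]:
    """Return header details for a single-file bundle, None for anything else."""
    off = find_bundle_header_offset(data)
    if off <= 0 or off + 12 > len(data):
        return None
    return parse_bundle_header(data, off)


def build_sample(bundle_id: str, file_count: int) -> bytes:
    """CONSTRUCTED test blob (not a real PE): stub bytes, marker, then a v6.0 header."""
    header = struct.pack("<IIi", 6, 0, file_count)
    encoded = bundle_id.encode("utf-8")
    header += bytes([len(encoded)]) + encoded  # bundle_id shorter than 128 bytes
    prefix = b"MZ" + b"\x00" * 62  # stand-in for the apphost image
    header_off = len(prefix) + 8 + len(BUNDLE_SIGNATURE) + 16
    return (prefix + struct.pack("<q", header_off) + BUNDLE_SIGNATURE
            + b"\x00" * 16 + header)


if __name__ == "__main__":
    print(triage(build_sample("deadbeefcafe", 3)))  # bundled: header details
    print(triage(b"\x00" * 8 + BUNDLE_SIGNATURE))   # plain apphost: None
```

The marker check is cheap enough to run across a whole sample set; a bundle with a high embedded-file count and no matching publisher is the case worth unpacking further.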
