27 October 2023

Cyber Security Week in Review: October 27, 2023

Admins urged to fix Citrix NetScaler flaw ASAP

Citrix has urged system administrators to apply patches addressing a critical vulnerability that has been exploited in the wild. Tracked as CVE-2023-4966, the flaw is a buffer overflow issue that could lead to remote code execution. Successful exploitation of the bug requires that the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. According to cybersecurity firm Mandiant, CVE-2023-4966 has been exploited as a zero-day vulnerability since late August of this year.

Cisco discloses another IOS XE zero-day

Cisco has updated its security advisory on the previously disclosed CVE-2023-20198 zero-day vulnerability affecting its IOS XE product to warn of a new critical bug that has been exploited to deploy a malicious Lua implant onto compromised devices.

Tracked as CVE-2023-20273, the new flaw resides in the web UI feature and allows a remote non-authenticated attacker to create an account with privilege level 15 access using a specially crafted HTTP request.

NCC Group's Fox-IT team reported that they observed the backdoor on infected devices being modified to check for an Authorization HTTP header value before responding.

VMware warns of a dangerous vCenter Server RCE bug

Virtualization services provider VMware released security updates to fix a critical vulnerability in the vCenter Server that could result in remote code execution on impacted systems.

Tracked as CVE-2023-34048, the flaw is an out-of-bounds write issue in the DCERPC protocol implementation. A remote non-authenticated attacker can send a specially crafted RPC request to the vCenter Server, trigger an out-of-bounds write and execute arbitrary code on the target system.

VMware said that there are no workarounds to mitigate the vulnerability and urged customers to apply the fixed versions of software: VMware vCenter Server 8.0 (8.0U1d or 8.0U2), VMware vCenter Server 7.0 (7.0U3o), VMware Cloud Foundation 5.x and 4.x.

Hackers used stolen credentials to access Okta’s support system

Identity services provider Okta revealed that unknown attackers gained access to its support case management system using stolen credentials. The intruders were able to view files uploaded by certain Okta customers as part of recent support cases. The attackers obtained the stolen credentials from HTTP Archive (HAR) files that customers had uploaded for troubleshooting purposes; such browser captures can contain session cookies and tokens.

The Okta breach is said to have impacted nearly 200 of the company's clients, including identity management company BeyondTrust and the popular password manager 1Password.
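One defender-side mitigation for the mechanism described above, redacting session material from a HAR capture before it is shared with a support desk, as an added example that is not Okta's or this article's own code; the set of header names treated as sensitive is an assumption, and the sample capture is constructed:

```python
# Added example, not Okta's or any vendor's tool. It walks the standard HAR 1.2
# layout (log.entries[].request/response .headers and .cookies); which header
# names count as session material is an assumption, extend the sets as needed.
import json

REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
SENSITIVE_FRAGMENTS = ("token", "session", "api-key", "apikey")

def _is_sensitive(name: str) -> bool:
    lowered = name.lower()
    return lowered in SENSITIVE_HEADERS or any(f in lowered for f in SENSITIVE_FRAGMENTS)

def _redact(pairs: list, pick) -> int:
    """Blank the value of every name/value pair that pick(name) selects; return count."""
    count = 0
    for pair in pairs:
        if pick(str(pair.get("name", ""))) and pair.get("value") != REDACTED:
            pair["value"] = REDACTED
            count += 1
    return count

def scrub_har(har: dict) -> int:
    """Redact credential-bearing headers and every cookie, in place, in all entries."""
    count = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            count += _redact(msg.get("headers", []), _is_sensitive)
            # HAR lists parsed cookies separately from the Cookie header; scrub both.
            count += _redact(msg.get("cookies", []), lambda _name: True)
    return count

def scrub_har_text(text: str) -> tuple:
    """Parse a HAR document, scrub it, and return (scrubbed JSON text, count)."""
    har = json.loads(text)
    count = scrub_har(har)
    return json.dumps(har, indent=1), count

# Constructed sample capture (not a real one): a bearer token plus a session cookie.
SAMPLE_HAR_TEXT = json.dumps({"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.test/api/v1/users/me",
                "headers": [{"name": "Authorization", "value": "Bearer abc123"},
                            {"name": "Cookie", "value": "sid=s3ss10n"}],
                "cookies": [{"name": "sid", "value": "s3ss10n"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=s3ss10n; HttpOnly"},
                             {"name": "Content-Type", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": "s3ss10n"}]}}]}})
```

The scrubber covers headers and cookies only; request bodies (`postData`) and URL query strings can also carry tokens and need the same treatment before a capture leaves the organisation.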

CCleaner confirms it was hit with MOVEit attack

Piriform, a company behind the popular system optimization software CCleaner, confirmed it was impacted in the zero-day MOVEit data breach. The company said the exposed customer information included name, email address and phone number, as well as information on the purchased products. No banking details, credit card numbers or high-risk data such as log-in information or account details were stolen, Piriform said.

Ragnar Locker ransomware dev arrested in France

The developer of the Ragnar Locker ransomware has been arrested in Paris, France, as part of an international law enforcement effort to dismantle the Ragnar Locker ransomware operation known for targeting critical infrastructure across the world, including hospitals. As part of the law enforcement operation, carried out between 16 and 20 October, the authorities conducted raids in Czechia, Spain and Latvia. Five suspects were detained in Spain and Latvia. Additionally, Ukrainian cyber cops conducted searches at a suspect’s home in Kyiv and seized laptops, mobile phones and “electronic storage devices.”

The ransomware’s infrastructure was also seized in the Netherlands, Germany and Sweden and the associated data leak website on Tor was taken down in Sweden.

34 members of phishing gang that stole the personal data of 4M people arrested in Spain

Spain's National Police arrested 34 people allegedly involved in a cybercrime organization that made more than €3 million through various online scams such as smishing, phishing and vishing, 'son in distress' scams, and scams impersonating delivery companies and electric firms.

The group gained access to databases of various financial and credit organizations, altered amounts in client accounts and then contacted those individuals informing them of an erroneous deposit and asking them to return the money by visiting a phishing site that captured their banking details.

The criminals also hacked into corporate databases and stole the personal data of millions of people, which they sold or used to perpetrate vishing campaigns impersonating electricity supply companies, phishing campaigns posing as banks, and other scams.

Nigerian police shut down cybercrime training and operational hub

Nigerian police announced it dismantled a cybercrime recruitment and training center in Abuja, the country’s capital. The hub is said to have been involved in a cybercrime syndicate that conducted various cybercrimes, including Business Email Compromise (BEC), romance scams, and high-yield investment program fraud.

The police arrested six suspects and seized gadgets used to perpetrate cyber crimes.

New iLeakage side-channel attack targets Apple devices

A team of researchers discovered a new side-channel attack they dubbed ‘iLeakage’ which exploits a security weakness in Apple's A- and M-series CPUs found in iOS, iPadOS, and macOS devices. The new technique allows an attacker to extract sensitive information from the Safari web browser by manipulating Safari into rendering a specific webpage and using speculative execution to recover sensitive data within it.

This vulnerability could be used to retrieve Gmail inbox content and autofilled passwords using malicious web pages. iLeakage is the first Spectre-style speculative execution attack against Apple Silicon CPUs. It affects all third-party web browsers on iOS and iPadOS.

Russian cybercriminals increasingly targeting Ukraine with SmokeLoader malware

Suspected Russian cybercrime groups have been increasingly targeting state and financial institutions in Ukraine with the SmokeLoader malware. The attacks have been ongoing since May 2023, with hackers using meticulously crafted phishing emails focused on financial themes to lure victims. In some cases, the intruders managed to hijack money transfers by swapping the legitimate account details and re-routing funds to attacker-controlled accounts, according to the report.

Winter Vivern APT exploits Roundcube zero-day in attacks on European entities

Cyberespionage group Winter Vivern (UAC-0114, TA473) has been observed exploiting a zero-day XSS flaw in Roundcube Webmail in attacks targeting Roundcube Webmail servers belonging to Europe-based governmental entities and a think tank, according to ESET researchers. Tracked as CVE-2023-5631, the targeted vulnerability is a cross-site scripting issue that can be used by a remote attacker to execute arbitrary HTML and script code in the user's browser in the context of a vulnerable website.

Besides CVE-2023-5631, which Winter Vivern has been exploiting since October 11, 2023, the threat actor has also taken advantage of another Roundcube XSS vulnerability (CVE-2020-35730). ESET has linked “with low confidence” Winter Vivern to MoustachedBouncer, a sophisticated Belarus-aligned group first detailed in August 2023.

Native English-speaking Octo Tempest switches from SIM swapping to ransomware

Microsoft has published a lengthy analysis of Octo Tempest (aka Scattered Spider, 0ktapus, UNC3944), a native English-speaking cybercrime group, which the tech giant described as “one of the most dangerous financial criminal groups” operating today.

In recent campaigns, Octo Tempest has used a diverse array of TTPs to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt data. Octo Tempest leverages SMS phishing, SIM swapping, and advanced social engineering techniques. In mid-2023, Octo Tempest became an affiliate of ALPHV/BlackCat and has lately focused its deployments primarily on VMware ESXi servers.

France’s ANSSI releases a report on activities of Russian APT28 hackers

France's cybersecurity agency (Agence Nationale de la sécurité des systèmes d'information, ANSSI) published a report detailing the activities of Russia-linked cyberespionage group APT28, which has been targeting government entities, businesses, universities, research institutes, and think tanks in France since the second half of 2021.

Kazakhstan-linked YoroTrooper cyber spies target CIS countries

Cisco’s Talos threat intelligence team released a report detailing a cyber espionage group called “YoroTrooper” that has been targeting multiple state-owned websites and accounts belonging to government officials in Commonwealth of Independent States (CIS) countries.

Over recent months, YoroTrooper has evolved its tactics. In particular, the group has moved away from using commodity malware and is increasingly relying on new custom tools written in various programming languages such as Python, PowerShell, Go, and Rust.

The researchers observed the threat actor constantly attempting to buy new tools, such as VPN connections. It also relies on vulnerability scanners, such as Acunetix, and open-source data, such as the information available on Shodan, to locate and infiltrate the public-facing servers of their targets.

