17 November 2023

Cyber Security Week In Review: November 17, 2023


Microsoft fixes 3 Windows zero-days

Microsoft released its November 2023 Patch Tuesday security updates that address nearly 60 vulnerabilities in the company’s products, including three Windows zero-day vulnerabilities said to have been actively exploited in the wild.

The three zero-days are:

CVE-2023-36036 - Windows Cloud Files Mini Filter Driver elevation of privilege vulnerability. The flaw exists due to a boundary error in the Windows Cloud Files Mini Filter Driver. A local user can trigger memory corruption and execute arbitrary code with SYSTEM privileges. The vulnerability affects Windows versions 10 - 11 23H2, and Windows Server 2008 - 2022 23H2.

CVE-2023-36033 - Windows DWM Core Library elevation of privilege vulnerability, which can be used by a local attacker to execute arbitrary code with SYSTEM privileges. Impacted software includes Windows 10 - 11 23H2, and Windows Server 2019 - 2022 23H2.

CVE-2023-36025 - Windows SmartScreen security feature bypass vulnerability. The flaw allows a remote hacker to execute arbitrary code on the system by tricking the victim into clicking on a specially crafted .url file. The vulnerability affects Windows 10 - 11 23H2, and Windows Server 2008 - 2022 23H2.

Russian hackers used WinRAR zero-day to spy on embassies across Europe

APT29, a nation-state cyberespionage group linked to Russia’s Foreign Intelligence Service (SVR), has been observed abusing a zero-day vulnerability in the WinRAR file archiver utility to infiltrate embassies across Europe, including those of Azerbaijan, Greece, Romania, and Italy. Besides diplomatic missions, the group has also targeted major international organizations and internet service providers.

APT29’s phishing attacks involved lures in the form of enticing BMW car sale photos and documents, designed to draw in unsuspecting victims. The lure documents contained malicious content that exploited the WinRAR RCE flaw (CVE-2023-38831), granting attackers access to the compromised systems.

DarkCasino joins the list of hacker groups exploiting WinRAR zero-day

Cybersecurity firm NSFOCUS released a report on DarkCasino, a new economically motivated threat actor that has been observed leveraging a WinRAR zero-day vulnerability (CVE-2023-38831) in attacks targeting cryptocurrency trading platforms, online casinos and network banks worldwide.

Four hacker groups were caught exploiting a Zimbra zero-day

Google’s Threat Analysis Group (TAG) said it observed four different hacker groups exploiting a now-patched zero-day vulnerability (CVE-2023-37580) in Zimbra Collaboration Suite to steal email data, user credentials, and authentication tokens. In three cases the bug was exploited before the patch became available, and one campaign began after the hotfix was initially made public.

The first campaign, by an unidentified threat actor, targeted a government organization in Greece and deployed a malicious framework designed to steal users’ mail data, such as emails and attachments, and to set up an auto-forwarding rule to an attacker-controlled email address.

The second campaign, which was attributed to the Winter Vivern APT (aka UNC4907), was aimed at government organizations in Moldova and Tunisia, and the third campaign phished for credentials belonging to a government organization in Vietnam.

More than 20 Danish energy firms compromised in a large-scale cyberattack

Twenty-two companies that operate parts of the Danish energy infrastructure were hit in an extensive coordinated cyberattack in May of this year, with the attackers gaining access to some of the firms' industrial control systems. To gain access to the victims’ networks, the threat actors exploited several RCE vulnerabilities in Zyxel firewalls (CVE-2023-28771, CVE-2023-33009 and CVE-2023-33010).

In some cases, the attackers used access to compromised firewalls to ensnare the devices in the Mirai Moobot botnet and conduct DDoS attacks. In another instance, the threat actor exploited the victim’s infrastructure to participate in a brute force attack via SSH against a firm in Canada. The experts have also noticed signs that nation-state hackers, namely the Russia-linked military hacking division Sandworm, were attempting to take advantage of vulnerable Zyxel firewalls.

Russia’s Sandworm hackers behind power blackouts in Ukraine amid massive missile strikes

A Russian military hacking unit known as Sandworm orchestrated a coordinated disruptive cyberattack on one of the power plants in Ukraine that coincided with massive missile strikes on the Ukrainian electrical grid and contributed to power outages across the country.

The threat actor somehow gained access to the OT environment of the power station via a hypervisor hosting a supervisory control and data acquisition (SCADA) management instance for the plant's substations.

The attackers then used an optical disc (ISO) image named “a.iso” to execute a native MicroSCADA binary in a likely attempt to execute malicious control commands to switch off substations.

Latest adversary campaign impersonates Ukrainian security agency to deliver Remcos spyware

Ukraine’s CERT team has shared technical details and Indicators of Compromise (IoCs) associated with a new phishing campaign that impersonates the Security Service of Ukraine (SBU) to deploy remote access software onto target systems.

A ransomware gang behind MOVEit hacks caught exploiting a SysAid 0Day

A new malicious campaign is taking advantage of a zero-day vulnerability in the popular SysAid IT helpdesk software to deploy the Clop ransomware.

Tracked as Lace Tempest (aka DEV-0950, FIN11 and TA505), the threat actor is believed to be an affiliate of the Clop ransomware gang, previously linked to a large-scale hacking campaign that exploited a zero-day vulnerability (CVE-2023-34362) in Progress Software's MOVEit file transfer app to deploy ransomware.

The new campaign involves CVE-2023-47246, a path traversal issue in the SysAid software that can lead to remote code execution. Microsoft’s threat intelligence team said that Lace Tempest issued commands via the SysAid software to deliver a malware loader for the Gracewire malware, which is typically followed by human-operated activity, including lateral movement, data theft, and ransomware deployment.

LockBit ransomware gang is exploiting CitrixBleed bug for mass attacks worldwide

The LockBit ransomware group is mass-exploiting a critical vulnerability in Citrix NetScaler to hack into large organizations worldwide, including Boeing, China’s largest bank ICBC, Emirati port operator DP World and the London-based international law firm Allen & Overy, cybersecurity researchers have warned.

According to cybersecurity firm Mandiant, the remote code execution vulnerability (CVE-2023-4966 aka CitrixBleed) in Citrix NetScaler ADC and NetScaler Gateway products has been exploited as a zero-day vulnerability since late August of this year. Citrix released security patches and later updated its advisory to warn that it had observed exploitation in the wild.

CISA and FBI release advisories on Rhysida ransomware, Scattered Spider cybercrime group TTPs

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) shared Indicators of Compromise along with tactics, techniques, and procedures (TTPs) of the Rhysida ransomware gang.

Operating under a ransomware-as-a-service (RaaS) model, Rhysida actors have compromised organizations in the education, manufacturing, information technology, and government sectors, and any ransom paid is split between the group and its affiliates. Rhysida actors leverage external-facing remote services, such as virtual private networks (VPNs), the Zerologon vulnerability (CVE-2020-1472), and phishing campaigns to gain initial access and persistence within a network.

Separately, the security agencies released an advisory detailing TTPs and IoCs associated with the Scattered Spider cybercriminal group that was linked by security researchers to the September 2023 cyberattack on the casino and hotel chain MGM Resorts International.

Scattered Spider threat actors typically engage in data theft for extortion using multiple social engineering techniques and have recently leveraged BlackCat/ALPHV ransomware alongside their usual TTPs.

ALPHV/BlackCat takes extortion to a new level

The ALPHV/BlackCat ransomware operation has upped the ante by filing a complaint against US financial software company MeridianLink for a failure to disclose a data breach to the authorities. According to media reports, the group has filed the complaint with the US Securities and Exchange Commission, alleging the company's failure to disclose a purported cyber incident within the SEC's four-day breach notification limit, to put more pressure on the firm.

MeridianLink has confirmed it is investigating the gang’s claims but said it currently has “no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption.”

In a separate report, researchers with eSentire warned that ALPHV/BlackCat affiliates are using malvertising campaigns to establish an initial foothold in their victims' systems.

The attacks involve Google ads promoting popular software, such as Advanced IP Scanner, Slack, WinSCP and Cisco AnyConnect, to entice victims into visiting malicious websites serving Nitrogen, the initial-access malware that leverages Python libraries for stealth.

Google Workspace and Cloud Platform could be abused for cyberattacks

Bitdefender researchers said they identified novel attack methods that allow an attacker to expand access from a single compromised machine to an organization's Google Workspace environment.

The attacks rely on an organization's use of Google Credential Provider for Windows (GCPW), which offers both mobile device management (MDM) and single sign-on (SSO) capabilities. Google has been notified about the findings but refused to address the issue “as it is outside of their specific threat model.”

Crypto exchange Poloniex hacked for more than $100M

Cryptocurrency trading platform Poloniex lost over $100 million worth of Bitcoin and Ethereum after hackers compromised its hot wallet. Poloniex said it would pay 5% of the stolen amount as a bounty to the hacker in exchange for the return of the funds.

Czech and Ukrainian police take down multi-million euro phishing gang

A joint international effort involving Czech and Ukrainian law enforcement agencies, assisted by Europol and Eurojust, has dismantled a prolific phishing gang responsible for defrauding victims across Europe, with the total losses estimated in the tens of millions of euros. The criminal operation primarily targeted Czech victims, with estimated financial losses exceeding EUR 8 million (CZK 195,000,000).

Admin of the Darkode dark web marketplace gets 18 months in prison

An administrator of the now-defunct cyberforum Darkode has been sentenced to 18 months in prison and 36 months of supervised release. Thomas Kennedy McCormick, aka “fubar,” was initially a member of Darkode but eventually became the forum’s administrator. He developed and sold data-stealing malware that collected personal and financial data.

McCormick was arrested in December 2018; during searches of his home, police found the stolen credit card information of almost 30,000 people. As part of his guilty plea, McCormick admitted his involvement in causing about $679,000 in financial losses through these offenses.

IPStorm botnet infrastructure dismantled, operator pleads guilty

The US Department of Justice announced that the FBI has dismantled the IPStorm malware botnet infrastructure and that the service’s operator, Sergei Makinin, has pleaded guilty.

Makinin, who is a Russian and Moldovan national, developed and deployed malware to compromise thousands of Internet-connected devices across the globe. The primary purpose of the botnet was to turn infected devices into proxies as part of a for-profit scheme.

Police shut down BulletProftLink PaaS operation

Malaysian police in cooperation with the Australian Federal Police (AFP) and the US Federal Bureau of Investigation (FBI) dismantled a major phishing-as-a-service (PhaaS) operation called BulletProftLink (aka BulletProofLink and Anthrax). The Malaysian authorities arrested 8 people aged between 29 and 56 across the country, including an alleged mastermind behind the operation. Alongside the arrests, the police confiscated servers, computers, jewelry, vehicles, and cryptocurrency wallets containing approximately 965,808 Malaysian ringgit (~$213,000).
