Cyber Security Weekly Briefing, 17 — 23 September

ElevenPaths    23 September, 2022
Photo: Christina

Quantum and BlackCat ransomware use Emotet as entry vector

Researchers at AdvIntel have published the results of an investigation reporting that ransomware operators Quantum and BlackCat have adopted the use of Emotet as a dropper in their operations among their TTPs.

Specifically, Emotet emerged in 2014 classified as a banking trojan, however, its evolution eventually turned it into a botnet that Conti ransomware operators used in their operations until June 2022, when it was disbanded.

The methodology currently adopted by Quantum and BlackCat to use Emotet is to install a Cobalt Strike beacon that deploys a payload that allows them to take control of networks and execute ransomware operations.

According to experts, Emotet has increased its activity since the beginning of the year by distributing itself via .lnk files, and it is estimated that more than 1.2 million computers are infected. This increase has also been corroborated by other research teams such as ESET and Agari.

More info

* * *

Revolut suffers data breach with more than 50,000 users exposed

The online bank Revolut, which has a banking licence in Lithuania, has been the victim of a cyber-attack in which the personal information of more than 50,000 customers has been compromised.

The incident, which occurred a week ago, has been described as “highly targeted”. According to the Lithuanian Data Protection Agency, 50,150 customers have been affected, 20,687 of them belonging to the European Economic Area.

At this stage, details of how the attacker gained access to the bank’s database have not been disclosed, but all indications are that the threat actor relied on a social engineering attack as an entry vector.

The Agency notes that the information exposed includes: email addresses, first and last names, postal addresses, phone numbers, limited payment card details and account details.

Revolut has issued a statement saying that the personal data compromised varies from customer to customer and that no card details or passwords have been accessed.

More info

* * *

Critical vulnerabilities in industrial control system environments

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a total of eight security advisories warning of vulnerabilities in industrial control systems (ICS), including critical flaws affecting Dataprobe iBoot-PDU products.

It should be noted that power distribution units (PDUs) are used to remotely manage the power supply of systems commonly used in critical infrastructures. Claroty security researchers discovered a total of seven vulnerabilities in the Dataprobe product, including CVE-2022-3183 and CVE-2022-3184 with a CVSS of 9.8.

These security flaws could allow malicious actors to access unauthenticated users and remotely execute code on affected systems.

David Weiss, CEO of Dataprobe, has indicated that the security issues have been patched in version 1.42.06162022 and that others are fixed by proper configuration such as disabling SNMP, telnet and HTTP.

More info

* * *

Old Python vulnerability affects thousands of repositories

Researchers at Trellix have released details of the exploitation of a vulnerability in the Python programming language that has been overlooked for 15 years.

The bug could affect more than 350,000 open-source repositories and could lead to code execution.

The report explains that they rediscovered the vulnerability while reviewing other unrelated bugs, concluding that it was CVE-2007-4559, already documented in an initial report in August 2007, and which has remained unpatched to this day.

Only during the year 2022, from the Python Bug Tracker, was an update provided to the documentation that only warned developers about the risk. For its part, Trellix points out that the bug persists, providing explanatory videos on how to exploit it.

The vulnerability is in the extract and extractall functions of the tarfile module, which would allow an attacker to overwrite arbitrary files by appending the sequence “…” to filenames in a TAR file.

In addition, Trellix has announced patches for just over 11,000 projects, although, for the moment, the Python Software Foundation has not commented on the vulnerability, so extreme caution is recommended as this is a bug that represents a clear risk to the software supply chain.

More info

* * *

​ Chromeloader malware increases its activity and boosts its capabilities

Researchers from Microsoft and VMware have reported a malicious campaign by the Chromeloader malware, a malicious extension for the Chrome browser, aimed at infecting victims’ devices with multiple malicious programs.

During the first quarter of 2022, Chromeloader came to the limelight in the form of adware and later became a stealer specialising in stealing data stored in the browsers of targeted users.

However, according to Microsoft, there is currently an ongoing campaign attributed to the threat actor tracked as DEV-0796, which makes use of this malware to launch much more powerful and targeted payloads.

Chromeloader has been found to be deployed in ISO files that are distributed via malicious advertisements and YouTube video comments.

In addition, as VMware also details in its report, there are at least 10 variants of this malware camouflaged under utilities intended to manage movie subtitles, music players and, more worryingly, a variant of Chromeloader that implements the Enigma ransomware in an HTML file.

More info

Leave a Reply

Your email address will not be published. Required fields are marked *