Cyber Security Weekly Briefing, 21 – 27 January

Telefónica Tech    27 January, 2023

Killnet targeting victims in Spain

This week, the hacktivist group Killnet announced a campaign of attacks against Germany, leading to Distributed Denial of Service (DDoS) attacks that rendered the websites of the German government, the Bundestag, several banks and airports in the country inoperative on Wednesday.

Following these attacks, the group posted a comment on its Telegram channel directly pointing to Spain as a possible target for its next attacks, leaving the following message “Spain – f*** you too, but with you everything will be easier and faster”.

Following this message, other participants within the Telegram channel explicitly singled out two Spanish companies, stating that they would be supposedly “easy” to attack. No attacks against Spanish critical infrastructure companies or government agencies have been reported so far.

* * *

Apple fixes 0-day vulnerability affecting older iPhones and iPads

Apple has issued a security advisory with patches for an actively exploited 0-day vulnerability in older iPhones and iPads.

The vulnerability, tracked as CVE-2022-42856 with a CVSSv3 score of 8.8, is a type confusion in WebKit, Apple’s browser engine: processing maliciously crafted web content may lead to arbitrary code execution. The fix was published in December for current Apple products and is now available for older devices, specifically the iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3 and iPod touch (6th generation).

Apple’s advisory states that it is aware of a report that the issue may have been actively exploited against versions of iOS released before iOS 15.1. CISA added the vulnerability to its Known Exploited Vulnerabilities catalogue on 14 December.


* * *

VMware vulnerabilities fixed

VMware has released security patches (advisory VMSA-2023-0001) for several vulnerabilities in vRealize Log Insight, now known as VMware Aria Operations for Logs. The most severe, CVE-2022-31706 (CVSS 9.8), is a directory traversal flaw that lets an unauthenticated attacker inject files into the operating system of an affected appliance and achieve remote code execution.

CVE-2022-31704, also CVSS 9.8, is a broken access control vulnerability that can likewise be exploited by an unauthenticated attacker to inject files and achieve remote code execution.

The company has also fixed a deserialisation vulnerability, CVE-2022-31710 (CVSS 7.5), which can be triggered to cause a denial of service, and an information disclosure flaw, CVE-2022-31711 (CVSS 5.3).
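The directory traversal class behind the first VMware bug is worth seeing in code. The block below is an added illustration written for this briefing, not VMware's code and not the actual vulnerable code path: a server-side file drop that builds the target path from an attacker-controlled file name, with the vulnerable string-join beside a hardened resolver. The base directory and file names are made up for the example.

```python
"""
Added illustration of the directory traversal class (CVE-2022-31706 is an
instance of it), not VMware's code: a file drop that builds the target path
from an attacker-controlled name, vulnerable and hardened side by side.
"""
import os
from pathlib import Path
from typing import Optional


def unsafe_target(base: str, name: str) -> str:
    """Vulnerable pattern: string-join the user-supplied name onto the base
    directory. '..' segments survive, so the write lands outside base."""
    return base.rstrip("/") + "/" + name


def resolve_under(base: str, name: str) -> Optional[Path]:
    """Hardened pattern: resolve both paths (collapsing '..' and symlinks)
    and insist the result is strictly inside base. Returns None on escape.
    An absolute `name` replaces root in the join, so it is caught as well."""
    root = Path(base).resolve()
    candidate = (root / name).resolve()
    if candidate == root or root not in candidate.parents:
        return None
    return candidate


def traversal_demo() -> dict:
    base = "/var/lib/appliance/uploads"            # hypothetical upload root
    hostile = "../../../../etc/cron.d/backdoor"    # attacker-chosen file name
    return {
        # what the vulnerable join actually writes to, after normalisation
        "unsafe": os.path.normpath(unsafe_target(base, hostile)),
        "safe_rejects": resolve_under(base, hostile) is None,
        "safe_accepts": resolve_under(base, "2023/01/upload.log") is not None,
        "absolute_rejected": resolve_under(base, "/etc/passwd") is None,
    }


if __name__ == "__main__":
    print(traversal_demo())
```

The check is done on resolved paths on both sides, so a symlink inside the upload root cannot be used to point the "contained" path somewhere else, and `candidate == root` is rejected because an empty or `.` name would otherwise name the directory itself.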


* * *

PY#RATION: a new Python-based RAT

The Securonix research team has discovered a new Python-based malware attack campaign with Remote Access Trojan (RAT) capabilities. This malware, named PY#RATION, is actively evolving, having moved from version 1.0 to 1.6.0 since its detection in August 2022.

PY#RATION is distributed via phishing e-mails with .ZIP attachments containing two .lnk shortcut files disguised as images (front.jpg.lnk and back.jpg.lnk). When the shortcuts are opened, the victim is shown the front and back of a British driving licence, while the shortcuts also run code that contacts the C2 server and downloads two additional files to the user’s temporary directory.

Once running, PY#RATION can enumerate the network, transfer files, log keystrokes, steal clipboard data, extract passwords and cookies from web browsers and execute shell commands, among other capabilities. According to Securonix, the campaign mainly targets victims in the UK and North America.


* * *

Microsoft plans to block XLL files from the Internet

After blocking macros in Office files downloaded from the Internet to curb the spread of malware, Microsoft’s next step is to block XLL files that come from the Internet, mainly as e-mail attachments.

XLL files are Excel add-ins: native dynamic-link libraries (DLLs) that extend Excel with additional functions, dialogue boxes, toolbars and so on. Because they are executable code that Excel loads as soon as the file is opened, threat actors include them in phishing campaigns to drop malware onto the victim’s computer with a single click.

According to Microsoft, the measure is being rolled out and will be generally available to users in March.
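Both the PY#RATION lure (shortcuts named like images inside a ZIP) and the XLL attachments Microsoft is about to block are easy to catch at a mail gateway by sniffing content rather than trusting file names. The block below is an added example written for this briefing, not Securonix's or Microsoft's code: it walks an attachment archive, identifies Windows shortcuts by the shell-link header and PE executables by the MZ/PE signatures, and reports the double-extension disguise. The sample archive is constructed in memory for the demo; the member names mirror the layout described above.

```python
"""
Added example, not Securonix's or Microsoft's code: triage the members of an
e-mail attachment archive for the two lure types in this briefing, Windows
shortcuts posing as images (front.jpg.lnk) and XLL add-ins, which are plain
PE DLLs. The sample archive is constructed in memory.
"""
import io
import struct
import zipfile
from typing import List, Tuple

# Shell link header: HeaderSize 0x4C, then the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")

# Extensions a .lnk or .xll is commonly dressed up as in a double-extension name.
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "xls", "xlsx"}


def is_lnk(data: bytes) -> bool:
    return data.startswith(LNK_MAGIC)


def is_pe(data: bytes) -> bool:
    """MZ DOS header plus a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_archive(blob: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every member worth blocking or
    detonating. The file content decides the type, the name only adds colour."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.rsplit("/", 1)[-1].lower().split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            inner = parts[-2] if len(parts) > 2 else ""
            with zf.open(info) as fh:
                head = fh.read(512)
            if is_lnk(head):
                reason = "Windows shortcut"
                if inner in DECOY_EXTS:
                    reason += f" disguised as .{inner}"
                if ext != "lnk":
                    reason += " with mismatched extension"
                findings.append((info.filename, reason))
            elif is_pe(head):
                reason = "native PE executable"
                if ext == "xll":
                    reason = "XLL add-in (PE DLL loaded by Excel on open)"
                findings.append((info.filename, reason))
    return findings


def fake_pe() -> bytes:
    """Minimal byte layout that satisfies is_pe(); not a loadable binary."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew -> right after the DOS header
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_zip() -> bytes:
    """Constructed lure archive mirroring the PY#RATION layout plus an XLL."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("front.jpg.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("back.jpg.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("licence.pdf", b"%PDF-1.4 benign decoy")
        zf.writestr("quote.xll", fake_pe())
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in triage_archive(build_sample_zip()):
        print(f"{name}: {why}")
```

Only the first 512 bytes of each member are read, which is enough for both signatures and keeps the scan cheap on large archives; a real gateway would also apply the Mark-of-the-Web and sender-reputation context that Microsoft's own block relies on.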


Featured photo: Arnel Hasanovic / Unsplash
