Friday, April 26th, 2024

Cybersecurity Week in Review (26/04/24)


Russia’s APT28 Exploited Windows Print Spooler Flaw to Deploy ‘GooseEgg’ Malware

The Russia-linked nation-state threat actor tracked as APT28 weaponized a security flaw in the Microsoft Windows Print Spooler component to deliver a previously unknown custom malware called GooseEgg.
The post-compromise tool, which is said to have been used since at least June 2020 and possibly as early as April 2019, leveraged a now-patched flaw that allowed for privilege escalation (CVE-2022-38028, CVSS score: 7.8).
It was addressed by Microsoft as part of updates released in October 2022, with the U.S. National Security Agency (NSA) credited for reporting the flaw at the time.

Source – https://thehackernews.com/2024/04/russias-apt28-exploited-windows-print.html

DPRK hacking groups breach South Korean defense contractors

The National Police Agency in South Korea issued an urgent warning today about North Korean hacking groups targeting defense industry entities to steal valuable technology information.
The police discovered several instances of successful breaches of defense companies in South Korea involving the hacking groups Lazarus, Andariel, and Kimsuky, all part of the North Korean hacking apparatus.
According to the announcement, the attackers breached the organizations by leveraging vulnerabilities in the targets’ or their subcontractors’ environments to plant malware capable of exfiltrating data.
The National Police Agency and the Defense Acquisition Program Administration conducted a special inspection earlier this year between January 15 and February 16 and implemented protective measures to secure critical networks.

Source – https://www.bleepingcomputer.com/news/security/dprk-hacking-groups-breach-south-korean-defense-contractors/

Synlab Italia suspends operations following ransomware attack

Synlab Italia has suspended all its medical diagnostic and testing services after a ransomware attack forced its IT systems to be taken offline.
Part of the Synlab group that is present in 30 countries worldwide, the Synlab Italia network operates 380 labs and medical centers across Italy. It has an annual turnover of $426 million and carries out 35 million analyses every year.
Late last week, the company announced that it had suffered a security breach in the early hours of April 18, which forced it to shut down all computers to limit the damaging activity.
Although the company has not confirmed it, some sensitive medical data may have been exposed to the attackers.

Source – https://www.bleepingcomputer.com/news/security/synlab-italia-suspends-operations-following-ransomware-attack/

Double-extorted Change Healthcare says “a substantial proportion” of Americans exposed

In the latest statement, UnitedHealth said that files exfiltrated by cybercriminals contain protected health information (PHI) or personally identifiable information (PII). They could “cover a substantial proportion of people in America.”
The press release states that 22 screenshots, supposedly taken from stolen files, were shared on the dark web by a malicious actor. Some of these screenshots included protected health information (PHI) and personally identifiable information (PII). However, as of now, there has not been any additional sharing of PHI or PII.
While the company continues to monitor the dark web for leaks, it has not seen evidence of exfiltration of materials such as doctors’ charts or full medical histories among the data.
It’s not clear how many Americans are exposed, and they have no way of knowing if they’re affected.

Source – https://cybernews.com/news/change-healthcare-substantial-proportion-americans-exposed/

Multi-year Volkswagen breach points to Chinese hackers

Attackers successfully targeted the German automotive giant Volkswagen for at least five years, ZDF reports. Internal documents seen by journalists show that between 2010 and 2015, malicious actors infiltrated Volkswagen’s systems, exfiltrating intellectual property several times over the period.
Attackers mostly focused on the company’s development of gasoline engines, transmission development, and dual-clutch transmission research. Additionally, attackers focused a lot of effort on Volkswagen’s electric vehicle research.
According to the German report, at least 19,000 documents were stolen from the automaker. The company’s security team successfully recovered files exfiltrated from Volkswagen, which means that the true extent of the attack could be more significant.
Experts with whom journalists discussed the hack say that the attackers’ IP addresses, the software they used, and the time zone they operate in point to the hack originating from China.

Source – https://cybernews.com/news/volkswagen-breach-china-hackers/

Major Security Flaws Expose Keystrokes of Over 1 Billion Chinese Keyboard App Users

Security vulnerabilities uncovered in cloud-based pinyin keyboard apps could be exploited to reveal users’ keystrokes to nefarious actors.

The findings come from the Citizen Lab, which discovered weaknesses in eight of nine apps from vendors including Baidu, Honor, iFlytek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. The only vendor whose keyboard app had no security shortcomings was Huawei.
The disclosure builds upon prior research from the interdisciplinary laboratory based at the University of Toronto, which identified cryptographic flaws in Tencent’s Sogou Input Method last August.
Collectively, it’s estimated that close to one billion users are affected by this class of vulnerabilities, with Input Method Editors (IMEs) from Sogou, Baidu, and iFlytek accounting for a huge chunk of the market share.

Source – https://thehackernews.com/2024/04/major-security-flaws-expose-keystrokes.html

Threat Report – Zero-Day Vulnerabilities Discovered in Cisco ASA and FTD

Three vulnerabilities have been discovered in Cisco ASA and FTD.
The cybercriminals, identified as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, initiated their attack on vulnerable edge devices in November 2023 as part of a cyber-espionage campaign named ArcaneDoor.
Although Cisco has not determined the initial attack vector, it has addressed and patched two vulnerabilities that were leveraged as zero-days in these attacks: CVE-2024-20353, which causes a denial of service, and CVE-2024-20359, which allows persistent local code execution.
Cisco first became aware of the ArcaneDoor campaign in January 2024 and discovered evidence suggesting the attackers had been developing and testing exploits for these zero-days since at least July 2023.

Source – https://www.smarttech247.com/news/zero-day-vulnerabilities-discovered-in-cisco-asa-and-ftd/

New Brokewell malware takes over Android devices, steals data

Security researchers have discovered a new Android banking trojan they named Brokewell that can capture every event on the device, from touches and information displayed to text input and the applications the user launches.
The malware is delivered through a fake Google Chrome update that is shown while using the web browser. Brokewell is under active development and features a mix of extensive device takeover and remote control capabilities.
Researchers at fraud risk company ThreatFabric found Brokewell after investigating a fake Chrome update page that dropped a payload, a common method for tricking unsuspecting users into installing malware.

Source – https://www.bleepingcomputer.com/news/security/new-brokewell-malware-takes-over-android-devices-steals-data/

Apache Cordova App Harness Targeted in Dependency Confusion Attack

Researchers have identified a dependency confusion vulnerability impacting an archived Apache project called Cordova App Harness.
Dependency confusion attacks occur because package managers check public repositories before private registries, which allows a threat actor to publish a malicious package under the same name to a public package repository.
This causes the package manager to inadvertently download the fraudulent package from the public repository instead of the intended private one. If successful, the attack can have serious consequences, such as compromising all downstream customers that install the package.
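The resolution order described above is something a defender can audit before it is abused. The following Python script is an added example, not code from the article or from the Apache Cordova project: it parses a constructed package.json and .npmrc and flags internal dependency names that would resolve against the public npm registry rather than a private one. The package names, the @acme scope, the internal registry URL and the list of known-internal packages are all hypothetical; the weak .npmrc is shown beside a corrected one that routes everything through the private registry.

```python
"""Flag npm dependencies exposed to dependency confusion.

Added example (not from the article or the Cordova project). All package
names, scopes and registry URLs below are constructed for illustration.
"""
import json
import re

# Constructed package.json mixing public and (hypothetical) internal packages.
PACKAGE_JSON = json.dumps({
    "name": "internal-web-app",
    "dependencies": {
        "express": "^4.19.2",           # public package
        "@acme/auth-client": "1.4.0",   # scoped internal package (hypothetical)
        "acme-billing-utils": "2.0.1",  # unscoped internal package (hypothetical)
        "@acme/ui-kit": "3.1.0",        # scoped internal package (hypothetical)
    },
})

# Weak .npmrc: only the @acme scope is pinned to the private registry, so any
# unscoped internal name still resolves against the public registry first.
NPMRC_WEAK = """
registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.example/
"""

# Corrected .npmrc: the default registry is the private one, which proxies
# public packages but owns the internal names (hypothetical URL).
NPMRC_FIXED = """
registry=https://npm.internal.example/
@acme:registry=https://npm.internal.example/
"""

# Names the organisation knows to be internal (hypothetical inventory).
INTERNAL_PACKAGES = {"@acme/auth-client", "acme-billing-utils", "@acme/ui-kit"}

PUBLIC_REGISTRY = "https://registry.npmjs.org/"


def parse_npmrc(text):
    """Return {'*': default_registry, '@scope': registry, ...} from .npmrc lines
    of the form `registry=URL` or `@scope:registry=URL`."""
    registries = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(?:(@[^:\s]+):)?registry=(\S+)", line)
        if m:
            registries[m.group(1) or "*"] = m.group(2)
    return registries


def is_private_registry(url):
    """Anything other than the public npm registry is treated as private."""
    return not url.startswith(PUBLIC_REGISTRY)


def find_confusable(package_json_text, npmrc_text, internal_names):
    """Return internal dependency names that would be fetched from the public
    registry, i.e. names an attacker could squat with a higher version."""
    deps = json.loads(package_json_text).get("dependencies", {})
    registries = parse_npmrc(npmrc_text)
    exposed = []
    for name in deps:
        if name not in internal_names:
            continue  # genuinely public package: nothing internal to squat on
        scope = name.split("/")[0] if name.startswith("@") else None
        registry = registries.get(scope) if scope else None
        if registry is None:
            # unscoped, or scope not mapped: falls back to the default registry
            registry = registries.get("*", PUBLIC_REGISTRY)
        if not is_private_registry(registry):
            exposed.append(name)
    return sorted(exposed)


if __name__ == "__main__":
    for label, npmrc in (("weak", NPMRC_WEAK), ("fixed", NPMRC_FIXED)):
        risky = find_confusable(PACKAGE_JSON, npmrc, INTERNAL_PACKAGES)
        print(f"{label} .npmrc -> exposed: {risky or 'none'}")
```

With the weak configuration only the unscoped `acme-billing-utils` is reported, because the scoped names are pinned to the private registry; with the corrected default registry nothing is reported. The same check generalises to any client whose resolution order prefers a public source: the inventory of internal names is the input that matters, and scoping plus an explicit registry mapping per scope is the control.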

Source – https://thehackernews.com/2024/04/apache-cordova-app-harness-targeted-in.html
