Cybersecurity Newsletter
19th June 2023
In this week’s news: a new trojan called Pikabot; BlackCat attacked Reddit in February; GhostSec and SeigedSec have attacked Cuba and Colombia; a Fortinet vulnerability causes havoc; the early June Microsoft interruptions were the result of a cyberattack; and the DoJ arrests a hacker using LockBit.
Pikabot operates as a backdoor, enabling unauthorized remote access to compromised systems. It receives commands from a command-and-control (C2) server, which can range from injecting arbitrary shellcode, DLLs, or executable files, to distributing other malicious tools such as Cobalt Strike:
https://news.sophos.com/en-us/2023/06/12/deep-dive-into-the-pikabot-cyber-threat/
The BlackCat (ALPHV) ransomware gang is behind a February cyberattack on Reddit, where the threat actors claim to have stolen 80GB of data from the company:
https://www.bleepingcomputer.com/news/security/reddit-hackers-threaten-to-leak-data-stolen-in-february-breach/
GhostSec have targeted Cuba:
SeigedSec has attacked Colombia:
.Zip and .Mov Top Level Domain Abuse: One Month After Being Made:
https://www.netskope.com/blog/zip-and-mov-top-level-domain-abuse-one-month-after-being-made-public
Fortinet Warns Customers of Possible Zero-Day Exploited in Limited Attacks:
https://www.securityweek.com/fortinet-warns-customers-of-possible-zero-day-exploited-in-limited-attacks/
The US Department of Justice (DoJ) has announced the arrest and charges filed against a Russian national accused of participating in cyber-attacks using the LockBit ransomware:
https://www.infosecurity-magazine.com/news/russian-arrested-us-connection/
The Hacker News reports a proof-of-concept exploit for an actively exploited high-severity Win32k driver vulnerability, tracked as CVE-2023-29336:
https://www.scmagazine.com/brief/vulnerability-management/exploit-for-actively-abused-windows-flaw-issued
Microsoft says early June disruptions to Outlook, cloud platform, were cyberattacks:
https://techxplore.com/news/2023-06-microsoft-early-june-disruptions-outlook.html
Fake GitHub Repos Delivering Malware as PoCs:
https://www.hackread.com/fake-github-repos-drop-malware-pocs/
A new information-stealing malware named 'Mystic Stealer' has been promoted on hacking forums and darknet markets since April 2023, quickly gaining traction in the cybercrime community:
https://www.bleepingcomputer.com/news/security/new-mystic-stealer-malware-increasingly-used-in-attacks/
A newly discovered ChatGPT-based attack technique, dubbed AI package hallucination, lets attackers publish their own malicious packages in place of an unpublished package. In this way, attackers can execute supply chain attacks through the deployment of malicious libraries to known repositories:
https://securityboulevard.com/2023/06/chatgpt-spreads-malicious-packages-in-ai-package-hallucination-attack/
Hackers can steal cryptographic keys by video-recording power LEDs 60 feet away:
https://arstechnica.com/information-technology/2023/06/hackers-can-steal-cryptographic-keys-by-video-recording-connected-power-leds-60-feet-away/
A new Golang-based information stealer called Skuld has compromised Windows systems across Europe, Southeast Asia, and the U.S.:
https://thehackernews.com/2023/06/new-golang-based-skuld-malware-stealing.html
St. Margaret’s Health in Illinois is the first hospital to cite a cyberattack as a reason for its closure:
https://securityaffairs.com/147430/cyber-crime/st-margarets-health-closes-cyberattack.html
Ingenious Hackers Used iPhone 13 To Steal Samsung Galaxy Crypto Key:
https://www.forbes.com/sites/daveywinder/2023/06/16/hackers-use-iphone-to-steal-crypto-key-from-samsung-galaxy-heres-how/?sh=6f8c4a637e4c
Illicit funds gained from the $35 million Atomic Wallet hack are on the move again, with sanctioned Russian-based crypto exchange Garantex reportedly becoming the latest to come in contact with the hacked crypto:
https://cointelegraph.com/news/atomic-wallet-hackers-ofac-sanctioned-garantex-elliptic
Websites for mental health crisis resources across the country—which promise anonymity for visitors, many of whom are at a desperate moment in their lives—have been quietly sending sensitive visitor data to Facebook:
https://themarkup.org/pixel-hunt/2023/06/13/suicide-hotlines-promise-anonymity-dozens-of-their-websites-send-sensitive-data-to-facebook
VMware patched today a VMware ESXi zero-day vulnerability exploited by a Chinese-sponsored hacking group to backdoor Windows and Linux virtual machines and steal data:
https://www.bleepingcomputer.com/news/security/chinese-hackers-used-vmware-esxi-zero-day-to-backdoor-vms/
A UK agency for freelance doctors has potentially exposed personal details relating to 3,200 individuals via unsecured S3 buckets:
https://www.theregister.com/2023/06/12/lantum_s3_bucket_leak/
The Gamaredon APT group (aka Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, and Trident Ursa) continues to carry out attacks against entities in Ukraine, including security services, military, and government organizations. The group recently used new variants of the Pteranodon implant that are distributed using a new PowerShell script:
https://securityaffairs.com/147497/apt/gamaredon-targets-ukraine-new-ttps.html
Microsoft identifies new hacking unit within Russian military intelligence
Dubbed "Cadet Blizzard," the hacking group carried out operations targeting Ukrainian infrastructure in the run-up to the Russian invasion:
https://cyberscoop.com/microsoft-gru-russia-ukraine-hacking/
Deobfuscating a VBS Script With Custom Encoding:
https://isc.sans.edu/diary/29940