CyberSecurity Newsletter September 2nd 2024
In this week’s news: Corvus Insurance releases Q2 ransomware stats, a security flaw in a TSA crew-vetting system allows skipping security screening, Columbus, Ohio sues a security researcher for researching security, Atlassian Confluence is targeted by cryptominers, North Korean hackers deliver malware using a Chrome bug, Cicada3301 ransomware encrypts VMware ESXi hosts, and GitHub comments are abused to distribute malware.
Corvus Insurance released some Q2 ransomware stats:
Key Takeaways:
Ransomware leak-site activity reached its second-highest quarterly volume of victims posted
Corvus observed a 102% QoQ increase in Average Ransom Demand
Corvus claims saw a 19% YoY increase in Third-Party Breaches
https://www.corvusinsurance.com/blog/q2-2024-cyber-threat-report
A new ransomware-as-a-service (RaaS) operation named Cicada3301 has already listed 19 victims on its extortion portal and is quickly attacking companies worldwide. Cicada3301 uses double-extortion tactics: the operators breach corporate networks, steal data, and then encrypt devices. The ransomware is written in Rust and ships both Windows and Linux/VMware ESXi encryptors:
https://www.bleepingcomputer.com/news/security/cicada3301-ransomwares-linux-encryptor-targets-vmware-esxi-systems/
A recently patched security flaw in Google Chrome and other Chromium web browsers was exploited as a zero-day by North Korean actors in a campaign designed to deliver the FudModule rootkit. Microsoft, which detected the activity on August 19, 2024, attributed it to a threat actor it tracks as Citrine Sleet (formerly DEV-0139 and DEV-1222), which is also known as AppleJeus, Labyrinth Chollima, Nickel Academy, and UNC4736. It's assessed to be a sub-cluster within the Lazarus Group (aka Diamond Sleet and Hidden Cobra):
https://thehackernews.com/2024/08/north-korean-hackers-deploy-fudmodule.html
A newly identified malware campaign, dubbed “Voldemort,” has been spreading stealthily across the globe, targeting organizations in various sectors, including insurance, aerospace, transportation, and education. The campaign, which began on August 5, 2024, has already sent over 20,000 phishing emails to more than 70 organizations, with a peak of 6,000 emails daily. The malicious activity is thought to be part of a sophisticated cyber espionage effort, according to a recent report by Proofpoint:
https://hackread.com/voldemort-malware-uses-google-sheets-target-sectors/
Security researchers have found a vulnerability in a key air transport security system that allowed unauthorized individuals to bypass airport security screenings and access aircraft cockpits. Researchers Ian Carroll and Sam Curry discovered the vulnerability in FlyCASS, a third-party web-based service that some airlines use to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS). KCM is a Transportation Security Administration (TSA) initiative that allows pilots and flight attendants to skip security screening, and CASS enables authorized pilots to use jumpseats in cockpits when travelling:
https://www.bleepingcomputer.com/news/security/researchers-find-sql-injection-to-bypass-airport-tsa-security-checks/
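The FlyCASS issue was a SQL injection in a login form. The following is an added illustration written for this newsletter, not FlyCASS code and not the researchers' payloads: a minimal SQLite-backed crew login that builds its query by string concatenation, beside the same lookup written with a parameterized query. The table, user records and password storage are constructed for the example (real systems must store hashed passwords, not cleartext); the point is only that the concatenated version accepts classic `' OR 1=1 --` style input as a valid login while the parameterized version does not.

```python
import sqlite3


def make_db():
    """Constructed sample database: one crew record (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE crew (username TEXT, password TEXT, cass_authorized INTEGER)"
    )
    conn.execute("INSERT INTO crew VALUES ('pilot1', 'correct horse', 1)")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Deliberately vulnerable: user input is pasted into the SQL text.

    A username of  ' OR 1=1 --  turns the statement into
      ... WHERE username = '' OR 1=1 --' AND password = '...'
    and a password of  ' OR '1'='1  turns it into
      ... WHERE username = '...' AND password = '' OR '1'='1'
    Both match every row, so the first crew member is "authenticated".
    """
    query = (
        "SELECT username FROM crew WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Hardened: placeholders keep the input as data, never as SQL syntax."""
    row = conn.execute(
        "SELECT username FROM crew WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    for user, pw in [("pilot1", "correct horse"),
                     ("' OR 1=1 --", "wrong"),
                     ("nobody", "' OR '1'='1")]:
        print(repr(user), repr(pw),
              "vulnerable ->", login_vulnerable(conn, user, pw),
              "| safe ->", login_safe(conn, user, pw))
```

Running the block shows the two injection inputs logging in as `pilot1` through `login_vulnerable` and being rejected by `login_safe`. Parameterized queries (or an ORM that uses them) are the fix; input filtering alone is not, because the database, not the application, decides what counts as SQL syntax.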
The City of Columbus, Ohio, has filed a lawsuit against security researcher David Leroy Ross, aka Connor Goodwolf, accusing him of illegally downloading and disseminating data stolen from the City's IT network and leaked by the Rhysida ransomware gang:
https://www.bleepingcomputer.com/news/security/researcher-sued-for-sharing-data-stolen-by-ransomware-with-media/
Threat actors are actively exploiting CVE-2023-22527 (CVSS score 10.0), a critical vulnerability in Atlassian Confluence Data Center and Confluence Server, in cryptojacking campaigns that deploy cryptocurrency miners on compromised instances:
https://securityaffairs.com/167813/cyber-crime/atlassian-confluence-data-center-confluence-server-cryptocurrency-mining-campaigns.html
Cybersecurity and automation company Fortra released patches for two vulnerabilities in FileCatalyst Workflow. One of them is a critical issue, tracked as CVE-2024-6633 (CVSS score of 9.8) and described as an insecure default in the FileCatalyst Workflow setup:
https://securityaffairs.com/167838/security/fortra-filecatalyst-critical-workflow.html
GitHub is being abused to distribute the Lumma Stealer information-stealing malware as fake fixes posted in project comments. The campaign was first reported by a contributor to the teloxide Rust library, who noted on Reddit that they had received five different comments on their GitHub issues that pretended to be fixes but were instead pushing malware:
https://www.bleepingcomputer.com/news/security/github-comments-abused-to-push-password-stealing-malware-masked-as-fixes/
A WhatsApp hoax message has reportedly resurfaced, raising concern among users who have received what appear to be different versions of fake chain messages that have been circulating for a few years:
https://www.infosecurity-magazine.com/news/dont-fall-for-the-whatsapp-gold/
Roblox developers are the target of a persistent campaign that seeks to compromise systems through bogus npm packages:
https://thehackernews.com/2024/09/malicious-npm-packages-mimicking.html
Companies and government agencies in Southeast and East Asia (especially Thailand, Japan, South Korea, Singapore, Taiwan, and Indonesia) have experienced a significant increase in ransomware attacks, outpacing the rate of ransomware growth in European nations, according to telemetry data from Trend Micro:
https://www.darkreading.com/cyber-risk/ransomware-gangs-pummel-southeast-asia