WEEKLY TOP TEN | SEPTEMBER 25, 2023 15:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranking by highest risk and using multiple sources when available:
- Critical Vulnerability in Cisco IOS XE Leads to Over 30k Compromised Devices
Cisco released a security advisory detailing an authentication bypass vulnerability in IOS XE devices, which include switches, routers, access points, etc. The vulnerability (CVE-2023-20198, with a CVSS score of 10) resides in the Web UI and allows for attackers to create new administrative users. Two days after the announcement by Cisco, over 30,000 devices with public-facing access to the Web UI have been compromised.
- Vulnerability in Synology DSM Allows for Admin Account Takeover
In June, Synology, the producer of many celebrated Network Attached Storage (NAS) items, brought to light a security flaw in their Disk Station Manager (DSM) programming. Presently, the security warning still says that rectification is ‘continuing’. This vulnerability (CVE-2023-2729, with a CVSS score of 7.5) permits aggressors to reassemble the arbitrary seed utilized to make the administrator secret phrase when the gadget was set up, giving the assailant the capacity to decode the secret phrase itself and access the executive account.
- Threat Actors Abuse Google Ads to Deliver Malware
MalwareBytes recently wrote about a method that bad people use called “malvertizing.” In this method, they pay Google Ads to show up as the first search result for popular, safe software like Notepad++. Despite having misleading titles, these URLs lead to sites with malicious downloads. Should an unsuspecting user click through, they may be exposed to a variety of malware types, ranging from spyware to info-stealers and command & control.
- QR Codes Used to Spread Malware and Steal Passwords
As QR codes become more popular, threat actors are using them to spread malware (Quishing) and steal credentials (QRLJacking). Malicious QR codes escape anti-phishing training since users don’t see the URL before visiting the website. Users must be taught to check the destination URL after clicking a link or scanning a QR code to verify the page.
- Coordinated Law Enforcement Effort Takes Down RagnarLocker Ransomware Gang
Early on October 19th, Europol seized the dark web negotiation and leak site for the RagnarLocker Ransomware group. It now displays the emblems of multiple law enforcement agencies and a message stating “This service has been seized as part of a coordinated international law enforcement action against the RagnarLocker group.”
- Fake Browser Update Malware Employs Blockchain for Defense Evasion
- Ukrainian Cyber Alliance Destroys the Infrastructure of Trigona Ransomware Group
The Ukrainian Cyber Alliance infiltrated the Trigona ransomware network, completely replacing their dark web site with the UCA logo. Additionally, they state they have taken out three complete server backups, crypto wallets, source code, and data from various programs such as Rocket Chat, Confluence, and Jira. Moreover, they eradicated all the data, forcing the ransomware gang to reconstruct their whole system from the beginning. There is an opportunity that the exfiltrated data includes victim decryption keys.
- ShellBot Linux Malware Uses New Methods to Avoid Detection
Threat actors exploited a vulnerability in the HTTP/2 protocol to perform the largest ever DDoS attack to date. Google recorded 398 million requests per second, which is seven and a half times more than the previous record-holder, Cloudflare, who recorded 46 million requests per second. The target companies mostly mitigated these attacks, which did not appear to result in any service outages.
- Hackers Use Scripts to Deliver Several Types of Malware at Once
The FBI released an advisory this year about scripts used by attackers to download different types of malware at the same time. The scripts are called “multi-tooling” and allow the attackers to make money while gathering data for further compromise or to sell. Kaspersky has stated that they see multi-tooling scripts being used often.
- Attackers Continue to Exploit Critical WinRAR Vulnerability
In August, a critical vulnerability was found in WinRAR. This allows for remote code execution when users try to view a file in a zip archive. Patches have been available, but Google’s TAG (Threat Analysis Group) says that Russian state-sponsored APTs still use this vulnerability. Make sure the latest WinRAR patches are applied to prevent exploitation.