WEEKLY TOP TEN | November 20, 2023 15:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent cybersecurity risks. The ten stories below were selected from the 40+ we covered during the week, ranked by risk and cross-checked against multiple sources where available:
- Juniper RCE Vulnerability Added to CISA's KEV Catalog
CISA has added a remote code execution vulnerability in Juniper networking devices to its Known Exploited Vulnerabilities (KEV) catalog. The entry is tracked as CVE-2023-36851 (CVSS 5.3); the flaw is reachable before authentication and lets an attacker upload arbitrary files. The modest score reflects the individual bug: chained with several other flaws, the file upload leads to remote code execution, which is why it is being exploited in the wild.
- Security Flaw in Google Workspace Allows Attackers to Exfiltrate Plaintext Passwords
Researchers at Bitdefender have disclosed a technique attackers could use to steal plaintext credentials from Google Workspace environments. The attack targets the Google Credential Provider for Windows (GCPW), which handles several authentication-related functions on Workspace-joined Windows hosts. At the time of writing, Google has said it does not intend to fix the issue, treating it as out of scope because it only works on a device that is already compromised.
- Ransomware Group "Royal Ransomware" Possibly Rebranding to "BlackSuit Ransomware"
Royal is a ransomware group responsible for more than 350 known deployments against high-profile victims. CISA and the FBI recently updated their existing joint advisory with new TTPs (tactics, techniques and procedures) for Royal, noting that a very similar strain named BlackSuit has been observed and may be a rebrand of the same group with new capabilities.
- Maine State Census Breached via MOVEit Vulnerabilities
The state of Maine has disclosed a breach of its 2022 census data affecting an estimated 1.3 million people, nearly the state's entire population. The attackers used the known MOVEit Transfer vulnerabilities made infamous by the Cl0p ransomware gang. Because a census collects almost every category of personal information, the exposed records could enable significant fraud, identity theft and highly targeted phishing campaigns.
- SSH Flaw Allows for Private Key Recovery
Asymmetric key pairs have long been the standard for secure SSH authentication, but researchers have now published a paper showing that a faulty RSA signature can be used to recover the signer's private key. The error occurs in signature generation when a client connects to a server: if a computation fault corrupts the server's signature over the key exchange, an observer who captures that one flawed signature can derive the private key from it. Not every deployment is affected: the attack applies to RSA keys, and implementations that verify each signature before sending it (as OpenSSL and OpenSSH do) never release a faulty signature in the first place. Rotating keys regularly still limits the exposure window; a passphrase on the key file does not help against this particular attack, since the key is recovered from signatures rather than from the file.
- Denmark's Critical Infrastructure Targeted in a Series of Cyberattacks
SektorCERT, the security organisation for Denmark's critical infrastructure sector, has published details of a campaign of cyber-attacks against Danish critical infrastructure. It states that at least 22 companies were breached through unpatched vulnerabilities in Zyxel firewalls. Several threat actors appear to be involved, most notably Russia's Sandworm group. SektorCERT believes the attacks were deliberately aimed at Danish infrastructure rather than opportunistic, because the affected Zyxel firewalls were not indexed by search engines such as Shodan and so could not have been found by untargeted scanning.
- Zero-Day in Zimbra Webmail Client Used to Target Government Emails
Several threat actors have been observed using a zero-day vulnerability in Zimbra Collaboration Suite (ZCS) to target government email. The attackers went after email data, credentials and authentication tokens at organisations in Greece, Moldova, Vietnam and Pakistan. The vulnerability, CVE-2023-37580, is a cross-site scripting (XSS) flaw in the ZCS web client.
- Researchers Discover Critical Flaws in Open-Source AI Platforms Leading to Takeover
Protect AI, a security firm focused on artificial intelligence, has uncovered several major flaws in the open-source platforms used to deploy and manage large language models (LLMs). The vulnerabilities let an attacker take over the model, altering it to serve their own goals, steal intellectual property, and use the compromised system as a pivot into the rest of the network.
- Randstorm Vulnerability Allows for Crypto Wallet Theft
Researchers have found a bug in a deprecated function of BitcoinJS, a JavaScript library used by cryptocurrency platforms, that allows takeover and theft of cryptocurrency wallets. The vulnerable function was in use from 2011 to 2015, and wallets generated during that window remain at risk. The flaw lies in a pseudo-random number generator that produced far too little entropy, so the private keys derived from it can be recovered by guessing.
- BulletProftLink Phishing-as-a-Service Group Taken Down by Authorities
Malaysian authorities, the FBI and the Australian Federal Police have arrested eight individuals and seized servers, cryptocurrency wallets and computers in a coordinated takedown of the BulletProftLink phishing-as-a-service operation. The group sold initial access to networks obtained through phishing campaigns, enabling further malicious activity by its clients such as ransomware deployment. It was also known for using the Evilginx2 reverse proxy to bypass MFA through man-in-the-middle attacks.
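For the SSH signature-fault item above, the following is an added worked example (our own toy code, not from the digest, the paper's authors or any SSH implementation) of why a single faulty CRT-RSA signature leaks the private key, and of the "verify before release" check that prevents it. It uses the classic known-message fault attack; the published paper extends the idea with lattice techniques to the SSH case where part of the signed data is unknown to a passive observer. The 128-bit modulus, the seed values and the single-bit fault model are all assumptions for the demo; the arithmetic is identical for real 2048-bit host keys.

```python
# Added example, not from the digest or from any SSH implementation: a toy
# reproduction of the CRT-RSA fault attack and its countermeasure.
import random
from math import gcd


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test (plenty for demo-sized primes)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def keygen(bits=128, seed=1):
    """Deterministic toy RSA key (seeded so the demo is reproducible)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            break
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": p * q, "e": e, "d": d, "p": p, "q": q}


def crt_sign(key, m, fault=False):
    """CRT-RSA signing as fast implementations do it: sign mod p and mod q,
    then recombine. fault=True corrupts the mod-q half, modelling a glitch
    during the computation (assumed single-bit fault)."""
    p, q, d, n = key["p"], key["q"], key["d"], key["n"]
    s_p = pow(m, d % (p - 1), p)
    s_q = pow(m, d % (q - 1), q)
    if fault:
        s_q = (s_q ^ 1) % q
    h = ((s_p - s_q) * pow(q, -1, p)) % p  # Garner recombination
    return (s_q + q * h) % n


def recover_factor(n, e, m, sig):
    """Attacker side (Boneh-DeMillo-Lipton). A signature that is correct
    mod p but wrong mod q satisfies sig^e == m (mod p) only, so
    gcd(sig^e - m, n) is p. Returns None for a correct signature."""
    g = gcd(pow(sig, e, n) - m, n)
    return g if 1 < g < n else None


def safe_sign(key, m, fault=False):
    """Countermeasure: check the signature with the public key before it
    leaves the host, so a faulty signature is never emitted."""
    sig = crt_sign(key, m, fault)
    if pow(sig, key["e"], key["n"]) != m:
        raise RuntimeError("signature self-check failed; not released")
    return sig


if __name__ == "__main__":
    key = keygen()
    m = 0xC0FFEE  # constructed stand-in for the hash an SSH server signs
    bad = crt_sign(key, m, fault=True)
    p = recover_factor(key["n"], key["e"], m, bad)
    print("factor recovered from one faulty signature:", p in (key["p"], key["q"]))
```

The practical check for a fleet is therefore not the key file but the signer: an implementation that performs the public-key verification in safe_sign cannot leak a key this way, whereas one that skips it is one hardware glitch or software bug away from handing its host key to anyone sniffing the connection.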
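For the Randstorm item above, the following is an added example (our own toy model, not from the digest and not BitcoinJS's or jsbn's code) of why keys derived from a low-entropy generator can be recovered by enumeration. The hypothetical wallet seeds its generator with only SEED_BITS bits of entropy; the attacker, knowing only the public address, walks the whole seed space. The seed size, the SHA-256 expansion and the address derivation are assumptions chosen to keep the demo fast and self-contained; the actual seeding flaw in the deprecated BitcoinJS function is not modelled.

```python
# Added example, not from the digest or from BitcoinJS: toy model of
# low-entropy key generation and the brute-force recovery it permits.
import hashlib
import secrets
import struct

SEED_BITS = 16  # hypothetical entropy budget of the flawed generator


def weak_prng_bytes(seed, nbytes):
    """Expand a small integer seed into a byte stream. SHA-256 is only the
    expansion function here; the weakness modelled is the tiny seed space."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(struct.pack(">IQ", seed, counter)).digest()
        counter += 1
    return bytes(out[:nbytes])


def derive_address(priv):
    """One-way map from private key to public identifier (stand-in for
    public-key derivation plus hashing in a real wallet)."""
    return hashlib.sha256(b"addr|" + priv).hexdigest()[:40]


def generate_wallet_weak(seed):
    """Flawed wallet: 32 key bytes drawn from the weak, low-entropy PRNG."""
    priv = weak_prng_bytes(seed, 32)
    return priv, derive_address(priv)


def generate_wallet_secure():
    """Correct approach: 256 bits from the OS CSPRNG, infeasible to enumerate."""
    priv = secrets.token_bytes(32)
    return priv, derive_address(priv)


def recover_private_key(target_address):
    """Attacker view: only the public address is known (e.g. from the
    blockchain). Enumerate every seed the flawed generator could have used
    and stop when the derived address matches. Returns (seed, priv) or
    None. The same loop scales to any bounded seed space; only the
    2**256 space of a properly generated key puts it out of reach."""
    for seed in range(1 << SEED_BITS):
        priv, address = generate_wallet_weak(seed)
        if address == target_address:
            return seed, priv
    return None


if __name__ == "__main__":
    _, victim_address = generate_wallet_weak(0xBEEF)  # constructed victim
    hit = recover_private_key(victim_address)
    print("recovered seed:", hex(hit[0]) if hit else None)
```

The mitigation for wallets created in the affected window is the one the digest implies: generate a fresh key from a proper CSPRNG (generate_wallet_secure above) and move funds, since no amount of passphrase or software update can add entropy to a key that was already derived from a guessable seed.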