WEEKLY TOP TEN | SEPTEMBER 06, 2023 15:59 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranking by highest risk and using multiple sources when available:
- 80% Of Security Incidents Are the Result of the Top Three Malware Loaders (1) (2)
According to the Reliaquest report, there were a total of seven that it observed in customer environments:
- Qbot: 30%
- SocGholish: 27%
- Rasberry Robin: 23%
- Smoke Loader Drops Whiffy Recon Wi-Fi Scanning and Geolocation Malware (1) (2)
Other than being dropped on infected systems, there is no mention of a goal. This post-exploitation malware is named Smoke Loader.
- Domain-Wide Ransomware Caused by HTML Smuggling (1) (2)
The DFIR Report has released a new report with a deep analysis of an attack chain ending in Nokoyawa Ransomware. According to the report, there were two threat actors that included the distributor and the hands-on keyboard actor.
- CVE-2023-38831 WinRAR Zero Day (1) (2)
CVE-2023-38831 is a zero-day vulnerability in WinRAR exploited by cybercriminals to target traders. The vulnerability was actively employed to install malware when a target clicked on a seemingly innocuous file in an archive. In this way, it allowed hackers to breach online cryptocurrency trading accounts.
- Ransomware With an Identity Crisis Targets Small Businesses, and individuals (1) (2)
Researchers have discovered TZW, a brand-new strain of Adhubllka ransomware. It is known to target individuals and small businesses. Unlike the typical hundreds of thousands to millions of dollars demanded by large conglomerates, this threat actor will only demand a small ransom.
- Two Men Arrested Following Poland Railway Hacking (1) (2)
Polish police have arrested two suspects in the recent incident involving a hack of the Polish national railway’s communications network, causing disruption to 20 trains. According to Poland’s railway infrastructure operator, the attack forced the cancellation of 20 trains nationwide and caused hours of traffic delays over the weekend.
- Researchers Discover Reply URL Takeover Issue in Azure (1) (2)
Secureworks security researchers had discovered an abandoned reply URL address in the low-code Power Platform application for Azure AD. By redirecting the codes to themselves, attackers could use this URL to exchange access tokens for authorization codes. The threat actor could then use a middle-tier service to access the Power Platform API and gain elevated privileges.
- Lazarus Exploits ManageEngine to Deploy QuiteRAT (1) (2)
By exploiting a vulnerability in ManageEngine ServiceDesk (CVE-2022-47966), the North Korean Advanced Persistent Threat (APT) group known as Lazarus has begun a new campaign that targets internet backbone infrastructure and healthcare organizations located in Europe and the United States.
- The Hacking Group Kittensec Promises to “Pwn Anything We See” to Reveal Corruption (1) (2)
KittenSec is a newly emerged hacking collective that has been attacking government and private targets worldwide as part of their hacktivism. They have announced that they “plan on attacking many more NATO countries in the future.
- Qakbot Malware Disrupted in an International Cyber Takedown (1) (2)
In order to stop the Qakbot malware botnet and destroy its infrastructure, a global operation was announced in a press release by the US Attorney’s Office for the Central District of California. This is the largest U.S.-led financial and technical disruption of a botnet infrastructure.