ZeroFox Weekly Threat Bulletin: 09/01/2023 - 09/07/2023
by Alpha Team

ZeroFox Daily Intelligence:
ZeroFox Daily Intelligence Brief - September 8, 2023
Brief Highlights
- Hackers Attack Security Researchers with New Zero-Day
- Multiple Nation-State Threat Actors Breached American Aeronautical Organization
- Zero-Click Zero-Days Exploited to Attack iPhones and Macs
- Data broker / initial-access broker / hacktivist group: The Five Families and Radis the Cyber Otter (Operator of TeslaBot)
- Vulnerabilities: CVE-2023-40953 and CVE-2022-48571
- Exploit: CVE-2022-21999
- BreachForums/HydraMarket: NaPopravku Data Breach and BreachForums: UAE Investment Users Data Leak
Report: https://zerofox.com/advisories/21770
ZeroFox Daily Intelligence Brief - September 4, 2023
Brief Highlights
- Golf Gear Giant Callaway Data Breach Exposes Info of 1.1 Million
- Q2 2023 Public Sector Quarterly Threat Landscape Report
- VMware Issues Patches for Aria Operations After Exploit Code Surfaces
- Data broker / initial-access broker / hacktivist group: Anonymous Sudan and Cyb3r Drag0nz
- Vulnerabilities: CVE-2023-38521 and CVE-2023-37220
- Exploits: CVE-2021-31166 and CVE-2021-20038
- Telegram: Plato Online Data Breach (170,303 Records) and XSS: The Chin Forum Data Breach (58,089 Records)
Report: https://zerofox.com/advisories/21708
ZeroFox Daily Intelligence Brief - September 01, 2023
Brief Highlights
- CISA and International Partners Release Malware Analysis Report on Infamous Chisel Mobile Malware
- Hackers Release Advanced Variants of Popular Open-Source Infostealer
- Researchers Take Down Telescopes after Suspicious Activity in Systems
- Data broker / initial-access broker / hacktivist group: BreachForums user LegendShadow and Türk Hack Team
- Vulnerabilities: CVE-2023-4698 and CVE-2023-41163
- Exploits: CVE-2021-43798 and CVE-2020-5260
- BreachForums/XSS: Hitfinex Data Leak and Combolist: '70k Hulu CLoud.txt'
Report: https://zerofox.com/advisories/21691
Breach Disclosures:
НаПоправку
An alleged data breach at НаПоправку – a Russia-based online medical platform for booking doctor consultations – exposed 695,373 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/21785
Event
An alleged data breach at Event – a U.K.-based event merchandise company – exposed 64,647 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/21769
Overclockzone
An alleged data breach at Overclockzone – a Thailand-based open source library – exposed 675,371 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/21768
Juma Al Majid Holding Group
An alleged data breach at Juma Al Majid Holding Group – a Dubai-based conglomerate – exposed 33,205 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/21753
UK Consumer Data 2023
An alleged data breach of UK Consumer Data 2023 exposed 9,601 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/21752
Praakritik
An alleged data breach at Praakritik – an India-based online natural and organic retail store – exposed 81,974 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/21746
Plato
An alleged data breach at Plato – an India-based educational platform – exposed 170,303 email addresses and/or usernames, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/21740
Duolingo
An alleged data breach at Duolingo – a U.S.-based online language learning platform – exposed 2,685,777 email addresses and/or usernames, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/21736
Saadet
An alleged data breach at Saadet – a Turkey-based nonprofit organization – exposed 544 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/21729
ApexSMS
An alleged data breach of ApexSMS exposed 23,917,055 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/21721
Kolkata Women Job Seekers Database
An alleged data breach of a Kolkata Women Job Seekers Database exposed 37,900 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/21716
DC-Unlocker forum
An alleged data breach at DC-Unlocker forum – a Lithuania-based discussion forum – exposed 108,648 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/21704
The Chin Forum
An alleged data breach at The Chin Forum – a U.S.-based track event discussion forum – exposed 58,089 email addresses, which were subsequently shared on a deep web platform.
Report: https://zerofox.com/advisories/21703
Breaking News:
Dozens of Unpatched Flaws Expose Security Cameras Made by Defunct Company Zavio
Dozens of vulnerabilities have been found in widely used security cameras made by defunct Chinese company Zavio. Seven of the vulnerabilities can be exploited for unauthenticated remote code execution with root privileges. These types of flaws can typically enable attackers to take complete control of the targeted device.
See the full report here: https://www.securityweek.com/dozens-of-unpatched-flaws-expose-security-cameras-made-by-defunct-company-zavio/
New Agent Tesla Variant Uses Excel Exploit to Infect Windows PCs
Researchers have detected a new variant of the notorious Agent Tesla malware family used in a phishing campaign. They revealed that the malware can steal “credentials, keylogging data, and active screenshots” from the victim’s device. Stolen data is exfiltrated to the malware operator by email over SMTP. The malware mainly infects Windows devices.
See the full report here: https://www.hackread.com/agent-tesla-variant-excel-exploit-windows-pc/
Google's Souped-up Chrome Store Review Process Foiled by Data-Stealer
Researchers have discovered that despite Google's adoption of the Manifest V3 security standard to protect against malicious plug-ins, attackers can still get bad extensions past its review process.
See the full report here: https://www.darkreading.com/application-security/google-chrome-store-review-process-data-stealer
Mirai Botnet Variant "Pandora" Hijacks Android TVs for Cyberattacks
A Mirai botnet variant called Pandora has been observed infiltrating inexpensive Android-based TV sets and TV boxes and using them as part of a botnet to perform distributed denial-of-service (DDoS) attacks. Researchers said the compromises are likely to occur either during malicious firmware updates or when applications for viewing pirated video content are installed.
See the full report here: https://thehackernews.com/2023/09/mirai-botnet-variant-pandora-hijacks.html
CISA Seeks Vendor Commitments to Boost Cybersecurity in K-12 Schools
The CISA Director issued a statement pledging to address K-12 cybersecurity issues and help ensure schools and administrators “have access to technology and software that is safe and secure right out of the box.”
See the full report here: https://www.nextgov.com/cybersecurity/2023/09/cisa-seeks-vendor-commitments-boost-cybersecurity-k-12-schools/390001/?&web_view=true
Outlook Breach: Microsoft Reveals How a Crash Dump Led to a Major Security Breach
Microsoft revealed that a China-based threat actor known as Storm-0558 acquired an inactive consumer signing key, which it used to forge tokens to access Outlook, by compromising an engineer’s corporate account. This gave the adversary access to a debugging environment containing a crash dump of the consumer signing system from April 2021, from which the key was stolen.
See the full report here: https://thehackernews.com/2023/09/outlook-breach-microsoft-reveals-how.html
MITRE and CISA Release Open Source Tool for OT Attack Emulation
The new Caldera for OT tool is the result of a collaboration between the Homeland Security Systems Engineering and Development Institute (HSSEDI) and CISA, to help improve the resilience of critical infrastructure.
See the full report here: https://www.securityweek.com/mitre-and-cisa-release-open-source-tool-for-ot-attack-emulation/?&web_view=true
Ukraine's CERT Thwarts APT28's Cyberattack on Critical Energy Infrastructure
The Computer Emergency Response Team of Ukraine (CERT-UA) said it thwarted a cyber attack against an unnamed critical energy infrastructure facility in the country.
See the full report here: https://thehackernews.com/2023/09/ukraines-cert-thwarts-apt28s.html?&web_view=true
Mooncake buyers lose over SGD 300,000 to Android malware scams
At least 27 victims in Singapore have fallen to mooncake scams perpetrated on social media platforms and involving a malicious Android mobile application. Victims would come across advertisements for the sale of mooncakes on Facebook and Instagram in this new scam variant. They would then be contacted by scammers on WhatsApp and directed to malicious links to make payments.
See the full report here: https://www.channelnewsasia.com/singapore/mooncake-scams-android-malware-facebook-instagram-3747371
Chipmaker NXP confirms data breach involving customers’ information
Dutch chipmaker NXP Semiconductors has alerted customers to a data breach involving their personal information. Those affected appear to be individuals with an online NXP account, which provides access to technical content and community support. This data includes customers’ full names, email addresses, postal addresses, business phone numbers, mobile phone numbers, company names, job titles and descriptions, and communication preferences.
See the full report here: https://techcrunch.com/2023/09/05/chipmaker-nxp-confirms-data-breach-involving-customers-information/
Xiaomi users report they found browser hacking malware on their phones
Xiaomi users are making a controversial claim about the company’s smartphones. According to these users, their Xiaomi smartphones have malware named Mintnav installed, which purportedly hacks the Chrome browser.
See the full report here: https://www.gizmochina.com/2023/09/04/xiaomi-users-report-they-found-browser-hacking-malware-on-their-phones/
Coffee Meets Bagel says recent outage caused by destructive cyberattack
The Coffee Meets Bagel dating platform confirms last week's outage was caused by hackers breaching the company's systems and deleting company data.
See the full report here: https://www.bleepingcomputer.com/news/security/coffee-meets-bagel-says-recent-outage-caused-by-destructive-cyberattack/
Atlas VPN zero-day vulnerability leaks users' real IP address
An Atlas VPN zero-day vulnerability affecting the Linux client leaks a user's real IP address simply by visiting a website, due to insufficient authentication on its API endpoint. The flaw essentially strips away the protection the VPN is meant to provide.
See the full report here: https://www.bleepingcomputer.com/news/security/atlas-vpn-zero-day-vulnerability-leaks-users-real-ip-address/
ASUS routers vulnerable to critical remote code execution flaws
Three critical-severity remote code execution vulnerabilities impact ASUS RT-AX55, RT-AX56U_V2, and RT-AC86U routers, potentially allowing threat actors to hijack devices if security updates are not installed. These three WiFi routers are popular high-end models within the consumer networking market, currently available on the ASUS website, favored by gamers and users with demanding performance needs.
See the full report here: https://www.bleepingcomputer.com/news/security/asus-routers-vulnerable-to-critical-remote-code-execution-flaws/
Chaes malware now uses Google Chrome DevTools Protocol to steal data
Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes. It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol.
See the full report here: https://thehackernews.com/2023/09/new-python-variant-of-chaes-malware.html
New BLISTER Malware Update Fuelling Stealthy Network Infiltration
An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic. The new BLISTER update includes a keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments.
See the full report here: https://thehackernews.com/2023/09/new-blister-malware-update-fuelling.html
TissuPath hack: patient data possibly exposed in cyber-attack on Melbourne pathology clinic
Ten years' worth of pathology referral letters may have been exposed in a cybersecurity incident affecting the Victorian pathology clinic TissuPath in Australia. The company stated that it is investigating the potential exposure of referral letters, patient names, contact details and Medicare numbers.
See the full report here: https://www.theguardian.com/technology/2023/sep/05/tissupath-hack-patient-data-breach-cyber-attack-melbourne-pathology-clinic
Okta Warns of Social Engineering Attacks Targeting Super Administrator Privileges
Okta, an identity services provider, has issued a warning about social engineering attacks in which threat actors manipulate IT service desk personnel to reset authentication factors for privileged users. These attacks, dubbed Muddled Libra, involve the use of a commercial phishing kit called 0ktapus to harvest credentials and multi-factor authentication (MFA) codes. The attacks, occurring between July 29 and August 19, 2023, highlight the need for improved authentication practices and stronger identity verification processes.
See the full report here: https://thehackernews.com/2023/09/okta-warns-of-social-engineering.html
Hackers Exploit MinIO Storage System Vulnerabilities to Compromise Servers
An unknown threat actor has been observed weaponizing high-severity security flaws in the MinIO high-performance object storage system to achieve unauthorized code execution on affected servers.
See the full report here: https://thehackernews.com/2023/09/hackers-exploit-minio-storage-system.html?&web_view=true
Chinese-Speaking Cybercriminals Launch Large-Scale iMessage Smishing Campaign in U.S.
A new large-scale smishing campaign is targeting the U.S. by sending iMessages from compromised Apple iCloud accounts with an aim to conduct identity theft and financial fraud.
See the full report here: https://thehackernews.com/2023/09/chinese-speaking-cybercriminals-launch.html
Ransomware Attack on Fencing Systems Maker Zaun Impacts UK Military Data
British mesh fencing systems maker Zaun disclosed a LockBit ransomware attack which could have potentially impacted data related to the UK military and intelligence sites.
See the full report here: https://www.securityweek.com/ransomware-attack-on-fencing-systems-maker-zaun-impacts-uk-military-data/
University of Sydney suffered a security breach caused by a third-party service provider
The University of Sydney (USYD) announced that a data breach suffered by a third-party service provider exposed the personal information of recently applied and enrolled international applicants. The University of Sydney immediately launched an investigation into the incident and determined that only a limited number of recently applied and enrolled international applicants had their personal data compromised.
See the full report here: https://securityaffairs.com/150310/hacking/university-of-sydney-security-breach.html
Fake YouPorn Extortion Scam Threatens to Leak Your Sex Tape
A new sextortion scam is making the rounds that pretends to be an email from the adult site YouPorn, warning that a sexually explicit video of you was uploaded to the site and suggesting you pay to have it taken down.
See the full report here: https://www.bleepingcomputer.com/news/security/fake-youporn-extortion-scam-threatens-to-leak-your-sex-tape/?&web_view=true
Freecycle Users Told to Change Passwords After Data Breach
Freecycle, an online community that encourages sharing unwanted items with each other rather than chucking them in the bin or taking them to landfill, has told users to change their passwords after it suffered a data breach. An announcement on the Freecycle website was the first I knew about the security breach, as – at the time of writing – despite being a member of the site I still haven’t received any other notification from the community.
See the full report here: https://grahamcluley.com/freecycle-users-told-to-change-passwords-after-data-breach/?&web_view=true
Vietnamese Cybercriminals Targeting Facebook Business Accounts with Malvertising
Victims are approached through various platforms ranging from Facebook and LinkedIn to WhatsApp and freelance job portals like Upwork. Another known distribution mechanism is the use of search engine poisoning to boost bogus software.
See the full report here: https://thehackernews.com/2023/09/vietnamese-cybercriminals-targeting.html?&web_view=true
Chrome Extensions can Steal Plaintext Passwords From Website Source Code
A team of researchers from the University of Wisconsin-Madison uploaded to the Chrome Web Store a proof-of-concept extension that can steal plaintext passwords from a website's source code. An examination of the text input fields in web browsers revealed that the coarse-grained permission model underpinning Chrome extensions violates the principles of least privilege and complete mediation.
See the full report here: https://www.bleepingcomputer.com/news/security/chrome-extensions-can-steal-plaintext-passwords-from-websites/?&web_view=true
Russia-linked hackers target Ukrainian military with Infamous Chisel Android malware
Russia-linked threat actors have been targeting Android devices of the Ukrainian military with a new malware dubbed Infamous Chisel. GCHQ’s National Cyber Security Centre and international partners reported that Russia-linked threat actors are using a new malware to target the Ukrainian military.
See the full report here: https://securityaffairs.com/150167/cyber-warfare-2/infamous-chisel-malware-targets-ukraine.html
LogicMonitor customers hacked in reported ransomware attacks
Network monitoring company LogicMonitor confirmed that some users of its SaaS platform have fallen victim to cyberattacks. The company says that the hacking campaign has hit what it describes as a "small number" of users and is working with those affected to mitigate the attacks' impact.
See the full report here: https://www.bleepingcomputer.com/news/security/logicmonitor-customers-hacked-in-reported-ransomware-attacks/
North Korean hackers behind malicious VMConnect PyPI campaign
North Korean state-sponsored hackers are behind the VMConnect campaign that uploaded to the PyPI (Python Package Index) repository malicious packages, one of them mimicking the VMware vSphere connector module vConnector.
See the full report here: https://www.bleepingcomputer.com/news/security/north-korean-hackers-behind-malicious-vmconnect-pypi-campaign/
Sourcegraph website breached using leaked admin access token
AI-powered coding platform Sourcegraph revealed that its website was breached this week using a site-admin access token accidentally leaked online on July 14, 2023.
See the full report here: https://www.bleepingcomputer.com/news/security/sourcegraph-website-breached-using-leaked-admin-access-token/
Good news for Key Group ransomware victims: Free decryptor out now
Even ransomware operators make mistakes, and in the case of ransomware gang the Key Group, a cryptographic error allowed a team of security researchers to develop and release a decryption tool to restore scrambled files.
See the full report here: https://go.theregister.com/feed/www.theregister.com/2023/08/31/key_group_ransomware_decryptor/
Cigna Health Data Leak: 17 Billion Records Exposed
Researchers have unearthed a concerning incident involving a non-password-protected database containing over a staggering 17 billion records. The extensive records were traced back to Cigna Health, a major player in the health insurance industry. The company’s effort to bolster transparency inadvertently led to this massive data leak.
See the full report here: https://www.hackread.com/cigna-health-data-leak-17-billion-records-exposed/
Classiscam Scam-as-a-Service Raked USD 64.5 Million During the COVID-19 Pandemic
The Classiscam scam-as-a-service program has reaped the criminal actors USD 64.5 million in illicit earnings since its emergence in 2019. Classiscam campaigns initially started out on classified sites, on which scammers placed fake advertisements and used social engineering techniques to convince users to pay for goods by transferring money to bank cards.
See the full report here: https://thehackernews.com/2023/09/classiscam-scam-as-service-raked-645.html
New SuperBear Trojan Emerges in Targeted Phishing Attack on South Korean Activists
A new phishing attack likely targeting civil society groups in South Korea has led to the discovery of a novel remote access trojan called SuperBear. The intrusion singled out an unnamed activist, who was contacted in late August 2023 and received a malicious LNK file from an address impersonating a member of the organization.
See the full report here: https://thehackernews.com/2023/09/new-superbear-trojan-emerges-in.html
ZeroFox Intelligence Reports:
ZeroFox Intelligence – Eastern Europe Regional Assessment
In this regional assessment, ZeroFox researchers establish the key geopolitical and security risks currently impacting Eastern Europe, an overview of some of the major issues facing the region, and provide forward-looking statements on how these will likely impact the region in the coming months.
Report: https://zerofox.com/advisories/21786
ZeroFox Intelligence Event Assessment - G20 Summit
In this ZeroFox Event Assessment on the upcoming G20 Summit, ZeroFox geopolitical researchers provide an overview of the event itself, expected topics and outcomes, and key risks and threats associated with the event.
Report: https://zerofox.com/advisories/21774
ZeroFox Intelligence Geopolitical Brief for September 2023
In this ZeroFox Intelligence Geopolitical Brief for September 2023, ZeroFox geopolitical researchers cover spreading insecurity and democratic backsliding after another coup at the end of August. With Delhi and Jakarta hosting the G-20 and ASEAN summits in quick succession, world leaders have their last opportunity to meet together in 2023. Following developments at the G-7 and BRICS meetings in August, there could be more supply chain rearrangements in particular. Ukrainian forces are finally seeing some progress in their counteroffensive. Both Europe and Latin America are preparing for a slew of fall elections that will have implications for business operations in Europe and physical security in Latin America.
Report: https://zerofox.com/advisories/21700
Tags: tlp:clear, weekly bulletin, all industries, global