In today’s digital age, cybersecurity concerns are on the rise. In 2021, around 714 million attempted ransomware attacks were recorded, a 134 percent increase over 2020. Criminals are finding new opportunities to identify easy targets as individuals spend more time online for business. Using the right bait is one of the simplest methods crooks use to locate their victims.
Over the last week, several cybersecurity data breaches and hacks have happened globally. This article explores the latest cybersecurity news from the last week.
- Spider-Man pirated downloads containing Crypto-Mining Malware
ReasonLabs, a well-known supplier of cybersecurity prevention and detection software, has uncovered a new kind of malware that is infiltrating client PCs under the pretense of the upcoming Spider-Man film. ReasonLabs discovered the malware following a routine check of its large database of files; the report appeared on The Hacker News website on 24th December.
Spider-Man, perhaps the most talked-about film in a long time, is a tremendous opportunity for hackers. It is a chance to reach millions of prospective targets and compromise computers all across the world. All today’s malicious actors need to do is offer their victims access to the newest movie, and they have full access to their computers.
ReasonLabs uncovered cryptocurrency-mining malware that masquerades as a torrent for the Spider-Man: No Way Home film, urging people all across the globe to download the file and expose their computers to criminals. However, according to ReasonLabs, this is far from the first time thieves have attempted to dupe people into believing they are downloading something they want.
When a user runs the downloaded file, the code adds Windows Defender exclusions so that its activity is not inspected, runs watchdog processes to protect itself, and establishes persistence. The malware’s main goal is to mine a cryptocurrency known as Monero (XMR), one of the most untraceable and anonymous cryptocurrencies, often used on the dark web.
Users infected with the malware may not notice any changes to their machines right away. However, as the miner consumes CPU power, they may notice a decrease in performance and issues with general computer operation. Furthermore, the harm is likely to show up on the energy bill, since mining workloads need additional power.
ReasonLabs is currently investigating where this malware originated and hopes to share new information soon.
- macOS Bug that allows malware Bypass Gatekeeper Security
Apple has patched a security flaw in the macOS operating system that could be used by a threat actor to bypass a “myriad of core macOS security features” and execute arbitrary code.
On December 24th, security researcher Patrick Wardle reported the finding in a series of tweets. The problem, tracked as CVE-2021-30853 (CVSS score: 5.5), refers to a situation in which a malicious macOS application could bypass Gatekeeper checks, which are meant to guarantee that only trusted applications can be executed and that they have passed an automated procedure known as “app notarization.”
Such flaws are often especially harmful to ordinary macOS users, since they allow adware and malware producers to circumvent macOS security features. This flaw in particular bypasses not just Gatekeeper but also File Quarantine and macOS’s notarization requirements, potentially enabling a seemingly benign PDF file to infect the whole system merely by being opened.
Threat actors can exploit this flaw by tricking their targets into opening a rogue app disguised as Adobe Flash Player updates or trojanized versions of legitimate apps such as Microsoft Office, which can then be delivered via a method known as search poisoning, in which attackers artificially increase the search engine ranking of websites hosting their malware to lure potential victims.
- BLISTER, New malware using code signing certificate to escape Detection
On 24th December, according to The Hacker News, cybersecurity researchers revealed details of an elusive malware campaign that uses genuine code signing certificates to bypass security defenses and remain undetected while distributing Cobalt Strike and BitRAT payloads on infected computers.
Blister poses as a legitimate library called “colorui.dll” and is distributed with a dropper called “dxpo8umrzrrr1w6gm.exe.” Following execution, the loader is designed to sleep for 10 minutes, most likely to avoid sandbox analysis, before establishing persistence and decrypting an embedded malware payload such as Cobalt Strike or BitRAT.
Once decrypted, the embedded payload is loaded into the current process or injected into a newly spawned WerFault.exe (Windows Error Reporting) process.
- FBI, NSA, and CISA Log4J Vulnerability Joint Advisory Report
Australia, Canada, New Zealand, the United States, and the United Kingdom issued a joint advisory on Wednesday 23rd December in response to the widespread exploitation of multiple vulnerabilities in Apache’s Log4j software library by malicious adversaries. An attacker can use Log4Shell (CVE-2021-44228) to execute arbitrary code by sending a specially crafted request to a vulnerable system.
According to the FBI’s assessment of the attacks, threat actors may incorporate the flaws into “existing cybercriminal schemes that are looking to adopt increasingly sophisticated obfuscation techniques.” Organizations are being urged to identify, mitigate, and update affected assets as soon as possible, given the severity of the vulnerabilities and the likelihood of increased exploitation.
To that end, the United States Cybersecurity and Infrastructure Security Agency (CISA) has released a scanner utility to detect systems vulnerable to the Log4Shell vulnerability, mirroring a similar tool released by the CERT Coordination Center (CERT/CC).
However, an assessment published this week by Israeli cybersecurity firm Rezilion found that commercial scanning tools were ill-equipped to detect all forms of the Log4j library in an environment, since instances are frequently nested deep inside other code; this reveals the “blind spots” of such utilities and the limitations of static scanning.
Log4Shell’s public disclosure has also prompted several technology vendors to release patches for software that contains the flaw. NVIDIA and HPE are the most recent companies to issue updates, joining a long list of vendors who have published security advisories outlining the products affected by the vulnerability.
- Ubisoft Just Dance Video Game Data Breach
After unknown perpetrators attacked its popular video game series Just Dance, Ubisoft has reported a data breach. According to The Daily Swig news released on 21st December, customer information may have been acquired when attackers took advantage of a “misconfiguration” to grab data.
According to Ubisoft, the breach was confined to ‘technical identifiers’ such as GamerTags, profile IDs, and device IDs, as well as recordings of Just Dance videos submitted to be shared publicly with the in-game community and/or on social network accounts.
The issue was the consequence of a misconfiguration which, once found, was promptly remedied, but which allowed unauthorized persons to view and possibly copy certain personal player data.
According to the inquiry, no Ubisoft account information has been compromised as a consequence of this incident. Ubisoft has recommended that all Just Dance users update their passwords and implement two-factor authentication.
- More than half a million patient records exposed in a data breach at Texas ENT healthcare facility in the US
A data breach at Texas Ear, Nose, and Throat Specialists in the United States has affected over 535,000 patients.
Texas ENT found that unauthorized persons obtained access to its computer systems and took copies of Texas ENT information, including patient names, dates of birth, medical record numbers, and procedure codes used for billing purposes. Social Security numbers were also compromised.
According to Texas ENT, the unauthorized intruders did not get access to the company’s electronic medical records system. Texas ENT has 15 sites throughout Harris and the adjacent counties and offers specialized treatment for all ear, nose, and throat ailments.
On December 10, affected people received data breach notification letters in the mail, according to the healthcare provider. In the aftermath of the incident, it also reminded patients to be wary of fraudsters. It is always good practice to examine statements from healthcare providers for accuracy.
Texas ENT said that it is providing free identity monitoring services to victims whose Social Security numbers were compromised. Additionally, Texas ENT is enhancing its privacy and information security program by introducing new protections and technical security measures to secure and monitor its systems, to help avoid a similar incident in the future.
- Active Directory Bugs that could compromise Windows Domain Controllers
Following the December 12 release of a proof-of-concept (PoC) tool, Microsoft has been urging users to patch two security vulnerabilities in Active Directory domain controllers that it addressed in November. On December 21st, The Hacker News released a detailed report about the vulnerabilities.
The two flaws, identified as CVE-2021-42278 and CVE-2021-42287, have a severity rating of 7.5 out of a possible 10 and are related to a privilege escalation problem in the Active Directory Domain Services (AD DS) component. Andrew Bartlett of Catalyst IT is credited with detecting and reporting both problems.
Active Directory is a directory service used for identity and access management that runs on Microsoft Windows Server. Although the tech giant rated the flaws as “Exploitation Less Likely” in its evaluation, the public release of the PoC has spurred calls for the fixes to be applied to limit any possible exploitation by threat actors.
While CVE-2021-42278 allows an attacker to tamper with the SAM-Account-Name attribute, which is used to log a user into Active Directory domain systems, CVE-2021-42287 allows an attacker to impersonate domain controllers. Together, they allow a bad actor holding ordinary domain user credentials to gain access to the domain as a domain admin.
When these two vulnerabilities are combined, an attacker has a simple route to a Domain Admin account in an Active Directory environment that has not applied the new fixes. Once an attacker compromises an ordinary user in the domain, this escalation technique lets them raise their privileges to those of a Domain Admin.
The Redmond-based company has also published a step-by-step guide to help users determine whether the vulnerabilities were exploited in their environments. The Microsoft team strongly recommends applying the most recent fixes on domain controllers as quickly as possible.
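The kind of check Microsoft’s guide asks defenders to run, as an added example that is not Microsoft’s own script: a rule over Security log rename events that flags a computer account renamed to a name without the trailing $ (the condition the CVE-2021-42278 fix now enforces) or to a domain controller’s name, and the later rename back. The records below are constructed; the event field names follow the 4781 event XML but are an assumption here, as is the DC inventory.

```python
from typing import List, Optional, Tuple

# Assumed inventory of domain controller account names (without the trailing $).
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# Constructed records shaped like Security event 4781 ("the name of an account was
# changed") plus one 4741 (computer account created); values are invented.
SAMPLE_EVENTS = [
    {"EventID": 4741, "TargetUserName": "WS01$", "SubjectUserName": "alice"},
    {"EventID": 4781, "OldTargetUserName": "WS01$", "NewTargetUserName": "DC01",
     "SubjectUserName": "alice"},
    {"EventID": 4781, "OldTargetUserName": "DC01", "NewTargetUserName": "WS01$",
     "SubjectUserName": "alice"},
    {"EventID": 4781, "OldTargetUserName": "svc-old", "NewTargetUserName": "svc-new",
     "SubjectUserName": "admin"},
]


def is_computer_account(name: str) -> bool:
    """Machine accounts carry a trailing $; a rename that drops it is the tell."""
    return name.endswith("$")


def rename_reason(event: dict) -> Optional[str]:
    """Return why a 4781 rename looks suspicious, or None if it looks ordinary."""
    if event.get("EventID") != 4781:
        return None
    old, new = event["OldTargetUserName"], event["NewTargetUserName"]
    reasons = []
    if is_computer_account(old) and not is_computer_account(new):
        reasons.append("computer account renamed to a name without a trailing $")
    if new.upper() in DOMAIN_CONTROLLERS:
        reasons.append(f"new name matches domain controller {new.upper()}")
    if old.upper() in DOMAIN_CONTROLLERS and is_computer_account(new):
        reasons.append(f"account that carried DC name {old.upper()} renamed back to a machine account")
    return "; ".join(reasons) if reasons else None


def find_suspicious(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Run the rule over a batch; returns (actor, 'old -> new', reason) triples."""
    out = []
    for e in events:
        reason = rename_reason(e)
        if reason:
            out.append((e["SubjectUserName"],
                        f"{e['OldTargetUserName']} -> {e['NewTargetUserName']}", reason))
    return out
```

The same actor renaming a machine account to a DC name and then back within a short window is the pattern to escalate on; an ordinary service-account rename, like the last record, is not flagged.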
Sources
https://thehackernews.com/2021/12/spider-man-no-way-home-pirated.html
https://thehackernews.com/2021/12/expert-details-macos-bug-that-could-let.html
https://www.virustotal.com/gui/file/ed241c92f9bc969a160da2c4c0b006581fa54f9615646dd46467d24fe5526c7a
https://www.fileinspect.com/fileinfo/colorui-dll/
https://thehackernews.com/2021/12/cisa-fbi-and-nsa-publish-joint-advisory.html
https://portswigger.net/daily-swig/ubisoft-confirms-just-dance-video-game-data-breach
https://thehackernews.com/2021/12/active-directory-bugs-could-let-hackers.html
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.