Cyber Security Weekly Recap (05-11 Dec.)


A SiriusXM flaw allows hackers to remotely unlock and start vulnerable vehicles

Security researchers have uncovered a flaw in SiriusXM's connected-vehicle service that left Honda, Nissan, Infiniti, and Acura vehicles open to remote attack.

Last week, researcher Sam Curry warned on Twitter that the vulnerability could be used to gain unauthorized access to an affected vehicle while knowing nothing more than its vehicle identification number (VIN).

According to the disclosure, an attacker could retrieve sensitive information about the owner and send commands to the car by submitting a crafted HTTP request containing the VIN to a SiriusXM endpoint. The VIN effectively served as the only proof of authorization, even though it is not a secret: on most cars it is printed on the dashboard and readable through the windshield.

SiriusXM and Hyundai have released fixes in response to the disclosures.
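The bug class described above is a missing object-level authorization check: the API authenticates the caller but then trusts an identifier in the request (the VIN) as proof that the caller may act on that object. The following is an added example, not SiriusXM's code; the telematics handler, account store, VINs and command names are hypothetical stand-ins constructed for this demonstration. It shows the vulnerable pattern beside the hardened one.

```python
"""Object-level authorization: the bug class behind a 'VIN is the only credential' API.

Added example; not SiriusXM's code. The telematics API, account store, VINs
and command names are hypothetical stand-ins constructed for this demo.
"""
from dataclasses import dataclass, field
from typing import Callable, Set


@dataclass
class Account:
    """An authenticated customer account and the VINs enrolled on it."""
    account_id: str
    vins: Set[str] = field(default_factory=set)


# Constructed sample data: two customers, one vehicle each. The VINs are made up.
ACCOUNTS = {
    "alice": Account("alice", {"1ABCD12345E000001"}),
    "mallory": Account("mallory", {"2ABCD12345E000002"}),
}
VEHICLES = {vin for acct in ACCOUNTS.values() for vin in acct.vins}
ALLOWED_COMMANDS = {"lock", "unlock", "start", "locate"}


def remote_command_vulnerable(session_user: str, vin: str, command: str) -> str:
    """Vulnerable handler: authenticates the caller, then trusts the VIN in the
    request as proof that the caller may control that vehicle.

    Any logged-in user can drive any enrolled vehicle whose VIN they know, and a
    VIN is printed on the dashboard, not a secret."""
    if session_user not in ACCOUNTS:
        raise PermissionError("not authenticated")
    if command not in ALLOWED_COMMANDS:
        raise ValueError("unknown command")
    if vin not in VEHICLES:
        raise LookupError("unknown vehicle")
    return f"{command} sent to {vin}"


def remote_command_hardened(session_user: str, vin: str, command: str) -> str:
    """Hardened handler: the VIN is only an identifier. Authorization comes from
    the server-side link between the authenticated account and the VIN."""
    account = ACCOUNTS.get(session_user)
    if account is None:
        raise PermissionError("not authenticated")
    if command not in ALLOWED_COMMANDS:
        raise ValueError("unknown command")
    # Object-level check: is this vehicle enrolled on *this* account?
    # Use the same error as for an unknown VIN so the endpoint cannot be used
    # to enumerate which VINs exist on the service.
    if vin not in account.vins:
        raise LookupError("unknown vehicle")
    return f"{command} sent to {vin}"


def attack_succeeds(handler: Callable[[str, str, str], str],
                    attacker: str, victim_vin: str) -> bool:
    """Return True if `attacker` can unlock a vehicle they do not own."""
    try:
        handler(attacker, victim_vin, "unlock")
        return True
    except (PermissionError, LookupError):
        return False


if __name__ == "__main__":
    victim_vin = next(iter(ACCOUNTS["alice"].vins))
    print("vulnerable:", attack_succeeds(remote_command_vulnerable, "mallory", victim_vin))
    print("hardened:  ", attack_succeeds(remote_command_hardened, "mallory", victim_vin))
```

The check that matters is the one in the hardened handler: the VIN must be resolved through the authenticated account, never looked up globally. Returning an identical error for "not yours" and "does not exist" also denies an attacker a VIN-enumeration oracle.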

A variant of Cryptonite Toolkit turns into Wiper Malware

Researchers have discovered a variant of the open-source ransomware toolkit Cryptonite with wiper capabilities in the wild, attributing the behaviour to the toolkit's "poor design and programming".

The malware is written in Python and encrypts files using the Fernet module of the cryptography package, appending a ".cryptn8" suffix to each encrypted file.

Fortinet FortiGuard Labs, however, has analysed a new sample that encrypts files with no way to decrypt them, effectively functioning as a data wiper.

As Fortinet researcher Gergely Revay explained in a blog post, the problem lies in the simplicity of the ransomware's design: the encryption key exists only inside the running process, so if the program crashes, or is simply closed, the key is gone and there is no way to restore the encrypted data.
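When responding to such an incident, the useful question is what can be learned from the encrypted files without the key. The following is an added triage helper, not Fortinet's or Cryptonite's code. It parses the public Fernet token layout (a version byte 0x80, an 8-byte big-endian timestamp, a 16-byte IV, AES-128-CBC ciphertext in whole 16-byte blocks and a 32-byte HMAC-SHA256 tag, all base64url-encoded) using only the standard library. The sample "encrypted" files are constructed with random contents of the right shape, not real Fernet ciphertext; the point is that the timestamp and sizes are the only facts recoverable without the key, which is exactly why a lost key turns the tool into a wiper.

```python
"""Triage helper for files written by a Fernet-based encryptor.

Added example, not Fortinet's or Cryptonite's code. Parses the public Fernet
token layout (https://github.com/fernet/spec):
  version (1 byte, 0x80) | timestamp (8 bytes, big-endian seconds) |
  IV (16 bytes) | AES-128-CBC ciphertext (multiple of 16) | HMAC-SHA256 (32)
all base64url-encoded. Without the key, the timestamp and sizes are the only
recoverable facts. Sample tokens below are constructed, not real ciphertext.
"""
import base64
import binascii
import os
import struct
from datetime import datetime, timezone
from typing import Dict, Optional

VERSION = 0x80
HEADER_LEN = 1 + 8 + 16                 # version, timestamp, IV
MIN_TOKEN_LEN = HEADER_LEN + 16 + 32    # plus one cipher block and the HMAC


def parse_fernet_token(token: bytes) -> Optional[dict]:
    """Return what can be learned from a Fernet token *without* its key,
    or None if the bytes are not a structurally valid token."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < MIN_TOKEN_LEN or raw[0] != VERSION:
        return None
    ciphertext, tag = raw[HEADER_LEN:-32], raw[-32:]
    if len(ciphertext) % 16 != 0:
        return None
    (ts,) = struct.unpack(">Q", raw[1:9])
    return {
        # Fernet stamps the token with the encryption time: a free IR timeline entry.
        "encrypted_at": datetime.fromtimestamp(ts, tz=timezone.utc),
        "ciphertext_len": len(ciphertext),
        # PKCS7 padding: the plaintext is 1..16 bytes shorter than the ciphertext.
        "plaintext_len_max": len(ciphertext) - 1,
        "hmac_hex": tag.hex(),  # verifiable only with the (lost) key
    }


def fake_fernet_token(ts: int, plaintext_len: int) -> bytes:
    """Build a token with the right shape but random contents. Constructed for
    the demo: the payload is not real ciphertext and the tag is not a real HMAC."""
    padded_len = (plaintext_len // 16 + 1) * 16
    raw = (bytes([VERSION]) + struct.pack(">Q", ts) + os.urandom(16)
           + os.urandom(padded_len) + os.urandom(32))
    return base64.urlsafe_b64encode(raw)


def triage_files(files: Dict[str, bytes]) -> Dict[str, Optional[dict]]:
    """Map each file name to its parsed token info (None = not a Fernet token)."""
    return {name: parse_fernet_token(data) for name, data in files.items()}


if __name__ == "__main__":
    sample = {  # constructed sample "disk contents"
        "report.docx.cryptn8": fake_fernet_token(1670200000, 1000),
        "notes.txt": b"plain text, never encrypted",
    }
    for name, info in triage_files(sample).items():
        print(name, "->", info)
```

Run over a tree of ".cryptn8" files this gives a per-file encryption timestamp for the incident timeline and confirms the files really are Fernet tokens; it deliberately offers no decryption path, because none exists once the process holding the key has died.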

A new Zerobot botnet uses dozens of IoT vulnerabilities to rapidly grow its infrastructure

Zerobot, a new Go-based botnet, has been observed spreading in the wild by exploiting security flaws in IoT devices and other applications.

According to Fortinet FortiGuard Labs, the botnet contains several modules, including self-replication, attacks against multiple protocols, and self-propagation. The malware uses the WebSocket protocol to communicate with its command-and-control server.

The attack campaigns are believed to have begun after November 18, 2022, and focus mostly on exploiting security flaws in Windows and Linux systems.

So far, researchers have found two versions of Zerobot in the wild: one with basic features and an updated one with a self-propagating module that exploits 21 vulnerabilities to reach more endpoints.

Experts Have Found a Dark Web Service That Hackers Can Use to Trojanize Legitimate Android Apps

A new hybrid malware operation that targets Android and Windows devices at the same time has recently been revealed. According to a ThreatFabric report, the attackers behind the campaign deploy a range of malware families, including ERMAC, Erbium, Aurora, and Laplas.

The Dutch cybersecurity firm said that thousands of victims have been affected by the campaign.

According to its findings, the operators used a number of malicious applications, trojanized copies of legitimate apps such as Instagram, as droppers for various obfuscated malicious payloads.

Hackers Use a Flaw in Netwrix Auditor Software and the Raspberry Robin Worm to Deliver a New Wave of TrueBot Malware

A rise in TrueBot infections has been detected by security researchers, with Mexico, Brazil, Pakistan, and the United States as the primary targets.

According to Cisco Talos, the operators are no longer relying on malicious emails as a delivery mechanism and have moved to other vectors, such as exploiting a remote code execution (RCE) vulnerability in Netwrix Auditor and distribution via the Raspberry Robin worm.

Data theft and the deployment of Clop ransomware were among the post-compromise activities observed, according to a report by Cisco Talos researcher Tiago Pereira.

Group-IB attributes the TrueBot Windows malware downloader to a threat actor known as Silence, a Russian-speaking group said to have ties to Evil Corp (aka DEV-0243) and TA505.

The most recent Cisco Talos research indicates that Silence carried out a small number of attacks between mid-August and early September 2022, exploiting a critical RCE vulnerability in Netwrix Auditor to download and execute TrueBot.

Cobalt Strike, FlawedGrace, and Teleport are among the second-stage payloads TrueBot can deliver after compromising a host and collecting information from it.

Cisco Issues Urgent Security Alert Over Critical Firmware Flaw In IP Phones

A new security advisory from Cisco warns of a critical vulnerability in the firmware of the IP Phone 7800 and 8800 Series that an unauthenticated attacker could exploit to execute arbitrary code or cause a denial of service (DoS). Because Cisco Discovery Protocol is a Layer 2 protocol, the attacker must be adjacent to the phone, that is, on the same network segment; the flaw is not exploitable from across the internet.

The flaw, tracked as CVE-2022-20968 (CVSS score: 8.1), stems from insufficient input validation of received Cisco Discovery Protocol (CDP) packets, which can lead to a stack overflow. The networking equipment giant has said it is working on a fix; in the meantime its advisory suggests disabling CDP on affected phones, which then fall back to LLDP for neighbour discovery.

The company published the advisory on December 8, 2022, stating that an attacker could exploit the vulnerability by sending crafted Cisco Discovery Protocol traffic to an affected device. So far, there is no evidence of the vulnerability being exploited in the wild.
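The advisory names the cause as insufficient input validation of CDP packets. The following added example is not Cisco's firmware code and makes no claim about the specific defect; it shows the checks a receiver must make on a CDP packet the attacker controls. CDP carries a 4-byte header (version, TTL, checksum) followed by TLVs whose 16-bit length field counts the 4-byte TLV header itself, so a length below 4 or a length that overruns the packet is malformed, and a fixed-size destination buffer (the 256-byte limit here is hypothetical) needs its own bound regardless of what the length field says. The sample packets are constructed for the demo.

```python
"""Bounds-checked parser for Cisco Discovery Protocol (CDP) TLVs.

Added example; not Cisco's firmware code and not a description of the
CVE-2022-20968 defect beyond its stated cause (insufficient input validation).
Wire format: version(1) ttl(1) checksum(2) then TLVs of type(2) length(2) value,
where length includes the 4-byte TLV header. Sample packets are constructed.
"""
import struct
from typing import List, Tuple

TLV_NAMES = {
    0x0001: "Device ID", 0x0002: "Addresses", 0x0003: "Port ID",
    0x0004: "Capabilities", 0x0005: "Software Version", 0x0006: "Platform",
}
STRING_TLVS = (0x0001, 0x0003, 0x0005, 0x0006)
MAX_FIELD = 256  # hypothetical fixed-size destination buffer on the receiver


class MalformedCDP(ValueError):
    pass


def parse_cdp(pkt: bytes) -> Tuple[int, int, List[Tuple[int, bytes]]]:
    """Return (version, ttl, [(type, value), ...]) or raise MalformedCDP."""
    if len(pkt) < 4:
        raise MalformedCDP("truncated header")
    version, ttl, _checksum = struct.unpack(">BBH", pkt[:4])
    if version not in (1, 2):
        raise MalformedCDP(f"unknown version {version}")
    tlvs = []
    off = 4
    while off < len(pkt):
        if len(pkt) - off < 4:
            raise MalformedCDP(f"truncated TLV header at offset {off}")
        tlv_type, tlv_len = struct.unpack(">HH", pkt[off:off + 4])
        # Length covers the 4-byte TLV header. A smaller value would make the
        # value length negative (or wrap) and a naive loop would never advance.
        if tlv_len < 4:
            raise MalformedCDP(f"TLV length {tlv_len} shorter than header")
        # The value must lie entirely inside the bytes actually received.
        if off + tlv_len > len(pkt):
            raise MalformedCDP(f"TLV length {tlv_len} overruns packet at offset {off}")
        value = pkt[off + 4:off + tlv_len]
        # A fixed-size copy destination needs its own bound, independent of tlv_len.
        if tlv_type in STRING_TLVS and len(value) > MAX_FIELD:
            raise MalformedCDP(f"{TLV_NAMES[tlv_type]} value too long ({len(value)})")
        tlvs.append((tlv_type, value))
        off += tlv_len
    return version, ttl, tlvs


def tlv(t: int, value: bytes) -> bytes:
    """Encode one TLV (the length field covers the header too)."""
    return struct.pack(">HH", t, 4 + len(value)) + value


def build_cdp(tlvs: bytes, version: int = 2, ttl: int = 180) -> bytes:
    """Header with a zero checksum (checksum verification is out of scope here)."""
    return struct.pack(">BBH", version, ttl, 0) + tlvs


# Constructed sample packets.
GOOD = build_cdp(tlv(0x0001, b"switch01") + tlv(0x0003, b"GigabitEthernet1/0/1"))
# Length field 0x00ff claims far more value bytes than the packet contains.
OVERRUN = build_cdp(struct.pack(">HH", 0x0001, 0x00FF) + b"A")
# Length 2 is smaller than the TLV header: classic non-advancing loop / underflow.
SHORT = build_cdp(struct.pack(">HH", 0x0001, 0x0002) + b"AA")
# Well-formed framing, but the Device ID exceeds the destination buffer.
HUGE = build_cdp(tlv(0x0001, b"A" * 300))


def classify(pkt: bytes) -> str:
    try:
        _, _, tlvs = parse_cdp(pkt)
        return "ok:" + ",".join(TLV_NAMES.get(t, hex(t)) for t, _ in tlvs)
    except MalformedCDP as e:
        return "rejected:" + str(e)


if __name__ == "__main__":
    for name, pkt in [("GOOD", GOOD), ("OVERRUN", OVERRUN), ("SHORT", SHORT), ("HUGE", HUGE)]:
        print(name, "->", classify(pkt))
```

The three rejections correspond to the three ways a length field lies: shorter than its own header, longer than the packet, and longer than where the value is about to be copied. Embedded C parsers that skip any one of these checks on an attacker-supplied Layer 2 frame are exactly what "insufficient input validation" refers to.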

A New Attack Method Against Common Web Application Firewalls Is Described in Depth by Researchers

New research reveals a generic method for evading the web application firewalls (WAFs) of a wide range of vendors, which could lead to the theft of sensitive company and user data.

The bypass works by adding JSON syntax to SQL injection payloads: the WAF's SQL parser does not recognise the JSON operators and functions, so it fails to classify the request as SQL injection, while the major database engines, which now support JSON natively, evaluate the payload as intended. Attackers can use this to reach the backend database and then chain other vulnerabilities and exploits to steal data from the server or the cloud.

Protecting a web application against threats such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion, and SQL injection requires a multilayered strategy in which a WAF is one layer, not the fix: a WAF is a compensating control over application code, and it is the code (parameterized queries rather than string-built SQL) that has to be correct. Security professionals are concerned that the spread of methods that reliably bypass WAF protection exposes everyone to high risk, particularly as more enterprises move their business and functions to the cloud.
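To make the two points above concrete, here is an added example, not Team82's research code. The "WAF" is a hypothetical signature filter constructed for the demo with rules for the textbook tautologies; the database is SQLite, whose built-in JSON functions stand in for the JSON operators of the big engines (PostgreSQL's @> and ->, MySQL's JSON_EXTRACT, MSSQL's JSON_VALUE). The user table is constructed. It shows a classic payload being caught, a JSON-flavoured tautology slipping through and leaking every row from a string-built query, and the same payload doing nothing against a parameterized query.

```python
"""Why a signature-based WAF misses JSON-flavoured SQL injection, and why
parameterized queries do not care.

Added example, not Team82's research code. The WAF is a hypothetical
signature filter; SQLite's JSON functions stand in for PostgreSQL's @> / ->,
MySQL's JSON_EXTRACT and MSSQL's JSON_VALUE. The table is constructed.
"""
import re
import sqlite3
from typing import List, Tuple

# A toy WAF: rules for the tautologies every cheat sheet teaches. A product's
# ruleset is larger, but it still has to *recognise* the payload as SQL.
WAF_RULES = [
    re.compile(r"\bor\b\s+\d+\s*=\s*\d+", re.I),          # OR 1=1
    re.compile(r"\bor\b\s+'[^']*'\s*=\s*'[^']*'", re.I),  # OR 'a'='a'
    re.compile(r"\bunion\b\s+\bselect\b", re.I),
]


def waf_blocks(user_input: str) -> bool:
    return any(r.search(user_input) for r in WAF_RULES)


def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.com"), ("bob", "bob@example.com"),
        ("carol", "carol@example.com"),
    ])
    return con


def lookup_vulnerable(con: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """String concatenation behind a WAF: the input becomes part of the SQL grammar."""
    if waf_blocks(name):
        raise PermissionError("blocked by WAF")
    return con.execute(f"SELECT name, email FROM users WHERE name = '{name}'").fetchall()


def lookup_parameterized(con: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Bound parameter: the input is data, whatever syntax it contains."""
    return con.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


CLASSIC = "x' OR 1=1 --"
# The tautology is expressed through a JSON function the WAF rules never learned;
# the database evaluates json_extract('{"a":1}','$.a') = 1 as TRUE.
JSON_TAUTOLOGY = "x' OR json_extract('{\"a\":1}','$.a') = 1 --"


def demo() -> dict:
    con = setup_db()
    out = {"classic_blocked": waf_blocks(CLASSIC),
           "json_blocked": waf_blocks(JSON_TAUTOLOGY)}
    out["json_rows_leaked_vulnerable"] = len(lookup_vulnerable(con, JSON_TAUTOLOGY))
    out["json_rows_parameterized"] = len(lookup_parameterized(con, JSON_TAUTOLOGY))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The WAF can only ever be updated to recognise the syntax it has already seen; the parameterized query needs no update because the payload never reaches the SQL parser as code.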


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her drive for simplicity and well-researched information gives users easy-to-follow IT tips and step-by-step tutorials.
