Cyber Security Weekly Recap (07-13 Nov.)


URLScan, a popular security scanner, was discovered to be leaking sensitive URLs and data.

According to security specialists, there is “a treasure of sensitive information” leaking via the internet scanner.

A study published by Positive Security co-founder Fabian Bräunlein on November 2, 2022, reveals that a lot of sensitive URLs to shared documents, password reset sites, team invitations, payment invoices, and more are publicly disclosed and searchable.

Bräunlein warned that spammers may exploit this data to harvest email addresses and other private information. He also noted that cybercriminals might exploit this data to hijack accounts and launch convincing phishing attacks.

Following the disclosure, URLScan has issued a call to action to its users to understand the different scan visibilities, review their own scans for non-public information, review their automated submission workflows, and enforce maximum scan visibility for their accounts.

The security scanner company claims that it has set up domain and URL pattern blocklists to restrict scanning of specified websites and has implemented deletion procedures to routinely remove previous and future scans matching the search patterns.
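The two user-side actions in URLScan's call to action, reviewing existing scans of your own domains for public exposure and cleaning up automated submission workflows, can be scripted. The following is an added example, not code from the article or from urlscan.io. It assumes result objects shaped like the urlscan.io Search API response (each entry carrying `page.url` and `task.visibility`); the sample response embedded below is constructed for the example.

```python
"""Review scan results for publicly visible scans of sensitive URLs, and
redact secrets from URLs before an automated workflow submits them.

Added example, not from the article or from urlscan.io. Assumptions:
- Result entries follow the shape of the urlscan.io Search API response
  (GET https://urlscan.io/api/v1/search/?q=domain:<your-domain>), using only
  the page.url and task.visibility fields.
- SAMPLE_RESPONSE below is constructed for this example.
"""
import re
from urllib.parse import parse_qs, parse_qsl, urlencode, urlparse, urlunparse

# Query-parameter names that commonly carry one-shot secrets (reset tokens,
# invitation codes, signed links). Extend for your own applications.
SENSITIVE_PARAMS = {"token", "reset_token", "invite", "code", "key", "sig",
                    "signature", "otp"}
# Path fragments typical of the link types the report found exposed.
SENSITIVE_PATH_RE = re.compile(r"/(reset|password|invite|invoice|share|unsubscribe)", re.I)


def is_sensitive_url(url):
    """True if the URL looks like a one-shot or private link."""
    parsed = urlparse(url)
    if SENSITIVE_PATH_RE.search(parsed.path):
        return True
    params = {k.lower() for k in parse_qs(parsed.query, keep_blank_values=True)}
    return bool(params & SENSITIVE_PARAMS)


def find_exposed_scans(results, own_domains):
    """Return (url, visibility) for public scans of our domains that look sensitive.

    Scans with visibility 'unlisted' or 'private' are not searchable by
    others and are therefore not reported.
    """
    exposed = []
    for entry in results:
        url = entry.get("page", {}).get("url", "")
        visibility = entry.get("task", {}).get("visibility", "public")
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in own_domains):
            continue
        if visibility == "public" and is_sensitive_url(url):
            exposed.append((url, visibility))
    return exposed


def redact_for_submission(url):
    """Replace values of secret-bearing query parameters before submitting a
    URL to any third-party scanner from an automated workflow."""
    parsed = urlparse(url)
    pairs = parse_qsl(parsed.query, keep_blank_values=True)
    cleaned = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v) for k, v in pairs]
    return urlunparse(parsed._replace(query=urlencode(cleaned)))


# Constructed sample response for the example (not real scan data).
SAMPLE_RESPONSE = {
    "results": [
        {"page": {"url": "https://app.example.com/reset?token=abc123"},
         "task": {"visibility": "public"}},
        {"page": {"url": "https://app.example.com/"},
         "task": {"visibility": "public"}},
        {"page": {"url": "https://app.example.com/invite/xyz"},
         "task": {"visibility": "unlisted"}},
        {"page": {"url": "https://other.example.net/reset?token=zzz"},
         "task": {"visibility": "public"}},
    ]
}

if __name__ == "__main__":
    for url, vis in find_exposed_scans(SAMPLE_RESPONSE["results"], ["example.com"]):
        print(f"exposed ({vis}): {url}")
    print(redact_for_submission("https://app.example.com/reset?token=abc123&lang=en"))
```

Run against a real search response, the first function gives the list of scans to delete or request removal for; the second belongs in any pipeline that auto-submits URLs, so that secrets never leave your environment regardless of the scan's visibility setting.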

Medibank refuses to pay ransom after a ransomware attack exposed 9.7 million customers.

The Australian health insurance company Medibank said that a ransomware attack had put the personal information of about 9.7 million current and former clients at risk.

On October 12, the company reported suspicious activity in its IT network, forcing it to isolate its systems, but not before the attackers exfiltrated the data.

Health information for around 160,000 Medibank clients, approximately 300,000 ahm customers, and approximately 20,000 customers located abroad was stolen in the attack.

After the refusal of Medibank to pay the ransom, the threat actor responsible for the security attack uploaded files containing client data taken from its systems on the dark web.

According to the information that has been revealed, personal information such as names, addresses, dates of birth, phone numbers, email addresses, and Medicare numbers for ahm clients was compromised.

However, Medibank claims that no financial or identification papers, such as driver’s licenses, have been stolen as a result of the security breach and that there has been no suspicious activity since October 12, 2022.

The Australian firm has not yet identified who was responsible for the attack, although information published on a dark web domain associated it with REvil, which resumed operations in May.

Laplas Clipper malware steals cryptocurrency credentials with the help of SmokeLoader.

A new strain of clipper malware called Laplas, which targets cryptocurrency users, has been spreading with the help of the SmokeLoader malware.

An analysis published by Cyble reveals that since October 24, 2022, the company has detected 180 Laplas samples, which indicates widespread use.

SmokeLoader, which is spread through weaponized documents attached to spear-phishing emails, typically serves as a gateway for commodity trojans like SystemBC and Raccoon Stealer 2.0. The malware has been seen in the wild since 2013 and is widely used to distribute additional payloads onto infected computers, including data-stealing malware and other implants.

A New Variant of the Malware Loader IceXLoader Has Affected Thousands of Users Worldwide

Thousands of home and business Windows computers may have been infected with an updated version of a malware loader, codenamed IceXLoader.

IceXLoader is a piece of malware that can be purchased for $118 on dark web marketplaces with a permanent license. Its primary use is to infect compromised systems with even more malicious software.

A variant of the malware designed to evade analysis and detection was reportedly discovered by Fortinet FortiGuard Labs in June.

Cybersecurity researcher Natalie Zargarov from Minerva Labs stated in a study that although the version detected in June (v3.0) seemed to be a work-in-progress, a newer v3.3.3 loader has been spotted that seems to be fully functional and has a multi-stage delivery chain.

In the past, IceXLoader was spread through phishing campaigns by attaching malicious ZIP packages to emails. These malicious ZIP packages were used to spread DarkCrystal RAT and bitcoin miners.

Browser extensions are used for spying on users via the Cloud9 Chrome Botnet Network

The Keksec threat actor is suspected of being behind a yet unreported malware outbreak that has been seen in the wild disguised as a browser extension for Chromium-based browsers.

The malicious browser add-on was discovered by security company Zimperium and is called Cloud9. According to the information that is available, the malware can steal cookies, track keystrokes, inject arbitrary JavaScript code, mine cryptocurrency, and even enlist the host to launch distributed denial of service (DDoS) operations.

A recent analysis by Zimperium researcher Nipun Gupta indicates that the extension not only steals the information accessible during the browser session but also may install malware on a user’s computer and later take control of the device entirely.

In relation to the discovery, Google reminds Chrome users that they should always use the most recent stable release to take advantage of the newest security fixes. Users can further protect themselves against harmful programs and websites by turning on Enhanced Protection in Chrome’s security settings, which immediately alerts them to any unsafe website they visit or file they attempt to download.

Multiple Lenovo Notebooks Are Reported to Have New UEFI Firmware Flaws

Laptop manufacturer Lenovo has fixed three issues in the UEFI firmware of several of its Yoga, IdeaPad, and ThinkBook laptops.

Tracked as CVE-2022-3430, CVE-2022-3431, and CVE-2022-3432, these vulnerabilities might be exploited by an adversary to disable UEFI Secure Boot, a security mechanism intended to prevent malicious applications from loading during the boot process.

This is the third time since the start of this year that Lenovo has patched flaws in its UEFI firmware. Users are advised to install the latest updates as soon as possible to prevent possible exploitation.
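After applying the firmware update, the practical check is to confirm that Secure Boot is actually reported as enabled and that the platform is not in setup mode (where keys can be enrolled without authorisation). The following is an added example, not code from the article or from Lenovo: on a Linux system it reads the UEFI variables exposed under efivarfs, where each file holds a 4-byte attribute word followed by the variable data. The variable names and the EFI_GLOBAL_VARIABLE GUID are standard; the byte strings in the test are constructed.

```python
"""Report UEFI Secure Boot state from efivarfs (Linux).

Added example, not from the article or from Lenovo. The efivarfs file layout
(4-byte little-endian attributes, then the variable data) and the
EFI_GLOBAL_VARIABLE GUID are from the UEFI specification / Linux efivarfs.
"""
import os
import struct

EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"


def parse_efivar_flag(raw):
    """Decode a one-byte boolean UEFI variable from its efivarfs file contents.

    Returns True/False, or None if the contents are too short to be valid.
    """
    if len(raw) < 5:
        return None
    (_attributes,) = struct.unpack("<I", raw[:4])  # attributes are ignored here
    return raw[4] == 1


def read_efivar(name, directory=EFIVARS_DIR):
    """Read a global UEFI variable; None if not present (e.g. legacy BIOS boot)."""
    path = os.path.join(directory, f"{name}-{EFI_GLOBAL_VARIABLE}")
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return None


def assess_secure_boot(secure_boot_raw, setup_mode_raw):
    """Combine SecureBoot and SetupMode into a single verdict string.

    'enforced'   : SecureBoot=1 and SetupMode=0 (the desired state)
    'setup-mode' : platform accepts key changes; Secure Boot is not protecting boot
    'disabled'   : SecureBoot=0
    'unknown'    : variables missing or unreadable (not UEFI, or no efivarfs)
    """
    sb = parse_efivar_flag(secure_boot_raw) if secure_boot_raw is not None else None
    sm = parse_efivar_flag(setup_mode_raw) if setup_mode_raw is not None else None
    if sb is None:
        return "unknown"
    if sm:
        return "setup-mode"
    return "enforced" if sb else "disabled"


if __name__ == "__main__":
    verdict = assess_secure_boot(read_efivar("SecureBoot"), read_efivar("SetupMode"))
    print(f"Secure Boot: {verdict}")
```

Anything other than `enforced` after the update warrants a look at the firmware settings before trusting the machine's boot chain.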

The Xenomorph Banking Trojan was discovered in a malicious app found in the Google Play Store.

Google has removed two dangerous dropper applications (Todo: Day manager com.todo.daymanager and 経費キーパー com.setprice.expenses) from the Android Play Store. One of them was spreading Xenomorph financial malware while pretending to be a lifestyle app.

According to the details that were revealed, both programs were serving as “droppers”, which means they don’t do any damage but instead operate as a channel via which the real payload may be retrieved.

A report by Zscaler ThreatLabz researchers noted that Xenomorph is malware that can steal credentials from banking apps installed on users’ devices. The threat can also read users' SMS messages and use this to steal one-time passwords and multi-factor authentication requests.

About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her striving for simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.
