Cybercriminals Leverage Cloud Mining Services for Cryptocurrency Laundering
Ransomware perpetrators and cryptocurrency fraudsters have actively turned towards the exploitation of cloud mining services to launder illicitly gained digital assets, a recent investigation has uncovered. Blockchain analytics corporation Chainalysis has reported this significant shift in criminal modus operandi within the digital currency landscape, recognizing the appeal of cloud mining to cyber crooks due to its ability to procure funds with a “clean” on-chain source. Earlier this year, APT43, a North Korean cyber-espionage group, utilized hash rental and cloud mining services to conceal their tracks and launder stolen cryptocurrency. This operation, reported by Google Mandiant, demonstrates the increasing appeal of these services to cybercriminals beyond nation-state hacking circles.
Generally, cloud mining services enable users to lease computer resources to mine digital currencies without owning and operating the hardware personally. The case study by Chainalysis disclosed that mining pools and wallets associated with ransomware operators have transferred substantial sums to a highly active deposit address at an undisclosed mainstream crypto exchange. This involved $19.1 million from four ransomware-related wallet addresses and $14.1 million from three mining pools, significant portions of which were channeled through a network of intermediary wallets and pools.
Fortinet Discloses Exploitation of FortiOS and FortiProxy Vulnerability – Urges Immediate Patching
Fortinet, the cybersecurity giant, has revealed a recently rectified critical vulnerability in FortiOS and FortiProxy that has likely been exploited in limited instances. The attacks were mainly targeting sectors such as government, manufacturing, and critical infrastructure. The vulnerability, code-named XORtigate and tracked as CVE-2023-27997, involves a heap-based buffer overflow vulnerability in FortiOS and FortiProxy SSL-VPN that could permit a remote attacker to execute arbitrary code or commands through specially designed requests.
The discovery and reporting of this flaw are credited to LEXFO security researchers Charles Fol and Dany Bach. Fortinet rolled out the patches on June 9, 2023, which are applicable to a series of FortiOS and FortiProxy versions. In an independent disclosure, Fortinet stated that this issue was concurrently identified during a prudently initiated code audit following the exploitation of a similar flaw in the SSL-VPN product in December 2022.
Fortinet has urged users to update to the latest firmware versions to mitigate potential risks. The company has also been proactively communicating to customers and urging them to follow the provided mitigation guidance promptly.
Microsoft Released Patch Updates to Counter Major Security Weaknesses in Windows and Other Software
As part of its June 2023 Patch Tuesday updates, Microsoft has launched a series of fixes for its Windows operating system and other software components to address significant security shortfalls. Among the 73 flaws identified, six are deemed critical, 63 are rated important, two are moderate, and one is low in severity. Notably, three issues rectified by Microsoft involved its Chromium-based Edge browser.
In addition to these patches, Microsoft also fixed another 26 flaws in the Edge browser rooted in Chromium itself since the release of the May Patch Tuesday updates. CVE-2023-3079, a zero-day bug disclosed by Google as actively exploited in the wild the previous week, was also addressed.
The June 2023 updates mark a significant milestone as it’s the first time in many months when no zero-day flaw in Microsoft products was known or actively exploited at the time of release. Of the resolved issues, the most noteworthy is CVE-2023-29357, a privilege escalation flaw in SharePoint Server. This flaw could be exploited by a threat actor to seize administrative privileges. As per Microsoft, an attacker wielding spoofed JWT authentication tokens can execute a network attack bypassing authentication, thereby gaining unauthorized access.
Microsoft also resolved three critical remote code execution bugs in Windows Pragmatic General Multicast (PGM) and two affecting Exchange Server. These vulnerabilities could potentially be exploited by attackers to execute malicious code remotely.
Progress Software Discloses Another Flaw in MOVEit Transfer Amid Cl0p Ransomware Mass Attack
Progress Software reported a third vulnerability in its MOVEit Transfer application amidst the aggressive exploitation tactics deployed by the Cl0p cybercrime gang. This newly disclosed vulnerability, tagged as CVE-2023-35708, pertains to an SQL injection vulnerability that could lead to unauthorized environment access and escalated privileges.
To safeguard their environments, the company urges customers to disable all HTTP and HTTPs traffic to MOVEit Transfer on ports 80 and 443 until a fix is in place. This latest revelation comes on the heels of another set of SQL injection vulnerabilities, disclosed by the company. The Cl0p ransomware gang had been exploiting these vulnerabilities to access the application’s database content. Microsoft has identified this group as Lace Tempest, with evidence pointing to its testing of the exploit as early as July 2021.
Urgent Patching Advised Following the Discovery of Critical RCE Flaw in Fortinet FortiGate Firewalls
Fortinet has rolled out patches to remedy a critical security flaw in its FortiGate firewalls, which a threat actor could potentially exploit to carry out remote code execution. The vulnerability, tracked as CVE-2023-27997, can be accessed before authentication on any SSL VPN appliance.
Olympe Cyberdefense, a French cybersecurity firm, independently noted that the flaw, which has been patched in versions 6.2.15, 6.4.13, 7.0.12, and 7.2.5, could allow a hostile agent to interfere via the VPN, even if the MFA is activated. Given the increasing appeal of Fortinet flaws for cybercriminals, it’s highly recommended that users apply the fixes as soon as possible to mitigate potential risks.
Chinese Threat Group UNC3886 Leverages VMware Zero-Day to Plant Backdoors in Windows and Linux Systems
UNC3886, a Chinese state-sponsored group, has been discovered exploiting a zero-day flaw in VMware ESXi hosts to implant backdoors in Windows and Linux systems. The VMware Tools authentication bypass vulnerability, tracked as CVE-2023-20867, enables the execution of privileged commands across guest VMs without authentication from a compromised ESXi host and with no default logging on guest VMs.
Mandiant initially documented UNC3886 in September 2022 as a cyber espionage actor infecting VMware ESXi and vCenter servers with backdoors named VIRTUALPITA and VIRTUALPIE. Earlier this year, the group was linked to the exploitation of a now-patched medium-severity security flaw in the Fortinet FortiOS operating system to deploy implants on the network appliances. Mandiant researchers have classified the group as a highly adept adversary targeting defense, technology, and telecommunication organizations in the U.S., Japan, and the Asia-Pacific region.