Cyber Security Weekly Recap (15-21 May)


AI Tool Seekers Beware: Rogue Sites Distributing RedLine Malware

Users seeking AI tools such as OpenAI’s ChatGPT and Midjourney need to remain vigilant, as cyber threat actors exploit the popularity of these tools to spread RedLine Stealer malware. Criminals are utilizing the absence of standalone apps for these AI services to direct users to imposter websites.

Cybersecurity firm eSentire’s analysis revealed that BATLOADER, a loader malware, is used in drive-by downloads, luring users with bogus ads matched to their search keywords. Clicking these ads leads users to rogue websites hosting the malware. Although abuse of Google Search ads has dropped since early 2023, indicating that Google has taken proactive steps, phishing and scam campaigns remain rampant. These attacks capitalize on the increasing use of AI tools to distribute malware and other rogue apps.

MichaelKors RaaS Sets Sights on Linux and VMware ESXi Systems

April 2023 saw a new ransomware-as-a-service (RaaS) operation named MichaelKors target Linux and VMware ESXi systems. Cybersecurity firm CrowdStrike stated that cybercriminals are increasingly focusing on ESXi, despite VMware’s claims that third-party agents or antivirus software isn’t required.

This trend, along with ESXi’s popularity and widespread use, makes it an attractive target for modern adversaries. Hypervisor jackpotting is a notable technique used by ransomware groups: ransomware is deployed against the VMware ESXi hypervisor itself so that a single campaign scales across the virtual machines it hosts. To mitigate hypervisor jackpotting, organizations are advised to review their security posture, apply security updates, back up ESXi datastore volumes, and enable two-factor authentication.

NPM Packages Concealing TurkoRat Malware Raise Alert

Open-source libraries are fundamental components in the development of modern software. Node.js, in particular, has become a popular ecosystem with numerous packages distributed via npm (Node Package Manager). Unfortunately, open-source libraries also provide fertile ground for cybercriminals who inject malicious code into these packages. The latest instance of this strategy involves two npm packages found to contain an open-source information stealer malware called TurkoRat.

The packages identified were nodejs-encrypt-agent and nodejs-cookie-proxy-agent, both of which were downloaded approximately 1,200 times over a two-month period before their removal from the npm package repository. TurkoRat, the hidden malicious agent, is an information stealer capable of harvesting login credentials, website cookies, and cryptocurrency wallet data, thereby posing a significant threat to unsuspecting developers and users.

This incident underscores the persistent risk of supply chain attacks that cyber threat actors carry out via open-source packages. Developers must be vigilant in scrutinizing the features and behaviors of third-party code they rely on to detect potential malicious payloads. This event also highlights a broader pattern of increasing attacker interest in open-source software supply chains, showcasing the growing sophistication of threat actors.

US Slaps $10 Million Bounty on Russian Ransomware Operator

In an unprecedented move to combat the global ransomware epidemic, the U.S. Department of Justice has charged and indicted a Russian national believed to be responsible for a series of high-profile ransomware attacks worldwide. The individual, Mikhail Pavlovich Matveev, is believed to be a central figure in the development and deployment of the LockBit, Babuk, and Hive ransomware variants. These ransomware strains have collectively inflicted significant damage, with ransom demands estimated at around $400 million.

Matveev’s operation has not spared critical sectors such as law enforcement agencies, hospitals, and schools. His complex modus operandi involves the exfiltration of valuable data followed by a ransomware attack on the compromised networks. If victims fail to meet the ransom demands, the threat actor threatens to publicize the stolen information on a data leak site.

The U.S. Department of State has set a bounty of up to $10 million for information leading to the arrest and/or conviction of Matveev, sending a strong signal to international cybercriminals. The fight against the ransomware-as-a-service (RaaS) model, a lucrative framework for cybercriminals, continues to be challenging due to the high profit margins it offers, as well as its ability to empower even novice cybercriminals to carry out attacks.

Security Flaw Exposed in Samsung Devices

The digital landscape is constantly evolving, with new security threats emerging regularly. The latest warning from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reveals a medium-severity flaw affecting select Samsung devices running Android versions 11, 12, and 13. This vulnerability, tracked as CVE-2023-21492, exposes Samsung users to potential information disclosure exploits that could bypass address space layout randomization (ASLR) protections.

ASLR is a security technique designed to make memory corruption and code execution flaws harder to exploit by making the location of an executable in a device’s memory unpredictable. Despite Samsung’s swift action in releasing an advisory after the disclosure of the flaw, concerns remain due to its potential for active exploitation. This vulnerability represents yet another example of how cybercriminals are continuously seeking to leverage weaknesses in widely used devices to deploy malicious software.

Apple Patched Three New Zero-Day Vulnerabilities in WebKit

Apple has addressed a series of security vulnerabilities in WebKit, the engine behind the Safari web browser, with three emergency patches. These zero-day vulnerabilities, tracked as CVE-2023-2151, CVE-2023-2152, and CVE-2023-2153, were discovered to be under active exploitation, prompting swift action from Apple.

These flaws, which affect iPhones, iPads, Macs, and Apple Watches, allow for arbitrary code execution that can lead to an attacker taking control over an affected device. Specifically, CVE-2023-2151 and CVE-2023-2153 are use-after-free issues that can cause memory corruption, while CVE-2023-2152 is a buffer overflow vulnerability. All three have the potential to be exploited when a user visits a maliciously crafted webpage.

Apple’s security updates — iOS 15.3.1, macOS Monterey 12.3.1, and watchOS 8.4.1 — include the necessary patches to fix these vulnerabilities. Users are strongly advised to update their devices as soon as possible to protect themselves from these security risks.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her striving for simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.
