Cyber Security Weekly Recap (27.Feb-05.March)


Billions of IoT and business devices are in danger from new flaws in the TPM 2.0 library.

Two critical vulnerabilities (tracked as CVE-2023-1017 and CVE-2023-1018) in the Trusted Platform Module (TPM) 2.0 reference library specification have been made public. These vulnerabilities might allow for the exposure of sensitive data or the elevation of privileges. The first one relates to out-of-bounds writes, whereas the second concerns out-of-bounds reads.

The Trusted Computing Group (TCG) issued a security advisory where it explained that the vulnerabilities might be exploited by sending malicious commands to TPM 2.0 firmware.

Quarkslab said that the vulnerabilities “may affect billions of devices”, impacting large technology companies and businesses employing enterprise computers, servers, IoT devices, and embedded systems with a TPM.

To fix the vulnerabilities and lessen the chances of supply chain disruptions, users should install the patches made available by TCG and other manufacturers.

A malware known as BlackLotus is the first of its kind to bypass Windows 11’s Secure Boot.

BlackLotus, a stealthy Unified Extensible Firmware Interface (UEFI) bootkit, is the first publicly documented malware capable of evading Secure Boot protections.

The Slovak cybersecurity firm ESET reported that this bootkit can execute even on completely up-to-date Windows 11 PCs with UEFI Secure Boot enabled.

Security professionals explain that UEFI bootkits are typically installed in the system firmware and provide complete control over the OS boot process, which allows them to deactivate OS-level security features and distribute arbitrary payloads during startup with elevated rights.

BlackLotus, in particular, bypasses UEFI Secure Boot safeguards and sets up persistence by exploiting a security weakness identified as CVE-2022-21894 (also known as Baton Drop). Microsoft patched this issue in their January 2022 Patch Tuesday release.

Hackers steal proprietary data and software by exploiting containerized environments.

An advanced attack campaign known as SCARLETEEL is focusing on containerized environments with the purpose of stealing confidential information and software.

A recent report from Sysdig reveals that attackers have exploited a containerized workload and have used it to conduct privilege escalation into an Amazon account in order to steal proprietary software and credentials.

The cybersecurity firm also noted that crypto miner software was deployed as part of the sophisticated cloud attack, which they interpreted as an effort to earn illegal profits or a tactic to confuse defenders.

According to the report, the initial infection vector relied on exploiting a weak externally facing service in a privately managed Kubernetes cluster running on Amazon Web Services (AWS).

The United States Cybersecurity Agency warns about the dangerous potential of Royal Ransomware.

U.S. government cybersecurity agency CISA has issued a new warning on the Royal ransomware strain that first appeared in 2017.

According to CISA, after infiltrating a victim’s network, “Royal actors” deactivate antivirus software, steal sensitive information, and then spread ransomware.

Since September 2022, the custom ransomware has been targeting businesses in the United States and around the world. It is thought to have developed from versions of a malware known as Zeon.

As of February 2023, Royal ransomware may infect both Windows and Linux computers. The ransomware gang uses call-back phishing to infect users’ computers with the malware, a tactic used extensively by criminal groups that split off from the Conti operation, which was shut down last year.

The New MQsTTang Backdoor: A China Cyber Attack on Europe.

A social engineering campaign operated by the China-aligned actor “Mustang Panda” has been discovered to make use of a hitherto unseen custom backdoor known as MQsTTang. According to a recent analysis by ESET, MQsTTang doesn’t seem to be based on existing families or public projects.

As a result of Russia’s sweeping invasion of Ukraine last year, the group’s attack chains have ramped up their focus on European targets, but the victimology of the present activity is unclear.

Although Mustang Panda has historically relied on a remote access trojan known as PlugX to accomplish its goals, the gang has recently expanded its malware arsenal to include custom malware tools like TONEINS, TONESHELL, and PUBLOAD.

Full-fledged information-stealing malware has been found in a PyPI Python package.

An advanced information stealer and remote access trojan was discovered inside a malicious Python package that had been posted to the Python Package Index (PyPI). Kroll’s Cyber Threat Intelligence team discovered the malicious package (known as colourfool) and named it Colour-Blind.

Similar to previous malicious Python modules identified in recent months, colourfool hides in a Discord-hosted ZIP download containing the malicious payload. The file consists of a Python script (code.py), which contains modules to steal cookies, record keystrokes, and even disable security programs.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her striving for simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.
