Cyber Security Weekly Recap (29.05-04.06)

Cyber Security Weekly Recap (29.05-04.06)

Beware of .ZIP Domains As Phishing Attackers Are Now Weaponizing Them In A New Scheme

Cybercriminals have recently leveraged a new phishing technique known as “file archiver in the browser,” which creates realistic-looking phishing landing pages with HTML and CSS that emulate legitimate file archive software. Hosted on .zip domains, these malicious sites can effectively trick victims into revealing sensitive data.

Upon visiting these .ZIP domains, users find themselves in an environment that appears to be a file archiver software like WinRAR, thus raising the success rate of social engineering campaigns. A potentially dangerous scenario arises when these threat actors redirect users to a credential-harvesting page upon clicking a file within the fake ZIP archive. The introduction of new top-level domains (TLDs) like “.zip” and “.mov” by Google has heightened this risk, since .ZIP and .MOV are both legitimate file extensions.

Phishing campaigns have become more sophisticated over time, with the number of unique phishing kits detected increasing by 25% in 2022. Cybersecurity company Group-IB also reported an uptick in the use of Telegram to collect stolen data, making online security more challenging than ever before.

Critical SQL Injection Flaw in MOVEit Transfer: Active Exploitation Underway

A critical SQL injection vulnerability has been identified in Progress Software’s MOVEit Transfer, a managed file transfer application. The flaw, assigned the CVE identifier CVE-2023-34362, can potentially allow unauthenticated attackers to access MOVEit Transfer’s database and gain unauthorized access to the environment. Successful exploitation can lead to escalated privileges and alteration or deletion of database elements.

Progress Software has released patches for the bug in several versions of the application. However, as of May 31, 2023, approximately 2,500 instances of MOVEit Transfer were exposed to the public internet, with the majority of them located in the U.S. Cyber threat intelligence firm GreyNoise has observed scanning activity for the login page of MOVEit Transfer as early as March 3, 2023, pointing to active exploitation of the flaw. With over 3,000 exposed hosts utilizing the MOVEit Transfer service found, this vulnerability puts a wide range of industries across various countries at risk.

Millions of Deviceas At Risk Due to A Firmware Vulnerability In Gigabyte Systems

Cybersecurity researchers have discovered backdoor-like behavior within Gigabyte systems that can drop a Windows executable and retrieve updates in an unsecure manner. This anomaly has been traced back to the UEFI firmware of the devices, with the firmware security firm Eclypsium first detecting the issue in April 2023. The Windows executable embedded in UEFI firmware is written to disk by the firmware as part of the system boot process and is then launched as an update service.

This update service application is configured to download and execute a payload from Gigabyte update servers over an insecure HTTP connection, exposing it to potential adversary-in-the-middle (AitM) attacks. A rough estimate suggests that around 364 Gigabyte systems, amounting to nearly 7 million devices, could be impacted by this issue. With threat actors constantly seeking new ways to infiltrate systems undetected, vulnerabilities in such privileged firmware update mechanisms could lead to stealthy UEFI bootkits and implants that can bypass security controls operating at the system level.

Warning: Barracuda Email Security Gateway Zero-Day Flaw Exploited for Seven Months

Cybersecurity firm Barracuda has recently reported an extensive misuse of a zero-day flaw in its Email Security Gateway (ESG) appliances. This flaw, known as CVE-2023-2868, was exploited by unidentified threat actors who infiltrated the devices, leaving behind a backdoor for seven months before it was discovered. Patched only recently, the vulnerability was severe enough to allow remote attackers to execute commands on the compromised installations.

Barracuda’s investigation revealed three distinct types of malware: SALTWATER, SEASPY, and SEASIDE. SALTWATER served as a trojanized module capable of uploading or downloading files and tunneling malicious traffic. SEASPY, a powerful backdoor, ensured persistent access, while SEASIDE established reverse shells via specific commands sent from the malware’s command-and-control server.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) promptly listed this bug in its Known Exploited Vulnerabilities catalog, urging federal agencies to apply the patches released by Barracuda. While Barracuda has not disclosed the exact number of organizations affected, they have communicated mitigation strategies directly to those compromised, and continue to investigate potential additional breaches.

Stealthy Root-Privilege Malware Targets iOS Users in A Zero-Click Hack

A newly discovered advanced persistent threat (APT) is quietly compromising iOS devices as part of a sophisticated campaign known as Operation Triangulation. According to cybersecurity firm Kaspersky, this long-running mobile campaign has been using zero-click exploits via the iMessage platform to infect targets, granting the malware complete control over the device and user data.

Once the device receives an infected iMessage, the attachment embedded in the message triggers the exploit, enabling code execution without user interaction. Further, the malware retrieves additional payloads for privilege escalation and drops a final-stage malware that Kaspersky described as a “fully-featured APT platform.”

Despite the absence of persistence in the malicious toolset, Kaspersky noted that multiple devices were reinfected after rebooting. While the full scale and scope of the campaign are not yet clear, it is evident that the attacks continue unabated, affecting even devices running iOS 15.7.

New BrutePrint Attack Strategy Enables Smartphone Breach Using Fingerprint Brute-Force

In an alarming development, researchers have identified a cost-effective attack technique, dubbed BrutePrint, which can brute-force fingerprints on smartphones to override user authentication and gain device control. This method weaponizes two zero-day vulnerabilities in the smartphone fingerprint authentication (SFA) framework, the Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL) flaws.

These vulnerabilities take advantage of logical defects within the SFA framework, due to weak protection of fingerprint data in the Serial Peripheral Interface (SPI) of fingerprint sensors. This results in a hardware-based man-in-the-middle attack possibility for fingerprint image hijacking, thereby allowing unlimited fingerprint image submissions until a match is found.

However, this attack technique requires that the adversary has physical access to the target device and a fingerprint database. Despite the barriers, this attack strategy has been tested successfully on various smartphone models across different operating systems.

As we see an increasing reliance on biometric data for authentication, these findings highlight the urgent need for more robust and secure authentication frameworks to safeguard user data and devices.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment