Welcome to our weekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our weekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
Proof of Concept Developed for Ghostscript CVE-2023-36664 Code Execution Vulnerability
Ghostscript, an open-source interpreter for the PostScript language and PDF files, recently disclosed a vulnerability affecting versions prior to 10.01.2. This vulnerability, CVE-2023-36664, was assigned a CVSS score of 9.8 and could allow code execution because Ghostscript mishandles permission validation for pipe devices (those using the %pipe% or | pipe character prefix). Read more.
PhonyC2: Revealing a New Malicious Command & Control Framework by MuddyWater
Source: deep instinct
MuddyWater is continuously updating the PhonyC2 framework and changing TTPs to avoid detection, as can be seen throughout the blog and in the investigation of the leaked code of PhonyC2. MuddyWater uses social engineering as its primary initial access point so they can infect fully patched systems. Organizations should continue to harden systems and monitor for PowerShell activity. Read more.
LokiBot Campaign Targets Microsoft Office Document Using Vulnerabilities and Macros
LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015. It primarily targets Windows systems and aims to gather sensitive information from infected machines. Read more.
Malicious campaigns target government, military and civilian entities in Ukraine, Poland
Source: CISCO TALOS
The activity we analyzed occurred as early as April 2022 and as recently as earlier this month, demonstrating the persistent nature of the threat actor. Ukraine’s Computer Emergency Response Team (CERT-UA) has attributed the July campaign to the threat actor group UNC1151, as a part of the GhostWriter operational activities allegedly linked to the Belarusian government. Read more.
Routers From The Underground: Exposing AVrecon
Lumen Black Lotus Labs® identified another multi-year campaign involving compromised routers across the globe. This is a complex operation that infects small-office/home-office (SOHO) routers, deploying a Linux-based Remote Access Trojan (RAT) we’ve dubbed “AVrecon.” Read more.
Facebook and Microsoft Are the Most Impersonated Brands in Phishing Attacks
Source: CISION PR Newswire
The research reveals the top 10 most impersonated brands in phishing in H1 2023 and details phishing and malware trends in the first half of the year. Facebook landed in the No. 1 spot for the most impersonated brand in H1, followed by Microsoft. Rounding out the top 5 are Crédit Agricole, SoftBank and Orange. Read more.
Malicious Injection Redirects Traffic via Parked Domain
Source: SUCURI Blog
During a recent investigation, our malware remediation team encountered a variant of a common malware injection that has been active since at least 2017. The malware was found hijacking the website’s traffic, redirecting visitors via a parked third-party domain to generate ad revenue. Read more.
Detecting BPFDoor Backdoor Variants Abusing BPF Filters
Source: TREND MICRO
Advanced persistent threat (APT) groups have broadened their focus to include Linux and cloud servers in the past few years. Noticeable examples include ransomware groups targeting VMware ESXi servers, Mirai botnet variants, and groups targeting the cloud with stealers and cryptomining malware. Read more.
VPN gateways, security appliances, and NAS boxes enter the top 20 riskiest enterprise devices
A new study analyzed 19 million real-world enterprise devices for risk factors such as known vulnerabilities, open ports, legacy operating systems, endpoint protection, internet exposure and more, across different industries and device use categories like IT, IoT, operational technology or industrial IoT, and medical devices (IoMT). Read more.
Creating a Patch Management Playbook: 6 Key Questions
Source: DARK Reading
In fact, a Ponemon Institute study found that 42% of organizations that suffered a data breach knew that patches were available but struggled to apply them. Now, more than ever, having the right patch management playbook (or strategy) is crucial to protecting data, employees, partners, and the broader business. Read more.
Brand Impersonation Scams in Middle East & Africa See Massive Growth
Source: DARK Reading
Defined as the number of instances in which a brand’s image and logo were appropriated, brand impersonation scam detections in the region increased by 162% overall, according to research by Group-IB. Read more.
Unnamed APT eyes vulnerabilities in Rockwell Automation industrial controllers (CVE-2023-3595, CVE-2023-3596)
Source: HELP NET SECURITY
Rockwell Automation has fixed two vulnerabilities (CVE-2023-3595, CVE-2023-3596) in the communication modules of its ControlLogix industrial programmable logic controllers (PLCs), ahead of expected (and likely) in-the-wild exploitation. Read more.
Cisco Flags Critical SD-WAN Vulnerability
Source: DARK Reading
A critical security vulnerability in Cisco’s SD-WAN vManage software could allow a remote, unauthenticated attacker to gain read and limited write permissions, and access data. Read more.
Six Best Practices for a Pragmatic Approach to Phishing Resistance
In fact, one study found that phishing attacks have increased by up to 350% in the post-COVID remote workforce. A Forbes article noted there were over 500 million phishing attacks reported in 2022, more than double the number reported in 2021. Read more.