Cyber security news March 2023

This posting is here to collect cyber security news in March 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    A look at a Magecart skimmer using the Hunter obfuscator
    Today, we look at a Magecart skimmer that uses Hunter, a PHP JavaScript obfuscator. During our investigation, we were able to discover a number of domains all part of the same infrastructure with custom skimmers for several Magento stores.

  2. Tomi Engdahl says:

    The Unintentional Leak: A glimpse into the attack vectors of APT37
    At Zscaler ThreatLabz, we have been closely monitoring the tools, techniques and procedures (TTPs) of APT37 (also known as ScarCruft or Temp.Reaper) – a North Korea-based advanced persistent threat actor.
    This threat actor has been very active in February and March 2023 targeting individuals in various South Korean organizations. In this blog, we will provide a high-level technical analysis of the infection chain, the new loaders we identified and a detailed analysis of the themes used by this APT group, discovered while reviewing the GitHub commit history. Even though the threat actor routinely deletes the files from the repository, we were able to retrieve all the deleted files and do an analysis of them

  3. Tomi Engdahl says:

    WooCommerce Credit Card Skimmer Reveals Tampered Gateway Plugin
    WooCommerce is an excellent and highly customizable eCommerce platform used by over 40% of all known online stores. It can be used in conjunction with a wide variety of payment gateways, including one such popular gateway. Both the plugin and payment gateway are generally considered to be secure for processing payments and safe to use; however, in this blog post we will explore how even the most secure software applications can be tampered with by malicious actors to suit their own criminal goals.

  4. Tomi Engdahl says:

    Another One Bites the Dust: The (Apparent) End of Breach Forums
    On March 21, 2023, in a Telegram message within the Breach Forums channel, the administrator baphomet announced that they would be closing the forum. Following pompompurin's arrest, the admin initially claimed they had access to the infrastructure and would keep the forum online. However, their most recent message indicates that it may not be worthwhile to keep the forum online.

  5. Tomi Engdahl says:

    IcedID's VNC Backdoors: Dark Cat, Anubis & Keyhole
    In this blog post we will share insights into IcedID's VNC backdoor(s) as seen from an attacker's perspective, insights we obtained by extracting and reassembling VNC (RFC6143) traffic embedded within private and public captures published by Brad Duncan. In this post we introduce the three variants we observed as well as their capabilities: Dark Cat, Anubis and Keyhole. We'll follow by exposing common techniques employed by the operators before revealing information they leaked through their clipboard data.

  6. Tomi Engdahl says:

    North Korean hackers using Chrome extensions to steal Gmail emails
    A joint cybersecurity advisory from the German Federal Office for the Protection of the Constitution (BfV) and the National Intelligence Service of the Republic of Korea (NIS) warns about Kimsuky’s use of Chrome extensions to steal targets’ Gmail emails. While the current campaign targets people in South Korea, the techniques used by Kimsuky can be applied globally, so raising awareness is vital.

  7. Tomi Engdahl says:

    FakeGPT #2: Open-Source Turned Malicious in Another Variant of the Facebook Account-Stealer Chrome Extension
    Following our discovery of FakeGPT, the Facebook Ad Accounts stealer masquerading as a Chat-GPT Chrome Extension, Guardio's security team uncovered another variant in a new campaign already hitting thousands a day. In this write-up we will share our insights on this latest variant's activities, how it abuses open-source as well as the effective propagation using Google services.

  8. Tomi Engdahl says:

    The “Acropalypse” bug, which allows content you’ve cropped out of your Android screenshot to be partially recovered (and poses a problem if you’ve edited out sensitive information), has now been ported to PC, it seems.

    “Acropalypse” Android screenshot bug turns into a 0-day Windows vulnerability
    Unpatched bug can be exploited with modified versions of the Android scripts.

    Earlier this week, programmer and “accidental security researcher” Simon Aarons disclosed a bug in Google’s Markup screenshot editing tool for its Pixel phones. Dubbed “acropalypse,” the bug allows content you’ve cropped out of your Android screenshot to be partially recovered, which can be a problem if you’ve cropped out sensitive information.

    Today, Aarons’ collaborator, David Buchanan, revealed that a similar bug affects the Snipping Tool app in Windows 11. As detailed by Bleeping Computer, which was able to verify the existence of the bug, PNG files all have an “IEND” data chunk that tells software where the image file ends. A screenshot cropped with Snipping Tool and then saved over the original (the default behavior) adds a new IEND chunk to the PNG image but leaves a bunch of the original screenshot’s data after the IEND chunk.
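A defender-side check for the condition described above (image data left behind after the IEND chunk), added here as an example; it is not code from the article, from Aarons or from Buchanan. It walks the PNG chunk list, verifies each chunk CRC, reports how many bytes follow IEND, and returns a copy truncated there. The 1x1 sample PNG is constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def iter_chunks(data):
    """Yield (chunk_type, offset_just_past_chunk) for every chunk up to IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_end = pos + 8 + length
        crc_end = body_end + 4
        if crc_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        body = data[pos + 8:body_end]
        stored_crc = struct.unpack(">I", data[body_end:crc_end])[0]
        # CRC covers the type field and the body, not the length field.
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != stored_crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, crc_end
        pos = crc_end
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk found")


def find_iend_end(data):
    """Offset just past the IEND chunk's CRC, i.e. where a clean PNG ends."""
    end = None
    for _ctype, offset in iter_chunks(data):
        end = offset
    return end


def trailing_bytes(data):
    """Number of bytes that follow IEND; anything above 0 is leftover data."""
    return len(data) - find_iend_end(data)


def strip_trailing(data):
    """Return the PNG truncated at the end of IEND (the sanitized copy)."""
    return data[:find_iend_end(data)]


def make_chunk(ctype, body):
    """Encode one PNG chunk: length, type, body, CRC32(type + body)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png():
    """Constructed 1x1 8-bit grayscale PNG (sample data, not a real screenshot)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    raw_scanline = b"\x00\x00"  # filter type 0 followed by one gray pixel
    return (PNG_SIGNATURE
            + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw_scanline))
            + make_chunk(b"IEND", b""))


if __name__ == "__main__":
    clean = build_sample_png()
    # Simulate an edited file saved over a larger original: old bytes remain after IEND.
    leaky = clean + b"LEFTOVER" * 4
    print("clean file trailing bytes:", trailing_bytes(clean))
    print("leaky file trailing bytes:", trailing_bytes(leaky))
    print("sanitized copy matches clean:", strip_trailing(leaky) == clean)
```

Run it over a directory of exported screenshots to flag files whose trailing byte count is non-zero before they are shared.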

  9. Tomi Engdahl says:

    “The DEA Quietly Turned Apple’s AirTag Into A Surveillance Tool”

    Apple’s quarter-size location tracker was hidden in a pill press by the DEA to conduct surveillance. The AirTag’s small size and reliability could make it an attractive tool for cops.

  10. Tomi Engdahl says:

    Journalist plugs in unknown USB drive mailed to him – it exploded in his face
    As reported by the Agence France-Presse (via CBS News) on Tuesday, five Ecuadorian journalists have received USB drives in the mail from Quinsaloma. Each of the USB sticks was meant to explode when activated. Upon receiving the drive, Lenin Artieda of the Ecuavisa TV station in Guayaquil inserted it into his computer, at which point it exploded. According to a police official who spoke with AFP, the journalist suffered mild hand and face injuries, and no one else was harmed

  11. Tomi Engdahl says:

    Windows 11, Tesla, Ubuntu, and macOS hacked at Pwn2Own 2023
    On the first day of Pwn2Own Vancouver 2023, security researchers successfully demoed Tesla Model 3, Windows 11, and macOS zero-day exploits and exploit chains to win $375,000 and a Tesla Model 3

  12. Tomi Engdahl says:

    New Kritec Magecart skimmer found on Magento stores
    Threat actors often compete for the same resources, and this couldn’t be further from the truth when it comes to website compromises. After all, if a vulnerability exists one can expect that it will be exploited more than once. In this blog post, we show how the newly found Kritec skimmer was found alongside one of its competitors.

  13. Tomi Engdahl says:

    Emotet Resumes Spam Operations, Switches to OneNote
    Emotet resumed spamming operations on March 7, 2023, after a months-long hiatus. Initially leveraging heavily padded Microsoft Word documents to attempt to evade sandbox analysis and endpoint protection, the botnets switched to distributing malicious OneNote documents on March 16. Since returning, Emotet has leveraged several distinct infection chains, indicating that they are modifying their approach based on their perceived success in infecting new systems.
    The initial emails delivered to victims are consistent with what has been observed from Emotet over the past several years

  14. Tomi Engdahl says:

    Google Suspends Chinese E-Commerce App Pinduoduo Over Malware
    Google says it has suspended the app for the Chinese e-commerce giant Pinduoduo after malware was found in versions of the software. The move comes just weeks after Chinese security researchers published an analysis suggesting the popular e-commerce app sought to seize total control over affected devices by exploiting multiple security vulnerabilities in a variety of Android-based smartphones

  15. Tomi Engdahl says:

    New loader on the bloc – AresLoader
    AresLoader is a new loader malware-as-a-service (MaaS) offered by threat actors with links to Russian hacktivism that was spotted recently in the wild. Most users are pushing a variety of information stealers with the service. The service offers a binder tool that allows users to masquerade their malware as legitimate software

  16. Tomi Engdahl says:

    Attackers hit Bitcoin ATMs to steal $1.5 million in crypto cash
    Unidentified miscreants have siphoned cryptocurrency valued at more than $1.5 million from Bitcoin ATMs by exploiting an unknown flaw in digicash delivery systems. According to General Bytes, the outfit that sold the ATMs and had managed some of them with a cloud service, the attackers used an interface designed to upload videos to instead inject a malicious Java application, and then subverted ATM user privileges. They drained at least 56 Bitcoin – about $1.5 million as of publication time – from crypto wallets.

  17. Tomi Engdahl says:

    Operation Tainted Love | Chinese APTs Target Telcos in New Attacks
    In collaboration with QGroup GmbH, SentinelLabs recently observed initial threat activities targeting the telecommunication sector. We assess it is highly likely that these attacks were conducted by a Chinese cyberespionage actor related to the Operation Soft Cell campaign. The initial attack phase involves infiltrating Internet-facing Microsoft Exchange servers to deploy webshells used for command execution. Once a foothold is established, the attackers conduct a variety of reconnaissance, credential theft, lateral movement, and data exfiltration activities. The deployment of custom credential theft malware is central to this new campaign. The malware implemented a series of Mimikatz modifications on closed-source tooling. This post details the multi-component architecture and functionality of a sample, referred to as mim221

  18. Tomi Engdahl says:

    Nexus: A New Rising Android Banking Trojan Targeting 450 Financial Apps
    An emerging Android banking trojan dubbed Nexus has already been adopted by several threat actors to target 450 financial applications and conduct fraud. “Nexus appears to be in its early stages of development,” Italian cybersecurity firm Cleafy said in a report published this week. “Nexus provides all the main features to perform ATO attacks (Account Takeover) against banking portals and cryptocurrency services, such as credentials stealing and SMS interception.”

  19. Tomi Engdahl says:

    Malicious JavaScript Injection Campaign Infects 51k Websites
    Unit 42 researchers have been tracking a widespread malicious JavaScript (JS) injection campaign that redirects victims to malicious content such as adware and scam pages. This threat was active throughout 2022 and continues to infect websites in 2023

  20. Tomi Engdahl says:

    Did you get a message like this from your child? Beware, it is a blatant scam
    Phishing scam text messages are still circulating.
    The text messages can arrive even at unlisted numbers.
    A link arriving from an unknown number should not be opened. – In these cases the message has not contained the child's name. Messages have also been received by people without children and by underage children, says Juha Tretjakov, senior specialist at the National Cyber Security Centre.

  21. Tomi Engdahl says:

    Dangerous tips are spreading on YouTube – following the AI's instructions gets you malware
    Videos advertising free downloads of paid software should be treated with caution.

    AI-generated malware content on the Google-owned video service YouTube has grown by 200–300 percent per month. The growth has been observed since November of last year. This was reported by the AI-specialized security company CloudSEK.

    Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware

  22. Tomi Engdahl says:

    Cisco Patches High-Severity Vulnerabilities in IOS Software

    Cisco’s semiannual security updates for IOS and IOS XE software resolve high-severity DoS, command injection, and privilege escalation vulnerabilities.

    Cisco this week published its semiannual IOS and IOS XE software security advisory bundle, which addresses ten vulnerabilities, including six rated ‘high severity’.

    The most important are three security bugs that can be exploited by remote, unauthenticated attackers to cause a denial-of-service (DoS) condition.

    Tracked as CVE-2023-20080, the first of these flaws impacts the IPv6 DHCP version 6 (DHCPv6) relay and server features of IOS and IOS XE software. Insufficient validation of data boundaries allows an attacker to send crafted DHCPv6 messages to an affected device and cause it to reload unexpectedly.

    The second vulnerability, CVE-2023-20072, impacts the fragmentation handling code of tunnel protocol packets and can be exploited by sending crafted fragmented packets to an affected system.

    Cisco also addressed CVE-2023-20027, an issue in the implementation of the IPv4 Virtual Fragmentation Reassembly (VFR) feature of IOS and IOS XE software, which exists because large packets are not properly reassembled when VFR is enabled.

  23. Tomi Engdahl says:

    Chrome 111 Update Patches High-Severity Vulnerabilities
    The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.
    Google this week announced a Chrome 111 update that brings patches for eight vulnerabilities, including seven flaws that were reported by external researchers.
    All seven of the externally reported issues are high-severity memory safety bugs, with four of them described as use-after-free vulnerabilities, a type of bug that could lead to arbitrary code execution, data corruption, or denial of service.
    The latest Chrome release is now rolling out as version 111.0.5563.110 for Mac and Linux and as versions 111.0.5563.110/.111 for Windows.

  24. Tomi Engdahl says:

    Dole Says Employee Information Compromised in Ransomware Attack

    Dole has admitted in an SEC filing that its investigation into the recent ransomware attack found that the hackers had accessed employee information.

  25. Tomi Engdahl says:

    High-Severity Vulnerabilities Found in WellinTech Industrial Data Historian

    Cisco Talos researchers found two high-severity vulnerabilities in WellinTech’s KingHistorian industrial data historian software.

    Cisco’s Talos threat intelligence and research unit this week disclosed the details of two high-severity vulnerabilities discovered last year in WellinTech’s KingHistorian industrial data historian software.

    China-based industrial automation software company WellinTech designed KingHistorian for collecting and processing a ‘massive amount’ of industrial control system (ICS) data.

    Talos researchers discovered that the historian is impacted by two flaws. One of them, tracked as CVE-2022-45124, can allow an attacker who can intercept an authentication packet to obtain the username and password of the legitimate user who logged in to the system.

  26. Tomi Engdahl says:

    BreachForums Shut Down Over Law Enforcement Takeover Concerns

    The popular cybercrime forum BreachForums is being shut down following the arrest of Conor Brian Fitzpatrick, who is accused of running the website.

  27. Tomi Engdahl says:

    Linus Tech Tips YouTube channel was deleted

  28. Tomi Engdahl says:

    GitHub publishes RSA SSH host keys by mistake, issues update
    Getting connection failures? Don’t panic. Get new keys

  29. Tomi Engdahl says:

    Learn how to bypass a Windows user password without any software or reset a Windows 11 user login password

  30. Tomi Engdahl says:

    Tesla Hacked Twice at Pwn2Own Exploit Contest

    Researchers at offensive hacking shop Synacktiv demonstrated successful exploit chains and were able to “fully compromise” Tesla’s newest electric car and take top billing at the annual Pwn2Own contest.

  31. Tomi Engdahl says:

    Google Leads $16 Million Investment in

    raised $16 million in Series A funding for its fly-direct Secure Web Gateway (SWG).

    this week announced that it has raised $16 million in a Series A funding round that brings the total investment in the company to $20 million.

    While the company may have a somewhat juvenile name, it is attracting serious investors. The new funding round was led by Google Ventures (GV), with additional investment from Boldstart Ventures and Preface.

    Founded in 2021 and emerging from stealth mode in September 2022, Mountain View, California-based offers a Secure Web Gateway (SWG) that delivers security directly on the endpoint, even for remote users and hybrid environments.

    The company claims that, without routing traffic through data centers, its solution provides organizations with improved performance and reliability, while ensuring that decrypted data remains on the device.

    The solution enforces endpoint-driven security controls, including anti-malware, cloud application controls, URL categorizations, and user-based policies. Functioning as an on-device proxy, the fly-direct SWG also performs SSL inspection directly on the endpoint.

  32. Tomi Engdahl says:

    CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections

    The U.S. government’s cybersecurity agency ships a new tool to help network defenders hunt for signs of compromise in Microsoft’s Azure and M365 cloud deployments.

    The U.S. government’s cybersecurity agency CISA has jumped into the fray to help network defenders hunt for signs of compromise in Microsoft’s Azure and M365 cloud deployments.

    The agency rolled out a free hunt and incident response utility called Untitled Goose Tool that offers novel authentication and data gathering methods to manage a full investigation against enterprise deployments of Microsoft Azure, Azure Active Directory (AAD) and Microsoft 365 (M365).

    In a note documenting the release, CISA said the Untitled Goose Tool can also gather additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).

  33. Tomi Engdahl says:

    Critical WooCommerce Payments Vulnerability Leads to Site Takeover
    A critical-severity flaw in the WooCommerce Payments WordPress plugin could allow attackers to take over site administrator accounts.

  34. Tomi Engdahl says:

    PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw

    Proof-of-concept code to exploit a just-patched security hole in the Veeam Backup & Replication product has been published online.

  35. Tomi Engdahl says:

    UK creates fake DDoS-for-hire sites to identify cybercriminals
    The U.K.’s National Crime Agency (NCA) revealed today that they created multiple fake DDoS-for-hire service websites to identify cybercriminals who utilize these platforms to attack organizations.
    DDoS-for-hire services, also known as ‘booters,’ are online platforms offering to generate massive garbage HTTP requests towards a website or online service in exchange for money that overwhelm the webserver and take it offline. These illegal services are bought by people aiming to take down a site or disrupt an organization’s operations for various reasons, including espionage, revenge, extortion, and political reasons

  36. Tomi Engdahl says:

    rotates its exposed private SSH key
    GitHub has rotated its private SSH key for after the secret was accidentally published in a public GitHub repository. The software development and version control service says the private RSA key was only “briefly” exposed, but that it took action out of “an abundance of caution.” In a succinct blog post published today, GitHub acknowledged discovering this week that the RSA SSH private key for had been ephemerally exposed in a public GitHub repository.

  37. Tomi Engdahl says:

    BlackGuard stealer now targets 57 crypto wallets, extensions
    A new variant of the BlackGuard stealer has been spotted in the wild, featuring new capabilities like USB propagation, persistence mechanisms, loading additional payloads in memory, and targeting additional crypto wallets. In conclusion, the latest version of BlackGuard demonstrates the continuous evolution of the malware which competes in the MaaS space, adding mostly meaningful features that pose an even more significant risk to users. To keep the risk of BlackGuard infections at bay, avoid downloading executables from untrustworthy websites, do not launch files arriving as email attachments from unknown senders, and keep your system and AV tools updated

  38. Tomi Engdahl says:

    Researchers Uncover Chinese Nation State Hackers’ Deceptive Attack Strategies
    A recent campaign undertaken by Earth Preta indicates that nation-state groups aligned with China are getting increasingly proficient at bypassing security solutions. The threat actor, active since at least 2012, is tracked by the broader cybersecurity community under Bronze President, HoneyMyte, Mustang Panda, RedDelta, and Red Lich. Attack chains mounted by the group commence with a spear-phishing email to deploy a wide range of tools for backdoor access, command-and-control (C2), and data exfiltration

  39. Tomi Engdahl says:

    Authority warns of Posti scam: this is how you avoid the trap
    The National Cyber Security Centre of the Finnish Transport and Communications Agency Traficom warns of active phishing for online banking credentials in Posti's name. The centre has received dozens of reports of the scammers' text messages. The messages do not appear to be targeted at specific recipients. In Posti's case, the messages have sometimes been nasty in that they have hit a moment when the recipient of the scam message was genuinely expecting information about a real incoming parcel. In addition, the messages can appear in the same thread as Posti's genuine text messages.

  40. Tomi Engdahl says:

    How hackers took over Linus Tech Tips
    The hackers were able to take over three Linus Media Group YouTube channels by targeting session tokens. YouTube channel Linus Tech Tips and two other Linus Media Group YouTube channels have been restored after a major hack allowed a bad actor to do things like livestream crypto scam videos, change channel names, and even delete videos. In a new video, owner Linus Sebastian explains that the breach bypassed things like password and two-factor protections because the bad actor targeted the session tokens that keep you logged in to websites

  41. Tomi Engdahl says:

    Guidance for investigating attacks using CVE-2023-23397
    This guide provides steps organizations can take to assess whether users have been targeted or compromised by threat actors exploiting CVE-2023-23397. A successful exploit of this vulnerability can result in unauthorized access to an organization's environment by triggering a Net-NTLMv2 hash leak. Understanding the vulnerability and how it has been leveraged by threat actors can help guide the overall investigative process. This vulnerability triggers a Net-NTLMv2 hash leak. Abuse of the leaked Net-NTLMv2 hash is post-exploitation activity. In this blog, we emphasize specific observed post-exploitation activity that targeted Microsoft Exchange Server. However, there are numerous ways that a leaked Net-NTLMv2 hash could be used by a threat actor.

  42. Tomi Engdahl says:

    Google Play warns of malware found inside
    According to technology giant Google, several applications developed by the Chinese online marketplace giant Pinduoduo contain malware. Google is warning Android users who have downloaded the applications. The online publication TechCrunch reported on the matter.
    Pinduoduo has grown in a few years into one of Alibaba's biggest competitors. Alibaba, with 903 million users, is known as the largest Chinese online marketplace platform.

  43. Tomi Engdahl says:

    Windows, Ubuntu, and VMware Workstation hacked on last day of Pwn2Own
    On the third day of the Pwn2Own hacking contest, security researchers were awarded $185,000 after demonstrating 5 zero-day exploits targeting Windows 11, Ubuntu Desktop, and the VMware Workstation virtualization software. The highlight of the day was the Ubuntu Desktop operating system getting hacked three times by three different teams, although one of them was a collision with the exploit being previously known.

