Cyber security news June 2023

This posting is here to collect cyber security news in June 2023.

I post links to security vulnerability news to comments of this article.

You are also free to post related links to comments.


  1. Tomi Engdahl says:

    Sergiu Gatlan / BleepingComputer:
    US law enforcement seized BreachForums’ domain on June 22, after arresting the data leak site’s alleged admin, Conor Fitzpatrick, aka Pompompurin, on March 15 — U.S. law enforcement today seized the clear web domain of the notorious BreachForums (aka Breached) hacking forum three months …

    FBI seizes BreachForums after arresting its owner Pompompurin in March

    U.S. law enforcement today seized the clear web domain of the notorious BreachForums (aka Breached) hacking forum three months after apprehending its owner Conor Fitzpatrick (aka Pompompurin), under cybercrime charges.

    Hosted at Breached[.]vc, the domain now shows a seizure banner saying the website was taken down by the FBI, the Department of Health and Human Services, the Office of Inspector General, and the Department of Justice based on a warrant issued by the U.S. District Court for the Eastern District of Virginia.

    Other law enforcement authorities worldwide were also part of this action, including the U.S. Secret Service, Homeland Security Investigations, the N.Y. Police Department, the U.S. Postal Inspection Service, the Dutch National Police, the Australian Federal Police, the U.K. National Crime Agency, and Police Scotland.

    As is common with domain seizure messages, law enforcement displayed the logo for the site. However, in a unique display, law enforcement took an unconventional approach by also featuring handcuffs added to Pompompurin’s avatar in the seizure banner.

    BleepingComputer has learned that law enforcement also seized the pompur[.]in domain, which was Pompompurin’s personal site, as part of this operation.

  2. Tomi Engdahl says:

    PoC Exploit Published for Cisco AnyConnect Secure Vulnerability

    A security researcher has published proof-of-concept (PoC) exploit code targeting a recent high-severity vulnerability (CVE-2023-20178) in Cisco AnyConnect Secure.

  3. Tomi Engdahl says:

    VMware Patches Code Execution Vulnerabilities in vCenter Server
    VMware published software updates to address multiple memory corruption vulnerabilities in vCenter Server that could lead to remote code execution.

  4. Tomi Engdahl says:

    CISA Tells US Agencies to Patch Exploited Roundcube, VMware Flaws

    The US government’s cybersecurity agency adds VMware and Roundcube server flaws to its Known Exploited Vulnerabilities (KEV) catalog.

    The already exploited vulnerabilities affect users of the open-source Roundcube webmail server and VMware Aria Operations for Networks.

  5. Tomi Engdahl says:

    Zyxel patches critical vulnerability in NAS devices
    Zyxel released patches for a critical-severity pre-authentication command injection vulnerability (CVE-2023-27992) impacting some NAS models, warning that unauthenticated attackers could exploit the bug via HTTP requests to execute operating system (OS) commands remotely.
    Zyxel security advisory for pre-authentication command injection vulnerability in NAS products

  6. Tomi Engdahl says:

    Tsunami botnet hits Linux SSH servers
    AhnLab Security Emergency Response Center (ASEC) discovered an attack campaign that consists of the Tsunami DDoS bot being installed on “inadequately managed” Linux SSH servers. According to AhnLab, hackers managed to install the Tsunami bot malware, along with various other malware such as ShellBot, XMRig CoinMiner, and Log Cleaner.

    Tsunami DDoS Malware Distributed to Linux SSH Servers

    AhnLab Security Emergency Response Center (ASEC) has recently discovered an attack campaign that consists of the Tsunami DDoS Bot being installed on inadequately managed Linux SSH servers. Not only did the threat actor install Tsunami, but they also installed various other malware such as ShellBot, XMRig CoinMiner, and Log Cleaner.

    When looking at the attack cases against poorly managed Linux SSH servers, most of them involve the installation of DDoS bots or CoinMiners. DDoS bots have been covered here in the ASEC Blog before through the attack cases where ShellBot [1] and ChinaZ DDoS Bot [2] were installed. The installation of XMRig CoinMiner was covered in tandem with the SHC malware [3] and the KONO DIO DA attack campaign [4].

    Tsunami is a DDoS bot that is also known as Kaiten. It is one of the several malware strains that have been consistently distributed together with Mirai and Gafgyt when targeting IoT devices that are generally vulnerable. While they all share the common ground of being DDoS bots, Tsunami stands out from the others in that it operates as an IRC bot, utilizing IRC to communicate with the threat actor.

    1. Dictionary Attack Against Linux SSH Servers

    Poorly managed services are one of the prime examples of attack vectors used to target server environments such as Linux servers. The Secure Shell (SSH) service is installed in most Linux server environments, can easily be used for attacks, and is prone to poor management. SSH allows administrators to log in remotely and control the system, but they must log into the user account registered to the system to do so.

    2. Attack Flow

    After successfully logging in, the threat actor executes a command like the one below to download and run various malware.

    3. Malware Analysis

    3.1. Tsunami

    As DDoS bot malware also known as Kaiten, Tsunami is used by various threat actors since its source code is publicly available. Threat actors often modify the source code of the existing Kaiten to add more features, and the Tsunami used in this attack is a variant of Kaiten called Ziggy.

    3.2. ShellBot

    The “bot” and “logo” that are installed through the initial execution command and Bash downloader “key” are actually the same ShellBot malware. ShellBot is a DDoS bot developed in Perl and it is also an IRC Bot that utilizes the IRC protocol like Tsunami. Previously on the ASEC Blog, the ShellBot malware that was used to attack poorly managed Linux SSH servers had been categorized and analyzed. [5] The ShellBot strains used in this attack are not identical to any of the ones covered in that previous post, but they are undeniably variants of ShellBot.

    The ShellBots used in this attack all operate by receiving the C&C server address and port number as arguments.

    3.3. Log Cleaner

    Log Cleaner malware exists among the malware that are installed by the threat actor. In Linux server environments, there are various types of log files that record the activities of users or threat actors. Log Cleaner is a tool that enables the deletion or modification of specific logs within these log files. It is believed that the threat actor installed Log Cleaner with the intention of hindering any subsequent analysis of their breach.

    Among the files that are installed, “cls” is “MIG Logcleaner v2.0” and “clean” is “0x333shadow Log Cleaner”. For starters, MIG LogCleaner is capable of receiving various options as arguments, like the ones shown below, to delete desired logs from Linux, Unix, and BSD systems.

    3.4. Privilege Escalation Malware

    The “ping6” file is an ELF malware with the following simple structure. The setuid() and setgid() functions are used to set the user ID and group ID as the root account before executing the shell.

    3.5. XMRig CoinMiner

    In this particular attack campaign, a CoinMiner is also installed alongside the DDoS bots. The command that is executed after logging in through a dictionary attack downloads and decompresses a compressed file called tar. The resulting “go” file is then executed. As a simple Bash script, “go” executes the “televizor” file which is located in the same path. “televizor” is also a Bash script and it executes the “telecomanda” Bash script.

    4. Conclusion

    Attack campaigns on poorly managed Linux SSH servers have been occurring persistently for quite some time. The threat actor installed XMRig CoinMiner alongside DDoS bots like Tsunami and ShellBot on infected systems.

    In environments where the CoinMiner is installed, the infected system’s resources are used to mine Monero coins for the threat actor. Infected systems can also be used for DDoS attacks due to the DDoS bots that are also installed, allowing additional malicious commands to be executed. Even if these malware are deleted, the threat actor can regain access to the system using the SSH backdoor account they had also installed.
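    The ASEC write-up above describes the whole chain: an SSH dictionary attack, a download command, DDoS bots, a setuid-root helper, log cleaners and a backdoor SSH account. The script below is an added example (not part of ASEC's report or of the comment) of how a defender would hunt for the first and last links of that chain in an OpenSSH auth log: a burst of failed logins from one source followed by an "Accepted" event from the same address, and a useradd entry that creates a UID 0 account. The log lines are constructed for the example and follow OpenSSH's standard syslog message format; the host name, addresses and the account name "sysupd" are invented.

```python
import re
import json
from collections import defaultdict

# Constructed sample auth.log excerpt (not from the ASEC report): a dictionary
# attack from 203.0.113.7 that ends in a successful login, then the creation of
# a UID 0 backdoor account, plus benign noise from 198.51.100.5.
SAMPLE_AUTH_LOG = """\
Jun 20 03:14:01 srv sshd[1201]: Failed password for root from 203.0.113.7 port 41234 ssh2
Jun 20 03:14:02 srv sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 41236 ssh2
Jun 20 03:14:03 srv sshd[1205]: Failed password for root from 203.0.113.7 port 41238 ssh2
Jun 20 03:14:04 srv sshd[1207]: Failed password for invalid user oracle from 203.0.113.7 port 41240 ssh2
Jun 20 03:14:05 srv sshd[1209]: Failed password for root from 203.0.113.7 port 41242 ssh2
Jun 20 03:14:06 srv sshd[1211]: Failed password for root from 203.0.113.7 port 41244 ssh2
Jun 20 03:14:09 srv sshd[1213]: Accepted password for root from 203.0.113.7 port 41290 ssh2
Jun 20 03:14:30 srv sshd[1220]: Failed password for alice from 198.51.100.5 port 50001 ssh2
Jun 20 03:14:35 srv sshd[1222]: Accepted publickey for alice from 198.51.100.5 port 50003 ssh2
Jun 20 03:15:02 srv useradd[1300]: new user: name=sysupd, UID=0, GID=0, home=/root, shell=/bin/bash
"""

# OpenSSH logs "Failed password for [invalid user] X from IP port N ssh2"
# and "Accepted <method> for X from IP port N ssh2".
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# shadow-utils useradd logs "new user: name=X, UID=N, GID=N, ...".
USERADD_RE = re.compile(
    r"useradd\[\d+\]: new user: name=(?P<user>[^,]+), UID=(?P<uid>\d+)"
)


def parse_auth_log(text):
    """Yield (kind, fields) for the sshd and useradd events we care about."""
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            yield "sshd", m.groupdict()
            continue
        m = USERADD_RE.search(line)
        if m:
            yield "useradd", m.groupdict()


def analyze_auth_log(text, fail_threshold=5):
    """Flag source IPs that fail at least fail_threshold times before an
    'Accepted' event (a dictionary attack that succeeded) and any account
    created with UID 0 (a root-equivalent backdoor user)."""
    failures = defaultdict(int)
    usernames_tried = defaultdict(set)
    findings = {"brute_force_success": [], "root_accounts_added": []}
    for kind, f in parse_auth_log(text):
        if kind == "sshd":
            if f["result"] == "Failed":
                failures[f["ip"]] += 1
                usernames_tried[f["ip"]].add(f["user"])
            elif failures[f["ip"]] >= fail_threshold:
                findings["brute_force_success"].append({
                    "ip": f["ip"],
                    "user": f["user"],
                    "method": f["method"],
                    "failed_attempts": failures[f["ip"]],
                    "usernames_tried": sorted(usernames_tried[f["ip"]]),
                })
        elif kind == "useradd" and f["uid"] == "0":
            findings["root_accounts_added"].append(f["user"])
    return findings


if __name__ == "__main__":
    print(json.dumps(analyze_auth_log(SAMPLE_AUTH_LOG), indent=2))
```

    On a real host, feed it the contents of /var/log/auth.log (or the output of journalctl -u ssh) and tune the threshold to the environment. Note that the MIG and 0x333shadow log cleaners described above exist precisely to erase these lines, so the check is only trustworthy when logs are shipped off the host before an intruder gets a shell.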

  7. Tomi Engdahl says:

    Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers

    Microsoft has disclosed that it’s detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard.

    The intrusions, which made use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant’s threat intelligence team said.

    Midnight Blizzard, formerly known as Nobelium, is also tracked under the monikers APT29, Cozy Bear, Iron Hemlock, and The Dukes.

  8. Tomi Engdahl says:

    Chinese Hackers Using Never-Before-Seen Tactics for Critical Infrastructure Attacks

    The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest.

    The findings come from CrowdStrike, which is tracking the adversary under the name Vanguard Panda.

    Volt Typhoon, also known as Bronze Silhouette, is a cyber espionage group from China that’s been linked to network intrusion operations against the U.S government, defense, and other critical infrastructure organizations.

  9. Tomi Engdahl says:

    Anatsa Android trojan now steals banking info from users in US, UK

    A new mobile malware campaign since March 2023 pushes the Android banking trojan ‘Anatsa’ to online banking customers in the U.S., the U.K., Germany, Austria, and Switzerland.

    Anatsa collects financial information such as bank account credentials, credit card details, payment information, etc., by overlaying phishing pages on the foreground when the user attempts to launch their legitimate bank app and also via keylogging.

  10. Tomi Engdahl says:

    New PindOS JavaScript dropper deploys Bumblebee, IcedID malware

    Security researchers discovered a new malicious tool they named PindOS that delivers the Bumblebee and IcedID malware typically associated with ransomware attacks.

    PindOS is a simple JavaScript malware dropper that appears to be built specifically to fetch the next-stage payloads that deliver the attackers’ final payload.

    In a report from cybersecurity company DeepInstinct, researchers note that the new PindOS malware dropper has only one function that comes with four parameters for downloading the payload, be it Bumblebee or the IcedID banking trojan that turned malware loader.

  11. Tomi Engdahl says:

    Suncor Energy cyberattack impacts Petro-Canada gas stations

    Petro-Canada gas stations across Canada are impacted by technical problems preventing customers from paying with credit card or rewards points as its parent company, Suncor Energy, discloses they suffered a cyberattack.

    Suncor Energy is the 48th-largest public company in the world, and one of Canada’s largest synthetic crude producers, having an annual revenue of $31 billion.

    The company says it has taken measures to mitigate the attack and informed the authorities of the situation. At the same time, it expects transactions with customers and suppliers to be negatively impacted until the incident is resolved.

  12. Tomi Engdahl says:

    Malware & Threats
    CISA Says Critical Zyxel NAS Vulnerability Exploited in Attacks

    CISA has warned users of Zyxel NAS products that the recently patched critical vulnerability CVE-2023-27992 has been exploited in attacks.

  13. Tomi Engdahl says:

    American Airlines, Southwest Airlines Impacted by Data Breach at Third-Party Provider

    The personal information of American Airlines and Southwest Airlines pilots was exposed in a data breach at a third-party services provider.

  14. Tomi Engdahl says:

    JP Morgan accidentally deletes evidence in multi-million record retention screwup

    Oops... totally by accident…

  15. Tomi Engdahl says:

    A Japanese cryptocurrency exchange fell victim to a recent cyberattack, deploying the stealthy JokerSpy backdoor on Apple macOS.

    Find out how this sophisticated toolkit targets macOS machines:

  16. Tomi Engdahl says:

    Siemens Energy confirms data breach after MOVEit data-theft attack

    Siemens Energy has confirmed that data was stolen during the recent Clop ransomware data-theft attacks using a zero-day vulnerability in the MOVEit Transfer platform.

    Today, Clop listed Siemens Energy on their data leak site, indicating that data was stolen during a breach on the company.

    The impact of Clop’s MOVEit attacks is still unfolding, as new victims are being disclosed on the gang’s website, and data published daily.

  17. Tomi Engdahl says:

    New Ongoing Campaign Targets npm Ecosystem with Unique Execution Chain

    Cybersecurity researchers have discovered a new ongoing campaign aimed at the npm ecosystem that leverages a unique execution chain to deliver an unknown payload to targeted systems.

    “The packages in question seem to be published in pairs, each pair working in unison to fetch additional resources which are subsequently decoded and/or executed,” software supply chain security firm Phylum said in a report released last week.

    To that end, the order in which the pair of packages are installed is paramount to pulling off a successful attack, as the first of the two modules are designed to store locally a token retrieved from a remote server. The campaign was first discovered on June 11, 2023.

  18. Tomi Engdahl says:

    Hundreds of devices found violating new CISA federal agency directive

    Censys researchers have discovered hundreds of Internet-exposed devices on the networks of U.S. federal agencies that have to be secured according to a recently issued CISA Binding Operational Directive.

    An analysis of the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations led to the discovery of more than 13,000 individual hosts exposed to Internet access, distributed across over 100 systems linked to FCEB agencies.

    All Internet-exposed management interfaces found by Censys on the networks of U.S. federal agencies have to be secured according to CISA’s Binding Operational Directive 23-02 within 14 days after being identified.

  19. Tomi Engdahl says:

    New Mockingjay process injection technique evades EDR detection

    A new process injection technique named ‘Mockingjay’ could allow threat actors to bypass EDR (Endpoint Detection and Response) and other security products to stealthily execute malicious code on compromised systems.

    Researchers at cybersecurity firm Security Joes discovered the method, which utilizes legitimate DLLs with RWX (read, write, execute) sections for evading EDR hooks and injecting code into remote processes.

    Process injection is a method of executing arbitrary code in the address space of another running process that is trusted by the operating system, hence giving threat actors the ability to run malicious code without being detected.
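    Mockingjay, as described above, depends on finding a legitimate DLL that already ships with a section mapped read, write and execute, so that the injected code lands in memory that was never made writable or executable by an API call an EDR would hook. The scanner below is an added example (not Security Joes' tooling and not from the comment) that walks a PE file's section table and reports sections whose characteristics carry all three memory flags, so a defender can inventory which DLLs on a system would qualify. It uses only the standard library; the sample image is constructed in memory for the example and is not loadable, just enough header to exercise the parser.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE


def pe_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table of a PE
    image held in memory; return (name, virtual_size, characteristics) tuples."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size             # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                 # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, = struct.unpack_from("<I", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append((name, vsize, chars))
    return sections


def rwx_sections(data):
    """Names of sections that are mapped readable, writable and executable."""
    return [name for name, _, chars in pe_sections(data) if chars & RWX == RWX]


def scan_file(path):
    """Convenience wrapper for a DLL or EXE on disk."""
    with open(path, "rb") as fh:
        return rwx_sections(fh.read())


def build_test_pe(section_specs):
    """Constructed sample: a minimal, non-loadable PE32+ image with the given
    (name, characteristics) sections, for exercising the scanner offline."""
    num = len(section_specs)
    opt_size = 0xF0                                   # size of a PE32+ optional header
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664, num, 0, 0, 0, opt_size, 0x2022)
    opt = b"\0" * opt_size                            # contents irrelevant to the scan
    table = b""
    for idx, (name, chars) in enumerate(section_specs):
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             0x1000, 0x1000 * (idx + 1), 0x200, 0x400 + 0x200 * idx,
                             0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + opt + table


# Constructed sample image: two ordinary sections and one RWX section of the
# kind Mockingjay needs. The names are illustrative only.
SAMPLE_DLL = build_test_pe([
    (".text", 0x60000020),   # code, read + execute (normal)
    (".data", 0xC0000040),   # initialized data, read + write (normal)
    (".rwx", 0xE0000020),    # read + write + execute: the interesting case
])

if __name__ == "__main__":
    for name, vsize, chars in pe_sections(SAMPLE_DLL):
        print(f"{name:8s} vsize=0x{vsize:x} characteristics=0x{chars:08x}")
    print("RWX sections:", rwx_sections(SAMPLE_DLL))
```

    Run scan_file() over System32 and the directories of installed software to build the list of candidate DLLs; an RWX section is not malicious on its own, but a process that loads such a DLL and then executes from inside that section is worth an alert, and the list itself tells you which modules an attacker could reuse.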

  20. Tomi Engdahl says:

    Gas Stations Impacted by Cyberattack on Canadian Energy Giant Suncor

    Some services at Petro-Canada gas stations have been disrupted following a cyberattack on parent company Suncor, one of North America’s largest energy companies.

    Suncor is a Canada-based company that produces oil and runs several refineries in North America. The organization owns a network of more than 1,800 Petro-Canada retail and wholesale locations.

    In a brief statement issued on June 25, Suncor said it had experienced a cybersecurity incident that may impact some transactions with suppliers and customers. The company said it brought in third-party experts to aid investigation and response efforts, and noted that authorities have been notified.

  21. Tomi Engdahl says:

    Hundreds of Devices With Internet-Exposed Management Interface Found in US Agencies

    Censys identified hundreds of devices within US federal agencies’ networks that expose their management interface to the internet.

  22. Tomi Engdahl says:

    Chrome 114 Update Patches High-Severity Vulnerabilities
    Google says it handed out $35,000 in bug bounty rewards for three high-severity vulnerabilities in Chrome 114.

  23. Tomi Engdahl says:

    Dan Goodin / Ars Technica:
    Analysis: the Clop ransomware group has breached 122 organizations and obtained the data of ~15M people to date by exploiting a critical zero-day flaw in MOVEit — The dramatic fallout continues, with as many as 122 organizations now breached. — The dramatic fallout continues …

    Casualties keep growing in this month’s mass exploitation of MOVEit 0-day
    The dramatic fallout continues, with as many as 122 organizations now breached.

    The dramatic fallout continues in the mass exploitation of a critical vulnerability in a widely used file-transfer program, with at least three new victims coming to light in the past few days. They include the New York City Department of Education and energy companies Schneider Electric and Siemens Electric.

    To date, the hacking spree appears to have breached 122 organizations and obtained the data of roughly 15 million people, based on posts the crime group has published or victim disclosures, Brett Callow, a threat analyst at the antivirus company Emsisoft, said in an interview.

    Mass exploitation of critical MOVEit flaw is ransacking orgs big and small
    Microsoft has tied the attacks to Clop, a Russian-speaking ransomware syndicate. The hacks are all the result of Clop exploiting what had been a zero-day vulnerability in MOVEit, a file-transfer service that’s available in both cloud and on-premises offerings.

  24. Tomi Engdahl says:

    Detecting Popular Cobalt Strike Malleable C2 Profile Techniques

    Unit 42 researchers identified two Cobalt Strike Team Server instances hosted on the internet and uncovered new profiles that are not available on public repositories. We will highlight the distinct techniques attackers use to exploit the Cobalt Strike platform and circumvent signature-based detections.

    We identified Team Server instances connected to the internet that host Beacon implants and provide command-and-control (C2) functionality. We have also extracted the Malleable C2 profile configuration from the Beacon binary to help us understand the various methods used to evade conventional detections.

  25. Tomi Engdahl says:

    Andariel’s silly mistakes and a new malware family

    Andariel, a part of the notorious Lazarus group, is known for its use of the DTrack malware and Maui ransomware in mid-2022. During the same period, Andariel also actively exploited the Log4j vulnerability as reported by Talos and Ahnlab. Their campaign introduced several new malware families, such as YamaBot and MagicRat, but also updated versions of NukeSped and, of course, DTrack.

    While on an unrelated investigation recently, we stumbled upon this campaign and decided to dig a little bit deeper. We discovered a previously undocumented malware family and an addition to Andariel’s set of TTPs.

  26. Tomi Engdahl says:

    NPM ecosystem at risk from “Manifest Confusion” attacks

    The NPM (Node Package Manager) registry suffers from a security lapse called “manifest confusion,” which undermines the trustworthiness of packages and makes it possible for attackers to hide malware in dependencies or perform malicious script execution during installation.
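    Manifest confusion comes down to one fact: the registry serves a per-version manifest (name, version, dependencies, scripts and so on) that is stored separately from the package.json inside the published tarball, and nothing forces the two to agree. Tooling that reads only the manifest can be shown a clean dependency list while the tarball's package.json carries an extra dependency or an install script. The checker below is an added example (not from the comment and not npm's own code) that compares the two; the registry manifest and the tarball are constructed in memory, and the package and dependency names are hypothetical. In practice the manifest comes from the registry's version endpoint and the tarball from the dist.tarball URL it lists.

```python
import io
import json
import tarfile

# Fields where a disagreement between manifest and tarball changes what gets
# installed or executed.
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts", "bin")


def package_json_from_tarball(tgz_bytes):
    """Return the package.json that the published tarball actually carries."""
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            # npm tarballs place all files under a top-level 'package/' directory
            if member.name in ("package/package.json", "./package/package.json"):
                return json.load(tar.extractfile(member))
    raise ValueError("tarball has no package/package.json")


def manifest_confusion(registry_manifest, tgz_bytes):
    """Compare the registry's version manifest with the tarball's package.json.
    Returns {field: (manifest_value, tarball_value)} for every mismatch; an
    empty dict means the two sources agree on the checked fields."""
    pkg = package_json_from_tarball(tgz_bytes)
    diffs = {}
    for field in CHECKED_FIELDS:
        manifest_value, tarball_value = registry_manifest.get(field), pkg.get(field)
        if manifest_value != tarball_value:
            diffs[field] = (manifest_value, tarball_value)
    return diffs


def build_tarball(package_json):
    """Constructed sample: pack a package.json into an npm-style .tgz in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        body = json.dumps(package_json).encode()
        info = tarfile.TarInfo("package/package.json")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


# Constructed example with a hypothetical package name: the registry manifest
# shows no dependencies and no scripts, while the tarball's own package.json
# pulls in an extra (hypothetical) dependency and runs a postinstall script.
REGISTRY_MANIFEST = {
    "name": "example-pkg", "version": "1.0.0",
    "dependencies": {}, "scripts": {},
}
TARBALL = build_tarball({
    "name": "example-pkg", "version": "1.0.0",
    "dependencies": {"hypothetical-dep": "^1.0.0"},
    "scripts": {"postinstall": "node setup.js"},
})

if __name__ == "__main__":
    for field, (in_manifest, in_tarball) in manifest_confusion(REGISTRY_MANIFEST, TARBALL).items():
        print(f"{field}: manifest={in_manifest!r} tarball={in_tarball!r}")
```

    Run this against each package before it is admitted to an internal mirror, and treat a non-empty result as a block rather than a warning: a scripts mismatch in particular means the install hook your review never saw is the one that will run.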

  27. Tomi Engdahl says:

    Alert: New Electromagnetic Attacks on Drones Could Let Attackers Take Control

    Drones that don’t have any known security weaknesses could be the target of electromagnetic fault injection (EMFI) attacks, potentially enabling a threat actor to achieve arbitrary code execution and compromise their functionality and safety.

    The research comes from IOActive, which found that it is “feasible to compromise the targeted device by injecting a specific EM glitch at the right time during a firmware update.”

  28. Tomi Engdahl says:

    2,700 People Tricked Into Working for Cybercrime Syndicates Rescued in Philippines

    Philippine police backed by commandos staged a massive raid and rescued more than 2,700 workers who were allegedly swindled into working for cybercrime groups.

    Philippine police backed by commandos staged a massive raid on Tuesday and said they rescued more than 2,700 workers from China, the Philippines, Vietnam, Indonesia and more than a dozen other countries who were allegedly swindled into working for fraudulent online gaming sites and other cybercrime groups.

    The number of human trafficking victims rescued from seven buildings in Las Pinas city in metropolitan Manila and the scale of the nighttime police raid were the largest so far this year and indicated how the Philippines has become a key base of operations for cybercrime syndicates.

    Cybercrime scams have become a major issue in Asia with reports of people from the region and beyond being lured into taking jobs in countries like strife-torn Myanmar and Cambodia. However, many of these workers find themselves trapped in virtual slavery and forced to participate in scams targeting people over the internet.

    In May, leaders from the Association of Southeast Asian Nations agreed in a summit in Indonesia to tighten border controls and law enforcement and broaden public education to fight criminal syndicates that traffic workers to other nations, where they are made to participate in online fraud.

  29. Tomi Engdahl says:

    Siemens Energy, Schneider Electric Targeted by Ransomware Group in MOVEit Attack

    Energy giants Schneider Electric and Siemens Energy confirm being targeted by the Cl0p ransomware group in the campaign exploiting a MOVEit zero-day.

  30. Tomi Engdahl says:

    Sensitive Information Stolen in LetMeSpy Stalkerware Hack

    Emails, phone numbers, call logs, and collected messages stolen in data breach at Android stalkerware LetMeSpy.

  31. Tomi Engdahl says:

    Dozens of Businesses Hit Recently by ‘8Base’ Ransomware Gang

    The 8Base ransomware gang has hit roughly 30 small businesses over the past month, reaching a total of approximately 80 victims since March 2022.

  32. Tomi Engdahl says:

    “Brave is the only browser that will block requests to localhost resources from both secure and insecure public sites, while still maintaining a compatibility path for sites that users trust,” pledges the Brave team.

    Brave Browser boosts privacy with new local resources restrictions

  33. Tomi Engdahl says:

    Anomalous Behavior, and VMCI Backdoors on Compromised VMware Hosts

    Since the majority of threat actor operations cross the virtualization barrier between ESXi host and connected guest VMs, both successful and failed actions will have some sort of remnants available across both layers. The first section of this blog post will describe log options and configurations available on both ESXi hosts and guest VMs to identify when a threat actor performs successful guest operations.

  34. Tomi Engdahl says:

    MITRE releases new list of top 25 most dangerous software bugs

    MITRE shared today this year’s list of the top 25 most dangerous weaknesses plaguing software during the previous two years.
    Software weaknesses encompass a wide range of issues, including flaws, bugs, vulnerabilities, and errors in software solutions’ code, architecture, implementation, or design.

    In a collaborative effort involving cybersecurity authorities worldwide, a comprehensive compilation of the top 15 vulnerabilities commonly exploited in attacks throughout 2021 was released in April 2022. This joint endeavor involved notable organizations such as the NSA and the FBI.

  35. Tomi Engdahl says:

    Newly Uncovered ThirdEye Windows-Based Malware Steals Sensitive Data

    A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with capabilities to harvest sensitive data from infected hosts.

    Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name “CMK Правила оформления больничных листов.pdf.exe,” which translates to “CMK Rules for issuing sick leaves.pdf.exe.”

    The arrival vector for the malware is presently unknown, although the nature of the lure points to it being used in a phishing campaign.

  36. Tomi Engdahl says:

    Critical Security Flaw in Social Login Plugin for WordPress Exposes Users’

    A critical security flaw has been disclosed in miniOrange’s Social Login and Register plugin for WordPress that could enable a malicious actor to log in as any user, provided information about the email address is already known.

    Tracked as CVE-2023-2982 (CVSS score: 9.8), the authentication bypass flaw impacts all versions of the plugin, including and prior to 7.6.4. It was addressed on June 14, 2023, with the release of version 7.6.5 following responsible disclosure on June 2, 2023.

  37. Tomi Engdahl says:

    Serious Vulnerability Exposes Admin Interface of Arcserve UDP Backup Solution

    Researchers publish PoC for a high-severity authentication bypass vulnerability in the Arcserve UDP data backup solution

  38. Tomi Engdahl says:

    Researchers Detail 4 SAP Bugs, Including Flaw in ABAP Kernel: by @jaivijayan

