VMware bugs abused to deliver Mirai malware
According to researchers at Barracuda, “a GitHub proof-of-concept exploitation of recently announced VMware bugs is being abused by hackers in the wild,” who are using them to deliver Mirai denial-of-service malware and to exploit the Log4Shell vulnerability. The researchers “analyzed the attacks and payloads detected by Barracuda systems between April to May and found a steady stream of attempts to exploit two recently uncovered VMware vulnerabilities: CVE-2022-22954 and CVE-2022-22960,” says a report from Barracuda. CISA has released an emergency bulletin that requires emergency action from Federal Civilian Executive Branch agencies to either immediately implement the updates or remove the affected software from their network until the updates can be applied.
(Threatpost and CISA)
Microsoft to debut zero trust GDAP tool
In an effort to make it harder for criminal elements to attack through MSPs and resellers, Microsoft is replacing its current “delegated administration privileges” (DAP) program, which let partners manage a customer’s services, software, or subscriptions, with granular delegated admin privileges (GDAP). As the name implies, GDAP offers finer controls and a zero-trust model. GDAP authorizations can last from a day to two years, can’t be auto-renewed, and do not permit partners to take actions such as administering external identities in Active Directory.
Bank of Zambia refuses to pay ransom to cyberattack group Hive
“All of our core systems are still up and running,” said Greg Nsofu, information and communications technology director at the Bank of Zambia, speaking to reporters in Lusaka. “Not much sensitive data has actually been shipped out. Knowing that we had protected our core systems, it wasn’t really necessary for us to even engage” in a ransom conversation, Nsofu said. “So we pretty much told them where to get off.” Hive ransomware has already “made its mark as one of the most prolific and aggressive ransomware families today,” according to Trend Micro Inc.
North Korean developers pose as US freelancers to aid DPRK hackers
The U.S. government has issued a warning regarding agents from North Korea who are being sent to apply for freelance jobs at companies across the world in order to win privileged access to client networks. The agents pretend to be teleworkers located in the U.S. or in another non-sanctioned country. They change their names, use virtual private network (VPN) connections, or use IP addresses from other regions. The US Treasury has published an advisory that helps organizations identify these workers. A link to the advisory is included in the show notes to this episode at CISOSeries.com.
(Bleeping Computer and Treasury advisory)
Thanks to our episode sponsor, Torq

Not true. Any business that attempts to automate security will quickly find that most high-stakes security issues are far too complex to be detected and remediated by automation tools alone. Human security professionals need to take the lead delivering nuanced insight about the business impact of a large-scale breach. To learn more about the realities of automation, head to torq.io.
Microsoft warns of new type of attack targeting SQL servers
Microsoft Security Intelligence this week dispatched a warning over Twitter regarding an attack campaign that targets SQL servers using a new approach to evade PowerShell monitoring. Instead of using PowerShell, the threat actors use sqlps.exe, “a utility that comes standard with every version of SQL and functions as a wrapper for running SQL-built CMDlets, to run commands and change the start mode of the SQL service to LocalSystem.” The warning continues, “the new campaign starts with a brute-force attack and ultimately allows attackers to take over the targeted servers and deploy malware such as coin miners.”
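The evasion described above matters to defenders because detection content keyed on powershell.exe never sees sqlps.exe. The following is an added example, not code from Microsoft or from this show, of how a hunting script might surface the two stages the warning describes: a burst of failed SQL logins (the brute-force stage) and sqlps.exe being used to reconfigure the SQL service. The event format, field names, sample log lines, file paths, the failed-login threshold, and the baseline of “expected” parent processes for sqlps.exe are all constructed assumptions for this illustration and would need tuning against a real environment.

```python
import ntpath
import re
from collections import Counter

# Constructed events, loosely shaped like Windows 4688 / Sysmon Event 1
# process-creation records and SQL Server failed-login audit entries.
# Hosts, addresses, paths and command lines are all made up for this example.
SAMPLE_EVENTS = [
    {"kind": "sql_login_failed", "host": "sql01", "src": "203.0.113.7", "user": "sa"},
    {"kind": "sql_login_failed", "host": "sql01", "src": "203.0.113.7", "user": "sa"},
    {"kind": "sql_login_failed", "host": "sql01", "src": "203.0.113.7", "user": "sa"},
    {"kind": "sql_login_failed", "host": "sql01", "src": "203.0.113.7", "user": "sa"},
    {"kind": "sql_login_failed", "host": "sql01", "src": "203.0.113.7", "user": "sa"},
    {"kind": "sql_login_failed", "host": "sql01", "src": "203.0.113.7", "user": "sa"},
    {"kind": "sql_login_failed", "host": "sql01", "src": "198.51.100.2", "user": "report_ro"},
    {"kind": "process_create", "host": "sql01", "parent": "sqlservr.exe",
     "image": r"C:\SQLTools\sqlps.exe",
     "cmdline": r'sqlps.exe -Command "Set-Service MSSQLSERVER -StartupType Automatic"'},
    {"kind": "process_create", "host": "sql01", "parent": "sqlps.exe",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc.exe config MSSQLSERVER obj= LocalSystem"},
    # A benign-looking SQL Agent job step that also runs sqlps.exe.
    {"kind": "process_create", "host": "sql01", "parent": "SQLAGENT.EXE",
     "image": r"C:\SQLTools\sqlps.exe",
     "cmdline": r"sqlps.exe -NoLogo -File C:\Jobs\nightly_backup.ps1"},
    {"kind": "process_create", "host": "web02", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-Date"},
]

# Assumed threshold: this many failed SQL logins from one source is a brute-force signal.
BRUTE_FORCE_THRESHOLD = 5

# Assumed baseline: sqlps.exe is expected under SQL Agent job steps and an
# administrator's interactive shell. Any other parent (e.g. the SQL engine
# process itself) is treated as unexpected and worth a look.
EXPECTED_SQLPS_PARENTS = {"sqlagent.exe", "explorer.exe"}

# Command-line fragments that change a Windows service's configuration.
SERVICE_CHANGE_RE = re.compile(
    r"Set-Service|sc(?:\.exe)?\s+config|obj=\s*LocalSystem|start=\s*auto", re.I)


def _base(path):
    """Lower-cased file name of a Windows path, regardless of the host OS."""
    return ntpath.basename(path).lower()


def analyze(events):
    """Return a list of findings, each a dict with 'rule', 'host' and 'detail'."""
    findings = []
    failures = Counter()
    for ev in events:
        if ev["kind"] == "sql_login_failed":
            failures[(ev["host"], ev["src"])] += 1
            continue
        if ev["kind"] != "process_create":
            continue
        image, parent = _base(ev["image"]), _base(ev["parent"])
        # Rule 1: sqlps.exe launched from somewhere outside the assumed baseline.
        if image == "sqlps.exe" and parent not in EXPECTED_SQLPS_PARENTS:
            findings.append({"rule": "sqlps_unexpected_parent", "host": ev["host"],
                             "detail": f"{parent} -> {ev['cmdline']}"})
        # Rule 2: sqlps.exe (or a child of it) reconfiguring a service.
        if "sqlps.exe" in (image, parent) and SERVICE_CHANGE_RE.search(ev["cmdline"]):
            findings.append({"rule": "service_reconfig", "host": ev["host"],
                             "detail": ev["cmdline"]})
    # Rule 3: repeated failed SQL logins from a single source.
    for (host, src), n in failures.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings.append({"rule": "sql_bruteforce", "host": host,
                             "detail": f"{n} failed logins from {src}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['host']}: {f['detail']}")
```

Run against the constructed events, the script flags the six failed `sa` logins from one address, the sqlps.exe process spawned by sqlservr.exe, and both service-reconfiguration command lines, while leaving the SQL Agent backup job alone. The point is that the parent-process and command-line checks apply to sqlps.exe by name; a rule that only watches powershell.exe would have produced nothing here.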
Microsoft warns of the rise of cryware targeting hot wallets
Cryware is malicious software used to steal info and funds from non-custodial cryptocurrency wallets, also known as hot wallets, which are stored locally on a device and provide easier access to the cryptographic keys needed to perform transactions. Data stolen by this kind of malware includes private keys, seed phrases, and wallet addresses, which could be used by threat actors to initiate fraudulent transactions. Microsoft recommends that users and organizations lock hot wallets when not actively trading, disconnect sites connected to the wallet, never store private keys in plaintext, ensure that browser sessions are terminated after every transaction, enable MFA for wallet authentication, double-check hot wallet transactions and approvals, and use hardware wallets to store private keys offline.
Wizard Spider reinvests its revenues into growth and development
On Wednesday, researchers at PRODAFT published the results of their investigation into Wizard Spider, which is believed to be associated with the Grim Spider and Lunar Spider hacking groups. According to the report, Wizard Spider is likely Russian and runs as a set of sub-teams and groups. “[It] has huge numbers of compromised devices at its command and employs a highly distributed professional workflow to maintain security and a high operational tempo.” Although none of its techniques, such as BEC or cold-calling victims for payment, are novel, Wizard Spider appears to demonstrate an above-average corporate approach to running the many arms of its business.
(ZDNet)
Your data is auctioned off up to 747 times a day, NGO reports
According to The Register, “the average American has their personal information shared in an online ad bidding war 747 times a day. For the average EU citizen, that number is 376 times a day. In one year, 178 trillion instances of the same bidding war happen online in the US and EU.” This is based on data shared by the Irish Council on Civil Liberties in a report detailing the extent of real-time bidding (RTB). RTB drives almost all online advertising and relies on sharing of personal information without user consent. “Real-time bidding involves the sharing of information about internet users, and it happens whenever a user lands on a website that serves ads. The report includes activities by Google, but not Amazon or Facebook. Suggesting that this activity may be illegal in many areas, it goes on to describe RTB as the biggest data breach ever recorded.”