China-linked APT group spotted exploiting a VMware ESXi zero-day
Researchers at Mandiant have observed a China-linked cyberespionage group, which they are tracking as UNC3886, exploiting a VMware ESXi zero-day vulnerability tracked as CVE-2023-20867. They first started tracking the group in September 2022 when they discovered a malware persistence technique within VMware ESXi hypervisors. As detailed in Mandiant’s analysis paper, “the attacker utilized the zero-day vulnerability to execute commands and transfer files to and from guest VMs from a compromised ESXi host without the need for guest credentials,” adding, “the vulnerability does not generate an authentication log event on the guest VM when commands are executed from the ESXi host.”
(Security Affairs and Mandiant)
Hundreds of thousands of ecommerce sites impacted by critical plugin vulnerability
A critical vulnerability in the WooCommerce Stripe Payment Gateway plugin, tracked as CVE-2023-34000, has been identified as an unauthenticated insecure direct object reference (IDOR) bug, which can lead to information disclosure. “The flaw allows an unauthenticated attacker to view any information that a user provides when placing an order, including name, address, and email address.” The problem was fixed on May 30 with the release of WooCommerce Stripe Payment Gateway version 7.4.1, but according to the official WordPress web store, the plugin has more than 900,000 active installations, and based on available version-usage data, hundreds of thousands of them could still be vulnerable to attacks.
7-Nation LockBit report shows US paid over $90m in ransoms since 2020
Seven nations (the US, Australia, Canada, the UK, Germany, France, and New Zealand) jointly issued an alert yesterday with protection tips and information about LockBit. The advisory includes details of common tools and exploits used by the criminals, along with recommendations to avoid ransomware infections or reduce the impact of future ones. It adds that the group’s affiliates remain a global scourge, costing US victims alone more than $90 million from roughly 1,700 attacks since 2020. The alert does not encourage payment of ransoms, but does urge that ransomware incidents be reported.
Hackers create fake GitHub profiles to deliver malware through repositories
Hackers devised a campaign to deceive cybersecurity professionals who use GitHub, trying to trick them into downloading malware. This is according to research published by cybersecurity company VulnCheck on Wednesday. They stated, “the group created fake profiles of real security researchers to promote code repositories that appear to house exploits for popular products like Chrome, Exchange, and Discord.” According to VulnCheck, the creators of these repositories have spent much time and effort making them appear authentic by creating “a network of Twitter accounts, masquerading as members of a fictitious company called High Sierra Cyber Security. They even used headshots of genuine researchers employed by major cybersecurity companies.”
Thanks to this week’s episode sponsor, Conveyor

EU passes landmark Artificial Intelligence Act
The European Parliament has adopted the latest draft of the legislation with an overwhelming majority. First introduced in April 2021, the AI Act aims to regulate AI services and mitigate the risks they pose. The first draft, which included measures such as adding safeguards against biometric data exploitation, mass surveillance systems and policing algorithms, was prepared before the surge in generative AI tool adoption that occurred in late 2022. The latest draft includes a “tiered approach for AI models, from ‘low and minimal risk’ through ‘limited risk,’ ‘high risk’ and ‘unacceptable risk’ AI practices.”
Cyber Command reshuffles force expansion due to Navy readiness woes
Cyber Command’s planned force expansion includes growing its main warfighting corps, known as the Cyber Mission Force (CMF), by 14 teams. Four new teams to be provided by the Navy will focus on training the service’s existing cyber operators first, not acting as additional cyber warriors as originally intended, according to multiple military, civilian and congressional sources with direct knowledge of the process. In all, two Cyber Combat Mission Teams, which conduct digital operations to support U.S. military commands around the world, and two Combat Support Teams that aid the combat teams and others, will bolster the existing teams and lay the groundwork for future squads with the intention that, one day, they will protect computer networks from foreign hackers as intended.
Twitter evicted from its Boulder office over unpaid rent
Twitter currently owes three months’ rent to its landlord in Boulder, CO, and a judge has now signed the eviction notice, according to court documents. In May the Chicago-based LLC that owns the offices at 3401 Bluff St in Boulder took Twitter to court, and on May 31 the judge issued an order that the sheriff should assist in the eviction within the next 49 days. According to TechCrunch, “as many as 300 employees once worked in Twitter’s Boulder offices, but between layoffs, other firings, and resignations, it is probably less than half of that now.”
Hackers can steal cryptographic keys by video-recording power LEDs 60 feet away
Researchers can now recover secret encryption keys stored in smart cards and smartphones “by using cameras in iPhones or commercial surveillance systems to video record power LEDs that show when the card reader or smartphone is turned on.” This is another example of a side-channel attack, one that measures the physical signals that leak from a device as it performs a cryptographic operation. As described by ArsTechnica, “by carefully monitoring characteristics such as power consumption, sound, electromagnetic emissions, or the amount of time it takes for an operation to occur, attackers can assemble enough information to recover secret keys that underpin the security and confidentiality of a cryptographic algorithm.”