VMware bugs abused to deliver Mirai malware
Researchers say a GitHub proof-of-concept exploit for recently announced VMware bugs is being abused by hackers in the wild who are focused on using them to deliver Mirai denial-of-service malware and exploit the Log4Shell vulnerability. “Researchers analyzed the attacks and payloads detected by Barracuda systems between April and May and found a steady stream of attempts to exploit two recently uncovered VMware vulnerabilities: CVE-2022-22954 and CVE-2022-22960,” says a report from Barracuda.
CISA has released an emergency bulletin that requires emergency action from Federal Civilian Executive Branch agencies to either immediately implement the updates or remove the affected software from their network until the updates can be applied.
(Threatpost and CISA)
Microsoft to debut zero trust GDAP tool
To make it harder for criminals to attack customers through MSPs and resellers, Microsoft is replacing its current “delegated administration privileges” (DAP) program, which let partners manage a customer’s services, software, or subscriptions, with granular delegated admin privileges (GDAP). As the name implies, GDAP offers finer controls and a zero-trust model. GDAP authorizations can last from a day to two years, can’t be auto-renewed, and do not permit partners to take actions such as administering external identities in Active Directory.
Bank of Zambia refuses to pay ransom to cyberattack group Hive
“All of our core systems are still up and running,” Greg Nsofu, information and communications technology director at the Bank of Zambia, told reporters in Lusaka, the capital. “Not much sensitive data has actually been shipped out. Knowing that we had protected our core systems, it wasn’t really necessary for us to even engage” in a ransom conversation, Nsofu said. “So we pretty much told them where to get off.” Hive ransomware has already “made its mark as one of the most prolific and aggressive ransomware families today,” according to Trend Micro Inc.
North Korean devs pose as US freelancers to aid DPRK govt hackers
The U.S. government is warning that the Democratic People’s Republic of Korea (DPRK) is dispatching its IT workers to get freelance jobs at companies across the world to obtain privileged access that is sometimes used to facilitate cyber intrusions. To get into the desired position, North Korea’s IT workers often pretend to be teleworkers located in the U.S. or another non-sanctioned country. To obfuscate their true identity and pass as an individual from a non-sanctioned country, North Korean IT workers often change their names, use virtual private network (VPN) connections, or use IP addresses from other regions. The US Treasury has published an advisory that helps organizations identify these workers. A link to the advisory is included in the show notes to this episode at CISOSeries.com: https://home.treasury.gov/system/files/126/20220516_dprk_it_worker_advisory.pdf
Thanks to our episode sponsor, Torq

Not true. Any business that attempts to automate security will quickly find that most high-stakes security issues are far too complex to be detected and remediated by automation tools alone. Human security professionals need to take the lead delivering nuanced insight about the business impact of a large-scale breach. To learn more about the realities of automation, head to torq.io.
Microsoft warns of new type of attack targeting SQL servers
Microsoft Security Intelligence this week tweeted a warning about an attack campaign targeting SQL servers and using a new approach to evade PowerShell monitoring. Instead of PowerShell, these threat actors are using sqlps.exe, a utility that comes standard with every version of SQL and functions as a “wrapper for running SQL-built CMDlets, to run commands and change the start mode of the SQL service to LocalSystem,” Microsoft explained in a tweet thread. The new campaign starts with a brute-force attack and ultimately allows attackers to take over the targeted servers and deploy malware such as coin miners.
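The detection angle of this item is that sqlps.exe is a PowerShell host that monitoring keyed on powershell.exe alone will not see. The following triage routine is an added example written for these notes, not code from Microsoft or from the thread it refers to. It assumes Sysmon-style process-creation events with Image, ParentImage and CommandLine fields; the three sample events are constructed, and the indicator heuristics (sqlps.exe launched under the SQL Server service process, and a command line that reconfigures a service) are my own choices for illustrating the idea.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# Invented for this example; not telemetry from the campaign.
SAMPLE_EVENTS = [
    {   # legitimate DBA use of the wrapper from an interactive desktop session
        "Image": r"C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Binn\sqlps.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"sqlps.exe" -Command "Invoke-Sqlcmd -Query \"SELECT @@VERSION\""',
    },
    {   # suspicious: launched under the SQL service and reconfiguring that service
        "Image": r"C:\Program Files\Microsoft SQL Server\140\Tools\Binn\sqlps.exe",
        "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL14.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
        "CommandLine": r'sqlps.exe -NoProfile -Command "sc.exe config MSSQLSERVER obj= LocalSystem start= auto"',
    },
    {   # unrelated process; must not match
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"notepad.exe C:\Users\dba\notes.txt",
    },
]

# Command-line fragments that change a service's start mode or run-as account.
SERVICE_TAMPER = re.compile(
    r"sc(\.exe)?\s+config|Set-Service|LocalSystem|start=\s*(auto|demand)|-StartupType",
    re.IGNORECASE,
)
# Parent is the SQL Server engine itself: consistent with commands run from a SQL session.
# A production rule would walk the full ancestry (cmd.exe in between is common); kept simple here.
SQL_PARENT = re.compile(r"\\sqlservr\.exe$", re.IGNORECASE)


def is_sqlps(event):
    """True when the created process is the sqlps.exe PowerShell host."""
    return event["Image"].lower().endswith("\\sqlps.exe")


def classify(event):
    """Return the indicator codes that fire on one event; empty list means no interest."""
    if not is_sqlps(event):
        return []
    codes = ["sqlps_host"]  # PowerShell host that a powershell.exe-only filter misses
    if SQL_PARENT.search(event["ParentImage"]):
        codes.append("sql_parent")  # spawned by the database engine process
    if SERVICE_TAMPER.search(event["CommandLine"]):
        codes.append("service_tamper")  # service start mode / account change
    return codes


def severity(codes):
    """One indicator is worth a look; two or more together warrant an alert."""
    if not codes:
        return "none"
    return "high" if len(codes) >= 2 else "low"


def triage(events):
    """Map event index -> (severity, codes) for every event that fired an indicator."""
    results = {}
    for index, event in enumerate(events):
        codes = classify(event)
        if codes:
            results[index] = (severity(codes), codes)
    return results


if __name__ == "__main__":
    for index, (level, codes) in triage(SAMPLE_EVENTS).items():
        print(f"event {index}: {level} {codes} :: {SAMPLE_EVENTS[index]['CommandLine']}")
```

Plain sqlps.exe use by a DBA scores low on its own, which keeps the rule from paging on routine administration; the combination of a sqlservr.exe parent and a service-reconfiguration command line is what raises it to high.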
Microsoft warns of the rise of cryware targeting hot wallets
Cryware is malicious software used to steal info and funds from non-custodial cryptocurrency wallets, also known as hot wallets, which are stored locally on a device and provide easier access to the cryptographic keys needed to perform transactions. Data stolen by this kind of malware includes private keys, seed phrases, and wallet addresses, which could be used by threat actors to initiate fraudulent transactions. Microsoft recommends that users and organizations lock hot wallets when not actively trading, disconnect sites connected to the wallet, never store private keys in plaintext, ensure that browser sessions are terminated after every transaction, enable MFA for wallet authentication, double-check hot wallet transactions and approvals, and use hardware wallets to store private keys offline.
Wizard Spider reinvests its revenues into growth and development
On Wednesday, PRODAFT published the results of an investigation into Wizard Spider, believed to either be or be associated with the Grim Spider and Lunar Spider hacking groups. According to the cybersecurity firm, Wizard Spider, likely Russian in origin, runs an infrastructure made up of a “complex set of sub-teams and groups, [..] has huge numbers of compromised devices at its command and employs a highly distributed professional workflow to maintain security and a high operational tempo.” Although none of their techniques such as BEC or cold-calling victims for payment are novel, Wizard Spider appears to demonstrate an above average corporate approach to running the many arms of its business.
(ZDNet)
Your data is auctioned off up to 747 times a day, NGO reports
The average American has their personal information shared in an online ad bidding war 747 times a day. For the average EU citizen, that number is 376 times a day. In one year, 178 trillion instances of the same bidding war happen online in the US and EU. That’s according to data shared by the Irish Council on Civil Liberties in a report detailing the extent of real-time bidding (RTB), the technology that drives almost all online advertising and which it said relies on sharing of personal information without user consent. Real-time bidding involves the sharing of information about internet users, and it happens whenever a user lands on a website that serves ads. The report includes activities by Google, but not Amazon or Facebook. Suggesting that this activity may be illegal in many areas, the report goes on to describe RTB as “the biggest data breach ever recorded.”