Cyber Security Briefing, 1 - 8 September

September 8, 2023

DB#JAMMER: malicious campaign against Microsoft SQL servers

The Securonix research team has published an investigation into a campaign called DB#JAMMER in which attackers target MS SQL servers to distribute ransomware.

The group behind these incidents has not been identified; however, the methodology follows the same pattern in every case: initial access is gained through brute force attacks on MS SQL servers. The attackers then perform network enumeration and reconnaissance, and in the next phase attack the system's firewall and establish persistence by connecting to a remote SMB share to transfer files to and from the victim's system, as well as installing tools such as Cobalt Strike.

Finally, this campaign ends with the distribution of the FreeWorld ransomware, which is considered to be a variant of the Mimic ransomware.
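The DB#JAMMER chain described above starts with password guessing against the SQL Server logon, which is also the noisiest stage from a defender's point of view. The following is an added example, not code from Securonix or from the campaign write-up: a small detector run over constructed sample lines laid out like the SQL Server error log (failed logins are recorded as error 18456 with the message "Login failed for user ..."). It flags a client address that produces a burst of failures inside a short window, and separately flags a login that later succeeds from that same client, which is the moment a brute-force attempt becomes initial access. The log lines, IP addresses, user names and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (not real telemetry), modelled on the SQL Server
# error-log layout: timestamp, source column, message. Assumption: the log
# has been exported as plain text, e.g. from ERRORLOG or a SIEM feed.
SAMPLE_LOG = """\
2023-09-05 10:15:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-05 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-05 10:15:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-05 10:15:01.65 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-05 10:15:01.88 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-05 10:15:02.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-05 10:15:02.35 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-09-05 10:15:02.90 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2023-09-05 10:20:00.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

# Only the "Login failed/succeeded for user ..." lines carry the user and the
# client address; the preceding "Error: 18456" line is deliberately not matched.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]$"
)


def parse_line(line):
    """Return a dict with ts/outcome/user/client, or None for other lines."""
    m = LINE_RE.match(line.rstrip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
        "outcome": m["outcome"],
        "user": m["user"],
        "client": m["client"],
    }


def detect_brute_force(lines, threshold=5, window_seconds=60):
    """Sliding-window detector.

    Emits ("burst", client, n) the first time `threshold` failures from one
    client fall inside `window_seconds`, and ("success_after_burst", client,
    user) whenever a login later succeeds from a client already flagged.
    """
    failures = defaultdict(deque)   # client -> timestamps of recent failures
    flagged = set()
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        client = ev["client"]
        if ev["outcome"] == "failed":
            window = failures[client]
            window.append(ev["ts"])
            # Drop failures that have aged out of the window.
            while window and (ev["ts"] - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold and client not in flagged:
                flagged.add(client)
                alerts.append(("burst", client, len(window)))
        elif client in flagged:
            alerts.append(("success_after_burst", client, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures from one address is common background noise on an exposed SQL Server, but a success from the same address shortly afterwards matches the initial-access step of this campaign and should trigger a look at what that session did next (new logins, xp_cmdshell use, outbound SMB connections).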


New variant of Agent Tesla malware

FortiGuard Labs has discovered a phishing campaign used to spread a new variant of Agent Tesla, a malware family sold as Malware-as-a-Service that combines a remote access trojan (RAT) with a data stealer to gain access to devices.

This campaign starts with a phishing email carrying an Excel file that, once opened by the user, exploits the vulnerability CVE-2017-11882/CVE-2018-0802, which allows remote code execution. Agent Tesla is then downloaded and installed, allowing the threat actor to steal sensitive victim information, including credentials, keylogging data and device screenshots.

Finally, the malware, which encrypts its most relevant modules to hinder analysis, transmits the stolen information by email over SMTP.


New Apple 0-day vulnerabilities actively exploited

Apple has issued a security advisory in which it fixes two new 0-day vulnerabilities that are being actively exploited. One of the security flaws has been registered as CVE-2023-41064, which is a buffer overflow weakness that is triggered when processing maliciously crafted images and can lead to the execution of arbitrary code.

The other security flaw is CVE-2023-41061, which is a validation issue that can be exploited by means of a malicious attachment. Researchers at Citizen Lab have published research detailing that these vulnerabilities were exploited via an iMessage zero-click exploit chain called BLASTPASS that was used to deploy NSO Group's Pegasus software via PassKit attachments containing malicious images.

Apple recommends that its users update their devices to the following versions: macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1 and watchOS 9.6.2.


Android patches one actively exploited vulnerability and three critical ones

Google has released a new Android security bulletin listing the vulnerabilities patched in the September security update, including a high-severity vulnerability that, according to Google, appears to be under exploitation. This vulnerability (CVE-2023-35674) would allow a threat actor to escalate privileges without any user interaction.

The bulletin lists a total of 34 patched vulnerabilities, including three of critical severity (CVE-2023-35658, CVE-2023-35673, CVE-2023-35681) that would allow an attacker to execute code remotely without requiring additional execution privileges.

The security update is targeted at devices running Android versions 11, 12 and 13, so users of these versions are advised to install it as soon as possible. Users with a device running Android 10 or lower are advised to move to a device running a newer version.


Investigation of techniques used in Storm-0558 threat actor attacks

Microsoft published an article last July reporting how it mitigated an attack by the threat actor known as Storm-0558, which targeted email accounts of up to 25 different entities across US government agencies, including the State Department, and European institutions.

According to recent disclosures, Storm-0558 was able to carry out the attack because it obtained information about a digital signing key after compromising a Microsoft engineer's corporate account in April 2021. With that exfiltrated key, the threat actor was able to forge its own authentication tokens and access the Outlook email accounts of high-ranking government officials.

In response, Microsoft revoked all valid MSA signing keys to prevent access via any other compromised keys, and states that it has not identified any evidence of unauthorised access to customer accounts using the same token forgery technique.
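The Storm-0558 case above turns on one fact: whoever holds a token signing key can mint tokens the verifier accepts, so the decisive mitigation is revoking the key rather than hunting individual forged tokens. The following is an added example, not Microsoft's code and not a description of how MSA keys or tokens are actually structured: a toy token verifier with key ids, using HMAC-SHA256 as a stand-in for the asymmetric keys a real issuer uses. It shows a token signed with a leaked key being accepted, then rejected once the key is revoked from the verifier's key ring, while a token under the replacement key still verifies. All key ids, secrets, subjects and expiry values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """Verifier-side view of signing keys: which key ids are current and
    which have been revoked. Constructed for this example."""

    def __init__(self):
        self.keys = {}          # kid -> secret
        self.revoked = set()    # kids that must never verify again

    def add(self, kid: str, secret: bytes) -> None:
        self.keys[kid] = secret

    def revoke(self, kid: str) -> None:
        self.revoked.add(kid)
        self.keys.pop(kid, None)


def sign_token(kid: str, secret: bytes, claims: dict) -> str:
    """Mint a compact token: header.payload.signature (HS256 stand-in)."""
    header = {"alg": "HS256", "kid": kid}
    signing_input = (
        f"{b64url(json.dumps(header).encode())}."
        f"{b64url(json.dumps(claims).encode())}"
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def verify_token(token: str, ring: KeyRing, now=None):
    """Return (True, subject) or (False, reason).

    The key id is looked up in the ring first: a revoked or unknown kid is
    rejected before the signature is checked, so a token minted with a key
    that has since been revoked never verifies no matter how valid it looks.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:              # bad base64, bad JSON, wrong segment count
        return (False, "malformed")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return (False, "malformed")
    kid = header.get("kid")
    if kid in ring.revoked:
        return (False, "revoked key")
    secret = ring.keys.get(kid)
    if secret is None:
        return (False, "unknown key")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return (False, "bad signature")
    current = now if now is not None else time.time()
    if claims.get("exp", 0) < current:  # tokens without exp are rejected too
        return (False, "expired")
    return (True, claims.get("sub"))


FAR_FUTURE = 4102444800  # 2100-01-01, constructed expiry so the demo stays valid


def forged_token_before_and_after_revocation():
    """Walk through the scenario: leaked key, forged token, key revocation."""
    ring = KeyRing()
    leaked = b"constructed-secret-that-leaked"   # stands in for the exposed key
    ring.add("key-2016", leaked)
    # Anyone holding the leaked key can mint a token the verifier accepts.
    forged = sign_token("key-2016", leaked, {"sub": "official@example.gov", "exp": FAR_FUTURE})
    before = verify_token(forged, ring)
    # Mitigation: revoke the exposed key and roll to a fresh one.
    ring.revoke("key-2016")
    ring.add("key-2023", b"constructed-replacement-secret")
    after = verify_token(forged, ring)
    return before, after


if __name__ == "__main__":
    print(forged_token_before_and_after_revocation())
```

The point the walk-through makes is that the forged token is byte-for-byte unchanged between the two checks; only the verifier's knowledge of which keys are trusted changed. That is why a verifier must consult the issuer's current key set (and its revocations) at verification time rather than trusting a long-cached copy.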


Image Rawpixel / Freepik.