Cyber Security Briefing, 13 - 19 April
Earth Hundun cyber-espionage group develops new malware
The malicious actor Earth Hundun has developed a new version of the Waterbear malware that has been dubbed Deuterbear. According to an analysis post by Trend Micro, the Earth Hundun cyber-espionage group has been updating the Waterbear backdoor since 2009 and has used it in attacks against technology and government entities in Asia-Pacific. Waterbear can use techniques to avoid detection by security solutions, as well as to download and deploy a Remote Access Trojan (RAT).
Deuterbear, however, has been classified as a separate family rather than a Waterbear variant, because its configuration structure and decryption flow differ. The researchers also note that Deuterbear encrypts its network traffic with HTTPS and adds new capabilities, including sandbox checks and modified decryption routines.
https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html
Oracle issues 441 patches to address multiple vulnerabilities in several of its products
Oracle recently released its April Critical Patch Update advisory. It contains a total of 441 new security patches addressing around 372 vulnerabilities across several of its products, more than 200 of which could be exploited by unauthenticated remote attackers. The advisory lists more than 30 vulnerabilities rated critical by the vendor, with a CVSSv3 score of 9.8 or higher.
These include CVE-2024-21234, CVE-2024-21235 and CVE-2024-21236, which allow remote code execution in different Oracle components. In addition, patches were issued for a significant variety of products, including Oracle Communications, which received the highest number of security updates, MySQL, Fusion Middleware and Java SE, among others.
For its part, Oracle strongly recommends that security patches be applied as soon as possible to prevent successful attacks, as some customers have been compromised due to the lack of patches being applied.
https://www.oracle.com/security-alerts/cpuapr2024.html
Cisco Duo provider falls victim to security breach
The security team at Cisco Duo, a multi-factor authentication service, has issued a security advisory alerting users to a breach at its telecommunications provider. Specifically, Cisco Duo says the unnamed provider that handles the company's SMS and VoIP multi-factor authentication (MFA) messages was compromised.
The threat actor involved allegedly obtained employee credentials through a phishing attack and then used them to access the provider's systems, downloading SMS and VoIP MFA message logs associated with Duo accounts during March. The exfiltrated logs contained phone numbers, carriers, dates, location data and message metadata, among other things.
Cisco says it is still investigating the incident with its vendor and that, according to the vendor, the malicious actor did not access any of the message content or use its access to send messages to customers.
https://app.securitymsp.cisco.com/e/es?e=2785&eid=opguvrs&elq=bd1c1886a59e40c09915b029a74be94e
554 million Spanish cookies are already on the dark web
A recent study by NordVPN has found that more than 54 billion cookies are in circulation on the dark web, with Spain topping the European list at 554 million leaked cookies. Researchers examined a dataset of cookies and their dark web listings to determine how they were obtained, what information they contain, and the security and privacy risks they pose.
Cybercriminals acquire these millions of cookies primarily through malware such as information stealers, Trojans and keyloggers. Cookies act as digital keys to online sessions and personal data, so once exposed they become a valuable asset for cybercriminals.
This exposure can lead to the theft of personal and financial information, as well as identity theft and unauthorized transactions. Given these circumstances, an advisable first step is to periodically delete browser cookies.
https://nordvpn.com/es/research-lab/stolen-cookies-study/
Atlassian flaw being used to deploy Cerber ransomware
Unpatched Atlassian servers are being exploited by threat actors to deploy a Linux variant of the Cerber ransomware. Specifically, these attacks exploit vulnerability CVE-2023-22518 (CVSSv3 9.8) in Atlassian Confluence Data Center and Server, allowing attackers to reset Confluence and create an administrator account.
The campaign consists of three highly obfuscated C++ payloads, compiled as 64-bit ELF (Executable and Linkable Format) binaries and packed with UPX, which makes them difficult to detect. Once inside the system, the attackers install the Effluence web shell plugin to execute arbitrary commands and then unleash the Cerber ransomware. Cerber encrypts files, appends the .L0CK3D extension to them and leaves a ransom note. Although the note claims that data will be leaked, no such leak actually occurs.
Cado Security, which observed these attacks, says that Cerber is a relatively sophisticated, albeit old, ransomware payload. However, its use of the Confluence vulnerability lets it compromise many systems that are probably high-value.
https://www.cadosecurity.com/blog/cerber-ransomware-dissecting-the-three-heads
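As an added example (not code from the newsletter or from Cado Security), the following Python script walks a directory tree and reports two indicators taken from the write-up above: files carrying the .L0CK3D extension, and 64-bit ELF binaries that carry the UPX packer's "UPX!" magic string. It assumes a stock UPX build, which leaves that string in the packed file; a modified packer may strip it, so treat a miss as inconclusive. The sample directory tree it builds is constructed for the demonstration.

```python
import os
import tempfile

ELF_MAGIC = b"\x7fELF"
EI_CLASS_OFFSET = 4      # index of e_ident[EI_CLASS] in the ELF header
ELFCLASS64 = 2           # EI_CLASS value for 64-bit objects
UPX_MAGIC = b"UPX!"      # l_magic left by stock UPX (assumption: not stripped by a modified packer)
CERBER_EXT = ".L0CK3D"   # extension named in the Cerber write-up


def is_upx_packed_elf64(path):
    """Return True if the file is a 64-bit ELF whose head or tail contains the UPX magic."""
    try:
        size = os.path.getsize(path)
        with open(path, "rb") as f:
            head = f.read(4096)
            if size > 4096:
                f.seek(size - 4096)
            tail = f.read(4096)      # empty when the whole file fit in 'head'
    except OSError:
        return False
    if not head.startswith(ELF_MAGIC) or len(head) <= EI_CLASS_OFFSET:
        return False
    if head[EI_CLASS_OFFSET] != ELFCLASS64:
        return False                 # 32-bit ELF: outside this campaign's profile
    return UPX_MAGIC in head or UPX_MAGIC in tail


def scan_tree(root):
    """Walk 'root' and return sorted, slash-separated relative paths per indicator type."""
    encrypted, packed = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.endswith(CERBER_EXT):
                encrypted.append(rel)
            elif is_upx_packed_elf64(path):
                packed.append(rel)
    return {"encrypted": sorted(encrypted), "upx_elf64": sorted(packed)}


def fake_elf(elf_class, packed):
    """Constructed ELF-like bytes: 16-byte e_ident, zero padding, optional UPX magic."""
    ident = ELF_MAGIC + bytes([elf_class, 1, 1]) + b"\x00" * 9
    body = ident + b"\x00" * 240
    if packed:
        body += UPX_MAGIC + b"\x00" * 100
    return body


def build_sample_tree():
    """Create a constructed directory tree mixing benign files and indicators; return its path."""
    root = tempfile.mkdtemp(prefix="cerber_demo_")
    os.makedirs(os.path.join(root, "opt", "confluence"))
    samples = {
        "opt/confluence/report.docx.L0CK3D": b"ciphertext placeholder (constructed)",
        "opt/confluence/loader": fake_elf(ELFCLASS64, packed=True),   # flagged
        "opt/confluence/legacy32": fake_elf(1, packed=True),          # 32-bit: not flagged
        "opt/confluence/plain64": fake_elf(ELFCLASS64, packed=False), # no UPX magic: not flagged
        "opt/confluence/notes.txt": b"just text\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for kind, paths in scan_tree(demo_root).items():
        print(kind, paths)
```

Run it as-is to see the constructed tree scanned; point `scan_tree` at a real Confluence host's filesystem to triage it. Because the script reads only the first and last 4 KiB of each candidate, it stays cheap on large trees, but a positive hit on the UPX magic alone only tells you a binary is packed, not that it is malicious, so it should feed into further analysis rather than an automatic verdict.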
◾ This newsletter is one of the deliverables of our Operational and Strategic Intelligence service. If you are interested in knowing the rest of the Operational and Strategic Intelligence contents included in the service, please contact us →