Cyber Security Briefing, 21 - 27 October

October 27, 2023

Critical Vulnerability in Citrix NetScaler ADC and Gateway

Citrix recently issued an advisory on the critical vulnerability CVE-2023-4966 (CVSS 9.4) affecting NetScaler ADC and NetScaler Gateway devices. Although Citrix had patched the vulnerability on 10 October, security firm Mandiant found that threat actors had been exploiting it since August 2023.

This vulnerability allows attackers to steal authentication sessions and hijack accounts. Sessions that were already compromised persist even after patching, facilitating lateral movement across the network. Citrix therefore recommends installing the patch immediately and then terminating all active and persistent sessions using the specific commands given in its advisory. CISA has added this vulnerability to its catalogue of known exploited vulnerabilities and has ordered federal agencies to protect their systems by 8 November.

In addition, a team of Assetnote researchers has published a working exploit for the same vulnerability in the form of a Python script on GitHub. The exploit can be used to confirm whether a device is vulnerable and to obtain sensitive information by triggering a buffer overflow via the HTTP Host header.

ExelaStealer: new information-stealing malware

Fortinet FortiGuard Labs researcher James Slaughter recently observed and analyzed a newly identified information-stealing malware. The infostealer, called ExelaStealer, is written in Python with JavaScript support and can capture passwords, Discord tokens, credit card data, cookies, keystrokes, screenshots and clipboard contents on compromised Windows systems.

It is sold on underground forums and through a Telegram channel, with prices ranging from $20 per month to $120 for a lifetime license. Its low price makes it an attractive tool for novice threat actors, as it significantly lowers the barrier to entry for carrying out attacks. The malware is distributed as an executable disguised as a PDF document.

The findings about ExelaStealer show that there is always room for new actors and campaigns aimed at extracting data from corporations and individuals, data that can then be used for blackmail, espionage or ransomware.

High severity vulnerabilities in Chrome and Firefox browsers

Mozilla and Google have released security patches this week to fix vulnerabilities in the Firefox and Chrome browsers. For Firefox, Mozilla released a patch that fixes 11 vulnerabilities, 3 of which are rated high severity, namely CVE-2023-5721, CVE-2023-5730 and CVE-2023-5731, which could lead to arbitrary code execution.

At the same time, Google fixed two vulnerabilities, including a high-severity issue registered as CVE-2023-5472, whose exploitation could allow an attacker to escape the browser environment and execute code on the underlying operating system, provided it is combined with other security flaws.

Both vendors recommend updating the browsers to fix the flaws above.

Octo Tempest threat actor analysis

Microsoft's research team has published an analysis of the threat actor named Octo Tempest, also known as 0ktapus, Scattered Spider and UNC3944. According to the researchers, this threat actor is believed to have started its activity in early 2022 with attacks on business process outsourcing and mobile telecommunications organizations, carrying out SIM-swapping operations.

Its operations later expanded to phishing campaigns based on social engineering and data theft, targeting companies in the gaming, hospitality, retail, technology and finance sectors. Microsoft also reports that Octo Tempest is allegedly affiliated with the operators of the ALPHV/BlackCat ransomware.

The researchers also point out that these actors are English-speaking, and the report lists tools used by Octo Tempest together with a series of recommendations to help identify this actor with security solutions.

New DarkGate malware distribution campaign via Teams

Malwarebytes has published a report identifying a malware campaign that used external Microsoft Teams messages to distribute the DarkGate Loader. First reported publicly in 2018, DarkGate is a Windows-based malware with a wide range of capabilities, including credential theft and remote access to victims' endpoints.

In this particular distribution campaign, the researchers note that the actors behind it used phishing via Microsoft Teams as their method, sending a ZIP file through that channel in the hope that the victim would fall for the lure and execute the file, thereby initiating the infection of the computer.
