Cyber Security Briefing, 25 November - 1 December
Xaro, a new variant of the DJVU ransomware
Cybereason researchers have discovered a ransomware variant known as Xaro, a strain of DJVU that is distributed as decrypted software. DJVU is itself a variant of STOP ransomware, which typically masquerades as legitimate services and applications and is delivered through an attack pattern in which the operators deploy additional malware, mainly stealers.
The ransomware appends the .xaro extension to the files it encrypts and demands a ransom for a decryptor. In the latest campaign observed by Cybereason, it was spread as a zipped archive masquerading as the legitimate CutePDF software. The archive actually installs the PrivateLoader malware, which contacts a C2 server and deploys multiple malware families, including RedLine Stealer, Vidar, Lumma Stealer, Amadey and SmokeLoader. The main objective is the collection and exfiltration of sensitive information for double extortion.
Multiple Critical Vulnerabilities Discovered in Zyxel NAS Devices
Zyxel has fixed several vulnerabilities, including three critical ones that could allow an unauthenticated attacker to execute operating system commands on vulnerable network-attached storage (NAS) devices. The vulnerabilities are tracked as CVE-2023-35137, CVE-2023-35138, CVE-2023-37927, CVE-2023-27928, CVE-2023-4473 and CVE-2023-4474.
Threat actors could exploit these vulnerabilities to gain unauthorized access, execute some operating system commands, obtain sensitive system information, or take complete control of affected Zyxel NAS devices.
Malicious Chrome extension targeting users in Latin America
Trend Micro researchers have discovered a malicious Google Chrome extension called ParaSiteSnatcher, which uses a modular framework with highly obfuscated components to abuse Chrome's APIs and perform malicious actions.
The extension is reportedly designed to target users in Latin America, particularly Brazil, and extracts sensitive information related to banks and payment services. It is delivered by a VBScript downloader, which exists in three variants with different levels of obfuscation and complexity, and it communicates with a C2 server to receive commands and send stolen data.
Once installed, ParaSiteSnatcher manipulates web sessions, monitors PIX transactions, steals cookies, harvests banking data, intercepts POST requests and tracks user interactions across multiple tabs.
It also establishes persistence and manipulates the browser's user interface. Trend Micro further warns that the extension may also work in other Chromium-based browsers and possibly in Firefox and Safari, and emphasizes the importance of being cautious when granting permissions to browser extensions.
General Electric and DARPA, victims of a security breach
General Electric (GE) and the Defense Advanced Research Projects Agency (DARPA) have recently been victims of a security breach.
The threat actor behind the attack, known as IntelBroker, has advertised on an underground forum the sale of a GE and DARPA database, including SSH and SVN login credentials, as well as military files and other sensitive and confidential documents.
According to Rosa Smothers, a former CIA cyber threat analyst, GE and DARPA have reportedly been collaborating on cutting-edge research initiatives in recent years, which could make them targets for cyberattacks. Investigation into the impact of the attack is ongoing.
Critical vulnerabilities in ownCloud
ownCloud, the open-source file-sharing solution, has issued a security advisory warning about three critical vulnerabilities.
The first of the flaws, tracked as CVE-2023-49103 (CVSSv3 10), could be exploited by malicious actors to expose administrator passwords and mail server credentials.
The second vulnerability (CVSSv3 9.8) could allow an attacker to access, modify, or delete any file without authentication if the victim's username is known and that user has no signing key configured.
The last security flaw (CVSSv3 9.0) allows an attacker to pass a specially crafted redirect URL that bypasses the validation code. Given the criticality of these vulnerabilities, it is recommended to apply the corresponding updates immediately.