Cyber Security Briefing, 26 August - 1 September

September 1, 2023

New variants of LockBit ransomware

Kaspersky researchers have published an article reporting the appearance of new strains of LockBit ransomware. The experts point out that since September 2022, when the LockBit builder was leaked online, anyone has been able to create a customised version of the ransomware. Kaspersky says that, of the 396 samples identified, 312 artefacts are associated with variants derived from the leak.

Among these new versions, one incident has been detected in which the ransom note procedure has changed. This note uses the name of a group called National Hazard Agency as its headline (joining other groups that use variants called Bl00dy and Buhti), states the amount to be paid directly, and directs communications to a Tox service and an email address. This contrasts with the LockBit group itself, which did not mention the amount and handled communication on its own platform.

In conclusion, Kaspersky indicates that, of the samples analysed, 77 did not carry the LockBit name in the note.


Vulnerability in Intel CPUs affects Windows systems

Microsoft has published an article warning of a new attack exploiting the Downfall vulnerability on Windows devices. The vulnerability, identified as CVE-2022-40982 with a CVSS score of 6.5, affects several generations of Intel processors and all versions of Windows 10, Windows 11, and Windows Server 2019 and 2022.

It is a flaw that, if successfully exploited, would allow an authenticated user with local access to obtain information they should not see: it could be used to infer data belonging to other security domains on the affected CPU, such as the kernel, other processes, virtual machines, and trusted execution environments. The vulnerability has been mitigated with the Intel Platform Update 23.3 microcode update.


Malicious campaign attacking Citrix NetScaler assets

The Sophos research team has posted on its Twitter profile reporting malicious campaign activity exploiting a vulnerability in Citrix NetScaler. The security flaw in question is CVE-2023-3519, which, according to the experts, a threat actor probably attributable to FIN8 has been exploiting since August, allowing it to perform payload injections, deploy obfuscated PowerShell scripts and place PHP webshells on victims' systems.

Sophos also pointed out to BleepingComputer that, given the possible attribution to FIN8, the campaign's ultimate aim could be to infect its victims with the BlackCat ransomware. It should also be noted that CVE-2023-3519 has been patched since July, but it is estimated that in August more than 31,000 vulnerable assets were still exposed.


High criticality vulnerability patched in Google Chrome

Google has patched a high-criticality vulnerability affecting Chrome in its new security update, version 116.0.5845.140 for Mac and Linux and 116.0.5845.140/.141 for Windows, which will be released in the coming days. The vulnerability, registered as CVE-2023-4572, is a use-after-free bug in MediaStream.

An attacker could exploit this bug to manipulate the affected object if MediaStream does not clear its pointer to a memory location after that memory has been freed. In addition, Google has announced that updates patching high-impact security vulnerabilities will now be released weekly instead of every four weeks, in order to deploy security fixes faster.

With this, the company also intends for the weekly updates to help address the patching gap in Chrome's release cycle.


Analysis of the new SapphireStealer variants

SapphireStealer is a .NET stealer malware focused on harvesting credentials from browser databases, whose code was first published on GitHub in December 2022. However, Cisco Talos researchers report that new versions began to appear in early 2023, and multiple variants of this malware are currently being used by various threat actors.

While SapphireStealer can steal sensitive information from infected devices, including screenshots, browser credentials and host information, the new variants also appear to focus on enhanced data exfiltration. Finally, it should be noted that this stealer has also been used in conjunction with another malware, FUD-Loader, in multi-stage infections.
