Weekly Cyber Reports

This Week in Cyber 2nd June 2023

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

1st June, 2023


MOVEit - Zero-Day Vulnerability Actively Being Exploited

A critical flaw in Progress Software's MOVEit Transfer managed file transfer application is being actively exploited, allowing attackers to take over vulnerable systems. The flaw is a severe SQL injection vulnerability that enables unauthorized access to the database, which can result in escalated privileges and unauthorized access to the system. Progress Software, the Massachusetts-based company that owns Telerik, has released patches for the bug in several versions of MOVEit Transfer: 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1). As of May 31, 2023, approximately 2,500 instances of MOVEit Transfer were exposed on the internet, mainly in the U.S. The exploit deploys a web shell named "human2.aspx" to exfiltrate data and creates hidden admin user accounts to avoid detection. The U.S. CISA has issued an alert urging users to take mitigation steps and apply the available fixes.
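The one concrete indicator the report gives is the web shell filename "human2.aspx". The following added example (not from the original report, Progress Software or CISA) shows how a responder can sweep IIS access logs for requests to that filename. It parses the W3C extended log format IIS writes, using each "#Fields:" directive to name the columns, matches the filename case-insensitively, and tallies hits by client IP and HTTP status. The log lines are constructed for illustration and use documentation IP ranges; the field list is an assumed IIS configuration, since real servers may log a different column set.

```python
"""Sweep IIS W3C extended-format logs for requests to the reported MOVEit web shell name."""
from collections import Counter

# Filename reported in the MOVEit Transfer advisory; matching is case-insensitive below.
WEB_SHELL_NAME = "human2.aspx"

# Constructed sample log, not a real capture. IPs come from documentation ranges.
# IIS replaces spaces inside field values with '+', so splitting on whitespace is safe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-05-30 08:12:01 10.0.0.5 GET /index.html - 443 - 203.0.113.10 Mozilla/5.0 200
2023-05-30 08:12:44 10.0.0.5 POST /human2.aspx - 443 - 198.51.100.23 Mozilla/5.0 200
2023-05-30 08:13:02 10.0.0.5 GET /api/v1/files - 443 alice 203.0.113.10 Mozilla/5.0 200
2023-05-30 08:15:19 10.0.0.5 POST /Human2.aspx - 443 - 198.51.100.23 python-requests/2.28 200
2023-05-30 08:16:00 10.0.0.5 GET /human2.aspx - 443 - 192.0.2.77 curl/7.88 404
"""


def parse_iis_log(lines):
    """Yield one dict per data line, keyed by the most recent '#Fields:' directive."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...) carry no records
        if fields is None:
            continue  # data before any #Fields directive cannot be interpreted
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, values))


def find_web_shell_hits(lines):
    """Return records whose requested path's last segment equals the web shell name."""
    hits = []
    for rec in parse_iis_log(lines):
        stem = rec.get("cs-uri-stem", "")
        if stem.rsplit("/", 1)[-1].lower() == WEB_SHELL_NAME:
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per (client IP, status) so a responder sees who reached the file and whether it existed."""
    return Counter((h["c-ip"], h["sc-status"]) for h in hits)


if __name__ == "__main__":
    shell_hits = find_web_shell_hits(SAMPLE_LOG.splitlines())
    for (ip, status), count in sorted(summarize(shell_hits).items()):
        print(f"{ip} requested {WEB_SHELL_NAME} status={status} count={count}")
```

Run it against real logs by passing an open file object to find_web_shell_hits instead of the sample. A 200 response to the filename means the file existed and served the request at that time and is the finding to escalate; a 404 only shows that the name was requested while the file was absent.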


"Migraine": Bypassing macOS System Integrity Protection

The recent discovery of the "Migraine" vulnerability in macOS has raised significant concerns among the cybersecurity community. This vulnerability enables attackers with root access to bypass the highly regarded System Integrity Protection (SIP) mechanism, which serves as a crucial defense against malicious activities on Apple devices. By exploiting a specific entitlement called com.apple.rootless.install.heritable, threat actors can manipulate the child processes of systemmigrationd, thereby gaining arbitrary code execution and successfully evading SIP checks. The severity of this critical vulnerability (CVE-2023-32369) cannot be overstated, as it exposes the potential for widespread unauthorized access and control over macOS systems. The ability to bypass SIP, a fundamental security feature designed to safeguard critical components of the operating system, poses a significant threat to the integrity and confidentiality of user data. In response to the discovery, Apple swiftly released a security update to mitigate the risk posed by the "Migraine" exploit.


Capita hack - 90 organisations report data breaches to watchdog

Capita, a major outsourcing company, has experienced breaches of personal data belonging to around 90 organizations. A cyber-attack in March and the subsequent discovery of unsecured data online have put hundreds of thousands of individuals at risk. Capita claims to have taken steps to secure the data, but the Information Commissioner's Office (ICO) is currently investigating. Capita handles personal information for various public and private organizations, including pension schemes and councils. Capita is facing two separate issues: the cyber-attack earlier this year and the subsequent revelation of unsecured files online. Security researcher Kevin Beaumont believes the initial incident was a ransomware attack, and he alerted Capita to the second issue. The ICO is urging organizations to check if their data has been affected.


Exposure of Approximately 7 Million Devices Due to a Severe Firmware Vulnerability Found In Gigabyte Systems

Cybersecurity researchers have discovered backdoor-like behaviour in Gigabyte systems, in which the UEFI firmware drops a Windows executable that retrieves updates insecurely. Firmware security firm Eclypsium detected this anomaly in April 2023, and Gigabyte has addressed the issue. The embedded Windows executable runs during the Windows start-up process and downloads additional binaries using insecure methods. While the software appears to be a legitimate update application, it exposes around 364 Gigabyte system models and approximately 7 million devices to potential risks. Exploiting vulnerabilities in the firmware update mechanism could lead to stealthy UEFI rootkits that bypass security controls. Additionally, malware injected into the UEFI firmware can persist even after drive wipes and OS reinstalls. Organizations are advised to update firmware, disable certain features, and set BIOS passwords. Firmware updates, although often neglected, are crucial here, ironic as it is that the weakness lies in an update application.


People Are Being Paid To Solve CAPTCHAs For Cybercriminals

Cybersecurity researchers have identified CAPTCHA-breaking services being sold on the market, which bypass systems designed to distinguish human users from bots. These services employ actual human solvers to break CAPTCHAs instead of using advanced technology. CAPTCHAs are used to combat spam and prevent fake account creation. The illicit services work by delegating CAPTCHA-solving tasks to human solvers and providing the answers to customers in real time via API calls. This allows bot operators to develop automated tools that render CAPTCHAs ineffective in filtering out bot traffic. Threat actors have also combined CAPTCHA-breaking services with proxyware offerings to evade anti-bot measures. Proxyware turns devices into residential proxies, obscuring the originating IP address. To address these risks, online services are advised to supplement CAPTCHAs and IP blacklisting with other anti-abuse measures.

