This Week in Cyber 11th August 2023

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

10th August, 2023


Patchwork Hacking Group Expands Targeting Universities and Organizations

The hacking group Patchwork has been detected in a recent campaign targeting educational institutions and research organizations using a backdoor tool called EyeShell. Also known as Operation Hangover and Zinc Emerson, Patchwork has links to other cyber-espionage groups and is suspected to operate on behalf of specific countries. With a history dating back to 2015, Patchwork employs customized implants like BADNEWS to conduct focused attacks, often involving spear-phishing and watering hole tactics. Notably, Meta's disclosure revealed the takedown of rogue accounts on social media platforms used by Patchwork to exploit victims in various regions. The EyeShell backdoor, utilized alongside BADNEWS, serves as a modular .NET-based tool facilitating communication with remote servers for executing commands, file operations, and more. The group's activities emphasize the persistent threat to academic institutions and underline the evolving landscape of cybersecurity challenges.


New High-Severity Vulnerability Discovered in PaperCut Print Management Software

Researchers have recently identified a significant security flaw in PaperCut print management software for Windows, capable of enabling remote code execution in specific scenarios. Tracked as CVE-2023-39143, this high-severity vulnerability affects versions of PaperCut NG/MF before 22.1.3. It combines aspects of both path traversal and file upload vulnerabilities. Cybersecurity experts at Horizon3.ai explain that the flaw can allow unauthenticated attackers to potentially manipulate files on the PaperCut MF/NG application server, leading to remote code execution in certain configurations. Notably, this vulnerability becomes more concerning when the external device integration setting is enabled, and that setting is active by default in some PaperCut installations. In April, the same product faced a remote code execution vulnerability (CVE-2023-27350) and an information disclosure flaw (CVE-2023-27351), both exploited by threat actors to deliver malicious payloads. This latest discovery underscores the evolving complexity of cybersecurity threats, reflecting the need for vigilant software security practices.


Customized Yashma Ransomware Targets Multiple Countries

An unidentified threat actor has launched a widespread ransomware campaign that targets several nations, including Bulgaria, China, and Vietnam. Since its initiation around June 4, 2023, the attack has utilized a Yashma ransomware variant, which imitates certain attributes reminiscent of the infamous WannaCry ransomware. This actor employs a distinct approach, downloading the ransom note from an actor-controlled GitHub repository using an embedded batch file. The choice of GitHub repository names and the languages used within the ransom notes suggests a specific focus on certain geographic areas. By mimicking WannaCry's ransom note structure, the attacker further complicates attribution efforts.


UK's Elections Watchdog Discloses Cyber Attack Incident

The United Kingdom's elections oversight body recently revealed that it fell victim to a sophisticated cyber attack. The Electoral Commission disclosed that unidentified malicious actors managed to breach its systems, gaining unauthorized access to copies of electoral registers dated from August 2021. This attack, encompassing emails and control systems, went undetected until October of the following year. Although the breach exposed names and addresses of individuals who registered to vote in the UK between 2014 and 2022, it is reassuring to note that data of individuals who opted for anonymity or registered with enhanced privacy measures remained untouched. The commission has alerted the public to be vigilant against potential unauthorized use of their personal data and has reinforced its cybersecurity measures to thwart future attacks. The Information Commissioner's Office is currently engaged in a thorough investigation into the incident.

