Weekly Cyber Reports

This Week in Cyber 15th September 2023

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

14th September, 2023


Greater Manchester Police Officers' Personal Details Compromised in Cyber Attack

The Greater Manchester Police (GMP) has experienced a cyber attack resulting in the compromise of personal details of police officers. The incident occurred after a company in Stockport, responsible for producing ID cards, was targeted in a cyber attack. The firm held information on various UK organisations, including details of some GMP employees. Thousands of police officers' names are now at risk of being exposed to the public.

Although the GMP has confirmed awareness of the ransomware attack, it is not believed to involve financial data. The incident is being treated with utmost seriousness, with a national criminal investigation led by the National Crime Agency. GMP staff, especially undercover officers, are particularly concerned about the breach's implications. This incident follows a similar data breach in the Police Service of Northern Ireland and a security breach involving a Metropolitan Police supplier. Cybersecurity experts have emphasised the need for companies facing ransom demands to investigate rather than pay up.

Critical Security Flaws in Kubernetes Enable Remote Code Execution on Windows Endpoints

Three high-severity security flaws (CVE-2023-3676, CVE-2023-3893, and CVE-2023-3955) were discovered in Kubernetes, impacting Windows nodes in Kubernetes clusters. Attackers could exploit these flaws to achieve remote code execution with elevated privileges.

Amazon Web Services (AWS), Google Cloud, and Microsoft Azure released advisories for affected Kubelet versions. The affected versions are kubelet < v1.28.1, kubelet < v1.27.5, kubelet < v1.26.8, kubelet < v1.25.13, and kubelet < v1.24.17. The vulnerabilities result from input sanitisation issues, allowing attackers to inject and execute arbitrary code. These flaws were responsibly disclosed by Akamai in July 2023 and patched on August 23, 2023.
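As an added example (not part of the original report), the check below flags Windows nodes whose kubelet predates the patched release for its minor branch, using the fixed versions listed above. The node records mirror the fields returned by `kubectl get nodes -o json`; the sample inventory is constructed, and the handling of minors outside v1.24 to v1.28 is an assumption noted in the code.

```python
import re

# Patched kubelet versions per minor branch, taken from the advisory summary.
PATCHED_KUBELET = {(1, 28): 1, (1, 27): 5, (1, 26): 8, (1, 25): 13, (1, 24): 17}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str) -> tuple:
    """Parse 'v1.27.4' or '1.27.4-eks-abc' into (major, minor, patch)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised kubelet version: {version!r}")
    return tuple(int(x) for x in m.groups())


def kubelet_is_vulnerable(version: str) -> bool:
    """True if this kubelet version is older than the fix for its minor branch.
    Assumption (not from the page): minors older than v1.24 have no listed fix
    and are flagged; minors newer than v1.28 are treated as fixed."""
    major, minor, patch = parse_version(version)
    if (major, minor) > (1, 28):
        return False
    fixed_patch = PATCHED_KUBELET.get((major, minor))
    if fixed_patch is None:
        return True  # out-of-support branch with no listed patch
    return patch < fixed_patch


def vulnerable_windows_nodes(nodes: list) -> list:
    """Return names of Windows nodes running an unpatched kubelet.
    Linux nodes are skipped because these three CVEs affect Windows nodes only."""
    hits = []
    for node in nodes:
        info = node["status"]["nodeInfo"]
        if info["operatingSystem"].lower() != "windows":
            continue
        if kubelet_is_vulnerable(info["kubeletVersion"]):
            hits.append(node["metadata"]["name"])
    return hits


# Constructed sample inventory in the shape of `kubectl get nodes -o json`.
SAMPLE_NODES = [
    {"metadata": {"name": "win-a"}, "status": {"nodeInfo": {"operatingSystem": "windows", "kubeletVersion": "v1.27.4"}}},
    {"metadata": {"name": "win-b"}, "status": {"nodeInfo": {"operatingSystem": "windows", "kubeletVersion": "v1.28.1"}}},
    {"metadata": {"name": "linux-a"}, "status": {"nodeInfo": {"operatingSystem": "linux", "kubeletVersion": "v1.25.0"}}},
]

if __name__ == "__main__":
    print(vulnerable_windows_nodes(SAMPLE_NODES))  # ['win-a']
```

On a live cluster, feed the `items` list of `kubectl get nodes -o json` to `vulnerable_windows_nodes` instead of the sample.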

Microsoft Alerts of New Phishing Campaign Exploiting Microsoft Teams for Corporate Intrusion

Microsoft has issued a warning regarding a recently discovered phishing campaign known as Storm-0324, also identified as TA543 and Sagrid. This campaign, which began in July 2023, marks a shift from traditional email-based attack vectors to using Microsoft Teams messages as lures to infiltrate corporate networks.

Storm-0324 operates as a payload distributor, enabling the deployment of various payloads, including downloaders, banking trojans, ransomware, and modular toolkits such as Nymaim, Gozi, and TrickBot. The phishing lures sent via Teams contain malicious links leading to SharePoint-hosted ZIP files. The technique uses an open-source tool called TeamsPhisher to attach files to messages sent to external tenants, exploiting a weakness first highlighted by JUMPSEC in June 2023. Microsoft has implemented security enhancements to block this threat and suspended accounts associated with fraudulent behaviour. Identifying and remediating Storm-0324 activity is crucial to prevent follow-on attacks, including ransomware.

Critical GitHub Vulnerability Puts 4,000+ Repositories at Risk of Repojacking Attacks

A new GitHub vulnerability recently discovered by Checkmarx could have potentially exposed over 4,000 code packages in languages like Go, PHP, and Swift to repojacking attacks. Repojacking, short for repository hijacking, is a technique where threat actors can bypass security mechanisms and take control of repositories. In this case, the vulnerability allowed attackers to exploit a race condition during GitHub's repository creation and username renaming operations.

The security flaw has significant implications for the open-source community, potentially leading to software supply chain attacks. The safeguard in place to prevent such attacks, called "popular repository namespace retirement," proved insufficient in preventing repojacking when this vulnerability was exploited. GitHub has since addressed the issue after responsible disclosure. However, this discovery underscores the ongoing risks associated with popular repository namespace retirement mechanisms and the need for robust security measures in code hosting platforms.

Critical Chrome Vulnerability Patched by Google

Google has taken swift action to address a critical security flaw in its Chrome web browser, tracked as CVE-2023-4863, which has already been exploited in the wild. The vulnerability, a heap buffer overflow in the WebP image format handling, can lead to arbitrary code execution or a browser crash. Discovery and reporting of the flaw, on September 6, 2023, were credited to Apple Security Engineering and Architecture (SEAR) and the Citizen Lab at The University of Toronto's Munk School.

While specific details of the exploit remain undisclosed, Google has confirmed that an exploit exists in the wild. This patch marks the fourth zero-day vulnerability addressed by Google in Chrome this year. Users are strongly advised to update Chrome to version 116.0.5845.187/.188 for Windows and 116.0.5845.187 for macOS and Linux. Users of Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should also watch for their vendors' fixes, since they share the same WebP code.
