Weekly Cyber Reports

This Week in Cyber 17th February 2023

Latest news & views from our Cyber Analysts

Written by

Team Nucleus

Written on

17th February, 2023


Cloudflare Mitigate Record-Breaking DDoS Attack

A record-breaking HTTP based DDoS (Distributed Denial of Service) attack has been mitigated by CloudFlare which peaked at 71,000,000 requests per second. The attack originated from a botnet comprising over 30,000 IP addresses spread across several cloud providers, Cloudflare reports. The websites targeted included Gaming Providers, CrytoCurrency Exchanges along with Hosting & Cloud Computing providers. The aim of such an attack is to exhaust resources of the servers running the websites, making them inaccessible. The size, sophistication, and frequency of DDoS attacks are on the rise and the company has reported that there has been a 79% spike in HTTP DDoS attacks during 2022 Q4.

Ion Markets Targeted by Ransomware Group Lockbit

Ion Markets, a crucial financial data group that plays a vital role in the infrastructure supporting the derivatives trading industry, has fallen victim to the cybercrime group Lockbit. The company has reported that the attack has impacted 42 clients, causing significant disruption in its cleared derivatives division. According to reports, some clients have been unable to reach Ion via phone since Tuesday, and some have even gone to the company's St Pauls office for further information. In a statement on its website, Ion stated that "the incident is contained to a specific environment, all affected servers have been disconnected, and we are actively working on restoring services." The attack has also affected other trade processing systems, causing some companies to resort to manual processing. Lockbit has been particularly active lately, taking responsibility for the attack on Royal Mail last month, which resulted in the suspension of international postal deliveries. The group is believed to have used their signature ransomware, which encrypts files and issues a ransom demand, usually requesting payment in cryptocurrency before providing the decryption key.

Researchers Hijack Popular NPM Package to Expose Supply Chain Security Flaws

A popular npm package with 3.5 million weekly downloads was found vulnerable to an account takeover attack. By recovering an expired domain name and resetting the password, a threat actor could access the package's associated GitHub account, publish trojanized versions to the npm registry, and conduct supply chain attacks. The attack exploited a GitHub Action to bypass two-factor authentication. The maintainer has since secured the account. This highlights the need for secure developer accounts and supply chain security. Strong authentication, regular reviews, and code assessments are vital. It's also essential to use trusted packages and keep software updated to prevent cyber threats.

CISA Release Decryptor Tool for ESXIArgs Ransomware Victims

Last week, we reported on the well-publicised Ransomware campaign targeting internet facing VMWare ESXi servers using a 2-year-old vulnerability (CVE-2021-21974). This week, the US Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor tool (available here) allowing victims to recover their data. This has led to a new variant of the ransomware being circulated which has several changes which make the recovery process more complex.

Microsoft’s February Patch Tuesday Addresses 75 Vulnerabilities

On Tuesday, Microsoft released security updates to address 75 vulnerabilities – 3 of which are being actively exploited. Out of the 75, 9 are rated Critical and 66 rated Important. 37 of them are Remote Code Execution (RCE) vulnerabilities. The 3 which are being actively exploited are CVE-2023-21715 (CVSS score: 7.3), CVE-2023-21823 (CVSS score: 7.8) and CVE-2023-23376 (CVSS score: 7.8).

For more information, see the Microsoft Security Update website here

The Sidewinder Group Linked to Dozens of Targeted Attacks On Multiple Countries

The SideWinder group is believed to be a nation-state actor from India that has attempted attacks against 61 entities in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka between June and November 2021. The group targeted government, military, law enforcement, banks, and other organizations using spear-phishing emails and a variety of malware tools. Group-IB, a cybersecurity firm, also found links between SideWinder and two other intrusion sets tracked as Baby Elephant and DoNot Team. The group has been linked to over 1,000 attacks against government organizations in the Asia-Pacific region since April 2020. The ability of the threat actor to continuously refine its toolset based on its evolving priorities makes it a particularly dangerous actor operating in the espionage area.


Recommended Posts

Subscribe to Nucleus blog updates.

Subscribe to our newsletter and stay updated.

Subscribe to Nucleus