This Week in Cyber 17th November 2022

New Data Wiping Campaign Discovered in Ukraine

Ukraine's Computer Emergency Response Team (CERT) have disclosed a new attack campaign thought to be Russian threat actors, that compromises victims VPN accounts and encrypts network resources. The attack is started via a phishing email that tricks the user into downloading an 'Advanced IP Scanner' that contains Vidar malware which is generally considered to be of Russian origin. Vidar is an updated version of the Arkei malware and is typically used to exfiltrate data and steal cryptocurrency from its victims. In this case, it can also steal Telegram session data which it used to access user accounts via VPN connection as they are not protected with 2-factor authentication (2FA). This then allowed unauthorised access to the corporate network. Ukrainian authorities are uncertain how long this has been going for, but they suspect is has been since Spring 2022. The goal of the threat actors is not to leak data or hold companies to ransom but attempt to destroy the victim environments.

Oxeye Research Team Discover Critical Remote Code Execution Flaw in Spotify Backstage

A critical sandbox escape vulnerability within the hugely popular vm2, has been discovered in Spotify's open-source, Cloud Native Computing Foundation (CNCF) project, Backstage. This critical vulnerability, with a CVSS score of 9.8, allows for a VM escape attack to be exploited, in many cases without authentication. Taking advantage of the 'Sandbreak' exploit that came to light recently (CVE-2022-36067), this would allow threat actors to leave the virtual environment containing the instance of the Backstage software, and remotely execute code on the victim system itself. Oxeye have reported this via Spotify's bug bounty program, in which the Backstage team replied by rapidly releasing version 1.5.1 to mitigate it. The vulnerability occurred in the software templates tool which is used to create components within Backstage and Oxeye were able to identify more than 500 publicly exposed instances, which could all be at risk. It’s very important to update Backstage to at least 1.5.1 as soon as possible, to avoid the threat.

Hundreds Of Amazon RDS Instances Have Been Found Leaking Users’ Personal Data

‘Mitiga’, a cloud incident response company, have found hundreds of Relationable Database Service (RDS) instances are exposing personal data. Some of the personal information included are names, email addresses, phone numbers, dates of birth and company logins. The vulnerability is due to public RDS snapshots which can be accessed by any AWS user which makes this vulnerability extremely simple to exploit. Amazon have warned in the documentation not to expose any personal information with their public RDS snapshot feature however many instances have overlooked this caution and unknowingly exposed personal data. This data can be sold or used to start an attack with company logins which can bypass many security features that the organisation has implemented.  

Google Fined $391 Million For Secretly Tracking Users’ Location

In 2018 a report was released from the Associated Press which revealed Google were continuing to track users’ locations after the user believed they had turned off tracking. This was prevalent on both Android and IOS, meaning that most smartphone users were being geo-tracked without their knowledge. Google benefits from users’ location because it can be an incredibly valuable data point to sell to advertisers. This is because it shows patterns and routines which advertisers can exploit. Google have responded and claim to implement more changes to make it more transparent which data points they will record and which ones users can opt out of. However, Google have multiple other geo-tracking cases coming up in other states such as Washington DC, Indiana and Texas which could all produce a similar amount in fines.