Weekly Cyber Reports

This Week in Cyber 18th August 2023

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

17th August, 2023


Researchers Identify Vulnerabilities in PowerShell Gallery Facilitating Supply Chain Attacks

The PowerShell Gallery, a Microsoft-maintained repository for sharing and acquiring PowerShell code, contains vulnerabilities that could be exploited by malicious actors to execute supply chain attacks, according to Aqua security researchers. These flaws facilitate typosquatting attacks within the repository, making it difficult for users to verify package ownership. The vulnerabilities arise from the registry's loose policy on package names and lack of safeguards against typosquatting. This allows threat actors to upload seemingly legitimate but malicious PowerShell modules.

Another issue involves the manipulation of module metadata, allowing attackers to spoof the metadata -- including Author(s), Copyright, and Description fields, deceiving users into installing harmful packages. Users must check the 'Package Details' tab to identify authentic authors, but attackers can easily fabricate author profiles, so users must be aware of these potential threats.

Additionally, a third vulnerability enables attackers to list hidden package names and versions by exploiting the PowerShell API. By using a specific URL, attackers can gain unrestricted access to the complete package database. The unrestricted access grants malicious actors the capability to scour unlisted packages for potential sensitive information. As a result, any unlisted package containing confidential data becomes extremely vulnerable to being compromised. Reportedly, Microsoft has implemented responsive solutions since March 7, 2023. Nevertheless, the issues persist and can still be reproduced.

Cybersecurity Insights from the Recent Electoral Commission Breach

The breach of the Electoral Commission's systems has raised significant cybersecurity concerns. 


The UK electoral commission had been running Microsoft Exchange Server with the Outlook Web App (OWA) accessible via the internet with exposed vulnerabilities. Despite the Commission's diligent application of security updates for Exchange Server 2016 until August 2022, a critical zero day vulnerability named ProxyNotShell emerged in September 2022. 


ProxyNotShell would allow remote code execution on the compromised system. This is especially impactful on a Microsoft Exchange server due to the server running with high privilege active directory accounts by default which could lead to complete compromise of the targets network.


Although security mitigations were provided by Microsoft in the meantime, a security patch wasn't issued by Microsoft until November 2022, resulting in substantial security breaches. 


This occurrence highlights the need for Microsoft to ship critical security patches for Microsoft Exchange Server faster and that although temporary mitigations are good they cannot be relied on for longer durations especially for frequently attacked systems.

BlackBerry Global Threat Intelligence Report Reveals Escalating Cyberattacks on Critical Sector

BlackBerry reports a significant surge in attacks against public service and government entities, increasing by 40% since March. Notably, the targets of these attacks have been public institutions considered 'vulnerable,' partly due to limited resources and evolving cybersecurity defense strategies. Operated by both nation-state actors and criminal elements, these attacks aim to cripple or ransom critical sectors of day-to-day life.

Remote access vulnerabilities are continuously exploited to gain entry to sectors, including finance and healthcare. BlackBerry's report also highlights the considerable strides and improvements made by cybersecurity companies internationally, reporting that 1.5 million attacks were prevented within the 90-day period.

Addressing the Rising Threat of Credential Theft: Insights from Verizon's 2023 Data Breach Investigations Report

In the ever-evolving cybersecurity landscape, the specter of credential theft continues to haunt IT teams as a potent threat. The 2023 Verizon Data Breach Investigations Report (DBIR) brings this concern to the forefront, unveiling that a substantial 83% of breaches involve external actors, most of them driven by financial motives.

Of these external breaches, a staggering 49% are executed through stolen credentials. As the report delves deeper, it becomes evident that users, often the weakest link, bear the brunt of successful cyberattacks. Threat actors deploy a myriad of techniques, including sophisticated fake login pages, falsified invoices, and redirected email exchanges, exploiting users' vulnerabilities for access to critical data.

The DBIR underscores that 74% of breaches involve a human element, encompassing human error, privilege misuse, social engineering, or stolen credentials. A notable revelation is that 50% of social engineering attacks employ 'pretexting,' manipulating users into revealing credentials or performing actions that benefit attackers.

This emphasizes the adversaries' grasp of users' vulnerability and their persistent reliance on social engineering tactics. The report also underscores that even well-funded organizations aren't immune to these threats, exemplified by Norton Lifelock Password Manager's case study, which highlights the lengths attackers go to acquire passwords. Norton's experience demonstrates that despite robust security measures, stolen credentials remain a potent tool in attackers' arsenals. As Verizon's findings illustrate, almost half of last year's breaches stemmed from stolen credentials, available in the burgeoning online black markets that cater to non-technical attackers

Raccoon Stealer: Resurgence of an Infostealer Threat

Raccoon Stealer, introduced as a 'Malware-as-a-Service' (MaaS) threat in 2019, is an information stealer designed to pilfer victim credentials and cryptocurrency wallet data. Although it lacks sophisticated evasion techniques, Raccoon's popularity has endured due to its straightforward yet effective data theft capabilities.

Originally spread through malicious email attachments and exploit kits, it now finds distribution channels in file-sharing sites hosting infringing content. Its recent resurgence, following a hiatus triggered by an operator's arrest, highlights its adaptability. The stealer encompasses a broad array of targets including popular browsers like Chrome, Firefox, and Edge, as well as cryptocurrency wallets such as Electrum, Exodus, and Ethereum. Raccoon's control panel, hosted on Tor, empowers subscribers to manage campaigns, build payloads, and oversee stolen data. Its dynamic adaptation of command and control server addresses using encrypted strings from Telegram URL shortening services showcases its agility.


Recommended Posts

Subscribe to Nucleus blog updates.

Subscribe to our newsletter and stay updated.

Subscribe to Nucleus