Weekly Cyber Reports

This Week in Cyber 21st April 2023

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 21st April, 2023


NCSC CYBERUK Event – Belfast

CYBERUK is a UK government-led event, run by the NCSC, which brings thousands of industry leaders and professionals together every year. The theme for 2023 was ‘Securing an open and resilient digital future’, which examined the steps everyone must take now to ensure a safe cyberspace in ten years’ time. The event is well known for its wide-ranging topics, engaging speakers and high-level networking opportunities. The programme was focused on the training and protocols organisations must implement to ensure that the future of cyberspace is safe and secure for all users. The event ran from the 19th to the 20th of April in Belfast, and recordings of the talks will be published afterwards for those who could not attend.

Google Release Patch For High Severity Zero-Day Flaw

Google has released a patch for a zero-day flaw in the ‘Skia’ graphics library used by Chrome. The flaw, tracked as CVE-2023-2136, is an integer overflow that could allow a remote attacker who has already compromised the renderer process to escape the browser's sandbox and execute code on the affected system via a crafted HTML page; on its own it is a second-stage bug, which is why it is typically chained with a renderer exploit. Google has shipped an emergency update to address this flaw along with seven other security issues. The company has acknowledged that the vulnerability is being actively exploited but has withheld technical details until most users have updated, to avoid aiding further abuse. This is the second zero-day vulnerability in Google Chrome to be exploited in the wild this year, following CVE-2023-2033 in the V8 engine the previous week. To mitigate the threat, users should upgrade to the latest version of Chrome: 112.0.5615.137/138 for Windows, 112.0.5615.137 for macOS and 112.0.5615.165 for Linux. Note that Chrome only applies a downloaded update after a relaunch, so checking the version shown at chrome://settings/help (and relaunching if prompted) is the quickest way to confirm a machine is actually patched. Other Chromium-based browsers such as Edge, Brave and Opera also ship Skia and need their own vendor updates.

Qbot Banking Trojan Found To Be Hijacking Business E-mails To Spread Malware

Kaspersky researchers have uncovered a new QBot malware campaign that uses hijacked business correspondence to deceive unsuspecting victims into installing the malware. QBot (also known as Qakbot) is a banking trojan that has been active since at least 2007; it functions as a backdoor used to drop next-stage payloads such as Cobalt Strike or ransomware, and it steals passwords and cookies from web browsers. The malware reaches potential victims through malware already residing on their computers, social engineering and spam mailings. In this campaign the attackers use email thread hijacking: they reply to genuine, previously stolen conversations so that the message arrives inside an existing thread and appears to come from a familiar correspondent, with the goal of enticing victims into opening malicious links or attachments. Here the attachment is a PDF file masquerading as a Microsoft Office 365 or Microsoft Azure alert, and following it ultimately leads to the download of the malware.
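The thread-hijacking pattern described above leaves signals that a mail gateway or SOC triage script can check for: a reply whose sender domain never appeared anywhere in the thread it claims to continue, a display name borrowed from a quoted participant but attached to a different address, and a PDF attachment named like a Microsoft alert. The following is an added example of such a heuristic, not Kaspersky's or Nucleus's code; both messages in it are constructed for illustration and every address, domain and filename is made up.

```python
"""Heuristic triage for replies injected into hijacked email threads.

Added example, not Kaspersky's or Nucleus's code. The two messages below are
constructed for illustration; every address, domain and filename is made up.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

ADDR = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
LURE = re.compile(r"office\s*365|microsoft\s*365|azure|alert|notification", re.I)
QUOTED_FROM = re.compile(r"^>\s*From:\s*(.+)$", re.M)

# Constructed: a reply arriving in an existing thread from a domain that never
# took part in it, impersonating a real participant and carrying a PDF "alert".
HIJACKED = b"""\
From: "Dave Lister" <d.lister@example-mailer.biz>
To: alice@acme-corp.example
Subject: RE: Q2 invoice schedule
In-Reply-To: <a1b2c3@acme-corp.example>
References: <9f8e7d@acme-corp.example> <a1b2c3@acme-corp.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Hi Alice, see the attached Office 365 notification and confirm.

> From: Dave Lister <dave.lister@acme-corp.example>
> To: alice@acme-corp.example
> Subject: Q2 invoice schedule
> Alice, can we move the Q2 invoice run to Thursday?

--XYZ
Content-Type: application/pdf; name="Office365-Alert.pdf"
Content-Disposition: attachment; filename="Office365-Alert.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

# Constructed: an ordinary internal reply with no attachment.
BENIGN = b"""\
From: Dave Lister <dave.lister@acme-corp.example>
To: alice@acme-corp.example
Subject: RE: Q2 invoice schedule
In-Reply-To: <a1b2c3@acme-corp.example>
Content-Type: text/plain; charset="utf-8"

Thursday works for me.

> Alice, can we move the Q2 invoice run to Thursday?
"""


def domains(text: str) -> set:
    """Lower-cased domain parts of every address-like token in text."""
    return {d.lower() for d in ADDR.findall(text)}


def analyse(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    indicators = []
    is_reply = bool(msg.get("In-Reply-To") or msg.get("References"))
    sender_name, sender_addr = parseaddr(str(msg.get("From", "")))
    sender_dom = domains(sender_addr)

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    quoted = "\n".join(l for l in text.splitlines() if l.startswith(">"))

    # Domains that legitimately belong to the thread: recipients, the
    # Message-IDs being replied to, and anyone in the quoted history.
    thread_dom = domains(" ".join(str(msg.get(h, "")) for h in
                                  ("To", "Cc", "In-Reply-To", "References")) + " " + quoted)
    if is_reply and sender_dom and not sender_dom & thread_dom:
        indicators.append("sender_domain_absent_from_thread")

    # Same display name as a quoted participant, but a different address.
    for quoted_from in QUOTED_FROM.findall(quoted):
        q_name, q_addr = parseaddr(quoted_from)
        if q_name and q_name.casefold() == sender_name.casefold() \
                and q_addr.lower() != sender_addr.lower():
            indicators.append("impersonates_thread_participant")
            break

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".pdf") and LURE.search(name):
            indicators.append("pdf_attachment_named_like_a_microsoft_alert")

    verdict = "suspicious" if len(indicators) >= 2 else "ok"
    return {"verdict": verdict, "indicators": indicators}


if __name__ == "__main__":
    print(analyse(HIJACKED))
    print(analyse(BENIGN))
```

None of the three indicators is conclusive alone (legitimate correspondents change domains, and genuine alerts exist), which is why the verdict requires two of them; the threshold and the lure word list are tuning knobs, not fixed rules.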

APT28 Attacks on Cisco Routers

An ongoing campaign by the threat actor group known as APT28 has infiltrated Cisco routers belonging to small and medium-sized businesses, according to a joint advisory from the NCSC, CISA, the NSA and the FBI. The group exploited a known vulnerability in the SNMP subsystem of Cisco IOS and IOS XE software (CVE-2017-6742), which Cisco patched in 2017, after first gaining SNMP access through weak or default community strings; using this exploit they are able to run commands against the router's operating system and deploy malware (which the NCSC has named ‘Jaguar Tooth’) onto unpatched devices. Mitigation can be achieved by disabling remote management of the affected devices, limiting SNMP to known management hosts (ideally moving to SNMPv3 with authentication and encryption and removing default community strings such as ‘public’), and updating the routers, as current software closes the CVE-2017-6742 vulnerability. Due to the nature of this attack, UK-based organisations that are affected should contact the NCSC, whilst US-based organisations should contact CISA.
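The mitigations above translate into a handful of configuration checks that can be run against every router's running-config before the next patch window. The following is an added example of such an audit, not Cisco's, the NCSC's or Nucleus's code; the two IOS configurations it contains are constructed, with a weak one beside a hardened one, and the hostname, addresses and credential placeholders in them are made up. It assumes the input is configuration as an administrator would apply it (on a live device `snmp-server user` lines are not echoed by `show running-config`, so that line is a stand-in for the SNMPv3 user being present).

```python
"""Audit a Cisco IOS configuration for the weaknesses the APT28 advisory
turns on: SNMPv1/v2c communities (default strings, write access, no ACL),
no SNMPv3, and management reachable over HTTP or Telnet.

Added example, not Cisco's, NCSC's or Nucleus's code; both configurations
are constructed and every name, address and credential is a placeholder.
"""
import re

WELL_KNOWN_COMMUNITIES = {"public", "private", "cisco", "admin", "manager"}
# snmp-server community <string> [view <name>] [RO|RW] [<acl>]
COMMUNITY = re.compile(
    r"snmp-server community (\S+)(?:\s+view \S+)?(?:\s+(RO|RW))?(?:\s+(\S+))?$", re.I)

WEAK_CONFIG = """\
hostname branch-rtr
!
snmp-server community public RO
snmp-server community private RW
snmp-server location Branch office
!
ip http server
!
line vty 0 4
 transport input telnet ssh
 login local
!
"""

HARDENED_CONFIG = """\
hostname branch-rtr
!
ip access-list standard SNMP-MGMT
 permit 10.10.0.5
 deny   any log
!
snmp-server group NETMON v3 priv access SNMP-MGMT
snmp-server user monitor NETMON v3 auth sha AUTH-PLACEHOLDER priv aes 128 PRIV-PLACEHOLDER access SNMP-MGMT
!
no ip http server
no ip http secure-server
!
ip access-list standard MGMT
 permit 10.10.0.0 0.0.0.255
!
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
!
"""


def parse_blocks(config: str) -> list:
    """Group each top-level command with its indented sub-commands."""
    blocks = []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.strip(), []))
    return blocks


def audit(config: str) -> list:
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    blocks = parse_blocks(config)
    top = [head for head, _ in blocks]
    communities, has_v3_priv = [], False

    for head in top:
        m = COMMUNITY.match(head)
        if m:
            name, mode, acl = m.group(1), (m.group(2) or "RO").upper(), m.group(3)
            communities.append(name)
            if name.lower() in WELL_KNOWN_COMMUNITIES:
                findings.append(f"community '{name}' is a well-known default string")
            if mode == "RW":
                findings.append(f"community '{name}' grants SNMP write access")
            if not acl:
                findings.append(f"community '{name}' has no access-list limiting SNMP sources")
        elif re.match(r"snmp-server group \S+ v3 priv", head, re.I):
            has_v3_priv = True

    if communities and not has_v3_priv:
        findings.append("SNMPv1/v2c in use with no SNMPv3 authPriv group configured")
    for flag in ("ip http server", "ip http secure-server"):
        if flag in top:
            findings.append(f"web management enabled: '{flag}'")

    for head, children in blocks:
        if not head.startswith("line vty"):
            continue
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in children):
            findings.append(f"{head}: no inbound access-class restricting management sources")
        transports = [c.split()[2:] for c in children if c.startswith("transport input")]
        # A missing 'transport input' is treated as unrestricted (conservative assumption).
        if not transports or any(t in ("telnet", "all") for words in transports for t in words):
            findings.append(f"{head}: Telnet or unrestricted transport permitted")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

A clean result from this audit does not mean the device is patched; it only closes the SNMP and management exposure the attackers relied on. The software version still has to be checked against Cisco's fixed releases for CVE-2017-6742.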

Lazarus Group Modified Operation ‘Dream HSBC Job’ To Exploit Linux Users

The Lazarus Group has been identified as being behind a new Linux malware campaign within its long-running Operation Dream Job. The campaign uses fraudulent job offers to lure victims into downloading malware, and this is the first documented instance of the group using Linux malware in this way. The attack chain involves a fake HSBC job offer delivered as a ZIP archive, distributed via an OpenDrive cloud storage account, which contains a Linux backdoor named SimplexTea. The exact distribution method is not known, but it is believed to be either spear-phishing or direct messages on LinkedIn. The backdoor is similar to a Windows trojan previously attributed to the group. ESET, the cybersecurity firm that uncovered the campaign, also identified similarities between the artefacts used in the Dream Job campaign and those found in the recent supply chain attack on VoIP software developer 3CX.
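A ZIP archive that is supposed to hold a job offer but actually carries a Linux backdoor can be caught before anyone opens it by comparing what each member's name promises with what its first bytes are. The following is an added example of that check, not ESET's or Nucleus's code. The archive is constructed in memory, the file names and the ELF stub are made up, and the member whose "dot" is a lookalike character (U+2024) is included to show a general file-naming trick that such checks need to handle, not as a claim about this campaign's exact file names.

```python
"""Inspect a ZIP attachment for an executable hiding behind a document name.

Added example, not ESET's or Nucleus's code. The archive, file names and ELF
stub are constructed; the lookalike-dot name illustrates a general trick.
"""
import io
import os
import stat
import unicodedata
import zipfile

MAGIC = {b"\x7fELF": "elf", b"MZ": "pe", b"#!": "script",
         b"%PDF": "pdf", b"PK\x03\x04": "zip"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
NATIVE = {"elf", "pe", "script"}


def sniff(head: bytes) -> str:
    """Classify content by magic bytes rather than by file name."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def inspect_archive(blob: bytes) -> list:
    """Return (member name, [reasons]) for every member that looks disguised."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                kind = sniff(fh.read(8))
            name = info.filename
            # NFKC folds lookalike punctuation (e.g. U+2024 ONE DOT LEADER) to
            # ASCII, so the extension check sees what a human sees.
            folded = unicodedata.normalize("NFKC", name)
            ext = os.path.splitext(folded)[1].lower()
            mode = info.external_attr >> 16  # Unix permission bits, if stored
            reasons = []
            if ext in DOCUMENT_EXT and kind in NATIVE:
                reasons.append(f"{kind} content behind a '{ext}' name")
            if mode & 0o111:
                reasons.append(f"executable permission bits ({stat.filemode(mode)})")
            if folded != name:
                odd = sorted({unicodedata.name(c, "?") for c in name if c not in folded})
                reasons.append("lookalike characters in name: " + ", ".join(odd))
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample() -> bytes:
    """Constructed archive: an ELF stub named like a PDF, plus a harmless PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        lure = zipfile.ZipInfo("HSBC job offer\u2024pdf")  # U+2024, not '.'
        lure.external_attr = (stat.S_IFREG | 0o755) << 16   # packer kept +x
        zf.writestr(lure, b"\x7fELF\x02\x01\x01" + b"\x00" * 57)
        zf.writestr("cover letter.pdf", b"%PDF-1.4\n%constructed placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_archive(build_sample()):
        print(repr(name), "->", "; ".join(reasons))
```

The permission-bit check only works when the archive was created on a Unix-like system that stored a mode in the external attributes; an archive built on Windows carries none, which is why the magic-byte comparison is the primary signal and the mode is corroboration.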

Unpatched systems and social engineering techniques such as spear-phishing remain prevalent risks within cyber security. Our team of security analysts can monitor and detect these threats across your network and cloud services. We then work with you to proactively mitigate any findings, thereby enhancing your overall security posture.

