Weekly Cyber Reports

This Week in Cyber 24th March 2023

Latest news and views from our Cyber Analysts

Written by

Team Nucleus

Written on

24th March, 2023


Ferrari Data Breach

Ferrari have advised of a cyber incident where a malicious actor was able to access a limited number of internal IT systems. Attackers reportedly demanded a ransom not to leak the data that had been stolen. It is currently unclear whether this is a ransomware attack or extortion. Ferrari advise that Customer Information including Names, Addresses, Email Addresses and Telephone numbers were exposed but there is no evidence to suggest that any payment details, bank account numbers or any other sensitive payment information had been accessed.

Dole Discloses Ransomware Attack Details

Dole, a worldwide provider of fresh fruit and vegetables has released further information regarding a ransomware attack they detected last month. In a report filed to the U.S. Securities and Exchange Commission (SEC) they mention that they were the victim of a sophisticated attack which resulted in unauthorised access to employee information. Upon detecting the attack, they engaged with experts to carry out containment and notified law enforcement.

Malicious ChatGPT Chrome Extension Hijacks Facebook Accounts

A malicious version of the legitimate ChatGPT Chrome Extension has been gathering popularity on the Chrome Web Store, having had over 9,000 downloads since it was published on February 14th. Researcher Nati Tal from Guardio Labs reports that the extension, which shares its infrastructure with a previously identified malicious ChatGPT extension, has been stealing Facebook session cookies.

These stolen cookies allow the threat actors to log in to Facebook accounts as the unsuspecting user and gain full access to their accounts. The extension abuses the Chrome Extension API to obtain a list of Facebook related cookies, encrypts them, then exfiltrates them back to the attackers server.

Emotet Evades Defences using OneNote

The notorious Emotet malware is now being distributed using Microsoft OneNote email attachments with the aim of bypassing security restrictions put in place by Microsoft. Traditionally Emotet was distributed via macro-enabled Microsoft Word and Excel attachments, but this method was becoming less and less viable as companies now generally block macro enabled attachments.

The attachments (*.one) are being distributed in reply-chain emails and when opened display a message stating that the document is protected & you need to click ‘View’ to continue. The threat actors have hidden a malicious VBScript underneath the ‘View’ button which contains an obfuscated script that downloads a DLL from a compromised website and then executes it.

Microsoft will be building improvements into OneNote to mitigate this threat, but for the time being it would be worth configuring Group Policies to block embedded files within OneNote or block .one file attachments at the mail gateway.

Lockbit 3.0

The FBI, CISA and MS-ISAC have released a joint cybersecurity advisory relating to the LockBit 3.0 Ransomware detailing the Indicators of Compromise (IoCs) and the associated Tactics, Techniques and Procedures (TTPs). Since first emerging in late 2019, LockBit 3.0 continues to become ever more prevalent as threat-actors pursue the "Ransomware as a Service" model.

View the advisory here


Recommended Posts

Subscribe to Nucleus blog updates.

Subscribe to our newsletter and stay updated.

Subscribe to Nucleus