Weekly Cyber Reports

This Week in Cyber 26th May 2023

Latest news & views from our Cyber Analysts

Written by

Team Nucleus

Written on

25th May, 2023


Enhanced Legion Malware Targets SSH Servers and AWS Credentials in Latest Upgrade

An updated version of the malware known as Legion has emerged, featuring expanded functionalities aimed at compromising SSH servers and acquiring Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch. The recent update signifies a broader scope and evolving capabilities in targeting cloud services.

Legion, originally a Python-based hacking tool, was initially uncovered by a cloud security firm for its ability to exploit vulnerable SMTP servers and gather credentials. It also exploits web servers running content management systems (CMS), utilizes Telegram for data exfiltration, and sends spam SMS messages using stolen SMTP credentials and dynamically generated U.S. mobile numbers.

The updated version of Legion introduces new features, including the ability to exploit SSH servers using the Paramiko module. Additionally, it includes mechanisms for retrieving specific AWS credentials related to DynamoDB, CloudWatch, and AWS Owl from Laravel web applications.

Researchers emphasize that misconfigurations in web applications remain the primary way Legion acquires credentials. To mitigate the risk, developers and administrators are advised to regularly review who and what can reach application resources, and to explore alternatives to storing sensitive information in environment files.
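Since the harvesting relies on misconfigured applications handing over their environment files, a web server's access log is one place to check for exposure. The script below is an added example, not code from the original report or from the Legion analysis; it assumes combined-format access logs (constructed sample lines are embedded) and treats Laravel-style `.env` paths as the sensitive files, flagging probes for them and, more importantly, any such request the server actually answered with a 2xx status.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [24/May/2023:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [24/May/2023:10:01:13 +0000] "GET /.env HTTP/1.1" 200 812 "-" "python-requests/2.28"
198.51.100.4 - - [24/May/2023:10:02:40 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [24/May/2023:10:02:41 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "python-requests/2.28"
203.0.113.7 - - [24/May/2023:10:02:42 +0000] "GET /.env.backup HTTP/1.1" 404 153 "-" "python-requests/2.28"
"""

# Fields of the combined log format up to the response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Hypothetical pattern for environment files: ".env" or ".env.<suffix>" as the last path element.
SENSITIVE_RE = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_-]+)?$')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_env_probes(log_text):
    """Return (probes, successes): every request for an env-file path, and the
    subset the server answered with a 2xx status, which indicates real exposure."""
    probes, successes = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if SENSITIVE_RE.search(path):
            probes.append(rec)
            if 200 <= rec["status"] < 300:
                successes.append(rec)
    return probes, successes


def probes_by_ip(probes):
    """Count env-file probes per source address to spot scanning hosts."""
    return Counter(p["ip"] for p in probes)
```

A 2xx in `successes` means the file was served and the credentials in it should be treated as compromised and rotated; a 404 only shows someone was looking.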

Meta Fined $1.3 Billion For Violating GDPR Regulations

Facebook's parent company Meta has been fined a record $1.3 billion by EU data protection regulators for transferring EU user data to the US in violation of GDPR. The European Data Protection Board (EDPB) has ordered Meta to comply with GDPR, delete unlawfully stored data, and suspend future data transfers within five months. The EDPB deemed Meta's infringement serious, given the systematic, repetitive, and continuous nature of the data transfers. The fine serves as a significant signal to organizations that serious infringements have severe consequences. Meta plans to appeal the ruling, citing a conflict between US government data access rules and European privacy rights. The fine is the largest ever under GDPR and underscores the EU's commitment to data protection.

Technical Analysis of Medusa Ransomware: Behaviour and Techniques

Medusa ransomware, discovered in June 2021, has gained prominence as an active threat this year, particularly with the launch of the "Medusa Blog," where data leaked from non-compliant victims is published. This ransomware variant targets various services and processes, whose list it decrypts at runtime, and erases Volume Shadow Copies to hinder recovery efforts. Files are encrypted with the AES-256 algorithm, and the encryption key itself is encrypted with an RSA public key. Upon completion of file encryption, the ransomware self-deletes, leaving the encrypted files with the ".MEDUSA" extension. Additional analysis reveals the specific parameters the malware can run with, its use of PowerShell processes, and its techniques for terminating services, processes, and Volume Shadow Copies.

Vlad Pasca's technical examination provides insight into the behaviour and techniques employed by Medusa ransomware. Understanding its operational characteristics and attack vectors enables security practitioners to enhance their defence mechanisms, develop appropriate mitigation strategies, and improve incident response efforts to combat this evolving threat landscape effectively.

Email Protection Company ‘Barracuda’ Warns Of Zero-Day Exploit

Barracuda, an email protection and network security services provider, has warned users about a zero-day flaw (CVE-2023-2868) that has been exploited to breach its Email Security Gateway appliances. The vulnerability allows remote code injection and affects a range of appliance versions. Barracuda released patches and disclosed evidence of active exploitation, urging affected users to take remedial action. In a separate incident, a WordPress plugin called Beautiful Cookie Consent Banner had a now-fixed vulnerability that allowed attackers to inject malicious JavaScript, resulting in site takeovers. Defiant, a WordPress security company, has blocked millions of attacks against it since May 23.

