Weekly Cyber Reports

This Week in Cyber 29th September 2023

Latest news and views from our Cyber Analysts

Written by Team Nucleus

Written on 28th September, 2023


Critical Security Vulnerability Discovered in TeamCity On-Premises: Update Urgently

TeamCity, a widely used Continuous Integration (CI) and Continuous Delivery (CD) server, is affected by a critical security vulnerability discovered by Sonar's Vulnerability Research Team. Tracked as CVE-2023-42793 with a CVSS score of 9.8, the flaw affects the on-premises version of TeamCity. It allows an unauthenticated attacker with HTTP(S) access to the server to achieve remote code execution (RCE), potentially compromising the server's integrity and exposing source code, service secrets, private keys, and more. JetBrains, the developer of TeamCity, responded swiftly with version 2023.05.4 to address the issue, urging all users to update their servers or apply the security patch plugin for immediate protection.

This critical vulnerability underscores the importance of keeping software up to date with the latest security patches. Failing to do so can have severe consequences, including unauthorized access and data breaches. JetBrains acted responsibly in promptly addressing the issue, emphasizing how critical server security is in an ever-evolving threat landscape.
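As an added example (not from the original post or from JetBrains), a small Python check that parses TeamCity version strings from an inventory and flags servers still below the fixed 2023.05.4 release, treating every earlier on-premises version as affected by CVE-2023-42793; the hostnames and build numbers in the sample inventory are constructed.

```python
import re
from typing import Iterable, List, Tuple

# First release that fixes CVE-2023-42793, per the summary above.
FIXED_VERSION = (2023, 5, 4)


def parse_teamcity_version(text: str) -> Tuple[int, int, int]:
    """Turn '2023.05.3 (build 100001)' or '2022.10' into a comparable tuple.
    A missing patch component counts as 0, so '2023.05' sorts below '2023.05.4'."""
    match = re.match(r"\s*(\d{4})\.(\d{1,2})(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised TeamCity version string: {text!r}")
    year, minor, patch = match.groups()
    return (int(year), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """Assumption: every on-premises release before 2023.05.4 is affected."""
    return parse_teamcity_version(version) < FIXED_VERSION


def find_unpatched(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """Return the hostnames whose reported version still needs the update."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed sample inventory: hostnames and build numbers are made up.
SAMPLE_INVENTORY = [
    ("ci-build-01.example.internal", "2023.05.3 (build 100001)"),
    ("ci-build-02.example.internal", "2023.05.4 (build 100002)"),
    ("ci-legacy.example.internal", "2022.10"),
    ("ci-build-03.example.internal", "2023.05"),
]

if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: update to 2023.05.4 or apply the security patch plugin")
```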


Mysterious 'Sandman' Threat Actor Targets Telecom Providers Across Three Continents

A newly discovered threat actor, referred to as Sandman, has recently orchestrated a series of cyberattacks against telecommunications providers across the Middle East, Western Europe, and South Asia. The attacks are marked by a calculated approach, with strategic lateral movement to specific target workstations while minimizing the risk of detection. Sandman uses a novel implant named LuaDream, which takes advantage of the LuaJIT compiler to evade detection.

Despite extensive efforts, the identity of the attacker remains unknown, with its persistent focus on the telecom sector the only clear indication of motive. LuaDream, a versatile and stealthy modular backdoor, is designed for data exfiltration and plugin management and employs anti-debugging techniques. This development highlights the ever-evolving nature of cyber espionage and underscores the importance of robust cybersecurity measures in safeguarding critical infrastructure.

Concurrently, Chinese threat actors are actively targeting various sectors in Africa, including telecommunications, finance, and government, in campaigns collectively known as BackdoorDiplomacy, Earth Estries, and Operation Tainted Love. These intrusions serve the broader goal of extending influence across the continent, aligning with China's soft power agenda. As these threats continue to emerge, organizations worldwide must remain vigilant and enhance their defenses to protect against evolving cyber threats that could potentially disrupt critical services and infrastructure.


Ransomed.vc Group Claims Data Breach on Sony

In a bold move, the recently emerged ransomware group Ransomed.vc has targeted Sony, one of its many victims since the group's inception in September. The group announced the intrusion on both clear-web and dark-web platforms, stating that it had compromised Sony's systems and planned to sell the stolen data because Sony refused to pay a ransom. While Ransomed.vc provided some proof-of-hack data, including screenshots of internal login pages and PowerPoint presentations, the quantity fell short of expectations given the audacious claim of having breached "all of Sony systems."

The file tree shared by the group contains fewer than 6,000 files, a surprisingly modest number given the scope of their assertion. These files include "build log files," various Java resources, and HTML files, many of which prominently feature Japanese characters. Ransomed.vc has set a "post date" of September 28, 2023, implying that the data will be made public if no buyers emerge. Sony has not officially acknowledged the cyber incident on its websites, and Ransomed.vc, 


Sony has since informed the ransomware group that it does not intend to pay. Since then, Ransomed.vc has announced on its website that it is happily selling the data.


DarkMe Exploits Critical WinRAR Vulnerability CVE-2023-38831

The emergence of CVE-2023-38831, a remote code execution vulnerability in the widely used WinRAR software, has taken a significant turn now that the Evilnum APT group's DarkMe malware is exploiting it. DarkMe exploits the flaw through crafted archive files, delivered in precisely targeted spear-phishing emails aimed at European trading forums.

These attacks aim to compromise financial assets and transaction data. DarkMe's modus operandi involves loading Windows ActiveX files, establishing registry keys, and connecting to a command-and-control server via rundll32.exe, which facilitates the deployment of the DarkMe Trojan.
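As an added illustration (not from the original post or any vendor tooling), the Python below correlates constructed process telemetry by host and PID and flags rundll32.exe instances that both set a registry value and opened an outbound connection, the behaviour chain attributed to DarkMe above; the event format, hostnames, registry path and the 203.0.113.10 / 198.51.100.20 addresses are all constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

RUNDLL32 = "rundll32.exe"

def detect_rundll32_c2(events: Iterable[Dict]) -> List[Dict]:
    """Return one alert per (host, pid) where rundll32.exe both wrote a
    registry value and opened a network connection. Either behaviour alone is
    common on Windows; the pair inside one process is the signal."""
    seen: Dict[Tuple[str, int], Dict[str, List[str]]] = defaultdict(
        lambda: {"registry": [], "network": []})
    for ev in events:
        # Compare on the image file name only, so the directory does not matter.
        if ev.get("image", "").rsplit("\\", 1)[-1].lower() != RUNDLL32:
            continue
        key = (ev["host"], ev["pid"])
        if ev["type"] == "registry_set":
            seen[key]["registry"].append(ev["target"])
        elif ev["type"] == "network_connect":
            seen[key]["network"].append(f'{ev["dest_ip"]}:{ev["dest_port"]}')
    return [{"host": host, "pid": pid, **hits}
            for (host, pid), hits in seen.items()
            if hits["registry"] and hits["network"]]

# Constructed sample telemetry (simplified; not a real Sysmon or EDR export).
SAMPLE_EVENTS = [
    {"type": "registry_set", "host": "WS-TRADING-07", "pid": 4120,
     "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "network_connect", "host": "WS-TRADING-07", "pid": 4120,
     "image": r"C:\Windows\System32\rundll32.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    # Benign noise: rundll32.exe touching only the registry, and a browser
    # making a connection. Neither should alert.
    {"type": "registry_set", "host": "WS-TRADING-07", "pid": 2210,
     "image": r"C:\Windows\System32\rundll32.exe",
     "target": r"HKCU\Control Panel\Desktop\Wallpaper"},
    {"type": "network_connect", "host": "WS-TRADING-07", "pid": 3300,
     "image": r"C:\Program Files\Browser\browser.exe",
     "dest_ip": "198.51.100.20", "dest_port": 443},
]

if __name__ == "__main__":
    for alert in detect_rundll32_c2(SAMPLE_EVENTS):
        print(f"{alert['host']} pid {alert['pid']}: {alert['network']} after {alert['registry']}")
```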

