Weekly Cyber Reports

This Week in Cyber 3rd March 2023

Latest news & views from our Cyber Analysts

Written by

Team Nucleus

Written on

3rd March, 2023


WHSmith Staff Data Hit by Cyber-Attack

British high street retailer WHSmith has confirmed that it has been hit by a cyber attack which resulted in the theft of company data. The company has advised that current and former employee data was accessed during the attack, including names, addresses, dates of birth and National Insurance numbers. This attack against WHSmith is the latest in an ever increasing number of attacks against well-known UK high street chains. The trend is expected to continue: recent reports suggest that over a quarter of UK business leaders anticipate a significant rise in the frequency of cyber attacks this year.

New EX-22 Tool Being Sold For $5000 For A Lifetime Subscription

A new post-exploitation framework known as EXFILTRATOR-22 (EX-22) has been discovered. It is marketed for deploying ransomware within enterprise networks while evading detection, and its capabilities include establishing a reverse shell, logging keystrokes, launching ransomware and conducting lateral movement. It can persist across system reboots, generate cryptographic hashes of files and extract authentication tokens. The cybersecurity firm CYFIRMA assesses that the creators of this malware operate from North, East or Southeast Asia and are likely former affiliates of the LockBit ransomware group.

Law Firms Being Targeted By GootLoader And FakeUpdates Malware

In recent months there have been two distinct threat campaigns distributing the GootLoader and SocGholish malware strains; between them they targeted six law firms in January and February 2023. GootLoader, active since late 2020, is a downloader that can deliver a range of secondary payloads, including Cobalt Strike and ransomware. It relies on search engine optimization (SEO) poisoning to steer victims searching for business-related documents towards drive-by download sites that drop the JavaScript malware. SocGholish (also known as FakeUpdates) is another JavaScript downloader capable of dropping additional executables, and has been used in a separate set of attacks on law firms and other businesses. In both campaigns the threat actors compromised legitimate but vulnerable WordPress websites, adding new blog posts without the owners' knowledge. Users who navigated to these pages and clicked the link to download a business agreement unknowingly downloaded GootLoader instead. What makes these attacks particularly notable is the absence of ransomware deployment: the threat actors favoured hands-on-keyboard activity, suggesting that the operations may have diversified to include espionage.

Cryptocurrency Firms Are Being Targeted By New Parallax RAT

Cryptocurrency companies are being targeted in a new campaign that uses a remote access trojan (RAT) called Parallax RAT to gain remote access to victim machines. Parallax RAT can upload and download files, record keystrokes, capture the screen and read data stored in the clipboard. Once on a machine, the attackers open Notepad to communicate with the victim and instruct them to connect to an actor-controlled Telegram channel. The campaign is focused specifically on cryptocurrency companies, and the RAT is delivered via phishing emails carrying the malware. The use of Telegram is also concerning, as the platform has become a hub for criminal activity due to lax moderation.

Threat Actors Target ManageEngine CVE-2022-47966

Bitdefender Labs report that since 20th January 2023 there has been a global increase in attacks against the ManageEngine vulnerability CVE-2022-47966, a Remote Code Execution (RCE) vulnerability affecting 24 Zoho ManageEngine products. Based on their research, up to 4,000 internet-facing servers are affected and still unpatched. The vulnerability allows unauthenticated remote code execution; the underlying cause is an outdated third-party component (the Apache Santuario XML signature library) containing a 15-year-old vulnerability, and it is reachable when SAML single sign-on is, or has previously been, enabled in the affected product, so checking that setting is a useful first step in triage. Telesoft's Cyber Analysts have been carrying out targeted threat hunts for our customers who use ManageEngine products, based on the Indicators of Compromise (IoCs) available.
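As an added example (not code from the original post, nor from any of the vendors cited), the following Python script shows the kind of hunt logic that covers two of the items above: the JavaScript downloaders in the law-firm campaign (rule 1: a Windows script host executing a .js/.jse/.vbs/.wsf file from a user-writable directory such as Downloads or the Temp folder Explorer extracts zip files into) and post-exploitation of CVE-2022-47966 (rule 2: a Java process under a ManageEngine install directory spawning a command shell). The event format, the install path under Program Files\ManageEngine and the sample events themselves are constructed assumptions; the rules are generic heuristics rather than vendor-published IoCs, and rule 2 will also fire on legitimate scripted maintenance, so baseline it before turning it into an alert.

```python
"""Two hunt heuristics over process-creation events (constructed sample data).

Rule 1: a Windows script host (wscript/cscript) running a .js/.jse/.vbs/.wsf
        file from a user-writable location (Downloads, Desktop, Temp).
Rule 2: a Java process under a ManageEngine install directory spawning a shell.
Both are generic post-exploitation indicators, not IoCs from any vendor report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Simplified process-creation record (Sysmon Event ID 1 style; assumed schema)."""
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Paths an ordinary user can write to; Explorer extracts zip contents into Temp.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.I)
SCRIPT_FILE = re.compile(r'\.(js|jse|vbs|vbe|wsf)"?(\s|$)', re.I)


def script_host_from_user_dir(ev: ProcEvent) -> bool:
    """Rule 1: wscript/cscript launched with a script file under a user-writable path."""
    if _basename(ev.image) not in SCRIPT_HOSTS:
        return False
    return bool(USER_WRITABLE.search(ev.command_line) and SCRIPT_FILE.search(ev.command_line))


def java_spawning_shell(ev: ProcEvent) -> bool:
    """Rule 2: java.exe living under a ManageEngine directory (assumed path) spawns a shell."""
    parent = ev.parent_image.lower()
    return (_basename(parent) == "java.exe"
            and "\\manageengine\\" in parent
            and _basename(ev.image) in SHELLS)


RULES = {
    "script_host_user_dir": script_host_from_user_dir,
    "manageengine_java_shell": java_spawning_shell,
}


def hunt(events):
    """Return (rule_name, host, command_line) for every event a rule matches."""
    findings = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                findings.append((name, ev.host, ev.command_line))
    return findings


# Constructed sample events; hostnames, users and paths are invented for illustration.
SAMPLE_EVENTS = [
    # Zip downloaded from a poisoned search result, opened in Explorer, .js double-clicked.
    ProcEvent("ws01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_business_agreement.zip\business_agreement_2023.js"'),
    # Vendor maintenance script from a protected location: should not fire.
    ProcEvent("ws02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Program Files\Vendor\maintenance.js"'),
    # Web-application JVM running a shell command: consistent with RCE post-exploitation.
    ProcEvent("srv-sdp", r"C:\Program Files\ManageEngine\ServiceDesk\jre\bin\java.exe",
              r"C:\Windows\System32\cmd.exe", r"cmd.exe /c whoami"),
    # JVM starting a child JVM: normal, should not fire.
    ProcEvent("srv-sdp", r"C:\Program Files\ManageEngine\ServiceDesk\jre\bin\java.exe",
              r"C:\Program Files\ManageEngine\ServiceDesk\jre\bin\java.exe", r"java.exe -version"),
    ProcEvent("ws03", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", r"notepad.exe"),
]


if __name__ == "__main__":
    for rule, host, cmd in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {cmd}")
```

Running the script against the constructed events flags only the Temp-folder .js launch on ws01 and the cmd.exe child of the ManageEngine JVM on srv-sdp; the vendor script under Program Files and the nested JVM are left alone. In a real hunt the same two functions would be run over exported Sysmon or EDR process telemetry rather than the inline list.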

