The CyberWire: Latest Cybersecurity News.

"Five Eyes warning against top exploited vulnerabilities."

Views expressed in this cybersecurity, cybercrime update are those of the reporters and correspondents.  Accessed on 04 August 2023, 1549 UTC.

Content provided by email subscription to "The CyberWire."

Source:   https://mail.google.com/mail/u/0/?tab=rm&ogbl#inbox/FMfcgzGtwWDKgGWLpmJSGDbwrngpvGSH ("The CyberWire").

Please click link or scroll down to read your selections.  Thanks for joining us today.

Russ Roberts (https://www.hawaiicybersecurityjournal.net

More signal, less noise.

SPONSORED BY DRATA:

14+ compliance frameworks. None of the manual work.

By integrating with your tech stack, Drata automates compliance and control monitoring for top frameworks, including SOC 2, ISO 27001, and GDPR—eliminating time consuming, manual tasks. With 450+ 5-star G2 reviews, you’ll see why 2,500+ customers choose Drata to automate workflows, ace their audits, and stay compliant year round. Want to see automation in action? Book a demo and get 10% off and waived implementation fees.

Daily Briefing

August 4, 2023. SUMMARY

At a glance.

Five Eyes warning against top exploited vulnerabilities. Rilide info stealer in the wild. Abuse of a legitimate tool. Malicious PyPI packages. Cyber attacks continue to gutter on both sides of Russia's war against Ukraine.

Five Eyes warning against top exploited vulnerabilities.

Intelligence services in the Five Eyes yesterday issued a joint Cybersecurity Advisory (CSA), 2022 Top Routinely Exploited Vulnerabilities, describing the vulnerabilities that attackers have used most often this year. There are twelve vulnerabilities atop the hacker's leader board: "CVE-2018-13379. This vulnerability, affecting Fortinet SSL VPNs, was also routinely exploited in 2020 and 2021. The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors. "CVE-2021-34473, CVE-2021-31207, CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft’s web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers. "CVE-2021-40539. This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability began in late 2021 and continued throughout 2022. "CVE-2021-26084. This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021. "CVE-2021- 44228. This vulnerability, known as Log4Shell, affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021- 44228 through the first half of 2022. "CVE-2022-22954, CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year. "CVE-2022-1388. This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software. "CVE-2022-30190. This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system. "CVE-2022-26134. This critical RCE vulnerability affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022." The cooperating agencies are, in the United States the Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI); in Australia the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC); in Canada the Canadian Centre for Cyber Security (CCCS); in New Zealand the New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ); and in the United Kingdom the National Cyber Security Centre (NCSC-UK). Sponsored by mWISE

First look: mWISE 2023 session catalog

Check out the topics, meet the speakers, and sign up for discount registration.

Rilide info stealer in the wild.

Trustwave’s SpiderLabs describes a new version of the Rilide Stealer extension that’s targeting Chromium-based browsers. The researchers note that the malware “uses a creative way to work around the Chrome Extension Manifest V3 from Google which is aimed at blocking the installation of malicious extensions for chromium browsers.” Compared to earlier versions of Rilide, this variant “exhibits a higher level of sophistication through modular design, code obfuscation, adaptation to the Chrome Extension Manifest V3, and additional features such as the ability to exfiltrate stolen data to a Telegram channel or interval-based screenshot captures.” Sponsored by Expel

Wish you had a cheat sheet for AWS investigations? Expel created one!

We remediate loads of cyber incidents in Amazon Web Services (AWS), and some common themes have emerged re: attacker use of APIs. We’ve noticed they map nicely to MITRE ATT&CK tactics. So we captured them in a mind map of possible attack paths once hackers are inside an AWS environment. This resource should be helpful if you ever find yourself chasing a baddie through the cloud and want to catch them sooner than later.

Abuse of a legitimate tool.

Guidepoint Security outlines how the legitimate tool Cloudflare Tunnel (also known as “Cloudflared) is being abused by threat actors: “[Cloudflared] allows a TA to configure an environment in advance of an attack, then execute a single command from a victim machine to establish a foothold and conduct further operations. Since the Cloudflared execution only requires the token associated with the tunnel they’ve created, the TA can initiate these commands without exposing any of their configurations on the victim machine prior to a successful tunnel connection. Once the tunnel is established, Cloudflared obtains the configuration and keeps it in the running process.” Sponsored by CrashPlan

Recover from ransomware and disasters the indisputable way. Backup Better.

Be ready for the inevitable with CrashPlan endpoint backup. With 256-bit AES encryption in transit and at rest running automatically every 15 minutes, you can work without friction or fear. Trusted by organizations worldwide with less than 100 endpoints to more than 100,000, CrashPlan is the undeniable solution to recover all your work and intellectual property at the endpoints from any data calamity. And, see what exactly was compromised to fully understand the risk.

Malicious PyPI packages.

Researchers at ReversingLabs discovered twenty-four malicious packages in the Python Package Index (PyPI) open-source repository. The packages imitated three popular Python packages: “vConnector, a wrapper module for pyVmomi VMware vSphere bindings; as well as eth-tester, a collection of tools for testing ethereum based applications; and databases, a tool that gives asyncro support for a range of databases.” The campaign began in late July, and the attackers keep posting new malicious packages daily as the older ones are removed: “In contrast to other, recent supply chain campaigns, such as Operation Brainleeches, the malicious packages that make up this campaign display evidence of a concerted effort to deceive developers. They achieve this by implementing the entire functionality of the modules they are imitating and standing up corresponding and linked GitHub projects that omit the malicious functionality found in the PyPI release package.”

Cyber attacks continue to gutter on both sides of Russia's war against Ukraine.

The SVR cyberespionage campaign recently described by Microsoft (and summarized by Reuters) is the most prominent of recent cyber operations, but there have been others. The Times describes ongoing disruption of Russian online services by Ukrainian hacktivist auxiliaries. The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here. [1050]

Notes.

Today's issue includes events affecting Australia, Bangladesh, Belarus, China, the European Union, Georgia, India, Israel, Kazakhstan, NATO/OTAN, Poland, Romania, Russia, Ukraine, the United Kingdom, and the United States. SPONSORED EVENTS Cyber Security Summits This Summer (Multiple Locations / Virtual, July 20 - August 17, 2023) Join us In-Person and network over breakfast, lunch & a cocktail reception on 7/20 in DC, on 7/27 in Pittsburgh & on 8/17 in Detroit. Learn about the latest threats and solutions from The FBI, U.S. DHS / CISA, US Secret Service & more. Earn CPE/CEU credits with your attendance. Get $100 off admission w/ code CyberWire23 at CyberSecuritySummit.com mWISE early bird registration is open. Get the lowest price we offer. Washington, D.C. or online (Washington, D.C. / Virtual, September 18 - 20, 2023) Early bird registration for Mandiant’s mWISE, the targeted security conference where we use the power of collective intelligence to combat emerging threats. Get the best price we offer at this highly targeted, vendor-neutral, community-focused event. mWISE Conference 2023 Registration is Open SELECTED READING

Dateline: Russia's hybrid war against Ukraine.

Ukraine at D+526: The drone war at week's end. (CyberWire) Russia and Ukraine continue to exchange drone strikes. Russian attacks have concentrated on grain ... Russia-Ukraine war: List of key events, day 527 (Al Jazeera) These are the main developments as the Russian invasion of Ukraine enters its 527th day. Russia-Ukraine war at a glance: what we know on day 527 of the invasion (the Guardian) Ukraine claims to have incapacitated a ship in Russia’s Black Sea fleet ; Russian defence minister ... Find MORE on our website.

Attacks, Threats, and Vulnerabilities

CISA, NSA, FBI, and International Partners Release Joint CSA on Top Routinely Exploited Vulnerabilities of 2022  | CISA (Cybersecurity and Infrastructure Security Agency CISA) The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), ... CISA, NSA, FBI and International Partners Issue Advisory on the Top Routinely Exploited Vu (National Security Agency/Central Security Service) The “2022 Top Routinely Exploited Vulnerabilities” CSA provides details on the top Common ... 2022 Top Routinely Exploited Vulnerabilities (Cybersecurity and Infrastructure Security Agency CISA) The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA): Find MORE on our website.

Security Patches, Mitigations, and Software Updates

CISA Releases Five Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency CISA) CISA released five Industrial Control Systems (ICS) advisories on August 3, 2023. These advisories ... Google is making it easier to remove your private information from Search (Engadget) Google is making it easier for people to request the removal of their phone number, home address and ...

Trends

BlackBerry Global Threat Intelligence Report — August 2023 Edition (BlackBerry) This report by the BlackBerry Threat Research and Intelligence team provides the latest actionable ... Cyberattacks on governments and public services were way up this spring, research shows (Record) Cyberattacks on governments and public entities worldwide surged by 40% from March to May compared ... New Survey Reveals Majority of Organizations Still Using Phishable Multifactor Methods for Customer Authentication (Benzinga) Nok Nok and Enterprise Strategy Group today released the findings of a comprehensive survey on the ... Find MORE on our website.

Marketplace

Cybersecurity Snapshot (May 2023) (Momentum Cyber) We are pleased to provide you with Momentum’s Cybersecurity Market Review for 1H 2023. Strategic ... ‘Tidal Wave’ of Down Rounds Hits Startups (The Information) Turntide Technologies, a maker of electric motor systems backed by Bill Gates–founded Breakthrough ... Jericho Security Raises $3 Million for Awareness Training Powered by Generative AI (SecurityWeek) Jericho Security raises $3 million in a pre-seed funding round to help organizations defend against ... Find MORE on our website.

Products, Services, and Solutions

Threat Intelligence with Breach and Attack Simulation (SafeBreach) Combining threat intelligence with breach and attack simulation provides the context needed to ... The Valence SaaS Security Platform is now available in the Microsoft Azure Marketplace (GlobeNewswire News Room) Microsoft Azure customers worldwide now gain access to Valence Security to take advantage of the ... Security Tools for Containers, Kubernetes, and Cloud (Sysdig) See all vulnerabilies, configuration issues, and suspicious activity with Sysdig's unified cloud and ... Find MORE on our website.

Technologies, Techniques, and Standards

Qualys Announces Ground-Breaking First-Party Software Risk Management Solution (PR Newswire) Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of disruptive cloud-based IT, security ... Cyber Incident Response Plan Template | ManagedMethods (ManagedMethods) Our comprehensive incident response template provides a structured framework, guiding you through ...

Legislation, Policy, and Regulation

China calls on all citizens to spy on their neighbour (The Telegraph) Secretive security service says people need to be vigilant to form a 'line of defence' against ... An Internet Shutdown Means Manipur Is Burning in the Dark (WIRED) Since May 4, the Indian government has shut off the internet in Manipur, giving cover to murders, ... The Lose-Lose-Lose-Lose Bill C-18 Outcome: Meta Blocking News Links on Facebook and Instagram in Canada (Michael Geist) For months, supporters of Bill C-18, the Online News Act, assured the government that Meta and ... Find MORE on our website.

Litigation, Investigation, and Law Enforcement

US navy sailors arrested on charges of passing sensitive material to China (the Guardian) Jinchao Wei, 22, and Wenheng Zhao, 26, accused in separate cases of ‘violating commitments they made ... FCC fines robocaller a record $300M after blocking billions of their scam calls (TechCrunch) The FCC ordered a record $300 million forfeiture, but whether and when that money will be paid is, ... Tech Entrepreneur Admits to Being Hacker in $4.5 Billion Bitcoin Heist (Wall Street Journal) Ilya Lichtenstein, who pleaded guilty to laundering stolen digital currency, made an unexpected ... Find MORE on our website. SPONSOR & SUPPORT

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Copyright © 2023, CyberWire Inc. Views and assertions of the various sources cited, Selected Reading articles, and images are those of the authors and artists, not the CyberWire, Inc. This email was sent to kh6jrm@gmail.com why did I get this?  |  unsubscribe  |  manage subscription preferences The CyberWire · 8110 Maple Lawn Blvd Ste 200 · Fulton, MD 20759-2694 · USA