The HighPoint Security Hub – Oct 30, 2023

Navigating the ever-evolving landscape of cyber threats is a constant challenge. “The Security Hub” is here to make it easier, offering a succinct overview of the most pressing developments from the past two weeks.

This week, rogue Google Ads targeted those searching for PDF converters, SolarWinds faced another round of severe vulnerabilities and state-sponsored Russian and Chinese threat actors targeted WinRAR.

Global Developments

1. Cisco issued a fix for a critical zero-day security vulnerability in its widely-used IOS XE software, in which an unidentified hacked installed malicious backdoors in about 42,000 devices worldwide. The suspicious activity dates back to Sept. 18 and continued through to Oct. 12 before being addressed by Cisco this week. Read more.
2. SolarWinds has faced another round of vulnerabilities, with eight newly discovered that are considered to be of critical severity. These vulnerabilities potentially allow unauthorised parties to take over networks and gain the highest levels of privilege in any unpatched systems. After the highly publicised 2020 breach, one of the biggest cybersecurity breaches of the 21st century, these new vulnerabilities emphasise the importance of robust security measures. Read more.
3. D-Link, the networking equipment manufacturer, confirmed a breach but disputed claims from the hacker about the extent of the compromise. The attacker claimed to have heisted 3 million lines of customer information and source code, including that of Taiwanese government officials. D-Link rebutted these claims, saying the stolen data was outdated and only amounted to 700 records. Read more.
4. Popular identity and access management provider Okta suffered a breach of its support system that allowed as yet unidentified threat actors to access its support case management system. Okta has not disclosed the scale or timeframe of the attack, with this new attack being the latest in a long list of security breaches that have targeted the company in recent years. Read more.

Commonly Used Tools and Gadgets

1. ServiceNow experienced a data leak that potentially puts thousands of companies at risk. A cybersecurity expert warned the vulnerability could have compromised private data for years, allowing unauthenticated users to extract data, including names, email addresses and internal documents. Around 70% of total data instances currently seem have been affected, although there is no proof as of yet that the glitch has been exploited by hackers. Read more.
2. A critical vulnerability in Citrix NetScaler has been discovered that could expose sensitive data. The vulnerability, with a CVSS rating of 9.4, is considered remotely exploitable and low complexity without an attacker requiring high privileges or user interaction. Read more.
3. Microsoft has resolved a known issue that has been affecting Outlook since June, causing slow starts and program freezes for many users. The fix is being rolled out to Beta users now, with plans for it to reach all users in late November. Read more.
4. Researchers at Google’s Threat Analysis Group have been tracking persistent attacks in recent weeks that are exploiting a WinRAR vulnerability to delivery infostealers and backdoor malware. State-sponsored threat actors from Russia and China are particularly targeting organisations in Ukraine and Papua New Guinea. The exploited flaw is a known and patched WinRAR vulnerability, but systems that haven’t been updated remain vulnerable. Read more.

Malware and Ransomware

1. Attackers are hiding malware in seemingly innocuous browser updates. By seeding legitimate but vulnerable websites with malicious JavaScript, they are able to present website users with convincing browser update notifications that when clicked, mask dangerous payloads. At least four different threat clusters so far have adopted this new approach, with the trend appearing to be growing. Read more.
2. The BlackCat ransomware has evolved, now using a new ‘Munchkin’ tool that uses virtual machines to stealthily deploy encryptors into network devices, enabling the ransomware to run on remote systems. This update to an already extensive ransomware arsenal makes BlackCat more attractive to cybercriminals and makes it easier for them to bypass security solutions. Read more.
3. Malvertisers are using Google Ads to target users who search for Notepad++ and PDF converters. Exploiting user trust in advertisements, the malware directs users to fictitious landing pages, silently fingerprinting devices to determine if the user is a potential target or not before delivering final-state malware. These rogue Google Ads are a sign that malvertising via search engines is increasing in sophistication. Read more.