Security News – May 2023

Read our roundup of cybersecurity news from May 2023. Each month, we’ll bring you security cases and interesting insights to help you stay secure. 

Politics 

Two APT groups affiliated with the Iranian government are actively exploiting a vulnerability in the PaperCut print management software. The vulnerability allows remote code execution, acquisition of system privileges, and access to sensitive data stored on corporate servers. Although patches are available, the vulnerability is still being actively exploited.

A new map in CS:GO bypasses Russian censorship and enables players to learn about the ongoing war in Ukraine. The project is implemented by the Finnish newspaper Helsingin Sanomat.

Pro-Russian group UserSec has announced a new campaign targeting NATO countries and their websites. According to their statement, no country should be left out.

Investigations and research

A British hacker, who was extradited to the USA, faces up to 77 years in jail for multiple offenses. They include computer and system intrusions, data extraction, stalking, bank fraud, and money laundering. He has confessed to all the crimes.

A Russian hacker, Mikhail Matveev, is wanted by the authorities, and a reward has been offered for his arrest. He was involved in multiple ransomware attacks targeting critical infrastructure in the United States. Matveev is connected to the ransomware strains known as Hive, LockBit, and Babuk.

Toyota has announced a data breach that lasted for nearly 10 years. The exposed data included location information for more than two million vehicles. The cause was a misconfigured database that allowed anyone to access it without a password.

Merck’s insurance company has been ordered to pay $1.4 billion as compensation for the damages caused by the NotPetya attack. The insurer had initially refused to pay, citing a war exclusion clause, as Russian hackers targeting Ukraine were behind the attack.

Spanish police arrested 40 members of the cybercriminal gang Trinitarians, which victimized more than 300,000 people. Their method involved sending deceptive SMS messages urging recipients to carry out actions on a fraudulent website posing as a financial institution.

Intel is currently investigating a reported leak of private keys used by Intel Boot Guard. The incident could undermine Intel’s ability to protect MSI devices against the installation of malicious UEFI firmware. The keys were exposed following an attack on MSI: when the company refused to pay the ransom, the attackers published the stolen data.

A former CISO of Uber has been sentenced to a three-year probation period, fines, and community service for deliberately withholding information about a successful cyber attack on the company in 2016. This data breach resulted in the exposure of sensitive information belonging to 57 million customers and 600,000 drivers.

The FBI has seized 13 more domains connected to DDoS-for-hire services. This is the third wave of interventions against such domains, bringing the total number of shut-down domains to 76.

Meta (formerly Facebook) was fined €1.2 billion. Since 2020, the company has been transferring personal user data from the EU to the USA, in violation of a court ruling on data transfers between the EU and the USA.

Attacks

The WordPress plugins “Advanced Custom Fields” and “Advanced Custom Fields Pro” are vulnerable to cross-site scripting (XSS). With over 2 million downloads, they are among the most popular WordPress extensions. Even though an update is available, more than 72% of users are still running an outdated version.

The WordPress plugin “Essential Addons for Elementor” had a vulnerability that enabled unauthorized users to obtain administrative privileges on the website. This widely-used plugin is utilized by over a million websites. Fortunately, an update addressing this issue has been released.

The cybercriminal group known as Lemon Group is taking advantage of millions of Android devices infected by their malware. It appears that the malware infiltrated these devices through a compromised firmware supplier for mobile devices.

A hospital on Staten Island (USA) fell victim to a ransomware attack. Despite the resulting limitations, the hospital managed to continue serving its patients.

The Medical Clinic & SurgiCenter in Tennessee fell victim to a ransomware attack, resulting in the cancellation of all operations and the implementation of an emergency network shutdown to mitigate the spread of the attack.

Despite the FBI’s strong recommendation against paying ransoms, the city of San Bernardino, California decided to pay a ransom of $1.1 million to a ransomware gang that had encrypted the network of their police department.

Other

Google has recently introduced a new feature for Gmail accounts in the USA that allows users to monitor the dark web. The service actively scans the dark web for appearances of the user’s email address and provides recommendations for strengthening their security. Additionally, users receive prompt notifications if their email address turns up in a data breach.

The web browser Brave has unveiled a privacy feature known as “Forgetful Browsing”. It ensures that websites cannot re-identify users on subsequent visits: once a website is closed, Brave automatically deletes its cookies, localStorage, indexedDB, and HTTP and DNS cache entries, leaving no trace of the user’s browsing activity.

In 2022, Apple blocked 1.7 million applications over privacy and security concerns. This measure prevented over two billion dollars in fraudulent transactions. Additionally, Apple removed more than 400,000 developer accounts.

The introduction of new top-level domains such as ZIP and MOV has raised concerns about their potential use in phishing attacks. The problem stems from their resemblance to well-known and widely used file extensions for archive and video files. To demonstrate the problem, individuals have already registered domains such as setup.zip and update.zip, highlighting the need for caution and vigilance.

According to US federal agencies, the hesitancy of victims to report ransomware attacks poses challenges in mitigating cyberattacks. It is estimated that only 20-30% of victims actually report such incidents. Increased reporting could significantly improve the effectiveness of ongoing initiatives and their overall impact.

A man in China is facing a possible 10-year prison sentence. Using ChatGPT, he fabricated a false news report about a train accident, which spread widely in China, including on Baidu. To limit the spread of misleading information, deepfake content in China must be explicitly labeled as such.

The Cisco SPA 112 2-Port Phone Adapters have a vulnerability that enables remote code execution and unauthorized access to administrator privileges by unauthenticated attackers. However, since the device has already reached its end-of-life (with support ending in 2020), no further updates will be released for it.

Attackers are taking advantage of QR codes for malicious purposes. By scanning a manipulated QR code to complete a questionnaire, users may unknowingly download an application that provides attackers with access to their internet banking. Additionally, QR codes are used in fake parking ticket scams, falsely claiming to offer convenient online payment options.

The password manager KeePass has a vulnerability that allows the master password to be recovered from the system’s memory. To extract the password, an attacker needs access to the process memory or to memory artifacts persisted by the operating system (e.g., hiberfil.sys). An update addressing this issue is expected in July 2023.