Updated: Aug 5, 2022
In this week's Cyber Weekly Digest we dive into the latest cyber security stories including the attackers arrested by Spanish law enforcement for sabotaging the country’s radioactivity alert network last year. Keep reading to stay up to date on the biggest cyber security news.
An Israeli spyware company actively exploited a Google Chrome zero-day that came to light earlier this month, weaponising the exploit in attacks targeting journalists in the Middle East. Researchers have linked the exploitation to Candiru (aka Saito Tech), which has a history of leveraging previously unknown flaws to deploy a Windows malware named DevilsTongue, a modular implant with Pegasus-like capabilities. The vulnerability used by the company is CVE-2022-2294, a memory corruption flaw in the WebRTC component of the Google Chrome browser, which Google has since patched. The exploit was used to gain initial access to the victim's device; the threat actors then chained a second zero-day exploit, which has not yet been captured, to gain full access to the device.
The Amadey Bot malware is being distributed through the SmokeLoader malware, using software cracks and keygen sites as lures. Amadey Bot was first discovered four years ago and is capable of performing reconnaissance, stealing information, and loading additional payloads. The SmokeLoader payload is downloaded and executed voluntarily by the victim, and the installation requires the user to disable antivirus software, which is common for software cracks and keygens. SmokeLoader then loads Amadey onto the victim's device. Amadey establishes C2 communication and sends a system profile to the threat actor's server, including the OS version, architecture type, list of installed antivirus tools, etc. Amadey is also capable of sideloading the RedLine malware, a widely spread info-stealer, which exposes the user to the loss of account credentials, communications, files, and cryptocurrency assets.
Hackers are targeting websites using the PrestaShop platform, leveraging a previously unknown vulnerability chain to perform code execution and potentially steal customers' payment information. The attack is an SQL injection that impacts PrestaShop versions 18.104.22.168 or later, and versions 22.214.171.124 or later if they run modules vulnerable to SQL injection, such as the Wishlist module versions 2.0.0 to 2.1.0. The flaw has been assigned the identifier CVE-2022-36408. PrestaShop's security advisory states: "We believe attackers are targeting shops using outdated software or modules, vulnerable third-party modules, or a yet-to-be-discovered vulnerability." PrestaShop has released security fix 126.96.36.199, which strengthens MySQL Smarty cache storage against all code injection attacks, the attack vector used in the observed exploitation.
System administrators are under greater pressure than previously thought to patch disclosed security vulnerabilities, as a new report shows threat actors scanning for vulnerable endpoints within 15 minutes of a new CVE being publicly disclosed. According to Palo Alto, hackers constantly monitor software vendor bulletin boards for new vulnerability announcements they can leverage for initial access to a corporate network or to perform remote code execution. The most exploited vulnerabilities in H1 2022 were the ProxyShell exploits, which made up 55% of all exploited flaws. It is a race against the clock to roll out patches and updates before the hackers can cause damage and steal data; temporary downtime is better than a data breach.
The Spanish police have announced the arrest of two hackers believed to be responsible for cyberattacks on the country's radioactivity alert network (RAR), which took place between March and June 2021. The arrested hackers were former workers of a company contracted by the General Directorate of Civil Protection and Emergencies (DGPGE) to maintain the RAR system, so they had deep knowledge of how to deliver an effective cyberattack. The role of the RAR system is to detect sudden rises in radioactivity levels and raise the alarm so that the authorities can take protective measures and detect and remediate the problem. The cyberattack on these systems specifically disabled 300 out of 800 radiation sensors, posing a severe risk to the state. The motive behind the sabotage is unclear.