Updated: Oct 28, 2022
In this week’s Cyber Weekly Digest find out about the latest critical vulnerabilities being exploited by attackers including a new flaw reported to be similar to Log4Shell. Keep reading to stay up to date on the biggest cyber security news from this week.
American business magazine Fast Company reached out to its Executive Board members this week to let them know their personal information was not stolen in the September 27 cyberattack that forced it to shut down its website. It also confirmed that the attacker was able to steal contributor credentials and put them up for sale online after compromising its content management system. “The hacker downloaded Fast Company contributor usernames and passwords and made the obtained information available for purchase on the website called Breached Forums,” Fast Company said in a statement. Executive Board member information was not compromised in the cyberattack, Fast Company said. The alert follows a two-week shutdown of Fast Company’s website after the hacker also pushed racist notifications to readers’ mobile devices via Apple News.
Almost 900 servers have been compromised through a critical Zimbra Collaboration Suite (ZCS) vulnerability that was exploited as a zero-day and left without a patch for nearly a month and a half. The flaw, tracked as CVE-2022-41352 and rated CVSS 9.8 (critical), lets an adversary send an email with a malicious archive attachment; when the server unpacks the archive, the attacker’s file is written onto the ZCS server as a web shell, and the attachment passes the anti-virus checks on the way in. According to security researchers, 876 servers had already been compromised by advanced persistent threat (APT) groups before the vulnerability received a CVE identifier. Once it was public, attackers moved to mass exploitation, trying to compromise as many servers worldwide as possible before administrators patched their systems and shut the door on intruders.
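The mechanism behind CVE-2022-41352 is worth spelling out because the defensive check is generic: Zimbra’s Amavis content filter unpacked attachments with cpio, which honours the path components stored in the archive, so a member named with `../` segments or an absolute path was written outside the scan directory (Zimbra’s interim workaround was to install pax so Amavis would use it instead of cpio). The guard below is an added example, not Zimbra’s or Amavis’s code: it walks an archive without extracting anything and rejects any entry whose normalised path would leave the destination directory. It uses the JDK’s zip classes because they need no dependencies; for tar or cpio the same rule applies, plus a check that symlink and hardlink targets also resolve inside the root. The scan directory, the dropped file name and the sample archive are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class AttachmentArchiveGuard {

    /** True if extracting an entry with this name under root could land outside root. */
    static boolean escapesRoot(Path root, String entryName) {
        Path normRoot = root.toAbsolutePath().normalize();
        // resolve() discards root when the entry name is absolute, and normalize()
        // collapses "../" segments; both are exactly the tricks this check must catch.
        Path target = normRoot.resolve(entryName).normalize();
        return !target.startsWith(normRoot);
    }

    /** Walk the archive without extracting; return the names of entries that escape root. */
    static List<String> findUnsafeEntries(byte[] archive, Path root) throws IOException {
        List<String> bad = new ArrayList<>();
        try (ZipInputStream in = new ZipInputStream(new ByteArrayInputStream(archive))) {
            for (ZipEntry e = in.getNextEntry(); e != null; e = in.getNextEntry()) {
                if (escapesRoot(root, e.getName())) {
                    bad.add(e.getName());
                }
            }
        }
        return bad;
    }

    /** Constructed sample: one benign document and one entry that climbs out of the scan directory. */
    static byte[] buildSample() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream out = new ZipOutputStream(bos)) {
            out.putNextEntry(new ZipEntry("invoice.txt"));
            out.write("benign attachment".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
            // Hypothetical web root path; the content is a placeholder, not a real web shell.
            out.putNextEntry(new ZipEntry("../../srv/webapp/public/dropped.jsp"));
            out.write("placeholder".getBytes(StandardCharsets.UTF_8));
            out.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path scanDir = Path.of("/var/tmp/av-scan"); // hypothetical scratch directory for scanning
        List<String> bad = findUnsafeEntries(buildSample(), scanDir);
        if (bad.isEmpty()) {
            System.out.println("archive is contained within " + scanDir);
        } else {
            System.out.println("reject attachment, entries escape " + scanDir + ": " + bad);
        }
    }
}
```

The decision is made before any byte is written to disk; an extractor that first extracts and then tidies up has already lost, since the dropped file may already sit in a directory the web server serves.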
A remote code execution vulnerability in Apache Commons Text, tracked as CVE-2022-42889, has recently been disclosed. Security researchers have dubbed it Text4Shell and compared it to Log4Shell, which has been widely abused in the wild by threat actors; some argued that CVE-2022-42889 could be even more dangerous because Commons Text is used so broadly. The Apache Software Foundation announced the flaw in a message to the project’s mailing list on October 13th, which counts as its official disclosure date. The bug is a string-interpolation (template-injection style) issue whose payloads look similar to Log4Shell: the library’s default interpolator resolved `${prefix:...}` lookups including script, DNS and URL lookups, so with the right crafted input an attacker can execute arbitrary code through Java class methods. Exploitation requires that the application pass untrusted input to the interpolating substitutor in Commons Text 1.5 through 1.9; version 1.10.0 disables those lookups by default. Firewall signatures aren’t currently reliable, because the template syntax allows many obfuscations and attackers can reach the same result through different chains of Java objects.
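To make the Log4Shell comparison concrete, the following is an added example (not code from the digest or from the Apache Commons Text project) showing the vulnerable pattern next to two hardened forms. It assumes `org.apache.commons:commons-text` on the classpath; the vulnerable method behaves as described on versions 1.5 through 1.9, while on 1.10.0 `createInterpolator()` no longer enables the script, DNS and URL lookups. The input string is constructed and deliberately benign: it asks the script lookup to evaluate arithmetic rather than spawn a process, which is enough to show that attacker-controlled text was handed to a script engine.

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class Text4ShellDemo {

    /** Vulnerable on commons-text 1.5-1.9: the default interpolator wires up the script, dns
     *  and url lookups, so text reaching replace() is evaluated, not merely expanded. */
    static String renderVulnerable(String template) {
        return StringSubstitutor.createInterpolator().replace(template);
    }

    /** Hardened form 1: expand variables from a fixed map only. There are no lookup
     *  prefixes at all, so "${script:...}" is just an unknown variable and is left as-is. */
    static String renderFromMap(String template, Map<String, String> vars) {
        return new StringSubstitutor(vars).replace(template);
    }

    /** Hardened form 2: keep an interpolator but enumerate the permitted lookups and do not
     *  add the defaults (third argument false). Here only "sys" (system properties) is allowed. */
    static String renderAllowlisted(String template) {
        Map<String, StringLookup> allowed = Map.of(
            "sys", StringLookupFactory.INSTANCE.systemPropertyStringLookup());
        StringLookup lookup = StringLookupFactory.INSTANCE
            .interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(lookup).replace(template);
    }

    public static void main(String[] args) {
        // Constructed input. On a JDK that ships a JavaScript engine (Nashorn, JDK 8-14) the
        // vulnerable path evaluates it and prints "7"; on newer JDKs the script lookup throws
        // because no engine is found. Either way, untrusted text reached the engine.
        String hostile = "${script:javascript:3 + 4}";

        try {
            System.out.println("vulnerable : " + renderVulnerable(hostile));
        } catch (RuntimeException e) {
            System.out.println("vulnerable : lookup attempted, no engine available: " + e.getMessage());
        }
        // Both hardened forms leave the hostile string untouched.
        System.out.println("map-backed : " + renderFromMap(hostile, Map.of("name", "reader")));
        System.out.println("allowlisted: " + renderAllowlisted(hostile));
        // The allowlisted interpolator still serves the one lookup we chose to permit.
        System.out.println("allowlisted: " + renderAllowlisted("${sys:java.version}"));
    }
}
```

The upgrade to 1.10.0 is the fix; the map-backed and allowlisted forms are what to use when untrusted input must pass through a substitutor at all, since they make the set of reachable lookups an explicit decision rather than a library default.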
Security researchers have uncovered cyberattacks attributed to the China-linked espionage actor APT41 that breached government agencies in Hong Kong and, in some cases, remained undetected for a year. In these intrusions the group used Spyder Loader, a custom malware family previously attributed to it. In May 2022, analysts had documented “Operation CuckooBees”, a campaign under way since 2019 that targeted high-tech and manufacturing firms in North America, East Asia and Western Europe; in Operation CuckooBees, APT41 used a new version of the Spyder Loader backdoor. According to the report, the group continues to develop the malware, deploying several variants on its targets that all share the same core functions. APT41 has also used the Mimikatz credential-dumping tool in some of its most recent campaigns to burrow deeper into victim networks. Researchers expect APT41 to keep evolving its malware toolkit, introducing new payloads and adding further layers of obfuscation where possible.
On October 20th, the Brazilian Federal Police arrested a suspect in Feira de Santana, Bahia, believed to be a member of the Lapsus$ extortion gang. The arrest followed an investigation opened in December 2021 after last year’s breach of the Brazilian Ministry of Health, during which the attackers deleted files and defaced the Ministry’s website with a message in which Lapsus$ claimed the attack and said it had stolen data from the Ministry’s network. The investigation is part of Operation Dark Cloud, which aims to gather information on the criminal organisation behind multiple cyberattacks on Brazilian government agencies. Most Lapsus$ members are believed to be teenagers motivated less by money than by making a name for themselves in the hacking community. Another Lapsus$ member, aged 17, was previously arrested on suspicion of being behind the Uber hack.