Even though 2022 is coming to an end, the number of attacks carried out by threat actors shows no sign of slowing down. Read this week’s Cyber Weekly Digest for a rundown of the biggest cyber security stories of the week, including how attackers are targeting the Football World Cup and the latest zero-day patched by Apple. Keep reading to stay up to date with the latest cyber security news.
A previously undocumented Python backdoor has been found on VMware ESXi servers in the wild, giving attackers remote command execution on a compromised host. VMware ESXi is a bare-metal hypervisor widely used in enterprises to run many virtual servers on one physical machine while using its CPU and memory more efficiently. The backdoor was discovered by Juniper Networks researchers on a compromised ESXi server; because of limited log retention they could not determine how the server was initially breached, but they believe it was likely through CVE-2019-5544 and CVE-2020-3992, two vulnerabilities in ESXi’s OpenSLP service. Although the malware could technically run on Linux and Unix systems as well, Juniper’s analysts found several indicators that it was built specifically for ESXi. Persistence is established by appending seven lines to “/etc/rc.local.d/local.sh”, one of the few ESXi files that survives a reboot and is executed at startup. One of those lines launches a malicious Python script that gives the attacker a reverse shell into the host. Administrators of ESXi servers are advised to inspect “local.sh” for unexpected lines, collect any Python script those lines write or launch, and make sure hosts are patched; disabling the SLP service on hosts that do not need it, as VMware has long recommended, also removes the suspected entry point.
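The check recommended above, written out as a small POSIX shell audit. This is an example added here, not code from Juniper’s report or from VMware: a stock local.sh contains only comment lines and a closing “exit 0”, so the script flags every other non-blank line and pulls out any .py path those lines reference. The sample files, including the placeholder Python path, are constructed for the demo and are not the real backdoor’s content.

```shell
#!/bin/sh
# Added example (not from the Juniper report or VMware): audit a copy of
# /etc/rc.local.d/local.sh for lines that do not belong in a stock file.
# A stock local.sh holds only comments and a final "exit 0"; the backdoor
# described above appends lines that write and launch a Python script, so
# any other non-comment line deserves a look. The sample files below are
# constructed for this demo; the nohup/python line is a placeholder, not
# the real backdoor's content.

# Print every non-comment, non-blank line except "exit 0".
# Exit status: 0 = nothing unexpected, 1 = unexpected lines printed,
# 2 = file unreadable.
audit_local_sh() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    unexpected=$(grep -v '^[[:space:]]*#' "$file" \
        | grep -v '^[[:space:]]*$' \
        | grep -vx '[[:space:]]*exit[[:space:]][[:space:]]*0[[:space:]]*')
    if [ -n "$unexpected" ]; then
        printf '%s\n' "$unexpected"
        return 1
    fi
    return 0
}

# List absolute paths ending in .py mentioned by the unexpected lines, so
# the scripts themselves can be collected and hashed before the host is
# rebuilt. Prints nothing for a clean file.
referenced_scripts() {
    audit_local_sh "$1" 2>/dev/null | grep -o '/[^[:space:]]*\.py' | sort -u
}

# Demo on two constructed samples: a clean file and a tampered one.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\n# local configuration options\n\n# Note: modify at your own risk!\n\nexit 0\n' \
    > "$demo_dir/clean.sh"
printf '#!/bin/sh\n# local configuration options\n\n# Note: modify at your own risk!\n\n/bin/nohup /bin/python /tmp/sample_backdoor.py >/dev/null 2>&1 &\nexit 0\n' \
    > "$demo_dir/tampered.sh"

for f in "$demo_dir/clean.sh" "$demo_dir/tampered.sh"; do
    if audit_local_sh "$f" >/dev/null; then
        echo "$f: OK"
    else
        echo "$f: UNEXPECTED lines:"
        audit_local_sh "$f" || true
        echo "$f: scripts referenced: $(referenced_scripts "$f")"
    fi
done
rm -rf "$demo_dir"
```

Run it against a copy of local.sh pulled from each host over SSH, or directly in the ESXi shell (BusyBox ash, which these grep options cover). Comparing the file against a known-good hash is a weaker check, because the comment header of the stock file differs between ESXi versions; looking at the non-comment content is what matters. Any script the audit points to should be preserved for analysis rather than simply deleted, since the host’s limited logging is unlikely to tell you how it got there.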
Apple on Tuesday rolled out security updates for iOS, iPadOS, macOS, tvOS and the Safari web browser to address a new zero-day vulnerability that could lead to execution of malicious code. Tracked as CVE-2022-42856, the flaw is described as a type confusion issue in the WebKit browser engine that can be triggered when processing specially crafted web content, leading to arbitrary code execution. Apple also stated that it is "aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.1". The update marks the tenth zero-day vulnerability fixed in Apple software since the start of the year, and the ninth actively exploited zero-day flaw of 2022.
The California Department of Finance has been the target of a cyberattack claimed by the infamous LockBit ransomware gang. An investigation has been opened by the California Cybersecurity Integration Center (Cal-CSIC), a group of state and federal agencies dedicated to protecting against cyber threats. The California Governor’s Office of Emergency Services confirmed that the Department of Finance has been affected by a cyber incident but provided few details. It is unclear how much damage the attackers did or how they breached the department, although the state of California says that state funds were unaffected. On Monday, the LockBit gang posted on its leak site that it had breached the Department of Finance and stolen databases, confidential data, financial documents and IT documents. To back up the claim, the group published a few screenshots of files it allegedly exfiltrated from the department’s systems.
The US Department of Justice has seized 48 Internet domains and charged six suspects for their involvement in running “booter” or “stresser” platforms, services that let anyone launch DDoS attacks with little effort. Booters are online platforms where threat actors pay to have websites and Internet-connected devices flooded with traffic, effectively “booting” the target off the Internet. “Stresser” services claim to be legitimate tools for testing the resilience of one’s own web services, but that is rarely how they are actually used. The 48 domains have been pointed at DNS servers owned and operated by law enforcement, and now display a seizure notice warning that these services are illegal. In a parallel effort, the UK’s National Crime Agency has placed adverts on Google that appear when someone searches for “booter” or “booter service”, warning that booting is illegal.
FuboTV has confirmed that a streaming outage which prevented subscribers from watching the World Cup Qatar 2022 semi-final between France and Morocco was caused by a cyberattack. According to FuboTV, as the match was about to start subscribers were unable to log in to watch the stream and were instead greeted with a CB_ERR_OPEN error stating "ff: downstream not available". In a statement, FuboTV said "The incident was not related to any bandwidth constraints on Fubo’s part. We were instead the target of a criminal cyber attack" and added that it has engaged incident responders.