Updated: Mar 24
Take a look at this week’s Cyber Weekly Digest for a rundown of the biggest cyber security news, including a threat actor who claims to have stolen 160GB of data from Acer as well as the data breach affecting the US House of Representatives members. Keep reading to stay up to date on the latest cyber security stories.
Acer has confirmed an incident of unauthorised access to one of its document servers for repair technicians. A threat actor named “Kernelware” claimed responsibility for the attack on a dark web forum earlier this week. The actor claims to have carried out the attack in mid-February and to have stolen 160GB of data from the company, comprising 655 directories and 2869 files. Acer has not confirmed whether the leaked data is genuine, but believes no customer data was stolen in the attack. Kernelware has offered to sell the allegedly stolen data for XMR (Monero) and provided a sample showing slides and presentations, technical manuals, backend infrastructure data and product model documentation.
Law enforcement in Germany and Ukraine are now targeting two individuals believed to be core members of the DoppelPaymer ransomware group. The operation consisted of raids on multiple locations in the two countries during February and resulted from a coordinated effort involving Europol, the FBI, and the Dutch Police. Europol notes that “despite the current extremely difficult security situation that Ukraine” is facing due to the Russian invasion, police officers in the country “interrogated a Ukrainian national who is also believed to be a member of the core DoppelPaymer group.” German police officers raided one location, the house of a German national believed to have had a “major role in the DoppelPaymer ransomware group.” In Ukraine, the police searched two locations – in Kiev and Kharkiv. Both the investigation and the legal procedures are ongoing. DoppelPaymer has extorted over $42.2 million in cryptocurrency. The German authorities have also confirmed 37 cases in which the ransomware gang targeted companies.
A phishing campaign is targeting organisations in Eastern European countries with the RemcosRAT malware, aided by an old Windows User Account Control (UAC) bypass discovered over two years ago. What stands out in the attack is the use of mock trusted directories to bypass UAC, a technique known since 2020 that remains effective today. The latest Remcos campaign was observed and analysed by SentinelOne researchers, who documented their findings in a report this week. The phishing emails contain a tar.lz archive; the format is less likely to be opened by a victim, but its uncommon file extension can also help evade detection by AV products. The archive contains an .exe which is a DBatLoader. Upon launching the malware loader, a second-stage payload is fetched from a public cloud service such as Microsoft OneDrive or Google Drive. The script used by DBatLoader then creates a mock trusted directory, a "C:\Windows \System32" folder (note the space after "Windows", which Windows path handling strips so that the folder appears to be the real System32), and copies a legitimate executable ("easinvoker.exe") and a malicious DLL ("netutils.dll") into it. "easinvoker.exe is susceptible to DLL hijacking enabling the execution of the malicious netutils.dll in its context," explains SentinelOne.
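One way to hunt for the mock trusted directories described above in a directory inventory (for example an EDR export), as an added example that is not code from the original post or from SentinelOne; the list of trusted roots and the sample paths are assumptions constructed for the example:

```python
"""Detects the "mock trusted directory" trick described above: a folder such as
"C:\\Windows \\System32" (trailing space after "Windows") that Win32 path
normalisation collapses onto the real, UAC-trusted path.  Added example, not
SentinelOne or DBatLoader code; the sample paths below are constructed."""
from typing import List, Optional, Tuple

# Assumption: the roots UAC auto-elevation trusts; extend for your estate.
TRUSTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64",
                r"C:\Program Files", r"C:\Program Files (x86)")

def _components(path: str) -> List[str]:
    r"""Split a Windows path into raw components; drop a \\?\ prefix, which is
    how such folders get created because it bypasses normalisation."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return path.replace("/", "\\").split("\\")

def mock_trusted_dir_reason(path: str) -> Optional[str]:
    """Return why `path` looks like a mock trusted directory, or None.
    A mock has a component with leading/trailing spaces or dots (which Win32
    silently strips) whose cleaned form lands under a trusted root."""
    parts = _components(path)
    cleaned = [p if i == 0 else p.strip(" .") for i, p in enumerate(parts)]
    if cleaned == parts:
        return None  # nothing to strip: an honest path, trusted or not
    normalised = "\\".join(cleaned)
    for trusted in TRUSTED_DIRS:
        if normalised.lower().startswith(trusted.lower()):
            return f"{path!r} normalises to trusted path {normalised!r}"
    return None

def find_mock_dirs(paths) -> List[Tuple[str, str]]:
    """Run the check over an inventory of directory paths (e.g. an EDR export)."""
    hits = []
    for p in paths:
        reason = mock_trusted_dir_reason(p)
        if reason:
            hits.append((p, reason))
    return hits

# Constructed sample inventory: one real path, three mocks, one harmless lookalike.
SAMPLE_PATHS = [
    r"C:\Windows\System32",
    r"C:\Windows \System32",           # the DBatLoader pattern from the report
    r"C:\Windows.\System32",           # trailing-dot variant
    r"\\?\C:\Program Files \Common",   # created through the \\?\ prefix
    r"C:\Users\alice\Windows \Tools",  # whitespace, but not under a trusted root
]
```

Feed `find_mock_dirs` the directory listing from your own tooling; any hit is worth an immediate look at what executables and DLLs sit inside the flagged folder.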
Fortinet has disclosed a “Critical” vulnerability impacting FortiOS and FortiProxy, which allows an unauthenticated attacker to execute arbitrary code or perform denial of service (DoS) on the GUI of vulnerable devices using specially crafted requests. This buffer underflow vulnerability is tracked as CVE-2023-25610 and has a CVSS v3 score of 9.3, rating it critical. This type of flaw occurs when a program tries to read more data from a memory buffer than is available, resulting in accessing adjacent memory locations, leading to risky behaviour or crashes. Fortinet says that fifty device models, listed in the security bulletin, are not impacted by the arbitrary code execution component of the flaw but only the denial-of-service part, even if they run a vulnerable FortiOS version. A working proof-of-concept exploit to leverage the flaw was made public only four days later, and active exploitation in the wild began in February.
The FBI is investigating a data breach affecting US House of Representatives members and staff, whose account and sensitive personal information was stolen from DC Health Link’s servers. DC Health Link is the organisation that administers the health care plans of US House members, their staff, and their families. Impacted individuals were notified today of the breach in an email from the US House Chief Administrative Officer, stating that "DC Health Link suffered a significant data breach yesterday potentially exposing the Personal Identifiable Information (PII) of thousands of enrollees. As a Member or employee eligible for health insurance through the D.C. Health Link, your data may have been compromised." Over 170,000 individuals are affected by the data breach; the exposed data includes names, dates of birth, addresses, email addresses, phone numbers, SSNs, and much more. The data was put up for sale on the hacking site “BreachForums” for an undisclosed amount in XMR cryptocurrency.