Updated: Jun 2
Take a look at this week's Cyber Weekly Digest for a rundown of our top cyber security news picks of the week. This week we dive into the latest BlackBasta ransomware victim and how a viral AI-generated image briefly rattled the stock market. Keep reading to stay up to date on the latest cyber security stories.
A new PowerShell-based malware named PowerExchange is being used in attacks linked to the Iranian state-sponsored group APT34 to backdoor on-premises Microsoft Exchange servers. After gaining a foothold via a phishing email carrying an archived malicious executable, the threat actors deploy a web shell named ExchangeLeech on the mail server that can steal user credentials. The malware communicates with its command-and-control (C2) server over email using the Exchange Web Services (EWS) API: stolen information is sent out, and base64-encoded commands are received, as text attachments to messages with the subject "Update Microsoft Edge". Researchers also discovered the PowerExchange backdoor on compromised systems belonging to a United Arab Emirates government organisation. APT34 routinely uses phishing emails as an initial infection vector and has previously breached other UAE entities.
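The C2 channel described above leaves two indicators in mail data: the fixed subject line and text attachments whose body is base64 that decodes to a command. The following is an added hunting example written for this digest; it is not code from the original post or from the researchers who analysed PowerExchange. The per-message dict layout and the three sample messages are constructed for the example, so adapt the loader to whatever your EWS or message-tracking export actually produces. It goes slightly beyond the write-up by matching the subject case-insensitively and by flagging any text attachment that decodes to printable text, even when the subject differs.

```python
"""Hunt for PowerExchange-style C2 traffic in exported Exchange message data."""
import base64
import binascii
import re
from typing import Dict, Iterable, List, Optional

# Indicator from the public reporting: C2 mails carry this subject line.
C2_SUBJECT = "Update Microsoft Edge"

# A decoded command should be printable ASCII (tab, CR, LF, 0x20-0x7e).
_PRINTABLE = re.compile(rb"^[\x09\x0a\x0d\x20-\x7e]+$")


def decode_b64_command(payload: str) -> Optional[str]:
    """Return decoded text if `payload` is strict base64 for printable text.

    Whitespace is stripped first because attachment bodies are often
    line-wrapped. Anything that is not valid base64, or decodes to binary,
    yields None so ordinary text attachments are not flagged.
    """
    compact = "".join(payload.split())
    if not compact or len(compact) % 4:
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or not _PRINTABLE.match(raw):
        return None
    return raw.decode("ascii")


def hunt_powerexchange(messages: Iterable[Dict]) -> List[Dict]:
    """Return one finding per message that shows either indicator."""
    findings = []
    for msg in messages:
        subject_hit = msg.get("subject", "").strip().lower() == C2_SUBJECT.lower()
        decoded = []
        for att in msg.get("attachments", []):
            # The reported TTP uses text attachments; widen this filter if
            # you want to pay the false-positive cost on other types.
            if not att.get("content_type", "").startswith("text/"):
                continue
            cmd = decode_b64_command(att.get("body", ""))
            if cmd is not None:
                decoded.append({"name": att.get("name"), "command": cmd})
        if subject_hit or decoded:
            findings.append({
                "id": msg.get("id"),
                "sender": msg.get("from"),
                "subject_match": subject_hit,
                "decoded_commands": decoded,
                # Both indicators together is the strongest signal.
                "severity": "high" if subject_hit and decoded else "medium",
            })
    return findings


# Constructed sample records (not real traffic). "d2hvYW1p" is base64("whoami").
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "finance@example.test", "subject": "Q3 invoice",
     "attachments": [{"name": "note.txt", "content_type": "text/plain",
                      "body": "Hello, see attached"}]},
    {"id": "m2", "from": "ops@example.test", "subject": "Update Microsoft Edge",
     "attachments": [{"name": "update.txt", "content_type": "text/plain",
                      "body": "d2hv\r\nYW1p\r\n"}]},
    {"id": "m3", "from": "ops@example.test", "subject": "update microsoft edge",
     "attachments": []},
]

if __name__ == "__main__":
    for finding in hunt_powerexchange(SAMPLE_MESSAGES):
        print(finding)
```

Run it against a real export by replacing SAMPLE_MESSAGES with your own records; a high-severity hit is worth pulling the full message and the sending mailbox's EWS activity immediately.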
Email protection and network security services provider Barracuda is warning users about a zero-day vulnerability that has been exploited to breach the company's Email Security Gateway (ESG) appliances. The zero-day is tracked as CVE-2023-2868 and is described as a remote command injection vulnerability affecting versions 5.1.3.001 through 9.2.0.006. The issue is rooted in the module that screens incoming emails for malicious attachments: according to Barracuda's advisory, the names of files inside a user-supplied .tar archive were not fully validated, so a crafted file name could reach a system command. The NIST advisory likewise describes the flaw as a failure to comprehensively sanitise the processing of .tar files (tape archives). Barracuda has urged customers to review their email environments for signs of compromise.
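The general defence for this class of bug is to treat every member name in an untrusted archive as hostile input: reject traversal, absolute paths and shell metacharacters with an allow-list, and never splice a name into a command string. The example below is added here for illustration and is not Barracuda's code or its fix; it assumes, as Barracuda's advisory stated, that the unsanitised field is the tar member name. The archive is built in memory from constructed names, and `scan_attachment` is a hypothetical downstream tool.

```python
"""Validate member names of an untrusted .tar before any other processing."""
import io
import re
import shlex
import tarfile
from typing import List, Tuple

# Allow-list: letters, digits, dot, dash, underscore and forward slash.
# Everything a shell could interpret ($ ` ; | & ( ) < > quotes, spaces) is out.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._/-]+$")


def check_member_name(name: str) -> Tuple[bool, str]:
    """Return (ok, reason) for a single archive member name."""
    if not name:
        return False, "empty name"
    if name.startswith("/"):
        return False, "absolute path"
    if ".." in name.split("/"):
        return False, "path traversal"
    if not _SAFE_NAME.match(name):
        return False, "disallowed characters"
    return True, "ok"


def audit_archive(data: bytes) -> List[Tuple[str, bool, str]]:
    """Walk the archive headers only (no extraction) and judge each member."""
    results = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            ok, why = check_member_name(member.name)
            # Links and devices have no business in an email attachment.
            if ok and not (member.isfile() or member.isdir()):
                ok, why = False, "unsupported entry type"
            results.append((member.name, ok, why))
    return results


def unsafe_scan_command(name: str) -> str:
    """The pattern to avoid: the raw name becomes part of a shell command
    string, so a name like 'x;id;.pdf' or '$(id).pdf' runs attacker code."""
    return f"scan_attachment {name}"


def safe_scan_argv(name: str) -> List[str]:
    """Allow-list first, then pass the name as one argv element (no shell)."""
    ok, why = check_member_name(name)
    if not ok:
        raise ValueError(f"rejected member {name!r}: {why}")
    return ["scan_attachment", name]


def quoted_shell_string(name: str) -> str:
    """Defence in depth if a shell is truly unavoidable: shlex.quote makes the
    name a single literal word. Still apply the allow-list before this."""
    return f"scan_attachment {shlex.quote(name)}"


def build_sample_archive() -> bytes:
    """Constructed sample: one benign member and four hostile names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("report.pdf", "../../etc/cron.d/job", "/etc/passwd",
                     "x;id;.pdf", "$(id).pdf"):
            info = tarfile.TarInfo(name)
            info.size = 4
            tar.addfile(info, io.BytesIO(b"data"))
    return buf.getvalue()


if __name__ == "__main__":
    for name, ok, why in audit_archive(build_sample_archive()):
        print(f"{'ACCEPT' if ok else 'REJECT':6} {name!r}: {why}")
```

Note that the allow-list is the control; quoting is only a fallback. An allow-list of safe characters is easier to get right than a deny-list of shell metacharacters, which is exactly the kind of incomplete sanitisation that leaves a gap.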
German automotive and arms manufacturer Rheinmetall AG has confirmed that it suffered a BlackBasta ransomware attack that impacted its civilian business. On the 20th of May, BlackBasta listed Rheinmetall on its extortion site along with samples of the data the attackers claimed to have stolen from the company. The samples include non-disclosure agreements, technical schematics, passport scans, and purchase orders. BlackBasta attacks have increased in 2023, with recent victims including Capita and the Yellow Pages Group.
Highly realistic AI-generated images depicting an explosion near the Pentagon went viral on Twitter earlier this week and caused a brief dip in US stock markets. Tweets with images supposedly showing an explosion near the Pentagon building in Arlington, Virginia, were retweeted by many verified Twitter accounts, including one belonging to Russian state media with millions of followers and a verified account impersonating the Bloomberg news agency. The account that shared the initial image removed the tweet hours after the picture was flagged as fake across the platform by US government agencies and OSINT experts. The fake Bloomberg account highlights the problem with Twitter's new pay-to-verify system, in which anyone can buy a "blue tick".
A new botnet called Dark Frost has been found launching a series of distributed denial-of-service (DDoS) attacks against the gaming industry. Dark Frost appears to have been stitched together from source code stolen from other botnet malware strains, including Mirai, Gafgyt, and QBot, and has grown to encompass hundreds of compromised devices. Targets include gaming companies, game server hosting providers, online streamers, and even other members of the gaming community. The adversary has set up a Discord channel to launch attacks in exchange for money, indicating a financial motive and plans to flesh the botnet out as a DDoS-for-hire service.