Updated: Jul 28
Stay up to date with the biggest cyber security news from the week in our latest Cyber Weekly Digest. This week we take a look at the two ransomware gangs claiming to have breached Estee Lauder and the new ransomware operation impersonating Sophos. Keep up to date with the latest news from across the globe.
Two ransomware actors, ALPHV/BlackCat and Clop, have listed the beauty company Estée Lauder on their data leak sites as victims of separate attacks. On Tuesday, The Estée Lauder Companies confirmed one of the attacks saying that the threat actor gained access to some of its systems and may have stolen data. The Clop ransomware gang apparently gained access to the company after exploiting a vulnerability in the MOVEit Transfer platform for secure file transfers. On their data leak site, Clop posted the message "The company doesn't care about its customers, it ignored their security!!!" and a note that they have more than 131GB of the company's data. On Tuesday, BlackCat also added Estée Lauder to their list of victims, but the entry is accompanied by a message stating Estee Lauder is failing to respond to their negotiation attempts.
Citrix is alerting users of a critical security flaw in NetScaler Application Delivery Controller (ADC) and Gateway that it said is being actively exploited in the wild. Tracked as CVE-2023-3519 (CVSS score: 9.8), the issue relates to a case of code injection that could result in unauthenticated remote code execution. Successful exploitation requires configuring the device as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or authorization and accounting (AAA) virtual server. Customers of NetScaler ADC and NetScaler Gateway version 12.1 are recommended to upgrade their appliances to a supported version to mitigate potential threats.
Data associated with a subset of registered customers of VirusTotal, including their names and email addresses, were exposed after an employee inadvertently uploaded the information to the malware scanning platform. The incident included a database of 5,600 names in a 313KB file and was first discovered on Monday. Google confirmed the leak and took immediate steps to remove the data. The data includes accounts linked to official U.S. bodies such as the Cyber Command, Department of Justice, Federal Bureau of Investigation (FBI), and the National Security Agency (NSA).
Cybersecurity vendor Sophos is being impersonated by a new ransomware-as-a-service called SophosEncrypt, with the threat actors using the company name for their operation. When first discovered this week, researchers assumed that SophosEncryt was part of a Sophos red teaming project. The Sophos X-Ops team tweeted that they did not create the encryptor and are investigating its launch. The ID Ransomware shows one submission from infected victims, indicating the operation is active. As part of the impersonation, the ransomware displays the Sophos logo on the infected device's wallpaper.
Microsoft and the Ukraine CERT warn of new attacks by the Russian state-sponsored Turla hacking group, targeting the defence industry and Microsoft Exchange servers with a new 'DeliveryCheck' malware backdoor. The episodes start with phishing emails containing Excel XLSM attachments that contain malicious macros. These macros execute a PowerShell command when activated, creating a scheduled task impersonating a Firefox browser updater. This task downloads the DeliveryCheck backdoor and launches it in memory, where it connects to the threat actor's command and control server to receive commands to execute or deploy further malware payloads. After infecting devices, the threat actors utilize the backdoor to exfiltrate data from the compromised devices using the Rclone tool. What makes DeliveryCheck stand out is a Microsoft Exchange server-side component that turns the server into a command and control server for the threat actors.