Take a look at this week's Cyber Weekly Digest, where we dive into the latest cyber security news, including a new attack by the Lazarus hacking group and why the Barracuda ESG patch has proved ineffective, leaving many devices still at risk. Keep reading to stay up to date on stories from across the world.
This week, the FBI warned that patches for a critical Barracuda Email Security Gateway (ESG) remote command injection flaw are "ineffective," and that patched appliances are still being compromised in ongoing attacks. Tracked as CVE-2023-2868, the vulnerability was first exploited in October 2022 to backdoor ESG appliances and steal data from the compromised systems. Barracuda patched all appliances remotely and blocked the attackers' access to the breached devices in May, a day after the bug was identified. Nevertheless, in June it warned all customers that they must replace all impacted appliances immediately, likely because it could not ensure the complete removal of malware deployed in the attacks. The FBI has now reinforced Barracuda's warning that customers should urgently isolate and replace hacked appliances.
The North Korea-linked threat actor known as Lazarus Group has been found exploiting a now-patched critical security flaw impacting Zoho ManageEngine ServiceDesk Plus to distribute a remote access trojan called QuiteRAT. Researchers note that "QuiteRAT has many of the same capabilities as Lazarus Group's better-known MagicRAT malware, but its file size is significantly smaller." The activity was first detected in early 2023. It involved the exploitation of CVE-2022-47966, just five days after a PoC for the flaw emerged online, to directly deploy the QuiteRAT binary from a malicious URL.
Data from 2.6 million users of Duolingo has been leaked on a hacking forum. The compromised data includes real names, login names, email addresses and internal service-related details. Duolingo confirmed that the data was sourced from publicly available profiles; the leaked email addresses are particularly alarming as they are not public information and can facilitate targeted phishing attempts. The scraped dataset was brought to light by VX-Underground on Monday, and it was made available on a new version of the Breached hacking forum. The cost of accessing this dataset was set at eight site credits, which is just $2.13. The breach reportedly originated from an exposed API, discovered in March 2023, that enables the retrieval of user profile information.
Security researchers have released NoFilter, a tool that abuses the Windows Filtering Platform to elevate a user's privileges to SYSTEM, the highest permission level on Windows. The utility is helpful in post-exploitation scenarios where an attacker must execute malicious code with more elevated permissions or move laterally on a victim network as another user already logged into the infected device. Microsoft defines the Windows Filtering Platform (WFP) as "a set of API and system services that provide a platform for creating network filtering applications." Developers can use the WFP API to create code that filters or modifies network data before it reaches its destination, capabilities seen in network monitoring tools, intrusion detection systems, and firewalls. The researchers developed three new attacks that elevate privileges on a Windows machine without leaving much evidence and without being detected by numerous security products.
A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called "OfficeNote." The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg. XLoader was first detected in 2020 and is considered a successor to Formbook. It is an information stealer and keylogger offered under the malware-as-a-service (MaaS) model. Researchers detected multiple submissions on VirusTotal throughout July, indicating a new widespread campaign. XLoader is designed to harvest clipboard data and information stored in the directories associated with web browsers such as Google Chrome and Mozilla Firefox.