top of page
  • Kathleen Maxted

Cyber Weekly Digest - 2023 Week #6

Take a look at our Cyber Weekly Digest for a rundown of the biggest cyber security news. This week we dive into the latest wave of ransomware attacks targeting VMware ESXi servers across the world as well as a data breach impacting the largest Asian and Hispanic grocery store in North America. Keep reading to stay up to date on the latest cyber security news.

Threat actors are now rolling out Google ads malware campaigns to spread malware installers that leverage KoiVM virtualization technology to evade detection when installing the Formbook data stealer. KoiVM is a plugin for the ConfuserEx .NET protector that obfuscates a program's opcodes so that the virtual machine only understands them. Then, when launched, the virtual machine translates the opcodes back to their original form to execute the application. SentinelLabs researchers reported that "Virtualization frameworks such as KoiVM obfuscate executables by replacing the original code, such as NET Common Intermediate Language (CIL) instructions, with virtualized code that only the virtualization framework understands." The virtual machine engine can translate the obfuscated code into the original code at runtime. Google ads are being used to push fake software downloads of trusted authors, commonly open-source/free software. The downloads from the sites often try to replicate digital signatures by impersonating Microsoft, Acer, DigiCert, Sectigo, and AVG Technologies USA. The malware that is dropped is a newly abused infostealer called Formbook; connecting to C2 servers to relay the stolen user information back to the adversaries.

A two-year-old remote code execution vulnerability is being actively exploited by threat actors, targeting Admins and Hosting Providers. Response teams warn that attackers are targeting unpatched VMware ESXi Servers. Tracked as CVE-2021-21974, the security flaw is caused by a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated threat actors in low-complexity attacks. "As current investigations, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021," CERT-FR said. "The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7." To block malicious attacks, admins need to disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that haven't yet been updated. CERT-FR strongly recommends applying the patch as soon as possible but adds that systems left unpatched should also be scanned for signs of compromise. Threat actors are using the vulnerabilities to deploy ransomware attacks called ESXiArgs, demanding around 2 BTC (~£38,000) for a ransom.

Cyber security researchers disclosed late last month that E-commerce industries in South Korea and the US are at the receiving end of an ongoing GuLoader malware campaign. The malspam activity is notable for transitioning from malware-laced Microsoft Word documents to NSIS executable files for loading malware. Other countries targeted as a part of the campaign include Germany, Saudi Arabia, Taiwan, and Japan. NSIS, short for Nullsoft Scriptable Install System, is a script-driven open-source tool used to develop installers for the Windows operating system. While attack chains in 2021 leveraged a ZIP archive containing a macro-laced Word document to drop an executable file tasked with loading GuLoader. The new phishing wave employs NSIS files embedded within ZIP or ISO images to activate the infection.

A data breach exposing the personal information of 1.1 million customers on Weee! has been confirmed. Weee! claims to be the largest Asian and Hispanic grocery store in North America, delivering food across 48 states in the USA via warehouses spread throughout the country. On Monday, a threat actor named "IntelBroker" began leaking the data for Weee! on the Breached hacking and data breach forum. The compromised data includes devices, first and last names, email, phone numbers, and order notes. Weee! has stated that no customer payment data has been exposed. They have also said they do not store that information in their database. The threat actor has claimed that 11 million customers' information has been exposed. However, only 1.1 million of them are unique emails. The additional records are likely caused by the same customer placing multiple orders. Weee! said they would notify all affected customers individually if their information has been exposed. You can check if you are included in this data breach by going to "Have I Been Pwned" and searching for your email address.

Reddit has disclosed this week that it was the victim of a security incident in which threat actors gained unauthorised access to internal documents, code, and some unspecified business systems. The threat actors were able to compromise a single employee's credentials by sending out "plausible-sounding prompts" that redirected to a fake website masquerading as Reddit's intranet portal to steal credentials and two-factor authentication tokens. Reddit claims there is no evidence that their production systems or users' information were breached. There is also no indication that the accessed information has been published or distributed online.



bottom of page