Welcome to Security Sunday – Week 46, our weekly summary from the world of cybersecurity (13 November – 19 November 2023).
We’re collecting notable incident and vulnerability reports from the past week.
BiBi wiper targets Windows
This wiper, referred to as BiBi-Windows Wiper, is an alternative to the BiBi-Linux Wiper that was used by a pro-Hamas hacktivist group last month in the context of the war between Israel and Hamas.
The Windows variant confirms that the attackers who created the wiper continue to build malware and threaten to spread the attack to end-user computers and application servers.
The Slovak company ESET has been tracking the actor behind the wiper under the name BiBiGun and notes that the Windows variant (bibi.exe) is designed to recursively overwrite data in the C:\Users directory with junk data and append “.BiBi” to the filename.
In addition to corrupting all files except those with .exe, .dll and .sys extensions, the wiper removes shadow copies from the system, effectively preventing victims from restoring their files.
Another interesting feature is its multi-threading capability. To destroy data as fast as possible, the malware runs 12 threads on eight processor cores.
BiBi-Windows Wiper was reportedly compiled on 21 October 2023, two weeks after the war began. The exact method of distribution is currently unknown.
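The renaming behaviour described above (a ".BiBi" suffix appended to every overwritten file, with .exe/.dll/.sys left alone) is something a responder can sweep for. The following is an added defender-side example, not code from the page or from ESET: it walks a directory tree, reports every file ending in ".BiBi" grouped by the original extension that precedes the suffix, and uses a Shannon-entropy heuristic to flag files whose contents look like random junk. It assumes the original file name is kept in front of the suffix and that junk-overwritten content has near-maximal entropy; the 7.0 bits/byte threshold and the sample directory it builds are constructed for the demonstration.

```python
"""Defender-side sweep for the ".BiBi" renaming pattern (hypothetical example).

Assumptions (not from the original report): the original file name precedes
the suffix, and overwritten content is high-entropy junk.
"""
import math
import os
import tempfile
from collections import Counter

SUFFIX = ".bibi"                    # matched case-insensitively
SPARED = {".exe", ".dll", ".sys"}   # extensions the report says are skipped
ENTROPY_THRESHOLD = 7.0             # bits/byte; random junk sits near 8.0 (assumed)
SAMPLE_BYTES = 4096                 # how much of each file to inspect


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_for_bibi(root: str) -> dict:
    """Walk `root` and summarise files matching the .BiBi renaming pattern.

    Returns a dict with:
      hits         - paths of files whose name ends in .BiBi
      by_ext       - Counter of the original extension preceding the suffix
      high_entropy - hits whose first SAMPLE_BYTES look like random junk
      spared_hit   - hits whose original extension is .exe/.dll/.sys, which
                     contradicts the reported behaviour and deserves a look
    """
    hits, high_entropy, spared_hit = [], [], []
    by_ext = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SUFFIX):
                continue
            path = os.path.join(dirpath, name)
            hits.append(path)
            original = name[: -len(SUFFIX)]
            ext = os.path.splitext(original)[1].lower()
            by_ext[ext or "<none>"] += 1
            if ext in SPARED:
                spared_hit.append(path)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                continue  # unreadable file: still counted as a hit
            if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                high_entropy.append(path)
    return {"hits": hits, "by_ext": by_ext,
            "high_entropy": high_entropy, "spared_hit": spared_hit}


def build_sample_tree() -> str:
    """Create a constructed directory resembling a profile hit by the wiper."""
    root = tempfile.mkdtemp(prefix="bibi_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "report.docx.BiBi"), "wb") as fh:
        fh.write(os.urandom(SAMPLE_BYTES))   # constructed junk-overwritten file
    with open(os.path.join(docs, "notes.txt.BiBi"), "wb") as fh:
        fh.write(os.urandom(SAMPLE_BYTES))   # constructed junk-overwritten file
    with open(os.path.join(docs, "readme.txt"), "w") as fh:
        fh.write("untouched text file\n")    # not renamed, not overwritten
    with open(os.path.join(root, "tool.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 64)       # spared by extension
    return root


if __name__ == "__main__":
    result = scan_for_bibi(build_sample_tree())
    print(f"{len(result['hits'])} renamed files, "
          f"{len(result['high_entropy'])} with junk-like content, "
          f"by original extension: {dict(result['by_ext'])}")
```

On a real system the sweep would be pointed at the user profile root rather than a temporary tree; the entropy heuristic only helps distinguish overwritten files from files that were merely renamed, since a compressed or encrypted document is also high-entropy.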
Denmark’s infrastructure faces largest cyber attack in history
Denmark’s critical infrastructure faced the largest online attack in the country’s history in May, according to SectorCERT, Denmark’s specialist organisation for critical-sector cyber security.
In its report detailing the waves of attacks, it revealed that 22 companies were attacked in just a few days. Some of them were forced into island mode of operation, where they had to disconnect from the internet and cut all other non-essential network connections.
In almost all cases, a vulnerability in Zyxel firewalls was exploited, and in some cases it appeared that the attackers were using a zero-day exploit.
Given that Zyxel devices were not visible on public scanning services such as Shodan, SectorCERT believes that the target was specifically Danish critical infrastructure.
The first wave of attacks began on 11 May and targeted 16 energy organisations; the attackers tried to exploit the CVE-2023-28771 vulnerability and succeeded against 11 of them. SectorCERT believes that this was the initial reconnaissance phase of the attack and that the compromised firewalls likely only sent the attackers their configurations and login credentials.
Ten days later, a second wave of attacks began – this time, one organisation that had already been attacked was hit.
It turned out to be an attack that plugged the organisation’s infrastructure into the Mirai botnet. The compromise was used to launch DDoS attacks against two targets in the US and Hong Kong.
Link:
https://www.theregister.com/2023/11/13/inside_denmarks_hell_week_as/
Ransomware group ALPHV (BlackCat) uses Google ads to target victims
Cybersecurity experts at eSentire have released details of an ongoing attack campaign by the notorious ransomware gang ALPHV (aka BlackCat).
Researchers found that the BlackCat group has expanded its attack tactics to include malvertising. As part of this campaign, attackers place deceptive Google ads promoting popular software such as Advanced IP Scanner, WinSCP, Slack, and Cisco AnyConnect to trick corporate employees into visiting compromised websites that distribute the Nitrogen malware.
Nitrogen is initial-access malware discovered in June 2023. It uses obfuscated Python libraries and DLL sideloading to evade detection and hide the next stage of the attack.
Once it is installed, attackers can penetrate deeper into the company and execute the malware of their choice. In the ongoing campaign, victims are usually infected with ransomware.
These cyber attacks appear to be part of a larger campaign involving malicious ads placed in both Google and Bing search results.
Link:
https://www.hackread.com/alphv-blackcat-ransomware-gang-google-ads/
Royal Mail’s recovery from ransomware attack will cost the business at least $12 million
The UK postal business has been hit by LockBit and the incident has caused “severe service disruption” for parcels sent abroad. It later emerged that the ransomware group had demanded nearly $80 million from the company to keep them from disclosing the stolen data.
Although Royal Mail has refused to pay, as recommended by law enforcement, the operational costs associated with this incident are beginning to emerge.
A regulatory filing showed that the company’s international sales were down 6.5% year-on-year, a drop of £22m ($27m), partly as a result of the cyber attack it suffered. The cost of increasing the resilience of the systems is £10 million.
Link:
https://www.theregister.com/2023/11/16/royal_mail_recovery_from_ransomware/
Samsung data leak reveals personal details of UK customers
In an email to customers, shared on social media by web security consultant and Have I Been Pwned creator Troy Hunt, Samsung disclosed on 13 November a breach that exposed the data of customers who made purchases between 1 July 2019 and 30 June 2020.
Samsung Electronics UK said that an unauthorised person had exploited a vulnerability in a third-party business application that the company was using. The information exposed included names, phone numbers, and physical and email addresses.
“No financial data such as bank and credit card details or customer passwords were affected. We have taken all necessary steps to address this security issue,” said Samsung.
Link:
https://www.theregister.com/2023/11/17/uk_samsung_electronics_discloses_yearlong/
Toyota confirms breach after Medusa ransomware gang threatened to leak data
Toyota Financial Services Europe & Africa recently detected unauthorised activity on its branch systems.
“We have taken some systems out of service to investigate this activity and reduce the risk. We have also started working with law enforcement. In most countries, the process of bringing systems back into operation is already underway,” Toyota said.
Before Medusa disclosed that TFS was its victim, security analyst Kevin Beaumont pointed out that the company’s German branch had a Citrix Gateway endpoint exposed to the Internet that had not been updated since August 2023, suggesting it was vulnerable to the critical Citrix Bleed security issue tracked as CVE-2023-4966.
More and more ransomware groups are targeting Citrix Bleed. Currently, 10,000 servers exposed to the Internet are vulnerable, and administrators are advised to update as soon as possible.
TETRA encryption algorithms become public
In mid-2023, Dutch security firm Midnight Blue revealed five vulnerabilities affecting all TETRA networks that could allow criminals to decrypt and eavesdrop on communications in real time.
These vulnerabilities, along with the secrecy of the algorithms themselves, caused outrage in the security community because the proprietary encryption algorithms prevented independent researchers from testing the code, making it difficult to detect bugs and defend networks.
In October, the technical committee responsible for the TETRA standard met and unanimously decided that all TETRA interface cryptographic algorithms would be released as open source.
This step will allow the algorithms to be independently reviewed by academic researchers, which is in line with the trend towards transparency and security assurance.
Link:
https://www.theregister.com/2023/11/14/tetra_encryption_algorithms_open_sourced/
63,000 unpatched Microsoft Exchange servers are vulnerable to RCE attacks
More than 63,000 Microsoft Exchange servers remain exposed to the CVE-2023-36439 vulnerability, which allows remote code execution (RCE). This vulnerability, one of four security flaws addressed in Microsoft’s November 2023 Patch Tuesday update, poses a significant threat to organisations due to the potential for exploitation.
Microsoft’s analysis shows that the exploit requires the attacker to be authenticated as a valid Exchange user. This vulnerability, if exploited, could grant an attacker the rights to remotely execute code on the mailbox server backend as an NT AUTHORITY\SYSTEM user.
This vulnerability is accompanied by three other Exchange vulnerabilities that Microsoft has identified as “higher probability exploits”: CVE-2023-36050, CVE-2023-36039 and CVE-2023-36035. Together, they form a quartet of security issues that organisations need to address urgently.