Welcome to Security Sunday – Week 42, our weekly summary from the world of cybersecurity (16 October – 22 October 2023).
We’re collecting notable incident and vulnerability reports from the past week.
More than 40,000 Cisco IOS XE devices infected with backdoor using zero-day vulnerability
More than 40,000 Cisco devices running IOS XE were compromised after attackers exploited a recently disclosed vulnerability with the maximum CVSS score of 10, tracked as CVE-2023-20198.
“There is no patch or workaround available, and the only recommendation for customers to secure the device is to disable the HTTP Server feature on all Internet-facing systems,” Cisco said.
Initial estimates of the number of compromised devices were around 10,000. In an update on 18 October, the Censys platform reported that the number of compromised devices it had found had increased to 41,983.
The exact number of Cisco IOS XE devices that are available over the public Internet is difficult to obtain, but Shodan lists just over 145,000 systems, most of which are in the US.
Cisco has not released further details about the attacks, but promised to offer more information when it completes its investigation and when a fix is available.
Link: https://www.bleepingcomputer.com/news/security/over-40-000-cisco-ios-xe-devices-infected-with-backdoor-using-zero-day/
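As an added illustration (not from the article or from Cisco), the IOS XE configuration state the advisory warns about beside the mitigated state, with the show commands a defender uses to verify it; the access-list variant at the end goes beyond the page's recommendation and is an added option, and the ACL number and management subnet are constructed placeholders.

```cisco
! Weak state (constructed example): the web UI is reachable on every
! interface, including the Internet-facing one. Find it with:
!   show running-config | include ip http
ip http server
ip http secure-server
!
! Mitigated state, matching the recommendation quoted above: turn the
! HTTP Server feature off entirely on Internet-facing systems.
no ip http server
no ip http secure-server
!
! Alternative (added here, beyond the page's recommendation): keep the
! web UI for management but permit only the management network.
! ACL 10 and 10.0.0.0/24 are constructed placeholder values.
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 10 deny any log
ip http access-class 10
!
! After either change, confirm the HTTP server is no longer listening
! (or is restricted) with:
!   show ip http server status
```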
D-Link confirms security breach after employee fell for phishing attack
Taiwanese networking equipment manufacturer D-Link recently confirmed a data breach in which internal data was leaked.
The attacker claims to have stolen the source code of the D-View network management software. The leaked data reportedly includes millions of records containing personal information of D-Link customers and employees: names, addresses, emails, phone numbers, account registration dates, and last login dates of users.
The attacker said on a hacker forum, “I have penetrated D-Link’s internal network in Taiwan, I have 3 million lines of customer information and also the source code for D-View extracted from the system. I have information on many government officials in Taiwan, as well as CEOs and employees of the company.”
According to D-Link, the security failure was caused by an employee falling for a phishing email that allowed an attacker to access the company’s network.
The company said the attackers gained access to the old D-View 6 system, which reached end of life in 2015. D-Link used this environment as a test lab.
The company believes the attacker deliberately altered the timestamps of recent logins to give the impression that more recent data theft had occurred. “We do not anticipate that this issue will affect the majority of the company’s current clients,” D-Link said.
Link: https://www.cysecurity.news/2023/10/d-link-confirms-data-breach-after.html
E-Root administrator faces 20 years for selling stolen RDP and SSH accounts
E-Root was an illegal online marketplace that offered access to compromised computers around the world in exchange for cryptocurrency.
Evidence gathered during the investigation suggests that more than 350,000 compromised systems were for sale on the market, including computers from a variety of industries and at least one government system.
Buyers were provided with search tools to navigate the available offers using criteria such as price range, region, ISP, operating system, RDP or SSH access, and more.
The U.S. Department of Justice (DoJ) announcement states that there have been numerous confirmed cases in which access purchased through E-Root was used for cybercrime, including ransomware attacks.
“Many victims have been the subject of ransomware attacks and some of the stolen logins listed on the forum have been linked to tax fraud schemes or stolen identities,” the US Department of Justice said.
Sandu Diaconu, operator of the E-Root marketplace, has been extradited from the UK to the US where he faces a maximum sentence of 20 years in prison for selling access to the compromised systems.
Hacker leaks another 4.1 million stolen genetic data profiles from 23andMe
An attacker under the alias “Golem”, who is allegedly behind the attacks on 23andMe’s data, has posted an additional 4.1 million data profiles on the hacker forum BreachForums.
The attackers claim that the stolen data contains genetic information about the royal family, for example. “On this list you can see the richest people living in the US and Western Europe,” the hacker said.
As reported by TechCrunch, some newly leaked data from the UK has been verified to match known and publicly available user and genetic information.
TechCrunch also reports that some of 23andMe’s leaked data was sold on the now-shuttered Hydra hacking forum in August 2023, where an attacker claimed to have stolen 300 terabytes of data. The hacker on the BreachForums forum also claims to have “hundreds of TB of data”, which probably indicates that it is the same stolen data.
“We are currently reviewing the data to see if it is legitimate. Our investigation is ongoing and if we learn that a customer’s data has been accessed without their authorisation, we will inform them directly and provide them with further information,” 23andMe states.
More than 40,000 administrator accounts on web portals use “admin” as their password
Security researchers have found that IT system administrators are using weak passwords for administrator accounts, enabling cyber attacks on corporate networks.
Of the more than 1.8 million logins analyzed, “admin” was used as the password more than 40,000 times, showing that this default password is widely accepted by IT administrators.
The top five passwords detected by Outpost24 were admin, 123456, 12345678, 1234 and Password.
This data was collected between January and September 2023 through the Threat Compass system.
The researchers note that although the analysis was limited to known and predictable passwords, these passwords belong to administrator accounts, and attackers target exactly those users.
SpyNote: Beware of Android Trojan that records audio and phone calls
According to F-Secure, this spyware is usually spread through phishing SMS campaigns that trick victims into installing an application by clicking on an embedded link.
In addition to requesting permissions to access call logs, camera, SMS messages, and external storage, SpyNote is known for hiding its presence on the Android home screen and recent items screen in an attempt to prevent its detection.
Most importantly, the app requests accessibility permissions and then uses them to grant itself additional permissions to record audio and phone calls, record keystrokes, and take screenshots of the phone via the MediaProjection API.
Closer examination of the malware revealed the presence of so-called “diehard” services designed to resist attempts to terminate it, whether by the victim or by the operating system.
“In the end, the only option left to the victim is to perform a factory reset, which will result in the loss of all data,” F-Secure said.
This revelation comes as the Finnish cybersecurity firm has also detailed a fake Android app that pretends to be an operating system update.
Link: https://thehackernews.com/2023/10/spynote-beware-of-this-android-trojan.html
Cyber attacks
- Ransomware group BlackCat/ALPHV has started using a new tool called “Munchkin” that uses virtual machines to covertly deploy ransomware on network devices.
- Pro-Iranian hacktivists target Israeli industrial control systems
- Fake “RedAlert” rocket warning app in Israel installs Android spyware
- Qubitstrike malware attacks Jupyter Notebooks and is used to steal data
Vulnerabilities
- Critical vulnerabilities in Home Assistant
- Critical RCE flaws found in SolarWinds access audit solution
- Disclosure of a new administrator takeover vulnerability in Synology’s DiskStation Manager
- Qubitstrike rootkit attacks Jupyter Linux servers and steals login credentials
- Critical Citrix vulnerability exploited as a zero-day, patching alone is not enough