CyberIntelMag's Threat report

Weekly Cyber Threat Report, September 6-September 10

Welcome to CyberIntelMag’s weekly roundup! A place where you can find the most important stories in the cybersecurity world from the past week.

From the good news:

This week, we’ve learned about new security features for Android, fixes for Azure bugs, the arrest of a TrickBot developer and the extradition of a Ukrainian credential thief, and more.

  • Google has rolled out a set of new features for Android’s open-source platform Private Compute Core, which is in the beta stages of development. The new suite is expected to “provide a privacy-preserving bridge between Private Compute Core and the cloud.”
  • A developer from the TrickBot cybercrime group was apprehended in South Korea as he was trying to leave the country. The man is believed to have worked for TrickBot as a web browser developer in 2016, while he was in Russia.
  • A popular npm package for JavaScript, pac-resolver, has addressed and resolved a flaw that could allow an attacker to execute code inside a Node.js process. It has 3 million downloads a week and 285,000 public repos on GitHub.
  • A Ukrainian man was extradited to the US by the Department of Justice for selling login credentials on a criminal remote-access marketplace. He brute-forced and harvested login credentials and sold them on a dark web marketplace.
  • Microsoft has fixed a vulnerability in Azure Container Instances (ACI) that could allow an attacker to execute arbitrary commands on other users’ containers and steal customer secrets and images from the platform.

From the bad news:

This week has brought news about the rumored reappearance of the REvil gang, the leak of Babuk ransomware source code, the UN email breach, data breaches at US defense agencies and Fortinet, and more.

  • Hackers stole confidential data from the United Nations’ IT network. Bloomberg reported that the hackers stole the Umoja credentials of a UN employee and used them to access the UN’s systems. Resecurity researchers believe that the hackers managed to steal data in the incident.
  • The Mēris botnet has been attacking Yandex, the Russian internet giant, in a wave of DDoS attacks that has now lasted a month. The attacks have reached an unprecedented 21.8 million requests per second. Many of the botnet’s devices are powerful networking equipment, which explains its capacity.
  • The dark web servers that were previously used by the REvil ransomware gang have suddenly come back online. It is unclear whether they are being operated by law enforcement or whether the ransomware gang is back.
  • Threat actors increasingly use a Dropper-as-a-Service (DaaS) scheme to rapidly spread their malware across thousands of PCs and steal sensitive data. They often disguise their malware as legitimate or pirated apps.
  • Email accounts of the Virginia Department of Military Affairs and the Virginia Defense Force were attacked by a hacker in July. Officials said the attacks did not compromise email addresses. However, the stolen-data marketplace Marketo posted a vast amount of data allegedly stolen from the Virginia Department of Military Affairs.
  • Howard University suffered an attack on Monday that forced it to cancel classes on Tuesday. The university subsequently acknowledged it as a ransomware attack; it said there is no evidence that personal information was leaked, but the inquiry is still underway.
  • Jenkins, a popular open-source automation server, said its discontinued Confluence service was attacked using the Confluence CVE-2021-26084 vulnerability. The team is examining the impact.
  • A list of almost 500,000 usernames and passwords for Fortinet’s security products leaked on an online forum. The list was allegedly obtained from devices compromised over the summer.
  • Seven high-severity vulnerabilities have been identified in GitHub’s npm CLI packages “tar” and “@npmcli/arborist.” Attackers can exploit these issues to execute arbitrary code when a user installs an untrusted npm package.
  • CISA warned about hackers exploiting a critical vulnerability in Zoho’s popular password management solution, ManageEngine ADSelfService Plus. The bug can grant an unauthenticated attacker access to the system and allow them to execute arbitrary code.
  • Source code for the Babuk ransomware was leaked on a Russian-speaking hacking forum by an alleged member of the group. It contains all the components necessary to build a functional ransomware executable.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.