Raspberry Robin: a new one-day exploit targeting Windows
According to Bleeping Computer, recent versions of the Raspberry Robin malware are now stealthier and able to use one-day exploits. A one-day exploit takes advantage of the window between the release of a patch and its application to a vulnerable system. Cybersecurity researchers at Check Point say that Raspberry Robin is a worm that has been linked to EvilCorp and Clop and has recently been seen leveraging exploits for CVE-2023-36802 and CVE-2023-29360, two local privilege escalation vulnerabilities in Microsoft Streaming Service Proxy and the Windows TPM Device Driver, respectively.
Hyundai Europe suffers Black Basta ransomware attack
This attack apparently started in January and has resulted in the theft of 3TB of data from the company’s German division. Hyundai Motor Europe is only describing this as an “unauthorized third party having accessed a limited part of the network of Hyundai Motor Europe,” but according to Bleeping Computer, the threat actors have posted a list of folders that “were allegedly stolen from numerous Windows domains.”
Cisco to cut thousands of jobs as it focuses on high growth areas
The San Jose-based company is planning to eliminate part of its workforce, which stood at almost 85,000 as of fiscal 2023. The announcement of who and where could come as early as this week, given that the company has an earnings call on Feb. 14. According to Reuters, “Cisco had cut its full-year revenue and profit forecasts in its previous earnings call, in a sign that demand for its networking equipment was slowing. It blamed the weakness on a slowdown in orders in the first quarter, saying ‘customers are currently focused on installing and implementing products in their environments.’”
New RustDoor backdoor targeting Apple macOS devices
Operating stealthily since November, it has been found to “impersonate an update for Microsoft Visual Studio and target both Intel and Arm architectures running MacOS.” It is designed to steal files and gather information about a compromised endpoint. Cybersecurity firm Bitdefender suggests the malware is linked to Black Basta and BlackCat owing to overlaps in C2 infrastructure.
Huge thanks to this week’s episode sponsor, Vanta
U.S. DoJ Dismantles Warzone RAT and makes arrests
The seizure of the infrastructure and the arrests were announced Friday by the U.S. Justice Department. This included takedowns of domains that were “used to sell computer malware used by cybercriminals to secretly access and steal data from victims’ computers.” According to The Hacker News, Warzone RAT, also known as Ave Maria, was first documented in January 2019 when it was used to attack an Italian oil and gas sector company by deploying bogus Microsoft Excel files that exploited a security flaw in the Equation Editor (CVE-2017-11882). Two individuals were arrested in Malta and Nigeria and charged with helping other cybercriminals use the RAT for malicious purposes.
Cohesity buys Veritas data protection businesses
The San Jose-based IT company announced the deal on Thursday. It will create a data security and management giant valued at roughly $7 billion, and the deal focuses on the acquisition of Veritas NetBackup, NetBackup appliances, and Alta data protection offerings. It was not clear from the announcement which names or brands will be used following the purchase, which is expected to close by the end of this year. The remainder of Veritas will become a separate company to be called DataCo, to be led by current Veritas SVP Lawrence Wong, and which will manage Veritas’ InfoScale, Data Compliance, and Backup Exec products and services.
Ukraine Kyivstar CEO explains Sandworm hack
Following up on a story we covered last month, the CEO of telecom operator Kyivstar, Oleksandr Komarov, has explained how the attack, which left 24 million subscribers without mobile or internet service for days, happened. In short, Komarov states that initial access was obtained through a compromised employee account, which allowed access to other accounts and eventually yielded admin privileges. He ruled out the possibility of this being an inside job. He said they were surprised by the attackers’ ability to move around their robustly protected systems, and that the attackers remained undetected for months through the use of a zero-day wiper malware. He added that the attackers succeeded in wiping out the virtual servers but failed in their attempt to damage physical equipment, thanks to a swift response from the Kyivstar team. When asked about lessons learned, Komarov stated that despite robust security, his company’s infrastructure was too centralized, and they are now embarking on a program of micro-segmentation.
ExpressVPN discovered to be leaking DNS requests
This leak, which has been happening since May 2022, is due to a bug in the split tunneling feature of ExpressVPN. Split tunneling allows users to route some internet traffic outside the VPN tunnel and the rest through it, providing local access and secure remote access simultaneously. The bug caused users’ DNS requests to go to their internet service provider rather than to ExpressVPN’s infrastructure, which was kind of the point. ExpressVPN says the issue only impacted roughly 1% of its Windows users.