Threat Pulse – August 2023

Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats. 

If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.

Rhysida Ransomware Behind Recent Attacks on Healthcare 

Rhysida is a Windows-based ransomware operation that is linked to a series of high-profile cyberattacks in Western Europe, North and South America, and Australia.  

The group appears to have links to the notorious Vice Society ransomware gang. It has been observed attacking organisations in the education, government, manufacturing, technology and managed service provider sectors; more recently, however, it has been targeting the healthcare sector.

A report released by Trend Micro details the attack chain of Rhysida. The threat group uses phishing emails to achieve initial access, then deploys Cobalt Strike and PowerShell scripts, and eventually drops the locker. The PowerShell scripts used by Rhysida terminate AV processes, delete shadow copies, and modify RDP configurations. 
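The three PowerShell behaviours named above (AV process termination, shadow copy deletion, RDP configuration changes) are individually noisy but collectively distinctive. As an added illustration, not part of the Trend Micro report or of DigitalXRAID's advisory, the Python sketch below flags each behaviour in process-creation telemetry and then correlates them per host, so a lone backup job deleting old shadow copies does not alert but a host showing two or more behaviours does. The log format and every sample line are constructed for the example.

```python
"""Flag process-creation events matching the pre-encryption behaviours the
report attributes to Rhysida's PowerShell stage: tampering with AV processes,
deleting Volume Shadow Copies and changing RDP settings, then correlate them
per host. Added example; the log format and all log lines are constructed."""
import re
from collections import defaultdict

# Constructed event format: "<ISO timestamp> host=<name> user=<account> cmd=<command line>"
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# (behaviour label, pattern over the command line). Case-insensitive and loose
# on purpose; tune against your own telemetry to control false positives.
RULES = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("av_tampering", re.compile(r"(Stop-(Process|Service)|taskkill)\b.*\b(MsMpEng|Sense|McAfee|Sophos|Symantec)", re.I)),
    ("rdp_modification", re.compile(r"fDenyTSConnections", re.I)),
]

# Constructed telemetry: WS01 shows the full chain, SRV-BACKUP shows routine
# shadow-copy housekeeping, WS02 is benign noise.
SAMPLE_LOG = [
    r"2023-08-14T10:02:11Z host=WS01 user=CORP\svc_backup cmd=vssadmin delete shadows /all /quiet",
    r"2023-08-14T10:02:40Z host=WS01 user=CORP\svc_backup cmd=powershell.exe -nop -w hidden Stop-Process -Name MsMpEng -Force",
    r'2023-08-14T10:03:05Z host=WS01 user=CORP\svc_backup cmd=reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r"2023-08-14T11:15:00Z host=SRV-BACKUP user=CORP\backupadmin cmd=vssadmin list shadows",
    r"2023-08-14T11:16:00Z host=WS02 user=CORP\alice cmd=notepad.exe C:\Users\alice\notes.txt",
    r"2023-08-14T12:00:00Z host=SRV-BACKUP user=CORP\backupadmin cmd=vssadmin delete shadows /for=C: /oldest",
]


def detect(lines):
    """Return one finding per (line, rule) match, in log order."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these separately
        cmd = m.group("cmd")
        for tactic, pattern in RULES:
            if pattern.search(cmd):
                findings.append({"ts": m.group("ts"), "host": m.group("host"),
                                 "user": m.group("user"), "tactic": tactic, "cmd": cmd})
    return findings


def hosts_with_chain(findings, min_tactics=2):
    """Hosts on which at least `min_tactics` distinct behaviours were seen.
    A lone shadow-copy deletion is routine on some backup servers; AV
    tampering plus shadow deletion plus RDP changes on one workstation is not."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["tactic"])
    return sorted(h for h, tactics in by_host.items() if len(tactics) >= min_tactics)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['host']:<11} {f['tactic']:<22} {f['cmd'][:60]}")
    print("hosts with chained behaviours:", hosts_with_chain(found))
```

The per-host correlation is the part worth keeping: each rule alone will fire on legitimate administration, but the combination within a short window is the signal the report describes.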

WinRAR Security Flaw Exploited in Zero-Day Attacks 

New findings have brought to light the exploitation, dating back to April 2023, of a recently patched security vulnerability in the widely used WinRAR archiving software.

This flaw, tracked as CVE-2023-38831, permits malicious actors to spoof file extensions, enabling the execution of harmful scripts concealed within an archive and disguised as harmless image or text files.

The rigged archive is crafted to contain both an image file and a folder sharing the same name. Consequently, when a victim clicks on the image, a batch script located within the folder runs instead and initiates the subsequent phase: a self-extracting (SFX) CAB archive intended to unpack and launch additional files.

Simultaneously, the script loads the misleading image to avoid raising suspicion. 

New WinRAR Vulnerability Could Allow Hackers to Take Control of Your PC 

A high-severity security flaw (CVE-2023-40477) has been disclosed in the WinRAR utility that could be potentially exploited by a threat actor to achieve remote code execution on Windows systems.  

Successful exploitation of the flaw requires user interaction: the target must be lured into visiting a malicious page or into opening a booby-trapped archive file.

The issue has been addressed in WinRAR 6.23 released on August 2, 2023. 

Thousands of Android Malware Apps Using Stealthy APK Compression to Evade Detection 

According to research conducted by Zimperium, threat actors are employing Android Package (APK) files that utilise obscure or unsupported compression methods in order to evade detection during malware analysis.  

Zimperium’s findings uncovered 3,300 samples in the wild using these unconventional compression techniques. Of these, 71 can be loaded on the operating system without any problems.

It’s important to note that there is no evidence suggesting that these applications were ever available on Google Play. This implies that the apps were likely distributed through alternative channels, typically unverified app stores, or by using social engineering to deceive users into installing them manually.
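Both the APK finding above and the WinRAR archive layout described earlier are anomalies visible in archive metadata alone, before anything is decompressed: a compression method id outside the two that stock tooling handles, and a file whose name collides with a directory in the same archive (something no real filesystem would allow). The inspector below is an added example, not code from Zimperium, WinRAR or DigitalXRAID. It works on ZIP-container archives (an APK is a ZIP); applying the name-collision check to the WinRAR case assumes a ZIP-format archive. The fixtures are constructed with inert contents, and the unusual method id (31) is an arbitrary unassigned value chosen for the test, not one taken from any real sample.

```python
"""Inspect ZIP-container archives (APKs are ZIPs) for two metadata anomalies:
entries using compression methods outside the two that stock tooling handles,
and a file whose name collides with a directory in the same archive. Added
example; the archives below are constructed fixtures with inert contents."""
import io
import struct
import zipfile
import zlib

DOS_TIME, DOS_DATE = 12 << 11, ((2023 - 1980) << 9) | (8 << 5) | 1   # 2023-08-01 12:00


def build_zip(entries):
    """Write a minimal ZIP (no ZIP64, no data descriptors) from
    (name, data, method_id) tuples. Data is always written uncompressed; the
    method id is only stamped into the headers so the inspector can be tested
    against method ids that the zipfile module itself refuses to write."""
    local_parts, central_parts, offset = [], [], 0
    for name, data, method in entries:
        name_b = name.encode("ascii")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 0, method, DOS_TIME, DOS_DATE,
                            crc, len(data), len(data), len(name_b), 0) + name_b + data
        central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 0, method,
                              DOS_TIME, DOS_DATE, crc, len(data), len(data), len(name_b),
                              0, 0, 0, 0, 0, offset) + name_b
        local_parts.append(local)
        central_parts.append(central)
        offset += len(local)
    cd = b"".join(central_parts)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries), len(cd), offset, 0)
    return b"".join(local_parts) + cd + eocd


SAFE_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}   # 0 and 8: what mainstream tooling decodes
SCRIPT_SUFFIXES = (".bat", ".cmd", ".ps1", ".vbs", ".js", ".wsf", ".exe", ".scr")


def _norm(path):
    # Collapse case and stray whitespace so near-identical names still collide.
    return "/".join(seg.strip().lower() for seg in path.split("/"))


def inspect_archive(blob):
    """Return a list of (finding, entry, detail) tuples; an empty list means no anomaly."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        infos = zf.infolist()   # central-directory metadata only; nothing is decompressed
    # 1. Compression method ids that analysis tooling may silently fail to unpack.
    for info in infos:
        if not info.is_dir() and info.compress_type not in SAFE_METHODS:
            findings.append(("unusual_compression", info.filename, info.compress_type))
    # 2. A file and a directory (explicit entry or implied by a nested path) with the same name.
    files, dirs = set(), set()
    for info in infos:
        parts = info.filename.rstrip("/").split("/")
        (dirs if info.is_dir() else files).add("/".join(parts))
        for i in range(1, len(parts)):          # implicit parent directories
            dirs.add("/".join(parts[:i]))
    dir_by_norm = {_norm(d): d for d in dirs}
    for f in sorted(files):
        d = dir_by_norm.get(_norm(f))
        if d is not None:
            scripts = sorted(x for x in files
                             if x.startswith(d + "/") and x.lower().endswith(SCRIPT_SUFFIXES))
            findings.append(("name_collision", f, scripts))
    return findings


# Constructed fixture: an APK-like archive whose manifest carries an unassigned method id.
APK_LIKE = build_zip([
    ("AndroidManifest.xml", b"<manifest/>", 31),
    ("classes.dex", b"dex\n035\x00", zipfile.ZIP_STORED),
])
# Constructed fixture: the layout described for the WinRAR flaw, with inert placeholder contents.
DECOY_ARCHIVE = build_zip([
    ("holiday.jpg", b"\xff\xd8\xff\xe0placeholder", zipfile.ZIP_STORED),
    ("holiday.jpg/", b"", zipfile.ZIP_STORED),
    ("holiday.jpg/holiday.jpg.bat", b"REM placeholder, does nothing\r\n", zipfile.ZIP_STORED),
])
# Control: an ordinary archive that should produce no findings.
CLEAN = build_zip([("readme.txt", b"hello", 0), ("docs/", b"", 0), ("docs/a.txt", b"a", 0)])

if __name__ == "__main__":
    for label, blob in (("apk_like", APK_LIKE), ("decoy", DECOY_ARCHIVE), ("clean", CLEAN)):
        print(label, inspect_archive(blob))
```

Because only the central directory is read, the check is cheap enough to run on every archive at a mail or web gateway, and it does not depend on being able to decompress the entry, which is exactly the capability the evasion technique relies on defenders lacking.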

Ransomware With an Identity Crisis Targets Small Businesses & Individuals 

VMware researchers have uncovered a new strain of ransomware, known as TZW, which has been in operation since 2019.

Unlike traditional ransomware that demands large sums of money, TZW targets individuals and small businesses, demanding smaller ransoms from each victim. TZW is part of the Adhubllka ransomware family, with its origins dating back to January 2020 and possibly even earlier.

The researchers were able to link TZW to Adhubllka through various clues, including the use of the email address [email protected], associated with the ransomware group, and its connection to an MD5 variant of Adhubllka identified in 2019. 

This discovery highlights how ransomware is evolving to evade detection and emphasises the need for robust endpoint security solutions.  

However, the researchers also stress the importance of basic security education and regular anti-phishing campaigns, such as training staff to refrain from clicking on links delivered via unsolicited email, to prevent your workforce from falling victim to newly created ransomware.

FBI Warns of Patched Barracuda ESG Appliances Still Being Hacked 

The FBI has issued a warning about the continued vulnerability of Barracuda Email Security Gateway (ESG) appliances, despite patches being applied.  

This vulnerability, known as CVE-2023-2868, was exploited in October 2022, allowing attackers to compromise ESG appliances, steal data, and establish remote access.  

Although Barracuda patched all appliances and blocked attackers’ access in May 2023, they later advised customers to replace affected appliances due to uncertainties about malware removal.  

Users with high-level credentials were urged to change them to prevent ongoing access attempts. 

KmsdBot Malware Gets an Upgrade: Now Targets IoT Devices with Enhanced Capabilities 

The botnet known as KmsdBot is now targeting IoT devices, increasing the malware’s attack surface.  

The latest iteration, first observed last month by security researcher Larry Cashdollar, is now capable of scanning for and brute-forcing Telnet connections, on top of its existing ability to brute-force open SSH ports.

The botnet starts by calling a function that generates a random IP address, then attempts to brute-force its way onto that device over ports 22 (SSH) and 23 (Telnet). The malware gains access using a text file containing a list of frequently used passwords.
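From the defender's side, a password-list run against a random address shows up as a burst of authentication failures from one source against a small number of accounts, on port 22, port 23 or both. The script below is an added example (not KmsdBot analysis code and not DigitalXRAID's) that applies a per-source sliding window to syslog authentication lines and summarises each offending source. The log lines are constructed using documentation (TEST-NET) addresses; the message formats follow the common OpenSSH "Failed password" and util-linux "FAILED LOGIN" shapes, and the year is supplied by the caller because syslog timestamps omit it.

```python
"""Detect SSH/Telnet password-guessing bursts from a single source, the entry
technique described for KmsdBot, using per-source sliding windows over syslog
authentication lines. Added example; all log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
SSH_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
TELNET_RE = re.compile(TS + r" \S+ login\[\d+\]: FAILED LOGIN .*?FROM '?(?P<ip>[0-9.]+)'? FOR '?(?P<user>[^',]+)'?,")

# Constructed sample: one source running a list against root/admin over SSH and
# Telnet, one user mistyping a password once, and one slow, spread-out source.
SAMPLE_AUTH_LOG = [
    "Aug 14 10:02:01 edge-gw sshd[2201]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Aug 14 10:02:03 edge-gw sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "Aug 14 10:02:05 edge-gw sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 51238 ssh2",
    "Aug 14 10:02:07 edge-gw sshd[2207]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Aug 14 10:02:09 edge-gw sshd[2209]: Failed password for root from 203.0.113.7 port 51242 ssh2",
    "Aug 14 10:02:12 edge-gw login[2301]: FAILED LOGIN (1) on '/dev/pts/3' FROM '203.0.113.7' FOR 'root', Authentication failure",
    "Aug 14 10:02:14 edge-gw login[2301]: FAILED LOGIN (2) on '/dev/pts/3' FROM '203.0.113.7' FOR 'root', Authentication failure",
    "Aug 14 10:05:40 edge-gw sshd[2410]: Failed password for alice from 198.51.100.9 port 40022 ssh2",
    "Aug 14 10:05:55 edge-gw sshd[2412]: Accepted password for alice from 198.51.100.9 port 40022 ssh2",
    "Aug 14 10:10:00 edge-gw sshd[2500]: Failed password for root from 192.0.2.44 port 33001 ssh2",
    "Aug 14 10:20:00 edge-gw sshd[2510]: Failed password for root from 192.0.2.44 port 33002 ssh2",
    "Aug 14 10:30:00 edge-gw sshd[2520]: Failed password for root from 192.0.2.44 port 33003 ssh2",
]


def parse_failures(lines, year=2023):
    """Yield (timestamp, source_ip, username, service) for each failed login."""
    for line in lines:
        for service, rx in (("ssh", SSH_RE), ("telnet", TELNET_RE)):
            m = rx.match(line)
            if m:
                # syslog timestamps carry no year, so the caller supplies it
                ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                yield ts, m["ip"], m["user"], service
                break


def detect_bruteforce(lines, threshold=5, window_s=60, year=2023):
    """Return {source_ip: summary} for every source with at least `threshold`
    failures inside some `window_s`-second span. A slow drip spread over hours
    never trips it; a password-list run does within seconds."""
    events = defaultdict(list)
    for ts, ip, user, service in parse_failures(lines, year):
        events[ip].append((ts, user, service))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        times = [e[0] for e in evs]
        start, burst = 0, False
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                burst = True
                break
        if burst:
            users = sorted({e[1] for e in evs})
            alerts[ip] = {
                "failures": len(evs),
                "users": users,
                "services": sorted({e[2] for e in evs}),
                # Heuristic: many failures against one or two accounts looks like a
                # password list being replayed; many accounts looks like a spray.
                "pattern": "password_list_replay" if len(users) <= 2 else "password_spray",
                "first": times[0].isoformat(),
                "last": times[-1].isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, summary)
```

The threshold and window are the tuning knobs: a gateway exposed to the internet can use a tighter window, while an internal jump host with password-based logins may need a higher threshold to avoid alerting on users who are simply locked out.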

The Resurgence of the Ursnif Banking Trojan 

The Ursnif banking trojan, which was described back in May as the “most wanted malware”, is making a resurgence across its customers’ networks.  

Banking trojans continue to present a credible and persistent threat to organisations of all sizes across the globe. This attack was delivered via a phishing email, which initiated the download of an executable file masquerading as a .cab file.
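A file extension is a claim, not a fact; the header bytes are what the operating system and the loader actually act on. As an added example (not analysis code from the Ursnif research or from DigitalXRAID), the check below compares a downloaded file's extension with its leading bytes and quarantines anything that carries an archive or document extension but starts like a Windows executable. The sample files are constructed; the "PE" fixture is a header-only stub with no code in it.

```python
"""Compare what a downloaded file claims to be (its extension) with what its
header says it is, to catch executables delivered under an archive extension
as in the Ursnif lure. Added example; sample files are constructed and the
PE stub is a header-only placeholder, not a program."""
import os

MAGIC = [
    (b"MSCF", "cab"),               # Microsoft Cabinet
    (b"PK\x03\x04", "zip"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"%PDF-", "pdf"),
]
# What we expect the header to say for a given extension.
EXPECTED = {".cab": "cab", ".zip": "zip", ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg",
            ".pdf": "pdf", ".exe": "pe", ".dll": "pe", ".scr": "pe"}
EXECUTABLE_TYPES = {"pe", "mz_dos"}


def sniff(data):
    """Identify a file by its leading bytes; 'unknown' when nothing matches."""
    if data[:2] == b"MZ":
        # e_lfanew at 0x3C points at the 'PE\0\0' signature in a real PE image
        if len(data) >= 0x40:
            off = int.from_bytes(data[0x3C:0x40], "little")
            if data[off:off + 4] == b"PE\0\0":
                return "pe"
        return "mz_dos"
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(downloads):
    """downloads: iterable of (filename, bytes). Returns findings for files whose
    content type contradicts their extension; executables get 'quarantine'."""
    findings = []
    for name, data in downloads:
        claimed = EXPECTED.get(os.path.splitext(name)[1].lower())
        actual = sniff(data)
        if claimed is None or actual == claimed:
            continue  # no expectation for this extension, or header and extension agree
        action = "quarantine" if actual in EXECUTABLE_TYPES else "review"
        findings.append({"name": name, "claimed": claimed, "actual": actual, "action": action})
    return findings


# Constructed header-only PE stub: 'MZ', e_lfanew = 0x40, 'PE\0\0' at offset 0x40.
FAKE_PE = b"MZ" + b"\0" * 58 + (0x40).to_bytes(4, "little") + b"PE\0\0" + b"\0" * 20

SAMPLE_DOWNLOADS = [
    ("statement_08_2023.cab", FAKE_PE),                 # executable under an archive extension
    ("drivers.cab", b"MSCF" + b"\0" * 32),              # genuine cabinet header
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 16),    # genuine JPEG header
    ("notes.txt", b"plain text"),                       # extension we hold no expectation for
    ("report.pdf", b"PK\x03\x04" + b"\0" * 26),         # zip content under a pdf name
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_DOWNLOADS):
        print(finding)
```

The same comparison belongs at the mail gateway and in the endpoint's download handler, where it catches the lure before a user ever has the chance to double-click it.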

DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, whilst you take care of business.    

Talk to the team to see how you can start protecting your business against cyberattacks today. 
