{"id":4504,"date":"2023-03-01T12:24:29","date_gmt":"2023-03-01T12:24:29","guid":{"rendered":"\/cybersecurity-blog\/?p=4504"},"modified":"2023-04-06T09:10:53","modified_gmt":"2023-04-06T09:10:53","slug":"malware-news-digest-february-2023","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/malware-news-digest-february-2023\/","title":{"rendered":"Cybersecurity News Digest: February 2023"},"content":{"rendered":"\n

Another month filled with intriguing cybersecurity incidents has come and gone, and we\u2019re ready to share the news with you.<\/p>\n\n\n\n

<\/p>\n\n\n\n

Reddit falls victim to a phishing attack<\/h2>\n\n\n\n

When someone as seasoned as an r\/Reddit moderator falls victim to phishing, it really sets into perspective how dangerous these attacks are. That’s exactly what happened<\/a> this month, when an attacker directed Reddit employees to a website that imitated the company\u2019s intranet gateway, in an attempt to steal credentials and auth tokens. <\/p>\n\n\n\n

This led to a security breach that exposed some confidential information, but Reddit’s prompt investigation concluded that no user data had been leaked.<\/p>\n\n\n\n

Reddit was highly praised for how openly the platform has handled communication with its community, after the incident took place.<\/p>\n\n\n\n

A critical vulnerability exploited in the ZK framework<\/h2>\n\n\n\n

CISA warns<\/a> that hackers are actively exploiting a critical vulnerability in ZK, a popular open source web development framework written in Java.<\/p>\n\n\n\n

The vulnerability that is now tracked as CVE-2022-36537<\/a>, was used in a recent attack to gain initial access to ConnectWise R1Soft Server Backup Manager software and plant a backdoor. Companies running ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1 are currently at risk.<\/p>\n\n\n\n

KeePass denies having a vulnerability<\/h2>\n\n\n\n

The vulnerability which is now tracked as CVE-2023-24055<\/a> was found<\/a> in an extremely popular open-source password manager KeePass. With the exploit, attackers who have write access to a system can edit the KeePass XML configuration and insert a malicious trigger that will export the whole database, including all usernames and passwords in plaintext.<\/p>\n\n\n\n

However, the development team behind KeePass doesn\u2019t agree, maintaining that this is only true as long as the program is run in an insecure environment, hence the vulnerability doesn\u2019t count. <\/p>\n\n\n\n

New hacker group targets China with targeted attacks<\/h2>\n\n\n\n

Beijing-based security experts have uncovered a new hacking group \u2014 made up of members primarily from Europe and North America \u2014 that has been targeting Chinese online resources. The group, which is confusingly named Against The West (ATW), poses a serious risk to the country’s data security, experts say<\/a>.<\/p>\n\n\n\n

According to a report obtained by the Global Times, the cyber gang has claimed to have leaked sensitive information such as source code and database of more than 100 information systems of important government agencies, aviation, and infrastructure departments over 70 times since 2021, and their activity has been intensifying thorough 2022.<\/p>\n\n\n\n

Go Daddy admits a multi-year security breach<\/h2>\n\n\n\n

Go Daddy, a major web hosting company, revealed<\/a> a long-term security breach. The hackers were able to access the companye’s source code, as well as customer, and employee login information, which allowed them to abuse Go Daddy’s services by launching a series of watering hole attacks. This involves inserting malicious code into websites hosted by the provider.<\/p>\n\n\n\n

Apparently, this has been going on for some years, but folks at GoDaddy are finally on top of the breach.<\/p>\n\n\n\n

Google Engineers promise to eradicate prototype pollution<\/h2>\n\n\n\n

Programmers at Google have created a plan to combat prototype pollution, a well-known vulnerability that affects web security. This language flaw in JavaScript permits attackers to modify objects they have no authority over in real-time. This issue happens when there is no distinction between objects and their blueprints.<\/p>\n\n\n\n

The solution was described at length on GitHub<\/a>.<\/p>\n\n\n\n

<\/p>\n\n\n\n

<\/div>\n\n\n\n
\n

Try ANY.RUN for Enterprises <\/strong><\/h3>\n\n\n\n

Combat new threats together \u2013 ANALYZE MALWARE IN A TEAM<\/h2>\n\n\n\n
\n
Get a demo<\/a><\/div>\n<\/div>\n<\/div><\/div>\n\n\n\n
<\/div>\n\n\n\n

A vulnerability found in Cisco ClamAV <\/h2>\n\n\n\n

A potentially dangerous flaw in an anti-malware scanning product has been identified in Cisco\u2019s networking hardware. Specifically, a security flaw affecting the ClamAV scanning library (CVE-2023-20032<\/a>) has resulted in critical security risks for Cisco\u2019s Secure Web Appliance and multiple versions of the Cisco Secure Endpoint, including Windows, MacOS, Linux, and cloud.<\/p>\n\n\n\n

Toyota patches a critical backdoor<\/h2>\n\n\n\n

A significant<\/a> vulnerability in the internet portal of Toyota\u2019s international vendor management system was uncovered by U.S.-based security researcher Eaton Zveare. This issue related to the implementation of JWT (JSON Web Token) verification and would permit anybody possessing a legitimate email address to enter into any account.<\/p>\n\n\n\n

The Global Supplier Preparation Information Management System (GSPIMS) is an online platform that offers Toyota personnel and providers access to existing jobs, polls, info on acquisitions, and more. The vulnerability has since been patched.<\/p>\n\n\n\n

Meta fixes a 2FA bypass<\/h2>\n\n\n\n

Facebook’s parent company, Meta, has recently addressed a serious security vulnerability that could have allowed cyber attackers to bypass two-factor authentication (2FA) that relies on SMS-based verification. This flaw, which was discovered<\/a> by a security researcher named Manoj Gautam, could confirm a targeted user’s previously verified Facebook mobile number by exploiting a rate-limiting issue within Instagram. <\/p>\n\n\n\n

The vulnerability could have allowed cybercriminals to brute-force the verification pin required to confirm someone’s phone number, effectively bypassing the 2FA process.<\/p>\n\n\n\n

Belgium to become a safe-haven for ethical hackers<\/h2>\n\n\n\n

Belgium has announced<\/a> the development of a legal framework to regulate ethical hacking, thus becoming the first European state to govern the work of independent penetration testers. Crucially, the new legislation clears up the circumstances that may or may not lead to law violation.<\/p>\n\n\n\n

The announcement emphasizes the significance of white-hat hacking and the duties of pen-testers, who attempt to get into online systems for educational or security purposes without a prearranged agreement with the target.<\/p>\n\n\n\n

ANY.RUN\u2019s February updates<\/h2>\n\n\n\n

An in-depth XLoader analysis, ChatGPT shenanigans, where we tried to get it to be useful for blue teamers and failed, an announcement about our stand in GISEC 2023, and an interview with a security expert and educator J\u00e9zer Ferreira, where we discuss the state of security in Latin America, OSINT methods and much, much more:<\/p>\n\n\n\n

These are the February posts to read from ANY.RUN:<\/p>\n\n\n\n