
The Week that Was: 6.24.23


A recent report from Orca Security, the “2023 Honeypotting in the Cloud Report,” details attacker tactics, techniques, and procedures (TTPs) and the factors that draw attackers to particular resources. The study relied on cloud honeypots: decoy resources that attract attackers and record what they do with them. The researchers deployed nine honeypots across environments including AWS S3 buckets, GitHub, and DockerHub, each seeded with a secret, in this case an AWS secret access key.

Key findings: threat actors discovered the exposed honeypots within minutes of deployment, although the time until the planted keys were actually used varied by environment. Keys leaked on GitHub were used within two minutes, while keys planted in S3 buckets took upwards of eight hours to be used. The report also found that certain resources and environments were more attractive to malicious actors because they offered easy access and the prospect of sensitive information. Orca's researchers advised against relying solely on automated protection solutions and recommended tailored strategies that defend each resource against the threats it actually faces.
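The honeypot technique above rests on one detection: a planted key is never used legitimately, so any CloudTrail record carrying its access key ID is an alert. The following is an added example, not code from Orca's report. It runs over constructed CloudTrail-style records (the decoy key IDs, IPs and timestamps are made up; `AKIA...EXAMPLE` are the documentation placeholders AWS reserves) and reports, per decoy, where it was planted, how long it took to be used, the calls attempted and the source IPs. A real deployment would read the same fields from the CloudTrail S3 export or an EventBridge rule.

```python
"""Flag use of decoy ("honeytoken") AWS access keys in CloudTrail records.

Added example, not from the Orca report. Record shapes follow the CloudTrail
event format; key IDs, addresses and timestamps below are constructed.
"""
from datetime import datetime, timezone

# Hypothetical decoy keys: planted, never used legitimately, so any use is an alert.
# Value = (where the key was planted, when it was planted, ISO 8601 UTC).
DECOY_KEYS = {
    "AKIAIOSFODNN7EXAMPLE": ("github-repo", "2023-06-20T10:00:00Z"),
    "AKIAI44QH8DHBEXAMPLE": ("s3-bucket", "2023-06-20T10:00:00Z"),
}

# Constructed CloudTrail-style records. Note the AccessDenied call: CloudTrail logs
# failed calls too, and a failed call with a decoy key is still a compromise signal.
SAMPLE_EVENTS = [
    {"eventTime": "2023-06-20T10:01:47Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2023-06-20T10:02:05Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.5",
     "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2023-06-20T11:00:00Z", "eventName": "DescribeInstances",
     "eventSource": "ec2.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAREALKEYNOTDECOY1"}},
    {"eventTime": "2023-06-20T18:13:22Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "192.0.2.99",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}},
    {"eventTime": "2023-06-20T12:00:00Z", "eventName": "ConsoleLogin",
     "eventSource": "signin.amazonaws.com", "sourceIPAddress": "198.51.100.8",
     "userIdentity": {"type": "Root"}},  # no accessKeyId at all; must not crash
]


def _ts(value):
    """Parse a CloudTrail eventTime (always UTC, 'Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_decoy_use(events, decoys=DECOY_KEYS):
    """Return {decoy_key_id: alert} for every decoy key seen in the records."""
    alerts = {}
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key not in decoys:
            continue
        planted_in, planted_at = decoys[key]
        seen = _ts(ev["eventTime"])
        alert = alerts.setdefault(key, {
            "planted_in": planted_in,
            "first_use": seen,
            "calls": [],
            "source_ips": set(),
        })
        alert["first_use"] = min(alert["first_use"], seen)
        call = ev["eventName"]
        if "errorCode" in ev:
            call += f" ({ev['errorCode']})"
        alert["calls"].append(call)
        alert["source_ips"].add(ev["sourceIPAddress"])
    for key, alert in alerts.items():
        planted_at = _ts(decoys[key][1])
        alert["seconds_to_first_use"] = int((alert["first_use"] - planted_at).total_seconds())
    return alerts


if __name__ == "__main__":
    for key, alert in find_decoy_use(SAMPLE_EVENTS).items():
        print(f"{key} planted in {alert['planted_in']}: first used after "
              f"{alert['seconds_to_first_use']} s from {sorted(alert['source_ips'])}, "
              f"calls: {alert['calls']}")
```

The time-to-first-use figure is the one the report measures; in a real feed the decoy key IDs would come from wherever the honeytokens are tracked, and the alert should fire on the first matching record rather than waiting for a batch.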

In another update, at least sixty-three organizations were reported to have been compromised by the Cl0p ransomware gang through vulnerabilities in MOVEit Transfer. Victims included Gen Digital, the U.S. Department of Energy, Louisiana's Office of Motor Vehicles, and the Nova Scotia government, among others. Prominent U.K. organizations such as British Airways, the British Broadcasting Corporation (BBC), and drugstore chain Boots were also affected. The Cl0p gang claimed to have deleted any data stolen from government entities and denied holding data from the BBC, British Airways, and Boots, although doubts were raised about the veracity of these claims.

Progress Software disclosed and patched a third vulnerability in its MOVEit Transfer file transfer application. The flaw, a SQL injection vulnerability tracked as CVE-2023-35708, could allow threat actors to modify and disclose the contents of the MOVEit database. A proof-of-concept for the vulnerability was published on June 15th. Cl0p continued to exploit the MOVEit vulnerabilities to steal data and extort victims, with ransom demands being sent to U.S. government agencies and other victims.

Fraudsters are abusing generative AI, according to a report released by Sift. The Q2 2023 Digital Trust and Safety Index, titled “Fighting fraud in the age of AI automation,” highlighted the use of generative AI in social engineering schemes. Consumers reported an increase in the frequency of spam and scams, likely driven by the surge in AI-generated content, and Sift's own data showed a 40% increase in the average rate of fraudulent content blocked in Q1 2023 compared to the whole of 2022. The ease with which generative AI produces plausible language is the core of the threat: it lowers the barrier to entry for fraud and social engineering scams.

A study conducted by Cofense found that compromised domains accounted for 53% of embedded URLs used to deliver malware. These domains, used by threat actors of moderate to advanced skill, were moderately effective at bypassing Secure Email Gateways (SEGs) and at tricking victims. Abused domains, meaning legitimate services such as Google Docs or Microsoft OneDrive, constituted 37% of embedded URLs and were highly effective but short-lived, because the hosting services detect and remove the abuse quickly. Domains created by the threat actors themselves accounted for just 11% of embedded URLs; they were not very effective at bypassing SEGs, but once delivered they were highly effective at tricking victims.

Mandiant provided updates on the exploitation of CVE-2023-2868, a vulnerability in Barracuda's Email Security Gateway (ESG). The aggressive and highly skilled threat actor UNC4841, believed to be acting on behalf of the Chinese government, targeted organizations primarily in the United States, Norway, Taiwan, and Poland. Academic institutions, defense establishments, and the U.S. Federal Government were the most frequently affected sectors. The vulnerability was still being used by UNC4841 as recently as three weeks before the report, and the phishing campaigns associated with the actor served espionage operations. Barracuda has released both mitigations and patches for the vulnerability, and has advised customers whose appliances were compromised to replace them rather than rely on the patch alone.

In the ongoing Russia-Ukraine hybrid war, Ukraine has experienced a surge in cyberattacks running in parallel with the kinetic fighting, according to U.S. Deputy National Security Advisor Anne Neuberger. The scope of the attacks and the specific sectors targeted were not disclosed. Separately, the GRU's APT28 group, also known as Fancy Bear, used three Roundcube exploits against Ukrainian email servers as part of a recent Russian cyberespionage campaign. The attack succeeded because the victims were running an outdated version of the Roundcube open-source webmail software that remains vulnerable to SQL injection, among other flaws. Detection of the activity was credited to information received from a Western company participating in a program of regular information exchange.
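Both the MOVEit Transfer flaw (CVE-2023-35708) and the outdated Roundcube installs above are SQL injection cases, and the page does not show either code path. The following is an added illustration of the vulnerability class in general, written against an in-memory SQLite table; it is not MOVEit or Roundcube code, and the table, users and tokens are constructed. It places a query that concatenates untrusted input next to the parameterized form, then runs the same two payloads against each: an authentication-bypass tautology and a `UNION` that pulls a column the query was never meant to return, which is the "disclose the contents of the database" outcome described for MOVEit.

```python
"""SQL injection: string-built query beside the parameterized fix.

Added example using SQLite; not code from MOVEit Transfer or Roundcube.
Table contents are constructed.
"""
import sqlite3


def make_db():
    """Build a throwaway in-memory database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT, api_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role, api_token) VALUES (?, ?, ?)",
        [("alice", "admin", "tok-alice-constructed"),
         ("bob", "user", "tok-bob-constructed")],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    """Untrusted input is pasted into the SQL text: the injection pattern."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, username):
    """Parameter binding: the value travels separately and is never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Two classic payloads. The first turns the WHERE clause into a tautology; the
# second closes the string and appends a UNION that reads the api_token column.
# The trailing '--' comments out the quote the original query leaves behind.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT username, api_token FROM users--"


def compare(conn):
    """Run each payload through both functions; returns the observed rows."""
    return {
        "vulnerable": {
            "tautology": lookup_user_vulnerable(conn, PAYLOAD_TAUTOLOGY),
            "union": sorted(lookup_user_vulnerable(conn, PAYLOAD_UNION)),
        },
        "safe": {
            "tautology": lookup_user_safe(conn, PAYLOAD_TAUTOLOGY),
            "union": lookup_user_safe(conn, PAYLOAD_UNION),
        },
    }


if __name__ == "__main__":
    db = make_db()
    for variant, results in compare(db).items():
        for payload, rows in results.items():
            print(f"{variant:10s} {payload:10s} -> {rows}")
```

Against the vulnerable function the tautology returns every user and the `UNION` returns every user's token; against the parameterized function both payloads are simply usernames that do not exist and return nothing. SQLite's Python binding refuses stacked statements, so a `'; UPDATE ...` payload is not shown here, but on database drivers that allow multiple statements per call the same concatenation also permits modification, which is the other impact listed for CVE-2023-35708.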

Apple has patched two security flaws that were used in attacks against thousands of devices in Russia. Russia's Federal Security Service (FSB) attributed the campaign to the U.S. National Security Agency (NSA), although there is no evidence of NSA involvement beyond the FSB's accusation. Apple denied any collaboration with governments to insert backdoors into its products and reiterated its commitment to user privacy and security.

In conclusion, the latest updates in the cybersecurity landscape highlight the prevalence of cyberattacks across various sectors and the exploitation of vulnerabilities by threat actors. As new technologies such as generative AI emerge, fraudsters find innovative ways to abuse them for malicious purposes. Both organizations and individuals need to remain vigilant and employ tailored strategies to defend against evolving threats.
