Progress Software has recently patched a third vulnerability in its MOVEit file transfer application. The company disclosed that the flaw was a SQL injection vulnerability (CVE-2023-35708) that could allow an attacker to modify and disclose MOVEit database content. A proof-of-concept for the vulnerability was published on June 15th. However, Progress Software reassured customers that it has not seen any evidence of the vulnerability being exploited.
As a precautionary measure, Progress Software temporarily took MOVEit Cloud offline for maintenance in order to protect its customers. The company stated that this action was not a response to any malicious activity, but was taken so that MOVEit Cloud could be disabled and patched quickly. Product teams and third-party forensics partners have reviewed the vulnerability and confirmed that the fix successfully addresses the issue. The patch has been applied to all MOVEit Cloud clusters and is now available for MOVEit Transfer customers.
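The MOVEit flaw is described only as a SQL injection, so the following is an added, generic illustration of that vulnerability class and its standard fix, not code from Progress Software or from the MOVEit product. It uses a constructed in-memory SQLite table and a hypothetical user lookup; the point is that a query built by string concatenation lets input change the query's logic, while a parameterized query keeps the same input as plain data.

```python
import sqlite3

# Constructed sample rows for the demonstration; this is not MOVEit's schema.
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Injectable pattern: the input is spliced into the SQL text itself,
    so quote characters in the input can alter the WHERE clause."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the input is bound as a parameter, so the database
    driver treats it as a value to compare against, never as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username: str) -> tuple:
    """Return (rows from the injectable query, rows from the parameterized query)
    for the same input, so the difference in behaviour is directly visible."""
    conn = make_db()
    return (
        len(lookup_vulnerable(conn, username)),
        len(lookup_parameterized(conn, username)),
    )
```

For a normal username both lookups return the same single row. For input containing a quote, the concatenated query's WHERE clause is rewritten and it returns every row in the table, which is the "disclose database content" outcome the advisory warns about, whereas the parameterized query simply finds no user with that literal name. A review that flags every string-built query and replaces it with bound parameters is the durable fix; input filtering alone is not.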
Moving on, Microsoft has published a report describing a Russian state-sponsored threat actor known as “Cadet Blizzard.” This threat actor is associated with Moscow’s General Staff Main Intelligence Directorate (GRU) and is engaged in destructive attacks, espionage, and information operations. Cadet Blizzard primarily targets Ukraine and has conducted destructive cyber operations in support of broader military objectives.
According to Microsoft, Cadet Blizzard was responsible for creating and deploying WhisperGate, a destructive capability that wipes Master Boot Records (MBRs), against Ukrainian government organizations. This occurred a month before Russia invaded Ukraine, foreshadowing the destructive activity that followed. Cadet Blizzard is also linked to the defacement of several Ukrainian organizations' websites and operates the hack-and-leak forum called “Free Civilian.” Microsoft’s report highlights the emergence of this novel GRU-affiliated actor as a notable development in the Russian cyber threat landscape.
In addition, Symantec has outlined the activities of a threat actor known as Shuckworm, which the Ukrainian government has attributed to Russia’s Federal Security Service (FSB). Shuckworm has been conducting cyberespionage against Ukrainian military, security, research, and government organizations. The attackers have focused on machines containing sensitive military information that could be exploited to support Russian kinetic war efforts.
These attacks began in February/March 2023, and some organizations have indicated that the attackers had access to significant amounts of sensitive information. The attackers even targeted the human resources departments of organizations, suggesting that gathering information about individuals working for these organizations was a priority.
Another emerging threat is the Mystic Stealer malware. Researchers at Cyfirma have identified Mystic Stealer as a new information stealer that is gaining traction in the cyber threat landscape. The developers of Mystic Stealer made the malware available for testing to well-known veterans within the forum. These veterans verified its effectiveness and provided feedback for further enhancements, leading to ongoing updates and improvements. As a result, Mystic Stealer has established a stronger foothold in the threat landscape, as evidenced by the rising number of command and control (C2) panels observed in the wild.
What makes Mystic Stealer particularly dangerous is the community feedback loop from its customers. The developers actively use this feedback to make the tool more effective and efficient. For instance, the malware can capture history and auto-fill data, bookmarks, cookies, and stored credentials from nearly 40 different web browsers. It can also collect Steam and Telegram credentials, as well as data related to installed cryptocurrency wallets. Mystic Stealer specifically targets more than 70 web browser extensions for cryptocurrency theft and uses the same functionality to target two-factor authentication (2FA) applications.
Lastly, Bitdefender has shared its discovery of a new custom malware strain called RDStealer, which uses DLL sideloading for cyberespionage purposes. The malware monitors incoming Remote Desktop Protocol (RDP) connections that have client drive mapping enabled. Once the victim’s device is infected with the Logutil backdoor, sensitive data is extracted.
It’s worth noting that both RDStealer and Logutil are written in the Go programming language, which makes it straightforward to build them for multiple operating systems. Researchers have found instances of these malware strains affecting Linux and ESXi systems. The threat actor behind RDStealer, active since at least 2020, is believed to be based in China, although this has yet to be confirmed. Credential theft and data exfiltration are believed to be the primary goals of this cyberespionage campaign.
In conclusion, the cybersecurity landscape continues to face various threats, including software vulnerabilities, state-sponsored threat actors, evolving malware strains, and cyber espionage tools. Organizations and individuals must remain vigilant and implement robust security measures to protect their sensitive information from potential attacks.