CYBERSECURITY NEWS V. February — what happened?


A round-up of the major security events that have happened so far in this new year.

This year started only a little over two months ago, but a lot has already happened in the security world. Criminals don’t sit still, and neither do the researchers. Let’s take a look at the major events that have occurred to date in 2023.

Breaches and more breaches

There have already been some major breaches this year:

  • Atlassian: It was reported that Atlassian was breached. Atlassian initially blamed Envoy, a third-party service, for the breach. However, it was later revealed that the attackers obtained an Atlassian employee’s credentials from a public repository. SiegedSec, a notorious hacker group, has claimed responsibility for the attack.
  • Reddit: Reddit, one of the biggest social media and discussion sites, was reportedly breached on 10 February. Once again, a stolen employee credential allowed attackers to access some internal source code, employee data, and more. According to Reddit’s statement, the employee fell victim to a phishing campaign.
  • T-Mobile: German telecom giant T-Mobile announced around mid-January that it had suffered a breach, leaking 37 million account details. Although the breach occurred in November 2022, T-Mobile first noticed malicious activity around the beginning of January. The attacker had exploited an exposed API to pull the data.

These were some of the major breaches, and as usual we see the same ingredients: leaked credentials, phishing, exposed APIs, and so on. These things will continue throughout the year; take our word for it.

Sudo Exploit: CVE-2023-22809

Another year, another major sudo vulnerability. A flaw in the sudoedit (“sudo -e”) implementation allowed users who were permitted to run sudoedit as root to edit files they were not authorized to touch, which can lead to privilege escalation. One proof-of-concept exploit demonstrated this by editing the sudoers file (sudo’s configuration file) to grant arbitrary root access.

Versions 1.8.0 through 1.9.11 (both inclusive) are affected by this vulnerability, and it is advised to upgrade to 1.9.12, the patched version. Otherwise, affected systems remain vulnerable.
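As an added example (not from the Hexway post), the following POSIX shell script checks whether a sudo version string falls inside the affected range stated above (1.8.0 through 1.9.11, fixed in 1.9.12). It compares versions component by component, so that 1.9.11 sorts before 1.9.12 and a patch-level suffix such as “p1” is ignored; the local check at the bottom assumes `sudo -V` prints “Sudo version X.Y.Z” on its first line.

```shell
#!/bin/sh
# Added example: is the installed sudo inside the CVE-2023-22809 range?
# Affected: 1.8.0 <= version <= 1.9.11. Fixed: 1.9.12 (per the advisory cited above).

# verlt A B: return 0 (true) if version A is strictly less than version B.
# Components are compared numerically; a non-digit suffix ("12p1") is stripped.
verlt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=$(printf '%s' "${a%%.*}" | sed 's/[^0-9].*//'); ac=${ac:-0}
        bc=$(printf '%s' "${b%%.*}" | sed 's/[^0-9].*//'); bc=${bc:-0}
        [ "$ac" -lt "$bc" ] && return 0
        [ "$ac" -gt "$bc" ] && return 1
        # drop the component just compared; stop when no dot is left
        case "$a" in *.*) a=${a#*.};; *) a="";; esac
        case "$b" in *.*) b=${b#*.};; *) b="";; esac
    done
    return 1   # versions are equal, so A is not less than B
}

# sudo_affected VERSION: return 0 if VERSION is in [1.8.0, 1.9.12), else 1.
sudo_affected() {
    ! verlt "$1" 1.8.0 && verlt "$1" 1.9.12
}

# Check the locally installed sudo, if present. "sudo -V" prints the version
# line to any user; root gets additional build details on later lines.
if command -v sudo >/dev/null 2>&1; then
    installed=$(sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p')
    if sudo_affected "$installed"; then
        echo "sudo $installed is affected by CVE-2023-22809; upgrade to 1.9.12 or later"
    else
        echo "sudo ${installed:-unknown} is outside the affected range"
    fi
fi
```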

KillNet continues to threaten

A hacktivist collective known as KillNet, formed around March 2022, has continued to threaten multiple sectors including banking, healthcare, and airlines. The pro-Russia hacking group recently hit NATO’s headquarters in an attempt to disrupt its aid program for the devastating earthquakes that struck Turkey and Syria earlier this month.

Further, KillNet has recently targeted the healthcare industry in the US and Europe. Websites of multiple medical institutions were brought down in a series of DDoS attacks at the end of January, and the group also stole data and published it. KillNet continues to perform DDoS attacks on high-value targets and to threaten others.

Resurgence of Mirai

As we all know, the Mirai botnet is one of the most notorious in cybersecurity history. Since its discovery in 2016, Mirai has carried out multiple high-profile DDoS attacks. Over the years, numerous Mirai variants have caused havoc, and new ones keep emerging because the botnet’s source code is openly available.

2023 is no different. Palo Alto’s security intelligence team, Unit 42, revealed that Mirai has resurfaced in the form of a new variant, dubbed V3G4. As before, the botnet targets Linux and IoT devices that have a public IP address. The variant looks for unpatched devices and compromises them through known vulnerabilities, mainly remote code execution exploits. It is advised to keep all your devices up to date, since the variant relies on vulnerabilities that already have fixes.

Jailbroken Chromebooks

Chromebooks are widely used in colleges, schools, and institutions as enrolled devices that only allow access to specific functionality, controlled by administrators who create policies according to their requirements.

A new exploit dubbed “Sh1mmer” is a jailbreaking technique that bypasses the device restrictions and lets the user unenroll the device from the managed network. The exploit works by gaining arbitrary remote code execution during ChromeOS recovery mode. All that is needed is a USB stick with a custom “shim” image matching the Chromebook’s board version. During the recovery process, this custom “shim” image is used as the recovery source, enabling several functions: un-enrolling or re-enrolling the device, enabling developer mode, starting a bash terminal, and so on.

RCE in ClamAV

A critical remote code execution vulnerability was found in ClamAV, a popular open-source antimalware/antivirus detection toolkit maintained by Cisco. One of Google’s security engineers discovered the vulnerability in the HFS+ partition file scanner module: a maliciously crafted file submitted for scanning can result in arbitrary code execution. The root cause is a heap buffer overflow.

The bug was assigned CVE-2023-20032, and Cisco promptly provided a patched version. Check the CVE advisory for details on the updated version and make sure your ClamAV instances are not vulnerable.

Want to receive more hot cybersecurity news and updates from Hexway? Subscribe to our newsletter!