AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response


InfoSec News Nuggets 08/23/2023

‘Cuba’ Ransomware Group Uses Every Trick in the Book 

In June, Russian ransomware group Cuba attacked an organization servicing US critical infrastructure. The cyberattack failed despite the group’s use of multiple CVEs, off-the-shelf tools, unique malware programs, and evasion methods. Cuba is a financially motivated threat actor known for big money ransomware attacks primarily targeting US organizations. In its latest known campaign discovered by BlackBerry, it targeted an American critical infrastructure provider as well as a systems integrator in Latin America. 


New HiatusRAT malware attacks target US Defense Department 

In a new HiatusRAT malware campaign, threat actors have targeted a server belonging to the U.S. Department of Defense in what researchers described as a reconnaissance attack. This is a significant shift in tactics: previous attacks focused on organizations in Latin America and Europe and were deployed to compromise business-class DrayTek Vigor VPN routers, which medium-sized businesses use to connect remotely to corporate networks.


Microsoft is bringing Python to Excel 

Microsoft today announced the public preview of Python in Excel, which will allow advanced spreadsheet users to combine scripts in the popular Python language and their usual Excel formulas in the same workbook. This feature will first roll out to Microsoft 365 Insiders as part of the Excel for Windows beta channel. Yet while the feature will first only be available in the desktop version of Excel, Microsoft notes that the Python calculations will run in the Microsoft Cloud. Python runs perfectly well on any modern PC, so I’m not sure why Microsoft went the cloud route here. 


Ivanti warns customers another zero-day is under active attack 

U.S. software giant Ivanti has scrambled to patch another zero-day vulnerability under active attack. The vulnerability, tracked as CVE-2023-38035 with a vulnerability severity rating of 9.8 out of 10, affects the software company’s Sentry product. Ivanti Sentry (formerly MobileIron Sentry) is a mobile gateway designed to manage, encrypt and secure network traffic between employee devices and a company’s back-end systems. The new vulnerability — known as a zero-day because the company had no time to fix the bug before it was exploited — allows unauthenticated attackers to access sensitive APIs used to configure the Ivanti Sentry on the administrator portal, the company said. Successful exploitation of the zero-day could allow hackers to change configuration, run system commands or write files onto the system. 


CISA Warns of Another Exploited Adobe ColdFusion Vulnerability 

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning organizations that an Adobe ColdFusion vulnerability patched earlier this year is being exploited in attacks. The vulnerability in question is tracked as CVE-2023-26359, and it was added by CISA on Monday to its Known Exploited Vulnerabilities (KEV) Catalog. “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warned. Adobe, which fixed the vulnerability with its March 2023 Patch Tuesday updates, describes CVE-2023-26359 as a critical data deserialization issue that can be exploited for arbitrary code execution.


Cyberattack on UK IT Firm Swan Retail Affects 300 Retailers 

On Sunday, 13 August 2023, Swan Retail, a UK-based retail management and EPOS solutions provider, observed ‘technical difficulties’ in several back-office systems, causing ‘significant’ service disruptions. According to a statement from the company’s representative, its systems were targeted by an unauthorized third party, and the company responded quickly by alerting its internal IT team, affiliated retailers, and law enforcement authorities. Even so, around 300 retailers have been affected by this attack. The company didn’t disclose what kind of attack took place that resulted in such an extensive outage of services.
