[Information Security Daily] On May 2, the Russian hacker group APT28 attacked Ukrainian government agencies again, this time launching a phishing attack under the guise of IT personnel | iThome


by admin

During the war, Russian hackers have frequently launched phishing attacks against Ukraine, most of them using war-situation reports and air-raid alerts as the lure. This time the pretext is a computer update, sent in the name of the target's own IT staff, and used to collect system information; a recipient is quite likely to take it at face value and follow the sender's instructions.

A new ransomware family is also worth keeping an eye on. Researchers recently disclosed a family called Rapture and pointed out an unusual trait: where many ransomware families simply terminate various processes before encrypting so that encryption runs without interference, Rapture first inspects the victim environment, checking the firewall policy, the PowerShell version and other conditions, before it proceeds.

With the war in Ukraine now more than a year old, there have been incidents of attacks on satellite networks, and the related security issues have begun to attract attention. At the recently held space-industry cybersecurity conference CYSAT, the European Space Agency (ESA) invited researchers to attack one of its satellites in an exercise, and researchers from the security company Thales successfully demonstrated the relevant attack techniques.

【Attack and Threat】

Under the guise of a Windows update, the Russian hacker group APT28 launched a phishing attack on Ukrainian government agencies to collect information about the targets' computers

The Ukrainian Computer Emergency Response Team (CERT-UA) issued a warning that the Russian hacker group APT28 targeted multiple Ukrainian government agencies while posing as their system administrators: the attackers registered Outlook.com mailboxes in the names of the organizations' real system administrators (@outlook.com addresses) and used them to send phishing emails.

The email asks the recipient to run a PowerShell command in order to "update" the Windows operating system. Once run, the command downloads further PowerShell code and displays a fake "update" progress bar, but in fact it performs reconnaissance with commands such as tasklist and systeminfo, collects the system information, and sends it off in an HTTP request to a specific Mocky API endpoint.

CERT-UA recommends that system administrators restrict the use of PowerShell on important computers and monitor for any unusual connections to the Mocky service.
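The monitoring CERT-UA recommends can be expressed as a simple correlation rule: a PowerShell process that spawns tasklist or systeminfo and, within a short window, the same host talking to the Mocky service. The code below is an added example written for this digest, not tooling from CERT-UA or iThome. The telemetry records are constructed in a simplified Sysmon-like shape, the pasted command line is a placeholder, and the Mocky host names are an assumption about the public service and should be replaced with the indicators from the actual advisory.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicator list for the public Mocky service (placeholder; use the
# indicators from the CERT-UA advisory in practice).
MOCKY_HOSTS = {"run.mocky.io", "designer.mocky.io"}
RECON_TOOLS = {"tasklist.exe", "systeminfo.exe"}
WINDOW = timedelta(minutes=10)

# Constructed sample telemetry. WS-101 shows the reported chain; ADMIN-01 shows
# an administrator legitimately running systeminfo from cmd.exe, which must
# not raise an alert.
EVENTS = [
    {"ts": "2023-05-02T09:14:03", "host": "WS-101", "type": "process",
     "parent": "explorer.exe", "image": "powershell.exe", "pid": 4120,
     "cmdline": "powershell -c <pasted 'update' command>"},
    {"ts": "2023-05-02T09:14:05", "host": "WS-101", "type": "process",
     "parent": "powershell.exe", "image": "tasklist.exe", "pid": 4133,
     "cmdline": "tasklist"},
    {"ts": "2023-05-02T09:14:06", "host": "WS-101", "type": "process",
     "parent": "powershell.exe", "image": "systeminfo.exe", "pid": 4140,
     "cmdline": "systeminfo"},
    {"ts": "2023-05-02T09:14:09", "host": "WS-101", "type": "network",
     "image": "powershell.exe", "pid": 4120,
     "dest_host": "run.mocky.io", "dest_port": 443},
    {"ts": "2023-05-02T10:02:41", "host": "ADMIN-01", "type": "process",
     "parent": "cmd.exe", "image": "systeminfo.exe", "pid": 880,
     "cmdline": "systeminfo"},
    {"ts": "2023-05-02T10:03:00", "host": "ADMIN-01", "type": "network",
     "image": "chrome.exe", "pid": 912,
     "dest_host": "www.example.com", "dest_port": 443},
]


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def mocky_connections(events):
    """The direct check from the advisory: any traffic to the Mocky service."""
    return [ev for ev in events
            if ev["type"] == "network" and ev["dest_host"].lower() in MOCKY_HOSTS]


def recon_from_powershell(events):
    """Recon utilities whose parent process is PowerShell."""
    return [ev for ev in events
            if ev["type"] == "process"
            and ev["parent"].lower() == "powershell.exe"
            and ev["image"].lower() in RECON_TOOLS]


def correlate(events):
    """Per host: PowerShell-spawned recon followed within WINDOW by Mocky traffic."""
    by_host = defaultdict(lambda: {"recon": [], "net": []})
    for ev in recon_from_powershell(events):
        by_host[ev["host"]]["recon"].append(ev)
    for ev in mocky_connections(events):
        by_host[ev["host"]]["net"].append(ev)

    findings = []
    for host, parts in by_host.items():
        for net in parts["net"]:
            tools = sorted({r["image"] for r in parts["recon"]
                            if timedelta(0) <= _t(net) - _t(r) <= WINDOW})
            if tools:
                findings.append({"host": host, "tools": tools,
                                 "exfil_to": net["dest_host"], "at": net["ts"]})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f"[ALERT] {f['host']}: {', '.join(f['tools'])} spawned by PowerShell, "
              f"then connection to {f['exfil_to']} at {f['at']}")
```

The Mocky connection alone is a weaker but still useful signal, since a government workstation has little reason to talk to a mock-API service; the correlation with PowerShell-spawned recon is what turns it into a high-confidence finding.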

To improve its chances of success, the Rapture ransomware probes the victim's computer in several ways before it is deployed

The security company Trend Micro disclosed a ransomware family called Rapture. It observed related attacks from March to April this year and noted that the attackers try to leave as few traces as possible on the victim's computer, encrypting files only 3 to 5 days after the initial intrusion. The researchers first saw the attackers inject the ransomware into legitimate processes, in a manner resembling the in-memory loading of the penetration-testing tool Cobalt Strike. In some cases the ransomware was also disguised as an event log file (.log).


Then, to make the encryption run without interference, the attackers gather more system information before issuing the specific commands that launch the ransomware: first the firewall policy and the installed PowerShell version. The ransomware also looks for vulnerable Log4j libraries.

Researchers demonstrate how to hijack an ESA satellite

At the third CYSAT space-industry cybersecurity conference, held in Paris on April 26 and 27, the European Space Agency (ESA) put forward its OPS-SAT satellite and publicly invited white-hat hackers to try to break into it. Four researchers from the security company Thales succeeded in accessing the demonstration satellite's on-board system and exploited several vulnerabilities to implant malicious code on the satellite.

The actions they took could be used to falsify the data the satellite sends back to Earth, to mask certain geographic locations in satellite imagery, and even to conceal the attack from ESA's own monitoring. The researchers' demonstration is described as the world's first offensive and defensive exercise targeting a satellite system.

【Vulnerabilities and Fixes】

A critical vulnerability in Zyxel firewall equipment, if left unpatched, may be exploited to execute OS commands

Zyxel, a Taiwanese network equipment vendor, issued a security advisory on April 25 disclosing a critical vulnerability, CVE-2023-28771, in its firewall equipment. The flaw stems from improper handling of error messages; without any authentication, an attacker who sends crafted packets to the target device can remotely execute some operating system commands. The vulnerability has a CVSS score of 9.8.

The vulnerability affects the ATP, USG Flex, VPN, ZyWall and USG product lines. The company released firmware version 5.36 for ATP, USG Flex and VPN devices, and version 4.73 Patch 1 for ZyWall and USG devices.

Apple Releases First Rapid Security Response Update for Exploited Vulnerabilities

When Apple announced the macOS Ventura operating system in June last year, it also introduced a rapid patching mechanism called Rapid Security Response.

On May 1 this year, Apple shipped such an update for the first time, for iOS 16.4.1, iPadOS 16.4.1 and macOS 13.3.1, and stressed that unless the user has changed the device's software update settings, the phone, tablet or computer will receive and install it automatically. After a successful install, the operating system version gains an extra letter at the end, for example macOS 13.3.1 (a). Apple has not stated which vulnerabilities this update fixes.


It is worth noting that Apple says this patching mechanism is only available to devices running the latest versions of iOS, iPadOS and macOS; if users turn it off, their devices will receive the fixes in the next regular software update instead.

A GhostToken vulnerability in Google Cloud Platform could let attackers hijack user accounts

The security company Astrix disclosed a zero-day vulnerability in Google Cloud Platform (GCP) it calls GhostToken. An attacker exploiting this OAuth flaw can disguise a malicious program as a legitimate application or service, publish it on the Google Marketplace or other app marketplaces, and lure users into installing it.

Once a user has been fooled, the attacker can hide the malicious application inside the victim's Google account so that it cannot be removed through the account's application management page. According to Astrix, the trick is to place the GCP project behind the application into a pending-deletion state, which removes it from the management page while the refresh token it was granted stays valid; restoring the project brings the token back into use. So the attacker can not only hide the program but also abuse the token to access the victim's Google account at will.

The researchers noted that, depending on the permissions the victim granted to the malicious program, the attacker may be able to read Gmail messages, access private files and pictures in Google Drive and Google Photos, view appointments in Google Calendar, and even track the victim's location through Google Maps. The researchers reported the issue in June last year, and Google completed the fix on April 7 this year.

U.S. warns of major flaw in Illumina’s DNA testing system

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) jointly issued a warning about the vulnerabilities CVE-2023-1968 and CVE-2023-1966 in the Universal Copy Service component of Illumina's DNA sequencing systems. If exploited, they allow an attacker to upload and execute code at the operating system level without authentication, and potentially to tamper with settings and sensitive product data.

The more serious of the two, CVE-2023-1968, is rated critical with a CVSS score of 10 and allows an unauthenticated attacker to listen to network traffic in order to find further vulnerable systems. Illumina issued a security notice on April 5 with proposed mitigations.


【Information Security Industry Trends】

Google blocked more than 170,000 developer accounts in 2022

On April 27, Google reported on the security of the Google Play ecosystem in 2022. The company blocked a total of 173,000 developer accounts and prevented 1.43 million apps from being published on Google Play. It raised the bar for developer identity verification by requiring verification by phone and email, among other measures, and worked with SDK vendors to reduce access to and sharing of sensitive data. Google said these measures prevented more than US$200 million in fraud losses.

Google uses the Google Play App Security Improvement program to check apps for security weaknesses, and in 2022 it helped developers fix about 500,000 security flaws across some 300,000 apps. Google also promoted the Mobile App Security Assessment (MASA) program early last year; apps that pass the assessment can display the MASA badge.

The synchronization function added to Google Authenticator may have security risks, and the company promises to improve it with end-to-end encryption

Shortly after Google announced that it would add a synchronization (cloud backup) function to its one-time password generator Authenticator, some researchers warned that users should leave the feature disabled for now, because Google does not use end-to-end encryption (E2EE) for it, so users' two-factor authentication secrets could be exposed. In response, Christiaan Brand, Google's product manager for identity and security, committed to adding E2EE in the future. The security company Mysk pointed out that because the QR code the app generates contains the one-time password seed, anyone who obtains that secret from the unencrypted traffic can generate new one-time passwords themselves, which defeats the two-factor protection.

【Other news】

Anonymous Sudan paralyzes major Israeli news site on Independence Day

Americold, a refrigerated logistics provider, is reported to have been attacked by a cyber attack

T-Mobile confirms second data breach this year

Ransomware group BlackCat claims to have breached hard drive maker Western Digital and releases the company's internal data

UK secondary school Hardenhuish hit by ransomware attack

Recent Information Security Daily

[April 28] Vietnamese hackers spread the SYS01 Stealer malware through advertisements posted via Facebook business accounts

[April 27] Chinese hacker group spreads the MsgBot backdoor through Tencent instant messaging software, targeting NGOs

[April 26] A fire broke out in the information security department of the Ministry of Justice Investigation Bureau, suspected to have been caused by overloaded computer equipment
