The main attacks and vulnerabilities found by our experts last week: 19th to 23rd September
Here are the most relevant headlines of the week, take note and keep informed of all the details:
Revolut, the online bank that has a banking license in Lithuania, has been the victim of a cyber-attack in which the personal information of more than 50,000 customers has been compromised.
The incident occurred a week ago and has been described as “highly targeted”.
According to the Lithuanian Data Protection Agency, 50,150 customers have been affected, 20,687 of them belonging to the European Economic Area.
All indications are that the threat actor relied on social engineering as the entry vector, although at this stage the details of how the attacker gained access to the bank’s database have not been disclosed.
The Agency notes that the information exposed includes email addresses, first and last names, postal addresses, phone numbers, limited payment card details, and account details.
Revolut has issued a statement saying that no card details or passwords have been accessed.
More info here.
The results of an investigation published by researchers at AdvIntel report that the ransomware operators Quantum and BlackCat have added Emotet to their TTPs, using it as a dropper in their operations.
Emotet emerged in 2014 and was classified as a banking trojan. Its evolution eventually turned it into a botnet that Conti ransomware operators used in their operations until June 2022, when it was disbanded.
The method currently adopted by Quantum and BlackCat is to have Emotet install a Cobalt Strike beacon, which in turn deploys a payload that allows them to take control of networks and carry out their ransomware operations.
According to experts, Emotet has increased its activity since the beginning of the year by distributing itself via .lnk files, and it is estimated that more than 1.2 million computers are infected.
More info here.
Researchers at Trellix have released details of the exploitation of a vulnerability in the Python programming language that has been overlooked for 15 years. This bug could affect more than 350,000 open-source repositories and could lead to code execution.
The researchers rediscovered the vulnerability while reviewing other unrelated bugs, concluding that it was CVE-2007-4559, already documented in an initial report in August 2007, and which has remained unpatched to this day.
Only in 2022 did the Python Bug Tracker produce an update, and that was limited to the documentation, which merely warned developers about the risk. For its part, Trellix points out that the bug persists, and has provided explanatory videos on how to exploit it.
The vulnerability lies in the extract and extractall functions of the tarfile module, which allow an attacker to overwrite arbitrary files by placing the path-traversal sequence “..” in the filenames of a TAR archive.
In addition, Trellix has announced patches for just over 11,000 projects, although, for the moment, the Python Software Foundation has not commented on the vulnerability, so extreme caution is recommended as this bug represents a clear risk to the software supply chain.
More info here.
CISA has issued a total of eight security advisories warning of vulnerabilities in industrial control systems (ICS), including critical flaws affecting Dataprobe iBoot-PDU products.
It should be noted that power distribution units (PDUs) are used to remotely manage the power supply of systems commonly used in critical infrastructures. Claroty security researchers discovered seven vulnerabilities in the Dataprobe product, including CVE-2022-3183 and CVE-2022-3184 with a CVSS of 9.8.
David Weiss, CEO of Dataprobe, has indicated that the security issues have been patched in version 1.42.06162022 and that others are fixed by a proper configuration such as disabling SNMP, telnet, and HTTP.
More info here.
Researchers from Microsoft and VMware have reported a malicious campaign by the Chromeloader malware, a malicious extension for the Chrome browser, aimed at infecting victims’ devices with multiple malicious programs.
During the first quarter of 2022, Chromeloader came to the limelight in the form of adware and later became a stealer specializing in stealing data stored in the browsers of targeted users.
However, according to Microsoft, there is currently an ongoing campaign attributed to the threat actor tracked as DEV-0796, which makes use of this malware to launch much more powerful and targeted payloads.
Chromeloader has been found to be deployed in ISO files that are distributed via malicious advertisements and YouTube video comments.
In addition, as VMware details in its report, there are at least 10 variants of this malware disguised as utilities for managing movie subtitles or as music players and, more worryingly, one variant of Chromeloader that delivers the Enigma ransomware in an HTML file.
More info here.