Russian Hacking Group Killnet attacks NATO disrupting Turkey Earthquake relief
Largest DDoS Attacks ever recorded thwarted
Swedish Television Station knocked off air and Scandinavian airlines hit by cyber attacks
It is essential to emphasise the significance of promptly installing the latest security updates and disabling the OpenSLP service. This action is particularly critical in light of the recent large-scale campaign of ransomware attacks against Internet-exposed and vulnerable ESXi servers, which was reported last week.
Deployed as part of a massive wave of ongoing attacks, the ESXiArgs ransomware has already impacted thousands of vulnerable targets worldwide (over 2,400 servers, according to current data from Censys).
The attackers specifically target products that are "significantly out-of-date" or have already reached their End of General Support. In order to safeguard their systems, organisations must apply the patches released to address this vulnerability as soon as possible.
Our analysts have noticed an increase in phishing emails contain credential stealers. Multifactor authentication acts as a defence against this however users still need to remain vigilant as they are becoming used to simply accepting prompts from their MFA App. It only requires a single user in your organisation to fall for this. The attackers are then hoping to bag the credentials of privileged or target users in the organisation.
This week saw Microsoft release its February 2023 Patch Tuesday which included security updated for 77 flaws, including three zero-day vulnerabilities that are actively being exploited by threat actors. Out of the 77 vulnerabilities, nine were classified as ‘Critical’ since they permit remote code execution on vulnerable devices.
The three zero-day vulnerabilities are:
CVE-2023-2183- a Windows Graphics Component Remote Code Execution Vulnerability that enables attackers to commands with SYSTEM privileges.
CVE-2023-21715 – is a Microsoft Publisher Security Features Bypass Vulnerability, which allows macros in a malicious Publisher document to run without first warning a user.
CVE-2023-23376- is a Windows Common Log File System Driver Elevation of Privilege Vulnerability that could allow an attacker to gain SYSTEM privileges.
Elsewhere, Apple released a solution for two fresh vulnerabilities that impact iOS and iPadOS. We recommend that you update your devices immediately. One of the vulnerabilities, CVE-2023-23514, is a kernel problem that enables hackers to execute arbitrary code on a user's device with kernel privileges. The other vulnerability, CVE-2023-23529, affects WebKit, the browser engine utilized by Safari and various other apps such as Mail and App Store. It allows attackers to produce harmful web content that could lead to arbitrary code execution.
Patching vulnerabilities as soon as possible is critical in ensuring the security of systems and devices. Cybercriminals frequently exploit known vulnerabilities to gain access to systems and steal sensitive information, and the longer a vulnerability remains unpatched, the greater the risk of an attack. It is essential to ensure that software patches and security updates are installed as soon as they become available to maintain the security and integrity of the system.
If you need help with patch management get in touch with the experts at Integrity 360.
The Killnet group of Russian hackers disrupted communication between NATO and military aircraft providing aid to earthquake victims in the Turkish-Syrian region, that has claimed the lives of over 40,000 people.
A NATO official confirmed that the alliance was targeted in a cyberattack, with the group claiming responsibility for the distributed denial of service (DDoS) attack through one of their Telegram channels. Although NATO's Special Operations Headquarters website in Belgium was downed briefly, it was soon restored. The attack also affected other organisations, including the Strategic Airlift Capability, a multi-national organisation that depends on NATO for military and humanitarian airlifts.
A NATO official confirmed the attack, stating that NATO cyber experts are actively addressing the incident that has impacted some NATO websites. The official emphasized that NATO takes cyber security very seriously and regularly deals with cyber incidents. Meanwhile, western security agencies have classified Killnet as a group of pro-Kremlin activists who carry out DDoS attacks to disrupt military and government websites of nations that support Ukraine.
DDoS-mitigation vendor Cloudflare, reported that its customers suffered from a wave of volumetric attacks, including the largest such attack on record. The majority of attacks peaked at 50-70 million requests per second, with the largest exceeding 71 million rps.
The attacks originated from over 30,000 IP addresses, and some of the affected websites included a popular gaming provider, cryptocurrency companies, hosting providers, and cloud computing platforms. The audacity of attackers has been increasing, with ransom DDoS attacks steadily increasing throughout the year. DDoS-for-hire services make it easy for threat actors to launch attacks.
There is an increasing tendency for DDoS attackers to use cloud providers as the source of their network traffic, rather than the more common tools of IoT devices and home gateways, which are often rolled into botnets by attackers.
On Tuesday, Sweden's national public television broadcaster, SVT, temporarily went down due to a cyber-attack. The attack was claimed by a group called "Anonymous Sudan" on their Telegram channel, stating it was in response to Koran burnings in Sweden, and that Swedish media would be targeted.
On the same day, Scandinavian airline SAS experienced a cyber-attack which temporarily paralyzed its website and leaked customer information from its app. Although SAS urged customers to avoid using its app, it later confirmed that the issue had been resolved. Unfortunately, these incidents are not isolated and serve as a reminder of the constant threat to cyber security in the airline and airport industry. For instance, Go First airline's Twitter account was breached last year, and TAP Air Portugal had to respond to a data breach in which sensitive personal information of some passengers was exposed on the dark web. Furthermore, several major US airports encountered a series of cyber-attacks in October.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.
If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.
We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
Join us in Dublin or London for the Security First 2022 conference. We'll be bringing together industry professionals and specialist experts to discuss the latest cyber security trends and offer actionable advice on preparing your business to put security first in 2022.