Written by Vicky Desjardins on 7 March 2023

LastPass: a story in multiple parts

On August 25th, LastPass disclosed that it had observed an intrusion in its cloud environment, but said it had not touched the core of the password vaults. They hired third parties to carry out forensics. In September, the first conclusions gave a view of the targeted infrastructure and the development environment. At the end of November, LastPass disclosed a new incident, stating that the production environment in the cloud had been accessed using data stolen in the August attack. In December, LastPass disclosed its latest incident report, in which a cloud environment had been accessed using backed-up information, still encrypted. This week the origin of the intrusion was identified: the personal computer of a DevOps team member, compromised through a vulnerability in a Plex server! What did we learn from these events? A development environment should be as well protected as a production one. Cyber security is the concern of every actor in the activity, yes, even developers. There is a strict wall between personal and professional to respect: no one should use professional data on a personal computer, and personal activity should be kept to the very minimum on professional computers. Plex should be updated.

Hiatus Targets DrayTek Vigor Router

'Hiatus' is an ongoing attack campaign, active since July 2022, that targets DrayTek Vigor router models 2960 and 3900, steals data from victims and then builds a covert proxy network. DrayTek Vigor devices are VPN routers used by small to medium-sized businesses for remote connectivity to corporate networks. There are three parts to this campaign, of which the HiatusRAT is the most interesting. Once the threat actors gain access to the router, they deploy a bash script that downloads three components to it, among them the HiatusRAT and the legitimate tcpdump utility. The first script downloads the HiatusRAT and executes it; this causes the malware to start listening on port 8816, and if there is already a process running on that port, it kills it first so it can listen on the port unbothered. The purpose of the SOCKS proxy is to forward data from other infected machines through the breached router, obfuscating network traffic and mimicking legitimate behaviour. The threat actors aim to obtain sensitive data transmitted through the compromised router. The Hiatus campaign remains small but dangerous.
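To hunt for the two behaviours described above on a router you administer, here is an added Python example (not code from the original article or from the Hiatus researchers) that checks a constructed `ss -lntp` dump for a listener on port 8816 and a constructed set of flow records for proxy-like fan-out; the router address, process path and flow data are all made up.

```python
"""Hunt for HiatusRAT-style indicators in a router's socket and flow exports."""
import re

HIATUS_PORT = 8816           # listener port named in the write-up
ROUTER_IP = "192.0.2.1"      # constructed router address (TEST-NET-1)

# Constructed sample of `ss -lntp` output from the router (not real data).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("dropbear",pid=412,fd=3))
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*         users:(("lighttpd",pid=530,fd=4))
LISTEN 0      128    0.0.0.0:8816       0.0.0.0:*         users:(("/tmp/.x/update",pid=9911,fd=5))
"""

# Constructed flow records as (src, sport, dst, dport) tuples.
FLOWS = [
    ("198.51.100.7", 51522, ROUTER_IP, 8816),   # inbound session to the RAT port
    (ROUTER_IP, 40001, "203.0.113.10", 443),    # router opens connections outward...
    (ROUTER_IP, 40002, "203.0.113.11", 25),
    (ROUTER_IP, 40003, "203.0.113.12", 993),
    ("10.0.0.5", 51000, ROUTER_IP, 443),        # ordinary admin session, ignored
]

# Matches one LISTEN row of `ss -lntp`: local port, process name, pid.
_SS_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


def find_listeners(ss_text, port=HIATUS_PORT):
    """Return (process, pid) pairs bound to `port` in an `ss -lntp` dump."""
    hits = []
    for line in ss_text.splitlines():
        m = _SS_RE.match(line)
        if m and int(m.group(1)) == port:
            hits.append((m.group(2), int(m.group(3))))
    return hits


def proxy_fanout(flows, router_ip=ROUTER_IP, port=HIATUS_PORT):
    """Coarse relay heuristic: if any host connected to the router on `port`,
    return how many distinct destinations the router itself connected to.
    A router normally terminates traffic; a high count suggests it is
    forwarding other hosts' sessions, as a SOCKS proxy would."""
    inbound = any(dst == router_ip and dport == port for _, _, dst, dport in flows)
    if not inbound:
        return 0
    return len({dst for src, _, dst, _ in flows if src == router_ip})
```

Run it against a real `ss -lntp` capture and NetFlow/conntrack export from the device; a listener on 8816 owned by a binary under /tmp, or a non-zero fan-out, is worth an immediate look rather than proof on its own.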

DoppelPaymer ransomware gang members arrested

Europol, alongside law enforcement in Germany and Ukraine, targeted and arrested two individuals believed to be core members of DoppelPaymer. Law enforcement (including the FBI, the Dutch Police and Europol) raided multiple locations in the two countries in February. Three more suspects have arrest warrants out for them. Law enforcement believes DoppelPaymer has five core members. The group was active from 2019 to 2021 and attacked critical infrastructure.

Machine learning is said to improve the prediction of exploited vulnerabilities

Researchers found that a new machine-learning model improved the ability to predict exploited vulnerabilities to 82%. The Exploit Prediction Scoring System (EPSS) uses more than 1,400 features, including the age of the vulnerability or whether it is remotely exploitable, to predict which software issues will be exploited in the next 30 days. Before we get excited about this good news, several factors must be considered, such as the unpredictability of human behaviour and the dark figure of crime: we cannot measure what we do not know or see. The defining characteristic of a 0day is that it is unknown, which means it is not part of the data studied. Then, once a vulnerability is exposed, there is a rise in interest from various threat actors, which could explain why it is likely to be used within the 30 days after exposure. Also, human behaviour often remains a mystery; academics often refer to human behaviour as the wildcard. Although this is good news for cyber security defenders, it is important to consider the other factors that explain these results.

PoC for an RCE bug

The proof-of-concept for the Microsoft Word vulnerability CVE-2023-21716 was published this weekend. The CVE was graded with a severity of 9.8 because it has low attack complexity and requires neither privileges nor user interaction to exploit. The patch for this vulnerability was part of Patch Tuesday, so we recommend that you have your Microsoft software updated quickly.
