Headline
Go Beyond the Headlines for Deeper Dives into the Cybercriminal Underground
Discover stories about threat actors’ latest tactics, techniques, and procedures from Cybersixgill’s threat experts each month. Each story brings you details on emerging underground threats, the threat actors involved, and how you can take action to mitigate risks. Learn about the top vulnerabilities and review the latest ransomware and malware trends from the deep and dark web. Stolen ChatGPT
Discover stories about threat actors’ latest tactics, techniques, and procedures from Cybersixgill’s threat experts each month. Each story brings you details on emerging underground threats, the threat actors involved, and how you can take action to mitigate risks. Learn about the top vulnerabilities and review the latest ransomware and malware trends from the deep and dark web.
****Stolen ChatGPT credentials flood dark web markets****
Over the past year, 100,000 stolen credentials for ChatGPT were advertised on underground sites, being sold for as little as $5 on dark web marketplaces in addition to being offered for free.
Stolen ChatGPT credentials include usernames, passwords, and other personal information associated with accounts. This is problematic because ChatGPT accounts may store sensitive information from queries, including confidential data and intellectual property. Specifically, companies increasingly incorporate ChatGPT into daily workflows, which means employees may disclose classified content, including proprietary code. Cybersixgill’s threat analysts detected advertisements for stolen ChatGPT credentials on popular dark web marketplaces, in addition to an advertisement for an AI chatbot allegedly capable of generating malicious content.
What should companies do to protect employees and critical assets from the unintended risks posed by ChatGPT?
Click here to read more
****Pro-Russian hacktivists attack Microsoft platforms, threaten European banking system****
A highly active pro-Russian hacktivist group knocked offline multiple Microsoft platforms, demanding US$1M dollars to halt the attacks, echoing the collective’s strategy in a recent Distributed-Denial-of-Service (DDoS) incident targeting Scandinavian Airlines. While Microsoft initially provided evasive explanations for the outages, it later confirmed that Azure, Outlook, and OneDrive web portals were inaccessible due to Layer 72 DDoS attacks attributed to the hacktivist group. Our threat experts observed the group boasting about the Microsoft attack on the underground, in addition to an ally announcing a new pro-Russian coalition that plans to attack the European banking system.
While DDoS attacks have intensified since Russia invaded Ukraine in February 2022, hacktivists’ recent shift to blackmail indicates an emerging financial dimension of politically motivated incidents. With these risks in mind, what should organizations do to prepare for more DDoS campaigns launched by pro-Russian gangs, and the possibility of accompanying blackmail demands?
Click here to read more
****New malware steals data from browsers and password managers****
Advertisements for a new type of information stealer are showing up on Russian-language cybercrime forums. While the stealer debuted in April 2023, sales reportedly spiked in June, which could indicate an increase in attacks using the malware. The malware allegedly targets close to 200 browsers, extensions, and password managers, among other applications. Our threat research team observed the malware’s developers touting its features on the underground, in addition to threat actors questioning the stealer’s capabilities.
Once executed, the stealer collects data related to the operating system and hardware, sending a screenshot to attackers’ command-and-control3 (C2) servers. The stealer then targets specific information stored in various applications, including web browsers. The malware can be rented for $150/month or $390 for four months, with advertisements posted on popular cybercrime forums that Cybersixgill collects.
As the emergence of new stealer malware illustrates, data theft tools remain popular on the underground. Such tools extract sensitive information, including credentials and other valuable data. With powerful user-friendly stealers readily available on the underground, what should organizations do to protect against such threats?
Click here to read more
****New VMware critical vulnerability exploited in the wild****
VMware recently released an advisory related to a critical remote code execution (RCE) vulnerability (CVE-2023-20877), warning that threat actors are already exploiting the flaw in attacks. While an update was released to address the command injection vulnerability, two unpatched instances of VMware’s Aria Operations for Networks3 remain highly vulnerable. Ultimately, threat actors could leverage CVE-2023-20887 to access networks and inject malicious commands into Aria Operations for Networks, which could lead to data theft, data corruption, or even complete system compromise.
As of July 3, 2023, Cybersixgill’s DVE module assigned CVE-2023-20887 a severe score (9.23), indicating the threat posed by the flaw to unpatched systems. This score is dynamic and may continue to rise – especially given the existence of a publicly available proof-of-concept (PoC) for the CVE published by a threat hunter on GitHub. According to the data collected by the Cybersixgill Investigative Portal, CVE-2023-20887 is related to at least one advanced persistent threat (APT). This means the vulnerability is likely being actively exploited by sophisticated threat actors who may be able to bypass traditional security measures.
Our threat experts observed a PoC for this vulnerability circulating on the underground, and ransomware groups may see this vulnerability as a great opportunity to launch attacks and demand payments in double extortion schemes. In light of this, what should corporations using VMWare do to thwart the actions of cybercriminals?
Click here to read more
Subscribe to Cybersixgill’s Beyond the Headlines monthly magazine and receive detailed insights each month from our threat research team about the latest threats and threat actors’ TTPs on the deep, dark web. To get the latest updates, click here.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
VMware has released software updates to correct two security vulnerabilities in Aria Operations for Networks that could be potentially exploited to bypass authentication and gain remote code execution. The most severe of the flaws is CVE-2023-34039 (CVSS score: 9.8), which relates to a case of authentication bypass arising as a result of a lack of unique cryptographic key generation. "A
VMWare Aria Operations for Networks (vRealize Network Insight) is vulnerable to command injection when accepting user input through the Apache Thrift RPC interface. This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on the underlying operating system as the root user. The RPC interface is protected by a reverse proxy which can be bypassed. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. A malicious actor can get remote code execution in the context of root on the appliance. VMWare 6.x version are vulnerable. This Metasploit module exploits the vulnerability to upload and execute payloads gaining root privileges. Successfully tested against version 6.8.0.
The U.S. Cybersecurity and Infrastructure Security Agency has added a batch of six flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This comprises three vulnerabilities that Apple patched this week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two flaws in VMware (CVE-2023-20867 and CVE-2023-20887), and one shortcoming impacting Zyxel
Categories: News Tags: CISA Tags: BOD 23-02 Tags: Internet exposed Tags: management interfaces Tags: vulnerabilities Tags: CVE-2023-27992 Tags: CVE-2023-20887 There is a lot to be said for the strategy of shielding management interfaces from public internet access (Read more...) The post Reducing your attack surface is more effective than playing patch-a-mole appeared first on Malwarebytes Labs.
VMware has flagged that a recently patched critical command injection vulnerability in Aria Operations for Networks (formerly vRealize Network Insight) has come under active exploitation in the wild. The flaw, tracked as CVE-2023-20887, could allow a malicious actor with network access to the product to perform a command injection attack, resulting in remote code execution. It impacts VMware
The Chinese state-sponsored group known as UNC3886 has been found to exploit a zero-day flaw in VMware ESXi hosts to backdoor Windows and Linux systems. The VMware Tools authentication bypass vulnerability, tracked as CVE-2023-20867 (CVSS score: 3.9), "enabled the execution of privileged commands across Windows, Linux, and PhotonOS (vCenter) guest VMs without authentication of guest credentials
Categories: Exploits and vulnerabilities Categories: News Tags: cve-2023-20887 Tags: cve-2023-20888 Tags: cve-2023-20889 Tags: vmware Tags: Aria Operations for Networks Tags: RCE Tags: information disclosure Tags: deserialization Tags: command injection VMware has released security updates to fix a trio of flaws in Aria Operations for Networks that could result in information disclosure and remote code execution (Read more...) The post VMware patches critical vulnerabilities in Aria Operations for Networks appeared first on Malwarebytes Labs.
VMware has released security updates to fix a trio of flaws in Aria Operations for Networks that could result in information disclosure and remote code execution. The most critical of the three vulnerabilities is a command injection vulnerability tracked as CVE-2023-20887 (CVSS score: 9.8) that could allow a malicious actor with network access to achieve remote code execution. Also patched by
Aria Operations for Networks contains an information disclosure vulnerability. A malicious actor with network access to VMware Aria Operations for Networks may be able to perform a command injection attack resulting in information disclosure.
VMware Aria Operations contains a privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'.