Weekly Security News – 27th November 2023

Welcome to this week’s Security News. 

If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly. 

Vulnerabilities and Patches

Konni Group Using Russian-Language Malicious Word Docs in Latest Attacks

Fortinet FortiGuard Labs has identified a phishing campaign that uses a Russian-language Microsoft Word document to deploy malware capable of extracting sensitive information from compromised Windows systems. The activity has been attributed to the threat actor known as Konni, which overlaps with a North Korean group tracked as Kimsuky (also known as APT43). The campaign delivers a remote access trojan (RAT) that can exfiltrate data and execute commands on compromised devices. The analysis was published recently by FortiGuard Labs researcher Cara Lin.

Mirai-based Botnet Exploiting Zero-Day Bugs in Routers and NVRs for Massive DDoS Attacks

An active malware campaign is exploiting two zero-day remote code execution vulnerabilities to enlist routers and video recorders into a Mirai-based distributed denial-of-service (DDoS) botnet. The payload targets routers and network video recorders (NVRs) that still use their default admin credentials, installing Mirai variants on successful compromise. Akamai issued an advisory this week but withheld specific details of the vulnerabilities to give the affected vendors time to release patches and to avoid handing other threat actors a ready-made exploit. A fix for one of the vulnerabilities is expected next month. Until patches are available, the practical mitigation is the usual one for this class of device: change the default credentials and keep management interfaces off the public internet.

Windows Hello auth bypassed on Microsoft, Dell, Lenovo laptops

Security researchers at Blackwing Intelligence have found vulnerabilities in the embedded fingerprint sensors of a Dell Inspiron, a Lenovo ThinkPad and a Microsoft Surface Pro X, and used them to bypass Windows Hello fingerprint authentication. The research, sponsored by Microsoft's Offensive Research and Security Engineering (MORSE) team, covered the three most widely used embedded fingerprint sensors for Windows Hello: ELAN, Synaptics and Goodix. All three are Match-on-Chip (MoC) sensors, which have their own microprocessor and storage so that fingerprint templates never leave the chip and matching happens inside it. MoC protects the stored templates, but the host still has to trust what the sensor tells it, and the bypasses worked by attacking the communication between the sensor and the host rather than the matching itself. Microsoft's Secure Device Connection Protocol (SDCP) exists to protect that channel, but Blackwing reported that it was not enabled on two of the three devices tested. The attacks require physical access to the laptop, but they show that the security of a widely used authentication factor depends on how the sensor is integrated with the host, not only on the sensor chip.


Cyber Attacks

Hamas-Linked Cyberattacks Using Rust-Powered SysJoker Backdoor Against Israel

Check Point researchers have identified a Rust version of the cross-platform backdoor SysJoker, attributed to a Hamas-linked threat actor targeting Israel amid the regional conflict. The malware has been completely rewritten in Rust while keeping similar functionality, and the threat actor has moved from Google Drive to OneDrive for hosting the dynamic command-and-control (C2) server URLs. Hosting C2 addresses on legitimate cloud storage makes the traffic hard to block by domain alone, so defenders should rely on endpoint detection and the indicators in the report. Check Point published the analysis on Wednesday.

Kubernetes Secrets of Fortune 500 Companies Exposed in Public Repositories

Cybersecurity researchers at Aqua have warned that Kubernetes configuration secrets are being exposed in public repositories, creating a route for supply chain attacks against the organisations that own them. The exposed files were Kubernetes Secret manifests whose values are only base64-encoded; base64 is an encoding, not encryption, and offers no protection once a file is public. Affected entities included two major blockchain companies and several Fortune 500 companies. The researchers used the GitHub API to search for files such as .dockerconfigjson and .dockercfg, which hold the credentials Kubernetes uses to pull images from container registries. If those credentials also grant push access, an attacker can replace the images an organisation deploys, which is where the supply chain risk comes from. This is an exposure rather than a vulnerability in Kubernetes itself, and it underscores the importance of keeping secrets out of source control and rotating any credential that has ever been committed, even if the commit was later removed.
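To make the point concrete, the following is an added example (not code from Aqua's research or from any affected organisation) that scans Kubernetes Secret manifests in the JSON form produced by kubectl get secret -o json, picks out .dockerconfigjson and .dockercfg entries, and decodes the nested base64 layers down to the registry username and password. The two manifests it scans are constructed sample data with made-up credentials; the function names are the example's own.

```python
"""
Decode container-registry credentials from Kubernetes Secret manifests.

Added example for the news item above, not Aqua's tooling. The manifests
below are constructed samples with fake credentials. A Secret's .data values
are base64-encoded; inside a .dockerconfigjson the "auth" field is another
base64 layer holding "username:password". Nothing here is encrypted.
"""
import base64
import json


def _b64(text):
    """Base64-encode a UTF-8 string, as kubectl does for Secret .data values."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample 1: the modern kubernetes.io/dockerconfigjson format.
SAMPLE_DOCKERCONFIGJSON = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "regcred", "namespace": "ci"},
    "type": "kubernetes.io/dockerconfigjson",
    "data": {
        ".dockerconfigjson": _b64(json.dumps({
            "auths": {
                "registry.example.com": {"auth": _b64("ci-deploy:S3cretPull!")}
            }
        }))
    },
}

# Constructed sample 2: the legacy kubernetes.io/dockercfg format (flat map).
SAMPLE_DOCKERCFG = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "legacy-regcred"},
    "type": "kubernetes.io/dockercfg",
    "data": {
        ".dockercfg": _b64(json.dumps({
            "https://index.docker.io/v1/": {
                "username": "builder",
                "password": "hunter2",
                "auth": _b64("builder:hunter2"),
            }
        }))
    },
}


def _credential_from_entry(entry):
    """Return (username, password) from one registry entry, or None.

    Docker config entries carry either an "auth" field (base64 of
    "user:password") or explicit username/password keys; prefer "auth".
    """
    auth = entry.get("auth")
    if auth:
        try:
            decoded = base64.b64decode(auth).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = ""
        user, sep, password = decoded.partition(":")
        if sep:
            return user, password
    if "username" in entry and "password" in entry:
        return entry["username"], entry["password"]
    return None


def find_registry_credentials(manifest):
    """Return a list of {secret, registry, username, password} findings.

    Keys are matched rather than the Secret "type" field, because an Opaque
    Secret can carry the same .dockerconfigjson key. Malformed entries are
    skipped so one bad file does not abort a scan over a whole repository.
    """
    if manifest.get("kind") != "Secret":
        return []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for key, raw in (manifest.get("data") or {}).items():
        if key not in (".dockerconfigjson", ".dockercfg"):
            continue
        try:
            config = json.loads(base64.b64decode(raw))
        except ValueError:
            continue
        # .dockerconfigjson nests registries under "auths"; .dockercfg is flat.
        entries = config.get("auths", config) if key == ".dockerconfigjson" else config
        for registry, entry in entries.items():
            cred = _credential_from_entry(entry) if isinstance(entry, dict) else None
            if cred:
                findings.append({"secret": name, "registry": registry,
                                 "username": cred[0], "password": cred[1]})
    return findings


def mask(password):
    """Keep two characters so a finding can be matched to a known credential."""
    return password[:2] + "*" * max(len(password) - 2, 0)


def report(manifests):
    """One human-readable line per credential found, passwords masked."""
    return [f"{f['secret']}: {f['registry']} -> {f['username']}:{mask(f['password'])}"
            for m in manifests for f in find_registry_credentials(m)]


if __name__ == "__main__":
    for line in report([SAMPLE_DOCKERCONFIGJSON, SAMPLE_DOCKERCFG]):
        print(line)
```

Run against any Secret manifest that has found its way into a repository, the same two decode steps recover the plaintext credential, which is why a committed Secret must be treated as compromised and rotated rather than simply deleted from the history.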

Open-source Blender project battling DDoS attacks since Saturday

Blender, the popular open-source 3D design suite, has confirmed that its recent site outages are the result of ongoing distributed denial-of-service (DDoS) attacks that began on Saturday. The attacks have flooded blender.org servers with requests, leaving them unable to serve legitimate connections. The project's team has been working continuously on the problem, but blocking the attacking IP ranges has proven ineffective because the traffic quickly shifts to other sources, which is typical of botnet-driven DDoS and usually calls for upstream filtering or a scrubbing service rather than per-range blocks. The attacks have caused significant disruption to Blender's operations.