The CyberScotland Technical Bulletin is designed to provide you with information about updates, exploits and countermeasures.
Please subscribe to our CyberScotland mailing list to be notified by email when a new bulletin is published.
Microsoft Patch Tuesday
On Microsoft’s February 2023 Patch Tuesday, security updates addressed a total of 77 flaws, including three zero-day vulnerabilities that are being actively exploited. Nine of the vulnerabilities are classified as ‘Critical’ because they allow remote code execution on vulnerable devices.
The first zero-day, CVE-2023-21823, is in the Windows Graphics Component and can grant attackers SYSTEM privileges. The second, CVE-2023-21715, affects Microsoft Publisher and allows a crafted document to bypass the Office macro policies that block untrusted files. The third, CVE-2023-23376, is an elevation of privilege vulnerability in the Windows Common Log File System (CLFS) driver.
It is important to update all vulnerable systems as soon as possible to protect against attacks exploiting these flaws.
Prilex Point-of-Sale malware evolves
The Prilex malware, believed to have been developed by Brazilian threat actors, has concerned the cybersecurity community for some time. Initially designed for ATM systems, it has since evolved into a modular point-of-sale malware that facilitates credit card fraud. The latest version of Prilex, discovered recently, has a new feature that blocks contactless payment transactions. The motive behind this update is to force the cardholder to insert their card into the PIN pad, where the malware can capture the card data.
When the malware is installed on an infected point-of-sale terminal, it uses rule-based logic to determine whether to capture credit card information and block NFC-based transactions. If an NFC transaction is detected, the PIN pad reader displays a fake error message, tricking the victim into inserting their physical card. This new feature, along with the ability to filter credit cards by segments and craft rules, has made Prilex even more dangerous.
The rise of contactless payments, fuelled by the COVID-19 pandemic, has made Prilex’s new feature even more concerning. It highlights the importance of cybersecurity measures in the face of evolving threats, and the need for businesses and consumers to be vigilant in protecting their information.
No evidence of zero-days in recent VMware ESXi ransomware
VMware has issued a statement regarding the recent ransomware attacks targeting unpatched and unsecured VMware ESXi servers worldwide. The company stated that they have found no evidence of the attackers using a zero-day flaw in VMware’s software. To protect against known issues, VMware is recommending users upgrade to the latest supported releases of vSphere components and disable the OpenSLP service in ESXi.
This announcement follows the large-scale ransomware campaign dubbed “ESXiArgs”, which targets servers likely by exploiting a two-year-old bug that was patched in February 2021. That vulnerability, CVE-2021-21974, is a heap-based buffer overflow in the OpenSLP service of ESXi that allows an unauthenticated attacker on the same network segment, with access to port 427, to gain remote code execution.
Cybersecurity researchers have advised ESXi customers to back up their data and update their installations to a fixed version as soon as possible to avoid potential attacks. In addition, they recommend not exposing ESXi instances to the internet if possible.
PyPI packages install Chrome Extensions to steal cryptocurrency
A recent discovery shows that over 450 malicious packages on PyPI, a repository of Python packages, have been found installing browser extensions to hijack cryptocurrency transactions made through browser-based crypto wallets and websites. This is part of an ongoing campaign that began with 27 malicious packages in November 2022 and has since expanded through a typosquatting campaign that impersonates popular packages to deceive software developers.
The malicious packages create a malicious Chromium browser extension and hijack Windows shortcuts related to various browsers to load the extension. When a web browser is launched, the extension loads and monitors for cryptocurrency addresses copied to the Windows clipboard. The extension replaces any detected crypto address with a set of hardcoded addresses controlled by the threat actor, resulting in any sent crypto transaction amount going to the threat actor’s wallet instead of the intended recipient.
The threat actor has also extended the number of supported wallets in this new campaign and added cryptocurrency addresses for Bitcoin, Ethereum, TRON, Binance Chain, Litecoin, Ripple, Dash, Bitcoin Cash, and Cosmos. It is essential to be cautious when downloading packages from PyPI and other repositories and to verify the authenticity of the package source to avoid falling victim to such malicious attacks.
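Because the hijack described above happens between copy and paste, the one check that catches it is comparing the address you pasted with the one you copied. The block below is an added example, not code from the campaign or from the researchers who reported it: it classifies a string as an address of one of the chains named in this item using format-only patterns (prefix and length, no checksum validation) and reports when a pasted address differs from the copied one. The sample addresses are constructed and do not belong to any real wallet.

```python
"""Detect a clipboard crypto-address swap between copy and paste.

Added example for this bulletin; not code from the campaign. The patterns are
format checks only (no checksum validation) and the addresses are constructed.
"""
import re

# Bech32 character set (lowercase alphanumerics minus 1, b, i, o).
B32 = r"[ac-hj-np-z02-9]"
# Base58 character set (no 0, O, I, l).
B58 = r"[a-km-zA-HJ-NP-Z1-9]"

# Order matters: the first matching pattern wins.
ADDRESS_PATTERNS = {
    "bitcoin":      re.compile(rf"^(?:[13]{B58}{{25,34}}|bc1{B32}{{39,59}})$"),
    "ethereum":     re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "tron":         re.compile(rf"^T{B58}{{33}}$"),
    "binance":      re.compile(rf"^bnb1{B32}{{38}}$"),
    "litecoin":     re.compile(rf"^(?:[LM]{B58}{{26,33}}|ltc1{B32}{{39,59}})$"),
    "ripple":       re.compile(rf"^r{B58}{{24,34}}$"),
    "dash":         re.compile(rf"^X{B58}{{33}}$"),
    "bitcoin_cash": re.compile(rf"^(?:bitcoincash:)?[qp]{B32}{{41}}$"),
    "cosmos":       re.compile(rf"^cosmos1{B32}{{38}}$"),
}


def classify(text):
    """Return the chain whose address format `text` matches, or None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


def check_paste(copied, pasted):
    """Compare what the user copied with what landed in the paste target.

    Returns None when there is nothing to report (not an address, or unchanged)
    and a finding dict when both are addresses but differ. A same-chain
    replacement is the signature of the clipboard hijacker described above.
    """
    copied_chain, pasted_chain = classify(copied), classify(pasted)
    if copied_chain is None or pasted_chain is None:
        return None
    if copied.strip() == pasted.strip():
        return None
    return {
        "copied": copied.strip(),
        "pasted": pasted.strip(),
        "copied_chain": copied_chain,
        "pasted_chain": pasted_chain,
        "same_chain": copied_chain == pasted_chain,
    }


if __name__ == "__main__":
    # Constructed addresses: valid shape for the regexes, not real wallets.
    intended = "0x" + "ab12" * 10
    swapped = "0x" + "de" * 20
    print(check_paste(intended, intended))   # None: clipboard untouched
    print(check_paste(intended, swapped))    # finding with same_chain=True
```

In a real workflow the comparison runs at the point of use: read the address back out of the wallet's recipient field after pasting and compare it to the source you copied from, which is exactly what a clipboard hijacker relies on users not doing.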