During May, several research pieces were released on the crafty ways adversaries are targeting end users – from hiding malware in software development extensions to pretending to be researchers from universities to establish trust.
New/Improved Techniques
Marketplace Contains Malicious Extensions
Security researchers from Check Point analysed a range of extensions available on the VSCode Marketplace, Microsoft's central hub where developers download official, third-party and community-developed extensions. Their investigation found a number of malicious extensions (now reported and removed from the marketplace) totalling over 45,000 combined installations. The malicious extensions were primarily PII (personally identifiable information) stealers, and attempted to drive installs by namesquatting popular extensions, including Prettiest-Java, a copy of the ever-popular Prettier-Java.
Check Point performed similar analysis earlier in the year on packages found in the popular PyPI (Python Package Index), with strikingly similar results – highlighting the need for developers to thoroughly vet any IDE extensions.
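One practical way to vet an extension inventory against the namesquatting described above is to compare each installed extension's name with an allowlist of the popular extensions a team actually relies on, and flag anything that reuses or nearly reuses a trusted name under a different publisher. The script below is an added example written for this roundup, not Check Point's tooling or anything from the VSCode Marketplace; the allowlist and inventory are constructed, and the publisher ID shown for Prettier-Java is a placeholder rather than the real one.

```python
"""Flag installed VS Code extensions whose names squat on popular ones.

Extension IDs have the form ``publisher.name``, which is also the format that
``code --list-extensions`` prints. Both lists below are constructed for this
example: the publisher ID on the Prettier-Java entry is a placeholder, not the
real publisher.
"""

# Constructed allowlist of trusted extension IDs (publisher.name -> display name).
POPULAR = {
    "trusted-publisher.prettier-java": "Prettier-Java (publisher ID is a placeholder)",
    "ms-python.python": "Python",
}

# Constructed inventory, in the format ``code --list-extensions`` would print.
INSTALLED = [
    "trusted-publisher.prettier-java",  # genuine: same publisher and name
    "random-dev.prettiest-java",        # squats on Prettier-Java with a lookalike name
    "other-dev.prettier-java",          # identical name, different publisher
    "ms-python.python",                 # genuine
    "example-publisher.my-theme",       # unrelated, must not be flagged
]


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def split_id(ext_id):
    """'Publisher.Name' -> ('publisher', 'name'), lower-cased for comparison."""
    publisher, _, name = ext_id.partition(".")
    return publisher.lower(), name.lower()


def find_lookalikes(installed, popular, max_distance=2):
    """Return (installed_id, popular_id, reason) for every installed extension
    that is not itself on the allowlist but whose name matches or nearly
    matches an allowlisted extension's name."""
    trusted = {ext.lower() for ext in popular}
    findings = []
    for ext in installed:
        if ext.lower() in trusted:
            continue                      # exact publisher.name match: trusted
        _, name = split_id(ext)
        for pop in popular:
            _, pop_name = split_id(pop)
            if name == pop_name:
                findings.append((ext, pop, "same name, different publisher"))
            else:
                d = levenshtein(name, pop_name)
                if d <= max_distance:
                    findings.append((ext, pop, f"name within {d} edit(s) of {pop_name}"))
    return findings


if __name__ == "__main__":
    for ext, pop, reason in find_lookalikes(INSTALLED, POPULAR):
        print(f"SUSPECT {ext!r}: {reason} (cf. {pop} / {POPULAR[pop]})")
```

The check deliberately keys on the full `publisher.name` pair: an identical name under an unfamiliar publisher is as much a red flag as a one-letter variant, since the marketplace allows the same name to be published by different accounts. Feed it the real output of `code --list-extensions` and an allowlist the team maintains; anything flagged should be checked against the publisher page before it stays installed.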
Fractureiser – Persistent Mod Malware
The popular Minecraft mod platforms Bukkit and CurseForge were used to distribute a new information-stealing malware dubbed Fractureiser. This malware represents a new stage in these supply chain-based attacks, as it adds a capability not previously seen in game mod-based attacks – persistence. Once deployed, the malware seeks out other Minecraft mods and injects them with the same malicious code.
The mods found to contain this code were not purpose-built exploits, but existing projects – many of which were bundled into popular mod packs, including one pack with over 4.6 million total downloads. Combined with the API delivery of mod updates in the CurseForge and Bukkit applications, this malware likely already has a large footprint worldwide.
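Because Fractureiser spreads by rewriting mods that are already installed, a file-integrity baseline of the mods directory is the simplest way for a server or pack operator to notice that a mod changed without an update having been applied. The following is an added example for this roundup, not code from the Fractureiser write-ups or from CurseForge or Bukkit; the directory layout and file contents are constructed stand-ins for real mod jars.

```python
"""Baseline and re-check a mods directory for in-place modification.

Constructed scenario: two mods are baselined, then one is altered in place
(the effect an injecting payload has on a jar) and a new file appears.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(mods_dir, suffix=".jar"):
    """Map each mod file name in the directory to its SHA-256 digest."""
    root = Path(mods_dir)
    return {p.name: sha256_file(p)
            for p in sorted(root.iterdir()) if p.is_file() and p.suffix == suffix}


def compare(baseline, current):
    """Report files that changed, appeared or disappeared since the baseline."""
    return {
        "modified": sorted(n for n in baseline if n in current and baseline[n] != current[n]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Run the constructed scenario in a temporary directory and return the diff."""
    with tempfile.TemporaryDirectory() as d:
        mods = Path(d)
        # Constructed stand-ins for mod jars (a real jar is a zip starting with PK\x03\x04).
        (mods / "example-mod-a.jar").write_bytes(b"PK\x03\x04 constructed mod A contents")
        (mods / "example-mod-b.jar").write_bytes(b"PK\x03\x04 constructed mod B contents")
        before = snapshot(mods)
        # Simulate a payload rewriting mod A and a new jar being dropped alongside it.
        (mods / "example-mod-a.jar").write_bytes(b"PK\x03\x04 constructed mod A contents + injected class")
        (mods / "example-mod-c.jar").write_bytes(b"PK\x03\x04 constructed mod C")
        return compare(before, snapshot(mods))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

A baseline only catches changes made after it is taken, so a pack that was downloaded already carrying the injected code passes unnoticed; the mod launcher's own update mechanism also legitimately rewrites jars, which is why the baseline should be refreshed immediately after a deliberate update and any modification outside that window treated as suspicious.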
State Sponsored Hackers Impersonate Journalists and Academics
A joint advisory from the FBI and NSA, along with South Korea's NIS, NPA and MOFA (National Intelligence Service, National Police Agency, and Ministry of Foreign Affairs), warns that the state-sponsored North Korean hacking group Kimsuky has been impersonating journalists and academics. The spear-phishing campaign aims to collect intelligence from research centres, think tanks, media organisations and academic institutions, with the actors performing in-depth reconnaissance on the people they wish to impersonate. The technique appears to be a slow burn – the actors look to build trust rather than deliver malware directly. The advisory includes the standard mitigation measures, and recommends holding a preliminary video call to confirm a contact's identity before providing any sensitive information.
Attacks / Threats
[US] City of Augusta Cyber Attack
The city of Augusta, Georgia has confirmed that a recent IT system outage was caused by unauthorised access to its network. The attack on the second-largest city in Georgia was claimed by BlackByte, who released a 10GB sample that appears to hold PII as well as contract and budget allocation data; however, the city has yet to confirm the authenticity of this information.
This attack marks the fourth North American city to be victimised by ransomware gangs this year alone, with Toronto, Dallas and Oakland all suffering major attacks – in Oakland's case, two.
[US] MOVEit Transfer Zero-Day
The Cl0p ransomware gang, responsible for the Fortra GoAnywhere MFT breach earlier in the year, has used a zero-day vulnerability in the Progress Software MOVEit Transfer MFT platform to access and steal data from organisations using the solution. It took Microsoft only a few days to link the attack to Cl0p, who were happy to take credit but would not, at this time, reveal the exact number of organisations affected – although it is claimed to be in the hundreds. The attacks began over the US Memorial Day long weekend, a tactic Cl0p has used previously to hinder response efforts.
A patch was swiftly created and made available to address the vulnerability. Progress Software announced that all of its managed clusters had been updated, and advised customers with on-premises deployments to update as soon as possible.
[Worldwide] Chrome Zero-Day Exploited in the Wild
Google has released an update to address the third zero-day vulnerability exploited by attackers in 2023. Tracked as CVE-2023, the issue has seen Google remain tight-lipped about its technical details, although security researchers have established that the flaw is a bug in the V8 JavaScript engine – the same target as the first zero-day vulnerability of the year.
Google has indicated that it will release a patch to remediate this bug and will provide technical details once the majority of the user base has completed the update.
RaidForums Database Leak – 478,870 Users
A database of users from the RaidForums hacking forum has been leaked online, giving security researchers and other threat actors insight into the forum's membership. In late 2022, the RaidForums website and associated infrastructure were seized in an international law enforcement operation, resulting in the arrest of the administrator and two others. The leaked database appeared on Exposed – a forum launched in the wake of the RaidForums seizure. The database includes usernames, email addresses and hashed passwords, although some users were removed from the database before release, likely to strip information relating to the party who dumped it. Users of this forum should be very concerned, as threat actors have a long history of infighting and of ruthless tactics against one another.
Honda E-Commerce API Flaw
A security researcher who breached Toyota's supplier portal earlier in the year has leveraged similar vulnerabilities to access the Honda e-commerce platform for its power equipment division. Access to the platform was obtained through a flaw in the API that allowed unauthorised users to process a password reset on any account. Once inside, a further vulnerability was exploited that allowed the researcher to bypass access protections by enumerating user IDs through the API, giving full access to all the dealer information stored on the platform. The accessible data included customers' personal information as well as internal documents. Honda had completed remediation of the issue before the flaw was made public.
Unfortunately for the researcher, neither Honda nor Toyota has a bug bounty programme in place, and both declined to provide a reward for highlighting the vulnerabilities.
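The second Honda flaw is the classic broken object-level authorisation pattern: the API checks that a caller is logged in but never checks that the record requested belongs to them, so walking the ID space returns every dealer's data. The sketch below is an added example written for this roundup, not Honda's code or a reconstruction of its API; the dealer records, session model and threshold are constructed. It puts the vulnerable handler beside a hardened one and adds the per-user refusal counter a defender would want for spotting enumeration.

```python
"""Broken object-level authorisation on a dealer API: vulnerable vs hardened,
plus a simple enumeration detector. All data and names are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed dealer records keyed by numeric ID (not real dealer data).
DEALERS = {
    1001: {"dealer_id": 1001, "name": "Example Dealer North", "contact": "north@example.invalid"},
    1002: {"dealer_id": 1002, "name": "Example Dealer South", "contact": "south@example.invalid"},
    1003: {"dealer_id": 1003, "name": "Example Dealer West", "contact": "west@example.invalid"},
}


@dataclass(frozen=True)
class Session:
    user_id: str
    dealer_id: Optional[int]   # dealer the user belongs to; None for internal staff
    role: str                  # "dealer" or "admin"


def get_dealer_vulnerable(session, dealer_id):
    """Authenticates (a session exists) but never authorises: any logged-in user
    can read any dealer record simply by changing the ID in the request."""
    record = DEALERS.get(dealer_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def get_dealer_hardened(session, dealer_id):
    """Object-level authorisation: the record is returned only if the session's
    own dealer matches the requested ID or the caller is an admin. Unauthorised
    and non-existent IDs receive the identical response, so the endpoint cannot
    be used to confirm which IDs exist."""
    record = DEALERS.get(dealer_id)
    allowed = session.role == "admin" or session.dealer_id == dealer_id
    if record is None or not allowed:
        return 404, {"error": "not found"}
    return 200, record


class EnumerationMonitor:
    """Tracks how many distinct IDs each user has been refused; a burst of
    refusals across many IDs is the signature of someone walking the ID space."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.refused = defaultdict(set)

    def record(self, session, dealer_id, status):
        if status == 404:
            self.refused[session.user_id].add(dealer_id)

    def suspicious(self, user_id):
        return len(self.refused[user_id]) >= self.threshold


def run_scan(handler, session, id_range, monitor):
    """Request every ID in id_range through handler and return the dealer IDs
    actually disclosed, feeding each outcome to the monitor."""
    disclosed = []
    for dealer_id in id_range:
        status, body = handler(session, dealer_id)
        monitor.record(session, dealer_id, status)
        if status == 200:
            disclosed.append(body["dealer_id"])
    return disclosed


if __name__ == "__main__":
    dealer = Session("dealer-user-1", 1001, "dealer")
    for name, handler in (("vulnerable", get_dealer_vulnerable), ("hardened", get_dealer_hardened)):
        mon = EnumerationMonitor()
        seen = run_scan(handler, dealer, range(1000, 1011), mon)
        print(f"{name}: disclosed {seen}, flagged={mon.suspicious(dealer.user_id)}")
```

The fix is the single `allowed` check, applied on every object access rather than once at login, and the uniform 404 for both "not yours" and "does not exist" removes the oracle that makes enumeration informative. The monitor is only a starting point: real deployments would key on the authenticated identity and source address and feed the counter into rate limiting or alerting.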
Medibank Third Class-Action Lawsuit
Beleaguered private healthcare provider Medibank has been served another class-action lawsuit related to the 2022 ransom incident, alleging a failure to adequately protect personal customer information in breach of consumer and privacy law. Already under investigation by the Office of the Australian Information Commissioner and defending two other class-action suits, the provider indicated it would defend the proceedings. The company avoided a drop in share price on the news.