Welcome to the latest edition of Neu Cyber Threats, a weekly series in which we bring attention to the latest cyber attacks, scams, frauds, malware (including ransomware) and DDoS attacks, to help you stay safe online.

Here are the most prominent threats which you should be aware of:


Fortinet

Fortinet’s critical authentication bypass issue CVE-2022-40684 is being exploited in the wild

This week Fortinet disclosed a critical authentication bypass, tracked as CVE-2022-40684, affecting FortiOS (FortiGate firewalls), FortiProxy web proxies and FortiSwitchManager. An unauthenticated attacker who can reach the administrative interface can send specially crafted HTTP or HTTPS requests to perform operations on it, in effect obtaining administrative control of the device without ever logging in.

Customers are urged to upgrade as soon as possible: FortiOS to 7.0.7 or 7.2.2, FortiProxy to 7.0.7 or 7.2.1, and FortiSwitchManager to 7.2.1. The affected releases are FortiOS 7.0.0 to 7.0.6 and 7.2.0 to 7.2.1, FortiProxy 7.0.0 to 7.0.6 and 7.2.0, and FortiSwitchManager 7.0.0 and 7.2.0.

For customers who cannot deploy the updates straight away, Fortinet's workaround is to disable the HTTP/HTTPS administrative interface, or to limit the IP addresses that can reach it with a local-in policy. This reduces exposure but does not remove the flaw, so it is a stopgap until the upgrade is done. Because exploitation has already been reported, devices that were exposed before the workaround went in should also be reviewed: Fortinet advises checking the device logs for entries with user="Local_Process_Access", which it lists as an indicator of compromise.

Security researchers on the Horizon3.ai Attack Team have developed a proof-of-concept (PoC) exploit and plan to release it later this week, so the window for patching before exploitation becomes widespread is short.

Pro-Russian hacker group KillNet claims responsibility for US airport DDoS attacks

On Monday 10th October 2022, the public websites of many US airports were hit with distributed denial-of-service (DDoS) attacks, in which their web servers were flooded with junk traffic until the sites became unreachable or went offline. Affected airports include Los Angeles International Airport (LAX), Chicago O’Hare International Airport (ORD) and Hartsfield-Jackson Atlanta International Airport (ATL), as well as airports in Colorado, Florida, Arizona, Kentucky, Mississippi and Hawaii.

Affected websites were either knocked offline for a few hours, intermittently available, or slow to respond. Luckily, the attack had no direct effect on airport operations; some airports nevertheless reported it to the FBI and the Transportation Security Administration.

The pro-Russian hacker group KillNet later claimed responsibility for the 14 attacks on its Telegram channel. KillNet is known for this kind of attack and reportedly launched a similar DDoS attack on a US airport in March, in retaliation for US support for Ukraine.

Experts note that while DDoS attacks are disruptive, they are usually short-lived and, being highly visible, serve mainly to attract attention and shape perception rather than to cause lasting damage.

A new cryptojacking campaign exploits DLL sideloading

Security software maker Bitdefender has uncovered a cryptojacking campaign that abuses a known DLL sideloading weakness in Microsoft OneDrive to gain persistence and run undetected on infected devices.

The attackers use several techniques to install cryptojackers on victims’ computers, affecting both consumers and enterprises. The campaign mines four cryptocurrency algorithms: Ethash, Etchash, Ton and XMR (Monero), earning on average around $13 in cryptocurrency per infected machine. The sideload works by writing a fake secur32.dll into OneDrive's install directory: because OneDrive.exe looks for the library in its own directory before the Windows system directory, the attacker's copy is loaded instead of the real one. Once loaded, the DLL downloads open-source cryptocurrency mining software and injects it into legitimate Windows processes. The same OneDrive sideloading technique could equally be used to deliver spyware or ransomware.

Mining is resource-intensive, so victims quickly notice heavy CPU and GPU load, shorter battery life and overheating. For persistence, the attackers set OneDrive.exe to start after every reboot, and OneDrive is in any case launched daily by its own scheduled task; in 95.5% of detections it was this scheduled launch that loaded the malicious secur32.dll.
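As an added example (not Bitdefender's tooling or anything from this newsletter), the PowerShell below turns the indicator above into a check: a secur32.dll anywhere under a user's OneDrive install directory, or loaded by a running OneDrive.exe from anywhere other than System32/SysWOW64, is a sideloading candidate, and OneDrive's own launch points are listed so the persistence path can be reviewed. It assumes per-user OneDrive installs live under <profile>\AppData\Local\Microsoft\OneDrive and that the copies of secur32.dll in the Windows system directories are the only legitimate ones; the scheduled task names and Run key value are read as found, not assumed.

```powershell
# Added example (not from the Bitdefender report or this newsletter): hunt for a
# secur32.dll sideloaded into OneDrive's per-user install directory.
# Assumptions: per-user OneDrive lives under <profile>\AppData\Local\Microsoft\OneDrive,
# and the only legitimate copies of secur32.dll live in System32 and SysWOW64.

$legitDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)

# 1. On-disk check across every local profile, not just the one running the script.
$usersRoot = Split-Path $env:USERPROFILE -Parent
$diskFindings = foreach ($userDir in Get-ChildItem -Path $usersRoot -Directory -ErrorAction SilentlyContinue) {
    $oneDriveDir = Join-Path $userDir.FullName 'AppData\Local\Microsoft\OneDrive'
    if (-not (Test-Path -LiteralPath $oneDriveDir)) { continue }

    Get-ChildItem -LiteralPath $oneDriveDir -Filter 'secur32.dll' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Any secur32.dll in this directory is wrong by location alone; signature and
            # hash are collected for triage, not to decide whether the file is suspicious.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            [pscustomobject]@{
                User       = $userDir.Name
                Path       = $_.FullName
                SizeBytes  = $_.Length
                CreatedUtc = $_.CreationTimeUtc
                SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Signature  = $sig.Status
                Signer     = $signer
            }
        }
}

# 2. In-memory check: is a running OneDrive.exe holding a secur32.dll from outside the system directories?
$memFindings = foreach ($proc in Get-Process -Name 'OneDrive' -ErrorAction SilentlyContinue) {
    try {
        foreach ($mod in $proc.Modules) {
            if ($mod.ModuleName -ieq 'secur32.dll' -and
                ($legitDirs -notcontains (Split-Path $mod.FileName -Parent))) {
                [pscustomobject]@{ ProcessId = $proc.Id; Module = $mod.FileName }
            }
        }
    } catch {
        # Module enumeration fails across 32/64-bit boundaries or without rights; note it and move on.
        Write-Warning "Could not enumerate modules of PID $($proc.Id): $_"
    }
}

# 3. Launch points: OneDrive's scheduled task and the current user's Run key are what
#    reload the DLL after each restart, so record what they execute.
$tasks = Get-ScheduledTask -TaskName 'OneDrive*' -ErrorAction SilentlyContinue |
    Select-Object TaskName, State, @{ n = 'Execute'; e = { ($_.Actions | ForEach-Object Execute) -join '; ' } }
$runKey = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty OneDrive -ErrorAction SilentlyContinue

if ($diskFindings -or $memFindings) {
    Write-Output '=== Possible secur32.dll sideloading ==='
    $diskFindings | Format-List
    $memFindings  | Format-Table -AutoSize
} else {
    Write-Output 'No secur32.dll found in OneDrive directories or loaded by OneDrive.exe.'
}
Write-Output '=== OneDrive launch points (review the Execute path) ==='
$tasks | Format-Table -AutoSize
if ($runKey) { Write-Output "HKCU Run: $runKey" }
```

Run it from an elevated prompt so other users' profiles and OneDrive's modules can be read. Treat location as the signal: even a correctly signed secur32.dll would have no business in a OneDrive directory, so a valid signature is not a reason to dismiss a hit. Per-machine OneDrive installs under Program Files are not covered here; add that path if your estate uses them.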

Bitdefender has recommended that users ensure their antivirus and operating systems are up to date and only download software from trusted locations.

If you are concerned about any cyber security issues within your business, contact us today on 01283 753 333 or email hello@neuways.com.