
This Week in Cybersecurity: July 24th-28th

Happy Friday, and welcome to another edition of the Censys cyber blog! Our industry blog draws attention to what’s happening each week in cybersecurity, so that we can better understand and predict attackers’ next moves. Let’s dive in and see what attackers have been up to.

1. Lazarus Hackers Hijack Microsoft IIS Servers to Spread Malware – July 24th

Web servers running Windows Internet Information Services (IIS) are under attack and being exploited to spread malware. Lazarus is a North Korean government-run advanced persistent threat (APT) group. The group’s initial target was obtaining access to corporate networks; however, it is now focusing on weakly protected and vulnerable IIS servers, hijacking them, and then distributing malware. The main incentive for breaching IIS servers is how easily attackers can infect users of services hosted on these compromised servers, which belong to otherwise trustworthy organizations. Recently, Lazarus infiltrated South Korean financial security software with a compromised version of INISAFE CrossWeb EX V6. Then, to gain greater access to the system, Lazarus employed a privileged malware loader known as JuicyPotato. This tool gives attackers the ability to decode installed data files and load them into memory while avoiding antivirus scanners.
(Source: BleepingComputer)

2. Zero-Day Vulnerabilities Discovered in Global Emergency Services Communications Protocol – July 25th

Five zero-day vulnerabilities (collectively referred to as TETRA:BURST) were recently discovered in the emergency radio voice and data service Terrestrial Trunked Radio (TETRA). TETRA is used by law enforcement, fire departments, and the military all over the world. The system’s channels provide distinct key management, voice, and data encryption. The TETRA Encryption Algorithm TEA1 encrypts traffic transmitted across the TETRA network. Midnight Blue Labs discovered these five vulnerabilities, two of which are critical.

The two critical vulnerabilities enable attackers to track law enforcement, listen in on discussions without raising any red flags, and modify critical infrastructure communications. CVE-2022-24401 allows attackers to receive any encrypted messages sent to a radio by targeting that channel. CVE-2022-24402 affects the TEA1 algorithm, which uses an 80-bit key. If an attacker brute-forced this 80-bit key, all conversations would be obtained without detection.
(Source: DarkReading)

3. New AI Phishing Tool FraudGPT Tied to Same Group Behind WormGPT – July 25th

A new AI bot called FraudGPT has been linked to the same attacker who developed WormGPT earlier this month. FraudGPT, like WormGPT, can be purchased on the dark web for spear phishing emails, cracking tools, and carding. However, FraudGPT is designed for short-term and large-scale attacks such as phishing, whereas WormGPT is used for long-term attacks involving malware and ransomware. Other threat actors can benefit if they pay a subscription for the tool; the purchase teaches them how to craft an extremely credible-looking email that contains malicious links.
(Source: SCMagazine)

4. Super Admin Elevation Bug Puts 900,000 MikroTik Devices at Risk – July 25th

A major flaw in the MikroTik RouterOS operating system that was first identified in June 2022 continues to affect devices. MikroTik’s severe vulnerability, CVE-2023-30799, allows remote attackers to discreetly upgrade their admin accounts to super admin accounts. Attackers can gain full control of the entire RouterOS operating system and change the code path without raising suspicion. This flaw, which has already been detected on 926,000 devices, is said to be more enticing to attackers looking to jailbreak a network and change the operating system. Attackers need admin access to exploit it, but the system is pre-programmed with an admin account. MikroTik advises users to update to the newest version of RouterOS because they do not believe this is the end of the attack.
(Source: TheHackerNews)

5. Lazarus Hackers Linked to 60 Million Alphapo Cryptocurrency Heist – July 26th

The hacking gang Lazarus, which was reported earlier in this blog for breaching Microsoft IIS web servers, has just carried out another successful campaign. The North Korean group stole $60 million from the cryptocurrency payment provider Alphapo. Initially, the group obtained $23 million from the payment provider and later acquired $37 million in TRON and BTC. Lazarus tricks employees at crypto firms into opening malicious files, infecting their systems, and causing them to lose account credentials. Over the past two years, Lazarus has also stolen $617 million in the Axie Infinity robbery, $35 million in the Atomic Wallet heist, and $100 million in the Harmony Horizon attack.
(Source: BleepingComputer)

Another busy week in cyber! This week’s blog highlighted five top news stories on attackers’ latest tactics. Come back next week to get more industry updates! 
