In this week’s Threat Digest, we delve into a spectrum of cyberthreats, from law enforcement’s takedown of BlackCat’s leak site to the discovery of a Trojan-Proxy on macOS. Atlassian’s critical updates and WordPress’s new security patch highlight the need for vigilance in software maintenance. We also explore Russia’s AI-powered disinformation campaign and Microsoft’s alert on a critical Outlook vulnerability. Finally, the evolving threat of Qilin ransomware targeting VMware ESXi servers is a reminder of the constant need to stay ahead in cybersecurity.

The AlphV (BlackCat) ransomware group’s leak site was reportedly taken down by law enforcement, as confirmed by intelligence firm RedSense. However, there has been no official statement from the Department of Justice. AlphV initially attributed the downtime to hosting provider issues. The incident raises questions about potential concerted law enforcement actions, as similar disruptions were observed with BreachForums. AlphV’s qTox account status changed from “REPAIR” to a message indicating operational recovery soon, though the authenticity and implications of this claim remain uncertain.

SecureList has reported the discovery of a new Trojan-Proxy for macOS, hidden within cracked software. This malware, which targets macOS devices, operates by replacing specific system files to gain control and establish a connection with a Command and Control (C2) server. The Trojan creates log files and attempts to obtain a C2 server IP address via DNS-over-HTTPS, thus evading traffic monitoring. It then connects to the server via WebSocket, awaiting commands. This discovery highlights the risks associated with downloading cracked software and emphasizes the need for users to be vigilant, especially when obtaining software from unverified sources.

Atlassian has released critical software updates to address four vulnerabilities that, if exploited, could lead to remote code execution (RCE). These include:

1. a deserialization issue in the SnakeYAML library (CVE-2022-1471),
2. a remote code execution vulnerability in Confluence Data Center and Server (CVE-2023-22522),
3. a flaw in Assets Discovery for Jira Service Management (CVE-2023-22523), and
4. a vulnerability in the Atlassian Companion app for macOS (CVE-2023-22524).

CVE-2023-22522 is a template injection flaw that could allow code execution through injected user input. The Assets Discovery flaw permits RCE on machines with the agent installed, and CVE-2023-22524 allows execution via WebSockets, bypassing security measures. Given the increasing targeting of Atlassian products, users are urged to promptly update to patched versions.

WordPress released update 6.4.2 to address a critical security flaw which could enable remote code execution (RCE) when combined with vulnerabilities in specific plugins, particularly in multisite installations. The vulnerability is rooted in the WP_HTML_Token class, impacting HTML parsing in the block editor. Security firm Wordfence notes that exploiting a PHP object injection vulnerability in any plugin or theme, when chained with this flaw, could allow attackers to execute arbitrary code, delete files, or access sensitive data. Patchstack advises developers to replace the unserialize function with safer alternatives like JSON encoding/decoding. Users are urged to update their WordPress sites to the latest version for protection against potential exploitation.

A recent report highlights the Doppelganger influence operation, linked to Russia, targeting Ukraine, the U.S., and Germany. This operation utilizes a mix of inauthentic news sites and social media accounts to amplify content that undermines Ukraine, promotes anti-LGBTQ+ sentiment, and critiques U.S. military competence and Germany’s socio-economic issues. The campaigns leverage advanced obfuscation techniques, possibly using AI to generate inauthentic articles, and involve over 800 social media accounts. While their reach is limited, these tactics reveal the evolving strategies in Russian information warfare aimed at influencing public opinion.

Microsoft has issued a warning about CVE-2023-23397, a critical vulnerability in Microsoft Outlook on Windows, actively exploited by a Russian nation-state group, Forest Blizzard. This exploit does not require user interaction and involves a specially crafted message triggering a Net-NTLMv2 hash leak. Microsoft’s Incident Response team observed post-exploitation activities, including Net-NTLMv2 Relay attacks against Exchange Servers and using the Exchange Web Services API for additional attacks and persistence. Organizations are advised to implement comprehensive threat hunting strategies and monitor for indicators of compromise (IoCs) related to this vulnerability. This exploit affects all versions of Microsoft Outlook on Windows, with the recommendation to keep Outlook patched and up to date.

The Qilin ransomware group’s latest tool, a sophisticated Linux ELF64 encryptor, specifically targets VMware ESXi servers. Discovered by MalwareHunterTeam and analyzed by BleepingComputer, this customizable encryptor is designed for various server environments but primarily focuses on VMware ESXi. It encrypts virtual machines and deletes snapshots, appending a unique extension to file names and leaving a ransom note. The ransom demands can range from $25,000 to millions. Initially launched as “Agenda” in August 2022, Qilin has evolved its operations, conducting double-extortion attacks by stealing data and encrypting devices across breached networks.

For real-time intel and updates, don’t forget to follow APG on Twitter and Reddit.