April 19, 2024  —  Acronis

MSP cybersecurity news digest, April 19, 2024

Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs

Microsoft's April 2024 Patch Tuesday addressed a total of 150 flaws, 67 of which are remote code execution (RCE) bugs. Three critical vulnerabilities were remedied as part of the security update.

Notably, the majority of these RCE flaws are concentrated in Microsoft SQL drivers, suggesting a common underlying weakness. Additionally, 26 Secure Boot bypasses, including two from Lenovo, were resolved this month. The remaining vulnerabilities consist of 31 elevation of privilege, 29 security feature bypass, 13 information disclosure, 7 denial of service and 3 spoofing vulnerabilities. This total excludes 5 Microsoft Edge flaws addressed earlier and 2 flaws in Mariner, an open-source Linux distribution developed by Microsoft specifically for its Azure services.

Among the updates, two zero-day vulnerabilities were addressed. Both had previously been exploited in malware attacks, although Microsoft initially did not mark them as actively exploited. One vulnerability involves a malicious driver signed with a valid Microsoft Hardware Publisher Certificate, while the other is a SmartScreen Prompt Security Feature Bypass used by a financially motivated hacking group targeting forex trading forums. Researchers also disclosed two Microsoft SharePoint zero-days that make it harder to detect suspicious file downloads from SharePoint servers, though no CVEs have been assigned to these flaws yet.

Recent victims of Hunters International

A recent cyberattack on Hoya Corporation was conducted by the Hunters International ransomware operation, demanding a $10 million ransom to decrypt files and refrain from releasing stolen data. Hoya, a Japanese company with a revenue of $5.609 billion in 2023, specializing in optical instruments, medical equipment, and electronic components, operates globally with 160 offices and subsidiaries in over 30 countries and 43 laboratories.

The attack disrupted production and order processing across several business divisions, leading to IT outages. While Hoya investigates potential data access or exfiltration by the attackers, the ransomware group demanded a ransom to prevent the release of an alleged 1.7 million stolen files, totaling 2 TB. Although no files have surfaced on the Hunters International site and no public claim of responsibility has been made, evidence suggests ransom negotiations are under way, with a strict "No Negotiation / No Discount Policy" imposed by the attackers.

In another incident claimed by Hunters International, Benetton Group, a renowned global fashion company headquartered in Italy with a revenue of over €1 billion in 2023, has purportedly been targeted. The ransomware gang is threatening to disclose 33.8 MB of clients' data if its ransom demands are not met within a specified time frame. Despite being listed on Hunters International's leak site, Benetton has not issued an official statement.

Bogus Adobe Acrobat Reader installers distribute Byakugan malware

Bogus installers, masquerading as Adobe Acrobat Reader installers, are serving as vehicles to disseminate a newly identified, multifunctional malware named Byakugan. The attack commences with a PDF file, crafted in Portuguese, which upon opening displays a blurred image, prompting the victim to click on a link to download the Reader application to access the content.

Upon clicking the URL, users inadvertently trigger the deployment of an installer named "Reader_Install_Setup.exe," initiating the infection sequence, as reported by researchers. The intricate attack chain uses techniques such as DLL hijacking and bypassing Windows User Account Control (UAC) to execute a malicious dynamic-link library (DLL) file dubbed "BluetoothDiagnosticUtil.dll," which in turn unleashes the final payload. Additionally, the malware employs a legitimate PDF reader installer, such as Wondershare PDFelement, to disguise its malicious activity.

Byakugan, characterized as a Node.js-based malware, bundles various libraries and functionalities, including establishing persistence, desktop monitoring using OBS Studio, capturing screenshots, downloading cryptocurrency miners, logging keystrokes, enumerating and uploading files, and extracting data from web browsers. Meanwhile, a parallel discovery by researchers unveils a campaign distributing the Rhadamanthys information stealer disguised as a groupware installer, indicating an evolving trend among threat actors. Furthermore, recent findings underscore the use of a manipulated version of Notepad++ to propagate the WikiLoader malware.

boAT data breach 

boAT, a leading Indian audio products and smartwatch manufacturer, with a revenue of $406.98 million in 2023, has experienced a significant data breach affecting approximately 7.5 million customers. The breach, attributed to an attacker known as 'ShopifyGUY', has exposed sensitive personal information such as names, addresses, contact numbers, email IDs and customer IDs on the dark web.

This exposure poses risks of financial fraud, phishing scams and identity theft for affected individuals, prompting grave concerns among cybersecurity experts about its impact on boAT's reputation, customer trust and legal standing. Additionally, the breach may lead to potential lawsuits, regulatory scrutiny and the sale of exposed data on the dark web, posing further risks to digital security.

Established in 2016 by Aman Gupta and Sameer Mehta, boAT has become the second most popular wearable brand in India, renowned for its affordable earphones and other audio products.

Targus discloses cyberattack after attackers detected on file servers

Targus, a manufacturer of laptop and tablet accessories with a revenue of $6.1 million in 2023, revealed a cyberattack that disrupted its operations when a threat actor breached the company's file servers.

B. Riley Financial, Inc., Targus' parent company, disclosed the cyberattack in an SEC Form 8-K filing. Targus reportedly activated its incident response and business continuity protocols with the assistance of external cybersecurity experts upon discovering the breach. The company stated that containment measures were implemented to disrupt the unauthorized access, resulting in a temporary interruption of business operations, and that internal systems are currently being recovered.

Though it's unclear if corporate data was compromised, the company notified regulatory authorities and law enforcement about the unauthorized access. Targus has yet to respond to inquiries regarding the attack, and no ransomware gangs or other threat actors have claimed responsibility for the incident.