2022 has been an eventful year for the cybersecurity industry worldwide, with new exploits, new malware, new attack TTPs, more illicit communities on the dark web, new scams, and emerging threat actors and groups targeting a range of sectors. Among the notable events of the year were "exit scams": admins of darknet markets disappearing after making enough money. Darkode, an all-purpose market selling everything from narcotics to hacking tools and exploit kits, vanished without warning. Also notable in 2022 was a spike in ransomware leak blogs, operated by threat groups to post updates on their victims or the victims' databases as part of a "name and shame" technique to pressure victims into paying the ransom. Stealer logs became the order of the day in the last quarter of the year; from Vidar to Raccoon to several newer info stealers, they have become a constant headache for security researchers and analysts.
Around this same time in 2021, between November and December, the global cybersecurity industry, researchers, bloggers and analysts alike, was scrambling to analyze the dreaded new exploit "Log4Shell". Thankfully, 2022 has not (at least in the few days remaining) produced another exploit of the same magnitude and disruption.
With only a few days to Christmas, and many security organizations across the globe already looking forward to the New Year, it appears we have not seen it all for 2022 just yet. Massive data breaches continue to rock organizations worldwide across every sector, including finance, education, health, and government.
Highlights of the Latest Exploits in the Last 48 Hours
“The-Best” Sold RDP Access to Network of Unspecified Turkish Company
The-Best, a member of the top-tier forum Exploit, sold RDP access with administrator privileges to the network of an unspecified Istanbul-based company for $500. According to the threat actor, the compromised network holds approximately 7 TB of data. The credibility of "The-Best" is low: the operator has authored only 13 threads and posts since registering in May 2022.
Okta Inc.’s Source Code Breached Due to Compromised GitHub Repositories
Okta Inc.'s GitHub repositories were allegedly compromised in December 2022, resulting in its source code being stolen by undisclosed threat actors, according to a December 21 report by BleepingComputer. BleepingComputer based this claim on a "confidential" security incident email notification sent by Okta Inc. to its security contacts, including IT administrators.
Upon identifying the unauthorized access, Okta Inc. notified law enforcement, temporarily restricted access to its GitHub repositories, and suspended all third-party applications, including GitHub integrations. Okta Inc. investigated the compromised repositories and identified that its Okta Workforce Identity Cloud (WIC) code repositories were affected; the leak does not concern any Auth0 (Customer Identity Cloud) products.
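Okta's containment steps (restricting repository access and suspending third-party GitHub integrations) are the ones a defender would want to be able to reproduce quickly. The script below is an added example written for this page, not Okta's tooling or code: it audits the GitHub App installations on an organization and ranks those that can read or write source. The JSON shape follows GitHub's "List app installations for an organization" response (GET /orgs/{org}/installations, fetched in practice with `gh api --paginate /orgs/ORG/installations`); the sample response, the app names and the allowlist are constructed for illustration.

```python
"""Audit GitHub App installations on an organization and flag those able to
read or alter source code. Added example; not Okta's code or tooling."""
import json

# Constructed sample response (not real data), trimmed to the fields used here.
# Shape assumed to follow GET /orgs/{org}/installations.
SAMPLE_RESPONSE = json.dumps({
    "total_count": 3,
    "installations": [
        {"id": 101, "app_slug": "circleci", "repository_selection": "all",
         "permissions": {"contents": "read", "checks": "write", "metadata": "read"}},
        {"id": 102, "app_slug": "release-helper", "repository_selection": "all",
         "permissions": {"contents": "write", "pull_requests": "write", "metadata": "read"}},
        {"id": 103, "app_slug": "sec-scanner", "repository_selection": "all",
         "permissions": {"metadata": "read", "security_events": "write"}},
    ],
})

# 'contents' is the permission that governs source access.
SOURCE_ACCESS = {"read", "write", "admin"}
SOURCE_WRITE = {"write", "admin"}
SEVERITY_ORDER = ("high", "medium", "low")


def audit_installations(response_json, allowlist=frozenset()):
    """Return (app_slug, installation_id, severity) for every installation that
    can reach source and is not on the allowlist.
      high   = can write code across all repositories
      medium = can write code on selected repos, or read all repositories
      low    = read-only on selected repositories
    """
    data = json.loads(response_json)
    findings = []
    for inst in data.get("installations", []):
        slug = inst.get("app_slug", "?")
        if slug in allowlist:
            continue  # reviewed and accepted integration
        contents = inst.get("permissions", {}).get("contents")
        if contents not in SOURCE_ACCESS:
            continue  # app cannot see code at all (e.g. metadata-only scanners)
        all_repos = inst.get("repository_selection") == "all"
        can_write = contents in SOURCE_WRITE
        if can_write and all_repos:
            severity = "high"
        elif can_write or all_repos:
            severity = "medium"
        else:
            severity = "low"
        findings.append((slug, inst["id"], severity))
    # Worst first, so the incident channel sees what to suspend immediately.
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f[2]))
    return findings


if __name__ == "__main__":
    for slug, inst_id, severity in audit_installations(SAMPLE_RESPONSE):
        print(f"{severity:6} installation {inst_id}: {slug}")
```

Suspending or uninstalling an app is done from the organization's settings (the installed GitHub Apps page); user-level OAuth authorizations and personal access tokens are separate controls and need their own review during an incident of this kind.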
“shx0822” Selling 137,000 Records of Doctors Based in China
shx0822, a member of the Chinese-language dark web marketplace Chang’An Sleepless Night, is selling a database with more than 137,000 records of doctors based in China for $28. The threat actor did not specify the source of the data leak. The sample screenshots shared by the threat actor include the following data fields: full names, gender information, names of the hospitals the doctors work at, medical specialities, and job titles. There are other data fields containing what seem to be medical license numbers and dates reflecting when the doctors joined the respective medical institutions.
"KakToTak" Sold Access to the Network of an Unspecified US Business Services Company
KakToTak, a member of the top-tier forum Exploit, sold RDWeb access with domain user privileges to a Windows Server (listed as "Windows Server 2021", a version that does not exist, so the stated version is likely inaccurate) belonging to an unspecified US company with over $5 million in annual revenue that operates in the business services industry. The starting price was $200, with a buy-it-now price of $600. The credibility of KakToTak is low: the operator has authored only 5 threads and posts since registering in October 2022, and the account has not received any feedback on the forum.
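The two access listings above (The-Best's administrator-level RDP access and KakToTak's RDWeb access) are what a buyer turns into an RDP session on the victim's server, and that session leaves a Security event 4624 with LogonType 10 (RemoteInteractive) on the host. The script below is an added example written for this page, not code from the original post: it triages such events and flags RDP logons from outside the corporate ranges or by privileged accounts. The events, the trusted network ranges and the privileged account names are constructed for illustration; the field names and the ElevatedToken values (%%1842 = Yes, %%1843 = No) are those of the Windows Security log's 4624 event.

```python
"""Triage Windows Security 4624 events for RDP logons that look like bought
initial access. Added example; the sample events are constructed, not real."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample events in the shape a SIEM export of event 4624 has.
# LogonType 10 = RemoteInteractive (RDP); ElevatedToken %%1842 = Yes.
SAMPLE_EVENTS = [
    {"TimeCreated": "2022-12-22T08:11:02Z", "EventID": 4624, "LogonType": 10,
     "TargetDomainName": "CORP", "TargetUserName": "svc_backup",
     "IpAddress": "10.20.1.15", "ElevatedToken": "%%1843"},
    {"TimeCreated": "2022-12-22T23:47:19Z", "EventID": 4624, "LogonType": 10,
     "TargetDomainName": "CORP", "TargetUserName": "Administrator",
     "IpAddress": "185.220.101.4", "ElevatedToken": "%%1842"},
    {"TimeCreated": "2022-12-23T09:02:44Z", "EventID": 4624, "LogonType": 3,
     "TargetDomainName": "CORP", "TargetUserName": "jdoe",
     "IpAddress": "10.20.1.77", "ElevatedToken": "%%1843"},
    {"TimeCreated": "2022-12-23T09:03:10Z", "EventID": 4624, "LogonType": 10,
     "TargetDomainName": "CORP", "TargetUserName": "jdoe",
     "IpAddress": "-", "ElevatedToken": "%%1843"},
    {"TimeCreated": "2022-12-23T17:30:05Z", "EventID": 4624, "LogonType": 10,
     "TargetDomainName": "CORP", "TargetUserName": "da_admin",
     "IpAddress": "10.20.1.15", "ElevatedToken": "%%1842"},
]

# Assumed corporate ranges and Tier-0 account names; replace with your own.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]
PRIVILEGED_ACCOUNTS = {"administrator", "da_admin"}
RDP_LOGON_TYPE = 10


@dataclass
class Finding:
    time: str
    account: str
    source: str
    reasons: list = field(default_factory=list)


def is_external(ip_text: str) -> bool:
    """True if the source address is neither local nor in TRUSTED_NETS.
    4624 records '-' when no address is known and loopback for local logons."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # '-' or malformed
        return False
    if ip.is_loopback or ip.is_unspecified:
        return False
    return not any(ip in net for net in TRUSTED_NETS)


def classify(event: dict) -> list:
    """Return the reasons an event is suspicious (empty = not flagged).
    Only successful RDP (LogonType 10) logons are considered."""
    if event.get("EventID") != 4624 or event.get("LogonType") != RDP_LOGON_TYPE:
        return []
    reasons = []
    if is_external(event.get("IpAddress", "-")):
        reasons.append("rdp_from_untrusted_source")
    user = event.get("TargetUserName", "").lower()
    if user in PRIVILEGED_ACCOUNTS or event.get("ElevatedToken") == "%%1842":
        reasons.append("privileged_rdp_logon")
    return reasons


def triage(events) -> list:
    """Flag events and order them so external + privileged, the combination an
    access broker sells, comes first."""
    findings = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            account = ev.get("TargetDomainName", "") + "\\" + ev.get("TargetUserName", "")
            findings.append(Finding(ev["TimeCreated"], account,
                                    ev.get("IpAddress", "-"), reasons))
    findings.sort(key=lambda f: -len(f.reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.time, f.account, f.source, ",".join(f.reasons))
```

Note that an RDWeb portal logon itself appears as a network (LogonType 3) logon on the web server; the RemoteInteractive logon this script keys on is written on the session host once the brokered RDP session is established, so both hosts need to ship their Security logs.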
“sikinawnaw” Selling Access to Government Email Accounts of Brazil, Colombia, India, Indonesia, Lebanon, Nigeria, and the Philippines
sikinawnaw, a member of the top-tier forum XSS, is selling access to government email accounts from Brazil, Colombia, India, Indonesia, Lebanon, Nigeria, and the Philippines. The threat actor claims that emails can be sent and received from these accounts and that some of them contain unspecified documents. The price is $30 per account, or $150 for all of them. The threat actor can be contacted via Telegram (@shadowhackerr). The account has received 2 endorsements and has no recorded sales on the forum.
CONCLUSION
While new vulnerabilities affecting technology stacks continue to be observed, security analysts and researchers are advised not to let their guard down. They should remain fully alert to threat actors and groups seeking to take advantage of the festive period to gain unauthorized access to corporate networks and infrastructure.