ZeroFox Daily Intelligence Brief - September 01, 2023
by Alpha Team

ZeroFox Intelligence collects, curates, and analyzes information derived from open and proprietary sources. Today's roundup follows, intended to give you and your clients an advantage over the adversary.
Brief Highlights
- CISA and International Partners Release Malware Analysis Report on Infamous Chisel Mobile Malware
- Hackers Release Advanced Variants of Popular Open-Source Infostealer
- Researchers Take Down Telescopes after Suspicious Activity in Systems
- Data broker / initial-access broker / hacktivist group: BreachForums user LegendShadow and Türk Hack Team
- Vulnerabilities: CVE-2023-4698 and CVE-2023-41163
- Exploits: CVE-2021-43798 and CVE-2020-5260
- BreachForums/XSS: Hitfinex Data Leak and Combolist: '70k Hulu CLoud.txt'
CISA and International Partners Release Malware Analysis Report on Infamous Chisel Mobile Malware
The “Five Eyes” alliance has published a malware analysis report on “Infamous Chisel”, mobile malware that gives the operator persistent access to infected Android devices over Tor, scans the device's files, monitors network traffic, and periodically exfiltrates sensitive information. The malware is attributed to Sandworm, a unit of Russia's Main Intelligence Directorate (GRU), and was used against Android devices operated by the Ukrainian military. Defenders should compare the published indicators of compromise (IOCs), detection rules, and signatures against their own Android fleets to identify compromised devices.
Hackers Release Advanced Variants of Popular Open-Source Infostealer
Cybercriminals are building on an open-source infostealer called "SapphireStealer," spawning numerous publicly released variants that lower the barrier to data-theft attacks. First shared by a Russian hacker in late 2022, the code has been picked up by others who modify it and redistribute it within underground communities with cleaner code, extended capabilities, and additional exfiltration channels, creating a self-reinforcing feedback loop. The malware, written in .NET, lets non-technical operators steal files, capture screenshots, and harvest browser credentials.
Researchers Take Down Telescopes after Suspicious Activity in Systems
The U.S. National Science Foundation (NSF) temporarily took several telescopes offline as a precautionary measure after detecting suspicious activity in NOIRLab's computer systems. The affected instruments include Gemini North in Hawaii, Gemini South in Chile, and smaller telescopes at Cerro Tololo in Chile. It is unclear when normal operations will resume. While the motive behind the NOIRLab incident remains uncertain, it highlights the potential impact of such disruptions on scientific research.
THREAT ACTIVITY: INITIAL-ACCESS BROKERS, DATA BROKERS, AND HACKTIVISTS
- [BreachForums user LegendShadow](https://cloud.zerofox.com/intelligence/search?sources=advanceddark%20web&created_before=2023-09-01T09:04:46.700Z&created_after=2023-03-05T09:04:46.700Z&date_delta=180): Claims to be selling, for USD 750, a script that retrieves all information linked to a phone number (physical address, email address, and bank details), possibly sourced from Bouygues Telecom.
- [Türk Hack Team](https://cloud.zerofox.com/intelligence/search?sources=advanceddark%20web&created_before=2023-09-01T09:04:46.700Z&created_after=2023-03-05T09:04:46.700Z&date_delta=180): Claims to have conducted DDoS attacks against Greek critical infrastructure.
VULNERABILITIES
- CVE-2023-4698: Improper input validation in the GitHub repository usememos/memos in versions prior to 0.13.2; upgrade to 0.13.2 or later.
- CVE-2023-41163: phpjabbers Business Directory Script 3.2 is vulnerable to cross-site scripting (XSS).
EXPLOITS
- [CVE-2021-43798](https://cloud.zerofox.com/intelligence/search?sources=exploits&created_before=2023-09-01T18:29:59.999Z&created_after=2023-08-31T06:48:58.308Z&date_delta=1): Unauthenticated path traversal in Grafana's /public/plugins/ endpoint (Grafana 8.0.0 through 8.3.0, fixed in 8.3.1), allowing arbitrary file reads as the Grafana user.
- [CVE-2020-5260](https://cloud.zerofox.com/intelligence/search?sources=exploits&created_before=2023-09-01T18:29:59.999Z&created_after=2023-08-31T06:48:58.308Z&date_delta=1): Git credential disclosure (a crafted URL containing an encoded newline can inject values into the credential-helper protocol stream), affecting the Git package shipped in openSUSE Leap.
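As an added example (not ZeroFox's code and not anything from the Grafana project), the following Python script flags CVE-2021-43798 exploitation attempts in web-server access logs. It assumes combined log format and that the request path reaches the log without a proxy having already collapsed the ".." segments; the sample log lines, IP addresses, and plugin IDs are constructed for the example.

```python
"""Flag CVE-2021-43798 (Grafana path traversal) attempts in access logs.

Added example: sample log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote

# Grafana 8.0.0-beta1 through 8.3.0 served plugin assets from
# /public/plugins/<plugin-id>/<file> without collapsing "..", so a request for
# /public/plugins/<plugin-id>/../../../../etc/passwd read files as the Grafana
# user. Fixed in 8.3.1 (backported to 8.0.7, 8.1.8 and 8.2.7).
PLUGIN_PATH = re.compile(r"^/public/plugins/([^/]+)/(.+)$")

# Combined log format; only the fields we need are captured.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: two traversal attempts (one URL-encoded) and two benign hits.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Aug/2023:22:14:05 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1432
203.0.113.7 - - [31/Aug/2023:22:14:09 +0000] "GET /public/plugins/welcome/%2e%2e/%2e%2e/%2e%2e/%2e%2e/var/lib/grafana/grafana.db HTTP/1.1" 200 90112
198.51.100.4 - - [31/Aug/2023:22:15:01 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 2210
198.51.100.4 - - [31/Aug/2023:22:15:02 +0000] "GET /api/health HTTP/1.1" 200 55
"""


def decode_path(path: str) -> str:
    """URL-decode until stable so %2e%2e and %252e%252e both become '..'."""
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def traversal_target(path: str):
    """Return (plugin_id, target) for a /public/plugins traversal, else None.

    target is the path requested relative to wherever the ".." chain escaped
    to, e.g. "etc/passwd"; the exact on-disk root depends on the Grafana home
    directory and is not known from the log alone.
    """
    path = decode_path(path.split("?", 1)[0])
    m = PLUGIN_PATH.match(path)
    if not m:
        return None
    plugin_id, rest = m.group(1), m.group(2)
    segments = re.split(r"[\\/]+", rest)  # treat backslash as a separator too
    if ".." not in segments:
        return None
    last_dotdot = len(segments) - 1 - segments[::-1].index("..")
    target = "/".join(s for s in segments[last_dotdot + 1:] if s)
    return plugin_id, target


def scan(log_text: str):
    """Return one dict per suspicious request: source IP, plugin ID, target, status."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        found = traversal_target(m["path"])
        if found:
            plugin_id, target = found
            hits.append({
                "ip": m["ip"],
                "plugin": plugin_id,
                "target": target,
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']} via plugin {hit['plugin']!r} requested {hit['target']!r} "
              f"(HTTP {hit['status']})")
```

A 200 response on a flagged request is the strongest signal, since a patched Grafana does not serve the file; a 404 still records an attempt worth correlating with other activity from the same source. Any installed plugin ID works for the traversal, so the rule matches on the ".." segments rather than on a list of plugin names.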
BREACHES
- [BreachForums/XSS: Hitfinex Data Leak](https://cloud.zerofox.com/intelligence/search?sources=breaches&created_before=2023-09-01T18:29:59.999Z&created_after=2023-08-31T07:05:41.054Z&date_delta=1): 442,981 records; email address and password.
- [Combolist: '70k Hulu CLoud.txt'](https://cloud.zerofox.com/intelligence/search?sources=breaches&created_before=2023-09-01T18:29:59.999Z&created_after=2023-08-31T07:05:41.054Z&date_delta=1): 70,217 records; email address and password.
Tags: DIB, tlp:green