Storm⚡️Watch - 12/5/23

Welcome to the latest episode of Storm⚡️Watch, where we delve into the most recent cybersecurity events and trends.  We are also joined by our friends at Trinity Cyber. 

In this episode, we're excited to announce the arrival of TAGSMAS! This is a special event where we celebrate the power of tags in cybersecurity and how they can help us better understand and respond to threats.

We start the show with the team over at Trinity Cyber, with an in-depth discussion about what they do and how they and GreyNoise partner to keep organizations (and humans) safe.

The episode continues with a security bulletin from New Relic, who recently identified unauthorized access to their staging environment. This environment provides insights into customer usage and certain logs, but does not store customer telemetry and application data. The unauthorized access was due to stolen credentials and social engineering related to a New Relic employee account. The unauthorized actor used the stolen credentials to view certain customer data within the staging environment. Customers confirmed to be affected by this incident have been notified and given recommended next steps. Importantly, there is no evidence of lateral movement from the staging environment to customer accounts in the separate production environment or to New Relic's production infrastructure.

Next, we discuss a phishing campaign targeting WordPress users. The campaign tricks victims into installing a malicious backdoor plugin on their site. The phishing email claims to be from the WordPress team and warns of a Remote Code Execution vulnerability on the user's site with an identifier of CVE-2023-45124, which is not currently a valid CVE. The email prompts the victim to download a "Patch" plugin and install it. If the victim downloads the plugin and installs it on their WordPress site, the plugin is installed with a slug of wpress-security-wordpress and adds a malicious administrator user with the username wpsecuritypatch. The malicious plugin also includes functionality to ensure that this user remains hidden. 

In our shameless self-promotion segment, we highlight some of our recent work at GreyNoise Labs. We've been busy analyzing and documenting various cybersecurity threats and trends, and we're excited to share our findings with you. Be sure to check out our latest posts on the GreyNoise blog and sign up for our Noiseletter to stay up-to-date with our latest research.

We also discuss some recent vulnerabilities, including a Google Skia Integer Overflow Vulnerability (CVE-2023-6345), an ownCloud graphapi Information Disclosure Vulnerability (CVE-2023-49103), and two Apple Multiple Products WebKit vulnerabilities (CVE-2023-42917 and CVE-2023-42916). These vulnerabilities highlight the ongoing need for robust cybersecurity measures and the importance of staying informed about the latest threats.

Finally, we discuss a recent CISA alert about the Iranian military organization IRGC. IRGC-affiliated cyber actors using the persona "CyberAv3ngers" are actively targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers (PLCs). These PLCs are commonly used in the Water and Wastewater Systems (WWS) Sector and are additionally used in other industries including, but not limited to, energy, food and beverage manufacturing, and healthcare. The PLCs may be rebranded and appear as different manufacturers and companies. The authoring agencies urge all organizations, especially critical infrastructure organizations, to apply the recommendations listed in the Mitigations section of this advisory to mitigate risk of compromise from these IRGC-affiliated cyber actors.

Thank you for joining us for this episode of Storm⚡️Watch. We look forward to bringing you more insights into the world of cybersecurity in our next episode.

Episode Slides >>

Join our Community Slack >>

Learn more about GreyNoise >>