The holiday season is here, and organizations are facing an increased risk of cyberthreats with a notable focus on the activities of access brokers. These threat actors specialize in gaining and selling unauthorized access to organization accounts by orchestrating social engineering campaigns and exploiting seasonal vulnerabilities. There has been a significant surge in access broker activity, especially towards the end of the year. Cybercriminals are capitalizing on the distracted workforce, reduced staff, and operational changes that are typical during the holiday season.

During the holiday season, cyber-threats intensify, with increased online activities and vulnerabilities. Ransomware, constituting nearly 25 percent of malicious attacks in 2023 with average costs exceeding $5 million, strategically exploits the holiday period, taking advantage of limited IT support for impactful network exploitation and ransomware propagation.

Access brokers are a notable threat during this season and actively participate in sophisticated social engineering campaigns, exploiting vulnerabilities, and orchestrating well-crafted attacks. Phishing escalates, creating a surge in promotional emails and mimicking seasonal content, such as order and tracking emails, charity requests, and holiday event messages. Spear-phishing campaigns see a notable uptick as well, boasting an average click-through rate of 11 percent.

Concurrently, Distributed Denial of Service (DDoS) attacks proliferate, with approximately 7.9 million incidents recorded globally in the first half of 2023, marking a 31 percent increase from the previous year. These attacks strategically target eCommerce businesses and financial institutions during holiday peaks, aiming to disrupt operations in industries experiencing a surge in internet traffic.

This Cybersecurity Threat Advisory highlights a new security flaw that has recently been discovered in Atlassian’s Confluence Data Center and Server, which could result in significant data loss if exploited. Tracked as CVE-2023-22518, this vulnerability is rated 9.1 out of a maximum of 10 on the CVSS scoring system. It has been described by Atlassian as an “improper authorization vulnerability.”

What is the exposure or risk?

All versions of Confluence Data Center and Server are at risk of being affected by this vulnerability. Because Confluence sites are only accessible via an atlassian.net domain, there is no impact to confidentiality because attackers are unable to exfiltrate data from that domain. Versions outside of the support window, including those which have reached the end of their services (or End of Life, when manufacturers no longer support that type of hardware) may also be affected.

Several serious security flaws have been found in the Veeam ONE platform for analytics and IT infrastructure monitoring. These vulnerabilities may result in data breaches, illegal access, and NTLM hash theft. To fix these problems, Veeam has published security patches and issued a warning. Read this Cybersecurity Threat Advisory on recommendations to mitigate risks and protect Veeam environments.

Multiple vulnerabilities have been found in Veeam ONE, an IT infrastructure monitoring and analytics platform. CVE-2023-38547, CVE-2023-38548, and CVE-2023-41723 affect Veeam ONE versions 11, 11a, and 12. CVE-2023-38549 affects only Veeam ONE 12.

The initial two vulnerabilities, CVE-2023-38547 and CVE-2023-38548, are rated critical. CVE-2023-38547 can permit an unauthenticated user to access Veeam ONE’s configuration database’s SQL server connection information, potentially leading to remote code execution on the SQL server. CVE-2023-38548 enables unprivileged Veeam ONE Web Client users to obtain the access token of a Veeam ONE Administrator. These weaknesses might permit aggressors to take NTLM hashes and exploit other security shortcomings. Veeam has recognized these issues and delivered security updates to address the weaknesses.

What is the exposure or risk?

These vulnerabilities come with significant risk and exposure. Attackers may be able to obtain sensitive data exfiltration, compromise vital systems, and obtain unauthorized access to an organization’s IT infrastructure if they are successful in their exploit. The effect of a breach may increase if NTLM hashes are stolen since they may allow for more exploitation and lateral movement throughout the network. A successful attack may result in reputational harm as well as monetary losses.

What is the threat?

The wiper, named “BiBi-Windows Wiper”, has been used by a pro-Hamas hacker group in the wake of the ongoing Israel-Hamas war.

BiBi-Windows Wiper is part of a wider data-wiping attack on Israeli computers destroying data on both Linux and Windows systems. It is primarily targeting the education and technology sectors. The wiper malware also causes irreversible data corruption and operational disruption on almost all files. The malware simply overwrites the original file with random bytes to prevent their recovery, followed by renaming the files using a ten-character long sequence of random letters containing the “BiBi” string, with no possible method to recover it. The malware also switches off the “Error Recovery” mode and deactivates the “Windows Recovery” feature.