Cyber Security News Weekly Round-Up

The latest threats, vulnerabilities, data breaches, and defensive countermeasures are covered in the weekly cybersecurity news recap. 

To strengthen your security posture and defenses, you need current knowledge of two things: emerging cyber risks and attack vectors.

Staying vigilant across this rapidly changing landscape is what keeps your assets protected against dynamic threats at all times.

Cyber Attacks

Russian APT Hackers Attacking Critical Infrastructure

The report discusses Russian APT hackers who target critical infrastructure and abuse legitimate software installations to deploy their malware.

The ShadowPad RAT has been linked to them, and they use a wide range of tactics, such as deploying several backdoors at once to create redundant communication channels with compromised systems.

These include well-researched phishing emails, domain controller hijacking, and theft of confidential data that is staged on servers hosted in various parts of the world.

Stolen information is forwarded from the C&C servers used in these attacks to second-stage servers located in China.

Hackers Attacking Foxit PDF Reader Users

Researchers have found a PDF exploit targeting Foxit PDF Reader users that relies on a design flaw in the way the reader presents its security warnings.

An attacker can get malicious code executed by relying on users accepting the default “OK” option on the security warnings.

Rather than defeating a technical security mechanism, this flaw lets malware authors trick users into clicking “OK” without any awareness of the threat that will result.

This bug allows hackers to download and execute malware on victims’ machines once they lure them into visiting websites under their control.

Rather than conventional exploitation methods, social engineering is used, which makes this exploit harder to detect. The vulnerability has been actively exploited in real-world attacks by actors with different harmful aims.

Weaponized WinSCP & PuTTY Delivers Ransomware

Attackers launched a campaign in early March 2024 distributing trojanized installers for WinSCP and PuTTY, which led to downloads containing malware. 

The malware used a renamed pythonw.exe that loaded a malicious DLL, which side-loaded a legitimate DLL and injected a Sliver beacon using reflective DLL injection. 

The attackers then established persistence, downloaded additional payloads, attempted to steal data, and deployed ransomware, showing TTPs similar to those used by BlackCat/ALPHV in the past. 

The ad for PuTTY download redirected users to a typo-squatted domain hosting a malicious download link, and clicking the link triggered a chain of redirects, ultimately downloading a malware-laced ZIP archive disguised as a PuTTY installer from a compromised WordPress domain.
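The side-loading chain described above (a renamed pythonw.exe loading a DLL from the same directory) leaves a recognizable trace in endpoint telemetry: the PE header’s OriginalFileName no longer matches the file name on disk, and the DLL is loaded from a user-writable folder. The following detection logic is an added example, not code from the report or from any vendor. The events are constructed samples shaped like Sysmon Event ID 1 (process create) and Event ID 7 (image load) fields; the paths, process IDs and the list of user-writable directory markers are assumptions.

```python
"""Flag renamed interpreters and DLLs loaded beside them from user-writable paths."""
from pathlib import PureWindowsPath

# Interpreters whose PE OriginalFileName should match the on-disk name
# (assumption: extend with other hosts you see abused in your environment).
WATCHED_ORIGINAL_NAMES = {"pythonw.exe", "python.exe"}
# Directory fragments an ordinary user can write to (assumed, non-exhaustive list).
USER_WRITABLE_MARKERS = (r"\appdata\local\temp", r"\downloads", r"\users\public")

# Constructed sample events: one renamed interpreter in a temp folder (pid 4120),
# one legitimate interpreter (pid 5000), one unrelated process (pid 6000).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": r"C:\Users\alice\AppData\Local\Temp\putty\setup.exe",
     "OriginalFileName": "pythonw.exe"},
    {"EventID": 7, "ProcessId": 4120,
     "Image": r"C:\Users\alice\AppData\Local\Temp\putty\setup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\putty\python311.dll",
     "Signed": "false"},
    {"EventID": 1, "ProcessId": 5000,
     "Image": r"C:\Python311\pythonw.exe", "OriginalFileName": "pythonw.exe"},
    {"EventID": 7, "ProcessId": 5000,
     "Image": r"C:\Python311\pythonw.exe",
     "ImageLoaded": r"C:\Python311\python311.dll", "Signed": "true"},
    {"EventID": 1, "ProcessId": 6000,
     "Image": r"C:\Program Files\PuTTY\putty.exe", "OriginalFileName": "PuTTY"},
]


def is_user_writable(path: str) -> bool:
    """True if the path contains one of the assumed user-writable directory markers."""
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def is_renamed_interpreter(event: dict) -> bool:
    """PE header says pythonw.exe (or similar) but the file on disk is named differently."""
    original = event.get("OriginalFileName", "").lower()
    if original not in WATCHED_ORIGINAL_NAMES:
        return False
    return PureWindowsPath(event["Image"]).name.lower() != original


def analyze(events) -> list:
    """Walk events in order; report renamed interpreters and DLLs they load from
    their own user-writable directory (the side-loading shape described above)."""
    findings = []
    flagged_pids = set()
    for ev in events:
        if ev.get("EventID") == 1 and is_renamed_interpreter(ev):
            flagged_pids.add(ev["ProcessId"])
            findings.append({"kind": "renamed_interpreter", "pid": ev["ProcessId"],
                             "image": ev["Image"], "original": ev["OriginalFileName"]})
        elif ev.get("EventID") == 7 and ev.get("ProcessId") in flagged_pids:
            exe_dir = str(PureWindowsPath(ev["Image"]).parent).lower()
            dll_dir = str(PureWindowsPath(ev["ImageLoaded"]).parent).lower()
            if exe_dir == dll_dir and is_user_writable(dll_dir):
                findings.append({"kind": "dll_from_same_user_dir", "pid": ev["ProcessId"],
                                 "dll": ev["ImageLoaded"], "signed": ev.get("Signed", "unknown")})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The two findings are emitted in order, so a renamed interpreter alone is a weak signal while the follow-up DLL load from the same temporary folder is what makes the pair worth an alert; the `Signed` field is carried along so an analyst can see immediately whether the loaded DLL was unsigned.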

400k Linux Servers Hacked

Cryptocurrency thefts and other financial offenses are being carried out by a huge botnet composed of over 400,000 hacked Linux servers, according to new research from ESET security researchers.

The Ebury criminal group operates this botnet, which has been active since 2009 and spreads through multiple methods, including hijacking hosting providers’ infrastructure and ARP spoofing attacks. The network has ballooned in size and still had more than 100,000 infected servers at the end of 2023.

Apart from traditional spamming and directing traffic to other sites, this botnet also steals financial information and mines cryptocurrencies on infected machines.

The latest version of the Ebury malware, 1.8, released in late 2023, improved its rootkits to make them harder to find, added a new domain generation algorithm, and improved its ability to hide information.

Threats

New Linux Backdoor

A recently developed Linux backdoor dubbed “Linux.Gomir” has been identified. It was created by the North Korean hacker group Springtail and has frequently been delivered to users through installation packages.

This backdoor is a near copy of GoBear and communicates with its C&C server over HTTP POST; it first hashes the hostname and username before sending an infection ID.

It uses a particular form of encryption to decode commands, which shows the group’s ability to attack platforms across different environments. A second alert covers malicious code in XZ Utils versions 5.6.0 and 5.6.1 that introduces an SSH backdoor into certain Linux distributions, affecting servers that accept incoming SSH connections.

Users of affected systems should downgrade to unaffected versions and check for signs of compromise. The backdoor, found in the open-source XZ Utils library, allows remote code execution and was planted by a contributor who had worked on the project for two years before being promoted to maintainer.

The latest releases of XZ Utils carry this backdoor, so downgrading compromised versions is critical to preventing such attacks.
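A first triage step for the XZ Utils issue above is simply to establish which version a host runs and whether the SSH daemon has liblzma mapped into it at all. The following script is an added example, not from the original article or the XZ project: it parses `xz --version` output against the two version numbers named above, and, as an assumed second check, scans `ldd` output for an sshd binary for any liblzma library (the backdoored code can only reach sshd when that library is loaded into it). The sample outputs are constructed.

```python
"""Triage helpers for the XZ Utils 5.6.0 / 5.6.1 backdoor."""
import re
import shutil
import subprocess

# Versions named in the advisory summarized above.
AFFECTED = {(5, 6, 0), (5, 6, 1)}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_xz_version(output: str):
    """Return (major, minor, patch) from the first line of `xz --version`, or None."""
    stripped = output.strip()
    first_line = stripped.splitlines()[0] if stripped else ""
    m = VERSION_RE.search(first_line)
    return tuple(int(x) for x in m.groups()) if m else None


def assess_version(output: str) -> str:
    """Classify `xz --version` output as affected / not affected / unknown."""
    version = parse_xz_version(output)
    if version is None:
        return "unknown"
    return "affected" if version in AFFECTED else "not affected"


def sshd_maps_liblzma(ldd_output: str) -> bool:
    """True if any library listed by `ldd /usr/sbin/sshd` is a liblzma build.
    A True result means the daemon would load whatever liblzma is installed."""
    for line in ldd_output.splitlines():
        name = line.strip().split(" ")[0]
        if name.startswith("liblzma"):
            return True
    return False


def check_local_xz() -> str:
    """Run the real `xz --version` on this host when the binary is present."""
    if shutil.which("xz") is None:
        return "unknown"
    proc = subprocess.run(["xz", "--version"], capture_output=True, text=True, check=False)
    return assess_version(proc.stdout)


# Constructed sample outputs (addresses shortened to placeholders).
SAMPLE_AFFECTED = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_CLEAN = "xz (XZ Utils) 5.4.6\nliblzma 5.4.6\n"
SAMPLE_LDD = (
    "\tlinux-vdso.so.1 (0x0000)\n"
    "\tlibsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x0000)\n"
    "\tliblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x0000)\n"
    "\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x0000)\n"
)

if __name__ == "__main__":
    print("sample:", assess_version(SAMPLE_AFFECTED))
    print("sample sshd maps liblzma:", sshd_maps_liblzma(SAMPLE_LDD))
    print("this host:", check_local_xz())
```

On a fleet, feed `check_local_xz()` into whatever inventory tool you already run; a host reporting "affected" together with an sshd that maps liblzma is the combination to prioritize for downgrade and for the compromise checks the advisory calls for.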

ViperSoftX Malware

Cyber security researchers have described a new acoustic keyboard side-channel attack in which the sounds of keystrokes, captured with microphones, are used to recover sensitive information.

The attack relies on waveform analysis to extract features such as timing and intensity, which are then processed with statistical analysis, machine learning, and signal processing.

The authors propose a method in which keystroke audio is captured, a statistical model is trained to predict keys, and an English dictionary improves word prediction even in the presence of noise.

The research aims to identify keystrokes without depending on precise environmental conditions, and it stresses that correctly recording keyboard sounds is essential for efficient detection.

QakBot Malware

The report discusses the discovery of a zero-day vulnerability in Windows OS, specifically the Windows Desktop Window Manager (DWM) vulnerability, designated as CVE-2024-30051. 

This vulnerability allows attackers to escalate privileges. The document containing information about this exploit was uploaded to VirusTotal on April 1, 2024. 

After reporting the findings to Microsoft, a patch was released on May 14, 2024. The exploit has been observed in attacks involving QakBot and other malware, indicating multiple threat actors have access to it.

New Social Engineering Attack

Cybersecurity analysts at Rapid7 have identified a new social engineering attack that delivers the Black Basta ransomware. 

The attack begins with a surge of seemingly harmless newsletter signup confirmation spam emails that bypass email protections. Attackers then make phone calls pretending to be IT support to persuade users to allow remote access through tools like AnyDesk or Quick Assist. 

Once connected, the attacker downloads payloads to harvest credentials and maintain persistence, which could ultimately result in ransomware infections, as in previous Black Basta operations. 

This new social engineering technique emerged towards the end of April 2024 and exploits human psychology and behavior to bypass technical security systems.

SugarGh0st RAT

A new campaign is targeting AI research institutions in the United States using the SugarGh0st Remote Access Trojan (RAT).

The threat actor UNK_SweetSpecter has been found responsible for this operation, which has affected many businesses, government agencies, and universities.

This attack involves sending emails with AI-related lures to victims, which include a zip archive file that drops an LNK shortcut file and a JavaScript dropper.

The dropper then installs the SugarGh0st RAT. The attack chain resembles one previously reported by Cisco Talos, which used sideloaded ActiveX tools, base64-encoded binaries, and a decoy document.

The timing of this offensive campaign during US-China tension over AI access and its focus on AI professionals may suggest possible motives related to espionage or intellectual property theft.

Darkgate Malware

Windows machines are targeted using malicious attachments such as XLSX, HTML, or PDF files in phishing emails. 

The malware can clone itself and take control of affected accounts with risks such as data loss, fraud, and compromising sensitive information.

The campaign’s phishing emails are disguised as QuickBooks invoices and lead users to download JAR files containing obfuscated AutoIt scripts that communicate with remote servers.

Darkgate is a major cybersecurity concern because it combines professional malware practices with previously seen URL patterns, demonstrating advanced persistent threat techniques.

Data Breach

Nissan Data Breach

Nissan Oceania has confirmed that roughly 100,000 people, including customers and employees, were affected by a data breach in December 2023.

The breach resulted from a third party accessing local IT servers without authorization. The Akira ransomware group has claimed responsibility and leaked stolen information.

Compromised personal details include government identification such as medical cards, driver’s licenses, passports, and tax file numbers, as well as loan documents, employment information, and dates of birth.

Nissan is notifying affected people and offering support such as free credit monitoring and reimbursement for ID replacement. The firm is working with government authorities and cyber security experts to investigate the incident.

Notorious Data Leak Site BreachForums Seized

The report discusses how authorities managed to seize the notorious data leak site “BreachForums.” It also highlights the importance of cybersecurity executive summaries in reporting on cyber risk and security programs to prevent breaches and mitigate risks effectively.

It emphasizes the need for clear communication in these reports, avoiding overly technical details, and providing context for readers without a technical background. 

Additionally, it mentions the significance of capturing high-risk items in cybersecurity executive summaries and the use of cybersecurity KPI dashboards to contextualize key findings and recommendations.

Hackers Abusing GitHub

There have been instances of Russian-speaking threat actors from the Commonwealth of Independent States (CIS) using GitHub as a platform to host malicious infrastructure and distribute various forms of malware. 

They make imitation GitHub profiles and repositories that emulate famous software programs, tricking people into downloading pirated versions loaded with malware such as the Atomic macOS Stealer. 

Institutions are advised to observe tough security protocols, institute code reviews across their entire organization, and use auto-scanning tools to identify possible malware or suspicious coding patterns. 

Organizations should also establish controls against unapproved applications and third-party scripts running in their systems, and work with the wider cybersecurity community to counter these varied attacks effectively.

Vulnerabilities

D-LINK RCE Zero-Day Vulnerability

A proof-of-concept (PoC) exploit has been publicly released for a remote code execution (RCE) zero-day vulnerability in D-Link EXO AX4800 (DIR-X4860) routers. 

The vulnerability allows unauthenticated remote attackers to gain elevated privileges and execute commands as root by combining an authentication bypass with command injection. 

The exploit takes advantage of flaws in the Home Network Administration Protocol (HNAP) service to bypass authentication and inject malicious commands. 

D-Link has been notified of the issues but has not released a fix, so users should disable remote management to prevent exploitation.

New Google Chrome Zero-day

Google has recently addressed CVE-2024-0519, the first actively exploited Chrome zero-day of 2024.

The flaw is an out-of-bounds memory access in V8, Chrome’s JavaScript engine, which allows access to data beyond the allotted memory buffer and lets attackers leak data or crash the browser.

This exploit again shows how difficult it is to keep browsers protected from evolving malware and spyware threats.

FortiOS & FortiProxy SSL-VPN Flaw

Fortinet disclosed a major vulnerability, tracked as FG-IR-23-225, in FortiOS SSL-VPN and FortiProxy SSL-VPN that enables threat actors to bypass security controls configured on the systems and spoof IP addresses using crafted packets.

It affects a wide range of FortiOS and FortiProxy versions and can result in unauthorized access to resources on the protected network.

Fortinet has provided fixes for this bug; customers should upgrade immediately or apply the workarounds offered.

DNS Tunneling

This report examines how hackers use DNS tunneling to convey hidden messages and evade firewalls, in activities such as network scanning and tracking email delivery or CDN usage.

DNS tunneling stays hidden because firewalls permit DNS traffic, the client and server communicate indirectly through resolvers, and encodings hide the secret data inside packets that look like legitimate traffic.

As a result, threat actors use data exfiltration over DNS to build covert channels that security systems find difficult to detect.
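Because the tunnel must encode its payload into query names, the traffic profile of the abused domain differs from normal lookups: many distinct, long, high-entropy subdomains, often with TXT queries. The following profiler is an added example, not part of the report, that scores DNS query logs on exactly those properties. It approximates the registered domain as the last two labels (an assumption, since no public-suffix list is used), the log line format is assumed, and the log lines are constructed.

```python
"""Profile DNS query logs per domain and flag tunneling-like behaviour."""
import math
from collections import defaultdict

# Constructed log lines in an assumed "<epoch> <client> <qname> <qtype>" format.
# Three ordinary lookups, then six long encoded subdomains under one domain.
SAMPLE_LOG = """\
1715000001 10.0.0.5 www.example.com A
1715000002 10.0.0.5 mail.example.com MX
1715000003 10.0.0.7 cdn.example.net A
1715000004 10.0.0.9 nf5hizlvnbxw4zlqmvsgkzlhfvzgyzlqfv3gi3djmfxgq.tunnel-example.test TXT
1715000005 10.0.0.9 ge2dmnjugyzdemjqgi3dmnrsgu3dmnjsgizdimbqgq2tk.tunnel-example.test TXT
1715000006 10.0.0.9 mzxw6ytbozqwg3dfnfsw4ylnmzsgc3dfnfxw2zlbpb2xe.tunnel-example.test TXT
1715000007 10.0.0.9 onswg4tfor2hgzlsnrqwy3ttmvxhiyloeiqgcy3dmvzxg.tunnel-example.test TXT
1715000008 10.0.0.9 kjswgzlsmvzgkzlonfxgmzdfoj2hgzlsfvzgkytfmjqwk.tunnel-example.test TXT
1715000009 10.0.0.9 ojsxk3lfor2hezlsnfxgezlsmvzxezlgmvzgkzlsfvzga.tunnel-example.test TXT
1715000010 10.0.0.5 www.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty or single-symbol strings)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain part, registered domain), taking the last two labels
    as the registered domain (assumption: no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_domains(log_text: str) -> dict:
    """Aggregate per-domain statistics relevant to tunneling detection."""
    acc = defaultdict(lambda: {"queries": 0, "txt": 0, "subs": set(), "lens": [], "ents": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort
        _, _, qname, qtype = parts
        sub, domain = split_qname(qname)
        d = acc[domain]
        d["queries"] += 1
        if qtype.upper() == "TXT":
            d["txt"] += 1
        d["subs"].add(sub)
        payload = sub.replace(".", "")  # the part an encoder has to use for data
        d["lens"].append(len(payload))
        d["ents"].append(shannon_entropy(payload))
    return {
        domain: {
            "queries": d["queries"],
            "unique_subdomains": len(d["subs"]),
            "mean_sub_len": sum(d["lens"]) / d["queries"],
            "mean_entropy": sum(d["ents"]) / d["queries"],
            "txt_share": d["txt"] / d["queries"],
        }
        for domain, d in acc.items()
    }


def flag_tunnels(log_text: str, min_unique=5, min_len=25.0, min_entropy=3.0) -> list:
    """Domains with many distinct, long, high-entropy subdomains (thresholds are assumed
    starting points; tune them against your own baseline traffic)."""
    flagged = []
    for domain, s in profile_domains(log_text).items():
        if (s["unique_subdomains"] >= min_unique
                and s["mean_sub_len"] >= min_len
                and s["mean_entropy"] >= min_entropy):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    for domain, stats in profile_domains(SAMPLE_LOG).items():
        print(domain, stats)
    print("flagged:", flag_tunnels(SAMPLE_LOG))
```

The three thresholds are deliberately conjunctive: CDNs and anti-spam services legitimately generate many unique subdomains, but those are short and low-entropy, so requiring length and entropy as well keeps the false-positive rate manageable. The `txt_share` statistic is reported rather than used in the rule because tunnels also run over A, AAAA and CNAME queries.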

30+ Tesla Cars Hacked

In a cybersecurity contest, hackers won $200,000 by taking advantage of flaws in the modem and infotainment system of a Tesla. 

The Zero Day Initiative’s event is meant to uncover issues in in-car electronics. The winning team, Synacktiv, used several bug chains to compromise the Tesla and earned a total of $450,000.

The competition, Pwn2Own Automotive 2024, identified forty-nine new vulnerabilities in the targeted products and paid out over $1 million in prize money.

Hackers Exploiting Microsoft’s Quick Assist

Threat actors are abusing Microsoft’s Quick Assist remote access tool in social engineering attacks to distribute ransomware.

The hackers from Storm-1811 have been seen to take control of computers and propagate Qakbot, Cobalt Strike, and eventually Black Basta ransomware. 

To mitigate this risk, Microsoft recommends blocking unused remote tools, using secure alternatives instead, and educating users to recognize tech support scams.

Ransomware is malware that encrypts files and then demands payment for decryption, usually causing great harm to companies.

Proper preparedness such as installing software updates, utilizing anti-ransomware programs, and creating offline backups can greatly reduce the impact of any ransomware assault.

Other news

Norway Recommends Replacing SSLVPN/WebVPN

Norway’s National Cyber Security Centre (NCSC) recommends replacing SSLVPN/WebVPN solutions with more secure alternatives like IPsec with IKEv2 due to repeated vulnerabilities exploited by threat actors. 

The transition is advised to be completed by 2025, with critical infrastructure organizations urged to adopt safer options by the end of 2024. 

The move aims to reduce the attack surface of secure remote access and strengthen network security against breaches.

Apple Has Terminated 370 Million+ Developer & Customer Accounts

Apple recently terminated more than 370 million developer and customer accounts in 2023 to combat fraud and ensure a secure platform for users and developers. This action is part of Apple’s ongoing efforts to enhance antifraud measures and maintain the integrity of the App Store. 

The company’s strict fraud prevention analysis led to the deletion of millions of accounts and the rejection of fraudulent developer enrollments, demonstrating Apple’s commitment to protecting its ecosystem.

Tor Browser 13.0.15 Released

Tor Browser 13.0.15 has been released with important security updates and bug fixes. It is a Firefox-based browser that provides anonymous access to the Tor network.

It routes traffic through a network of volunteer relays to hide a user’s location and usage from anyone performing network surveillance or traffic analysis.

The browser is available for Windows, macOS, Linux, and Android and is localized in 37 languages. Users can customize their privacy and security settings by choosing among three levels of protection: Standard, Safer, and Safest.

MITRE Releases EMB3D Cybersecurity Threat Model

MITRE has released EMB3D, a comprehensive threat model for embedded devices created in partnership with Red Balloon Security and others.

The threat model is aimed at tackling the ever-changing cyber threat landscape, giving practical insights into how to identify and reduce the risks of attacks on embedded systems.

It also covers integrating CTI processes into security operations to improve the organization’s security posture and decision-making.

Microsoft to Mandate Multi-Factor Authentication

Starting in July, Microsoft will enforce MFA for Azure users to improve cloud security. MFA, which requires multiple proofs of identity from the user, reduces the risk of unauthorized access and data breaches.

The aim is to secure tenants so that only authorized users can access Azure services and other resources, in line with security standards such as PCI DSS, HIPAA, GDPR, and NIST.

Erin Chapple, Corporate Vice President of Azure Core, emphasized the significance of MFA for protecting customers hosting on Azure, noting its role in mitigating cyber threats and maintaining the integrity of cloud services.