Cyber Security News Weekly Round-Up

Stay updated with the most recent advancements in the cybersecurity industry with our weekly recap of cybersecurity news.

Get comprehensive insights into the latest technical details and cutting-edge technologies being employed to safeguard against cyber threats.

This will help you stay informed about the latest trends, vulnerabilities, cutting-edge advancements, cyber attacks, threats, and stories.

Discover new threats and fixes in our recap, and learn about the latest tactics used against your devices. These highlights will help you stay current on cybersecurity issues so that fixes can be applied in time.

Threats

SSO-Based Phishing Attack

In SSO-based phishing attacks, threat actors use phishing scams to deceive individuals into sharing sensitive information like login credentials. 

This method exploits human trust through social engineering, posing a significant risk for unauthorized access and identity theft. 

Cybersecurity researchers identified this new tactic, which lures users into disclosing their login details by mimicking legitimate SSO pages. 

The attackers employ various phishing techniques like email, SMS, and voice phishing to trick victims into revealing their credentials.

GTPDOOR

The GTPDOOR Linux malware is a newly discovered threat targeting telecom networks, specifically systems within the closed GRX network used by multiple telecommunication operators. 

This malware operates stealthily by leveraging the GTP-C protocol, a legitimate protocol in mobile networks, to blend in with regular traffic and evade detection. 

It communicates with a command and control server using the GTP-C protocol, allowing threat actors to send commands and receive stolen data. 

GTPDOOR uses covert communication through GTP Echo Request messages and can modify its process name to mimic legitimate system processes for enhanced stealth.
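As an added defensive illustration (not code from the original article or from the GTPDOOR research), the snippet below parses the fixed GTPv1 header and flags GTP Echo Requests that deviate from a known-peer baseline: sender not in a GRX peer allow-list, a destination port other than the standard GTP-C port 2123, or a non-zero TEID (Echo Requests carry TEID 0). The peer allow-list, sample packets and heuristics are constructed assumptions for the example.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

GTPC_PORT = 2123        # standard GTP-C UDP port
GTP_ECHO_REQUEST = 1    # GTPv1 message type for Echo Request
GTP_ECHO_RESPONSE = 2   # GTPv1 message type for Echo Response


@dataclass
class GtpHeader:
    version: int
    message_type: int
    length: int      # bytes following the mandatory 8-byte header
    teid: int


def parse_gtpv1_header(payload: bytes) -> Optional[GtpHeader]:
    """Parse the mandatory 8-byte GTPv1 header; None if too short or not GTPv1."""
    if len(payload) < 8:
        return None
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    if (flags >> 5) != 1:          # top 3 bits of the flags byte = GTP version
        return None
    return GtpHeader(1, msg_type, length, teid)


def flag_unexpected_echo(packets: Iterable[Tuple[str, int, bytes]],
                         known_peers: set) -> List[Tuple[str, int, str]]:
    """Return (src_ip, dst_port, reason) for Echo Requests outside the baseline."""
    findings = []
    for src_ip, dst_port, payload in packets:
        hdr = parse_gtpv1_header(payload)
        if hdr is None or hdr.message_type != GTP_ECHO_REQUEST:
            continue                      # only Echo Requests are of interest here
        if src_ip not in known_peers:
            findings.append((src_ip, dst_port, "unknown-peer"))
        if dst_port != GTPC_PORT:
            findings.append((src_ip, dst_port, "non-standard-port"))
        if hdr.teid != 0:                 # Echo Request TEID is always 0 per spec
            findings.append((src_ip, dst_port, "nonzero-teid"))
    return findings


# Constructed sample traffic: (src_ip, dst_port, UDP payload).
# 0x32 = version 1, PT=1, S=1; length 4 covers seq(2)+npdu(1)+next-ext(1).
KNOWN_PEERS = {"192.0.2.10", "192.0.2.11"}
SAMPLE_PACKETS = [
    ("192.0.2.10", 2123, bytes.fromhex("3201000400000000" "00010000")),  # normal Echo Request
    ("192.0.2.10", 2123, bytes.fromhex("3202000600000000" "000100000e00")),  # Echo Response
    ("198.51.100.7", 2123, bytes.fromhex("3201000400000000" "00010000")),  # unknown peer
    ("192.0.2.10", 2123, bytes.fromhex("32010004deadbeef" "00010000")),  # TEID set
    ("192.0.2.11", 2123, bytes.fromhex("4801000400000000")),  # GTPv2, ignored
]


def run_sample() -> List[Tuple[str, int, str]]:
    return flag_unexpected_echo(SAMPLE_PACKETS, KNOWN_PEERS)
```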

Zoom & Google Meet Lures

Hackers are using fake Google Meet and Zoom sites to target Android and Windows users and distribute NjRAT malware.

Zoom Rooms, on the other hand, have a crucial weakness that can enable unauthorized individuals to take over meetings, resulting in penetration of the organization’s tenant account. 

Zoom is also grappling with security lapses that affect its customers. As a result, users were advised to upgrade their software to the most recent versions to address these security concerns. These events demonstrate the ongoing cyber risks related to popular online meeting platforms.

Linux Malware Attacking Apache, Docker, Redis & Confluence Servers

New Linux malware exploits misconfigurations and known vulnerabilities to target popular servers (Apache, Docker, Confluence, Redis) using Golang binaries. 

Attackers gain access, execute code, deploy a crypto miner, and create a reverse shell. Krasue RAT threatens Thai telecom companies with remote access and embedded rootkits. 

The Linux malware landscape includes CloudSnooper, Mirai, RansomExx, EvilGnome, GonnaCry, and Tycoon, posing diverse threats. Users were urged to prioritize system security with updates and vigilance.

Server Killers Alliances

This alliance illustrates the changing problems countries encounter when protecting digital assets, and underlines the importance of international cooperation. The alliance unites many hacker groups that typically operate apart but now show a high level of coordination.

This development shows how vital it is to share information and strengthen global collaboration in addressing the threats posed by such alliances.

Android Malware-as-a-Service: Coper

The Android malware-as-a-service “Coper” has evolved from a fake version of Bancolombia’s ‘Personas’ app into a present-day malware-as-a-service offering advanced features like keylogging, message interception, and screen control. 

This descendant of the Exobot malware family targets Colombian Android users by impersonating legitimate apps. The malware collects victim device information and sends updates to a C2 server that enables threat actors to control devices.

xStealer Malware

The xStealer malware has recently been introduced and is the latest step in a long line of developments. This software carries multiple complex functionalities that enable it to steal personal data efficiently, and hence poses serious risks to cyberspace. 

Ongoing updates and improvements keep xStealer among the leading information-stealing malware. Its appearance highlights how dynamic and fluid the cyber threat landscape is, stressing the importance of constantly watching for new dangers and continuously developing agile security frameworks.

WogRAT Malware

WogRAT is a highly sophisticated malware that targets Windows and Linux systems. It abuses the aNotepad service to store and distribute malicious code, using tricks to go unnoticed.

This malware can be very dangerous since it can exploit system resources and user privileges on popular operating systems. The Linux variant of WogRAT uses the ELF format, while Tiny Shell is used for command execution, thereby indicating its unique strategies for Linux systems.

CISA & FBI Releases TTPs & IOCs Used by Phobos Ransomware Group

The FBI, CISA, and MS-ISAC have issued a joint advisory as part of the #StopRansomware initiative to warn critical infrastructure organizations about the Phobos ransomware group.

Since May 2019, this ransomware-as-a-service (RaaS) has been targeting sectors like municipal and county governments, emergency services, education, and public healthcare. 

The advisory details Phobos ransomware tactics, indicators of compromise, and mitigation strategies to enhance defenses against this threat.

Cyber Attack

Russian Spies Hacked Microsoft Email Systems

In response to the theft of its source code, Microsoft has increased security and helped those affected by an attack from a Russian group of hackers known as “Midnight Blizzard,” who infiltrated its corporate email systems.

This breach, ongoing since November, is part of a continuing cyber-attack that is worrying because it demonstrates nation-state threats to technology infrastructures.

Microsoft disclosed this on March 8th, 2024. This highlights how serious this problem is and how the company is reacting proactively to overcome cybersecurity threats posed by such criminals.

CACTUS Hackers

Two companies were attacked by CACTUS hackers. The hackers took advantage of a recently published software vulnerability in their systems and launched ransomware that infected them within just one day. 

These networks were attacked simultaneously to gain unauthorized entry; remote access tools were introduced, desktops were encrypted, and the virtualization infrastructure behind multiple servers was targeted. 

The attackers showed remarkable coordination abilities, which enabled the expansion of the attack to ESXi and Hyper-V hosts. Because of this, the affected firms requested Bitdefender Labs for forensics help instead of giving money to cyber crooks.

Hackers Exploit WordPress Plugin Flaw to Deploy Godzilla Web Shell

The importance of proactive cybersecurity measures like software updates and robust access controls was highlighted by hackers who deployed Godzilla Web Shell by exploiting a flaw in a WordPress plugin.

These cases illustrate the dangers of vulnerabilities in popular plugins, with the flaws leading to attacks on over 200,000 and 300,000 websites.

Project DDoSia

Project DDoSia involves Russian hackers from the group “NoName057(16)” planning massive DDoS attacks, particularly targeting pro-Ukraine entities like NATO members. 

The group’s activities have heightened since the Ukraine conflict began, with a focus on disrupting online services through large-scale attacks. 

Despite the group’s ties possibly extending to the state, their operations continue to evolve with new features like enhanced encryption and collaboration with other hacktivist groups.

MacOS Malware Spread via Weaponized Calendar Invites

Hackers exploit email system vulnerabilities by using weaponized calendar invites to trick users into clicking on malicious links or downloading malware disguised as event attachments. 

This tactic leverages trust in calendar invitations to increase the success of phishing attacks and gain unauthorized access to sensitive information. 

Cybersecurity researchers have identified active exploitation of these weaponized calendar invites to install macOS malware, particularly targeting Mac users interested in cryptocurrency opportunities.

Active Password Cracking Attacks

PetSmart has warned of a surge in password-cracking attempts on its website, and has adopted precautionary measures even though no system breach occurred. 

The firm is aware that strong passwords are key to fighting online threat actors who could compromise customers’ accounts. As a result, it advises its clients to choose unique passwords and update them regularly. 

Hacked WordPress Sites Conducting Browser-Based Brute Force Attacks

In a recent attack, hacked WordPress sites were used to conduct distributed brute force attacks through the browsers of their visitors.

The malicious actors behind the attack hacked into websites and used them to target several thousand other sites: obtaining their URLs, extracting author usernames, injecting malicious scripts, trying different passwords until one succeeded, and then verifying the validated credentials.

This attack aimed to use legitimate visitors as weapons against WordPress websites, especially targeting Web3 and cryptocurrency assets.

New Python Infostealer Targeting Facebook Messenger Users

Facebook Messenger users are under attack from a new threat called “Python Infostealer,” which attempts to steal login details by cleverly abusing platforms like GitHub and GitLab for malicious activities. 

This malware operates through legitimate platforms such as messaging apps, thereby complicating its detection. The first stage involves Facebook Messenger messages that trick victims into downloading archived files. This triggers a two-stage infection process that has three different variants.

UAC-0050 Hacked Thousands Of Emails

The report on UAC-0050 reveals a significant cyber threat where threat actors from UAC-0050, also known as the DaVinci Group, have been targeting and hacking thousands of email addresses to launch malspam attacks. 

This group has been linked to Russian-speaking mercenary organizations and has targeted Ukrainian organizations since the 2022 Russian invasion.

TA4903 Hackers Spoofing U.S. Government Entities

TA4903 hackers have been detected targeting US government entities and companies to hijack staff access credentials using high-volume email campaigns. 

The cyber-criminals, who pose as both government agencies and private firms, focus mainly on the USA but also target other countries. They carry out their operations in various forms, such as stealing passwords through phishing, hacking mailboxes, and participating in business email compromise activities.

New Money Laundering Attack Targeting UPI Users

A new money laundering attack hits UPI users, exploiting convenience and weaker security. 

This malicious scheme uses the compromised accounts to funnel the funds to China through fraudulent channels.

.NET Framework & Visual Studio Flaw

A vulnerability, CVE-2023-36049, has been discovered in the Microsoft .NET Framework and Visual Studio, posing a significant threat to FTP servers by allowing attackers to write or delete files. 

This flaw arises from improper validation of user input when handling FTP commands, which can lead to data loss or unauthorized access.

Vulnerabilities

VMware Critical Flaws

VMware products such as ESXi, Workstation, and Fusion are exposed to remote code execution flaws, which the company patched after private disclosure. 

The specific vulnerabilities include use-after-free issues with USB controllers and out-of-bounds write bugs.

Gitlab Authorization Bypass Vulnerability

Among the critical vulnerabilities fixed in GitLab were an authorization bypass (CVE-2024-0199) and a privilege escalation (CVE-2024-1299). These flaws would allow an attacker to access protected variables and steal runner registration tokens.

For this reason, users are strongly advised to update to the latest versions for both CVE-2024-0199 (16.9.2, 16.8.4, 16.7.7) and CVE-2022-0735 (14.8.2, 14.7.4, 14.6.5). This mitigates these risks and maintains the security of data on GitLab servers as well as on databases hosted by GitLab itself, thereby strengthening the platform’s security posture.

Snort 2.9.8.3 and Snort 2.9.13.0 End of Life for Talos Rules

The end-of-life for Talos rules support has been announced for Snort versions 2.9.8.3 and 2.9.13.0, impacting users’ access to updates and security patches and potentially leaving systems vulnerable to new threats. 

Users of version 2.9.8.3 will no longer receive updates, while support for version 2.9.13.0 will cease around July 1, 2024.

Cisco Secure Client Flaw

The report discusses a Cisco Secure Client Flaw that allows attackers to trigger a CRLF Injection Attack. Cisco has addressed this vulnerability by releasing software updates. 

Versions earlier than 4.10.04065 are not vulnerable, while versions 4.10.04065 and later, including 5.0 and 5.1, are vulnerable. 

The first fixed release for affected versions is 4.10.08025, with specific fixes for version 5.0 and 5.1.

ArubaOS Security Flaw

ArubaOS has a security hole that allows remote code execution, leading to risks of sensitive information leakage and arbitrary file deletion. 

ArubaOS-Switches have multiple vulnerabilities, like command injections and memory corruptions, that range from low to high severity. 

Aruba Networks released patches for these vulnerabilities, stressing the need to update Mobility Controllers, Conductors, and Gateways with specific ArubaOS versions.

Foxit PDF Reader Flaw

Foxit Software has addressed critical security vulnerabilities in its Foxit PDF Reader and Foxit PDF Editor for Windows, including a Heap Buffer Overflow Remote Code Execution vulnerability and a Type Confusion Remote Code Execution vulnerability. 

These flaws could allow attackers to execute remote code on a user’s system. Users are advised to update to the latest versions, such as Foxit PDF Reader 2024.1 and Foxit PDF Editor 2024.1, to mitigate these risks and prevent potential cyber threats.

iOS 0-day

Hackers have exploited two zero-day vulnerabilities in iOS and iPadOS 17.4 versions, bypassing memory protections and performing arbitrary kernel read and write on affected devices. 

These vulnerabilities, assigned CVE-2024-23225 and CVE-2024-23296, have been patched by Apple in their recent security advisory. 

The company has issued updates to fix these vulnerabilities and warned of potential exploitation by threat actors.

Data Exposure

ChatGPT Credentials Up For Sale

The report “Hi-Tech Crime Trends 2023/2024” by Group-IB highlights a significant cybersecurity threat with over 225,000 compromised ChatGPT credentials being sold on dark web markets. 

It underscores the increasing collaboration between ransomware and Initial Access Brokers, leading to a surge in global cyber threats. 

Threat actors are exploiting AI technologies like ChatGPT to develop advanced malware, and there has been a substantial increase in ransomware attacks, with 4,583 companies affected.

Fidelity Investments Third-party Data Breach

More than thirty thousand individuals have been affected by a third-party data breach at Fidelity Investments Life Insurance Company, indicating possible security risks to customers’ data. 

This incident highlighted the exposure of individuals, especially when sensitive information like names, social security numbers and bank details is leaked during such breaches. 

Additionally, it shows the impact of third-party breaches as well as the need for strong cybersecurity systems to protect personal data. 

Other Stories

US court orders NSO to give Pegasus code to WhatsApp

WhatsApp has taken legal action against NSO Group, alleging that the Pegasus spyware infected 1,400 devices, including those of journalists and activists, through a WhatsApp vulnerability. 

The US court has ordered NSO Group to disclose the spyware code related to the alleged attacks from April 2018 to May 2020, allowing WhatsApp to understand the vulnerability and enhance its defense mechanisms.

Seven Pillars Of Zero Trust

The NSA has detailed the Zero Trust framework’s seven pillars, including User, Device, Network & Environment, Data, Application & Workload, Automation & Orchestration, and Visibility & Analytics. 

These pillars provide extensive network security through capabilities such as Data flow mapping, Macro segmentation, Micro-segmentation, and Software-Defined Networking.

Ex-Google Engineer Arrested

Former Google engineer Linwei Ding has been arrested for stealing secrets about AI technology. 

Leon Ding, also known as Linwei Ding, was indicted for illegally transferring Google’s trade secret information into his personal email account while working with Chinese companies involved in the artificial intelligence business. 

This case shows how important it is to protect intellectual property rights in the technology industry, particularly when it comes to areas like AI that are considered strategic.

Surge In Malicious Emails

According to the 2024 Annual State of Email Security report by Cofense, there has been a massive surge in malicious emails that evade Secure Email Gateways (SEGs), and one such malicious email bypasses SEGs every minute. 

The number of cyber-attacks on businesses has grown by 310% since 2022, a 67% rise over the previous year, mainly as a result of credential phishing attacks. 

Besides this, the emerging threats comprise QR code-related threats, growing by 331%, and Google AMP emails that escape SEGs, increasing significantly by 1,092%.

Aviation Risk Identification And Assessment Software Program

Along with MIT, MITRE Corporation recently unveiled the Aviation Risk Identification and Assessment (ARIA) software program.

By supplying comprehensive risk identification and assessment as well as real-time insights into the location of aircraft, ARIA is a helpful tool for improving aviation safety and efficiency.

Nigerian National Pleads Guilty For Hacking Business & Individual Emails

A Nigerian national, Echefu, has pleaded guilty to involvement in a business email compromise scheme, managing over $22,000 of fraudulently obtained money. 

He agreed to a plea deal requiring a restitution payment of at least $199,929 to victims and a separate money judgment of $22,187.35. 

This case highlights the ongoing issue of cybercrime and the legal consequences individuals face for engaging in fraudulent activities.

FBI Releases Internet Crime Report for 2023

The FBI has unveiled a report on Internet Crime for the year 2023, which shows that cybercrime losses have increased by 22% in comparison to 2022, amounting to over $12.5 billion.

According to the report, cyber criminals are becoming more sophisticated in their use of digital vulnerabilities with the Internet Crime Complaint Center receiving 880,418 complaints from Americans in 2023, an all-time high.

Complaints about ransomware incidents rose by 18%, while reported losses climbed by as much as 74%, from $34.3 million the previous year to $59.6 million. The FBI emphasized the importance of public reporting in fighting cybercrime and framed cybersecurity as a shared responsibility of the Bureau and the American people.

Work done by a Team Of Security Experts from Cyber Writes (www.cyberwrites.com) - World’s First Dedicated Content-as-a-Service (CaaS) Platform for Cybersecurity. For Exclusive Cyber Security Contents, Reach at: [email protected]