CyberSecurity Newsletter 13th October 2024
In this week’s news: OpenAI used by APT groups, F5 BIG-IP warning, MoneyGram hacked, Apple Text to Speech has a remote code execution vulnerability, Veeam Backup & Replication vulnerability exploited by APT groups, The Internet Archive disclosed a data breach, OilRig Exploits Windows Kernel Flaw in Espionage Campaign, GitLab issued updates for CE and EE, FBI Creates Fake Cryptocurrency, and a newly discovered deepfake tool, ProKYC, used to bypass two-factor authentication.
OpenAI has disrupted over 20 malicious cyber operations that abused its AI-powered chatbot, ChatGPT, to debug and develop malware, spread misinformation, evade detection, and conduct spear-phishing attacks. The report, which covers operations since the beginning of the year, is the first official confirmation that mainstream generative AI tools are being used to enhance offensive cyber operations:
https://www.bleepingcomputer.com/news/security/openai-confirms-threat-actors-use-chatgpt-to-write-malware/
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that it has observed threat actors leveraging unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) module to conduct reconnaissance of target networks. It said the module is being used to enumerate other non-internet-facing devices on the network. The agency, however, did not disclose who is behind the activity or what the end goals of the campaign are:
https://thehackernews.com/2024/10/cisa-warns-of-threat-actors-exploiting.html
OS command injection in the macOS Text-To-Speech class in significant-gravitas/Autogpt:
https://huntr.com/bounties/4e742624-8771-4f3c-9634-3eaf33d6d58e
U.S. money transfer giant MoneyGram has confirmed that hackers stole its customers’ personal information and transaction data during a cyberattack last month:
https://techcrunch.com/2024/10/07/moneygram-says-hackers-stole-customers-personal-information-and-transaction-data/
A vulnerability was found in D-Link DIR-619L B1 2.06 and classified as critical. Affected by this issue is the function formEasySetTimezone of the file /goform/formEasySetTimezone. The manipulation of the argument curTime leads to a buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used:
https://github.com/dylvie/CVE-2024-9570_D-Link-DIR-619L-bof
Microsoft has officially deprecated the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) in future versions of Windows Server, recommending that admins switch to different protocols that offer increased security:
https://www.bleepingcomputer.com/news/microsoft/microsoft-deprecates-pptp-and-l2tp-vpn-protocols-in-windows-server/
Sophos researchers warn that ransomware operators are exploiting the critical code execution vulnerability CVE-2024-40711 in Veeam Backup & Replication to create rogue accounts and deploy malware:
https://securityaffairs.com/169679/cyber-crime/ransomware-groups-exploit-veeam-backup-replication-bug.html
FBI Creates Fake Cryptocurrency to Expose Widespread Crypto Market Manipulation. The U.S. Department of Justice (DoJ) has announced arrests and charges against several individuals and entities for allegedly manipulating digital asset markets as part of a widespread fraud operation. The law enforcement action – codenamed Operation Token Mirrors – is the result of the U.S. Federal Bureau of Investigation (FBI) taking the "unprecedented step" of creating its own cryptocurrency token and company called NexFundAI:
https://thehackernews.com/2024/10/fbi-creates-fake-cryptocurrency-to.html
American Water, the largest regulated water and wastewater utility company in the US, is now reconnecting its infrastructures after taking its systems offline due to a cybersecurity incident it reported on Oct. 7:
https://www.darkreading.com/cyberattacks-data-breaches/american-water-reconnects-network-taps-cyber-incident
GitLab released security updates for Community Edition (CE) and Enterprise Edition (EE) to address multiple vulnerabilities, including a critical bug, tracked as CVE-2024-9164 (CVSS score of 9.6), that allows CI/CD pipeline runs on unauthorized branches:
https://securityaffairs.com/169671/security/gitlab-fixed-critical-flaw-cve-2024-9164.html
A new tax-themed malware campaign targeting insurance and finance sectors has been observed leveraging GitHub links in phishing email messages as a way to bypass security measures and deliver Remcos RAT, indicating that the method is gaining traction among threat actors:
https://thehackernews.com/2024/10/github-telegram-bots-and-qr-codes.html
Casio now confirms it suffered a ransomware attack earlier this month, warning that the personal and confidential data of employees, job candidates, and some customers was also stolen:
https://www.bleepingcomputer.com/news/security/casio-confirms-customer-data-stolen-in-a-ransomware-attack/
Ransomware gangs now exploit a critical security vulnerability that lets attackers gain remote code execution (RCE) on vulnerable Veeam Backup & Replication (VBR) servers. Code White security researcher Florian Hauser found that the security flaw, now tracked as CVE-2024-40711, is caused by a deserialization-of-untrusted-data weakness that unauthenticated threat actors can exploit in low-complexity attacks:
https://www.bleepingcomputer.com/news/security/akira-and-fog-ransomware-now-exploiting-critical-veeam-rce-flaw/
The Internet Archive disclosed a data breach; the security incident impacted more than 31 million users of its Wayback Machine:
https://securityaffairs.com/169643/data-breach/internet-archive-disclosed-a-data-breach.html
The Iranian state-sponsored hacking group APT34, aka OilRig, has recently escalated its activities with new campaigns targeting government and critical infrastructure entities in the United Arab Emirates and the Gulf region. In these attacks, spotted by Trend Micro researchers, OilRig deployed a novel backdoor targeting Microsoft Exchange servers to steal credentials, and also exploited the Windows CVE-2024-30088 flaw to elevate its privileges on compromised devices:
https://www.bleepingcomputer.com/news/security/oilrig-hackers-now-exploit-windows-flaw-to-elevate-privileges/
U.S. and U.K. cyber agencies warn that Russia-linked group APT29 is targeting vulnerable Zimbra and JetBrains TeamCity servers on a large scale:
https://securityaffairs.com/169708/apt/apt29-target-zimbra-and-jetbrains-teamcity.html
Researchers recently disclosed six new security vulnerabilities across various software, including one critical memory corruption vulnerability in Foxit PDF Reader, a widely used alternative to Adobe Acrobat, that could let attackers execute arbitrary code on the targeted machine:
https://gbhackers.com/foxit-pdf-vulnerability-code-execution/
Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication on cryptocurrency exchanges:
https://gbhackers.com/prokyc-bypasses-2fa/