CyberSecurity Newsletter 18th March 2024
In this week’s news: a GitLab vulnerability allows auth bypass, an acoustic attack that listens to typing, a critical RCE in Jenkins, a directory traversal vuln in a Python library, 70M records from AT&T leaked, SpaceX is building a spy satellite network, Cisco has new vulns, and a darknet market extorts its vendors and buyers.
GitLab fixed two vulnerabilities on 06/03/2024, including a high-severity vulnerability that could allow attackers to bypass authorisation. An attacker could utilise a crafted payload in an old feature branch to perform malicious actions:
https://cert.be/en/advisory/warning-high-severity-vulnerability-gitlab
StopCrypt, the most common ransomware family of 2023, has a new variant leveraging more advanced evasion tactics. StopCrypt, also known as STOP/DJVU, surpassed the LockBit ransomware family in detections in 2023, according to Trend Micro’s 2023 Annual Cybersecurity Report published last week. STOP typically targets smaller targets with an average ransom payment size of $619 in the first half of 2023, according to a mid-year report by Chainalysis:
https://www.scmagazine.com/news/stop-ransomware-more-common-than-lockbit-gains-stealthier-variant
The U.S. Department of Justice (DoJ) is recovering $2.3 million worth of cryptocurrency linked to a "pig butchering" fraud scheme that victimized at least 37 people across the United States. Pig butchering is a social engineering scam where fraudsters contact people (the "Pigs") on social media and messaging platforms to build trust:
https://www.bleepingcomputer.com/news/cryptocurrency/us-moves-to-recover-23-million-from-pig-butchers-on-binance/
North Korea-linked Lazarus APT group allegedly using again the mixer platform Tornado Cash to launder $23 million:
https://securityaffairs.com/160525/breaking-news/lazarus-apt-returned-tornado-cash.html
Researchers have demonstrated a new acoustic side-channel attack on keyboards that can deduce user input based on their typing patterns, even in poor conditions, such as environments with noise.
Though the method achieves an average success rate of 43%, which is significantly lower than other methods presented in the past, it does not require controlled recording conditions or a specific typing platform:
https://www.bleepingcomputer.com/news/security/new-acoustic-attack-determines-keystrokes-from-typing-patterns/
Interview with NoSQLBandit: The Marketplace for Compromised Account Creds:
https://coderoasis.com/interview-with-nosqlbandit-from-fedcreds/
Cyber threat actors are actively targeting Jenkins, a Java-based open-source automation server widely used by application developers. The critical vulnerability tracked as CVE-2024-23897 could enable remote code execution (RCE) potentially leading to unauthorised access and data compromise. Exploiting this vulnerability allows attackers to read any files on the Jenkins controller file system:
https://fortiguard.fortinet.com/threat-signal-report/5401
McDonald’s denies cyber attack as stores go down globally:
https://www.thenewdaily.com.au/life/eat-drink/2024/03/16/mcdonald-denies-cyber-attack-as-stores-go-down-globally
The Change Healthcare breach continues to impact the healthcare industry throughout the U.S., Lisa Plaggemier, Executive Director of the National Cybersecurity Alliance (NCA), tells Digital Journal about the lessons learned for healthcare companies, consumers, and the government:
https://www.digitaljournal.com/tech-science/change-healthcare-incident-sends-a-reminder-about-the-importance-of-tech-investment/article
Pro-Palestinian hackers calling themselves “Handala Hack” claim to have accessed 740GB of data from the messaging app Viber, including source code – Viber denies the breach but is investigating – Users are advised to change passwords:
https://www.hackread.com/hackers-claim-740gb-of-data-viber-messaging-app/
Vulnerability in 16.5K+ VMware ESXi Instances Let Attackers Execute Code:
https://gbhackers.com/vmware-esxi-vulnerability/
The notorious hacking group BianLian, known for its sophisticated cyber attacks, has shifted its focus to extortion-only operations following the release of a decryptor by Avast in January 2023:
https://cybersecuritynews.com/bianlian-hackers-exploiting-teamcity-servers/
NSA and CISA jointly released “Top 10 Cloud Security Mitigation Strategies” to advise cloud users on critical security practices for migrating data. The National Security Agency outlines ten essential strategies to improve cloud security posture, each explained in a separate cybersecurity information sheet:
https://cybersecuritynews.com/cloud-security-mitigation-strategies/
United States Senator Ron Wyden warned and notified the Director of the National Counterintelligence and Security Center (NCSC), Michael C. Casey, that Chinese hackers are actively backdooring digital locks to steal sensitive data:
https://cybersecuritynews.com/chinese-hackers-digital-locks-data-theft/
A new vulnerability, CVE-2023-5528, has been discovered in Kubernetes. It is a command injection flaw that leads to remote code execution with SYSTEM-level privileges on the compromised Windows node. Its severity has been rated 7.2:
https://gbhackers.com/kubernetes-vulnerability-full-system-control/
The ransomware actor 'ShadowSyndicate' was observed scanning for servers vulnerable to CVE-2024-23334, a directory traversal vulnerability in the aiohttp Python library. Aiohttp is an open-source library built on top of Python's asynchronous I/O framework, Asyncio, to handle large amounts of concurrent HTTP requests without traditional thread-based networking:
https://www.bleepingcomputer.com/news/security/hackers-exploit-aiohttp-bug-to-find-vulnerable-networks/
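Directory traversal in a static-file handler is the class of defect the aiohttp item above refers to. The following is an added example, not code from the newsletter or from the aiohttp project: a minimal path-confinement check for a static root, run against a constructed sample tree, with a flag that disables the containment check so the safe and unsafe behaviour can be compared side by side.

```python
from pathlib import Path
from urllib.parse import unquote
import tempfile


def resolve_static_path(root, url_path, check_containment=True):
    """Map a URL path to a file under root; return None if it escapes root.

    check_containment=False reproduces the unsafe pattern (path resolved,
    but never verified to lie inside the root) for comparison only.
    """
    root_dir = Path(root).resolve()
    # Decode percent-encoding once so "%2e%2e" is seen as ".." before joining.
    relative = unquote(url_path).lstrip("/")
    # resolve() collapses ".." components and follows symlinks, so the
    # containment test below sees the real on-disk location.
    target = (root_dir / relative).resolve()
    if check_containment and target != root_dir and root_dir not in target.parents:
        return None
    return target if target.is_file() else None


def build_demo_root():
    """Constructed sample tree (hypothetical layout, created in a temp dir):
    base/static/index.html     -> legitimate asset inside the web root
    base/secret.txt            -> file outside the web root
    base/static/escape -> base -> symlink that points outside the root
    """
    base = Path(tempfile.mkdtemp())
    root = base / "static"
    root.mkdir()
    (root / "index.html").write_text("<h1>ok</h1>")
    (base / "secret.txt").write_text("outside the web root")
    (root / "escape").symlink_to(base)
    return root


def run_probes():
    """For each request path: (served with check, served without check)."""
    root = build_demo_root()
    probes = ("/index.html", "/../secret.txt", "/%2e%2e/secret.txt", "/escape/secret.txt")
    return {
        p: (
            resolve_static_path(root, p) is not None,
            resolve_static_path(root, p, check_containment=False) is not None,
        )
        for p in probes
    }
```

Only the legitimate asset is served with the check in place; the plain, percent-encoded and symlink-based escapes are all refused, while the unchecked variant serves every one of them.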
Threat actors leaked 70,000,000+ records allegedly stolen from AT&T. Researchers at vx-underground first noticed that more than 70,000,000 records from AT&T were leaked on the Breached hacking forum:
https://securityaffairs.com/160627/data-breach/70m-att-records-leaked.html
Fortinet’s FortiGuard Labs recently uncovered a new cybersecurity threat: malware dubbed “Vcurms.” The attackers behind Vcurms have employed sophisticated tactics, using email as their command and control channel and leveraging public services such as AWS and GitHub to store the malicious software:
https://www.hackread.com/vcurms-malware-browsers-for-data-theft/
Banks are under pressure to stump up millions of pounds in interim funding for the organisation that polices open banking, with regulators saying the new money is needed to prevent financial crime and protect consumers if things “go wrong”:
https://www.theguardian.com/business/2024/mar/17/millions-more-needed-fund-uk-open-banking-watchdog
PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilises anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a dropper. Operating together, these two apps communicate to execute the fraud. So far, IBM Trusteer researchers have observed this malware attacking banks in Brazil:
https://securityintelligence.com/posts/pixpirate-brazilian-financial-malware/
French government agencies hit by cyberattacks of ‘unprecedented intensity’. The French government said the attack was “conducted using familiar technical means but of unprecedented intensity.” DDoS attacks cannot steal information, although they can prevent people from accessing a network resource because they flood the servers with junk requests:
https://therecord.media/france-government-ddos-incident
A new variant of StopCrypt ransomware has been discovered. It executes multi-stage shellcodes before launching a final payload containing the file encryption code. This malware uses several techniques, such as detection evasion, a time-delaying loop of 600 million iterations, and several other mechanisms. Moreover, the ransomware also uses scheduled tasks for its payload execution, with command-line arguments executed every five minutes:
https://gbhackers.com/stopcrypt-ransomware/
The first-ever head of the Pentagon's Chief Digital and Artificial Intelligence Office is stepping down from his post in April after building the newly created division into a highly influential component of the department and its operations:
https://www.govinfosecurity.com/pentagon-appoints-new-chief-artificial-intelligence-officer-a-24619
SpaceX is building a network of hundreds of spy satellites under a classified contract with a US intelligence agency, five sources familiar with the program said, demonstrating deepening ties between billionaire entrepreneur Elon Musk's space company and national security agencies:
https://www.itnews.com.au/news/spacex-is-building-spy-satellite-network-for-us-intelligence-agency-606177
Cybersecurity researchers discovered multiple GitHub repositories hosting cracked software that are used to drop the RisePro info-stealer:
https://securityaffairs.com/160596/hacking/risepro-info-stealer-targets-github-users.html
Enterprises across the United States and Europe are on high alert as a new ransomware strain, dubbed “DoNex,” has been actively compromising companies and claiming victims:
https://gbhackers.com/donex-ransomware-observed/
Cisco on Wednesday announced patches for multiple vulnerabilities in IOS XR software, including three high-severity flaws leading to denial-of-service (DoS) and elevation of privilege:
https://www.securityweek.com/cisco-patches-high-severity-ios-rx-vulnerabilities/
QNAP recently addressed three vulnerabilities affecting their QTS, QuTS hero, QuTScloud, and myQNAPcloud products. One of these vulnerabilities is of critical severity, marking a concerning development in the vulnerability landscape:
https://socradar.io/critical-vulnerability-in-qnap-poc-exploit-for-outlook/
Incognito Market has begun extorting all of its vendors and buyers, threatening to publish cryptocurrency transactions and chat records of users who refuse to pay a fee ranging from $100 to $20,000:
https://krebsonsecurity.com/2024/03/incognito-darknet-market-mass-extorts-buyers-sellers/
A co-administrator of an illicit online marketplace received a 42-month prison sentence in U.S. federal court after pleading guilty to two criminal counts that could have put him in prison for 15 years:
https://www.bankinfosecurity.com/illicit-credentials-marketplace-admin-gets-42-month-sentence-a-24620
In a sophisticated cyberattack campaign, malicious actors impersonating Colombian government agencies target individuals across Latin America. The attackers are distributing emails containing PDF attachments, falsely accusing recipients of traffic violations or other legal infractions:
https://gbhackers.com/hackers-trick-users-to-install-malware-via-weaponized-pdf/