CyberSecurity Newsletter 20th May 2024:
In this week’s news: CIS Controls mappings are now easier to use, two healthcare attacks, a massive hack of an Asian telecom, FortiGate remote code execution, HCL BigFix vulnerabilities, and North Korea uses a new Linux backdoor.
CIS has made the controls mappings easier to use:
https://www.cisecurity.org/insights/blog/3-ways-weve-made-the-cis-controls-more-automation-friendly
WebTPA is a third-party administrator that provides healthcare management and administrative services. The US company disclosed a data breach that impacted almost 2.5 million people:
https://securityaffairs.com/163403/data-breach/webtpa-data-breach.html
In a startling revelation, a hacker known as "kiberphant0m" has claimed responsibility for breaching a major Asian telecom company with annual revenues exceeding $5 billion. This breach, described as one of the largest and most damaging in recent history, has exposed a wealth of sensitive data and granted unprecedented access to the company's internal network:
https://foresiet.com/blog/major-cybersecurity-breach-of-a-leading-asian-telecom-company-an-unprecedented-data-heist
Ascension confirms ransomware attack as systems remain down. The major nonprofit does not yet have a timeline for restoring its computer systems, which were taken offline following the attack last week:
https://www.healthcaredive.com/news/ascension-cybersecurity-emergency-diversion-ehr-down/715762/
Symantec researchers observed the North Korea-linked group Kimsuky using a new Linux backdoor dubbed Gomir. The malware is a version of the GoBear backdoor, which was delivered in a recent campaign by Kimsuky via Trojanized software installation packages:
https://securityaffairs.com/163364/apt/kimsuky-new-linux-backdoor.html
FortiGate RCE with CVE-2024-21762. Fortinet released an advisory for an "out-of-bounds write vulnerability" that could lead to remote code execution:
https://www.assetnote.io/resources/research/two-bytes-is-plenty-fortigate-rce-with-cve-2024-21762
Companies are always looking for an edge, and searching for ways to encourage their employees to innovate. One way to do that is by running an internal hackathon around a theme and having employees attack a problem together:
https://techcrunch.com/2024/05/19/why-companies-are-turning-to-internal-hackathons/
Microsoft has said that all Azure users will have to use multi-factor authentication (MFA) starting in July. This is a big step towards making the cloud safer, and it is part of a broader effort by Microsoft to improve security and keep company data and cloud investments secure:
https://cybersecuritynews.com/multi-factor-authentication-for-azure-users/
Soon, Your Bank Will Have to Tell You About Any Data Breaches Within 30 Days. The SEC rules update impacts broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents:
https://www.pcmag.com/news/soon-your-bank-will-have-to-tell-you-about-any-data-breaches-within-30
Proofpoint has found a new operation using the SugarGh0st Remote Access Trojan (RAT) that is going after AI research organisations in the United States:
https://cybersecuritynews.com/sugargh0st-rat-attacks/
MITRE Releases EMB3D Cybersecurity Threat Model for Embedded Devices:
https://gbhackers.com/emb3d-cybersecurity-threat-model/
Chinese Nationals Arrested for Laundering $73 Million in Pig Butchering Crypto Scam:
https://thehackernews.com/2024/05/chinese-nationals-arrested-for.html
CVE-2024-20353: A vulnerability in the management and VPN web servers for Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, resulting in a denial of service (DoS) condition:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
1000 exploitable cybersecurity vulnerabilities that MITRE & NIST ‘might’ have missed but China or Russia didn’t:
https://blog.arpsyndicate.io/over-a-1000-vulnerabilities-that-mitre-nist-might-have-missed-but-china-or-russia-did-not-871b2364a526
HCL BigFix Platform has addressed insufficiently protected credentials (CVE-2024-23583), Cross-site Request Forgery (CSRF) (CVE-2024-23554), failure to restrict SSL/TLS renegotiation (CVE-2024-23556), and cURL (CVE-2024-0853) security vulnerabilities:
https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0113140
Type Confusion in V8 in Google Chrome before 125.0.6422.60 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page:
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_15.html
CVE-2023-7028: An issue has been discovered in GitLab CE/EE, in which user account password reset emails could be delivered to an unverified email address:
https://github.com/V1lu0/CVE-2023-7028
OmniVision Technologies has officially acknowledged a data breach resulting from a ransomware attack conducted by the Cactus group last year. Impacted individuals have just received notices outlining steps for protecting their personal information and enrolling in complimentary credit monitoring services:
https://cyberinsider.com/omnivision-admits-data-breach-following-cactus-ransomware-attack/
The threat actors behind the Windows-based Grandoreiro banking trojan have returned in a global campaign since March 2024 following a law enforcement takedown in January. The large-scale phishing attacks, likely facilitated by other cybercriminals via a malware-as-a-service (MaaS) model, target over 1,500 banks across the world:
https://thehackernews.com/2024/05/grandoreiro-banking-trojan-resurfaces.html
In April 2024, security researchers revisited CVE-2023-36033, a Windows DWM Core Library elevation of privilege vulnerability that was previously discovered and exploited in the wild:
https://gbhackers.com/qakbot-exploiting-windows-zero-day/
Attackers launched a campaign distributing trojanized installers for WinSCP and PuTTY in early March 2024: clicking malicious ads shown after searching for the software leads to downloads containing a renamed pythonw.exe that loads a malicious DLL:
https://gbhackers.com/weaponized-winscp-putty/
A new report from cybersecurity researchers at ESET has uncovered a massive botnet comprised of over 400,000 compromised Linux servers being used for cryptocurrency theft and other illicit financial gain:
https://cybersecuritynews.com/400k-linux-servers-hacked/
An analysis of National Security Memorandum 22 (NSM-22), signed by U.S. President Joe Biden, which prioritises bolstering the security and resilience of the nation’s critical infrastructure:
https://industrialcyber.co/features/slicing-through-bidens-nsm-22-amidst-ongoing-need-to-shore-up-critical-infrastructure-security-and-resilience/
LATRODECTUS Loader Getting Popular Among Cybercriminals, Is It Replacing ICEDID? Hackers use loaders to bypass security measures and run harmful code inside the memory of a genuine process. This makes it possible for malware payloads to be quietly loaded onto the system without being discovered:
https://cybersecuritynews.com/latrodectus-loader-rising-threat/
Hackers Exploiting Docusign With Phishing Attack To Steal Credentials:
https://gbhackers.com/docusign-phishing-credential-theft/
Hackers Exploiting MS-SQL Servers To Deploy Mallox Ransomware:
https://cybersecuritynews.com/exploit-ms-sql-mallox-ransomware/
The banking trojan "Grandoreiro" is spreading in a large-scale phishing campaign in over 60 countries, targeting customer accounts of roughly 1,500 banks:
https://www.bleepingcomputer.com/news/security/banking-malware-grandoreiro-returns-after-police-disruption/
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added three security vulnerabilities to its 'Known Exploited Vulnerabilities' catalogue, one impacting Google Chrome and two affecting some D-Link routers:
https://www.bleepingcomputer.com/news/security/cisa-warns-of-hackers-exploiting-chrome-eol-d-link-bugs/