CyberSecurity Newsletter 22nd January 2024
In this week's news: an Ivanti VPN CVE that should be urgently patched; a nation-state attack on Microsoft; CISA and the FBI warn about threats to critical infrastructure from drones; APT groups focusing on VMware and FortiGate vulnerabilities; a widespread phishing campaign on Facebook; a new Outlook vulnerability that can be used to extract NTLMv2 hashes; and the SmartScreen vulnerability in Microsoft Defender, which still needs attention.
Microsoft's security team detected a nation-state attack on its corporate systems on January 12, 2024, and immediately activated its response process to investigate, disrupt the malicious activity, mitigate the attack, and deny the threat actor further access. Microsoft has identified the threat actor as Midnight Blizzard, the Russian state-sponsored actor also known as Nobelium: https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
Ransomware tracker: The latest figures [January 2024]: https://therecord.media/ransomware-tracker-the-latest-figures
The Cybersecurity and Infrastructure Security Agency and the FBI are warning about potential threats from Chinese-made drones on critical infrastructure. In new guidance issued Wednesday, CISA and the FBI cautioned that Beijing could use drones to obtain sensitive information from critical infrastructure sites. The guidance is meant to assist critical infrastructure owners and operators to reduce the risk from those drones, and it encourages buying from U.S. companies: https://cyberscoop.com/cisa-drone-critical-infrastructure-warning/
An advanced China-nexus cyber-espionage group has been linked to the abuse of a critical vulnerability in VMware vCenter Server as a zero-day since late 2021. CVE-2023-34048 (CVSS score: 9.8) is an out-of-bounds write that a malicious actor with network access to vCenter Server could use to achieve remote code execution: https://thehackernews.com/2024/01/chinese-hackers-silently-weaponized.html
Healthtech firm's cyberattack victim list keeps growing. Health management solution company HealthEC LLC disclosed that a data breach in July 2023 impacted nearly 4.5 million individuals. The company provides population health management (PHM) platforms to healthcare service providers and state-level systems nationwide: https://www.digitaljournal.com/business/healthtech-firms-cyberattack-victim-list-keeps-growing/article
A widespread Facebook phishing campaign stating, "I can't believe he is gone. I'm gonna miss him so much," leads unsuspecting users to a website that steals their Facebook credentials. This phishing attack is ongoing and spreading widely on Facebook through friends' hacked accounts, as the threat actors build a massive army of stolen funds for use in further scams on the social media platform: https://www.bleepingcomputer.com/news/security/watch-out-for-i-cant-believe-he-is-gone-facebook-phishing-posts/
CVE-2023-6548, CVE-2023-6549: Zero-Day Vulnerabilities Exploited in Citrix NetScaler ADC and NetScaler Gateway: https://www.tenable.com/blog/cve-2023-6548-cve-2023-6549-zero-day-vulnerabilities-netscaler-adc-gateway-exploited
Users exposing poorly secured PostgreSQL and MySQL servers online are in danger of getting their databases wiped by a ransomware bot, according to Border0: https://www.helpnetsecurity.com/2024/01/18/postgresql-mysql-ransomware-bot/
How a Novel Legal Maneuver Got a Hospital's Stolen Data Back: https://www.govinfosecurity.com/interviews/how-novel-legal-maneuver-got-hospitals-stolen-data-back-i-5347
Several orgs compromised via Ivanti VPN zero-days. Two zero-day bugs in Ivanti products were likely under attack by cyberspies as early as December. This situation is especially worrisome because neither flaw has a patch — Ivanti hopes to start rolling those out the week of January 22 in a staggered fashion and, in the meantime, urges customers to "immediately" deploy mitigations: https://www.theregister.com/2024/01/13/ivanti_zeroday_mandiant_analysis/
The financially motivated hacking group Octo Tempest, responsible for attacking MGM Resorts International and Caesars Entertainment in September, has been branded "one of the most dangerous financial criminal groups" by Microsoft's Incident Response and Threat Intelligence team. The group gains initial access through advanced social engineering techniques, often targeting employees with access to network permissions, including support and help desk personnel. The attackers call these individuals and attempt to persuade them to reset user passwords, change or add authentication tokens, or install a remote monitoring and management (RMM) utility: https://www.darkreading.com/threat-intelligence/octo-tempest-group-threatens-physical-violence-social-engineering-tactic
A new Outlook vulnerability that can be used to extract NTLMv2 hashes by exploiting Outlook, Windows Performance Analyzer (WPA), and Windows File Explorer has been identified: https://gbhackers.com/outlook-flaw-hashed-passwords/
A federal judge sentenced "Pompompurin," the administrator of a now-defunct data breach marketplace, to 20 years of supervised release. The Peekskill, N.Y. man avoided a recommended 15-year prison sentence for his role in BreachForums: https://www.bankinfosecurity.com/breachforums-admin-avoids-prison-term-a-24153
Bluetooth vulnerabilities in Android, Linux, macOS, iOS, and Windows are critical as hackers could exploit them to gain unauthorised access to the vulnerable devices. Such flaws in Bluetooth protocols enable the threat actors to steal sensitive data, eavesdrop on communications, and execute malicious actions: https://cybersecuritynews.com/bluetooth-flaw-hackers-takeover/
Finnish IT services and enterprise cloud hosting provider Tietoevry has suffered a ransomware attack impacting cloud hosting customers in one of its data centres in Sweden, with the attack reportedly conducted by the Akira ransomware gang: https://www.bleepingcomputer.com/news/security/tietoevry-ransomware-attack-causes-outages-for-swedish-firms-cities/
Inside the Massive Naz.API Credential Stuffing List: https://www.troyhunt.com/inside-the-massive-naz-api-credential-stuffing-list/
The LockBit ransomware gang claimed to have hacked Subway, the American multinational fast food restaurant franchise: https://securityaffairs.com/157852/cyber-crime/lockbit-hacked-sandwich-chain-subway.html
A Phemedrone information-stealing malware campaign exploits a Microsoft Defender SmartScreen vulnerability (CVE-2023-36025) to bypass Windows security prompts when opening URL files. Phemedrone is a new open-source info-stealer malware that harvests data stored in web browsers, cryptocurrency wallets, and software like Discord, Steam, and Telegram. This data is then sent back to the attackers to be used in other malicious activities or to be sold to other threat actors: https://www.bleepingcomputer.com/news/security/windows-smartscreen-flaw-exploited-to-drop-phemedrone-malware/
AhnLab Security Intelligence Center (ASEC) discovered that multiple SmokeLoader malware strains are being distributed to the Ukrainian government and companies. The number of attacks targeting Ukraine has increased recently. The targets confirmed so far include the Ukrainian Department of Justice, public institutions, insurance companies, medical institutions, construction companies, and manufacturing companies: https://malware.news/t/distribution-of-smokeloader-targeting-ukrainian-government-and-companies/77832
Cybersecurity Startup Funding Hits 5-Year Low, Drops 50% From 2022: https://news.crunchbase.com/cybersecurity/funding-drops-eoy-2023/
Ligolo-mp: a multiplayer tunnelling tool for pen testers. Multiple pen testers can share one tunnel to an internal network: https://github.com/ttpreport/ligolo-mp
Security researchers analysing the activity of the recently emerged 3 AM ransomware operation uncovered close connections with infamous groups, such as the Conti syndicate and the Royal ransomware gang: https://www.bleepingcomputer.com/news/security/researchers-link-3am-ransomware-to-conti-royal-cybercrime-gangs/