
BagheeraAltered's CyberSecurity Newsletter

April 29, 2024

Cybersecurity Newsletter 29th April 2024



In this week’s news: UNICEF breached, US Post Office phishing sites get more traffic than the real one, a venture capitalists’ ranking leaked, a Citrix privilege-escalation vulnerability, Microsoft reports OpenMetadata vulnerabilities exploited on Kubernetes, MS-DOS 4.00 gets open-sourced, and a seven-year-old Microsoft Office bug gets used to drop Cobalt Strike C2.


Threat actor 888 has allegedly breached UNICEF; the breach, dated April 2024, includes data from 11 countries:
https://twitter.com/DarkWebInformer/status/1784212971251487120#m


US Post Office phishing sites get as much traffic as the real one:
https://www.bleepingcomputer.com/news/security/us-post-office-phishing-sites-get-as-much-traffic-as-the-real-one/


KageNoHitobito Ransomware Attacking Windows Users Around the Globe:
https://gbhackers.com/kagenohitobito-ransomware-attacking/


Venture capital investors have ranked each other in a private survey, the leaked results are on Newcomer.


Sequoia, Founders Fund, USV, Elad Gil & Benchmark Top Venture Manager Survey

I got my hands on a VC scorecard circulating among top founders & VCs


Ex-NSA hacker and ex-Apple researcher launch startup to protect Apple devices:
https://techcrunch.com/2024/04/25/ex-nsa-ex-apple-researcher-doubleyou/


Citrix UberAgent Vulnerability Allows Attackers To Escalate Privileges:
https://cybersecuritynews.com/citrix-uberagent-privilege-escalation/


VMware ESXi Shell Service Exploit on Hacking Forums:
https://gbhackers.com/vmware-esxi-shell-service-exploit/


Ten years ago, Microsoft released the source for MS-DOS 1.25 and 2.0 to the Computer History Museum and later republished it for reference purposes. Microsoft is now releasing the source code to MS-DOS 4.00 under the MIT license:
https://cloudblogs.microsoft.com/opensource/2024/04/25/open-sourcing-ms-dos-4-0/


Pro-Ukraine hacktivist group Nebula claims to have breached and leaked a considerable volume of data from a Russian organisation:
https://twitter.com/Cyberknow20/status/1784536117813146024


Microsoft recently uncovered an attack that exploits new critical vulnerabilities in OpenMetadata to gain access to Kubernetes workloads and leverage them for cryptomining activity:
https://www.microsoft.com/en-us/security/blog/2024/04/17/attackers-exploiting-new-critical-openmetadata-vulnerabilities-on-kubernetes-clusters/


Windows Kernel Elevation of Privilege Vulnerability - CVE-2024-26218:
https://github.com/exploits-forsale/CVE-2024-26218


A server-side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server:
https://www.cisa.gov/known-exploited-vulnerabilities-catalog


Cisco IOS XE CVE-2023-20198 RCE exploit:
https://github.com/W01fh4cker/CVE-2023-20198-RCE


Palo Alto GlobalProtect file write exploit (CVE-2024-3400):
https://github.com/ak1t4/CVE-2024-3400


A PoC for a new injection technique that abuses the Windows process-forking API to evade EDRs:
https://github.com/deepinstinct/Dirty-Vanity


Millions of devices could still be compromised by the abandoned PlugX USB worm with self-replicating functionality, with infections logged from almost 2.5 million IP addresses over a six-month period beginning September 2023:
https://www.scmagazine.com/brief/infections-with-abandoned-plugx-usb-worm-continue-to-be-prevalent


7-Year-Old 0-Day in Microsoft Office Exploited to Drop Cobalt Strike

Hackers are dusting off old tricks! A recent attack exploited a vulnerability in outdated Microsoft Office installations to deliver Cobalt Strike:
https://www.hackread.com/microsoft-office-0-day-exploited-cobalt-strike/


IBM i is vulnerable to a local privilege escalation due to an unqualified library call in networking and compiler infrastructure [CVE-2024-25050]:
https://www.ibm.com/support/pages/node/7149672


US government and critical infrastructure entities were sent 1,754 ransomware vulnerability notifications under the Ransomware Vulnerability Warning Pilot (RVWP) program in 2023, resulting in 852 vulnerable devices being secured or taken offline:
https://www.infosecurity-magazine.com/news/vulnerable-devices-secured-cisa/


McAfee Labs recently discovered a new RedLine Stealer variant that uses Lua bytecode to hide its malicious code; McAfee says this is the first time it has seen this technique used in RedLine Stealer. The malware was also found on GitHub, uploaded as a file attachment under Microsoft’s official vcpkg repository: https[:]//github[.]com/microsoft/vcpkg/files/14125503/Cheat.Lab.2.7.2.zip.
https://malware.news/t/new-redline-version-uses-lua-bytecode-propagates-through-github/81331


An ongoing social engineering campaign is targeting software developers with bogus npm packages under the guise of a job interview to trick them into downloading a Python backdoor. Cybersecurity firm Securonix is tracking the activity under the name DEV#POPPER, linking it to North Korean threat actors:
https://thehackernews.com/2024/04/bogus-npm-packages-used-to-trick.html


Japanese police create fake support scam payment cards to warn victims:
https://www.bleepingcomputer.com/news/security/japanese-police-create-fake-support-scam-payment-cards-to-warn-victims/


Hackers are now offering administrative access to over 3,000 Fortinet SSL-VPN devices. This poses a significant threat to the many organisations relying on these devices for secure remote access:
https://cybersecuritynews.com/hackers-offering-admin-access/


ThreatFabric researchers identified a new Android malware called Brokewell, which implements a wide range of device takeover capabilities:
https://securityaffairs.com/162381/malware/brokewell-android-malware.html


Russian APT28 is abusing Windows Print Spooler vulnerabilities for privilege escalation, since the spooler service runs with SYSTEM privileges:
https://cybersecuritynews.com/russian-apt28-exploits-windows-print-spooler/


Threat actors accessed more than 19,000 online accounts on a California state platform for welfare programs:
https://securityaffairs.com/162408/data-breach/california-state-welfare-platform-accounts-compromise.html


Organizations in the Americas, Europe, and Asia have been subjected to the ongoing FROZEN#SHADOW attack campaign that involved the distribution of the stealthy SSLoad malware alongside Cobalt Strike and ConnectWise ScreenConnect software to compromise networks:
https://www.scmagazine.com/brief/ongoing-global-malware-attack-campaign-seeks-network-compromise


At Black Hat Asia, researchers at US/Israeli infosec outfit SafeBreach discussed flaws in Microsoft and Kaspersky security products that can potentially allow the remote deletion of files:
https://www.theregister.com/2024/04/22/edr_attack_remote_data_deletion/


Google Chrome's new post-quantum cryptography may break TLS connections. Google started testing the post-quantum TLS key encapsulation mechanism in August 2023 and has now enabled it by default in the latest Chrome release. It uses the X25519Kyber768 hybrid key agreement for TLS 1.3 and QUIC connections to protect Chrome traffic against future quantum cryptanalysis; the larger ClientHello it produces can break connections through middleboxes and servers that cannot handle a ClientHello spanning more than one TCP packet:
https://www.bleepingcomputer.com/news/security/google-chromes-new-post-quantum-cryptography-may-break-tls-connections/


Targeted operation against Ukraine exploited 7-year-old MS Office bug:
https://securityaffairs.com/162420/hacking/ukraine-campaign-old-ms-office-bug.html


Akira ransomware has been actively and widely impacting businesses. According to the CISA advisory, the group has affected over 250 organisations and collected approximately $42 million (USD) in ransomware proceeds. The group gains initial access via VPN services that lack multifactor authentication or by exploiting known Cisco vulnerabilities:
https://fortiguard.fortinet.com/threat-signal-report/5426


Active Palo Alto vulnerability exploitation puts over 22K firewalls at risk:
https://www.scmagazine.com/brief/active-palo-alto-vulnerability-exploitation-puts-over-22k-firewalls-at-risk


Microsoft Azure ODSP nikisos Uncontrolled Search Path Element Remote Code Execution Vulnerability:
https://www.zerodayinitiative.com/advisories/ZDI-24-396/


Okta warns of unprecedented scale in credential stuffing attacks on online services:
https://securityaffairs.com/162464/hacking/okta-warned-spike-credential-stuffing-attacks.html


FTC distributes $5.6 million in refunds to Ring customers from privacy settlement:
https://www.techspot.com/news/102774-ftc-distributes-56-million-refunds-ring-customers-privacy.html


Hackers Claim to Have Infiltrated Belarus’ Main Security Service:
https://www.securityweek.com/hackers-claim-to-have-infiltrated-belarus-main-security-service/


US government says security flaw in Chirp Systems’ app lets anyone remotely control smart home locks:
https://techcrunch.com/2024/04/22/cisa-chirp-systems-remotely-unlock-smart-locks/

