CyberSecurity Newsletter April 1st 2024
On March 28, 2024, Red Hat Linux announced CVE-2024-3094 with a critical CVSS score of 10. This vulnerability results from a supply chain compromise impacting versions 5.6.0 and 5.6.1 of XZ Utils. XZ Utils is data compression software included in major Linux distributions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised people to downgrade to an uncompromised XZ Utils version (earlier than 5.6.0):
https://unit42.paloaltonetworks.com/threat-brief-xz-utils-cve-2024-3094/
The xz backdoor:
https://boehs.org/node/everything-i-know-about-the-xz-backdoor
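The CISA guidance above amounts to a version check: an installed XZ Utils at 5.6.0 or 5.6.1 is compromised, and anything earlier than 5.6.0 is outside the affected range. The script below is an added example, not code from the newsletter, Red Hat, CISA or the XZ project; it assumes `xz --version` prints a first line of the form `xz (XZ Utils) 5.4.1`, and it only inspects the version string, so it tells you whether a host is in the flagged range, not whether a build was otherwise tampered with.

```shell
#!/bin/sh
# Added example: classify an XZ Utils version against the CVE-2024-3094 advisory.
# Not part of the newsletter or any linked article; the xz --version output
# format is an assumption.

# Pull the version number out of `xz --version` output (first line only).
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) when the version is one of the two compromised releases.
xz_version_is_compromised() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# True (exit 0) when the version is earlier than 5.6.0, i.e. the level CISA
# recommends downgrading to. Compares major.minor numerically.
xz_version_predates_backdoor() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    major=${1:-0}
    minor=${2:-0}
    [ "$major" -lt 5 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -lt 6 ] && return 0
    return 1
}

# Map a version string to one of three verdicts.
xz_verdict() {
    if xz_version_is_compromised "$1"; then
        echo "compromised"
    elif xz_version_predates_backdoor "$1"; then
        echo "predates-backdoor"
    else
        echo "outside-affected-range"
    fi
}

# Report on the xz binary found on PATH, if any. Always returns 0 so the
# script can be sourced; the verdict is in the printed line.
check_installed_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz: not installed"
        return 0
    fi
    v=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if [ -z "$v" ]; then
        echo "xz: could not parse version output"
        return 0
    fi
    echo "xz $v: $(xz_verdict "$v")"
    return 0
}

check_installed_xz
```

Note that the backdoor lives in liblzma, so on hosts where the library and the `xz` binary come from different packages the library version is the one that matters; `xz --version` also prints a `liblzma` line that can be checked the same way.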
AT&T said it has begun notifying millions of customers about the theft of personal data recently discovered online. The telecommunications giant said Saturday that a dataset on the "dark web" contains information such as Social Security numbers for about 7.6 million current AT&T account holders and 65.4 million former account holders. The company said it has already reset the passcodes of current users and will be communicating with account holders whose sensitive personal information was compromised:
https://techxplore.com/news/2024-03-att-notifies-users-breach-resets.html
A new tool dubbed BlueDucky automates the exploitation of a critical Bluetooth pairing vulnerability that allows 0-click code execution on unpatched devices. This revelation comes on the heels of Marc Newlin’s January 2024 publication of a proof-of-concept script targeting the Bluetooth vulnerability identified as CVE-2023-45866:
https://cybersecuritynews.com/blueducky-exploits-bluetooth-vulnerability/
Threat actor ‘IntelBroker’ has claimed another high-profile data breach, this time against Mashvisor, claiming to hold multiple user and agent databases, exposing hundreds of thousands of sensitive entries. Mashvisor is a real estate data analytics company that provides various tools and services to help investors analyse and find profitable traditional and Airbnb rental properties across the United States:
https://restoreprivacy.com/hacker-claims-breach-on-real-estate-data-analytics-firm-mashvisor/
The United States and Britain imposed sanctions on China’s elite hacking units on Monday, accusing Beijing’s top spy agency of a yearslong effort to place malware in America’s electrical grids, defence systems and other critical infrastructure and of stealing the voting rolls for 40 million British citizens:
https://www.nytimes.com/2024/03/25/us/politics/china-hacking-us-sanctions.html
Quantum Implementation and Analysis of SHA-2 and SHA-3:
https://eprint.iacr.org/2024/513
Facebook had a secret "Project Ghostbusters" (get it?) which allegedly was to decrypt "man-in-the-middle" style Snapchat traffic to copy it:
https://twitter.com/jason_kint/status/1772459601356583268
https://techcrunch.com/2024/03/26/facebook-secret-project-snooped-snapchat-user-traffic
A Linux privilege-escalation proof-of-concept exploit has been published that, according to the bug hunter who developed it, typically works effortlessly on kernel versions between at least 5.14 and 6.6.14:
https://www.theregister.com/2024/03/29/linux_kernel_flaw/
Security researchers found a new version of the Vultur banking trojan for Android that includes more advanced remote control capabilities and an improved evasion mechanism. Researchers at fraud detection company ThreatFabric first documented the malware in March 2021, and in late 2022, they observed it being distributed over Google Play through dropper apps:
https://www.bleepingcomputer.com/news/security/vultur-banking-malware-for-android-poses-as-mcafee-security-app/
The source code and documentation of the Italian anti-piracy platform Privacy Shield have reportedly been leaked on the popular code-sharing platform GitHub. This incident raises serious questions about privacy, security, and the potential for censorship. According to reports, the leak comprises nine repositories that contain comprehensive details of the Privacy Shield platform:
https://cybersecuritynews.com/source-code-leaked/
Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named 'Tycoon 2FA' to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection. Tycoon 2FA was discovered by Sekoia analysts in October 2023 during routine threat hunting, but it has been active since at least August 2023, when the Saad Tycoon group offered it through private Telegram channels. The PhaaS kit shares similarities with other adversary-in-the-middle (AitM) platforms, such as Dadsec OTT, suggesting possible code reuse or a collaboration between developers:
https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts/
A previously disclosed critical flaw in Fortinet’s FortiClient Enterprise Management Server (FortiClientEMS) is now actively exploited by threat actors, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). On March 12, Fortinet disclosed and issued a patch for the SQL injection flaw (CVE-2023-48788), which exists in FortiClientEMS, its central management solution for endpoints. Last week, Fortinet updated the security advisory to reflect that the flaw has been exploited in the wild, and on Monday, CISA added the flaw to its Known Exploited Vulnerabilities catalogue:
https://malware.news/t/critical-fortinet-flaw-now-actively-exploited/80118
Apple users are falling prey to a sophisticated phishing campaign designed to hijack their Apple IDs through what’s known as a “push bombing” or “MFA fatigue” attack. This method exploits the multi-factor authentication (MFA) system, bombarding users with constant notifications to approve password changes or logins, ultimately aiming to steal passwords and gain unauthorised access to personal information and devices:
https://cybersecuritynews.com/apple-id-push-bombing-attack/
Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script:
https://www.trendmicro.com/en_us/research/24/c/agenda-ransomware-propagates-to-vcenters-and-esxi-via-custom-pow.html
St. Cloud most recent in a string of Florida cities hit with ransomware:
https://therecord.media/st-cloud-hit-with-ransomware-florida-string
Over 170,000 users have fallen victim to a meticulously orchestrated scheme exploiting the Python software supply chain. The Checkmarx Research team has uncovered a multi-faceted attack campaign that leverages fake Python infrastructure to distribute malware, compromising the security of countless developers and organisations:
https://gbhackers.com/170k-user-accounts-hacked/
The Top.gg Discord bot community with over 170,000 members has been impacted by a supply-chain attack aiming to infect developers with malware that steals sensitive information. The threat actor has been using several tactics, techniques, and procedures (TTPs) over the years, including hijacking GitHub accounts, distributing malicious Python packages, using a fake Python infrastructure, and social engineering:
https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/hackers-poison-source-code-from-largest-discord-bot-platform/amp/
A vulnerability has been discovered that impacts all supported versions of Ivanti Neurons for ITSM (2023.3, 2023.2 and 2023.1). Unsupported versions are also at risk; customers should upgrade to a supported version before applying the patch (hotfix):
https://forums.ivanti.com/s/article/SA-CVE-2023-46808-Authenticated-Remote-File-Write-for-Ivanti-Neurons-for-ITSM?language=en_US
A new vulnerability has been discovered in the Ivanti Standalone Sentry, and patches to remediate this vulnerability are available now. This vulnerability impacts all supported versions 9.17.0, 9.18.0, and 9.19.0. Older versions are also at risk:
https://forums.ivanti.com/s/article/CVE-2023-41724-Remote-Code-Execution-for-Ivanti-Standalone-Sentry
United Nations peacekeeping missions, especially in Africa, are at a growing risk of compromise by sophisticated nation-state-sponsored threat actors, and they need to adopt basic cybersecurity infrastructure best practices and tools to defend them, according to new research:
https://www.darkreading.com/cyber-risk/un-peace-operations-under-fire-from-state-sponsored-hackers
Multiple threat actors are exploiting the recently disclosed security flaws in JetBrains TeamCity software to deploy ransomware, cryptocurrency miners, Cobalt Strike beacons, and a Golang-based remote access trojan called Spark RAT:
https://thehackernews.com/2024/03/teamcity-flaw-leads-to-surge-in.html