CyberSecurity Newsletter April 22nd, 2024
In this week’s news: Ransomware payments drop to 28%, though Akira made $42M in one year; attackers pose as LastPass staff; Microsoft gets slammed by the Cyber Safety Review Board; a malware dev targets child exploiters; VW breached; a Cisco third party breached, exposing customer data; the FBI says Chinese hackers are preparing to hit US infrastructure; and security researcher j00ru gets 44 CVEs from Windows Registry research.
@j00ru of Google’s Project Zero spent 20 months auditing the Windows Registry and got 44 CVEs. GOAT level hacker.
https://googleprojectzero.blogspot.com/2024/04/the-windows-registry-adventure-1.html
Ransomware payments drop to a record low of 28% in Q1 2024. Ransomware actors have had a rough start this year, as stats from cybersecurity firm Coveware show companies are increasingly refusing to pay extortion demands, leading to a record low of 28% of companies paying ransom in the first quarter of 2024:
https://www.bleepingcomputer.com/news/security/ransomware-payments-drop-to-record-low-of-28-percent-in-q1-2024/
Cybercriminals pose as LastPass staff to hack password vaults:
https://www.bleepingcomputer.com/news/security/cybercriminals-pose-as-lastpass-staff-to-hack-password-vaults/
The Cyber Safety Review Board’s report slammed Microsoft's security practices over 2023 intrusion but also delivered a wealth of recommendations crucial for cloud service providers:
https://www.csoonline.com/article/2088307/microsoft-blasting-csrb-report-also-contains-recommendations-aiming-to-rev-up-cloud-security.html
The Akira ransomware has been around for just more than a year, but has caused its share of damage, racking up more than 250 victims and pulling in about $42 million in ransom, according to law enforcement and cybersecurity agencies in the United States and Europe:
https://securityboulevard.com/2024/04/akira-ransomware-group-takes-in-42-million-from-250-attacks-in-a-year/
Malware dev lures child exploiters into honeytrap to extort them. Targeting those who actively seek out child pornography.
https://www.bleepingcomputer.com/news/security/malware-dev-lures-child-exploiters-into-honeytrap-to-extort-them/
Explosive data was stolen from Volkswagen. Traces point to hackers from China. Research by ZDF frontal and “Spiegel” shows what the data thieves stole:
https://www-zdf-de.translate.goog/nachrichten/wirtschaft/volkswagen-china-hacking-industriespionage-emobilitaet-100.html
Cisco Duo MFA logs exposed in third-party data breach. Cyber attack on an unnamed supplier for Cisco Duo’s SMS and VOIP multifactor authentication service exposes sensitive customer data used across internal networks and corporate apps:
https://www.itpro.com/security/cisco-duo-mfa-logs-exposed-in-third-party-data-breach
FBI says Chinese hackers preparing to attack US infrastructure:
https://www.itnews.com.au/news/fbi-says-chinese-hackers-preparing-to-attack-us-infrastructure-607271
Palo Alto Networks has released fixes for a zero-day vulnerability affecting its GlobalProtect VPN product that is being targeted following its disclosure last week:
https://therecord.media/palo-alto-networks-fixes-vpn-zero-day
Crooks manipulate GitHub’s search results to distribute malware:
https://securityaffairs.com/161792/cyber-crime/githubs-search-results-d
Threat actors exploited a critical zero-day vulnerability in CrushFTP enterprise file transfer software in targeted attacks, CrowdStrike experts warn. CrushFTP is a file transfer server that provides secure and efficient file transfer capabilities:
https://securityaffairs.com/162067/hacking/crushftp-zero-day-exploited.html
Critical PuTTY Client Vulnerability Lets Attackers Recover Private Keys:
https://cybersecuritynews.com/putty-client-vulnerability/
Veriti Research has discovered a surge in attacks from operators of the Androxgh0st malware family, uncovering over 600 servers compromised primarily in the U.S., India and Taiwan. According to Veriti’s blog post, the adversary behind Androxgh0st had their C2 server exposed, which could allow for a counterstrike by revealing the impacted targets. The researchers then went on to alert the victims:
https://www.hackread.com/androxgh0st-malware-servers-botnets-attacks/
Critical PHP Vulnerabilities: Update Now to Prevent Takeovers and Command Injection (CVE-2024-1874, CVE-2024-2756, CVE-2024-3096, CVE-2024-2757):
https://malware.news/t/critical-php-vulnerabilities-update-now-to-prevent-takeovers-and-command-injection-cve-2024-1874-cve-2024-2756-cve-2024-3096-cve-2024-2757/80830
PoC Released For Critical Zero-Click Windows Vulnerability:
https://cybersecuritynews.com/poc-released-zero-click-windows-vulnerability/
Dark Web Sales Driving Major Rise in Credential Attacks: Cybercriminals Netting Over 50 Credentials Per Infected Device:
https://www.databreachtoday.co.uk/dark-web-sales-driving-major-rise-in-credential-attacks-a-24893
The MITRE Corporation, a non-profit organization that runs federally funded research and development centers, has disclosed that a sophisticated cyber attack recently compromised one of its internal research and development networks:
https://cybersecuritynews.com/mitre-hacked/
MITRE detected the attack on one of its internal R&D networks and took immediate action to contain the incident.
The attack was believed to have been initiated by the UNC5221 group from China.
The attack had no impact on the organization’s business and public-facing networks.
A French hospital was forced to return to pen and paper and postpone medical treatments after a cyber attack:
https://securityaffairs.com/162057/hacking/french-hospital-cyber-attack.html
The FBI and Australian Federal Police have partnered to arrest and indict an unnamed Australian who developed Firebird/Hive remote access trojan and California-based Edmond Chakhmakchyan, also known as Corruption, who allegedly marketed the RAT, according to BleepingComputer:
https://www.scmagazine.com/brief/us-australia-apprehend-firebird-rat-developer
A new Android trojan called SoumniBot has been detected in the wild targeting users in South Korea by leveraging weaknesses in the manifest extraction and parsing procedure. The malware is "notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest," Kaspersky researcher Dmitry Kalinin said in a technical analysis:
https://thehackernews.com/2024/04/new-android-trojan-soumnibot-evades.html
New RedLine Stealer Variant Disguised as Game Cheats Using Lua Bytecode for Stealth:
https://thehackernews.com/2024/04/new-redline-stealer-variant-disguised.html
Apache Kafka Flaw Let Attackers Gain Access To Sensitive Data:
https://cybersecuritynews.com/apache-kafka-security-flaw/
Androxgh0st Malware Compromises Servers Worldwide for Botnet Attack. Veriti Research exposes surge in Androxgh0st attacks, exploiting CVEs and building botnets for credential theft. Patch systems, monitor for web shells, and use behavioral analysis to protect yourself:
https://www.hackread.com/androxgh0st-malware-servers-botnets-attacks/
Threat actors target government entities in the Middle East with a new backdoor dubbed CR4T as part of an operation tracked as DuneQuixote:
https://securityaffairs.com/162036/hacking/dunequixote-campaign-targets-middle-east.html
The National Security Agency’s Artificial Intelligence Security Center (NSA AISC) published the joint Cybersecurity Information Sheet “Deploying AI Systems Securely” in collaboration with CISA and the Federal Bureau of Investigation (FBI):
https://www.cisa.gov/news-events/alerts/2024/04/15/joint-guidance-deploying-ai-systems-securely
Bypassing EDRs With EDR-Preloading by Marcus Hutchins:
https://malwaretech.com/2024/02/bypassing-edrs-with-edr-preload.html
Psoglav Ransomware has released a new RaaS. The first 3 partners are free:
https://twitter.com/AlvieriD/status/1781922472146719211#m
Analysis of VirtualBox CVE-2023-21987 and CVE-2023-21991:
https://qriousec.github.io/post/vbox-pwn2own-2023/
Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance:
https://github.com/subat0mik/Misconfiguration-Manager
Android 14 kernel exploit for Pixel7/8 Pro:
https://github.com/0x36/Pixel_GPU_Exploit