CyberSecurity Newsletter Feb 12th 2024
In this week’s news:
DoJ announced the seizure of infrastructure that was used to sell a remote access trojan (RAT), hackers steal 3TB of data from Hyundai, HijackLoader has new defence evasion techniques, an employee was duped by an AI-generated CFO in a $25.6M deepfake scam, a fake app impersonates LastPass in the App Store, ExpressVPN fixes a DNS leaking issue, Ivanti has an auth bypass vuln and Fortinet has an RCE vuln that needs your attention now.
Shameless Plug - My site is up:
https://www.bagheeralabs.com/
U.S. DoJ Dismantles Warzone RAT Infrastructure, Arrests Key Operators:
https://thehackernews.com/2024/02/us-doj-dismantles-warzone-rat.html
CISA confirmed today that attackers are actively exploiting a critical remote code execution (RCE) bug patched by Fortinet on Thursday. The flaw (CVE-2024-21762) is due to an out-of-bounds write weakness in the FortiOS operating system that can let unauthenticated attackers execute arbitrary code remotely using maliciously crafted HTTP requests. Admins who can't immediately deploy security updates to patch vulnerable appliances can remove the attack vector by disabling SSL VPN on the device:
https://www.bleepingcomputer.com/news/security/new-fortinet-rce-bug-is-actively-exploited-cisa-confirms/
Ivanti warned of a new authentication bypass vulnerability impacting Connect Secure, Policy Secure, and ZTA gateways, urging admins to secure their appliances immediately. The flaw (CVE-2024-22024) is due to an XXE (XML eXternal Entities) weakness in the gateways' SAML component that lets remote attackers gain access to restricted resources on unpatched appliances in low-complexity attacks without requiring user interaction or authentication:
ExpressVPN has removed the split tunnelling feature from the latest version of its software after finding that a bug exposed the domains users were visiting to configured DNS servers:
https://www.bleepingcomputer.com/news/security/expressvpn-bug-has-been-leaking-some-dns-requests-for-years/
A multinational company’s Hong Kong branch faced a substantial financial setback due to an advanced deepfake scam. During a video call, an employee was deceived by digitally manipulated versions of the company’s CFO and others, resulting in the unauthorised transfer of funds to the scammers:
https://www.hackread.com/employee-duped-ai-generated-cfo-deepfake-scam/
LastPass says a rogue application impersonating its popular password manager made it past Apple's gatekeepers and was listed in the iOS App Store for unsuspecting folks to download and install:
https://www.theregister.com/2024/02/08/lastpass_lookalike_apple_app_store/
The threat actors behind a loader malware called HijackLoader have added new techniques for defence evasion, as the malware continues to be increasingly used by other threat actors to deliver additional payloads and tooling:
https://thehackernews.com/2024/02/hijackloader-evolves-researchers-decode.html
Car maker Hyundai Motor Europe suffered a Black Basta ransomware attack, with the threat actors claiming to have stolen three terabytes of corporate data:
https://www.bleepingcomputer.com/news/security/hyundai-motor-europe-hit-by-black-basta-ransomware-attack/
Iran's cyber conflict with Israel has reached global proportions, with cyberattacks against businesses and government agencies on other continents causing arguably as much ruckus as those in Israel itself:
https://www.darkreading.com/ics-ot-security/iran-israel-cyber-war-goes-global
macOS Backdoor RustDoor likely linked to Alphv/BlackCat ransomware operations:
https://securityaffairs.com/158942/malware/macos-backdoor-rustdoor.html
CEO of Ukraine's largest telecom operator describes the Russian cyberattack that wiped out thousands of computers:
https://therecord.media/kyivstar-ceo-on-russian-cyberattack-telecom
Microsoft warned Outlook for Microsoft 365 users that clients might have issues connecting to email servers via Exchange ActiveSync after a January update. Exchange ActiveSync (EAS) is an Exchange synchronisation protocol using HTTP and XML to let users access their email, calendar, contacts, and tasks:
https://www.bleepingcomputer.com/news/microsoft/microsoft-outlook-clients-not-syncing-over-exchange-activesync/
A new Rust-based macOS malware spreading as a Visual Studio update to provide backdoor access to compromised systems uses infrastructure linked to the infamous ALPHV/BlackCat ransomware gang:
https://www.bleepingcomputer.com/news/security/new-rustdoor-macos-malware-impersonates-visual-studio-update/
The U.S. Federal Trade Commission (FTC) says Americans lost over $10 billion to scammers in 2023, marking a 14% increase in reported losses compared to the previous year:
https://www.bleepingcomputer.com/news/security/americans-lost-record-10-billion-to-fraud-in-2023-ftc-warns/
Microsoft has lifted a compatibility hold that blocked upgrades to Windows 11 23H2 after resolving an issue that caused desktop icons to move erratically when using Windows Copilot on multi-monitor systems:
https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-copilot-issue-blocking-windows-11-upgrades/
Data breaches at two French healthcare payment service providers, Viamedis and Almerys, have now been determined to impact over 33 million people in the country:
https://www.bleepingcomputer.com/news/security/data-breaches-at-viamedis-and-almerys-impact-33-million-in-france/
United Nations sanctions monitors are investigating dozens of suspected cyberattacks by North Korea that raked in $3 billion to help it further develop its nuclear weapons program:
https://www.reuters.com/technology/cybersecurity/un-experts-investigate-58-cyberattacks-worth-3-bln-by-north-korea-2024-02-08/
New Coyote Trojan Targets 61 Brazilian Banks with Nim-Powered Attack:
https://thehackernews.com/2024/02/new-coyote-trojan-targets-61-brazilian.html
Juniper Support Portal Exposed Customer Device Info:
https://krebsonsecurity.com/2024/02/juniper-support-portal-exposed-customer-device-info/
The startup that develops the phone app for casino resort giant WinStar has secured an exposed database that was spilling customers’ private information to the open web:
https://techcrunch.com/2024/02/09/winstar-hotel-casino-app-exposed-customer-personal-data/
According to cybersecurity firm Pen Test Partners, Livall’s smart helmets had an inherent flaw that could lead to the leaking of critical, sensitive user information, including location data:
https://www.hackread.com/smart-helmets-flaw-hacking-surveillance-risk/
Recent versions of the Raspberry Robin malware are stealthier and implement one-day exploits that are deployed only on systems that are susceptible to them. One-day exploits are code that leverages a vulnerability the developer of the affected software has recently patched, where the fix has either not yet been shipped to all clients or has not yet been applied on all vulnerable systems:
https://www.bleepingcomputer.com/news/security/raspberry-robin-malware-evolves-with-early-access-to-windows-exploits/
JSON CSRF in Microsoft Bing Maps Collections:
https://jayateerthag.medium.com/json-csrf-in-microsoft-bing-maps-collections-74afc2b197d5