CyberSecurity Newsletter February 5th 2024
In this week’s news: AnyDesk login credentials leak, Cloudflare compromised, Clorox breach will cost $49M, Schneider Electric ransomware, Docker API and GitLab have critical vulnerabilities, Ivanti has two criticals, deepfakes will be used more often to defeat biometrics, a Jenkins vulnerability has an exploit in the wild, an international police operation has taken down 1,300 C2 servers, a former CIA software engineer gets 40 years in prison, and a critical supply chain bug in Google's open-source software development tool Bazel opened the door for hackers to insert malicious code.
Thousands of stolen AnyDesk login credentials are being sold on the dark web; the sale of compromised AnyDesk accounts isn’t connected to the security breach the company disclosed on February 2, 2024:
https://www.hackread.com/anydesk-logins-credentials-sold-on-dark-web/
Cloudflare has revealed its systems were compromised on Thanksgiving last year, leading to source code being accessed by threat actors. The IT service provider believes the attack, which took place on November 23, 2023, was perpetrated by a nation-state actor, who used credentials stolen during a breach of identity and access management (IAM) specialist Okta:
https://www.infosecurity-magazine.com/news/cloudflare-breach-stolen-okta/
Microsoft is bringing the Linux 'sudo' feature to Windows Server 2025, offering a new way for admins to elevate privileges for console applications. This is likely to result in quite a few security bugs:
https://www.bleepingcomputer.com/news/microsoft/microsoft-is-bringing-the-linux-sudo-command-to-windows-server/
Cleaning products giant Clorox estimates the economic impact of the cyber attack that hit the company in August 2023 at $49 million:
https://securityaffairs.com/158575/security/clorox-attack-costs-exceed-49m.html
Energy management and automation giant Schneider Electric suffered a Cactus ransomware attack leading to the theft of corporate data, according to people familiar with the matter:
https://www.bleepingcomputer.com/news/security/energy-giant-schneider-electric-hit-by-cactus-ransomware-attack/
Mastodon has fixed a critical vulnerability that allowed attackers to impersonate and take over any remote account:
https://www.bleepingcomputer.com/news/security/mastodon-vulnerability-allows-attackers-to-take-over-accounts/
Threat actors have targeted internet-exposed Docker API endpoints with the advanced Commando Cat cryptojacking campaign since the beginning of the year:
https://www.scmagazine.com/brief/novel-cryptojacking-campaign-targets-docker-apis
Popular source code management platform GitLab was patched on Friday against five vulnerabilities, including one with a critical severity rating:
https://www.itnews.asia/news/gitlab-patches-another-critical-vulnerability-604565
A cyber attack forced Lurie Children’s Hospital in Chicago to take IT systems offline, with a severe impact on its operations:
https://securityaffairs.com/158609/cyber-crime/lurie-childrens-hospital-cyberattack.html
Microsoft is investigating its second outage in three days affecting Microsoft Teams users across North and South America. Affected customers again report connectivity issues and delays when sending and receiving messages in mobile and desktop Teams clients:
https://www.bleepingcomputer.com/news/microsoft/microsoft-teams-hit-by-second-outage-in-three-days/
Multinational building automation systems manufacturer Johnson Controls International has reported spending $27 million to remediate a ransomware attack in September attributed to the Dark Angels ransomware operation, which had demanded $51 million in exchange for a decryption tool and the deletion of more than 27TB of confidential information:
https://www.scmagazine.com/brief/impact-of-johnson-controls-ransomware-attack-detailed
An international law enforcement operation, 'Synergia', has taken down over 1,300 command and control servers used in ransomware, phishing, and malware campaigns. Command and control (C2) servers are devices operated by threat actors to control malware used in their attacks and to collect information sent from infected devices:
https://www.bleepingcomputer.com/news/legal/interpol-operation-synergia-takes-down-1-300-servers-used-for-cybercrime/
A critical supply chain bug in Google's open-source software development tool Bazel opened the door for hackers to insert malicious code. The command injection vulnerability, according to researchers, impacted the security of millions of Bazel-dependent projects, including Kubernetes, Angular, Uber, LinkedIn, Databricks, Dropbox, Nvidia and Google:
https://www.scmagazine.com/news/supply-chain-vulnerability-fixed-in-google-bazel
Ivanti Connect Secure zero-day exploits. The zero-day vulnerability identified (CVE-2024-21893) is a server-side request forgery flaw in the SAML component of the gateways. This flaw enables unauthorised individuals to bypass authentication protocols and access restricted resources on vulnerable devices. Additionally, a separate vulnerability (CVE-2024-21888) has been discovered in the web component of the gateways; exploiting this flaw allows malicious actors to elevate their privileges to those of an administrator:
https://dailysecurityreview.com/security-spotlight/ivanti-second-connect-secure-zero-day-exploit/
Blackbaud settles FTC charges on ransomware data breach:
https://www.scmagazine.com/brief/blackbaud-settles-ftc-charges-on-ransomware-data-breach
Deepfakes — AI-generated replicas of a person’s likeness — could shatter confidence in face biometric authentication solutions for 30% of companies by 2026, Gartner analysts predict:
https://www.scmagazine.com/news/deepfakes-will-hurt-30-of-organizations-trust-in-biometrics-by-2026
Several Java applications have been targeted by a new variant of the FritzFrog botnet, which has gained the ability to exploit the Log4Shell vulnerability as part of the Frog4Shell attack campaign:
https://www.scmagazine.com/brief/updated-fritzfrog-botnet-emerges
Several proof-of-concept (PoC) exploits for a recently patched critical vulnerability (CVE-2024-23897) in Jenkins have been made public, and there’s evidence of exploitation in the wild:
https://www.helpnetsecurity.com/2024/01/29/cve-2024-23897/
A former software engineer with the U.S. CIA has been sentenced to 40 years in prison for leaking classified documents:
https://securityaffairs.com/158529/intelligence/ex-cia-joshua-adam-schulte-sentenced-40-years.html
Major car rental company Europcar has denied the claimed theft of data belonging to over 48 million of its customers being promoted in a hacking forum, noting that the information was fake and potentially generated by OpenAI's ChatGPT chatbot:
https://www.scmagazine.com/brief/alleged-europcar-breach-involved-fake-data-possibly-from-chatgpt
CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation: CVE-2024-21893, Ivanti Connect Secure, Policy Secure, and Neurons Server-Side Request Forgery (SSRF) Vulnerability:
https://www.redpacketsecurity.com/cisa-cisa-adds-one-known-exploited-vulnerability-to-catalog-05-02-2024/
LockBit Dominates the Threat Landscape. A hyper-active LockBit group led to a surge in ransomware campaigns in the last quarter of 2023, according to XDR security provider ReliaQuest:
https://www.infosecurity-magazine.com/news/lockbit-reigns-supreme-soaring/
Romance scam victims surged by more than a fifth (22%) in 2023 compared to 2022, according to new figures from Lloyds Bank. The average amount lost per incident was £6937 ($8847) last year. This was lower than in 2022 when the average loss was £8237 ($10,505):
https://www.infosecurity-magazine.com/news/romance-scam-victims-surge/
Australia's Rising Battle Against Cyber Fraud:
https://www.cybernewscentre.com/plus-content/content/australias-rising-battle-against-cyber-fraud
Popular instant messaging service Telegram has become a haven for cybercriminals and other threat actors looking to conduct phishing attacks due to the widespread availability of malicious tools and hackers-for-hire services across the platform:
https://www.scmagazine.com/brief/modern-phishing-operations-facilitated-by-telegram
VajraSpy: A Patchwork of espionage apps. ESET researchers discovered several Android apps carrying VajraSpy, a RAT used by the Patchwork APT group:
https://www.welivesecurity.com/en/eset-research/vajraspy-patchwork-espionage-apps/
An AWS Flask phishing application for harvesting credentials from mobile and desktop device logins:
https://gist.github.com/RoseSecurity/0ee09db8d764b85794a1fb38ac726a0f