CyberSecurity Newsletter January 29th 2024
In this week’s news: new vulnerabilities in Outlook, Jenkins and GitLab are being exploited; ransomware groups switch from encryption to extortion-only attacks; the 23andMe hackers were possibly inside for months before detection; a cyberattack takes down securities-lending firm EquiLend, which processes $2.4T per month; and Microsoft senior leadership had their email read by the hackers behind the SolarWinds attack.
Varonis Threat Labs has discovered a new Outlook vulnerability (CVE-2023-35636), one of three new ways to leak NTLMv2 hashes by abusing Outlook, Windows Performance Analyzer (WPA) and Windows File Explorer: https://www.acceis.fr/theft-of-ntlm-v2-hash-code-via-outlook-vulnerability-cve-2023-35636/
Multiple PoC exploits released for Jenkins flaw CVE-2024-23897: https://securityaffairs.com/158251/hacking/cve-2024-23897-poc-exploits.html
The Akira gang has conducted extortion-only operations. In these attacks, data is stolen from victims' environments without deploying ransomware or encrypting systems and data. This marks a significant change in the Akira group's attack methods and in how organizations must defend their systems and data: https://www.scmagazine.com/resource/akira-ransomware-groups-changing-tactics-what-you-need-to-know
Thousands of GitLab servers are vulnerable to zero-click account takeover attacks exploiting the flaw CVE-2023-7028: https://securityaffairs.com/158075/hacking/gitlab-servers-vulnerable-cve-2023-7028.html
Trello Allegedly Breached: Database of 15,115,516 User Records Up for Sale. The cybercriminal, who goes by the name 'emo,' claims that the database includes data such as emails, usernames, full names, and other account information: https://twitter.com/H4ckManac/status/1747527579559411959
EquiLend, which processes $2.4T of securities-lending transactions per month, goes down after a January 22 cyberattack and says restoration may take a few days: https://www.bloomberg.com/news/articles/2024-01-24/wall-street-s-stock-lending-tech-firm-goes-down-in-cyberattack
Microsoft revealed last week that it had discovered a nation-state attack on its corporate systems from the Russian state-sponsored hackers that were behind the SolarWinds attack. Hackers were able to access the email accounts of some members of Microsoft’s senior leadership team: https://www.theverge.com/2024/1/26/24051708/microsoft-hack-russian-security-attack-senior-leadership-emails
23andMe Failed to Detect Account Intrusions for Months: https://www.wired.com/story/23andme-failed-to-detect-account-intrusions-for-months/
The UK's Caravan and Motorhome Club (CAMC) is battling a suspected cyberattack with members reporting widespread IT outages for the past five days: https://www.theregister.com/2024/01/24/major_it_outage_at_caravan/
Cops Used DNA to Predict a Suspect’s Face—and Tried to Run Facial Recognition on It: https://www.wired.com/story/parabon-nanolabs-dna-face-models-police-facial-recognition/
Some Ukrainian state-owned critical infrastructure entities, including oil and gas firm Naftogaz, transport safety agency DSBT, national postal service provider Ukrposhta, and state railway Ukrzaliznytsia disclosed cyberattacks: https://www.scmagazine.com/brief/cyberattacks-impact-ukrainian-state-owned-critical-infrastructure-orgs
CVE-2022-37434 is a critical heap-based buffer overflow vulnerability in zlib, which is used by rsync. An attacker could exploit this vulnerability to achieve remote code execution on the affected system. The bug is triggered by passing a specially crafted file to the affected application: https://cert.be/en/advisory/warning-critical-heap-based-buffer-overflow-leading-rce-rsync-rhel86-patch-immediately
The Australian, US, and UK governments announced sanctions against Aleksandr Gennadievich Ermakov, a Russian national believed to be responsible for the 2022 Medibank hack and a member of the REvil ransomware group: https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-26th-2024-govts-strike-back/
Network boot for UEFI devices with iPXE: https://cylab.be/blog/321/network-boot-for-uefi-devices-with-ipxe
Top 5 Breaches Caused by Infostealer Infections: https://www.infostealers.com/article/top-5-breaches-caused-by-infostealer-infections/
Google Ad powered Crypto Scam: https://infosecwriteups.com/google-ad-powered-crypto-scam-3aeed1c9b472
Evolution of Critical Log Sources in SIEM: https://infosecwriteups.com/evolution-of-critical-log-sources-in-siem-a-5-year-retrospective-841bae2b6a6c
How to hack a train toilet: https://www.devever.net/~hl/traintoilet
Decrypting AsyncRAT: https://www.securityinbits.com/tools/cyberchef/asyncrat-config-decryption-using-cyberchef-recipe-2/
Using rundll32 to execute shellcode and possibly avoid EDR detection: https://github.com/florylsk/ExecIT
Rohan Chauhan dives into Audio OSINT: https://seczap.medium.com/audio-osint-analysis-8606afcb2d59
A PoC for the Jenkins exploit: CVE-2024-23897: https://github.com/Vozec/CVE-2024-23897
Kansas City public transportation authority hit by ransomware: https://www.bleepingcomputer.com/news/security/kansas-city-public-transportation-authority-hit-by-ransomware/