CyberSecurity Newsletter March 4th 2024
In this week’s news: the US warns of Phobos ransomware attacks, a ConnectWise authentication bypass, an exposed database of one-time security codes, the new draft of the NIST CSF, an AI worm, and a breach at U-Haul.
The U.S. DoJ charged Iranian national Alireza Shafie Nasab for his role in attacks targeting U.S. government and defence entities:
https://securityaffairs.com/159837/hacking/us-charged-iranian-national.html
US CISA, the FBI, and MS-ISAC issued a joint CSA to warn of attacks involving Phobos ransomware variants observed as recently as February 2024:
https://securityaffairs.com/159822/cyber-crime/cisa-phobos-ransomware-attacks.html
Hackers Poison SEO Results To Deploy Gootloader Malware And Steal RDP Access:
https://cybersecuritynews.com/gootloader-seo-poisoning/
On February 19, 2024, ConnectWise published a security advisory for its remote desktop application software, ScreenConnect. One of the flaws, CVE-2024-1709, is an authentication bypass vulnerability that could let attackers gain administrative access to a ScreenConnect instance:
https://fortiguard.fortinet.com/threat-signal-report/5389
The US government has taken a strong stance against trading scams by adding Canadian tech firm Sandvine to its notorious “Entity List.” This move essentially bans American companies from doing business with Sandvine, raising concerns about the firm’s activities:
https://infosecwriteups.com/us-blacklists-canadian-tech-firm-sandvine-1dde77eed5b1
A technology company that routes millions of SMS text messages across the world has secured an exposed database that was spilling one-time security codes that may have granted users access to their Facebook, Google and TikTok accounts:
https://techcrunch.com/2024/02/29/leaky-database-two-factor-codes/
The Düsseldorf Police in Germany have seized Crimemarket, a massive German-speaking illicit trading platform with over 180,000 users, arresting six people, including one of its operators:
https://www.bleepingcomputer.com/news/legal/germany-takes-down-cybercrime-market-with-over-180-000-users/
Microsoft Azure MCR VSTS CLI vstscli Uncontrolled Search Path Element Remote Code Execution Vulnerability:
https://www.zerodayinitiative.com/advisories/ZDI-24-208/
A Florida journalist has been arrested and charged with breaking into protected computer systems in a case his lawyers say was less "hacking," more "good investigative journalism":
https://www.theregister.com/2024/02/26/in_brief_security/
Cybersecurity researchers have identified new infrastructure likely used by the operators of the commercial spyware known as Predator in at least 11 countries. By analyzing the domains likely used to deliver the spyware, analysts at Recorded Future’s Insikt Group were able to spot potential Predator customers in Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago:
https://therecord.media/new-predator-spyware-infrastructure-identified
A U.S. judge has ordered NSO Group to hand over its source code for Pegasus and other products to Meta as part of the social media giant's ongoing litigation against the Israeli spyware vendor:
https://thehackernews.com/2024/03/us-court-orders-nso-group-to-hand-over.html
Hackers have taken control of over 8,000 subdomains belonging to reputable companies and organizations to launch a massive phishing campaign that sends millions of malicious emails every day:
https://www.cysecurity.news/2024/03/ebay-vmware-and-mcafee-taken-down-in.html
The US National Institute of Standards and Technology (NIST) has released the latest draft of its well-regarded Cybersecurity Framework (CSF). The new "Govern" function, which incorporates greater executive and board oversight of cybersecurity, and the expansion of the best practices beyond critical industries mean that new program gaps will emerge that may not have been present before, especially with respect to cybersecurity governance and supply chain risk management:
https://www.darkreading.com/ics-ot-security/nist-cybersecurity-framework-2-0-4-steps-get-started
Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static tracks compiled from various AV reports and custom user-defined lists:
https://github.com/stamparm/maltrail/
The Cybersecurity and Infrastructure Security Agency urged enterprises to weigh the risks of continued use of previously compromised Ivanti VPN appliances:
https://www.scmagazine.com/brief/cisa-warns-of-root-persistence-in-hacked-ivanti-devices
Russian-speaking ransomware operation LockBit reestablished a dark web leak site Saturday afternoon and posted a lengthy screed authored by its leader, who vowed not to retreat from the criminal underground world:
https://www.govinfosecurity.com/ransomware-operation-lockbit-relaunches-dark-web-leak-site-a-24442
New Bifrost RAT Variant Targets Linux Devices, Mimics VMware Domain:
https://www.hackread.com/bifrost-variant-linux-mimics-vmware-domain/
CISA ordered U.S. Federal Civilian Executive Branch (FCEB) agencies to secure their Windows systems against a high-severity vulnerability in the Microsoft Streaming Service (MSKSSRV.SYS) that's actively exploited in attacks. The security flaw (tracked as CVE-2023-29360) is due to an untrusted pointer dereference weakness that enables local attackers to gain SYSTEM privileges in low-complexity attacks that don't require user interaction:
https://www.bleepingcomputer.com/news/security/cisa-warns-of-microsoft-streaming-bug-exploited-in-malware-attacks/
European diplomats targeted by SPIKEDWINE with WINELOADER:
https://www.zscaler.com/blogs/security-research/european-diplomats-targeted-spikedwine-wineloader
Microsoft patched a high-severity Windows Kernel privilege escalation vulnerability in February, six months after being informed that the flaw was being exploited as a zero-day:
https://www.bleepingcomputer.com/news/security/windows-kernel-bug-fixed-last-month-exploited-as-zero-day-since-august/
A new phishing kit named CryptoChameleon is being used to target Federal Communications Commission (FCC) employees, using specially crafted single sign-on (SSO) pages for Okta that appear remarkably similar to the originals:
https://www.bleepingcomputer.com/news/security/hackers-target-fcc-crypto-firms-in-advanced-okta-phishing-attacks/
Hacker builds Prompt Injection Attacks using CoPilot:
https://embracethered.com/blog/posts/2024/whoami-conditional-prompt-injection-instructions/
Security researchers created an AI worm in a test environment that can automatically spread between generative AI agents—potentially stealing data and sending spam emails along the way:
https://www.wired.com/story/here-come-the-ai-worms/
U-Haul has been forced to notify tens of thousands of customers that their data was compromised in a breach last year:
https://www.infosecurity-magazine.com/news/uhaul-informs-customers-major-data/