CyberSecurity Newsletter November 18th, 2024
In this week’s news: Hacker gets 5 years for hacking bitcoin exchange, Fake AI video generators infect Windows and macOS, Google’s Gemini AI tells people to die, T-Mobile confirms they were hacked, Palo Alto critical vuln exploited in the wild and Microsoft pulled back a security update.
Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition. Note: Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition are at risk due to this issue:
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/paloalto_expedition_rce.rb
The U.S. Environmental Protection Agency (EPA) report exposes cybersecurity risks in US water systems: vulnerabilities in critical drinking water infrastructure serving 193 million people increase cyberattack risks. The U.S. Environmental Protection Agency (EPA) Office of Inspector General (OIG) has published a report pointing out some major cybersecurity vulnerabilities in drinking water systems serving large populations across the United States:
https://hackread.com/cybersecurity-flaws-us-drinking-water-systems-risks/
GitHub projects have been targeted with malicious commits and pull requests, in an attempt to inject backdoors into these projects. Most recently, the GitHub repository of Exo Labs, an AI and machine learning startup, was targeted in the attack, which has left many wondering about the attacker's true intentions:
https://www.bleepingcomputer.com/news/security/github-projects-targeted-with-malicious-commits-to-frame-researcher/
A hacker responsible for stealing 119,754 Bitcoin in a 2016 hack on the Bitfinex cryptocurrency exchange was sentenced to five years in prison by U.S. authorities. The man, Ilya Lichtenstein, was arrested in February 2022 in Manhattan following a lengthy investigation led by the IRS, HSI, and the FBI, which managed to recover roughly 80% of the stolen cryptocurrency (94,000 Bitcoin):
https://www.bleepingcomputer.com/news/security/bitfinex-hacker-gets-5-years-in-prison-for-120-000-bitcoin-heist/
Fake AI image and video generators infect Windows and macOS with the Lumma Stealer and AMOS information-stealing malware, used to steal credentials and cryptocurrency wallets from infected devices. Lumma Stealer is Windows malware and AMOS targets macOS, but both steal cryptocurrency wallets and cookies, credentials, passwords, credit cards, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers. This data is collected into an archive and sent back to the attacker, who can use the information in further attacks or sell it on cybercrime marketplaces:
https://www.bleepingcomputer.com/news/security/fake-ai-video-generators-infect-windows-macos-with-infostealers/
AppOmni has identified misconfigurations in Microsoft Power Pages that can lead to severe data breaches. Learn about the common issues that expose sensitive information and how to protect your data in SaaS applications. A recent discovery by AppOmni, a SaaS security company, revealed a security vulnerability in Microsoft Power Pages, a low-code platform over 250 million people use monthly. This issue has led to the exposure of millions of sensitive data records across various organizations in public and private sectors, “spanning financial services, healthcare, automotive and more,” explained AppOmni’s chief of SaaS security research, Aaron Costello in a report shared with Hackread.com:
https://hackread.com/microsoft-power-pages-misconfigurations-data-leak/
Google’s Gemini AI Chatbot faces backlash after multiple incidents of it telling users to die, raising concerns about AI safety, response accuracy, and ethical guardrails. AI chatbots have become integral tools, assisting with daily tasks, content creation, and advice. But what happens when an AI provides advice no one asked for? This was the unsettling experience of a student who claimed that Google’s Gemini AI chatbot told him to “die”:
https://hackread.com/google-gemini-ai-chatbot-tells-users-to-die/
T-Mobile confirms it was hacked in the wave of recently reported telecom breaches conducted by Chinese threat actors to gain access to private communications, call records, and law enforcement information requests.
"T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information":
https://www.bleepingcomputer.com/news/security/t-mobile-confirms-it-was-hacked-in-recent-wave-of-telecom-breaches/
Palo Alto Networks confirmed active exploitation of a zero-day in its PAN-OS firewall and released new indicators of compromise (IoCs). Palo Alto Networks recommended reviewing best practices for securing management access to its devices. Guidelines to secure the Palo Alto management interface include isolating it on a dedicated management VLAN, using jump servers for access, limiting inbound IP addresses to approved management devices, and allowing only secure communication (SSH, HTTPS) and PING for connectivity testing:
https://securityaffairs.com/171057/hacking/palo-alto-networks-zero-day-exploitation.html
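As an added example (not from the page or from Palo Alto Networks), a small Python check that applies the management-interface guidance above to a simplified, constructed representation of an interface management profile. The dict layout, the approved management subnet 10.10.0.0/24 and the sample profiles are assumptions, not PAN-OS's real export format.

```python
import ipaddress

# Management access should be limited to SSH and HTTPS, plus ping for
# connectivity testing, and only from approved management hosts.
ALLOWED_SERVICES = {"ssh", "https", "ping"}


def audit_mgmt_profile(profile, approved_mgmt_net):
    """Return a list of findings for a simplified management profile.

    `profile` is a constructed dict (assumed layout, not PAN-OS's own):
      {"services": {"https": True, "telnet": False, ...},
       "permitted_ip": ["10.10.0.0/24", ...]}
    """
    findings = []
    net = ipaddress.ip_network(approved_mgmt_net)

    # Any enabled service outside the allowed set is a finding.
    for svc, enabled in profile["services"].items():
        if enabled and svc not in ALLOWED_SERVICES:
            findings.append(
                f"service {svc} enabled; only {sorted(ALLOWED_SERVICES)} expected")

    # An empty permitted-ip list means no source restriction at all.
    permitted = profile.get("permitted_ip", [])
    if not permitted:
        findings.append(
            "no permitted-ip list: management reachable from any source address")
    for entry in permitted:
        cidr = ipaddress.ip_network(entry, strict=False)
        if cidr.prefixlen == 0:
            findings.append(f"permitted-ip {entry} allows every source address")
        elif not cidr.subnet_of(net):
            findings.append(
                f"permitted-ip {entry} lies outside the management network {net}")
    return findings


# Constructed sample profiles: a weak one beside a hardened one.
WEAK_PROFILE = {
    "services": {"https": True, "ssh": True, "http": True,
                 "telnet": True, "ping": True, "snmp": False},
    "permitted_ip": ["0.0.0.0/0"],
}
HARDENED_PROFILE = {
    "services": {"https": True, "ssh": True, "ping": True,
                 "http": False, "telnet": False},
    "permitted_ip": ["10.10.0.5/32", "10.10.0.6/32"],  # jump servers
}

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_mgmt_profile(prof, "10.10.0.0/24") or ["ok"])
```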
Legal documents released as part of an ongoing legal tussle between Meta's WhatsApp and NSO Group have revealed that the Israeli spyware vendor used multiple exploits targeting the messaging app to deliver Pegasus, including one even after it was sued by Meta for doing so:
https://thehackernews.com/2024/11/nso-group-exploited-whatsapp-to-install.html
Researchers at the Shadowserver Foundation observed a botnet exploiting a zero-day in GeoVision EOL (end-of-life) devices to compromise devices in the wild. The GeoVision zero-day, tracked as CVE-2024-11120 (CVSS 9.8), is a pre-auth command injection vulnerability that was discovered by Shadowserver Foundation and verified with the help of TWCERT:
https://securityaffairs.com/171067/malware/ddos-botnet-exploits-geovision-zero-day.html
CVE-2024-11120 - Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports:
https://github.com/FoKiiin/CVE-2024-11120
A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress that, if successfully exploited, could allow an attacker to remotely gain full administrative access to a susceptible site. The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), impacts both free and premium versions of the plugin. The software is installed on over 4 million WordPress sites:
https://thehackernews.com/2024/11/urgent-critical-wordpress-plugin.html
The Glove Stealer malware exploits a new technique to bypass Chrome’s App-Bound encryption and steal browser cookies. Glove Stealer is a .NET-based information stealer that targets browser extensions and locally installed software to steal sensitive data. The malware could harvest a huge trove of data from infected systems, including cookies, autofill, cryptocurrency wallets, 2FA authenticators, password managers, and email client information:
https://securityaffairs.com/171034/malware/glove-stealer-bypasses-chromes-app-bound-encryption.html
ChatGPT exposes significant data pertaining to its instructions, history, and the files it runs on, placing public GPTs at risk of sensitive data exposure, and raising questions about OpenAI's security on the whole. Figueroa warns, though, that the extent of information ChatGPT leaks via prompt injection might one day help hackers find zero-day vulnerabilities, and break out of their sandboxes. "The reason why I stumbled onto everything I did was because of an error. This is what hackers do [to find bugs]," he says. And if trial and error doesn't work for them, he adds, "the LLM could assist you in figuring out how to get through it.":
https://www.darkreading.com/cloud-security/chatgpt-exposes-instructions-knowledge-os-files
Microsoft pulled its November 2024 Exchange security updates that it released earlier this month for Patch Tuesday due to them breaking email delivery. This decision came after there were reports from admins saying that email had stopped flowing altogether. The issue affects Microsoft Exchange customers who use transport rules, or mail flow rules, as well as data loss protection rules. The mail flow rules filter and redirect emails in transit, while the data loss protection rules ensure that sensitive information isn't being shared via email to an outside organization:
https://www.darkreading.com/cloud-security/microsoft-pulls-exchange-patches-amid-mail-flow-issues