Cyber Security News Weekly Round-Up: Vulnerabilities, Cyber Attacks & Stories
Staying informed is key in the ongoing contest of cybersecurity, so this weekly recap brings you the newest trends, vulnerabilities, breaches, and possible defenses.
Learning quickly about new cyber risks and attack vectors lets you strengthen your defenses and preventive measures right away.
Continuous situational awareness gives an all-around view of this fast-changing landscape and helps ensure that your assets are adequately protected against volatile threats.
Data Breach
Dell Technologies is investigating a data leak in which the names, physical addresses, and purchase details of about 49 million customers were exposed through its customer portal.
The unauthorized party gained access to a system holding limited customer details tied to purchases, such as service tags, product descriptions, order dates, and warranty information, but had no access to financial or other highly sensitive data.
In response, the company engaged an external forensics firm and notified the relevant security agencies, and it has put in place measures to contain the breach and taken the necessary follow-up steps.
SSH Accounts With Root Access Advertised
The report discusses insecure hosts that rely on SSH for authentication but are being abused by attackers who obtain access to privileged accounts such as ‘root’ or ‘administrator’ through SSH keys.
It underscores how attackers can use these hijacked accounts to extend their control across networks, plant malware, or exfiltrate data.
Recommendations include disallowing direct root logins over SSH and moving SSH off its default port as an additional hardening measure.
The 2022 Global Automotive Cybersecurity Report by Upstream draws attention to the severe financial repercussions of cyber attacks on the automotive sector, with estimated losses of $505 billion by 2024.
The report also finds that attackers are becoming more sophisticated, with 84.5% of attacks in 2021 carried out remotely.
It also covers trends such as keyless entry attacks and the rise of black-hat actors, which challenge industry stakeholders and call on them to keep pace with new regulations such as UNECE WP.29 and ISO/SAE 21434.
New LLMjacking Used Stolen Cloud Credentials
The report discusses a new attack vector, dubbed “LLMjacking”, in which stolen cloud credentials are used to gain access to hosted large language models (LLMs).
Using such hijacked accounts, attackers can feed the models malicious data to make them produce harmful content and, more broadly, tamper with the model’s behaviour.
The report underscores the need for strict security controls, including multifactor authentication and continuous monitoring of cloud resource consumption, to mitigate the risk of LLMjacking.
Vulnerability
Critical Next.js Vulnerability
This report looks at the security considerations of Next.js, a popular framework for building server-side rendered (SSR) and statically generated (SSG) sites.
Security must be considered when adopting SSR and SSG, because these rendering modes can introduce flaws that are exploitable if they are not configured properly.
It also covers the advantages of adopting Next.js, such as its adaptability and extensive community support, while noting that the framework is not free of issues, lazy page loading in development environments among them.
It also offers guidance on approaching Next.js security, including auditing data access layers, validating user input, and protecting against CSRF attacks.
Lastly, it highlights a vulnerability reported in Netlify’s Next.js library and fixed in 2022 that could have enabled universal XSS attacks on high-traffic websites.
Security researchers have found “TunnelVision”, a new technique that may allow attackers to monitor users’ online activity by routing traffic around VPN encryption.
The technique relies on how computers handle multiple network connections and routing tables: traffic is diverted away from the VPN tunnel and onto other networks.
To protect against TunnelVision, VPN providers should consider using network namespaces on supported operating systems, which isolate the VPN’s interfaces and routing tables from local network control.
Organizations would also do well to enable DHCP snooping, ARP protections, and port security on switches, and to consider ignoring DHCP option 121 while a VPN is in use.
The vulnerability was reported to the Electronic Frontier Foundation (EFF) and the US Cybersecurity and Infrastructure Security Agency (CISA), and it has been assigned CVE-2024-3661.
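The routing-table behaviour described above, as an added example that is not part of the original article: it decodes a constructed DHCP option 121 payload (the RFC 3442 classless static routes the technique abuses) and flags the pushed routes a client would prefer over an assumed 0.0.0.0/0 VPN route, the kind of check a defender can run over a captured DHCP offer or a lease file.

```python
"""Decode DHCP option 121 (RFC 3442 classless static routes) and flag the
entries a host would prefer over its VPN route, which is the routing-table
behaviour TunnelVision relies on. Added example, not code from the article:
the option payload is constructed, and the VPN and LAN prefixes are assumed."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed payload, all routes via 192.168.1.1: 0.0.0.0/1 and 128.0.0.0/1
# (together they out-match any /0 default route), 10.0.0.0/8, and the
# ordinary on-link LAN route 192.168.1.0/24.
SAMPLE_OPTION_121 = bytes.fromhex(
    "01 00 c0a80101"
    "01 80 c0a80101"
    "08 0a c0a80101"
    "18 c0a801 c0a80101"
)


def parse_option_121(data: bytes) -> List[Route]:
    """Parse the option payload into (destination, router) pairs. Each entry is
    a prefix length, ceil(prefix/8) significant destination octets, then the
    4-byte router address (RFC 3442 section 2)."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        prefix_len = data[i]
        if prefix_len > 32:
            raise ValueError(f"bad prefix length {prefix_len} at offset {i}")
        n = (prefix_len + 7) // 8
        dest, router = data[i + 1:i + 1 + n], data[i + 1 + n:i + 5 + n]
        if len(dest) != n or len(router) != 4:
            raise ValueError(f"truncated route entry at offset {i}")
        dest_int = int.from_bytes(dest.ljust(4, b"\x00"), "big")
        # strict=False: a server may leave host bits set inside the sent octets
        routes.append((ipaddress.IPv4Network((dest_int, prefix_len), strict=False),
                       ipaddress.IPv4Address(router)))
        i += 5 + n
    return routes


def longest_match(routes: List[Route], dest: str) -> Optional[Route]:
    """The pushed route the kernel would pick for dest (longest prefix wins)."""
    ip = ipaddress.IPv4Address(dest)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def vpn_bypassing_routes(routes: List[Route], vpn_route: str, lan: str) -> List[Route]:
    """Pushed routes that beat the VPN route for some destinations: an equal or
    longer prefix inside the space the VPN covers (equal-length ties are
    settled by metric). The on-link LAN prefix is excluded as expected."""
    vpn, local = ipaddress.IPv4Network(vpn_route), ipaddress.IPv4Network(lan)
    return [r for r in routes
            if r[0].prefixlen >= vpn.prefixlen and r[0].subnet_of(vpn)
            and not r[0].subnet_of(local)]


if __name__ == "__main__":
    for dst, gw in vpn_bypassing_routes(parse_option_121(SAMPLE_OPTION_121),
                                        "0.0.0.0/0", "192.168.1.0/24"):
        print(f"option 121 route {dst} via {gw} would carry traffic outside the VPN tunnel")
```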
Google Chrome has been targeted by a zero-day vulnerability, CVE-2024-4671, which is actively exploited by malicious attackers. This high-risk flaw in Chrome’s Visuals component allows unauthorized access to sensitive information and potential remote code execution.
Google promptly released the Chrome 124.0.6367.201/.202 update for Windows, Mac, and Linux to address this critical issue. Users are urged to update their browsers immediately to mitigate the risk of exploitation and enhance system security.
To enrich CVE records, CISA has started the “Vulnrichment” project, which adds metadata that helps organizations prioritize their vulnerability remediation efforts.
The initiative is hosted on GitHub and seeks to add key data points to CVE records, such as Common Platform Enumeration (CPE) identifiers and Common Vulnerability Scoring System (CVSS) scores, among others.
Alongside the enriched CVE data, CISA intends to publish its Stakeholder-Specific Vulnerability Categorization (SSVC) decision points to make its prioritization methodology more transparent.
The Go language has been found to have a critical vulnerability (CVE-2023-24538) that allows for JavaScript injection in Go templates.
Despite the CVSS score of 9.8 (critical), Grafana Labs, which uses Go, rated its own exposure as informational (0.0) because it found no exploitable use cases.
Grafana nevertheless released patches for the affected versions as a precaution. The report also notes the increasing adoption of Go by malware authors, with an 80% increase in Go-written malware samples between June and August 2021.
Go’s ability to cross-compile one codebase for multiple platforms is why cryptocurrency miners make up the largest share of Go malware.
Citrix has recently released a security update to address a vulnerability (CVE-2024-31497) identified in certain versions of its Citrix Hypervisor virtualization platform.
The flaw stems from XenCenter, the management console for Citrix Hypervisor, shipping a vulnerable version of the PuTTY SSH client.
Versions of XenCenter prior to 8.2.6 for Citrix Hypervisor 8.2 CU1 Long Term Service Release (LTSR) included a vulnerable PuTTY that could enable an attacker controlling a guest VM to derive the SSH private key of a XenCenter administrator who authenticates to that VM over SSH.
Citrix deprecated PuTTY with XenCenter 8.2.6 and recommends that customers using XenCenter’s SSH console functionality update to PuTTY 0.81 or later. The vulnerability has a CVSS score of 5.9.
Hackers are exploiting a high-severity vulnerability in the LiteSpeed Cache plugin for WordPress (CVE-2023-40000) to create rogue admin accounts on vulnerable websites.
The flaw lets threat actors set up unauthorized admin users, giving them full control over the website. The vulnerability was disclosed in February 2024 and fixed in October 2023.
To protect against such attacks, users are advised to update to the latest version of the plugin, review installed plugins, and delete any suspicious files.
A serious cross-site scripting (XSS) issue has been identified in the widely used Yoast SEO WordPress plugin, putting more than 5 million websites at risk of compromise.
The flaw was discovered by Bassem Essam, a security researcher who reported it through the Wordfence Bug Bounty Program. The reflected XSS vulnerability exists in all Yoast SEO versions up to 22.5 due to insufficient input sanitization and output escaping.
If exploitation succeeds, attackers can inject malicious code into theme or plugin files, create unauthorized admin accounts, redirect users to malicious sites, or take over the WordPress site altogether.
Yoast has released version 22.6 to address the flaw, and all sites running Yoast SEO are advised to install it immediately.
The report discusses a flaw in Oracle’s WebLogic Server that makes HTTP header injection and manipulation of HTTP requests possible even through encoded URLs, which in turn exposes further security weaknesses.
The vulnerability stems from the way the web server plugin processes URLs, which allows attackers to insert special characters into requests forwarded to application servers.
This makes it easier for an attacker to turn a reflected XSS flaw into a persistent one, which can seriously damage the security of WebLogic deployments.
Mitigations include applying patches and blocking certain encoded special characters in requested URLs.
PoC Released for PuTTY Private Key Recovery Flaw
The report covers a Proof of Concept (PoC) release concerning PuTTY private keys and focuses on how private keys are encrypted and stored in PPK files. It describes the PPK file format, including the format version, key algorithm, encryption method, and key comment.
It also highlights a security vulnerability in PuTTY versions 0.68 to 0.80 that may enable attackers to recover private keys, gaining unauthorized access to SSH servers and the ability to sign commits.
The defect was fixed in PuTTY 0.81, which uses a more secure method when generating keys.
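Since both this item and the XenCenter item above concern the PuTTY 0.68 to 0.80 flaw, here is one added example (not PuTTY’s code or the article’s) that parses the PPK header fields the report describes and lists reasons a key file should be replaced or re-saved. The sample file and its key lines are constructed placeholders, and the NIST P-521 detail in the review rule comes from the CVE-2024-31497 description rather than from the article.

```python
"""Parse the clear-text header of a PuTTY .ppk file (format version, key
algorithm, encryption method, comment, and the base64 blocks) and list reasons
a key should be replaced or re-saved. Added example, not PuTTY's or the
article's code; the sample file is constructed and its key lines are
placeholders, not real key material."""
import re
from typing import Dict, List

HEADER_RE = re.compile(r"^PuTTY-User-Key-File-(\d+): (\S+)$")

# Constructed sample: a version-2 PPK holding an unencrypted P-521 key.
SAMPLE_PPK = """\
PuTTY-User-Key-File-2: ecdsa-sha2-nistp521
Encryption: none
Comment: ecdsa-key-20220101 (constructed sample)
Public-Lines: 2
PLACEHOLDER-PUBLIC-LINE-1
PLACEHOLDER-PUBLIC-LINE-2
Private-Lines: 1
PLACEHOLDER-PRIVATE-LINE-1
Private-MAC: 0000000000000000000000000000000000000000
"""


def parse_ppk(text: str) -> Dict[str, object]:
    """Return the header fields keyed in snake_case ('encryption', 'comment',
    'private_mac', ...) plus 'version', 'algorithm', 'public_blob' and
    'private_blob'. Raises ValueError on a malformed or truncated file."""
    lines = text.splitlines()
    m = HEADER_RE.match(lines[0]) if lines else None
    if not m:
        raise ValueError("not a PPK file: missing PuTTY-User-Key-File header")
    info: Dict[str, object] = {"version": int(m.group(1)), "algorithm": m.group(2)}
    i = 1
    while i < len(lines):
        key, sep, value = lines[i].partition(": ")
        if not sep:
            raise ValueError(f"malformed header line {i + 1}: {lines[i]!r}")
        i += 1
        if key in ("Public-Lines", "Private-Lines"):
            # The count says how many base64 lines follow; honour it exactly
            count = int(value)
            block = lines[i:i + count]
            if len(block) != count:
                raise ValueError(f"{key} promises {count} lines, found {len(block)}")
            info[key.split("-")[0].lower() + "_blob"] = "".join(block)
            i += count
        else:
            info[key.lower().replace("-", "_")] = value
    return info


def review_key(info: Dict[str, object]) -> List[str]:
    """Reasons to act on a key file. The P-521 rule is this example's reading of
    CVE-2024-31497 (biased ECDSA nonces in PuTTY 0.68 to 0.80, fixed in 0.81,
    affecting ecdsa-sha2-nistp521 keys); the version and passphrase rules
    reflect the PPK format history, not anything stated in the article."""
    findings = []
    if info["algorithm"] == "ecdsa-sha2-nistp521":
        findings.append("NIST P-521 key: if it was ever used to sign with PuTTY "
                        "0.68-0.80, treat it as compromised and replace it")
    if int(info["version"]) < 3:
        findings.append(f"PPK version {info['version']}: re-save with PuTTY 0.75 "
                        "or later to get the Argon2 KDF and SHA-256 MAC")
    if info.get("encryption", "none") == "none":
        findings.append("private key is stored unencrypted; add a passphrase")
    return findings


if __name__ == "__main__":
    for finding in review_key(parse_ppk(SAMPLE_PPK)):
        print("-", finding)
```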
Researchers Hacked Apple Infrastructure
Apple’s Book Travel web portal had an SQL injection vulnerability that enabled hackers to break into Apple’s infrastructure.
They also zeroed in on a JSON API that exposed some of the portal’s functions, which made it easier to map the attack surface of the underlying Masa/Mura CMS.
By parsing CFM/CFC files, the researchers identified a critical SQL injection sink in the dspObjects function of the Mura servlet event handler.
Apple acted within two hours of the first report, and Masa CMS issued fixed versions. The Mura CMS team, however, ignored all of the researchers’ attempts to report the flaws in its product.
F5’s Next Central Manager Vulnerabilities
Researchers have discovered critical vulnerabilities in F5’s Next Central Manager that could allow attackers to gain full administrative control over the device and create hidden rogue accounts on any managed assets.
The vulnerabilities, tracked as “CVE-2024-21793” and “CVE-2024-26026,” enable unauthenticated OData and SQL injection attacks, leading to sensitive information leakage and unauthorized account creation.
F5 has acknowledged the issues and released fixes in software version 20.2.0, urging organizations to upgrade immediately.
Threats
New Malware Attacking Windows & MS Office Users
An advanced malware campaign is targeting Windows and Microsoft Office users through cracked software, spreading Remote Access Trojans (RATs) and coin miners that pose a serious threat.
The malware uses sophisticated persistence techniques that make it difficult to remove completely. Symantec has published indicators of compromise for the campaign to help detect and block its activity.
VMware Carbon Black products detect and block these malware variants under signatures such as ACM.Ps-Http!g2 and ACM.Ps-Masq!g1, underscoring the need for strong security measures.
FIN7 Hackers Abuse Sponsored Google Ads
The report points out that FIN7 abuses sponsored Google Ads to distribute MSIX payloads, a tactic that lets the group reach a wider audience faster.
The ads mislead users by injecting malicious links, which can lead to malware infections or phishing attempts.
The scheme was uncovered by eSentire’s Threat Response Unit, which found FIN7 using signed MSIX files disguised as browser extensions, delivered through sponsored Google Ads, to drop NetSupport RAT and DiceLoader.
This shows how threat actors keep changing their strategies to deceive unsuspecting users.
A vulnerability in F5 BIG-IP, a widely used application delivery controller (ADC), lets unauthenticated attackers bypass authentication on internet-exposed interfaces.
The vulnerability, tracked as CVE-2022-1388 with a CVSS score of 9.8, could be leveraged to execute arbitrary system commands, create or delete files, and disable services, giving the attacker full control over the compromised device.
Versions 16.1.x prior to 16.1.2.2, 15.1.x prior to 15.1.5.1, and 14.1.x prior to 14.1.4.6 are affected; the flaw impacts only the control plane, not the data plane. A cursory web search nevertheless shows about 2,500 such devices currently exposed online.
The FBI has warned that threat actors’ use of artificial intelligence (AI) is expanding, and it has also reported cases such as a CEO who admitted to violating the Bank Secrecy Act and a Russian national charged with running the LockBit ransomware operation.
In addition, tech support scams were the most frequently reported category in the FBI’s 2023 Elder Fraud Report, while investment scams proved the costliest. Individuals have also been convicted and sanctioned over multimillion-dollar fraud schemes, ransomware operations, and cyberstalking.
These cases demonstrate ongoing efforts to fight cybercrime and safeguard people and corporations from digital threats.
Morlock ransomware targets organizations; it is a significant threat that encrypts files and demands payment for decryption.
The report highlights the impact on organizations and the need for robust cybersecurity measures to prevent such attacks, emphasizing the importance of staying vigilant against evolving threats and keeping security protocols up to date.
It also sheds light on the tactics the threat actors use to infiltrate systems, which put data security and operational continuity at risk.
Identity of LockBit Ransomware Group Leader
The UK’s National Crime Agency (NCA) has made a significant breakthrough in its investigation of the notorious LockBit ransomware gang, identifying its leader, known online as “LockBitSupp,” as Dmitry Khoroshev.
The group’s operations involved over 91 million dollars in ransom payments and affected thousands of victims worldwide. The NCA’s Operation Cronos infiltrated LockBit and took control of its criminal enterprise, including its source code, decryption keys, and data from its servers.
To dig deeper into the activities of this organization and others tied to it, the NCA has started publishing daily reports on the dark web leak site formerly used by the threat actors.
The group’s attacks have hit sectors worldwide, causing huge financial losses and operational damage. Khoroshev has now been identified as the leader who ran one of the most devastating cybercrime operations in recent history.
HijackLoader Using Weaponized PNG Files
HijackLoader is a modular malware loader that has evolved with fresh evasion tricks, such as using PNG images to carry next-stage malware like Amadey and Raccoon Stealer.
It includes modules for UAC bypass, process creation, and anti-hooking, along with dynamic API resolution and blacklisting to avoid detection.
Researchers developed a Python script to extract configurations and modules from HijackLoader samples, illustrating the loader’s complexity and its ongoing development.
The report discusses the emergence of a new malware strain called “Cuckoo” targeting macOS users, exhibiting spyware and infostealer characteristics.
This malware, discovered in April 2024, targets both Intel and ARM-based Macs, extracting sensitive information through sophisticated tactics. To protect against such threats, users are advised to update software, use reputable anti-malware tools, and avoid downloading from untrusted sources.
The SocGholish malware targets businesses by showing fake browser update pop-ups on compromised websites.
It is known for its stealthy and elaborate delivery tricks that lead a visitor to download malicious content instead of a browser update.
SocGholish employs advanced evasion methods to bypass automated analysis systems; once evasion succeeds, the malware executes its payload. The script also contains examples of the URLs used in carrying out the attack.
Hackers Abuse Google Search Ads
Attackers are abusing Google Ads to distribute malware impersonating popular software products such as Grammarly and MSI Afterburner.
They clone the products’ official websites to distribute trojanized software such as Raccoon Stealer and IcedID.
While some impersonation ads have been removed, critics say Google has not policed its advertisers closely enough, allowing malicious campaigns to target unsuspecting users searching for genuine software.
Critical PDF.js & React-PDF Vulnerabilities
This report discusses the vulnerabilities and threats associated with PDF.js and React-PDF, examining the security issues that come with this technology and the dangers users may face.
The document likely indicates how these vulnerabilities can be exploited and their consequences for systems using PDF.js and React-PDF.
Understanding these risks is necessary for improving security measures and defending against possible cyber attacks.
Ivanti Pulse Secure Vulnerabilities
Many attackers are exploiting these flaws by implanting hidden or undetected malicious code. The “PhantomBlue” campaign, which uses social engineering and advanced evasion techniques to deploy NetSupport RAT via email, targets American organizations.
Russian hackers have likewise attacked political parties with phishing campaigns carrying malware payloads to disrupt their activities and spread disinformation.
Attackers are also buying Google search ads to deliver malware through MSI packages, marking a significant shift in cybercriminal tactics, techniques, and procedures.
Acquisition
CrowdStrike & NinjaOne Announce Partnership
The report discusses the partnership between CrowdStrike and NinjaOne, aiming to bridge gaps between IT and SOC teams. This collaboration focuses on enhancing endpoint management tasks through a unified RMM solution.
By automating, managing, and remediating endpoint tasks, NinjaOne provides full visibility of managed devices and correlation with other data sources like Active Directory and WLCs.
The integration with Nutanix Prism further simplifies workflows by fetching detailed information on running VMs and Hosts, contributing to streamlined operations in the security ecosystem.
Akamai to Acquire API Security Startup Noname
Akamai Technologies has announced plans to acquire API security company Noname for approximately $450 million. The acquisition aims to improve Akamai’s API Security solution, which provides comprehensive protection for customers in any environment.
Adding Noname, a leading API security vendor, will expand Akamai’s sales and marketing capacity and strengthen its market position. The transaction is expected to close by the end of the second quarter of 2024.
Updates
Google Simplifies Two-Factor Authentication Setup Process
Two-factor authentication (2FA) is a security process that requires users to present two different authentication factors to verify their identity, which strengthens security by adding a layer of protection beyond passwords.
It combines something the user knows, such as a password, with something they have, such as a security token, or something they are, such as a biometric factor.
2FA is crucial for safeguarding sensitive systems and data, making it harder for attackers to gain unauthorized access even if passwords are compromised.
Citrix NetScaler ADC & Gateway Flaw
In October 2023, two important security vulnerabilities affecting Citrix NetScaler ADC and NetScaler Gateway products were disclosed: “CVE-2023-4966” and “CVE-2023-4967.”
CVE-2023-4966 results in sensitive information disclosure, while CVE-2023-4967 leads to denial of service. Unprotected appliances are being exploited in the wild through CVE-2023-4966.
Citrix strongly advises customers to upgrade to patched versions promptly to avert any exploitation attempt. The CVSS scores for these vulnerabilities are 9.4 and 8.2 respectively, indicating high severity.
This report examines new variants of the Atomic macOS Stealer (AMOS) malware, which is designed to collect confidential information from compromised Macs.
These variants are distributed as trojans posing as cracked applications, with the aim of stealing passwords, cookies, and cryptocurrency wallets.
New AMOS variants such as “File Juicer” or “Debit & Credit” are designed to convince users that they are downloading something harmless.
To guard against these threats, users should install reliable antivirus software and avoid downloading from untrusted sources.