Cyber Security News Weekly Round-Up May
To strengthen organizational protections, one must stay up to date with the constantly evolving nature of cybersecurity.
Such a weekly recap of cyber-security news is essential, as it can provide insight into newly emerging threats, vulnerabilities, data breaches, and countermeasures.
Mitigating risks promptly and securing critical assets against the latest attack vectors and cyber risks requires situational awareness in this dynamic threat landscape.
Threats
Hackers Weaponizing Microsoft Access Documents
Microsoft Access documents that have been hacked are used to run malicious programs causing loss of files, data thefts, and other related issues.
Recent incidents involve emails with ZIP archives that contain EXE files as well as ACCDB documents which have macros contacting PowerShell commands to download RMS or TALESHOT malware.
UAC-0006, a financially driven group targeted Ukraine using ZIP and RAR attachments in order to spread SMOKELOADER malware.
CERT-UA has observed the activities of this group and launched campaigns for the dissemination of SMOKELOADER malware. Company managers are consequently advised to urgently scale up security measures against such attacks.
Storm-0539’s Aggressive Gift Card Theft
The report highlighted by Microsoft shows the group of hackers, Storm-0539 (aka Atlas Lion), who have significantly increased their campaigns on the theft of gift cards majorly targeting organizations that produce gift cards.
Storm-0539 is a financially motivated Moroccan threat group that uses advanced methods like thorough reconnaissance and custom crafted phishing messages to conduct its gift card fraud.
Their modus operandi was similar to the state-sponsored hackers and they used cloud environments to create new gift cards which they sold on dark web markets or in stores for which they received payment.
To fight against cyber threats from Storm-0539, Microsoft suggests measures such as constant surveillance, conditional access policies, and employment of FIDO2 security keys.
The report talks about a computer security threat with the Kinsing malware that targets Apache Tomcat servers through vulnerabilities.
A campaign was identified where misconfigured Tomcat servers were used to distribute botnet malware and cryptocurrency miners.
The attack includes deploying a web shell script that enables remote command execution on compromised servers.
Recommendations include correctly configuring environments, scanning regularly for threats, and utilizing native cloud tools for securing. This highlights the growing threat of cryptojacking as well as stressing on how important is proactive cybersecurity.
The Chinese intelligence-backed hackers are known for their sophistication in the attack on the United Kingdom’s Ministry of Defence systems, which led to exposure of military personnel’s personal details.
This cyber attack targeted a contractor’s IT system that holds sensitive data. No such evidence was found on data exfiltration but only as a preventive measure.
The UK Defense Secretary is expected to talk about it and blame a hostile country, probably China.
Different bodies are involved in probing into this breach to underscore the need for cybersecurity watchdogs and provide assistance to servicemen affected.
A case of malware affecting MacOS is being addressed by cybersecurity researchers on the Python Package Index (PyPI) and NPM.
Some of these include “reallydonothing,” “jupyter-calendar-extension,” “calendar-extender,” “ReportGenPub”and “Auto-Scrubber” which specifically target MacOs by searching for files in standard directories such as /Users/Shared and /Library/Application Support.
These malicious software packages overwrite commands, execute OS commands, and demonstrate other suspicious characteristics that led to rules in the GuardDog tool. This program was designed to scan PyPI, NPM for any signs of malware.
As part of a wider push by security experts to interpret and mitigate malicious software packages within open-source repositories, it aims at safeguarding developers using open source programs better while providing valuable information about the ecosystem to researchers.
HTML That Masquerade As PDF Viewer Login Pages
There is a warning in the report about a high-level phishing method where HTML pages are used to look like PDF viewer login pages, to mislead people into disclosing their personal details.
This approach forms part of developing phishing attacks that try to deceive individuals into giving out confidential information.
These deceitful emails which impersonate PDF viewer login pages, are aimed at making innocent victims enter their credentials into them consequently they pose a major risk to online security.
Hackers Backdoored Courtroom Video Recording Software
At some point, hackers hacked malware into the official JAVS Viewer software installer that is used in thousands of courtrooms across the world.
On their website, there was a backdoored installer (version 8.3.7) which ran from February to May 2024 before being deleted. The malware helped in stealing sensitive data for its creators and could have established persistence on the network.
Affected devices have to be re-imaged, credentials reset and users should upgrade to a non-infected version of JVAS viewer as measures to mitigate this risk.
The attack originated from a supply chain compromise in which the real installer was substituted with a malicious one that was signed by an unauthorized certificate.
Ransomhub Attacking Industrial Control Systems
Critical security risks to industrial control systems (ICS) can be seen in RansomHub which is a new ransomware group that has targeted the SCADA system of a Spanish bioenergy plant, Matadero de Gijon.
The development indicates that RansomHub can encode and take away data from ICS environments. Previously, ALPHV/BlackCat ransomware group carried out an infamous cyber attack on Change Healthcare, a large healthcare payment processor.
After emerging following the occurrence at Change Healthcare, RansomHub is actively hiring former ALPHV members and has admitted responsibility for the attack on Matadero de Gijon.
Chinese Hackers Using ORB Proxy Networks
Operational relay box networks (ORBs) have been adopted by the Chinese cyber espionage groups in order to evade detection and make their activities more complicated.
It is a combination of leased virtual private servers, SOHO devices that were used or at the end of their lives, IoT equipment, and many others just like botnets.
This allows attackers to expand their ORB effortlessly, resulting in a dynamic mesh network that can be utilized for hiding spy activities.
The structures are often changed within 31 days making it difficult for defenders to trace where an attack came from as the source could be different every time. The increased use of ORBs by Chinese state-sponsored hackers complicates matters further for enterprise defense.
Sharp Dragon Hackers Attacking Government Entities
Sharp Dragon (formerly Sharp Panda), the Chinese Advanced Persistent Threat (APT) group has significantly expanded its operations into governmental organizations in Africa and the Caribbean.
Since November 2023, they have been using spear-phishing campaigns to target Africans and then in January 2024, compromised email infrastructure was used by them to attack multiple regional governments in the Caribbean.
The new infection chain of Sharp Dragon shows that target selection is more careful and the OPSEC knowledge has improved.
Command-and-control (C&C) servers based on dedicated servers have been abandoned in favor of compromised servers, while CVE-2023-0669 vulnerabilities were exploited by this cyber actor group on the GoAnywhere platform for pre-authentication command injection.
Sharp Dragon’s strategic shift is indicative of a broader effort by these Chinese cyber actors to increase their footprint and influence in this region, and this shows how Chinese cyber threats are evolving.
Ransomware Attacks Targeting VMware ESXi Infrastructure
VMware ESXi infrastructure is now being targeted by groups that use ransomware such as LockBit, HelloKitty, and BlackCat which are utilizing a new pattern of attack that involves the exfiltration of data before the systems are encrypted.
These threat actors take advantage of vulnerabilities and misconfigurations to hack into systems, gain more privileges, and scan for important information.
Once in, they turn off virtual machines and encrypt the folder ‘/vmfs/volumes’ which causes maximum disruption and makes it hard for victims to recover.
To stop these disastrous attacks organizations must adopt a defense-in-depth strategy involving timely patching, strong access controls, network segmentation, and robust incident response plans.
The GHOSTENGINE malware of the REF4578 cryptojacking campaign takes advantage of vulnerable drivers in order to disable EDR (Endpoint Detection and Response) agents and consequently make the installation of a cryptocurrency miner successful.
This highly advanced attack employs PowerShell scripts, downloads other payloads from a command-and-control server, and creates scheduled tasks for running malicious components.
Malware objectives typically include disabling security processes, erasing event logs, and making sure there is enough room for files downloaded.
The campaign demonstrates a strong complexity in maintaining persistence and avoiding detection, which poses a major threat to the cybersecurity of the organizations involved.
Letmeowin Harvest Credentials From Windows Systems
Researchers have done a study about the “LetMeOwn” tool for credential abuse, which is being used by threat actors to steal account names and passwords.
The tool uses operating systems’ vulnerabilities to evade authentication controls and get into unauthorized computers. LetMeOwn is openly available and fairly user-friendly consequently it is frequently selected by hackers.
According to the report, such credential abuse remains a dangerous practice since 45% of all data breaches in the past year started with an attempt of this kind.
To help prevent credential abuse, measures such as multi-factor authentication and strong password policies are suggested.
Vulnerabilities
DNSBomb is a pulsing denial of service (PDOS) attack that manipulates DNS query rate limits, timeouts, and response size settings to generate timed response floods.
It introduces response amplification by using specially crafted zones on the authority to give huge answers. Consequently, BIND 9 is immune from DNSBomb as it comes with some default settings that narrow down the extent of the attack.
The effectiveness of this attack can be mitigated further by configuring rate limits such as max-clients-per-query, recursive-clients, clients-per-query, and responses-per-second.
Recursive-clients limit restricts the amplification factor for this attack consequently making it less efficient in real life circumstances.
Apple’s Wi-Fi Positioning Abuse
Apple’s Wi-Fi Positioning System (WPS) is a major privacy vulnerability that allows anyone to track the locations of Wi-Fi access points and their owners worldwide, according to researchers from the University of Maryland.
As per the researchers, Apple’s WPS can be exploited by repeatedly probing the service with BSSIDs derived from IEEE’s public database of Organizationally Unique Identifiers (OUIs) assigned to device manufacturers.
During a year, over 2 billion BSSIDs located on every continent were precisely obtained by the research team. The significance of privacy is that this data can be used longitudinally to show how devices move as they connect to different Wi-Fi networks.
The owner of these devices may be traced through an attacker locating many others like travel routers since most APs are stationary.
A critical vulnerability, CVE-2024-36052, in WinRAR versions prior to 7.00 allows attackers to manipulate displayed file names using ANSI escape sequences which potentially trick users into running malicious files.
When a specially crafted ZIP archive with ANSI escape sequences in a file name is extracted, WinRAR fails to handle them correctly which leads to the execution of hidden malicious scripts.
This flaw affects WinRAR on Windows and highlights the importance of immediate system protection for users.
Critical Git RCE Vulnerability
A critical vulnerability in Git, CVE-2024-32002, has been found, which will permit remote code execution during repository cloning with submodules.
The publication of exploits that demonstrate exploitability (PoC) is causing anxiety in the cybersecurity community. To reduce this risk it is recommended that users do not clone from untrusted sources and that symbolic link support be disabled in Git.
For enhanced security purposes, consequently, patches have been released by Git to fix this vulnerability highlighting the significance of updating to the most recent versions as soon as possible.
External researchers have discovered 6 security bugs in this Chrome version (125.0.6422.76) which are now fixed by Google via a crucial security update.
The latest release is intended to correct high-severity issues on the Windows, Mac, and Linux operating systems.
Some of the main high-severity bug fixes were the use-after-free vulnerability in Scheduling, type confusion in V8, and the heap buffer overflow in ANGLE that may allow for remote code execution.
Chrome users should upgrade their browsers and restart them so that they can implement these new security measures completely.
Ivanti Endpoint Manager SQL Injection Flaw
Multiple critical SQL injection vulnerabilities have been discovered in Ivanti Endpoint Manager (EPM) that could allow unauthenticated attackers to execute arbitrary code on affected systems.
The vulnerabilities, which range in severity from 8.4 (High) to 9.6 (Critical), were found in the Core server of Ivanti EPM 2022 SU5 and prior versions.
Exploiting these flaws could enable attackers to carry out unauthorized actions such as Denial of Service attacks and remote code execution.
Veeam Enterprise Backup Manager Flaw
To address several dangerous vulnerabilities such as CVE-2024-29849 which enables anyone to access the Veeam Backup Enterprise Manager web interface without authentication, a well-known enterprise backup software called Veeam Backup and Replication has launched a security update.
For example, other examples of high-severity bugs include CVE-2024-29850 which allows NTLM relay for account takeover, and CVE-2024-29851 which permits service account’s NTLM hashes theft.
The resolution to these issues is getting an upgrade to version 12.1.2.172 from Veeam as it rates at 9.8 out of 10 concerning their criticality level.
Due to rising geopolitical issues and cyber threats all over the world, Rockwell Automation has advised its clients to disconnect devices from the internet.
The firm underscores the necessity of identifying assets that face the internet so that they can be disconnected, consequently minimizing the risk of cyber-attacks.
In order to improve cybersecurity defense mechanisms against potential threats, Rockwell Automation recommends applying security best practices as per their guidelines.
Critical VMware Vulnerabilities
Critical vulnerabilities have been fixed by VMware in its ESXi, Workstation, Cloud Foundation, and Fusion products recently, which could lead to the execution of malicious code within virtual machines consequently posing an immense security risk worldwide.
One of the identified vulnerabilities is an out-of-bounds read and write issue affecting storage controllers while another affects the VMware vCenter Server allowing partial file reads.
For users to address these vulnerabilities and protect their systems with the latest security measures in place, it is important that they apply the required patches.
Critical Unauthenticated RCE Vulnerability in Fortinet FortiSIEM
Fortinet FortiSIEM, discovered by Horizon3.ai analysts, had an unauthenticated critical remote code execution vulnerability that is known as CVE-2023-34992 with a CVSS score of 10.0.
An exploit of insufficient sanitization of user input within the doPost method of LicenseUploadServlet makes it possible for remote attackers to execute arbitrary commands.
The issue has been addressed by Fortinet through the release of patches for versions 7.0.3, 7.1.3, and 6.7.9 that are recommended for immediate installation.
Moreover, organizations must limit entrance to the management interface, do periodic system configuration audits, and review logs against anomalous activity to reduce such risks.
JavaScript execution Vulnerability in PDF.js
Mozilla has found a critical flaw, CVE-2024-4367, in PDF.js which is a widely used JavaScript-based PDF viewer it maintains.
This threat allows attackers to perform any type of arbitrary JavaScript code when opening a maliciously crafted PDF file that affects all Firefox users below version 126 and many web and Electron-based apps using PDF.js for their PDF preview functionalities.
The vulnerability originates from an oversight in the font rendering code of PDF.js, through this, an attacker can manipulate the commands going into the Function body and insert or execute arbitrary code by manipulating the fontMatrix array specified in the PDF metadata.
Proof-of-concept showing how this vulnerability can be exploited has been released.
Other Stories
NSA Releases Guidance On Zero Trust Maturity
The NSA has explained the seven central points of the Zero Trust framework, including such things as user experience, devices, networks, data, applications, automation, and visibility.
Enhancing network security is suggested by them through capability that emulates advanced maturity models. These recommendations concentrate on the restriction of lateral traffic within networks as well as reinforcing internal controls and resisting threats using Zero Trust principles.
Moreover, the NSA has developed its top ten best practices for cloud environments which cover cloud security and identity management among others like key management, network segmentation, and data protection to ensure proper safekeeping of cloud environments.
Japan To Launch Active Cyber Defense System
A consultant body is being formed by Japan for an active cyber defense system that can help them counter cyber attacks on important national infrastructure.
The government will partner with the railway, power, and telecoms sectors in order to exchange information on cyber threats and possible remedies including foreign incidents of cybercrime.
Intelligence analysis and coordinated defensive measures will be based on a newly formed central command. This joint venture seeks to increase active security mechanisms through enforcing staff security clearances.
LastPass has announced that it will encrypt URLs within its password vaults to enhance security and protect customer data.
This development is part of LastPass’s ongoing mission to maintain a seamless user experience while improving its zero-knowledge architecture.
The rollout of URL encryption will occur in two phases, with the first phase expected to be completed in June 2024.
During this phase, LastPass will automatically encrypt the primary URL fields of existing accounts and any new or edited accounts.
The second phase, is anticipated to be completed in the latter half of 2024 which will focus on additional URL-matching functionalities.
Zoom Announces Post-Quantum End-to-End Encryption
Zoom has announced the inclusion of quantum-resistant end-to-end encryption (E2EE) in its video conferencing platform, beginning with Zoom Meetings.
This new security feature uses sophisticated algorithms and protocols to safeguard user data against future potential threats from powerful quantum computers.
E2EE has been increasingly adopted by customers since it was launched in 2020, which shows that having a secure platform is essential.
Quantum post E2EE will be gradually added as a choice for users looking for maximum safety and subsequently developed much more extensively over the next several months as Zoom refines its execution.