Cyber Security News Weekly Round-Up (Vulnerabilities, Threats & New Stories)
The weekly cybersecurity news round-up gives readers the latest information on emerging risks, vulnerabilities, ways to reduce them, and malicious schemes, so that defensive measures can be proactive.
A well-developed knowledge base is necessary for securing networks against the newest threats and vulnerabilities in a changing risk landscape.
Staying up to date with the latest trends, reports, and news is essential nowadays.
Cyber Attacks
CoralRaider Hackers Steal Data
XClient stealer and RotBot are two attack tools that Vietnamese threat actor CoralRaider uses to steal financial data, login credentials, and social media information from victims in Asian and Southeast Asian countries.
The group has been operational since 2023 and uses elaborate techniques, such as hard-coding Vietnamese vocabulary into its payloads.
The most recent campaign by this threat group involves using Windows shortcut files to distribute malware targeting South Korean, Bangladeshi, and Chinese nationals. This is a significant threat to individuals and businesses in the region.
Chinese Hackers Using AI Tools To Influence Upcoming Elections
The report concerns how Chinese hackers could use AI to influence elections. While it cites no specific instances, it cautions against this cyber risk.
AI can also be used to generate deepfake videos, manipulate social media sites, and carry out highly sophisticated cyber offences, which makes it a very powerful tool for influencing elections.
The report also stresses strengthening cybersecurity defenses against such threats, including improvements in detection and response capabilities.
It highlights the need to remain alert and proactive towards changing cyber risks, especially around elections and politics at large.
Threat Actors Deliver Malware Via YouTube Video
The report highlights a recent malware campaign in which Vidar, StealC, and Lumma Stealer information-stealing malware are disseminated via YouTube videos by hackers.
These videos, which pose as guides to obtaining free software or game upgrades, link to cracked video games and pirated software that compromise users when executed.
The campaign targets younger users who trust popular computer games and the credibility of YouTube. The report also notes the use of bots to boost the videos’ apparent authenticity, as well as the distribution of Lumma Stealer through Discord servers under the guise of game cheats.
AGENT TESLA Malware Targets Chrome & Firefox Login Credentials
The Agent Tesla malware targeted American and Australian entities through phishing emails carrying fake purchase orders designed to make the victims open malicious links.
Clicking the link downloaded an obfuscated Agent Tesla sample protected by Cassandra Protector, which then stole keystrokes and login credentials. The investigation identified two culprits: Bignosa, the main threat actor, and Gods, who used numerous servers for RDP connections and a large email database for their malware campaigns.
This campaign required several preparatory steps before the spam with malicious content was sent. Agent Tesla is highly adaptable malware that can use different attack vectors, such as email attachments, malicious URLs, and document-based intrusions, making it a major threat to organizations.
To stay safe from threats such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware, it is advisable to implement AI-powered email security solutions.
Recently, the Targus company became a victim of a cyberattack. This is one of a rising number of cyber threat cases; in the last year alone, the rate of malicious emails slipping through Secure Email Gateways (SEGs) has doubled.
Separately, ex-Google engineer Linwei Ding was arrested for stealing trade secrets, specifically those related to artificial intelligence (AI).
On data privacy, the Italian Data Protection Authority (DPA) has begun investigating OpenAI, the US tech company that recently unveiled a state-of-the-art AI model named ‘Sora.’
The SolarWinds cyberattack, which targeted the same US think tank three times and succeeded, remains a major concern, as analysts believe about 18,000 customers were affected by it. They say it was done by aligning clients in these sectors to develop a ransomware-as-a-service opportunity.
The Department of Justice (DOJ) will use traditional law enforcement tools against illicit crypto operations to bring down ransomware operators and threat actors.
The Qakbot botnet, which was taken down in 2023 during Operation Duck Hunt, has re-emerged with an altered DLL that uses the srtasks.exe process for persistence, ensuring its survival across machine restarts.
Qakbot is still propagated through phishing campaigns and often uses IRS-themed emails to target only a small number of users in the hospitality industry. The malware employs anti-analysis techniques, hides its components from detection by using a dropper and malicious DLL files, and manipulates Windows processes so that it can persist on the system.
According to recent findings from Morphisec Threat Labs’ cybersecurity analysts, hackers are currently using steganography to hide malware in PNG files. This technique evades detection by security systems and allows the malware to execute in memory.
Threat Analysis
Microsoft Two-Step Phishing Campaign
The Microsoft Two-Step Phishing Campaign targets LinkedIn users by sending them messages with a malicious link disguised as a legitimate OneDrive document link.
The attackers lure victims into clicking a URL that leads to a genuine OneDrive page hosting a Word document. The document contains malware and embeds another URL, which directs victims through a fake Cloudflare verification prompt to phishing web pages designed to steal Microsoft 365 credentials.
This campaign highlights how social media platforms like LinkedIn are increasingly becoming weak points due to publicly accessible information about their users, which can be used for phishing.
As this case shows, threat actors were able to compromise accounts with MFA enabled, since they can also bypass multifactor authentication (MFA) protection, as seen in a recent Microsoft 365 phishing campaign affecting over one hundred firms.
Vedalia APT Group Exploits Oversized LNK Files
Konni, or “The Vedalia APT Group”, has come up with a new way to install malware: oversized LNK files, indicating an evolution in its modes of operation. The method is intended to get past conventional security measures and compromise targeted systems.
These LNK files use double extensions that effectively hide the malicious .lnk extension, and they employ excessive whitespace to make it harder for security software and analysts to identify the malware’s command lines embedded in them.
The LNK files contain an embedded command-line script designed to search for and execute PowerShell commands. PowerShell’s legitimate system functions are used to locate, deploy, and unpack the hidden malicious files within.
This campaign highlights the changing landscape of cyber threats and reinforces the message that organizations and individuals need to maintain alertness, update their security solutions, and equip themselves with knowledge about these threats.
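As an added illustration of how a defender can triage shortcut files with the traits described above (this is example code written for this round-up, not a tool from the report or from any vendor), the script below checks a file for the ShellLink header, a double extension that hides the real .lnk suffix, an unusually large size for a shortcut, and long runs of whitespace padding around an embedded PowerShell or cmd command line. The size and padding thresholds and the sample bytes are assumptions constructed for the example, not real malware.

```python
"""Heuristic triage of suspicious Windows shortcut (.lnk) files.

Added example, not code from the original article. The sample file built
below is constructed and harmless; it only mimics the shape of the reported
samples (header, whitespace padding, an embedded command line).
"""
import re

# ShellLink header: HeaderSize (0x4C) followed by the LNK CLSID, little-endian.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
MAX_NORMAL_SIZE = 4096   # assumption: benign shortcuts are at most a few KB
MIN_PAD_RUN = 200        # assumption: a run of 200+ spaces is padding, not formatting


def has_double_extension(name):
    """True for names like 'report.pdf.lnk' where a real .lnk hides behind a decoy."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] == "lnk"


def is_lnk(data):
    return data.startswith(LNK_MAGIC)


def longest_whitespace_run(text):
    return max((len(r) for r in re.findall(r"[ \t]+", text)), default=0)


def embedded_commands(data):
    """Decode as UTF-16LE (how LNK StringData is stored) and pull out any
    powershell/cmd invocations, collapsing the padding for display."""
    text = data.decode("utf-16-le", errors="ignore")
    hits = re.findall(r"(?:powershell|cmd)[^\x00]*", text, flags=re.IGNORECASE)
    return [re.sub(r"\s{2,}", " ", h).strip() for h in hits]


def triage_lnk(name, data):
    """Return a verdict dict; two or more indicators make the file suspicious."""
    if not is_lnk(data):
        return {"suspicious": False, "reasons": ["not a ShellLink file"]}
    reasons = []
    if has_double_extension(name):
        reasons.append("double extension hides .lnk")
    if len(data) > MAX_NORMAL_SIZE:
        reasons.append(f"oversized shortcut ({len(data)} bytes)")
    run = longest_whitespace_run(data.decode("utf-16-le", errors="ignore"))
    if run >= MIN_PAD_RUN:
        reasons.append(f"whitespace padding run of {run}")
    cmds = embedded_commands(data)
    if cmds:
        reasons.append("embedded command: " + cmds[0][:60])
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


def build_constructed_sample():
    """Constructed bytes shaped like the reported samples: header, padding,
    a harmless PowerShell command, more padding. Not a real file."""
    cmd = "powershell -NoProfile -Command Get-Date"
    payload = (" " * 3000 + cmd + " " * 3000).encode("utf-16-le")
    return LNK_MAGIC + b"\x00" * 56 + payload


if __name__ == "__main__":
    print(triage_lnk("invoice.pdf.lnk", build_constructed_sample()))
```

The check deliberately does not parse the full ShellLink structure; it decodes the whole file as UTF-16LE and scans for command strings, which is enough to surface the padding trick and is robust to malformed headers. A full parser would be needed to recover the exact target path and argument fields.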
TA547 Hackers Launching AI-Powered Cyber Attacks
The TA547 hacker group’s escalating AI-powered cyber attacks deploying the Rhadamanthys malware pose a severe threat to German organizations.
These campaigns leverage advanced tactics like AI-generated PowerShell scripts and evasion techniques, potentially utilizing large language models.
This evolution of sophisticated, AI-driven attack strategies by threat actors highlights the urgent need for robust, advanced email security solutions capable of combating such complex, emerging threats.
Midnight Blizzard Email Hack Threatens Federal Agencies
In January 2024 it emerged that Microsoft had suffered a hack of its corporate email network, attributed to the Russian state-sponsored group Midnight Blizzard.
The group broke into an inactive test account and used it to access some of Microsoft’s official e-mail accounts, including those belonging to senior management as well as colleagues in cybersecurity, legal, and other departments.
They exfiltrated some emails together with attached documents, to be used in attempts at further intrusions into customer systems.
The hackers launched a password spray attack – a technique where they tried one password against multiple accounts – but there is no evidence that they accessed customer data, production systems, or proprietary source code.
The incident has raised concerns about national security implications, especially for federal organizations, prompting an emergency directive from CISA. Microsoft has attempted to reduce the risk by alerting all federal agencies affected by these breaches and issuing specific guidelines aimed at enhancing the security of their systems.
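The password spray technique mentioned above has a distinctive footprint in authentication logs: one source address failing against many different accounts in a short window, rather than many failures against one account. The script below is an added example of that detection logic, written for this round-up rather than taken from the report or from Microsoft; the log format and the log lines are constructed for the example.

```python
"""Password-spray detection over constructed authentication log lines.

Added example, not from the original article. A spray tries one password
against many accounts, so the signature is one source hitting many distinct
usernames with failures inside one window. Log format below is constructed:
"timestamp user source_ip result".
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-04-12T09:00:01 alice 203.0.113.7 FAIL
2024-04-12T09:00:03 bob 203.0.113.7 FAIL
2024-04-12T09:00:05 carol 203.0.113.7 FAIL
2024-04-12T09:00:06 dave 203.0.113.7 FAIL
2024-04-12T09:00:08 erin 203.0.113.7 FAIL
2024-04-12T09:00:09 frank 203.0.113.7 FAIL
2024-04-12T09:00:12 svc-test 203.0.113.7 SUCCESS
2024-04-12T09:01:00 alice 198.51.100.4 FAIL
2024-04-12T09:01:30 alice 198.51.100.4 FAIL
2024-04-12T09:02:00 alice 198.51.100.4 SUCCESS
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted targeted users} for each source whose failures
    cover at least `min_accounts` distinct users inside one sliding window.
    Thresholds are assumptions for the example; tune them to your tenant."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in sorted(events):
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    findings = {}
    for ip, fails in by_ip.items():
        best, start = set(), 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            findings[ip] = sorted(best)
    return findings


def successes_after_spray(events, findings):
    """Accounts that authenticated successfully from a spraying source:
    the ones to reset and investigate first."""
    return [(ip, user) for _, user, ip, result in events
            if ip in findings and result == "SUCCESS"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    spray = detect_password_spray(evs)
    print("spraying sources:", spray)
    print("successful logins from those sources:", successes_after_spray(evs, spray))
```

The second source in the sample (repeated failures for one user, then success) is a plausible mistyped password and is correctly left alone; a per-account lockout rule would catch that case while missing the spray, which is why both views are needed.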
Hackers Weaponize Suspended Domains
In an ongoing phishing campaign aimed at Latin America, threat actors have resorted to weaponizing suspended domains. They did this using free, temporary email addresses on the domain “temporary.link” together with a spoofed User-Agent field, in order to trick recipients into downloading malware.
The emails carry a potentially malicious URL that leads to a non-functional page, which redirects victims to a two-step verification process delivering a malicious RAR archive containing a PowerShell script designed to collect information from the victim’s machine.
The validity of the URLs used in this phishing attack is questionable, and the campaign underlines how dangerous dealing with suspicious emails or their attachments can be.
Fortinet Vulnerability Exploited
A Fortinet FortiClient EMS vulnerability (CVE-2023-48788) is a security hole that threat actors have exploited to plant unsanctioned RMM tools and a PowerShell backdoor on machines.
Fortinet fixed the critical vulnerability in March 2024. The exploitation involved an external IP connecting to the FCMdaemon process, resulting in the deployment of malicious tools.
It took the attackers only a few minutes to install the backdoors, highlighting how important it is to patch vulnerabilities immediately. To avoid a possible attack, users should upgrade from affected versions of FortiClient EMS.
Hackers Using Malware-Driven Scanning Attacks
Hackers are increasingly using malware-driven scanning attacks to target vulnerabilities in networks. By infecting devices with malware, attackers can scan target networks covertly, evade detection, and expand their botnets.
This method allows attackers to identify security flaws like open ports and software vulnerabilities, enabling unauthorized access and system disruption.
Recent scanning activities have shown a surge in targeting vulnerabilities, such as the MOVEit vulnerability (CVE-2023-34362), before it was publicly known, highlighting the growing threat of these sophisticated cyberattacks.
Hackers are actively targeting infrastructure teams with fake ads for PuTTY and FileZilla to distribute the “Nitrogen” malware. Despite reports to Google, the malicious ads persist, which has prompted detailed sharing of defense strategies.
The attackers use sophisticated malvertising tactics, including cloaking techniques and similar sites, to deceive users. The malicious ads redirect users to download trojanized software installers, posing a significant threat to system administrators.
Data Breach
Dublin’s iCabbi has suffered a data leak that exposed the personal information of nearly 300,000 taxi passengers in the UK and Ireland, including names, phone numbers, and email addresses.
Cybersecurity researcher Jeremiah Fowler disclosed the breach after coming across a passwordless database containing this sensitive information.
The exposed data also included a significant number of email addresses from various providers and private domains, together with contact details and user identifiers.
The incident underlines the need for strong cybersecurity at companies holding customers’ sensitive identity data.
The 2024 Sisense Data Breach was a breach of Sisense, a data analytics service provider, which resulted in the US Cybersecurity and Infrastructure Security Agency (CISA) urging its customers to reset their login details.
The incident affected Sisense’s AI and machine-learning oriented analytics platform, which is used by sectors such as healthcare, technology, manufacturing, and finance. It could have compromised users’ access keys as well as their passwords for Sisense services.
The hackers responsible were reportedly unidentified third parties who discovered it first, while Brian Krebs stated that “many millions of credentials” might have been exposed, indicating a massive personal data breach.
Sisense’s CISO has emailed users, while CISA advises anyone using Sisense to reset their credentials and look into any suspicious activity involving other credentials that may have been exposed or used to gain access to Sisense services.
The personally identifiable information of 7.5 million customers, including names, addresses, contact numbers, and e-mail IDs, was exposed in the boAt data breach.
The breach occurred when a hacker called ShopifyGUY broke into boAt Lifestyle’s database and dumped approximately 2 GB of data. The leaked data is said to be available on dark web forums at a low cost, which poses many risks to the affected individuals and raises questions about how securely the company keeps its information.
However, boAt Lifestyle has neither acknowledged nor addressed any of this. Security experts continue to insist on a transparent and proactive response from boAt, such as contacting all affected users, thoroughly investigating the scope of the breach, and revising security protocols to protect against future vulnerabilities.
AT&T has confirmed a major data breach affecting 51 million current and former customers that exposed personal information including social security numbers and email addresses.
The breach was detected in March 2024 but is believed to have begun in or before June 2019. AT&T assures those affected that it will notify them and that no personal financial information or call history was accessed.
Calls continue for the source of the breach to be identified and its impact reduced.
Vulnerability
AI-As-A-Service Providers Vulnerability
The report stresses the security dangers to which AI-as-a-Service providers are exposed, with specific reference to Hugging Face. Research by Wiz Research together with AI-as-a-Service companies found common security flaws that may put users’ private data and models at risk.
These vulnerabilities include the risk of shared inference infrastructure takeover through untrusted pickle-serialized models, and the risk of shared CI/CD takeover via malicious AI applications attacking the pipeline, enabling supply chain attacks in Hugging Face’s environment.
Without proper protection measures, these threats could cause cross-user breaches and enable access to millions of private AI models and apps within AI-as-a-Service providers.
The report strongly argues for robust security in AI/ML systems, with careful consideration of the potential attack vectors for each component, such as malicious input to models, insecure application code, and pickled models that expose inference infrastructure.
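The pickle risk above comes from a property of the format: a pickle stream can name any importable callable and have it invoked during load, so loading an untrusted model file is equivalent to running code from it. The following is an added example, not code from the report or from Hugging Face, showing the two defensive habits that follow: inspecting a pickle's opcodes to list the globals it would import before loading, and loading through an allow-list Unpickler (the pattern from the Python documentation) so that anything outside the expected model types is refused before it runs. The model format, the allow-list, and the constructed hostile object are assumptions made for the example.

```python
"""Allow-list unpickling for model files, with static inspection first.

Added example, not from the original report. Assumption: a legitimate
"model" here is a plain dict of lists of floats, so no globals beyond the
basic builtins should ever appear in the stream.
"""
import io
import pickle
import pickletools

ALLOWED_GLOBALS = {("builtins", "dict"), ("builtins", "list"), ("builtins", "float")}


class RestrictedUnpickler(pickle.Unpickler):
    """find_class is consulted for every GLOBAL/STACK_GLOBAL opcode; refusing
    here stops the import before any callable can be invoked."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused global {module}.{name}")


def list_globals(blob):
    """Static inspection: the (module, name) pairs the pickle would import,
    found by walking opcodes without executing anything."""
    strings, found = [], []
    for op, arg, _pos in pickletools.genops(blob):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "GLOBAL":            # protocols <= 3: "module name"
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":      # protocol 4+: two strings from the stack
            found.append((strings[-2], strings[-1]))
    return found


def load_model(blob):
    """Return ("ok", model) or ("refused", reason); plain pickle.load is
    never called on the untrusted bytes."""
    try:
        return "ok", RestrictedUnpickler(io.BytesIO(blob)).load()
    except pickle.UnpicklingError as exc:
        return "refused", str(exc)


class _Hostile:
    """Constructed stand-in for a booby-trapped model object: on a normal
    load, pickle would import builtins.print and call it. A real file could
    name anything importable; print is used here because it is harmless."""

    def __reduce__(self):
        return (print, ("this ran from inside pickle.load",))


GOOD_BLOB = pickle.dumps({"weights": [0.1, 0.2, 0.3]})   # constructed benign model
BAD_BLOB = pickle.dumps(_Hostile())                      # constructed hostile model

if __name__ == "__main__":
    print(list_globals(GOOD_BLOB), load_model(GOOD_BLOB))
    print(list_globals(BAD_BLOB), load_model(BAD_BLOB))
```

In practice the inspection step is what a hosting platform can run on upload without touching the file's contents, and the allow-list loader is what the inference side should use; a safer long-term answer is a data-only format such as safetensors, which has no code path at all.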
Multiple Cisco Small Business Routers Vulnerable
The report points out a serious vulnerability, CVE-2024-20362, in the Cisco Small Business RV Series Routers (RV016, RV042, RV042G, RV082, RV320 and RV325).
Unauthenticated remote attackers can exploit this vulnerability to carry out cross-site scripting (XSS) attacks, because the web-based management interface does not sufficiently validate input.
The vulnerability has a base score of 6.1 on the Common Vulnerability Scoring System, indicating a moderately severe impact.
It should be noted that Cisco has not released any software updates for the affected routers, as they have reached end-of-life. To mitigate the risk, users should disable remote management and block access to ports 443 and 60443.
Multiple CData Vulnerabilities
CData products that use an embedded Jetty server in Java, in versions below 23.4.8843, may be attacked through path traversal, potentially enabling unauthorized remote users to reach confidential information and possibly perform some limited system actions.
The root cause of these vulnerabilities is the way the embedded Jetty server and CData servlets handle incoming requests, which makes it possible for attackers to manipulate paths so as to reach unintended directories.
The Common Vulnerability Scoring System (CVSS) has assigned them high severity scores, showing that these vulnerabilities are indeed very serious.
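Path traversal of the kind described above is, at bottom, a request path being joined onto a document root without checking where the result lands. The following is an added example, not code from CData or from the advisory, contrasting the naive join with a check that canonicalises the path and confirms it still lies under the root; it also handles percent-encoded and backslash variants of the dot-dot sequence. The document root and the request list are constructed for the example.

```python
"""Path resolution that defeats traversal, beside the naive version.

Added example, not the vendor's code. DOC_ROOT and SAMPLE_REQUESTS are
constructed for the example.
"""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/srv/cdata/www"   # assumed document root


def resolve_naive(root, requested):
    """The pattern that goes wrong: join the request onto the root and trust it."""
    return posixpath.join(root, requested)


def resolve_within_root(root, requested):
    """Return the canonical path, or None if the request escapes `root`."""
    root = posixpath.normpath(root)
    # Decode twice so a double-encoded ".." (%252e%252e) is seen for what it is.
    # Assumption: this service never serves files whose names contain '%'.
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:                   # NUL truncation tricks
        return None
    decoded = decoded.replace("\\", "/")    # backslash separators on some stacks
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed requests: the first two are legitimate, the rest are traversal attempts.
SAMPLE_REQUESTS = [
    "docs/report.txt",
    "docs/../index.html",
    "../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "%252e%252e/%252e%252e/etc/passwd",
    "docs/..\\..\\..\\etc/passwd",
]


def audit(requests, root=DOC_ROOT):
    """Map each request to (naive result, checked result) for side-by-side review."""
    return {r: (resolve_naive(root, r), resolve_within_root(root, r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, checked) in audit(SAMPLE_REQUESTS).items():
        print(f"{req!r:40} naive={naive!r:45} checked={checked!r}")
```

The containment test is done on the normalised string rather than by looking for ".." in the input, which is the common mistake: a denylist of substrings misses encodings and separator variants, whereas normalising first and then checking the prefix is independent of how the traversal was spelled.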
The report indicates that Cisco IOS software for Catalyst 6000 series switches has a severe security vulnerability that could result in a denial of service (DoS). The vulnerability is tracked as CVE-2024-20276, has a base score of 7.4, and is triggered by improper handling of process-switched traffic.
Cisco IOS is the proprietary operating system that runs on Cisco Systems hardware such as routers, switches, and other network devices. An unauthenticated local attacker can use this vulnerability to send crafted traffic to a vulnerable device, forcing an unexpected reload.
Catalyst 6800 Series Switches with Supervisor Engine 2T or 6T and Catalyst 6500 Series Switches with Supervisor Engine 2T or 6T are affected.
A significant vulnerability (CVE-2024-28182) has been discovered in the HTTP/2 protocol, which is widely used for secure communications on the Internet. It could allow attackers to launch denial of service (DoS) attacks against web servers.
Internet security professionals are concerned about this vulnerability, which involves HTTP/2 implementations failing to cope with a large number of request-related headers; vendors have responded in different ways.
Entities such as The Go Programming Language and SUSE, among others, have listed affected packages; users of those packages should follow their vendor’s advice and apply the relevant patches or updates immediately to avoid possible attacks.
Around 92,000 D-Link NAS devices were affected by threat actors exploiting a serious vulnerability (CVE-2024-3273). It is a remote code execution vulnerability that puts devices at risk of data theft and malware downloads.
It is worth noting that the exploit follows a common shell script pattern used by botnet operators, showing the pressing need for cybersecurity alertness and prompt fixes to prevent potential attacks.
The Ahoi Attacks report describes a new threat against Confidential VMs (CVMs) that exploits malicious interrupts injected by a hypervisor.
Named after the pirate greeting “Ahoy,” these attacks aim to break the security of CVMs used for cloud-native confidential computing. Ahoi attacks exploit interrupt handling in CVMs, exposing vulnerabilities in Intel SGX, AMD SEV, Intel TDX, and ARM CCA technologies.
The analysis highlights the importance of protecting sensitive computations on public cloud platforms as well as the potential threat posed by these novel attack techniques.
The report shows how two new methods found in SharePoint allow attackers to bypass regular security measures and steal sensitive information without detection.
The first, the “Open in App Method,” uses the SharePoint feature that lets users open documents directly in their applications. This allows malicious actors to access and download files while leaving only an access event in the audit log.
The second method is based on changing the User-Agent string to that of Microsoft SkyDriveSync, now called OneDrive. This helps them systematically move data out of an organization unnoticed. Following this discovery, Varonis researchers disclosed these vulnerabilities to Microsoft as “medium” security threats.
Fortra For Windows Vulnerability
A significant flaw in versions of Fortra for Windows before 3.04 allowed low-privileged users to execute malicious code by replacing the service executable with a malicious one.
The bug, tracked as CVE-2024-0259, lets attackers execute arbitrary code with system privileges, which could compromise the security of the system. The problem was resolved on March 20th, 2024 with the release of version 3.04.
System administrators are recommended to update all affected agents to at least version 3.04 as soon as possible, as this will reduce the risks of unauthorized access and privilege escalation.
Palo Alto RCE Zero-Day Vulnerability
An important zero-day vulnerability, CVE-2024-3400, has been discovered in the PAN-OS operating system used by Palo Alto Networks’ GlobalProtect Gateway. This remote code execution (RCE) vulnerability has been observed being exploited in the wild, where attackers can run arbitrary OS commands on affected systems.
The impact on users is significant, since it could allow unauthorized access, data theft, control of affected systems, system compromise, and disruption of operations. The flaw falls under CWE-77, improper neutralization of special elements used in a command (Command Injection).
Palo Alto Networks moved fast and announced hotfix releases for the supported PAN-OS versions, expected to be available by April 14th. Organizations should apply these updates as soon as they are available to minimize the risks associated with this vulnerability.
Bitdefender Labs discovered critical security vulnerabilities in over 90,000 LG smart TVs using WebOS, potentially allowing unauthorized access to the TV and home network.
The flaws arise from improper authentication mechanisms, enabling attackers to bypass security measures.
LG has been working on a patch to address these vulnerabilities, which highlights the importance of ensuring devices receive automatic updates so that the security fix is applied once released.
Several active release lines of Node.js on Windows are affected by a serious flaw. It poses a grave threat to Node.js-based applications and services, as it enables attackers to execute arbitrary commands on affected systems.
The issue originates in the child_process.spawn and child_process.spawnSync functions on Windows, which can be made to run a command through a shell even when the shell option is turned off. All users of the 18.x, 20.x, or 21.x release lines of Node.js are at risk.
The Node.js project has patched the affected versions. Those running Node.js applications on Windows should upgrade now, review their security measures, and keep up with new updates and security advisories.
Critical Bitdefender Vulnerabilities
The Bitdefender vulnerabilities report indicates that Bitdefender’s GravityZone Update Server, Endpoint Security for Linux, and Endpoint Security for Windows have critical security flaws. The most serious is CVE-2024-2224, which allows attackers to elevate their privileges on affected systems.
These vulnerabilities allow attackers to gain control of systems through exploitation of server-side request forgery (SSRF), and may enable disruption of update delivery or malicious network injection.
To prevent these dangers, users are recommended to upgrade to the patched versions: Bitdefender Endpoint Security for Linux version 7.0.5.200090, Endpoint Security for Windows version 7.9.9.381, and GravityZone Control Center (On-Premises) version 6.36.1-1.
Palo Alto Networks PAN-OS Zero-day
Palo Alto Networks has disclosed a critical zero-day vulnerability in the GlobalProtect Gateway, tracked as “CVE-2024-3400”. This command injection flaw lets threat actors run arbitrary OS commands without authentication, posing serious risks to affected systems.
The vulnerability is being actively exploited by threat actors implanting a Python backdoor on firewalls. The U.S. Cybersecurity and Infrastructure Security Agency added the bug to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply patches by April 19.
Palo Alto Networks intends to fix the problem no later than April 14th. The vendor has specified which PAN-OS software versions are affected and expects hotfixes for those versions by April 14th.
New Stories
To simplify the complex nature of serverless application development, Cloudflare has recently acquired Baselime. This is a big step forward for the company as it works towards a more user-friendly and faster cloud computing platform, drawing on the practices Baselime uses to address distributed systems.
Integrating this core functionality into Cloudflare’s ecosystem will simplify rapid development. As part of their roadmap, they will also offer advanced AI features, direct codebase connections, and better observability for large language models.
Notepad++ Seeks Help Against Parasite Site
The developers of Notepad++ have asked users for help in taking down a misleading website, notepad.plus, which pretends to be an official source for downloading the software. Some users were left wondering whether the site is even legitimate.
In fact, it is loaded with misleading adverts designed to get people to click on them, compromising their own online safety.
Such a site also diverts traffic from Notepad++’s legitimate website, damaging community security and trust. To have it removed from the web as harmful, people need to report it consistently.
April’s Patch Tuesday delivered one of the biggest security updates in Microsoft’s history: 149 bugs were fixed, including vulnerabilities in Office, SQL Server, and the Windows OS, with Azure accounting for nine CVEs.
It is worth noting that there were three critical issues, 142 important issues, three moderate issues, and one low-severity issue; the most important was a zero-day vulnerability exploited in the wild, which makes it crucial to install the cumulative update immediately to prevent any security breaches.
Over 90,000 LG WebOS TVs were found to be affected by serious flaws uncovered by Bitdefender. The vulnerabilities, tracked as CVE-2023-6317 to CVE-2023-6320, allow unauthorized root access, compromising privacy and security.
Attackers could simply bypass authorization, acquire root privileges, and then issue arbitrary commands that would compromise victims’ devices. The objective of Bitdefender’s research is to improve IoT security, and users are urged to update their LG TVs to mitigate these severe threats.
DuckDuckGo Launches Privacy Pro
DuckDuckGo, a search engine built on privacy principles, has recently introduced Privacy Pro, an all-inclusive subscription service that boosts users’ privacy across the web. The service bundles a VPN with additional privacy features built into DuckDuckGo’s existing browser.
The VPN can be enabled with a single click and is available on all devices. The service also actively seeks out subscribers’ personal information held on data brokers’ platforms.
This new offering shows DuckDuckGo’s commitment to user privacy: it keeps no logs of users’ virtual private network (VPN) activity and does not associate that activity with their real names or with anything else they do on DuckDuckGo.
Google Adds V8 Sandbox in Chrome
Chrome has introduced a new security feature called the V8 Sandbox, meant to combat memory corruption vulnerabilities. This lightweight, in-process sandbox for the V8 JavaScript engine confines code execution to a specified range of the process’s virtual address space, keeping it apart from the rest of the process.
The main reason for implementing a sandbox of this kind is that many bugs in V8 can be exploited for powerful and reliable attacks that cannot be mitigated by memory-safe languages or by future hardware-assisted safety mechanisms like MTE or CFI.
To address this, the sandbox is designed so that memory corruption does not affect other parts of the process’s memory. From Chrome version 123 onwards it is activated by default on Android, ChromeOS, Linux, macOS, and Windows.