ConnectWise zero-day exploited to deploy LockBit ransomware, AsyncRAT, infostealers

US-based software company ConnectWise has released security updates to address two vulnerabilities in its SmartConnect remote access tool, one of which is under active exploitation. The zero-day flaw in question (CVE-2024-1709) is described as an authentication bypass issue, which can allow a remote non-authenticated attacker can bypass the authentication process and gain full access to the system. The vulnerabilities affect ScreenConnect 23.9.7 and prior.

According to a nonprofit security organization ShadowServer, CVE-2024-1709 is now widely exploited in the wild, with 643 IPs currently targeting vulnerable servers. The organization said it identified over 8,200 exposed instances.

Cybersecurity firm Sophos reported that it observed several LockBit attacks, apparently after exploitation of the recent ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708, CVE-2024-1709). The team said they have also seen the ScreenConnect vulnerability being abused to deploy AsyncRAT, infostealing malware, and SimpleHelp remote access client. It appears that despite LockBit’s takedown (full coverage on the topic below), some affiliates are still active and conducting attacks.

LockBit ransomware operation dismantled by a global police effort

A major multinational police effort codenamed 'Operation Cronos' has successfully disrupted the infamous LockBit ransomware operation, which has caused significant financial losses totaling billions of euros.

The operation led to the arrest of several alleged LockBit affiliates in Ukraine and Poland. Additionally, 34 LockBit servers were seized, and more than 14,000 online and web hosting accounts associated with previous LockBit attacks were identified and shut down. Furthermore, authorities took control of over 200 cryptocurrency accounts linked to LockBit.

The UK's National Crime Agency (NCA) took the lead in the operation, seizing LockBit's infrastructure, including its leak site used for publishing stolen data from ransomware victims. Moreover, over 1,000 decryption keys were obtained, enabling law enforcement to develop a decryption tool accessible through Europol’s “NoMoreRansom” platform.

In parallel, US authorities unsealed an indictment against two Russian nationals, Artur Sungatov and Ivan Kondratyev, also known as Bassterlord, for their alleged involvement in deploying LockBit ransomware against multiple victims. Kondratyev faces additional charges related to operating the REvil/Sodinikibi ransomware. Both individuals have been sanctioned by the US Department of Treasury's Office of Foreign Assets Control.

Furthermore, the US State Department has offered rewards of up to $10 million for information leading to the capture of LockBit’s leaders and up to $5 million for tips leading to the arrest and/or conviction of LockBit’s affiliates.

According to Trend Micro, LockBit was working on a new version of the malware dubbed ‘LockBit-NG-Dev’ (NG for Next Generation) likely to be released as LockBit 4.0. LockBit-NG-Dev is written in .NET and compiled using CoreRT. Currently, it has fewer capabilities compared to v2 (Red) and v3 (Black), but it is still under development, meaning new capabilities are likely to be added in the future.

The new version lacks the self-propagating mechanism and the ability to print ransom notes via the user’s printers, and the execution now has a validity period by checking the current date, likely to help the operators assert control over affiliate use and make it harder for automated analysis systems by security companies.

Over 28K Exchange servers found to be vulnerable to recent MS Exchange zero-day

Some 28,500 Microsoft Exchange servers are exposed to hacker attacks leveraging a recently disclosed zero-day vulnerability affecting MS Exchange Server.

The zero-day flaw in question (CVE-2024-21410) is a privilege escalation issue in Microsoft Exchange Server that can be exploited by a remote attacker to target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf.

The flaw affects Microsoft Exchange Server versions 2016 CU22 Nov22SU 15.01.2375.037 through 2019 RTM Mar21SU 15.02.0221.018.

VMware urges admins to uninstall a vulnerable authentication plugin

VMware has strongly recommended system administrators uninstall a deprecated authentication plugin due to two critical security vulnerabilities posing risks to Windows environments. The two vulnerabilities, tracked as CVE-2024-22245 and CVE-2024-22250, enable threat actors to execute authentication relay and session hijack attacks.

Malicious actors can exploit CVE-2024-22245 to trick users with EAP installed in their web browsers into requesting and relaying service tickets for arbitrary Active Directory Service Principal Names (SPNs). Moreover, CVE-2024-22250 allows attackers with unprivileged local access to Windows operating systems to hijack privileged EAP sessions initiated by privileged domain users on the same system.

New WiFi authentication bugs affect Android, Linux, ChromeOS devices

Security researchers uncovered two authentication bypass vulnerabilities within open-source WiFi software that enable attackers to deceive victims into connecting to malicious clones of trusted networks and intercept traffic. Furthermore, threat actors can infiltrate ostensibly secure networks without requiring a password. The affected software includes wpa_supplicant and Intel’s iNet Wireless Daemon (IWD) open-source wireless network management software. Specifically, CVE-2023-52160 affects all Android devices and Linux distributions utilizing the default WiFi client, as well as ChromeOS devices. CVE-2023-52161 impacts the package managers of various Linux distributions.

Details on Apple’s Shortcuts zero-click vulnerability released

Bitdefender released an in-depth analysis of a now-patched high-severity bug (CVE-2024-23204) in Apple's Shortcuts app that could permit a shortcut to access sensitive information on the device without users' consent.

In related news, Apple has announced a new post-quantum cryptographic protocol called PQ3 for iMessage. The protocol will start rolling out with public releases of iOS 17.4, iPadOS 17.4, macOS 14.4, and watchOS 10.4, and is already included in developer preview and beta releases.

Signal will let users share usernames instead of phone numbers

Instant messaging app Signal introduced a new feature that will allow users to create a unique username (not to be mistaken with the profile name that’s displayed in chats) to initiate contact on Signal without sharing their phone number. Additionally, Signal says the users’ phone numbers will no longer be visible to everyone by default.

Operator of Raccoon Malware-as-a-Service extradited to the US

Mark Sokolovsky, a 28-year-old Ukrainian citizen, has been extradited from the Netherlands to the United States to face charges related to a cybercrime operation involving the infamous Raccoon Infostealer malware. Sokolovsky was charged in the US with fraud, money laundering, and aggravated identity theft.

Sokolovsky was arrested in March 2022 in Denmark. His arrest coincided with a joint effort by law enforcement agencies to dismantle the digital infrastructure behind the Raccoon Infostealer. Sokolovsky made his initial court appearance on February 9, 2024, and remains in custody awaiting trial.

Hacker arrested in Ukraine for stealing personal data of Americans and Canadians

Ukrainian police have apprehended a hacker who used malicious software to steal the personal data of residents of Canada and the United States. According to the police, a 31-year-old resident of Vinnytsia created malicious software to steal personal data from the Android operating system. The perpetrator then used the obtained information to hack into Google accounts. According to preliminary data, he earned at least 3.5 million (~$92,000) hryvnias through cybercriminal activity.

Threat actors are abusing open-source tool SSH-Snake for network attacks

The Sysdig Threat Research Team (TRT) said it discovered the malicious use of a new network mapping tool called SSH-Snake. It is a self-modifying worm that leverages SSH credentials discovered on a compromised system to start spreading itself throughout the network. The worm automatically searches through known credential locations and shell history files to determine its next move. SSH-Snake is actively being used by threat actors in offensive operations.

Russian cyberspies target military and govt RoundCube mail servers in Ukraine, Georgia and Poland

A Russia-linked state-backed threat actor has been abusing an XSS vulnerability in the popular RoundCube webmail software in a cyberespionage campaign targeting government, military, and national infrastructure-related entities across Europe, including Ukraine, Poland and Georgia.

According to a report from Recorded Future’s Insikt Group, the threat actor it tracks as TAG (Threat Activity Group)-70 (aka Winter Vivern, TA473 and UAC-0114), has targeted over 80 organizations since October 2023. Additionally, TAG-70 targeted Uzbekistan’s government mail servers and Iran’s embassies in Russia and the Netherlands as part of this campaign.

Mustang Panda uses Doplugs malware to target Asia

Trend Micro published a report detailing a customized variant of the PlugX malware dubbed ‘Doplugs’ utilized by the China-linked Earth Preta (aka Mustang Panda and Bronze President) APT.

Chinese hack-for-hire firm claims to have hacked multiple govts across the world

Chinese authorities are investigating a major leak of documents from a private security contractor I-Soon, associated with the country's top policing agency and other governmental entities. The cache of documents, which surfaced on GitHub last week, provides a rare glimpse into the alleged cyber espionage activities of the firm. The documents shed light on I-Soon's purported activities, including what appears to be hacking operations targeting both Chinese nationals and foreigners.

Meta removes 8 surveillance-for-hire operations from its platforms

Meta Platforms said it took steps to counter malicious activities orchestrated by eight different firms operating in the surveillance-for-hire industry across Italy, Spain, and the United Arab Emirates (UAE).

The eight companies identified in Meta Platforms' report are Cy4Gate/ELT Group, RCS Labs, IPS Intelligence, Variston IT, TrueL IT, Protect Electronic Systems, Negg Group, and Mollitiam Industries. These entities utilized various malware to carry out their surveillance activities across multiple platforms and devices.

Operation Texonto: Disinformation campaign targets Ukrainian speakers

Security researchers at ESET uncovered a disinformation campaign aimed at Ukrainian speakers both within Ukraine and abroad. Dubbed “Operation Texonto,” the campaign employs a variety of tactics aimed at sowing seeds of doubt and spreading false information among the Ukrainian populace.

The researchers spotted two waves of activity, the first occurring in November 2023, followed by a second surge in late December of the same year. The themes of the spam emails revolve around narratives typically used by Russian propaganda, such as heating interruptions, drug and food shortages.

Russia targets Germany with new influence op

Researchers at SentinelLabs and ClearSky Cyber Security shared details about a Russia-aligned influence operation network dubbed ‘Doppelgänger.’ This network has been extensively targeting German audiences. The primary tactic involves spreading propaganda and disinformation through news articles focusing on current socio-economic and geopolitical topics relevant to the general population.

Notably, Doppelgänger is disseminating content that criticizes the ruling government coalition and its support for Ukraine, likely with the aim of influencing public opinion ahead of the upcoming elections in Germany. The network utilizes a substantial network of accounts, known as X accounts, which actively engage in coordinated activities to increase visibility and engage with audiences.

PrintListener attack allows to recreate fingerprints from touchscreen sounds

Recent research has uncovered a weakness in biometric security systems, which can be abused to recreate fingerprints solely from the sounds they make on touchscreen devices. Devised by a collaborative effort between researchers in the United States and China, the new technique called ‘PrintListener,’ has demonstrated efficacy in cracking biometric security measures, achieving success rates of up to 27.9% for partial fingerprints and 9.3% for complete fingerprints within just five attempts.

In other news, researchers devised a new technique called “VoltSchemer,” which targets wireless chargers by manipulating power supply voltages. The attacks leverage voltage fluctuations originating from the power supply, eliminating the need for direct malicious modifications to the chargers themselves.

Avast is ordered to pay $16.5M for selling users’ browsing data

The US Federal Trade Commission (FTC) fined antivirus maker Avast $16.5 million for allegedly selling users' browsing data to advertisers despite promising its products would prevent online tracking. As part of the penalty, Avast is prohibited from selling or licensing web browsing data for advertising and must inform affected users whose data was illegally shared with third parties.