15 March 2024

Cyber Security Week in Review: March 15, 2024


Cyber Security Week in Review: March 15, 2024

Microsoft’s March 2024 security updates fix over 60 vulnerabilities

Microsoft has issued its monthly batch of security updates designed to address more than 60 vulnerabilities across the company’s products. While this month’s Patch Tuesday release doesn’t cover any actively exploited bugs, it contains fixes for a number of high-risk flaws that could lead to remote code execution or privilege escalation. More details are available here.

Fortinet addresses high-severity FortiClientEMS, FortiOS and FortiProxy vulnerabilities

Fortinet has fixed a number of high-risk vulnerabilities affecting its products. One of the patched flaws is CVE-2023-48788, an SQL injection issue in the FortiClientEMS endpoint management software. The flaw affects FortiClientEMS 7.2 – versions 7.2.0 to 7.2.2 – and FortiClientEMS 7.0 – versions 7.0.1 to 7.0.10.

The company has also addressed two flaws affecting FortiOS and FortiProxy captive portal (CVE-2023-42789 and CVE-2023-42790). The first one is an out-of-bounds write issue that can lead to remote code execution, while the second is a stack-based overflow vulnerability that can allow compromise of the system.

QNAP issues patches for multiple vulnerabilities in NAS products

Taiwan-based Network Attached Storage (NAS) device manufacturer QNAP Systems released security updates to address a number of vulnerabilities impacting its products, including a flaw that could potentially lead to unauthorized access to devices. One of the vulnerabilities, CVE-2024-21899, is an improper authentication issue, presenting a pathway for users to compromise system security via network access. This flaw affects QNAP's QTS, QuTS hero, and QuTScloud products.

In addition to CVE-2024-21899, the NAS maker addressed two vulnerabilities, tracked as CVE-2024-21900 and CVE-2024-21901, categorized as medium-severity issues. While these vulnerabilities can allow command execution or code injection over a network, their exploitation requires authorization and, in the case of CVE-2024-21901, administrator credentials.

DarkGate malware exploits recently patched Windows SmartScreen zero-day bug

Trend Micro analysts have uncovered a sophisticated DarkGate campaign, part of a more broader campaign by a threat actor tracked as Water Hydra (aka DarkCasino), which has been exploiting a recent Windows SmartScreen vulnerability as a zero-day to distribute malware since mid-January 2024.

Tracked as CVE-2024-21412, zero-day is a Microsoft Defender SmartScreen bypass vulnerability. The issue exists due to improper input validation when handling Internet shortcut files. A remote attacker can trick the victim into clicking on a specially crafted shortcut file and executing arbitrary code on the system. The flaw was fixed as part of Microsoft’s February 2024 Patch Tuesday updates.

JetBrains TeamCity bugs exploited in BianLian ransomware attacks

Threat actors behind the BianLian ransomware operation have added two security flaws (CVE-2024-27198 and CVE-2024-27199) in JetBrains TeamCity software to their arsenal. The flaws impact all TeamCity On-Premises versions through 2023.11.3. The issues have been fixed in version 2023.11.4.

The threat actor leveraged CVE-2024-27198 or CVE-2023-42793 to gain initial access to the victim environment. The attacker then created users in TeamCity, executed malicious commands under the TeamCity product's service account, and deployed a PowerShell backdoor.

US cybersecurity agency targeted via Ivanti vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) fell victim to hackers who exploited vulnerabilities in Ivanti products. CISA officials confirmed the breach, stating that the agency detected suspicious activity indicating the exploitation of Ivanti product vulnerabilities approximately a month ago. The breach impacted two critical systems within CISA's infrastructure, prompting immediate action to take them offline.

Magnet Goblin exploits Ivanti, Magento, Qlink Sense flaws to drop malware

A financially motivated threat actor called “Magnet Goblin” is targeting public-facing servers with one-day vulnerabilities to deploy Linux backdoors and credential stealers. The threat actor has attacked Ivanti Connect Secure (CVE-2023-46805 and CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893), (CVE-2022-24086), Qlik Sense business analytics servers (CVE-2023-41265, CVE-2023-41266, and CVE-2023-48365) and, possibly, Apache ActiveMQ servers to gain unauthorized access.

Russian cyber spies infiltrated Microsoft’s systems, accessed source code

Microsoft said that a Russian government-backed group tracked as Midnight Blizzard that compromised Microsoft’s corporate systems in November 2023, used the stolen data to access some of the company’s source code repositories and internal systems. There’s no evidence that customer systems were affected by the incident, Microsoft said.

Blind Eagle threat group uses Ande Loader to deliver Remcos RAT and NjRAT

eSentire researchers uncovered a new campaign by a threat actor tracked as ‘Blind Eagle’ or ‘APT-C-36’ targeting Spanish-speaking users in the manufacturing industry based in North America. The campaign employs a loader called ‘Ande Loader’ to deliver Remcos RAT and NjRAT remote access trojans.

Pro-Hamas hackers claim to have hacked Viber

Handala Hack, a pro-Palestinian hacktivist collective, claims that it has compromised the Viber instant messaging service and stole more than 740GB of data from the company's servers, including Viber's source code. This data is being offered for sale, with Handala Hack requesting eight bitcoins, equivalent to approximately $544,000.

Threat actors abuse Dropbox in phishing attacks

Darktrace researchers detailed a sophisticated phishing attack utilizing the widely used cloud-based storage platform Dropbox.

PixPirate Android banking trojan uses a new trick to evade detection

IBM released a technical report highlighting a new tactic leveraged by PixPirate, a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. So far, IBM researchers have observed this malware attacking banks in Brazil. The new tactic involves hiding the trojan’s icon, which have never been seen in financial malware before. The trick allows the malware to operate stealthily in the background without triggering victim’s attention.

Threat actors distribute VCURMS and STRRAT RATs via AWS and GitHub

Fortinet’s FortiGuard Labs came across a phishing campaign that distributes new VCURMS and STRRAT RATs through public services like Amazon Web Services (AWS) and GitHub. The attacker attempts to use email as its command and control throughout the attack campaign.

Windows PCA tool abused for corporate espionage

The Russian-speaking threat actor Earth Kapre (aka RedCurl and Red Wolf) has been actively conducting phishing campaigns targeting organizations in Russia, Germany, Ukraine, the United Kingdom, Slovenia, Canada, Australia, and the US. It uses phishing emails that contain malicious attachments (.iso and .img), which lead to successful infections upon opening. After unsuspecting recipients open these files, the malware swiftly infiltrates the system, laying the groundwork for potential data theft and espionage operations.

New BIPClip campaign steals mnemonic phrases used to recover crypto wallets

Threat hunters at ReversingLabs spotted several packages within the Python Package Index (PyPI) repository designed to pilfer BIP39 mnemonic phrases used for recovering cryptocurrency wallet private keys.

Dubbed ‘BIPClip,’ the campaign targets developers engaged in projects related to the creation and safeguarding of cryptocurrency wallets.

Roku data breach exposes 15,000 users to fraudulent purchases

US streaming giant Roku disclosed a data breach impacting more than 15,000 customers, leading to fraudulent transactions and unauthorized access to accounts. The breach, identified as a credential-stuffing attack, targeted credentials compromised in previous data breaches of third-party services.

Cybercriminals exploited login and password combinations leaked from unrelated third-party breaches to hijack Roku accounts. With some users employing the same credentials across multiple platforms, threat actors managed to gain access to Roku accounts and change login information, and, in some cases, attempted to buy streaming subscriptions.

French unemployment agency data breach affects over 40M people

France Travail (previously Pôle Emploi), the French governmental body tasked with the registration of unemployed persons, dispensation of financial assistance, and facilitation of job placements, disclosed a security breach that potentially resulted in the leakage of the personal information of nearly 43 million individuals.

The agency revealed that hackers obtained information belonging to job seekers enlisted with the agency over the past two decades during a cyber intrusion occurring between February 6 and March 5. Additionally, the data of individuals possessing a job candidate profile has been compromised.

Nissan confirms about 100,000 people in Australia and New Zealand affected in December attack

Japanese car manufacturer Nissan has disclosed that approximately 100,000 individuals in Australia and New Zealand had their personal information compromised during a cyberattack reported by the company in December.

The automaker released additional findings from the investigation into the breach, revealing that it has initiated the process of informing affected parties. These include customers, dealers, as well as certain current and former employees.

Bitcoin Fog mixer operator faces decades in prison for laundering $400 million

A US court convicted Roman Sterlingov, a dual Russian-Swedish national, for his central role in operating Bitcoin Fog, a notorious darknet cryptocurrency mixer. Sterlingov, 35, was found guilty of orchestrating a sophisticated money laundering scheme that facilitated the laundering of approximately $400 million worth of cryptocurrency over the span of a decade, from 2011 to 2021.

LockBit affiliate gets a four-year sentence in Canada

A key member of the LockBit ransomware group, Mikhail Vasiliev, a Russian-Canadian, has been handed a nearly four-year jail sentence in Canada for his involvement in over a thousand cyber attacks, allegedly yielding more than $100 million in ransom. Vasiliev pleaded guilty to eight counts of cyber extortion, mischief, weapons charges, and affiliation with the cybercrime syndicate.

In addition to the prison term, Vasiliev has to pay a restitution of $860,000. Furthermore, he awaits trial in the United States, where he could face additional penalties for his cybercrimes.

Two tech support firms fined for antivirus scam

Two companies, Restoro and Reimage, settled with the US Federal Trade Commission (FTC) for $26 million after being accused of deceiving consumers, particularly older adults, into purchasing unnecessary computer repair services.

The FTC alleged that since January 2018, both companies, based in Nicosia, Cyprus, have utilized fake Microsoft Windows pop-up ads about potential damage from hacks as a scare tactic to trick users into paying for software to fix nonexistent problems, ranging from $27 to $58.

Victims who called a provided phone number to activate the software were subjected to upselling tactics by telemarketers, who gained remote access to their computers and offered additional services performed by technicians at higher costs, amounting to hundreds of dollars more.

Incognito Market admins pull exit scam, extort users

Administrators of Incognito Market, a dark web narcotics bazaar, are extorting all of its users, demanding between $100 and $20,000 for not publishing all of their cryptocurrency transactions and chat records. The development comes after Incognito Market admins reportedly exit scammed, leaving the platform’s users unable to withdraw millions of dollars worth of funds. The Incognito Market exit scam began on February 19, 2024, with Bitcoin transactions suddenly ceasing on the platform.

Tor introduces a new anti-censorship protocol

The Tor Project unveiled its latest anti-censorship tool called WebTunnel, a Tor bridge that operates as a concealed server that remains unlisted in Tor's public directory. WebTunnel emulates encrypted web traffic by wrapping the connection payload within a WebSocket-like HTTPS connection. This process makes it indistinguishable from standard HTTPS (WebSocket) connections to network observers. This means that to an outside observer unaware of its existence, WebTunnel traffic appears as regular HTTP traffic to a webpage server, creating the illusion of typical web browsing activity.

Google updates Safe Browsing in Chrome

Google has introduced real-time browsing protection to Chrome, aimed at safeguarding user privacy. This feature, according to Google, conceals visited URLs and is now accessible through the default Standard mode of Safe Browsing on Chrome.

Back to the list

Latest Posts

New EagleMsgSpy surveillance tool linked to Chinese authorities

New EagleMsgSpy surveillance tool linked to Chinese authorities

The Android-based tool has been in operation since at least 2017.
12 December 2024
Russian Turla APT exploits other threat actors’ tools to attack Ukraine

Russian Turla APT exploits other threat actors’ tools to attack Ukraine

Secret Blizzard used the Amadey bot malware to deliver its custom backdoor called “KazuarV2” onto specifically selected systems in Ukraine.
12 December 2024
Global police op shuts down major DDoS platforms

Global police op shuts down major DDoS platforms

As part of the effort, three suspected administrators were arrested in France and Germany.
11 December 2024