8 March 2024

Cyber Security Week in Review: March 8, 2024


Apple releases patches to fix actively exploited zero-day flaws

Apple issued security updates to address a number of vulnerabilities, including two zero-day flaws exploited by hackers.

The two zero-days are:

CVE-2024-23225 - A buffer overflow issue in the OS kernel that can be exploited by a local application to trigger memory corruption and execute arbitrary code on the target system.

CVE-2024-23296 - A buffer overflow issue affecting the RTKit real-time operating system (RTOS). A malicious application can trigger memory corruption and execute arbitrary code on the target system.

Both security issues were addressed with improved validation in iOS 17.4, iPadOS 17.4, iOS 16.7.6, and iPadOS 16.7.6.

Critical JetBrains TeamCity flaws come under active attacks

Two recently disclosed vulnerabilities (CVE-2024-27198 and CVE-2024-27199) in JetBrains’ TeamCity On-Premises continuous integration and continuous delivery (CI/CD) server are now targeted by threat actors. The flaws impact all TeamCity On-Premises versions through 2023.11.3. The issues have been fixed in version 2023.11.4.

Multiple security researchers are observing attempts to exploit CVE-2024-27198, with the first attacks spotted on March 5, 2024.

The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-27198 to its Known Exploited Vulnerabilities (KEV) catalog, indicating that the flaw is targeted in the wild.

Critical ScreenConnect flaws exploited to deploy Babyshark malware variant

A threat actor has been observed exploiting a recently disclosed critical vulnerability in the ConnectWise ScreenConnect remote access tool to deploy a malware strain similar to the Babyshark malware family associated with a North Korean state-backed cyberespionage group known as Kimsuky, Thallium and Velvet Chollima.

The new campaign, detected by Kroll's threat response team, involved the exploitation of CVE-2024-1708 and CVE-2024-1709, two ScreenConnect vulnerabilities patched last month. CVE-2024-1709 is an authentication bypass issue, which can allow a remote non-authenticated attacker to bypass the authentication process and gain full access to the system, while CVE-2024-1708 is a path traversal issue that can be used to conduct directory traversal attacks. When exploited in tandem, the vulnerabilities could be used to perform remote code execution post-authentication.

Cisco patches a high-severity flaw in its Secure Client

Network equipment giant Cisco released patches to address a couple of high-severity vulnerabilities in its Secure Client enterprise VPN application. The first flaw, tracked as CVE-2024-20337, is a CRLF injection issue that impacts the Linux, macOS, and Windows versions of Secure Client and could be exploited by a remote attacker to inject arbitrary data in a server response.

The second flaw (CVE-2024-20338) is an insecure DLL loading issue that could be used by a local attacker to execute arbitrary code via a specially crafted .dll file.

VMware fixes high-risk bugs in ESXi, Workstation and Fusion

Virtualization and cloud computing software vendor VMware released security updates to remedy a number of vulnerabilities affecting ESXi, Workstation and Fusion products that could be exploited by a remote attacker to compromise the vulnerable system or gain access to sensitive data.

North Korean hackers compromised at least two semiconductor firms in South Korea

A threat actor linked to the North Korean government has infiltrated at least two semiconductor manufacturers in South Korea, according to South Korea’s National Intelligence Service (NIS). North Korean hackers breached the servers of the targeted firms, absconding with valuable product design blueprints and facility images. The intruders employed a technique known as “living off the land,” which involves the use of legitimate tools and features already present in the target system to evade detection by security software.

New phishing attack steals Windows NTLM authentication hashes

Proofpoint uncovered a sophisticated phishing campaign orchestrated by the notorious threat actor known as TA577. The group has adopted a new tactic involving ZIP archive attachments in phishing emails, with the specific objective of pilfering NT LAN Manager (NTLM) hashes.

Cops take down the largest German-speaking underground market

The German police announced they dismantled the largest German-speaking illegal trading platform called “Crimemarket,” which offered goods ranging from drugs and weapons to illegal services such as money laundering, instructions on cybercrime activities and “real crime,” up to commissioned crimes. The police officers conducted a total of 102 searches nationwide, with three alleged Crimemarket operators, including the 23-year-old main suspect, arrested and numerous pieces of evidence seized. These include mobile phones, IT equipment, and data carriers.

US guardsman pleads guilty to leaking classified info, faces 11 years in prison

Jack Teixeira, a member of the Massachusetts Air National Guard, pleaded guilty to the leak of highly classified military information, including sensitive documents related to the conflict in Ukraine and other national security matters. The plea deal mandates a minimum of 11 years in prison for his offenses.

Teixeira confessed to six counts of willful retention and transmission of national defense information under the Espionage Act, nearly a year following his arrest. His illegal actions involved collecting and disseminating some of the nation's most confidential data via Discord, a social media platform often used by gamers.

Another US military man, David Franklin Slater, 63, was charged with sharing classified information about Russia’s war with Ukraine on a foreign online dating platform with someone claiming to be a woman in Ukraine. Slater signed a top secret nondisclosure agreement on August 23, 2021, prosecutors said, and had undergone numerous training sessions on handling classified materials. He pleaded not guilty to the charges.

Additionally, Korbein Schultz, a US Army analyst, has been arrested and charged with selling sensitive military secrets to a contact in China.

Speaking of China, a Google engineer, Linwei Ding aka Leon Ding, was accused by the US authorities of stealing artificial intelligence trade secrets from the tech giant while secretly working with two China-based companies in the AI industry. He is charged with four counts of theft of trade secrets. If convicted, the man faces up to 10 years in prison for each count.

A US court orders NSO Group to hand over the Pegasus code to WhatsApp

Israeli spyware maker NSO Group was ordered by a US court to turn over the Pegasus source code to Meta’s WhatsApp. The ruling is part of a lawsuit WhatsApp filed against NSO in October 2019, claiming that NSO’s surveillance malware infected the phones of around 1400 WhatsApp users, including journalists and human rights activists.

The judge ruled that NSO Group must disclose to WhatsApp “all relevant spyware” for a period of one year before and after the two weeks in which WhatsApp users were allegedly hacked. The spyware maker was also ordered to provide WhatsApp information “concerning the full functionality of the relevant spyware”.

The US sanctions Predator spyware vendor for targeting officials and journalists

The US authorities slapped sanctions on two individuals and five entities associated with the Intellexa Consortium for their role in developing, operating, and distributing commercial spyware used to target government officials, journalists, and policy experts.

AlphV/BlackCat reportedly pulls an exit scam, fakes its own takedown

The infamous ALPHV/BlackCat ransomware gang responsible for the recent UnitedHealth Group breach appears to have pulled an exit scam, posting a bogus message about a law enforcement takedown on its data leak site. In a message on a hacker forum, ALPHV administrators said that they decided to shut down the operation and are now selling ransomware source code for $5 million.

Novel GTPDOOR Linux backdoor targets telco networks

Security researcher HaxRob shared details about a novel Linux backdoor named ‘GTPDOOR’ designed to target mobile carrier networks. The new backdoor is likely the work of a threat actor tracked as UNC1945 (Mandiant) or LightBasin (CrowdStrike), known for its attacks against the telecommunications sector on a global scale.

Threat actors distribute RATs via fake Skype, Google Meet, and Zoom websites

Threat actors are exploiting the popularity of online meeting platforms to disseminate malware, according to new research from Zscaler’s ThreatLabz.

Since December 2023, threat actors have been leveraging fake websites mimicking Skype, Google Meet, and Zoom, targeting both Android and Windows users. The attacker utilized shared web hosting, hosting all these fake online meeting sites on a single IP address. The malicious websites, predominantly in Russian, closely resemble the legitimate platforms, prompting users to download malicious files, infecting their devices with Remote Access Trojans (RATs).

TA4903 spoofs the US government, small businesses in phishing, BEC attacks

Cybersecurity firm Proofpoint released a report detailing a new campaign by a financially motivated threat actor it tracks as TA4903. Starting in December 2021, Proofpoint observed a series of campaigns spoofing various federal US government entities. In the recent attacks, the malicious actor has been consistently creating new domains mimicking government bodies and private companies across various sectors, including construction, energy, finance, food and beverage, healthcare, manufacturing, and more.

China-linked Evasive Panda targets Tibetans with the novel Nightdoor backdoor

ESET researchers have uncovered a cyberespionage campaign targeting Tibetans since at least September 2023. It involves a watering hole attack and a supply-chain compromise using trojanized installers of Tibetan language translation software. The attackers aim to infect visitors with malicious downloaders for Windows and macOS, delivering the MgBot malware framework and a previously undocumented backdoor dubbed ‘Nightdoor.’

A researcher links UAC-0050 threat actor to Russian hacker-for-hire The DaVinci Group

A security researcher who goes online as BushidoToken released a report linking a threat actor tracked as UAC-0050, known for its attacks against entities in Ukraine, to the Russian semi-professional mercenary hackers The DaVinci Group.

Most PLCs are vulnerable to novel IronSpider attack

Researchers from Georgia Tech’s College of Engineering have developed a web-based programmable logic controller (PLC) malware named “IronSpider” capable of targeting PLCs from major manufacturers. They tested its efficacy by compromising a popular PLC model in a real-world ICS testbed. Their findings revealed that the malware could exploit legitimate channels or vulnerabilities in PLC admin portal web applications to push front-end code to the PLC without user notification or firewall intervention. Furthermore, IronSpider demonstrated the ability to persistently execute in the environment or erase all traces of infection to thwart forensic investigations.

In related news, Cornell Tech researchers created the first worm able to spread across generative AI systems. Dubbed “Morris II,” the worm is designed to target GenAI ecosystems through the use of adversarial self-replicating prompts.

Security agencies share guides on zero-trust, best practices for securing cloud services

The US National Security Agency (NSA) released new guidance to help organizations enhance their cybersecurity by adopting zero-trust framework principles.

Additionally, the NSA and CISA have issued five joint advisories on how to secure cloud services.
