12 April 2024

Cyber Security Week in Review: April 12, 2024


Microsoft fixes two actively exploited zero-day bugs

Microsoft has released its monthly batch of security updates, fixing more than 100 vulnerabilities, including two flaws said to have been exploited in the wild. The first zero-day (CVE-2024-29988) is a SmartScreen prompt bypass in Microsoft Windows caused by an insufficient implementation of the Mark of the Web (MotW) feature. A remote attacker can supply a malicious file inside an archive to bypass EDR/NDR detection, bypass the SmartScreen prompt and compromise the affected system.

The second actively exploited bug is tracked as CVE-2024-26234 and described as an Improper Access Issue within the Windows proxy driver that can be used by a local user to execute arbitrary code on the system.

Apart from noting that the exploitation of this flaw in the wild has been observed, Microsoft has not provided any details regarding the nature of attacks.

However, cybersecurity firm Sophos released a report, according to which CVE-2024-26234 was used in the attack involving a malicious executable (“Catalog.exe” or “Catalog Authentication Client Service”) signed by a valid Microsoft Windows Hardware Compatibility Publisher (WHCP) certificate that was discovered in December 2023.

Palo Alto Networks warns of a PAN-OS zero-day exploited in the wild

Palo Alto Networks has patched an actively exploited zero-day vulnerability affecting its PAN-OS software. Tracked as CVE-2024-3400, the issue is a command injection flaw in the GlobalProtect feature, which may enable a remote attacker to execute arbitrary code with root privileges on the firewall.

Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024, the company said. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability, and neither are other versions of PAN-OS. The vendor has also noted that it is aware of limited exploitation attempts.

Over 92K D-Link NAS devices contain backdoor account

Thousands of outdated D-Link network-attached storage (NAS) devices contain a backdoor account that could be exploited by hackers for system takeover. The issue (CVE-2024-3272) stems from the presence of hard-coded credentials in the application code. The affected D-Link models are also plagued by another high-risk flaw - an OS command injection vulnerability (CVE-2024-3273) that could be abused by a remote hacker to execute arbitrary OS commands on the target system via specially crafted data.

The list of impacted models includes DNS-320L version 1.11, version 1.03.0904.2013, version 1.01.0702.2013, DNS-325 version 1.01, DNS-327L version 1.09, version 1.00.0409.2013, DNS-340L version 1.08.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added both bugs to its Known Exploited Vulnerabilities list, indicating that the flaws are being exploited in the wild. Users are advised to retire or replace the impacted D-Link hardware, as the vendor does not intend to release firmware updates for these products.

Sisense clients urged to reset credentials due to a data breach

Data analytics provider Sisense has suffered a data breach that appears to have impacted critical infrastructure organizations. At present, very little information about the incident is available, with rumors circulating that a supply chain attack may have been involved. Infosec reporter Brian Krebs shared an alert sent to Sisense customers, indicating that the breach stems from the compromise of an internal Sisense server that stored customer data.

Following the breach, CISA urged Sisense customers to reset credentials and secrets potentially exposed to, or used to access, Sisense services.

Additionally, CISA issued an emergency directive in response to a cyber campaign by the Russian state-sponsored group Midnight Blizzard targeting Microsoft corporate email accounts. Federal agencies are ordered to analyze potentially affected emails, reset compromised credentials, and secure privileged Microsoft Azure accounts.

Last but not least, CISA released a new version of Malware Next-Gen, a malware analysis platform that allows the public to submit malware samples and other suspicious artifacts for analysis.

Microsoft resolves security breach exposing internal files and credentials

Microsoft has addressed a security incident involving its Azure cloud service that exposed internal company files and credentials to the internet. The breach was disclosed by researchers at security firm SOCRadar, who spotted an open, publicly accessible storage server hosted on Microsoft's Azure cloud service. This server was found to contain internal information related to Microsoft's Bing search engine, including code, scripts, and configuration files. These files contained passwords, keys, and credentials used by Microsoft employees to access various internal databases and systems.

Apple enhances spyware threat notifications

Tech giant Apple has updated its spyware threat notification system to add alerts for users who may have been specifically targeted in tailored surveillance campaigns. Apple also updated its support page on spyware protection, replacing the term “state-sponsored” with “mercenary spyware.”

US govt set to block Russian-made software over national security concerns

The US authorities are poised to issue an order preventing American individuals and companies from utilizing software made by a major Russian cybersecurity firm. The primary objective of the forthcoming order is to prohibit Kaspersky Lab from offering specific products and services within the United States due to potential risks to national security.

Exploit broker offers millions of dollars for iOS, Android zero-day exploits

Vulnerability acquisition company Crowdfense has updated its price list, according to which the firm is willing to pay up to $9 million for zero-click exploits that work via SMS or MMS and up to $7 million for iPhone zero-days. It is also offering up to $5 million for Android zero-days, up to $3.5 million for Safari exploits, up to $3 million for Chrome exploits, as well as payouts for zero-click exploits in WhatsApp (up to $5 million), iMessage (up to $5 million), Signal, Telegram and other messaging services.

Chinese hackers are increasingly adopting AI tech for influence operations

China is increasingly attempting to influence global affairs through sophisticated cyber operations, according to a new report from the Microsoft Threat Analysis Center (MTAC) highlighting cyber activities originating from East Asia. The report details China’s deployment of fake social media accounts to poll American voters on divisive issues, aiming to sow discord and potentially sway the outcome of the US presidential election in their favor.

Microsoft has also said it has observed the use of AI-powered tools by North Korean actors, such as Emerald Sleet (aka Kimsuky, Velvet Chollima, Black Banshee, and Thallium), to enhance the efficiency and efficacy of their cyber operations.

New eXotic Visit Android espionage campaign targets India and Pakistan

ESET researchers uncovered an espionage campaign dubbed eXotic Visit, run by a threat actor they track as Virtual Invaders, that is actively targeting Android users, particularly in Pakistan and India. The campaign employs fake messaging apps containing the XploitSPY malware, distributed via dedicated websites and the Google Play Store.

The latest MuddyWater attack framework discovered

Deep Instinct researchers discovered a fresh command-and-control infrastructure they named DarkBeatC2, which they linked to the Iranian threat group MuddyWater. This adds to the group's arsenal of tools, which already includes SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go.

New threat actor Starry Addax targets human rights defenders in North Africa

A new threat actor dubbed “Starry Addax” is targeting human rights activists associated with the Sahrawi Arab Democratic Republic (SADR) cause in North Africa using a novel mobile malware named “FlexStarling.” Starry Addax's modus operandi involves conducting phishing attacks, enticing victims into installing malicious Android apps that are disguised as legitimate tools. The apps impersonate the Sahara Press Service, serving as a means to deliver malware onto mobile devices, compromising sensitive information.

Hackers exploit Fortinet bug to install RMM tools and PowerShell backdoors

Malicious actors are exploiting a critical vulnerability in the Fortinet FortiClient EMS application to deploy unauthorized Remote Monitoring and Management (RMM) tools and PowerShell backdoors on the target systems. Tracked as CVE-2023-48788, the flaw is an SQL injection issue that allows a remote non-authenticated attacker to execute arbitrary SQL commands within the application database by sending a specially crafted request.

TA547 threat actor targets German orgs with Rhadamanthys info-stealer

The financially motivated cybercriminal threat group known as TA547 has launched a new phishing campaign targeting organizations across various industries in Germany, marking a shift from the gang’s previous modus operandi. Notable aspects of the observed campaign include the use of the Rhadamanthys information-stealing malware instead of TA547's usual payload, NetSupport RAT, and a novel attack vector - a PowerShell script suspected to have been generated by a Large Language Model (LLM) such as ChatGPT, Gemini, or Copilot.

Romanian threat actors run decade-long botnet operation

Security researchers have published details about a sophisticated and long-running botnet operation orchestrated by a Romanian threat group. Dubbed ‘RUBYCARP’, the group is believed to have been active for over a decade. It employs a diverse array of tactics focused on financial gain through cryptomining and phishing. The modus operandi of RUBYCARP includes the deployment of botnets, facilitated by the exploitation of various public exploits and brute force attacks. The group is known to communicate through both public and private IRC networks, where it not only coordinates its operations but also develops hacking tools and targeting data.

Raspberry Robin is now spreading via Windows script files

Threat actors behind the Raspberry Robin worm have updated their methods, now employing Windows Script Files (WSF) alongside USB drives to spread the malware. The HP Threat Research team has observed new campaigns since March 2024, featuring highly obfuscated WSF files with anti-analysis measures. Originally discovered in 2021, Raspberry Robin was initially spread through USB drives.

Threat actors hide credit card skimmers in fake Facebook Pixel Tracker

Cybersecurity researchers have spotted a new campaign that involves a credit card skimmer concealed within a fake Meta Pixel tracker script. According to Sucuri, the malware infiltrates websites via customizable code tools like WordPress plugins such as Simple Custom CSS and JS, or through the “Miscellaneous Scripts” section of the Magento admin panel.

Cybercriminals exploit GitHub search functionality to distribute malware

Attackers are exploiting GitHub's search algorithm to distribute malware via deceptive repositories with popular names and topics. The malicious payload is often concealed within Visual Studio project files, such as .csproj or .vcxproj, enabling the malware to evade detection. The recent malware campaign involves a large, padded executable file that shares similarities with the “Keyzetsu clipper” malware, targeting cryptocurrency wallets.

Researchers warn of a surge in malware-driven scanning attacks

Security researchers at Palo Alto Networks' Unit 42 said they are observing a significant rise in malware-driven scanning attacks, involving the hijacking of infected hosts to conduct scans on targets. Instead of relying on direct scans, attackers are now leveraging malware-infected hosts to initiate scanning requests, significantly complicating detection and mitigation efforts.

CoralRaider cybercrime gang hunting for credentials and financial data

A new financially motivated threat actor believed to be of Vietnamese origin is targeting victims across various Asian and Southeast Asian countries to steal credentials, financial data, and social media accounts, including business and advertisement accounts.

Dubbed “CoralRaider,” the threat actor has been active since at least 2023. The malicious campaign, spotted by the researchers, is focused on multiple countries in Asia and Southeast Asia, including India, China, South Korea, Bangladesh, Pakistan, Indonesia and Vietnam. The group employs sophisticated techniques and utilizes specific tools such as RotBot, a customized variant of QuasarRAT, and the XClient stealer as payloads in their campaigns.

Google files a lawsuit against app developers for alleged fraud

Google has initiated legal action against two app developers accused of orchestrating an elaborate investment scam. The lawsuit alleges that Yunfeng Sun, also known as ‘Alphonse Sun’, and Hongnam Cheung, aka ‘Zhang Hongnim’ or ‘Stanford Fischer’, engaged in an “international online consumer investment fraud scheme” targeting users of the Google Play Store and other platforms.

According to Google's complaint, the defendants purportedly uploaded approximately 87 crypto-related applications to the Google Play Store, enticing users with promises of high returns on their investments. These apps, downloaded by over 100,000 users since at least 2019, allegedly served as the conduit for the fraudulent scheme, resulting in significant financial losses for unsuspecting victims.

LastPass employee targeted via a deepfake scam

LastPass said one of the company’s employees was targeted in an audio phishing incident involving a series of calls, texts, and at least one voicemail featuring an audio deepfake from a threat actor impersonating LastPass’ CEO, Karim Toubba, via WhatsApp. According to LastPass, the attack was unsuccessful and had no impact on the company.
