Cybersecurity News Review - Week 46
From emerging vulnerabilities to high-profile data breaches, this week's edition offers a succinct overview of the cybersecurity realm.
More bugs in Palo Alto Expedition see active exploitation, CISA warns
A recent CISA alert warns of active exploitation of vulnerabilities in Palo Alto Networks' Expedition firewall management software. Two new bugs, CVE-2024-9463 and CVE-2024-9465, could expose firewall credentials in versions 1.2.96 and below. This follows last week's warning about CVE-2024-5910, affecting version 1.2.92 and older. Palo Alto Networks confirmed limited attacks on internet-exposed firewall management interfaces. The cybersecurity firm Horizon3.ai discovered three additional vulnerabilities. Palo Alto advises users to shut off Expedition if not in use, upgrade to the latest version, and check for indicators of compromise. Federal agencies are required to mitigate the risk within a set timeframe due to the addition of CVE-2024-5910 to the KEV catalog.
Windows Zero-Day Exploited by Russia Triggered With File Drag-and-Drop, Delete Actions
The article describes a newly patched Windows zero-day vulnerability (CVE-2024-43451) that can be exploited with minimal user interaction, such as deleting or right-clicking a file. This medium-severity flaw affects the MSHTML engine, potentially allowing attackers to steal NTLMv2 hashes and perform pass-the-hash attacks. Cybersecurity firm ClearSky discovered the vulnerability being exploited by a suspected Russian threat actor targeting Ukrainian entities through phishing emails containing malicious ZIP files. The exploit is more effective on Windows 10 and 11 systems and can trigger the download of malware like SparkRAT. The Computer Emergency Response Team of Ukraine (CERT-UA) attributes the zero-day exploitation to a group known as UAC-0194.
HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities
HPE has released security updates for multiple vulnerabilities in Aruba Networking Access Point products running Instant AOS-8 and AOS-10. Two critical flaws, CVE-2024-42509 and CVE-2024-47460, could allow unauthenticated remote code execution. Four other vulnerabilities were also addressed, ranging from authenticated remote command execution to path traversal. HPE recommends enabling cluster security or blocking access to UDP port 8211 for mitigation, depending on the AOS version. Users are advised to restrict access to management interfaces and apply patches promptly, as these vulnerabilities make Aruba Networking access points attractive targets for threat actors due to the potential for privileged user access.
Veeam Patches High-Severity Vulnerability as Exploitation of Previous Flaw Expands
Veeam has released patches for a high-severity vulnerability (CVE-2024-40715) in Backup Enterprise Manager that could allow remote, unauthenticated attackers to bypass authentication through a man-in-the-middle attack. The company has issued a hotfix for version 12.2.0.334 and included it in repackaged images for related products. Users are urged to apply the hotfix promptly or upgrade using the latest ISOs. While there's no indication of this vulnerability being exploited in the wild, threat actors have previously targeted patched Veeam vulnerabilities, such as CVE-2024-40711, which has been exploited by multiple ransomware groups including Fog, Akira, and Frag.
Many Legacy D-Link NAS Devices Exposed to Remote Attacks via Critical Flaw
A critical command injection vulnerability (CVE-2024-10914) affects multiple discontinued D-Link NAS models, allowing unauthenticated attackers to execute arbitrary shell commands through crafted HTTP GET requests. The vulnerability stems from improper sanitization of the name parameter when adding new users. While a security researcher identified four affected models with over 61,000 internet-accessible devices, D-Link reports that 16 additional discontinued models are impacted. As these products have reached end-of-life status, D-Link won’t be providing security patches and recommends users retire the devices or migrate to supported ones. US customers continuing to use affected devices should ensure they have the latest firmware, while non-US users may consider third-party firmware options at their own risk.
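The D-Link bug above is a textbook case of an HTTP parameter reaching a shell unfiltered. The following added example (written for this review, not D-Link's code, and with a hypothetical `adduser` handler that only builds the command in dry-run mode) shows the injectable pattern beside a hardened handler that validates the `name` value against a strict allow-list and passes it to `subprocess` as a single argv element, so shell metacharacters never reach `/bin/sh`:

```python
import re
import subprocess
from urllib.parse import parse_qs

# Allow-list for a POSIX-style account name: no whitespace, no shell metacharacters.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def build_command_vulnerable(name: str) -> str:
    """The injectable pattern: untrusted input concatenated into one shell string.

    If this string were run with shell=True (or os.system), everything after a
    ';', '|', '&&' or '`' in `name` would be parsed by /bin/sh as a new command.
    Shown only to contrast with the hardened version below; never executed here.
    """
    return f"adduser {name}"


def validate_username(name: str) -> str:
    """Reject anything that is not a plain account name (fullmatch, so no partial hits)."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError(f"invalid username {name!r}")
    return name


def build_command_hardened(name: str) -> list[str]:
    """Validated input becomes a single argv element; no shell is involved."""
    return ["adduser", validate_username(name)]


def add_user(name: str, dry_run: bool = True):
    """Run the hardened command. dry_run=True returns the argv instead of executing it."""
    argv = build_command_hardened(name)
    if dry_run:
        return argv
    # shell=False (the default) means argv[1] is delivered to adduser verbatim.
    return subprocess.run(argv, check=True, shell=False)


def handle_add_user(query_string: str) -> dict:
    """Hypothetical GET handler: parse the query, validate, and report what would run."""
    params = parse_qs(query_string)          # parse_qs also URL-decodes %3B -> ';'
    name = params.get("name", [""])[0]
    try:
        return {"status": "ok", "argv": add_user(name, dry_run=True)}
    except ValueError as exc:
        return {"status": "rejected", "reason": str(exc)}


if __name__ == "__main__":
    # Constructed sample requests: one benign, one carrying a URL-encoded ';'.
    for qs in ("name=alice", "name=alice%3Bid"):
        print(qs, "->", handle_add_user(qs))
```

The key design choice is that validation happens before the value is ever placed in a command, and the command is an argv list rather than a string; escaping a string for the shell is fragile, whereas an allow-list plus `shell=False` removes the shell from the path entirely.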
Google Warns of Rising Cloaking Scams, AI-Driven Fraud, and Crypto Schemes
Google has uncovered various tactics used by scammers to deceive users, including landing page cloaking, AI-generated deepfakes, and app cloning. These techniques aim to manipulate search rankings, impersonate legitimate sites, and conduct investment fraud. The company has observed trends in redirecting users to scareware sites and phony customer support pages. Google plans to release biannual advisories on online fraud and scams to raise awareness. The tech giant has taken legal action against app developers and fake review sellers, partnered with anti-scam organizations, and implemented new security features like live scam detection in its Phone app and real-time alerts in Google Play Protect to combat these threats.
Lazarus Group Targets macOS with RustyAttr Trojan in Fake Job PDFs
The Lazarus group, a North Korean state-backed APT, has developed a new macOS trojan called "RustyAttr" and a novel evasion technique that hides malicious code in extended attributes of files. This method, which has been in use since May 2024, makes the malware difficult to detect as the attributes are invisible by default. The attack typically involves a legitimate-looking application built with the Tauri framework, displaying fake job-related or cryptocurrency PDFs. The malicious script is hidden in a custom extended attribute and executed using JavaScript. While no confirmed victims have been identified, this new tactic demonstrates Lazarus' ongoing efforts to evade detection and compromise systems. Users are advised to verify file sources, keep macOS Gatekeeper enabled, and use advanced threat intelligence solutions for protection.
Malicious PyPI package with 37,000 downloads steals AWS keys
The malicious Python package 'fabrice' has been on PyPI since 2021, stealing AWS credentials from developers by typosquatting the popular 'fabric' library. With over 37,000 downloads, it executes platform-specific scripts for Windows and Linux. On Linux, it creates hidden directories and runs encoded shell scripts, while on Windows, it downloads and executes malicious payloads. The package's main goal is to steal AWS credentials using 'boto3' and exfiltrate them to a VPN server. It remained undetected due to the lack of retroactive scans by security tools. To mitigate risks, users should verify packages and consider using tools to detect typosquatting threats, while AWS admins should implement IAM for better access control.
North Korean hackers create Flutter apps to bypass macOS security
North Korean hackers have been targeting macOS systems using trojanized Notepad apps and minesweeper games created with Flutter, signed and notarized by a legitimate Apple developer ID. These apps, centered around cryptocurrency themes, temporarily bypassed Apple's security checks. Jamf Threat Labs discovered multiple apps on VirusTotal that appeared harmless but connected to servers associated with North Korean actors. The malware, built using Google's Flutter framework, makes detection more challenging. Some apps were signed with legitimate developer IDs and passed Apple's notarization process. While Apple has since revoked the signatures, it remains unclear if these apps were used in actual operations or merely for testing purposes to evaluate techniques for bypassing security software.
Sitting Ducks DNS Attacks Put Global Domains at Risk
A recent report by Infoblox Threat Intel reveals that over 1 million domains are potentially vulnerable to "Sitting Ducks" attacks, which exploit DNS misconfigurations to hijack domains for malicious purposes. The attack, active since 2018, takes advantage of "lame delegation" in DNS settings. Currently, 800,000 domains remain at risk, with 70,000 already hijacked. Cybercriminal groups like "Vipers" and "Hawks" are primary actors, using hijacked domains for various nefarious activities including spam operations, malware distribution, and phishing campaigns. The attacks are simple to execute but challenging to detect, impacting organizations, individuals, and security teams. Infoblox emphasizes the importance of regular DNS configuration reviews and increased awareness within the cybersecurity community to mitigate these risks.
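The "lame delegation" condition behind Sitting Ducks is checkable from the outside: the parent zone delegates a domain to a provider's nameservers, but those servers no longer answer authoritatively for it. The added example below (not Infoblox's tooling) expresses that check as a pure function that takes a query callback, so it runs here against a constructed snapshot of responses; the comment shows the dnspython calls (`dns.message.make_query`, `dns.query.udp`, `dns.flags.AA`) one would plug in for a live run, which is assumed rather than executed:

```python
# Constructed snapshot: what each delegated nameserver answered when asked directly
# for the zone's SOA record, as (rcode, authoritative-answer flag).
DELEGATED = ["ns1.provider.example", "ns2.provider.example"]
CONSTRUCTED_RESPONSES = {
    ("ns1.provider.example", "victim.example"):  ("REFUSED", False),
    ("ns2.provider.example", "victim.example"):  ("REFUSED", False),
    ("ns1.provider.example", "healthy.example"): ("NOERROR", True),
    ("ns2.provider.example", "healthy.example"): ("NOERROR", True),
    ("ns1.provider.example", "partial.example"): ("NOERROR", True),
    ("ns2.provider.example", "partial.example"): ("SERVFAIL", False),
}


def stub_query_soa(ns: str, domain: str):
    """Offline stand-in for a direct SOA query to `ns`; unknown pairs simulate a timeout."""
    try:
        return CONSTRUCTED_RESPONSES[(ns, domain)]
    except KeyError:
        raise TimeoutError(f"{ns} did not answer for {domain}")


# Live version (assumed, not run here), using dnspython:
#   import dns.message, dns.query, dns.flags, dns.rcode
#   def live_query_soa(ns_ip, domain):
#       resp = dns.query.udp(dns.message.make_query(domain, "SOA"), ns_ip, timeout=3)
#       return dns.rcode.to_text(resp.rcode()), bool(resp.flags & dns.flags.AA)


def find_lame_delegations(domain: str, delegated_ns, query_soa):
    """Return (nameserver, reason) for every delegated server that is not authoritative.

    A server is lame if it times out, returns a non-NOERROR rcode (REFUSED is the
    classic sign of an expired provider account), or answers without the AA flag.
    """
    lame = []
    for ns in delegated_ns:
        try:
            rcode, aa = query_soa(ns, domain)
        except TimeoutError:
            lame.append((ns, "timeout"))
            continue
        if rcode != "NOERROR":
            lame.append((ns, rcode))
        elif not aa:
            lame.append((ns, "not authoritative"))
    return lame


def fully_lame(domain: str, delegated_ns, query_soa) -> bool:
    """True when no delegated server serves the zone: the precondition for a Sitting Ducks takeover."""
    return len(find_lame_delegations(domain, delegated_ns, query_soa)) == len(delegated_ns)


if __name__ == "__main__":
    for d in ("healthy.example", "partial.example", "victim.example"):
        print(d, find_lame_delegations(d, DELEGATED, stub_query_soa), "fully lame:", fully_lame(d, DELEGATED, stub_query_soa))
```

A partial result (one server fine, one failing) still deserves a ticket: it usually means a provider migration was never finished, which is exactly the state that turns into a full lame delegation when the remaining account lapses.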
New Apple security feature reboots iPhones after 3 days, researchers confirm
Apple's latest iPhone software includes a new security feature that automatically reboots the device if it has not been unlocked for 72 hours. This "inactivity reboot" feature, confirmed by security researchers and forensic experts, enhances anti-theft protection by putting the iPhone in a more secure state, locking encryption keys in the Secure Enclave. While this makes it more challenging for law enforcement to access data from criminals' devices, it doesn't completely prevent access. The feature effectively transitions the iPhone from an "After First Unlock" state, where some data may be accessible, to a "Before First Unlock" state, which is significantly more difficult to compromise. This development continues Apple's trend of implementing security measures that have sometimes been opposed by law enforcement agencies.
Malware being delivered by mail, warns Swiss cyber agency
Switzerland's cybersecurity agency warned about fake letters purportedly from the national meteorological agency, which contain QR codes leading to malware. The malware, known as 'Coper' and 'Octo2', targets Android phones and can steal login details for over 383 mobile apps, including banking apps. The campaign is unusual in using postal mail as the delivery channel; the malicious app itself mimics a legitimate weather app. The agency advises affected users to factory reset their devices and urges recipients of such letters to report them before destroying them. The extent of the impact remains undisclosed, and protective measures are being implemented.
Debt Relief Firm Forth Discloses Data Breach Impacting 1.5 Million People
Forth, a debt relief solutions provider, has disclosed a data breach affecting 1.5 million individuals, discovered on May 21, 2024. The breach compromised personal information including names, addresses, dates of birth, and Social Security numbers. The company began notifying affected individuals on November 8, including customers of Centrex Software due to a business relationship. Forth is offering 12 months of free identity theft protection services to those impacted and advising vigilance in monitoring financial accounts and credit reports for suspicious activity.
Amazon confirms employee data stolen after hacker claims MOVEit breach
Amazon has confirmed a data breach affecting employee work contact information after a security incident at a third-party property management vendor. The company stated that its own systems remain secure and that no sensitive data like Social Security numbers or financial information was compromised. This confirmation follows claims by a threat actor on a hacking forum to have published stolen Amazon data, allegedly obtained during the MOVEit Transfer exploitation in 2023. The hacker claims to have data from multiple organizations and threatens further releases. The MOVEit breach, attributed to the Clop ransomware gang, impacted over 1,000 organizations last year and is considered the largest hack of 2023.
Hungary confirms hack of defense procurement agency
Hungarian officials confirmed that the country's defense procurement agency was targeted by an international hacker group, identified as INC Ransomware. The group claimed access to the agency's data and posted sample screenshots online. While the Ministry of National Defense stated that the agency doesn't store sensitive military data, Prime Minister Orbán's chief of staff acknowledged that information about military procurement plans could potentially be accessed. Hungarian media reported that the hackers breached the agency's servers, encrypting files and leaking screenshots of documents related to military capabilities. The attackers are reportedly demanding a $5 million ransom, with some of the leaked data dating as recently as October 2024.
Surge in zero-day vulnerability exploits is new normal, says Five Eyes
The Five Eyes intelligence alliance has issued a warning about the increasing exploitation of zero-day vulnerabilities by hackers to access networks. This represents a shift from previous years when older software vulnerabilities were more commonly exploited. The advisory lists the top 15 most exploited vulnerabilities of 2023, with a Citrix NetScaler issue being the most widely used. Other significant vulnerabilities affected Cisco routers, Fortinet VPN equipment, and the MOVEit file transfer tool. For the first time, the majority of vulnerabilities on the list were initially exploited as zero-days, a trend that has continued into 2024. The NCSC's chief technology officer emphasized the importance of prompt patch application and the use of secure-by-design products to reduce these risks.
Lessons from a Honeypot with US Citizens’ Data
The Trustwave SpiderLabs team reports on a honeypot website set up to monitor attacks targeting the 2024 US presidential election. The honeypot attracted a wide range of malicious activities, including brute-force attempts, SQL injection, and directory enumeration from various threat actors like cybercriminal groups and nation-state APTs. The findings highlight the critical need for robust security practices, such as prompt patching, strong access controls, and network monitoring, to protect election infrastructure from exploitation.
Massive Telecom Hack Exposes US Officials to Chinese Espionage
Chinese hackers, believed to be associated with the group Salt Typhoon, have conducted a large-scale cyber espionage campaign targeting US telecommunications providers. The FBI and CISA reported that the hackers stole customer call records, compromised private communications of select individuals involved in government or political activities, and accessed information related to law enforcement requests. The campaign affected major telecom companies like Verizon, AT&T, and Lumen Technologies, and potentially compromised phones of political figures including Donald Trump and staff members from Kamala Harris's campaign. The US government has formed a multi-agency team to address the hack, while a similar campaign has also targeted Canadian government officials.
Subscribe and come back next week to get another quick overview of recent industry events.