Cyber News - 16/02/2024

Your Cyber News of the day! "Be Cyber Smart, Be Cyber Secure."

Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor

Description:

The Russia-linked threat actor known as Turla has been observed using a new backdoor called TinyTurla-NG as part of a three-month-long campaign targeting Polish non-governmental organizations in December 2023.

"TinyTurla-NG, just like TinyTurla, is a small 'last chance' backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems," Cisco Talos said in a technical report published today.

Date: Thu, 15 Feb 2024

Source: https://thehackernews.com/2024/02/russian-turla-hackers-target-polish.html


Ivanti Pulse Secure Found Using 11-Year-Old Linux Version and Outdated Libraries

Description:

A reverse engineering of the firmware running on Ivanti Pulse Secure appliances has revealed numerous weaknesses, once again underscoring the challenge of securing software supply chains.

Eclypsium, which acquired firmware version 9.1.18.2-24467.1 as part of the process, said the base operating system used by the Utah-based software company for the device is CentOS 6.4, a 2013 release from a CentOS line that reached end of life in November 2020 and no longer receives security updates.

Date: Thu, 15 Feb 2024

Source: https://thehackernews.com/2024/02/ivanti-pulse-secure-found-using-11-year.html


Chinese Hackers Using Deepfakes in Advanced Mobile Banking Malware Attacks

Description:

A Chinese-speaking threat actor codenamed GoldFactory has been attributed to the development of highly sophisticated banking trojans, including a previously undocumented iOS malware called GoldPickaxe that's capable of harvesting identity documents, facial recognition data, and intercepting SMS.

Date: Thu, 15 Feb 2024

Source: https://thehackernews.com/2024/02/chinese-hackers-using-deepfakes-in.html


Volt Typhoon Hits Multiple Electric Utilities, Expands Cyber Activity

Description:

The portion of China's Volt Typhoon advanced persistent threat (APT) that focuses on infiltrating operational technology (OT) networks in critical infrastructure has already performed reconnaissance and enumeration of multiple US-based electric companies, while also targeting electric transmission and distribution organizations in African nations.

Date: Thu, 15 Feb 2024

Source: https://www.darkreading.com/vulnerabilities-threats/volt-typhoon-hits-multiple-electric-cos-expands-cyber-activity


Cyberattack Disrupts German Battery-Production Lines

Description:

It's unclear what kind of cyberattack VARTA AG is facing, but the company has shut down its IT systems and production as a precaution until it can bring them back online safely.

Date: Thu, 15 Feb 2024

Source: https://www.darkreading.com/cyberattacks-data-breaches/cyberattack-disrupts-german-battery-production-lines


Microsoft Exchange Server Flaw Exploited as a Zero-Day Bug

Description:

Microsoft has identified one of the critical vulnerabilities in Exchange Server that the company disclosed in February's Patch Tuesday update as actually being a zero-day threat that attackers are already actively exploiting.

CVE-2024-21410 is an elevation of privilege vulnerability that lets a remote, unauthenticated attacker who can leak a user's NTLM credentials from an NTLM client such as Outlook relay them to the Exchange server and authenticate as that user. Microsoft's mitigation is Windows Extended Protection for Authentication (EPA), which Exchange Server 2019 Cumulative Update 14 enables by default; earlier supported builds need it turned on with the vendor's ExchangeExtendedProtectionManagement.ps1 script.

Source: https://www.darkreading.com/cyberattacks-data-breaches/microsoft-exchange-server-flaw-exploited-zero-day-bug


AWS SNS Hijackings Fuel Cloud Smishing Campaign

Description:

Showcasing a previously unseen cyberattack technique, threat actors are using Amazon Web Services Simple Notification Service (AWS SNS) and a custom bulk-messaging spam script called SNS Sender to fuel an ongoing "smishing" campaign that impersonates the US Postal Service.

Date: Thu, 15 Feb 2024

Source: https://www.darkreading.com/cloud-security/aws-sns-compromises-fuel-cloud-smishing-campaign
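How a defender might spot this pattern in their own account, as an added example that is not from the Dark Reading article or from the SNS Sender tooling: it scans CloudTrail-style records for a single principal publishing to many distinct phone numbers in a short window. The records below are constructed; the field layout (eventSource, eventName, userIdentity.arn, sourceIPAddress, requestParameters.phoneNumber) follows CloudTrail's usual shape but is an assumption here, as are the threshold and window values.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed CloudTrail-style records (not real logs): one access key fires
# three direct-to-phone Publish calls within seconds, one service publishes to
# a topic (not SMS), and a support user sends a single legitimate SMS.
SAMPLE_EVENTS = [
    {"eventTime": "2024-02-15T10:00:01Z", "eventSource": "sns.amazonaws.com",
     "eventName": "Publish", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"phoneNumber": "+15555550101"}},
    {"eventTime": "2024-02-15T10:00:02Z", "eventSource": "sns.amazonaws.com",
     "eventName": "Publish", "sourceIPAddress": "10.0.4.21",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/alerts-bot"},
     "requestParameters": {"topicArn": "arn:aws:sns:us-east-1:123456789012:ops-alerts"}},
    {"eventTime": "2024-02-15T10:00:03Z", "eventSource": "sns.amazonaws.com",
     "eventName": "Publish", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"phoneNumber": "+15555550102"}},
    {"eventTime": "2024-02-15T10:00:04Z", "eventSource": "sns.amazonaws.com",
     "eventName": "Publish", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"phoneNumber": "+15555550103"}},
    {"eventTime": "2024-02-15T10:05:00Z", "eventSource": "sns.amazonaws.com",
     "eventName": "Publish", "sourceIPAddress": "10.0.4.30",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/support"},
     "requestParameters": {"phoneNumber": "+15555550199"}},
]


def is_sms_publish(event):
    """True for sns:Publish calls addressed straight to a phone number."""
    params = event.get("requestParameters") or {}
    return (event.get("eventSource") == "sns.amazonaws.com"
            and event.get("eventName") == "Publish"
            and "phoneNumber" in params)


def _parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_bulk_sms(events, threshold=3, window_seconds=60):
    """Flag principals that publish to >= threshold distinct phone numbers
    within any window_seconds window. Returns one finding per principal."""
    per_principal = defaultdict(list)
    for ev in events:
        if is_sms_publish(ev):
            per_principal[ev["userIdentity"]["arn"]].append(
                (_parse_time(ev["eventTime"]),
                 ev["requestParameters"]["phoneNumber"],
                 ev.get("sourceIPAddress", "?")))
    findings = []
    for arn, sends in per_principal.items():
        sends.sort()
        peak_numbers, start = set(), 0
        for end in range(len(sends)):
            # slide the window start forward until the span fits in window_seconds
            while (sends[end][0] - sends[start][0]).total_seconds() > window_seconds:
                start += 1
            numbers = {num for _, num, _ in sends[start:end + 1]}
            if len(numbers) > len(peak_numbers):
                peak_numbers = numbers
        if len(peak_numbers) >= threshold:
            findings.append({
                "principal": arn,
                "distinct_numbers": len(peak_numbers),
                "source_ips": sorted({ip for _, _, ip in sends}),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_bulk_sms(SAMPLE_EVENTS):
        print(f"ALERT bulk SMS from {finding['principal']}: "
              f"{finding['distinct_numbers']} numbers, ips={finding['source_ips']}")
```

Prevention is cheaper than detection here: a direct-to-phone Publish call carries no topic ARN, so an IAM policy that grants sns:Publish only on specific topic ARNs rather than "*" blocks SMS sending outright, and a low SNS monthly SMS spend limit caps the damage from any key that is stolen anyway.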


Rhysida ransomware cracked! Free decryption tool released

Description:

A group of South Korean security researchers have uncovered a vulnerability in the infamous Rhysida ransomware that provides a way for encrypted files to be unscrambled. Read more in my article on the Tripwire State of Security blog.

Date: Thu, 15 Feb 2024

Source: https://www.tripwire.com/state-of-security/rhysida-ransomware-cracked-free-decryption-tool-released


North Korea successfully hacks email of South Korean President’s aide, gains access to sensitive information

Description:

The office of South Korean president Yoon Suk Yeol has confirmed that North Korea hacked into the personal emails of one of its staff members. Read more in my article on the Hot for Security blog.

Date: Thu, 15 Feb 2024

Source: https://www.bitdefender.com/blog/hotforsecurity/north-korea-successfully-hacks-email-of-south-korean-presidents-aide-gains-access-to-sensitive-information/


Zeus, IcedID malware gangs leader pleads guilty, faces 40 years in prison

Description:

Ukrainian national Vyacheslav Igorevich Penchukov, one of the heads of the notorious JabberZeus cybercrime gang, has pleaded guilty to charges related to his leadership roles in the Zeus and IcedID malware groups.

Penchukov (also known as 'tank' and 'father') was arrested in Switzerland in October 2022 while traveling to meet his wife in Geneva and extradited to the United States in 2023.

Date: Thu, 15 Feb 2024

Source: https://www.bleepingcomputer.com/news/security/zeus-icedid-malware-gangs-leader-pleads-guilty-faces-40-years-in-prison/


US offers up to $15 million for tips on ALPHV ransomware gang

Description:

The U.S. State Department is offering rewards of up to $10 million for information that could lead to the identification or location of ALPHV/Blackcat ransomware gang leaders.

An additional $5 million bounty is also available for tips on individuals trying to take part in ALPHV ransomware attacks, likely to discourage affiliates and initial access brokers.

Date: Thu, 15 Feb 2024

Source: https://www.bleepingcomputer.com/news/security/us-offers-up-to-15-million-for-tips-on-alphv-ransomware-gang/


RansomHouse gang automates VMware ESXi attacks with new MrAgent tool

Description:

The RansomHouse ransomware operation has created a new tool named 'MrAgent' that automates the deployment of its data encrypter across multiple VMware ESXi hypervisors.

RansomHouse is a ransomware-as-a-service (RaaS) operation that emerged in December 2021 and is using double extortion tactics. In May 2022, the operation set up a dedicated victim extortion page on the dark web.

Date: Thu, 15 Feb 2024

Source: https://www.bleepingcomputer.com/news/security/ransomhouse-gang-automates-vmware-esxi-attacks-with-new-mragent-tool/


OpenAI blocks state-sponsored hackers from using ChatGPT

Description:

OpenAI has removed accounts used by state-sponsored threat groups from Iran, North Korea, China, and Russia that were abusing its artificial intelligence chatbot, ChatGPT.

The AI research organization took action against specific accounts associated with the hacking groups that were misusing its large language model (LLM) services for malicious purposes after receiving key information from Microsoft's Threat Intelligence team.

Date: Thu, 15 Feb 2024

Source: https://www.bleepingcomputer.com/news/security/openai-blocks-state-sponsored-hackers-from-using-chatgpt/


Over 13,000 Ivanti gateways vulnerable to actively exploited bugs

Description:

Thousands of Ivanti Connect Secure and Policy Secure endpoints remain vulnerable to multiple security issues first disclosed more than a month ago and which the vendor gradually patched.

The flaws are CVE-2024-22024, CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21888. Their severity ranges from high to critical, and they concern authentication bypass, server-side request forgery, arbitrary command execution, and command injection problems.

Date: Thu, 15 Feb 2024

Source: https://www.bleepingcomputer.com/news/security/over-13-000-ivanti-gateways-vulnerable-to-actively-exploited-bugs/


Three critical application security flaws scanners can’t detect

Description:

In today's interconnected world, web application security is crucial for business continuity. Yet, web application attacks are now involved in 25% of all breaches.

The article examines three limitations of automated vulnerability scanners and argues for complementing them with manual penetration testing:

  1. Logic flaws and business rule bypasses

  2. Incomplete coverage and inaccurate risk assessment

  3. Detection of advanced attack techniques

Date: Thu, 15 Feb 2024

Source: https://www.bleepingcomputer.com/news/security/three-critical-application-security-flaws-scanners-cant-detect/
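What the first limitation looks like in code, as an added example that is not from the article: a checkout total that a scanner never flags, since every request is valid JSON and every response is a 200, but that a manual tester breaks with a negative quantity and a coupon applied twice. The vulnerable function sits next to a hardened one that enforces the business rules. Prices, SKUs and the coupon code are constructed for the example.

```python
# Constructed server-side data (not from the article): prices and coupon
# values in cents, so there is no floating-point rounding to argue about.
CATALOG = {"sku-100": 2000, "sku-200": 500}
COUPONS = {"SAVE10": 1000}  # fixed-amount coupon, meant to be single-use per order


def total_vulnerable(cart, coupon_codes):
    """Trusts the client. Negative quantities act as discounts and the same
    coupon can be stacked, yet nothing crashes and nothing is injected,
    so a scanner has no signal to report."""
    total = sum(CATALOG.get(sku, 0) * qty for sku, qty in cart)
    for code in coupon_codes:
        total -= COUPONS.get(code, 0)
    return total


class OrderError(ValueError):
    """Raised when an order violates a business rule."""


def total_hardened(cart, coupon_codes, already_redeemed=frozenset(), max_qty=100):
    """Enforce the rules the business actually has: known SKU, positive and
    bounded integer quantity, each coupon known, unused and applied once,
    and a total that can never go below zero."""
    total = 0
    for sku, qty in cart:
        if sku not in CATALOG:
            raise OrderError(f"unknown sku {sku!r}")
        # type() rather than isinstance(): bool is a subclass of int
        if type(qty) is not int or not 1 <= qty <= max_qty:
            raise OrderError(f"bad quantity {qty!r} for {sku}")
        total += CATALOG[sku] * qty
    applied = set()
    for code in coupon_codes:
        if code not in COUPONS:
            raise OrderError(f"unknown coupon {code!r}")
        if code in applied or code in already_redeemed:
            raise OrderError(f"coupon {code!r} already used")
        applied.add(code)
        total -= COUPONS[code]
    return max(total, 0)


if __name__ == "__main__":
    attacker_cart = [("sku-100", 1), ("sku-200", -3)]
    print("vulnerable total:", total_vulnerable(attacker_cart, ["SAVE10", "SAVE10"]))
    try:
        total_hardened(attacker_cart, ["SAVE10", "SAVE10"])
    except OrderError as err:
        print("hardened rejected order:", err)
```

The hardened version still needs the redemption check to be atomic in a real store (mark the coupon used in the same transaction that records the order), otherwise two concurrent requests can each pass the `already_redeemed` test; that race is another class of flaw a scanner will not find.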


New Qbot malware variant uses fake Adobe installer popup for evasion

Description:

The developer of Qakbot malware, or someone with access to the source code, seems to be experimenting with new builds as fresh samples have been observed in email campaigns since mid-December.

One observed variant uses a fake Windows installer for an Adobe product to trick the user into running the malware.

Date: Thu, 15 Feb 2024

Source: https://www.bleepingcomputer.com/news/security/new-qbot-malware-variant-uses-fake-adobe-installer-popup-for-evasion/

