CISO Daily Update - April 11, 2024
NEW DEVELOPMENTS
AT&T Now Says Data Breach Impacted 51 Million Customers
Source: Bleeping Computer
AT&T contacted 51 million past and current customers of a data incident in which their personal information was exposed on a hacking forum. AT&T first denied ownership of the exposed data, but later recognized it. Although the leak affected nearly 70 million individuals, AT&T confirmed that 51,226,382 customers were affected. Names, email addresses, phone numbers, social security numbers, and other information were exposed beginning in June 2019. AT&T has not disclosed how the data was taken or why confirmation took nearly five years.
X Fixes URL Blunder That Could Enable Convincing Social Media Phishing Campaigns
Source: The Register
In a security lapse, the social media platform X (formerly Twitter) implemented a flawed rule that automatically changed any mention of "Twitter" in URLs to "X," even in potentially malicious links. For example, “NetfliTwitter[.]com” would automatically change to “Netflix[.]com” on the platform. As such, this issue would allow bad actors to create convincing phishing campaigns by displaying legitimate-looking URLs that redirect users to malicious sites. The issue went unresolved for several hours before being fixed.
Beware: GitHub's Fake Popularity Scam Tricking Developers into Downloading Malware
Source: The Hacker News
Threat actors are exploiting GitHub's search functionality to trick developers into downloading malicious repositories that contain malware. They create fake repositories with popular names and topics, and use techniques like automated updates and fake stars to boost search rankings and deceive users. The malware is designed to download next-stage payloads from a remote URL, and in some cases, it can divert cryptocurrency transactions to attacker-owned wallets. Developers should exercise caution when downloading source code from open-source repositories and not solely rely on reputation as a metric for trustworthiness.
Malicious PowerShell Script Pushing Malware Looks AI-Written
Source: Bleeping Computer
A recent cybersecurity incident involving the distribution of the Rhadamanthys information stealer in Germany highlights the emergence of AI-generated malicious PowerShell scripts. Researchers at Proofpoint identified a threat actor targeting numerous organizations with a malicious PowerShell script likely created with AI assistance. The script is distributed via phishing emails, impersonates the Metro cash-and-carry brand, and executes the Rhadamanthys payload in memory to bypass traditional detection methods.
Cagey Phishing Campaign Delivers Multiple RATs to Steal Windows Data
Source: Darkreading
A sophisticated phishing campaign is targeting Windows users with malicious invoice emails. These emails contain SVG file attachments that unleash a multi-layered attack when opened. Obfuscated scripts and tools like ScrubCrypt and BatCloak cloak the attackers' activities, allowing them to bypass detection and deploy the data-stealing malware VenomRAT. This malware grants remote access to attackers to steal sensitive information and potentially download additional malicious plugins for further malicious activities.
Telegram Dismisses Claims of ‘High-risk’ RCE Bug in its Desktop Application
Source: The Cyber Express
Telegram dismissed claims of a 'high-risk' remote code execution (RCE) vulnerability in its desktop application–refuting allegations made by CertiK, a blockchain security firm. Despite CertiK's warnings regarding potential exploitation through specifically crafted media files, Telegram asserts that the video proof of the alleged vulnerability is likely a hoax. The company encourages users to report any vulnerabilities through its bug-bounty program, offering rewards ranging from $100 to $100,000.
Raspberry Robin Returns: New Malware Campaign Spreading Through WSF Files
Source: The Hacker News
Threat actors discovered a new method to distribute the Raspberry Robin malware–spreading it through malicious Windows Script Files (WSFs) since March 2024. These malicious WSF files function as downloaders to retrieve the main DLL payload but first perform anti-analysis checks and configure Microsoft Defender exclusions to evade detection. This latest campaign demonstrates the evolving tactics of Raspberry Robin which has expanded from USB-based distribution to also delivering other payloads like SocGholish, Cobalt Strike, and ransomware variants.
领英推荐
Researchers Resurrect Spectre v2 Attack Against Intel CPUs
Source: Security Week
Researchers from the VUSec cybersecurity group at VU Amsterdam developed a new variation of the Spectre v2 attack that can target the latest-generation Intel CPUs–including the Linux kernel. The attack, dubbed "Branch History Injection (BHI)," bypasses existing hardware and software mitigations by leveraging newly discovered kernel-level "gadgets" that can be exploited. The researchers created a "InSpectre Gadget" tool that automatically identifies exploitable gadgets. Additionally, the VUSec cybersecurity group demonstrated the attack's ability to leak sensitive data like root password hashes at a rate of 3.5 Kb/sec. In response, Intel updated its guidance on mitigation methods, though future processors are expected to address the BHI attack in hardware.
VULNERABILITIES TO WATCH
Multiple Fortinet Vulnerabilities Let Attackers Execute Arbitrary Code
Source: Cyber Security News
Fortinet fixed many vulnerabilities in FortiOS and FortiProxy, including administrator cookie leakage, arbitrary code execution, and sensitive information exposure. These vulnerabilities are identified as CVE-2023-41677, CVE-2023-48784, and CVE-2024-23662s. Severity varies from medium to high, with potential implications including unauthorized data access and arbitrary code execution. Users are encouraged to upgrade to the most recent versions to mitigate these risks.
Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks
Source: The Hacker News
A critical vulnerability named "BatBadBut" in the Rust standard library exposes Windows systems to command injection attacks–a critical risk with a 10.0 CVSS score. This flaw (CVE-2024-24576) affects versions of Rust prior to 1.77.2 and arises when batch files are invoked with untrusted arguments. Attackers can exploit this vulnerability to execute arbitrary shell commands by bypassing the escaping mechanism in the Rust standard library. Implementing best practices for command execution on Windows such as restricting access to batch files and validating input is critical in preventing potential attacks.
SPECIAL REPORTS
Top MITRE ATT&CK Techniques and How to Defend Against Them
Source: Darkreading
Command and scripting interpreters (T1059) and phishing (T1566) dominate the field of MITRE ATT&CK techniques–as highlighted by D3 Security's analysis of over 75,000 recent cybersecurity incidents. Malicious scripts constitute the most common attack method and were utilized in 52.22% of incidents–commonly written in PowerShell and Python. Phishing, encompassing general and spear-phishing, follows at 15.44%. Defenders can focus on mitigating these threats by implementing thorough incident response plans, education and awareness campaigns, multifactor authentication (MFA), and vigilant security monitoring.
Women Experience Exclusion Twice as Often as Men in Cybersecurity
Source: Infosecurity Magazine
A new report by Women in Cybersecurity (WiCyS) and DEI firm Aleria found that women in cybersecurity experience exclusion at a rate twice as high as men across various categories–including respect, career growth, access, and recognition. The main sources of exclusion were leadership and direct managers, with women citing a "glass ceiling" in their careers around the 6-10 year mark. However, companies that partner with WiCyS showed 49% fewer instances of exclusion and 64% higher employee satisfaction, highlighting the tangible business benefits of addressing these disparities through inclusive policies. The report reinforces the need to create more equitable and supportive work environments for women in the male-dominated cybersecurity industry.
What’s Going On With the National Vulnerability Database?
Source: Cybersecurity Dive
The National Vulnerability Database (NVD), the federal government's repository for cybersecurity vulnerability data, is struggling to keep up with the rapidly increasing number of software and hardware flaws being disclosed. As such, a growing backlog is affecting security professionals, researchers, and vendors who rely on the authoritative NVD data. Faced with a record-breaking 33,000 vulnerability disclosures in 2022, a 318% increase since 2005, the National Institute of Standards and Technology has had to scale back NVD operations and prioritize only the most severe or actively exploited flaws–resulting in less comprehensive coverage and problems downstream as the cybersecurity community deals with the NVD's temporary slowdown and long-term sustainability challenges.