CISO Daily Update - April 15, 2024
NEW DEVELOPMENTS
Gmail And YouTube Hackers Bypass Google’s 2FA Account Security
Source: Forbes
Google users reported on support forums that their Gmail and YouTube accounts were compromised even with 2FA security enabled. The attackers appear to be part of a cryptocurrency scam that somehow bypasses 2FA protections. The most likely method is a session cookie hijacking attack, in which attackers capture the authentication cookies after a user successfully logs in and then replay those cookies to gain access without ever needing the 2FA code. Google acknowledges this as a longstanding security challenge and says users have up to 7 days to recover their accounts using their original recovery factors if 2FA and other settings have been changed. The issue extends to YouTube, where threat actors distribute information-stealing malware through compromised gamer-focused channels, using pirated game content as bait.
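The defensive counterpart to the cookie replay described above is to bind each session to the client that completed 2FA and to revoke it on mismatch. This is an added illustration, not code from Google or the Forbes article; the session store, fingerprint scheme, and 8-hour lifetime are assumptions for the example.

```python
# Added example (not from the Forbes article): server-side session binding that
# limits the value of a stolen, replayed authentication cookie.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

SESSION_MAX_AGE = 8 * 3600  # absolute lifetime in seconds (assumed policy)


def _fingerprint(ip: str, user_agent: str) -> str:
    # Coarse client binding: the /24 of the IP plus the User-Agent string.
    # Assumption: a change in both is more likely a replayed cookie than roaming.
    net = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{net}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    created: float
    fingerprint: str
    mfa_verified: bool = True  # set at login after the 2FA step succeeds


@dataclass
class SessionStore:
    sessions: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)  # what the SOC would consume

    def login(self, user, ip, user_agent, now=None):
        token = secrets.token_urlsafe(32)  # the value that goes into the cookie
        self.sessions[token] = Session(user, now or time.time(), _fingerprint(ip, user_agent))
        return token

    def validate(self, token, ip, user_agent, now=None):
        """Return (ok, reason). A fingerprint mismatch revokes the session and
        records an alert, so a replayed cookie buys at most one failed request."""
        now = now or time.time()
        s = self.sessions.get(token)
        if s is None:
            return False, "unknown-token"
        if now - s.created > SESSION_MAX_AGE:
            del self.sessions[token]  # bound the replay window with an absolute expiry
            return False, "expired"
        if not hmac.compare_digest(s.fingerprint, _fingerprint(ip, user_agent)):
            del self.sessions[token]  # force a fresh login, including 2FA
            self.alerts.append({"user": s.user, "reason": "cookie-replay-suspected"})
            return False, "client-mismatch"
        return True, "ok"
```

Hard IP binding will also revoke legitimate sessions of roaming mobile users; a production deployment usually answers a mismatch with step-up authentication rather than a silent logout, but the alert is worth keeping either way.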
CISA Issues Emergency Directive After Midnight Blizzard Microsoft Hits
Source: Darkreading
CISA issued an emergency directive after a Russian state-sponsored threat group (Midnight Blizzard) targeted Microsoft email accounts in a recent campaign. While federal agencies were primary targets, CISA advises all organizations to enhance their security measures due to the high risk. The directive requires affected agencies to assess and secure their Microsoft email systems, reset compromised credentials, and safeguard privileged Azure accounts. Additionally, CISA emphasizes the importance of robust security practices including strong passwords and multifactor authentication for all organizations.
US Sanctions Hamas ‘Cyber Influence’ Leader
Source: The Record
The US Treasury Department sanctioned Hudhayfa Samir Abdallah al-Kahlut, a Hamas leader who is believed to run the "cyber influence department" of the organization's military arm in Gaza. Officials allege al-Kahlut acquired servers and domains in Iran to host the official al-Qassam Brigades website and has been the group's public spokesperson since 2007. The penalties are intended to impede Hamas' cyber and unmanned aerial vehicle capabilities, and the Treasury Department warns that it will continue targeting the organization's facilitation networks. The penalties come amid rising concerns that the conflict between Hamas and Israel would intensify regionally, with Iran-linked hacking organizations threatening retaliation attacks on US water systems.
Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack
Source: The Hacker News
Cybersecurity researchers uncovered a zero-day attack exploiting a critical vulnerability in Palo Alto Networks' PAN-OS software that enables unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. The threat actors, tracked as "Operation MidnightEclipse," have been actively exploiting the flaw since March 26, 2024, weeks before it was disclosed publicly. The attack involves deploying a Python-based backdoor to fetch commands from an external server, leveraging legitimate firewall files to hide the command outputs, and gaining remote access to target networks to steal sensitive data. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog, and Palo Alto Networks was expected to release fixes by April 14; organizations are urged to monitor for signs of lateral movement from their Palo Alto Networks GlobalProtect firewall devices.
Crooks Manipulate GitHub’s Search Results to Distribute Malware
Source: Security Affairs
Threat actors are manipulating GitHub search results to distribute persistent malware to developers. They create malicious repositories with popular names and topics, then use tactics like automated updates and fake stars to boost search rankings. When developers access these repositories, they risk downloading and executing code that can compromise their systems. The attackers conceal payloads in Visual Studio project files and employ evasion techniques like padding executables to bypass security solutions.
FatalRAT Targets Cryptocurrency Users With DLL Side-loading Techniques
Source: The Cyber Express
Cybersecurity researchers uncovered a sophisticated phishing campaign that leverages the notorious FatalRAT malware to target cryptocurrency users. The phishing lure closely mimics the Exodus cryptocurrency wallet interface; once the malware is installed, it grants attackers unauthorized access and lets them intercept sensitive information and transactions. The campaign uses DLL side-loading techniques to evade detection, and technical analysis points to a known threat group given similarities to previous campaigns.
Firebird RAT Creator and Seller Arrested in the U.S. and Australia
Source: Bleeping Computer
Law enforcement agencies, including the Australian Federal Police (AFP) and the FBI, arrested and charged two individuals believed to be behind the development and distribution of the "Firebird" remote access trojan (RAT), later rebranded as "Hive." The Firebird/Hive RAT was promoted as a remote administration tool, but features such as stealthy access, password recovery, and privilege elevation exploits revealed its intended malicious use. The Australian man faces charges for the production, control, and supply of data to commit computer offenses, while the U.S. defendant is accused of marketing the Hive RAT, facilitating Bitcoin transactions, and providing support to purchasers, some of whom intended to use the tool for illegal activities.
VULNERABILITIES TO WATCH
Exploitation of Unpatched D-Link NAS Device Vulnerabilities Soars
Source: Security Week
Cybersecurity researchers identified a surge in exploitation attempts targeting unpatched vulnerabilities in D-Link network-attached storage (NAS) devices. Identified as CVE-2024-3272 and CVE-2024-3273, these flaws allow unauthenticated attackers to remotely access the device's web management interface and execute arbitrary commands. The number of unique IP addresses attempting to exploit these vulnerabilities has risen dramatically, with threat intelligence firms observing over 150 IPs targeting the D-Link NAS devices, some associated with Mirai-like botnets. The US Cybersecurity and Infrastructure Security Agency (CISA) added both vulnerabilities to its Known Exploited Vulnerabilities catalog, requiring government agencies to address them by May 2, and included an additional 16 D-Link product vulnerabilities in its advisory. The affected products have reached end-of-life and will not receive patches.
Telegram Fixes Windows App Zero-Day Used to Launch Python Scripts
Source: Bleeping Computer
Telegram addressed a zero-day vulnerability in its Windows app that allowed Python scripts to execute automatically without security warnings. Initially disputed, the flaw involved a typo in Telegram's code that enabled the execution of Python scripts without user consent. Attackers could exploit this by sending malicious files disguised as videos, which ran the script as soon as the recipient clicked them. Telegram implemented a server-side fix that appends the ".untrusted" extension to Python files, preventing automatic execution and showing a security warning instead.
SPECIAL REPORTS
Top 10 Most Common WordPress Vulnerabilities to Look Out For in 2024
Source: The Cyber Express
WordPress, which powers 63.3% of the CMS market share, faces significant security challenges with over 13,000 daily hack attempts. Most vulnerabilities (97%) arise from plugins. Zombie plugins and abandoned developers exacerbate risks, with 5,948 vulnerabilities reported recently. XSS vulnerabilities rank highest (53.3%), followed by CSRF (16.9%) and broken access control (12.9%). Addressing these vulnerabilities requires vigilance in updates, user authentication, and good hosting quality. Understanding causes like weak credentials and outdated software is crucial, with proactive measures and adherence to security best practices required for risk mitigation.