CISO Daily Update - March 1, 2024
NEW DEVELOPMENTS
Twenty Billion Scam Calls Repelled by T-Mobile’s First Line of Defense
Source: Cybernews
T-Mobile reports a substantial decline in scam phone attempts in 2023 with the company discovering or blocking 19.8 billion bogus calls last year. The telecom attributed its achievement to network advances and government action–resulting in a 51% decrease in fraud attempts compared to the previous year. Despite the drop, T-Mobile highlights the continuous threat posed by scammers who continue to shift strategies. The report emphasizes the ubiquity of caller ID spoofing and the exploitation of seasonal moments to carry out their scams; healthcare and financial scams were reported as the most prominent scam types.
Airbnb Scammers Pose as Hosts, Redirect Users to Fake Tripadvisor Site
Source: Help Net Security
Scammers on Airbnb are employing deceptive tactics–e.g., feigning technical issues and inflated fees to lure users to a fraudulent Tripadvisor website to steal their money. Malwarebytes researchers uncovered the scam when attempting to book an apartment through Airbnb. The scammers prompt users to contact them via email and then redirect them to a spoofed Tripadvisor site. With over 220 related websites identified, users are urged to exercise caution, avoid off-platform bookings, and scrutinize emails and websites for authenticity.
Dark Web Market Revenues Rebound but Sector Fragments
Source: Infosecurity Magazine
Dark web marketplaces saw a resurgence in cryptocurrency-based revenues in 2023, totaling an estimated $1.7 billion. This surge follows a challenging year in 2022 marked by the closure of Hydra, the largest player in the space. Despite the rebound, the sector has become more fragmented with specialized dark web markets replacing dominant players like Silk Road and AlphaBay. Chainalysis data reveals a shift towards niche-focused markets that offer specific goods and services such as cybercrime enablement, drug sourcing, and illicit laundering. Moreover, adopting third-party crypto-payment processors via API calls reflects market operators' efforts to reduce costs, enhance efficiency, and bolster security.
New Bifrost Malware for Linux Mimics VMware Domain for Evasion
Source: Bleeping Computer
A fresh Linux variant of the Bifrost remote access trojan (RAT) has emerged and includes sophisticated evasion tactics–e.g., using a deceptive domain that resembles a legitimate VMware domain. Palo Alto Networks' Unit 42 researchers observed a surge in Bifrost activity, leading to their discovery of this stealthier variant. With enhanced operational capabilities, encryption methods, and support for ARM architectures, the malware poses an evolving threat that requires increased vigilance.
New Backdoor Targeting European Officials Linked to Indian Diplomatic Events
Source: The Hacker News
A previously unknown threat actor named SPIKEDWINE has been identified targeting European officials associated with Indian diplomatic missions. The threat actor is using a newly discovered backdoor called WINELOADER. The attack, characterized by its low volume and advanced tactics, uses a malicious PDF file that pretends to be an invitation to a wine-tasting event from the Ambassador of India. The PDF contains a link to an HTML application that downloads and executes the WINELOADER malware–packed with modules for remote command and control communication and evasion techniques to avoid detection.
Golden Corral Restaurant Chain Data Breach Impacts 183,000 People
Source: Bleeping Computer
The well-known restaurant chain Golden Corral announced that a data breach affected approximately 180,000 people, including beneficiaries and current and former workers. The breach occurred between August 11 and August 15, 2023, exposing sensitive personal information to hackers, such as social security numbers, bank account information, and medical records. In addition to tightening security and working with law enforcement, Golden Corral recommends that affected people remain vigilant to avoid identity theft.
Android Money Transfer XHelper App Exposed as Money Laundering Network
Source: Hackread
CloudSEK researchers have uncovered the XHelper app, distinct from the notorious XHelper malware, as a key player in Chinese scammers' large-scale money laundering operations. Operating under the guise of legitimate money transfer businesses, the XHelper app facilitates illicit activities such as fake payment gateways and illegal gambling. Through a network of recruited money mules and deceptive payment systems, the app enables the swift conversion of funds into cryptocurrencies and subsequent transfer to China; after deducting commissions, scammers receive payments in USDT (a cryptocurrency designed to maintain a stable price). The sophisticated operation, facilitated by the XHelper app, utilizes a pyramid-like structure and referral system to recruit agents and incentivize participation.
VULNERABILITIES TO WATCH
Chinese Hackers Exploiting Ivanti VPN Flaws to Deploy New Malware
Source: The Hacker News
Chinese-linked cyber espionage groups UNC5325 and UNC3886 are leveraging security vulnerabilities in Ivanti Connect Secure VPN appliances to deploy sophisticated malware, including LITTLELAMB.WOOLTEA and PITSTOP. The exploitation of CVE-2024-21893, a server-side request forgery (SSRF) flaw in Ivanti products, has enabled UNC5325 to target a limited number of devices since January 19, 2024. Mandiant researchers have identified overlaps between UNC5325 and UNC3886, suggesting a coordinated campaign. Meanwhile, Dragos has attributed China-sponsored Volt Typhoon to reconnaissance activities targeting U.S. electric companies and telecommunications providers, expanding its victimology to include African electric transmission entities and linking it to UTA0178.
Lazarus Hackers Exploited Windows Kernel Flaw as Zero-Day in Recent Attacks
Source: The Hacker News
The infamous Lazarus Group utilized a zero-day privilege escalation vulnerability (CVE-2024-21338) in the Windows Kernel to gain kernel-level access and disable security software on affected systems. The flaw, patched by Microsoft in recent updates, allows attackers to abuse a driver already installed on target machines, bypassing traditional security checks. Lazarus leveraged this exploit to execute its FudModule rootkit, enhancing its evasion capabilities and disabling security solutions like AhnLab V3 Endpoint Security and Microsoft Defender Antivirus. The attack highlights the group's evolving sophistication and cross-platform focus, as previous campaigns targeted macOS systems.
Cisco Patches High-Severity Vulnerabilities in Data Center OS
Source: Security Week
Cisco released its semiannual FXOS and NX-OS security advisory bundle, which addresses four vulnerabilities including two high-severity flaws in NX-OS software. The first high-severity bug, CVE-2024-20321, enables an unauthenticated, remote attacker to trigger a denial-of-service (DoS) condition by flooding External Border Gateway Protocol (eBGP) traffic. The second high-severity issue, CVE-2024-20267, allows attackers to cause a DoS condition by exploiting a flaw in processing MPLS frames. These vulnerabilities affect various Nexus series switches and are mitigated in NX-OS software versions 9.3(12), 10.2(6), and 10.3(4a). Additionally, Cisco patched two medium-severity flaws, one involving Link Layer Discovery Protocol (LLDP) frame handling and the other related to ACL programming in port channel subinterfaces. Another medium-severity vulnerability affecting UCS fabric interconnects in Intersight Managed Mode (IMM) was also addressed. Cisco has not observed any active exploitation of these vulnerabilities.
Meta Patches Facebook Account Takeover Vulnerability
Source: Security Week
Meta has patched a critical vulnerability discovered by cybersecurity researcher Samip Aryal that could have been exploited to take over any Facebook account via a brute-force attack. The flaw, affecting Facebook's password reset process, allowed attackers to exploit the absence of brute-force protection on a six-digit unique authorization code sent to a different device for user identity verification. With knowledge of the target's username, attackers could use tools like Burp Suite to brute-force the code within the two-hour active window. Upon exploitation, the target received a notification from Facebook containing the code, either directly or through a tap-to-reveal prompt. Aryal reported the vulnerability to Meta on January 30, and it was patched by February 2. While the exact bug bounty amount received by Aryal remains undisclosed, it is presumed to be significant given the flaw's severity. Meta's bounty guidelines indicate payouts ranging from $5,000 to $130,000 for account takeover exploits, with zero-click exploits potentially earning the maximum reward.
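The control missing from the Facebook reset flow described above is a bound on guesses against the six-digit code during its two-hour validity window. The following Python is an added illustration, not Meta's code or anything from the Security Week article: it models a reset-code verifier in the weak form beside a hardened form. The class name, the five-attempt lockout, and the single-use rule are assumptions chosen for the example.

```python
"""Added example: password-reset code verifier, weak form beside hardened form.
Not Meta's implementation; limits and names below are assumptions."""
import hmac
import secrets
import time

CODE_DIGITS = 6                  # six-digit code, as in the article
CODE_TTL_SECONDS = 2 * 60 * 60   # two-hour active window, as in the article
MAX_ATTEMPTS = 5                 # assumed lockout threshold (not from the article)


class ResetCodeStore:
    """Holds one outstanding reset code per username. `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}  # username -> [code, issued_at, failed_attempts]

    def issue(self, username):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[username] = [code, self._now(), 0]
        return code

    def verify_unprotected(self, username, guess):
        """Weak form: only the expiry is checked. Nothing limits repeated guesses,
        so the whole 10**6 code space can be tried inside the validity window."""
        entry = self._codes.get(username)
        if entry is None or self._now() - entry[1] > CODE_TTL_SECONDS:
            return False
        return hmac.compare_digest(entry[0], guess)

    def verify_protected(self, username, guess):
        """Hardened form: expiry, bounded failed attempts, single use,
        constant-time comparison. Any exhausted code forces a fresh reset request."""
        entry = self._codes.get(username)
        if entry is None:
            return False
        code, issued_at, failed = entry
        if self._now() - issued_at > CODE_TTL_SECONDS or failed >= MAX_ATTEMPTS:
            self._codes.pop(username, None)  # code is dead; do not leak why
            return False
        if hmac.compare_digest(code, guess):
            self._codes.pop(username, None)  # single use: a correct code is consumed
            return True
        entry[2] += 1                         # count the miss toward lockout
        return False
```

With a real clock, a server should also rate-limit the reset endpoint itself and alert on a burst of failed verifications for one account, since the lockout counter alone is per-code.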
CISA Adds Microsoft Streaming Service Bug to Its Known Exploited Vulnerabilities Catalog
Source: Security Affairs
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the CVE-2023-29360 Microsoft Streaming Service Untrusted Pointer Dereference vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. With a CVSS score of 8.4, this vulnerability allows attackers to gain SYSTEM privileges. The flaw was discovered by Thomas Imbert from Synacktiv through the Trend Micro Zero Day Initiative, and the availability of proof-of-concept (PoC) code has enabled multiple threat actors to incorporate the exploit into their attack chains. Analysis of Raspberry Robin samples revealed exploitation of this vulnerability before October 2023. Public disclosure of the exploit occurred in June, with Raspberry Robin utilizing it in August. In accordance with Binding Operational Directive (BOD) 22-01, federal agencies must address this vulnerability by March 21, 2024, to protect their networks against exploitation. Private organizations are also advised to review the catalog and address vulnerabilities in their infrastructure to enhance security measures.
SPECIAL REPORTS
The Imperative for Modern Security: Risk-Based Vulnerability Management
Source: Security Week
The need for risk-based vulnerability management has arisen due to increased cyber threats. Organizations can enhance their resilience against attacks, optimize resource allocation, and adopt a proactive security stance by ranking vulnerabilities based on their potential impact and coordinating security tactics with business objectives. A full set of actions is needed to shift to a risk-based strategy, such as in-depth risk assessments, automation, integration with risk management frameworks, and continuous improvement. Vulnerability detection and repair processes can be streamlined by utilizing automation and AI-powered technologies, providing quicker response times and more effective resource use.
JCDC’s Strategic Shift: Prioritizing Cyber Hardening
Source: Help Net Security
In an interview with Help Net Security, Geoffrey Mattson, CEO of Xage Security, provides insights into the Joint Cyber Defense Collaborative's (JCDC) evolution since its inception in 2021 and outlines its strategic priorities for 2024. With a heightened focus on cyber hardening in response to escalating threats, JCDC aims to bolster national security by fortifying critical infrastructure, defending against advanced persistent threat (APT) operations, enhancing election security, and promoting the Secure by Design initiative.
CWE Version 4.14 Released: What’s New!
Source: Cyber Security News
The Common Weakness Enumeration (CWE) project has unveiled version 4.14, significantly enhancing the community-developed list of common software and hardware weakness types. This latest release introduces new CWE entries focusing on microprocessor security, including vulnerabilities in hardware-level components. Additionally, a new view aligning with ISA/IEC 62443 standards aims to bolster industrial automation and control system security. Software security categorization and description improvements further enhance the understanding and mitigation of vulnerabilities throughout the software development lifecycle.
Senior Account Executive @ Holm Security | Boosting Holm Security's Global Presence: Sales Expansion and Partner Growth for Europe's top rapidly expanding cybersecurity firm: Redefining Vulnerability Management!
1 year ago: Staying on top of cybersecurity trends is crucial in today's evolving landscape.
Internal Audit, IT/OT Cybersecurity | AI Ops | ICS Security | Big 4 Alum | Lifelong Learner | MBA | MSc Cyber | AZ-104 | AZ-500 | CISM | PMP | CISA | CHIAP | CIA | CFE | CDPSE | CRISC | CRMA
1 year ago: Great insights into the current cybersecurity landscape! Stay vigilant and keep up the good work. #cybersecurity
Project Manager - I help entrepreneurs test their business ideas before launching their product/service.
1 year ago: Great insights on the latest cybersecurity developments! Your update will definitely help many in staying informed and prepared.
Helping tech CEOs and HR leaders fix leadership gaps, scale operations, and boost team accountability—without team turnover, leadership fatigue, or constant firefighting. Ask me about my Elite Performance Intensive
1 year ago: Quite a comprehensive update! It's concerning to see the rise in dark web revenues and the sophistication of scams. Risk-based vulnerability management and cyber hardening seem like logical countermeasures.