CISO Daily Update - March 15, 2024
NEW DEVELOPMENTS
SIM Swappers Now Stealing Phone Numbers From eSIMs
Source: Bleeping Computer
SIM swappers have extended their tactics to phone numbers stored on eSIMs, the embedded, remotely provisioned SIM profiles found in modern smartphones, exploiting the fact that an eSIM can be reprogrammed without physical access to a card. Russian cybersecurity firm F.A.C.C.T. reports a surge in attacks in which criminals hijack eSIMs to reach bank accounts and other online services. After compromising the victim's account with the mobile carrier, attackers move the number to an eSIM on their own device and from then on receive the one-time codes that protect the victim's accounts. To mitigate these threats, experts advise complex, unique passwords, two-factor authentication, and additional protection for sensitive accounts such as e-banking and cryptocurrency wallets; where a service offers it, an authenticator app or hardware key is a better second factor than SMS, because it does not depend on the phone number.
Meta Sues Former VP After Defection to AI Startup
Source: Infosecurity Magazine
Meta initiated legal action against its former Vice President of infrastructure, Dipinder Singh (TS) Khurana, accusing him of unlawfully taking employee and business contracts before resigning and joining an AI startup. The lawsuit was filed in a California state court on February 29, alleging Khurana violated his contract by absconding with proprietary and confidential documents related to Meta's business and personnel. Khurana purportedly transferred these documents to his personal Google Drive and Dropbox accounts before departing for Omniva, a stealth AI startup he joined in June 2023 along with several former Meta employees. A recent Code42 report found that 85% of cybersecurity leaders anticipate increased data loss from insider events over the next year.
RedLine Malware Top Credential Stealer of Last 6 Months
Source: SC Magazine
RedLine malware has emerged as the predominant credential stealer of the past six months, tied to more than 170 million stolen passwords. That is 47% of the stolen passwords in the data set, well ahead of its closest competitor, Vidar, with more than 65 million (17%), and Raccoon Stealer, with more than 42 million (11.7%). The figures were compiled by KrakenLabs and Specops from breached password lists and reinforce how pervasive credential-stealing malware is; because stealers lift credentials straight from infected endpoints, password complexity rules offer no protection, and the practical defence is detecting the infection and resetting credentials that turn up in such lists.
DarkGate Malware Exploited Recently Patched Microsoft Flaw in Zero-Day Attack
Source: The Hacker News
A DarkGate malware campaign observed in mid-January 2024 exploited a Microsoft Windows SmartScreen security feature bypass (CVE-2024-21412) as a zero-day, before Microsoft patched it in its February 2024 updates. The lures were PDFs containing open redirects that led victims to fake software installers carrying the malware. The same flaw was earlier exploited by the threat actor Water Hydra (also known as DarkCasino) against financial institutions. The attack chain of phishing email, embedded link, open redirect and fake installer reinforces the importance of caution with unsolicited attachments or downloads, and the patch should be applied wherever SmartScreen warnings are relied on for downloaded files.
Tech Support Firms Restoro, Reimage Fined $26 Million for Scare Tactics
Source: Bleeping Computer
Restoro and Reimage, two tech support firms, face a $26 million fine for employing scare tactics to coerce customers into purchasing unnecessary computer repair services. The U.S. Federal Trade Commission (FTC) took action against these Cyprus-based companies, citing deceptive marketing practices that preyed on consumers, particularly older individuals. The companies utilized fake system warnings, misrepresented scan results, and pressured customers into paying for repair plans. The FTC's proposed order prohibits Restoro and Reimage from engaging in deceptive telemarketing and misrepresenting security or performance issues to manipulate consumers.
RedCurl Cybercrime Group Abuses Windows PCA Tool for Corporate Espionage
Source: The Hacker News
The Russian-speaking cybercrime group RedCurl has been observed abusing the Program Compatibility Assistant (PCA), a legitimate Microsoft Windows component, to launch its malicious commands. The PCA launcher binary, pcalua.exe, is a signed Microsoft executable that can start an arbitrary program, which lets the group's dropped scripts run under a trusted parent process and blend into normal activity. RedCurl, also known as Earth Kapre and Red Wolf, has been active since at least 2018 and conducts corporate cyber espionage against entities in various countries. The group combines PowerShell, curl and PCA abuse to execute commands, fetch payloads and evade detection within targeted networks, so process-creation telemetry that records the parent process is the most useful place to look for it.
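As an added example, not from the article or from the researchers' report, the following Python flags pcalua.exe proxy execution in process-creation telemetry. The field names mimic Sysmon Event ID 1 (Image, ParentImage, CommandLine), the sample records are constructed, and the list of suspicious child processes is an assumption to tune per environment.

```python
"""Detect Program Compatibility Assistant (pcalua.exe) proxy execution.

pcalua.exe is the Windows PCA launcher; "pcalua.exe -a <program> [args]" starts
<program>, so a dropped script runs under a signed Microsoft parent. The event
fields follow Sysmon Event ID 1 naming; the sample records are constructed.
"""
import json
import ntpath

# Assumption: these children are rarely launched through PCA in normal use.
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe",
    "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
}


def _basename(path: str) -> str:
    """Lower-case file name of a Windows path ("C:\\x\\y.exe" -> "y.exe")."""
    return ntpath.basename(path).lower()


def is_pca_proxy_exec(event: dict) -> bool:
    """True when pcalua.exe is used as a launcher, or spawns a suspicious child."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    # Launcher form: pcalua.exe -a <target>; "-a" must be a standalone switch.
    if image == "pcalua.exe" and " -a " in f" {cmdline} ":
        return True
    # Child form: scripting or download tool whose parent is pcalua.exe.
    if parent == "pcalua.exe" and image in SUSPICIOUS_CHILDREN:
        return True
    return False


def scan(lines) -> list:
    """Return RecordIds of events that match, in input order."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        if is_pca_proxy_exec(event):
            hits.append(event["RecordId"])
    return hits


# Constructed sample telemetry: records 1 and 2 model the abuse, 3 and 4 are benign.
SAMPLE_EVENTS = r'''
{"RecordId": 1, "Image": "C:\\Windows\\System32\\pcalua.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "pcalua.exe -a C:\\Users\\Public\\update.bat"}
{"RecordId": 2, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\pcalua.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"RecordId": 3, "Image": "C:\\Windows\\System32\\curl.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "curl.exe -o report.pdf https://intranet.example/report.pdf"}
{"RecordId": 4, "Image": "C:\\Windows\\System32\\pcalua.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "pcalua.exe"}
'''

if __name__ == "__main__":
    print("suspicious records:", scan(SAMPLE_EVENTS.splitlines()))
```

The launcher form will also match legitimate compatibility launches, so treat it as a lead to be enriched with the target path; the child form (a scripting or download tool whose parent is pcalua.exe) is the higher-fidelity signal and the one worth alerting on.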
Ande Loader Malware Targets Manufacturing Sector in North America
Source: The Hacker News
The threat actor Blind Eagle, also known as APT-C-36, has intensified its operations by using Ande Loader malware to deploy remote access trojans (RATs), specifically targeting Spanish-speaking users in the manufacturing sector in North America. Its modus operandi is phishing emails carrying password-protected RAR or BZ2 archives that conceal malicious VBScript files. Once executed, these scripts establish persistence and launch Ande Loader, which downloads and executes the RAT payload. The payload varies with the delivery vector: Remcos RAT arrives via the RAR archives, while NjRAT is distributed in BZ2 archives served through Discord content delivery network (CDN) links. To hinder analysis, Blind Eagle wraps the malware in additional layers of encryption and obfuscation.
VULNERABILITIES TO WATCH
Patch Now: Kubernetes RCE Flaw Allows Full Takeover of Windows Nodes
Source: Darkreading
Kubernetes disclosed a high-severity vulnerability (CVE-2023-5528) affecting clusters that run Windows nodes. An attacker who can create pods and persistent volumes on a Windows node can inject commands into the path the kubelet uses when setting up a local volume; the injected commands run with SYSTEM privileges on that node, which amounts to full node takeover. The in-tree volume code was fixed in Kubernetes v1.28.4, v1.27.8, v1.26.11 and v1.25.16; earlier releases, including default installations on older minor branches, remain vulnerable until patched. Until patching is complete, restricting who may create pods and persistent volumes through role-based access control (RBAC), and auditing kubelet versions and node configurations, limits the exposure.
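As an added example, not from the article or from the Kubernetes project, the following Python takes a node list shaped like the output of `kubectl get nodes -o json` and reports the Windows nodes whose kubelet predates the fixed releases named in the upstream advisory. The node list is constructed for the example; the fixed-version table is the one from the advisory.

```python
"""Flag Windows nodes whose kubelet is still affected by CVE-2023-5528.

Fixed releases per the upstream Kubernetes advisory: v1.25.16, v1.26.11,
v1.27.8 and v1.28.4. Minor branches older than 1.25 were end of life and got
no fix; 1.29 and later shipped after it. The node list below mimics the
fields of `kubectl get nodes -o json` and is constructed for this example.
"""
import re

FIXED_PATCH = {25: 16, 26: 11, 27: 8, 28: 4}
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")   # tolerates "-eks-..." suffixes


def parse_version(version: str) -> tuple:
    match = _VERSION.match(version)
    if not match:
        raise ValueError(f"unrecognised kubelet version: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(kubelet_version: str) -> bool:
    major, minor, patch = parse_version(kubelet_version)
    if major != 1:
        return False
    if minor < 25:
        return True            # no fixed release exists on that branch
    if minor in FIXED_PATCH:
        return patch < FIXED_PATCH[minor]
    return False               # 1.29+ already contains the fix


def affected_windows_nodes(node_list: dict) -> list:
    """Return (name, kubeletVersion) for Windows nodes that still need patching.

    Linux nodes are skipped: the flaw is in the Windows path of the in-tree
    local volume code. A fixed version is necessary, not sufficient; also
    restrict who may create pods and persistent volumes."""
    found = []
    for node in node_list["items"]:
        info = node["status"]["nodeInfo"]
        if info.get("operatingSystem") != "windows":
            continue
        if is_affected(info["kubeletVersion"]):
            found.append((node["metadata"]["name"], info["kubeletVersion"]))
    return found


# Constructed sample, shaped like `kubectl get nodes -o json` with only the
# fields used above.
SAMPLE_NODES = {
    "items": [
        {"metadata": {"name": "win-node-1"},
         "status": {"nodeInfo": {"operatingSystem": "windows", "kubeletVersion": "v1.28.3"}}},
        {"metadata": {"name": "win-node-2"},
         "status": {"nodeInfo": {"operatingSystem": "windows", "kubeletVersion": "v1.28.4"}}},
        {"metadata": {"name": "linux-node-1"},
         "status": {"nodeInfo": {"operatingSystem": "linux", "kubeletVersion": "v1.28.3"}}},
        {"metadata": {"name": "win-node-3"},
         "status": {"nodeInfo": {"operatingSystem": "windows", "kubeletVersion": "v1.26.10-eks-abc123"}}},
    ]
}

if __name__ == "__main__":
    for name, version in affected_windows_nodes(SAMPLE_NODES):
        print(f"{name}: kubelet {version} is affected by CVE-2023-5528")
```

Against a live cluster, feed it `json.load()` of `kubectl get nodes -o json`; the kubelet version is what matters, because the vulnerable code runs on the node rather than in the control plane, and managed clusters often upgrade the control plane before the node pools.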
Cisco Fixed High-Severity Elevation of Privilege and DoS Bugs
Source: Security Affairs
Cisco released patches for several high-severity vulnerabilities in its IOS XR software that could lead to privilege escalation or denial-of-service (DoS) conditions. CVE-2024-20320 allows an authenticated, local attacker with low privileges to elevate to root on affected devices through the SSH client command. CVE-2024-20318 allows an unauthenticated, adjacent attacker to reset the line card network processor with crafted Ethernet frames, causing a DoS of Layer 2 Ethernet services. CVE-2024-20327 affects ASR 9000 Series routers that terminate PPP over Ethernet (PPPoE), allowing an unauthenticated, adjacent attacker to crash the ppp_ma process and disrupt PPPoE traffic. Cisco has not observed in-the-wild exploitation, but the updates should be applied as soon as possible; the two DoS flaws require only adjacent network access, so exposed customer-facing ports are the first place to prioritise.
Critical Vulnerabilities in Arcserve UDP Software Demand Urgent Action
Source: SecurityOnline.info
Security researchers from Tenable uncovered a critical chain of vulnerabilities in Arcserve Unified Data Protection (UDP), a widely used backup and disaster recovery solution. The flaws, tracked as CVE-2024-0799, CVE-2024-0800 and CVE-2024-0801, affect versions 9.2 and 8.1 of Arcserve UDP and potentially allow attackers to bypass authentication, upload malicious files, and disrupt critical backup systems. Because backup servers are a favourite ransomware target and hold copies of everything else, patching should be immediate and the management interface should not be reachable from untrusted networks.
CVE-2024-22259: Spring Framework Update Fixes High-Severity Flaw
Source: SecurityOnline.info
A high-severity vulnerability, CVE-2024-22259, has been identified in the Spring Framework, a widely used foundation for Java applications. It affects applications that use UriComponentsBuilder to parse URLs supplied from external sources (for example a query parameter) and then perform validation checks on the parsed host: a crafted URL can pass those checks and still send the request elsewhere when it is used, enabling open redirect or server-side request forgery (SSRF) attacks, and in turn phishing or unauthorized access to internal resources. The issue is a variant of CVE-2024-22243, fixed a month earlier, with different input. Affected versions are 6.1.0 to 6.1.4, 6.0.0 to 6.0.17 and 5.3.0 to 5.3.32; upgrade to 6.1.5, 6.0.18 or 5.3.33 (or later) to mitigate the risk, and keep host allow-list checks on the final URI the application actually uses rather than on an intermediate representation.
SPECIAL REPORTS
Shadow AI – Should I be Worried?
Source: Security Week
The proliferation of AI tools, particularly those built on generative AI such as ChatGPT, has raised concerns about security and privacy risks for organizations. With approximately 12,000 AI tools available, promising assistance across a wide range of job tasks, employers struggle to control their usage effectively. Despite employees' growing adoption of these tools, many organizations lack clear policies and safeguards for managing AI risk, which leads to data leakage and compliance issues. Most of these tools also lack robust privacy and data retention policies, so data pasted into them may be retained or used for training in ways the organization never agreed to. Security concerns extend to prompt injection attacks, account takeovers, and the misuse of sensitive corporate data. While some organizations opt for blanket bans on AI tools, that approach tends to drive users to alternative, unvetted tools, exacerbating the risk. Instead, organizations should educate users on responsible AI use and develop pragmatic policies that balance security concerns with the productivity gains the tools offer.
CISA Launches 911 Cybersecurity Hub: Empowering Emergency Responders
Source: The Cyber Express
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with SAFECOM and the National Council of Statewide Interoperability Coordinators (NCSWIC), launched the 911 Cybersecurity Resource Hub for the nation's Emergency Communications Centers (ECCs). The initiative gives ECCs streamlined access to cybersecurity resources and expertise. Through close collaboration with state and local stakeholders, CISA intends to keep the hub responsive to the evolving cybersecurity challenges ECCs face. CISA's other initiatives, such as the Regional Resiliency Assessment Program (RRAP) and the Joint Cyber Defense Collaborative (JCDC), also work to strengthen critical infrastructure resilience and counter cyber threats.
New Report Suggests Surge in SaaS Assets, Employee Data Sharing
Source: Infosecurity Magazine
Recent DoControl research indicates a substantial spike in software-as-a-service (SaaS) assets, with an average of 286,000 new assets generated weekly in 2023–increasing 189% from the previous year. The report also highlights the frequency of insider threats, finding that one in every six employees shares company material via personal email accounts. Outdated access permissions and overly-permissioned third-party OAuth apps create additional security challenges. To overcome these issues, the research emphasizes that businesses must create centralized, automated data access controls for SaaS services.
Cybersecurity Leader & CISO driving innovation at Neuhaus Ventures | Servant leader to making this planet a safer place
11 months ago: Nice wrap-up