CISO Daily Update - March 28, 2024

NEW DEVELOPMENTS

Facebook May Have Exploited User Devices to Spy on Competitors, Documents Show

Source: Cybernews

Recently unsealed court documents reveal Facebook's covert project, codenamed "Ghostbusters," aimed at acquiring, decrypting, and utilizing private analytics from Snapchat, YouTube, and Amazon. The project, initiated in 2016 at Mark Zuckerberg's request, involved intercepting encrypted app traffic using a "man-in-the-middle" approach to gain competitive insights. Dubbed the In-App Action Panel ("IAAP") program, it operated until May 2019, allegedly violating wiretapping laws. Despite some internal dissent, the program, facilitated by Facebook's acquisition of Onavo, deployed spyware against YouTube and Amazon and impacted Snapchat's product efforts. The revelations come amidst a class-action lawsuit accusing Meta of deceptive data collection practices.

Article Link


Alert: New Phishing Attack Delivers Keylogger Disguised as Bank Payment Notice

Source: The Hacker News

A recent phishing campaign discovered by Trustwave SpiderLabs delivers the Agent Tesla keylogger disguised as a bank payment notice. The attackers use a malicious loader to deploy Agent Tesla, employing obfuscation techniques and polymorphic behavior to evade detection. The loader, written in .NET, bypasses antivirus defenses and the Windows Antimalware Scan Interface (AMSI). It retrieves the payload from remote servers and executes Agent Tesla in memory, allowing attackers to exfiltrate sensitive data via SMTP. In a separate phishing campaign, the cybercrime group TA544 uses PDFs disguised as legal invoices to distribute WikiLoader.

Article Link


Apple ID ‘Push Bombing’ Scam Campaign Hits Cyber Startup Founders

Source: SC Media

A sophisticated Apple ID phishing campaign employing "push bombing" and caller ID spoofing targets tech professionals, including startup founders and cybersecurity experts. Victims receive a barrage of system-level notifications requesting Apple ID password resets, followed by spoofed calls impersonating Apple Support. Armed with accurate personal information, the attackers attempt to extract one-time passwords (OTPs) sent to victims' phones. Despite warnings, the spam persists, suggesting attackers only need victims' phone numbers to continue the attack. While no successful attacks have been reported, the consequences could be significant–potentially leading to iCloud account takeover and device wiping. Apple, while not confirming an investigation, advises users to recognize and report suspicious activity and reiterates its policy of never soliciting passwords or verification codes.

Article Link


New Darcula Phishing Service Targets iPhone Users via iMessage

Source: Bleeping Computer

Darcula offers a wide range of phishing templates targeting various brands and organizations across more than 100 countries. Unlike traditional phishing methods, Darcula leverages Rich Communication Services (RCS) for Android and iMessage for iOS to send phishing messages–enhancing the perceived legitimacy of the communication. This departure from SMS-based tactics allows attackers to circumvent certain security measures and deliver malicious payloads more effectively. Darcula's phishing kit includes over 200 templates, high-quality landing pages localized for different regions, and a setup process facilitated by Docker and Harbor. The platform's use of purpose-registered domains and Cloudflare-backed infrastructure further contributes to its sophistication. However, users can still protect themselves by remaining vigilant and skeptical of unsolicited messages containing URLs, especially if the sender is unfamiliar. Additionally, paying attention to phishing indicators such as suspicious offers and requests for urgent action can help users identify and avoid falling victim to such attacks.

Article Link


Hackers Developing Malicious LLMs After WormGPT Falls Flat

Source: Bank Info Security

After tools like WormGPT fell short of meeting their needs, cybercriminals are seeking to develop custom malicious large language models (LLMs). Discussions in underground forums reveal plans to circumvent the guardrails in AI-powered chatbots, with cybercriminals recruiting AI experts to jailbreak existing LLM restrictions and to create sophisticated, malicious versions. Threat actors leverage generative AI for malware development, detection evasion, and intelligence extraction. As AI's accessibility grows, security measures must advance–including stricter validation for private LLMs. Recommendations emphasize multilayered malware detection and branding to combat evolving cyber threats.

Article Link


Worldwide Agenda Ransomware Wave Targets VMware ESXi Servers

Source: Darkreading

Agenda ransomware, previously known for its Golang-based attacks, has evolved with a new Rust variant targeting VMware vCenter and ESXi servers. This sophisticated malware is delivered through Cobalt Strike or RMM tools and spreads rapidly to lock out owners by changing root passwords. It boasts enhanced functionalities, including privilege escalation and virtual machine cluster disabling, while leveraging bring-your-own-vulnerable-driver (BYOVD) tactics for stealth. Trend Micro's report on this evolved variant highlights the escalating risk of ransomware in virtualized environments and emphasizes proactive security measures for organizations.

Article Link


VULNERABILITIES TO WATCH

CISA Adds Microsoft SharePoint Bug Disclosed at Pwn2Own to Its Known Exploited Vulnerabilities Catalog

Source: Security Affairs

CISA added CVE-2023-24955, a Microsoft SharePoint Server code injection vulnerability demonstrated at Pwn2Own 2023, to its Known Exploited Vulnerabilities catalog. This critical flaw allows remote code execution. Microsoft has addressed the vulnerability, but it remains a target for cyberattacks and requires immediate action from both government and private organizations to mitigate risks to their networks. Other vulnerabilities, including CVE-2023-48788 and CVE-2021-44529, have also been added to the CISA catalog.

Article Link


Organizations Informed of 10 Vulnerabilities in Rockwell Automation Products

Source: Security Week

As reported in recent advisories by the company and CISA, Rockwell Automation addressed 10 vulnerabilities in its FactoryTalk, PowerFlex, and Arena Simulation products. These vulnerabilities include high-severity arbitrary code execution flaws and denial-of-service issues discovered and reported by researcher Michael Heinzl. Exploitation typically requires users to open malicious files, with risks including information disclosure and DoS attacks. While patches are available for some vulnerabilities, others await mitigation measures.

Article Link


Microsoft Edge Bug Could Have Allowed Attackers to Silently Install Malicious Extensions

Source: The Hacker News

A now-patched security flaw in Microsoft Edge could have allowed attackers to install arbitrary extensions on users' systems without their knowledge. Tracked as CVE-2024-21388, the vulnerability enabled the exploitation of a private API intended for marketing purposes–granting attackers the ability to covertly install extensions with broad permissions. While Microsoft addressed the issue in Edge version 121.0.2277.83, the bug highlights the potential risks posed by insufficient validation and the need to balance user convenience with security. Although there is no evidence of exploitation in the wild, the flaw demonstrates how browser customizations can inadvertently introduce new attack vectors.

Article Link


Code Execution Flaws Haunt NVIDIA ChatRTX for Windows

Source: Security Week

NVIDIA has issued urgent patches for ChatRTX for Windows due to two high-risk vulnerabilities (CVE-2024-0082 and CVE-2024-0083) that could lead to code execution, privilege escalation, and data tampering. These flaws, affecting versions 0.2 and earlier, pose risks of cross-site scripting attacks and improper privilege management, potentially enabling attackers to execute harmful code and tamper with data. Users are urged to update their software to mitigate these risks.

Article Link


BlueDucky: A New Tool Exploits Bluetooth Vulnerability With 0-Click Code Execution

Source: Cyber Security News

BlueDucky, a new tool, streamlines the exploitation of a critical Bluetooth pairing flaw, allowing 0-click code execution on vulnerable devices. Building upon Marc Newlin's proof-of-concept script targeting CVE-2023-45866, BlueDucky automates the process, eliminating manual steps and lowering the bar for attackers. Operating on a Raspberry Pi 4 or rooted Android devices, it scans for nearby Bluetooth devices and executes scripts–posing a significant threat to unpatched systems.

Article Link


SPECIAL REPORTS

Only 3% of Businesses Resilient Against Modern Cyber Threats

Source: Infosecurity Magazine

According to Cisco's 2024 Cybersecurity Readiness Index, only 3% of organizations demonstrate resilience against modern cybersecurity threats–a marked decline from last year. Most businesses fall into the formative and beginner categories, with larger companies exhibiting higher readiness levels. Despite increased cybersecurity budgets, over half of organizations experienced incidents, with malware and phishing being the most common. Concerns about future disruptions exist, exacerbated by a significant cyber skills gap and evolving threat landscape.

Article Link


Zero-Day Vulnerabilities Surged by Over 50% Annually, Says Google

Source: Infosecurity Magazine

According to Google's 2023 year in review, zero-day vulnerabilities surged by over 50% compared to 2022, reaching 97. While end-user platform vendors have made strides in reducing exploitability, enterprise-focused technologies saw a 64% increase in zero-day discoveries, notably targeting security software and appliances. The report also highlights a shift towards exploiting third-party components and the significant role of commercial spyware companies in zero-day attacks. Additionally, China led in government-driven zero-days, while financially motivated actors contributed a smaller portion of the total.

Article Link

Srijan Kumar, Ph.D.

CEO, Lighthouz AI (YC S24) | CS professor at Georgia Tech (on leave) | Ex: AI @ Google, Stanford, IIT | AI Scientist | Forbes 30 under 30 | US NAS Kavli fellow | NSF CAREER awardee

7 months

Interesting! You can test the robustness of guardrails on the Lighthouz AI Guardrails arena: https://arena.lighthouz.ai/


Thank you Marcos! Shout out for your subscription. It's been an interesting past few updates.

Nishant Nischal Chintalapati

Senior Product Manager | 2X Entrepreneur | Helping Businesses adopt AI | Carnegie Mellon

8 months

Great insights, keep them coming!
