CISO Daily Update - May 15, 2024
NEW DEVELOPMENTS
Zscaler Confirms Only Isolated Test Server Was Hacked
Source: Security Week
Zscaler confirmed that the recent security incident claimed by IntelBroker only impacted an isolated test server environment containing no customer data. After IntelBroker advertised stolen Zscaler credentials and data for sale, Zscaler launched an internal investigation aided by third-party incident responders. Their investigation found that the compromise was limited to a non-production, internet-facing test server not hosted on Zscaler's infrastructure. IntelBroker has targeted various organizations and placed their data for sale; Europol is listed as one of its recent victims.
Ongoing Campaign Bombards Enterprises with Spam Emails and Phone Calls
Source: The Hacker News
Researchers at Rapid7 detected an ongoing social engineering campaign flooding enterprises with spam emails and phone calls to gain initial access for further exploitation. Threat actors prompt users to download remote monitoring software under the guise of assistance, then leverage the remote access to deploy additional payloads for credential harvesting and persistence. While ransomware hasn't been executed, the activity overlaps with indicators linked to Black Basta ransomware operators.
Phorpiex Botnet Sent Millions of Phishing Emails to Deliver LockBit Black Ransomware
Source: Security Affairs
According to New Jersey's Cybersecurity and Communications Integration Cell (NJCCIC), the Phorpiex botnet recently sent millions of phishing emails delivering the LockBit Black ransomware payload. The phishing campaign used ZIP attachments sent from spoofed email addresses. Opening the ZIP executed the LockBit ransomware and encrypted the victims' files. Over 1,500 sending IPs across Kazakhstan, Uzbekistan, Iran, Russia, China, and more were identified in this large-scale Phorpiex botnet operation. To mitigate this threat, NJCCIC provides recommendations on security awareness training, strong passwords, prompt patching, endpoint security, email filtering, ransomware mitigation plans, and reporting phishing incidents to authorities.
Telegram CEO Calls Out Rival Signal, Claiming It Has Ties to US Government
Source: The Register
Pavel Durov, CEO of Telegram, attacked Signal, alleging ties to US intelligence agencies and questioning its security. Durov referenced a City Journal report suggesting Signal's origins and association with US government funding, including connections to Katherine Maher, former Wikimedia Foundation and NPR CEO. He criticized Signal's encryption, claiming it's the same as WhatsApp and others, and implied government influence. While Signal has not responded, critics note Durov's motivations, including potential financial incentives amid talks of Telegram going public.
NIST Confusion Continues as Cyber Pros Complain CVE Uploads Stalled
Source: Infosecurity Magazine
The US National Vulnerability Database (NVD) faces its most significant historical crisis, with a three-month backlog in processing software vulnerabilities. Since mid-February 2024, only a fraction of the received 14,286 Common Vulnerabilities and Exposures (CVEs) were analyzed, leaving attackers ample room for exploitation. Despite assurances from the National Institute of Standards and Technology (NIST) that vulnerability processing continues, experts report a halt in new CVE uploads since May 9. The NVD's migration to a new CVE JSON format is cited as the cause. Private firms are stepping in to fill the gap, offering platforms like RiskHorizon[.]ai's NVD Backlog Tracker and releasing alternative APIs like VulnCheck NVD++. CISA also recently launched the 'Vulnrichment' program to enrich CVEs with metadata.
Hackers Use DNS Tunneling to Scan and Track Victims
Source: Infosecurity Magazine
Palo Alto Networks' Unit 42 uncovered threat actors using DNS tunneling to scan network vulnerabilities and track victim activity, revealing novel techniques beyond typical malicious traffic concealment. In various campaigns, attackers embed victim-specific information in DNS queries to monitor interactions with phishing emails. To defend against such threats, Unit 42 recommends limiting the DNS resolver service range and keeping the resolver software updated.
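The tracking technique described above leaves a recognizable footprint in resolver logs: one attacker-controlled domain receiving many distinct, high-entropy leftmost labels (the per-recipient identifiers). The detector below is an added example, not code from Unit 42 or from this digest; the log lines, the domain `attacker-example.test` and the thresholds are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log entries (client IP, queried name); not real traffic.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "7a3f9c1e4b2d.track.attacker-example.test"),
    ("10.0.0.7", "e91b0c7d5a6f.track.attacker-example.test"),
    ("10.0.0.9", "4c8d2e6f1a0b.track.attacker-example.test"),
    ("10.0.0.9", "0f5e3a9c7b2d.track.attacker-example.test"),
    ("10.0.0.7", "b6d1e8a2c4f0.track.attacker-example.test"),
    ("10.0.0.5", "cdn.example.com"),
]


def shannon_entropy(label: str) -> float:
    """Bits per character of a DNS label; encoded identifiers score high,
    ordinary hostnames such as 'www' or 'mail' score low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude last-two-labels approximation (assumption: no public suffix list)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def find_tracking_domains(queries, min_unique=4, min_entropy=3.0, min_len=8):
    """Return {domain: count} for domains whose leftmost labels are numerous,
    unique and high-entropy: the pattern of victim IDs embedded in lookups."""
    by_domain = defaultdict(set)
    for _client, qname in queries:
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:          # need a label left of the registered domain
            continue
        first = labels[0]
        if len(first) >= min_len and shannon_entropy(first) >= min_entropy:
            by_domain[registered_domain(qname)].add(first)
    return {d: len(s) for d, s in by_domain.items() if len(s) >= min_unique}


if __name__ == "__main__":
    print(find_tracking_domains(SAMPLE_QUERIES))  # → {'attacker-example.test': 5}
```

Tune the thresholds against your own resolver baseline; CDN and anti-spam hostnames legitimately use long random labels and will need an allowlist.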
Android Malware Poses as WhatsApp, Instagram, Snapchat to Steal Data
Source: Hackread
A new Android malware campaign targets users by disguising malicious apps as popular services like WhatsApp, Instagram, Snapchat, and Google. Identified by SonicWall researchers, these fake apps request excessive permissions to gain device control, steal data like contacts and messages, and redirect victims to phishing login pages to capture credentials across platforms like Facebook, PayPal, and Microsoft accounts. Likely distributed through phishing, third-party stores, or bundled software, the malware abuses accessibility and admin permissions for unrestrained device access after deceiving users with familiar branding. To protect against this account theft and fraud threat, Android users must remain cautious of unusual permission requests, verify app authenticity through official channels like Google Play, and implement robust security practices to identify impostor applications masquerading as legitimate services.
VULNERABILITIES TO WATCH
Google Fixes Sixth Actively Exploited Chrome Zero-Day This Year
Source: Security Affairs
Google released an emergency Chrome update to patch a critical zero-day vulnerability (CVE-2024-4761) that allows threat actors to execute malicious code. The high-severity out-of-bounds write flaw exists in Chrome's V8 JavaScript engine and is actively exploited in the wild. Google patched the sixth Chrome zero-day of 2024 in versions 124.0.6367.207/.208 for Windows/Mac and 124.0.6367.207 for Linux, withholding technical details to prevent further abuse. Users should immediately update Chrome to mitigate the actively exploited vulnerability risk that could lead to remote code execution attacks. With multiple Chrome zero-days this year, prompt patching remains crucial for maintaining browser security.
Critical Flaws in Cacti Framework Could Let Attackers Execute Malicious Code
Source: The Hacker News
The Cacti network monitoring framework patched 12 vulnerabilities, including two critical flaws that enable unauthenticated remote code execution. CVE-2024-25641 allows authenticated users to write arbitrary files for code execution via the "Package Import" feature. CVE-2024-29895 permits unauthenticated command injection when PHP's "register_argc_argv" is enabled. Other high-severity issues like SQL injection (CVE-2024-31445) and file inclusion (CVE-2024-31459) could also lead to RCE. All but two of the flaws affect every version before 1.2.27; users must urgently update, given the active exploitation that followed public proof-of-concept releases for previous critical Cacti vulnerabilities like CVE-2023-39361 and CVE-2022-46169.
SAP Patches Critical Vulnerabilities in CX Commerce, NetWeaver
Source: Security Week
SAP released 17 security notes in its May 2024 updates, patching critical vulnerabilities in CX Commerce, NetWeaver, and Business Client. The hotfixes address a CSS injection bug (CVE-2019-17495), an Apache Calcite RCE flaw (CVE-2022-36364), a missing signature check allowing unauthenticated file uploads for complete system compromise (CVE-2024-33006), and 23 vulnerabilities in Business Client's Chromium browser, including three high-severity issues. Although not indicated as exploited, SAP product flaws are popular targets, so prompt updates are recommended to prevent remote code execution, data exfiltration, and complete system takeover.
Apple Warns About iOS Zero-Day Exploit
Source: Cybernews
Apple issued a critical fix for a zero-day vulnerability (CVE-2024-23296) affecting older iPhones and iPads, warning that it may have been exploited. The vulnerability impacts RealtimeKit (RTKit) and allows attackers to bypass kernel memory protections, posing a risk of arbitrary kernel read and write capabilities. Additionally, Apple addressed a logic issue in the Foundation framework that could have exposed user-sensitive data.
Microsoft Fixes Windows Zero-Day Exploited in QakBot Malware Attacks
Source: Bleeping Computer
Microsoft addressed the actively exploited zero-day privilege escalation vulnerability (CVE-2024-30051) in a Windows Desktop Window Manager library. Discovered by Kaspersky, the heap-based buffer overflow flaw enabled escalating to SYSTEM privileges after compromising targeted systems. Threat actors leveraged this zero-day in attacks, delivering the QakBot banking trojan and other malware payloads on vulnerable machines. With additional reports from Google's TAG, DBAPPSecurity, and Mandiant indicating widespread exploitation, prompt patching is crucial to mitigate risks associated with QakBot, which is known for facilitating ransomware deployments by Conti, REvil, and other cybercrime groups.
SPECIAL REPORTS
Tailoring Responsible AI: Defining Ethical Guidelines for Industry-Specific Use
Source: Help Net Security
In an interview with Help Net Security, Chris Peake from Smartsheet shows the importance of tailoring responsible AI practices to each organization's needs. He highlights the need to define responsible AI based on industry, regulatory requirements, and risk assessment. Peake suggests implementing transparent AI principles and practices, including employee training and public disclosure of AI systems' workings. Regarding cybersecurity, ongoing skilling and training are recommended to combat AI-driven threats like sophisticated phishing attacks. Peake also discusses AI's role in crisis management and emphasizes the importance of transparency and accountability in AI governance to effectively address potential failures. He anticipates AI governance evolving to enhance data security but acknowledges challenges related to the rapid adoption of AI and ensuring customer awareness and consent.