Cyber Security Threat Report: March Digest

Welcome back to the Riela Cyber Security Threat Report, the March Digest! In this edition, get ready for cyber-world surprises, Ring doorbell drama, and plenty more. Let's dive right in...


NEWS

Four Years Behind Cyber Bars

Recently, a member of the notorious LockBit ransomware group faced sentencing, receiving a four-year prison term. The individual, identified as a Russian national, admitted guilt to charges of conspiracy to commit computer fraud and abuse, along with distributing and possessing malware. LockBit has gained infamy for its ransomware attacks, which involve encrypting victims' files and demanding substantial ransom payments for their release. This case emphasises the gravity of cyber threats posed by ransomware groups and underscores law enforcement's efforts to combat such criminal operations. It serves as a stark reminder of the consequences awaiting individuals involved in cyber crime and emphasises the importance of international cooperation in tackling these threats.


Shock in the Cyber World

In a recent article, Cyber Security News shed light on the alarming features of the Android Brata RAT, a tool that has sent shockwaves through the cyber security community and highlights the ongoing battle against malware targeting Android devices. This sophisticated Remote Access Trojan (RAT) poses a significant threat to Android users: it is capable of evading detection and executing various malicious activities remotely. With its advanced capabilities, including the ability to bypass security measures and intercept sensitive data, the Brata RAT underscores the importance of robust cyber security measures for mobile devices. As researchers continue to dissect its functionality and explore mitigation strategies, users are urged to remain vigilant, update their devices regularly, and exercise caution when downloading apps from untrusted sources. Stay informed, stay protected!


Ding Dong

Cyber security experts at Trustwave have issued a cautionary alert to Ring doorbell customers and users of similar home security gadgets, highlighting the alarming trend of cyber hackers targeting these devices with phishing campaigns. Scammers are employing deceptive tactics, such as sending out fraudulent emails containing links disguised as account update requests. Once clicked, these links redirect users to fake Ring login pages aimed at illicitly harvesting sensitive information.

Additionally, unsuspecting recipients are being warned of an imminent suspension of their Ring accounts, with scammers citing outdated membership details as the cause. This concerning development underscores the importance of remaining vigilant and implementing robust cyber security measures to safeguard against such malicious threats.


The 'AT&T Breach' - A Peek Behind the Cyber Curtain

Earlier this week, the data of over 70 million people was posted for sale on an online cyber crime forum. The person selling the data claims it stems from a 2021 breach at AT&T, the telecommunications company. However, AT&T denies the 2021 leak and, now in 2024, confirms that it has no evidence of a breach.

No response was received to a follow-up question on whether the data could have come from a third-party provider. The information that was posted online included names, addresses, mobile numbers, dates of birth and other personal information. When this data was first posted in 2021, some of the information was encrypted; this time, the data has been decrypted. With the origins of the leaked data still uncertain, questions linger about the adequacy of data protection measures and the potential implications for affected individuals.

Vans Customers: Lace up Your Cyber Security

A popular footwear company has issued a warning to its customers regarding a potential risk of fraud or identity theft following a data breach at its parent company, VF Group. The breach, detected in December 2023, revealed unauthorised activities on a segment of the company's IT systems. Aside from disruptions to its business operations, personal data belonging to more than 35 million of its customers was siphoned off.

While Vans assures that no detailed financial information or passwords were compromised, it cannot rule out the possibility of criminals attempting to misuse the customer data obtained. VF Group, which also owns other renowned brands like Timberland, The North Face, and Dickies, has taken proactive steps by contacting law enforcement agencies and related authorities. Additionally, Vans has pledged to review its cyber security policies to mitigate any future risks.


UK's Cyber Dance with China: MPs and Voters Left Twiddling Their Digital Thumbs

In the wake of escalating cyber threats, the UK braces itself for heightened cyber security measures. Recent reports have shed light on a surge in cyber attacks originating from China, raising concerns about the integrity of critical infrastructure and national security. These attacks, targeting government institutions, businesses, and individuals alike, underscore the evolving landscape of cyber warfare and the urgent need for robust defence mechanisms. As the UK strengthens its cyber security posture, vigilance and collaboration across sectors become paramount in safeguarding against emerging threats. Stay tuned as we delve deeper into the evolving cyber security landscape in our upcoming editions.


ALERTS

The report below emphasises the need for proactive strategies to tackle the threat of zero-day vulnerabilities. It stresses the importance of organisations understanding their own systems, assessing risks, and having a clear plan to respond effectively.

Without traditional patching options, alternative security measures and incident response plans become essential. By taking proactive steps and collaborating with stakeholders, organisations can effectively manage the risks posed by zero-day vulnerabilities and strengthen their cyber security defences.


Actively Exploited Zero-Day Vulnerability Affecting Internet Shortcut Files

Internet Shortcut Files have received a patch for CVE-2024-21412, which has a severity rating of Important and a CVSS score of 8.1. This vulnerability allows an unauthenticated attacker to bypass the "Mark of the Web" (MotW) security warnings on Windows machines. The targeted user would need to be convinced to click on a specially crafted file that is designed to bypass the displayed security checks. According to Microsoft, a proof-of-concept kit for exploiting the vulnerability has not been publicly disclosed.


Actively Exploited Zero-Day Vulnerability Affecting Windows SmartScreen

Windows SmartScreen has received a patch for CVE-2024-21351, which has a severity rating of Moderate and a CVSS score of 7.6. This security feature bypass vulnerability in Windows Defender SmartScreen can potentially lead to partial data exposure and/or issues with system availability. The attacker would need to convince the user to open a malicious file that could bypass SmartScreen and potentially gain code execution. According to Microsoft, a proof-of-concept kit for exploiting the vulnerability has not been publicly disclosed.


Critical Vulnerabilities Affecting Microsoft Windows, Extended Security Update, Dynamics, Exchange Server and Microsoft Office

CVE-2024-21410 is a Critical elevation of privilege (EoP) vulnerability affecting Microsoft Exchange Server and has a CVSS score of 9.8. An attacker who successfully exploits this vulnerability can relay a user's leaked Net-NTLMv2 hash against a vulnerable Exchange server and be authenticated as that user. NTLM hashes are valuable to attackers for gaining account access because of the way NTLM's challenge-response protocol is used for authentication. This vulnerability potentially allows attackers to crack NTLM hashes or deploy an NTLM relay attack.

Prior to Exchange Server 2019 Cumulative Update 14 (CU14), Exchange Server did not enable relay protections for NTLM credentials (called Extended Protection for Authentication, or EPA) by default, which would have protected against one of the attack types mentioned earlier. Microsoft has provided an "Exchange Server Health Checker" script that gives an overview of the Extended Protection status of the customer's Exchange server.
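As an added illustration (not the newsletter's content and not Microsoft's Health Checker script), the following PowerShell readout shows where Extended Protection is configured on an Exchange server: EPA is an IIS Windows Authentication setting, so each Exchange web application's tokenChecking value (None, Allow or Require) tells you whether relay protection is off, opportunistic or enforced. It assumes it is run on the Exchange server with the WebAdministration module available and the default IIS site names "Default Web Site" and "Exchange Back End"; which value Microsoft expects for each directory is set out in its Extended Protection documentation, so treat a result of None as something to investigate rather than as an automatic fail.

```powershell
# Added example, not Microsoft's Health Checker: read the IIS Extended Protection
# (EPA) setting for every web application under the two Exchange IIS sites.
Import-Module WebAdministration

function Get-ExchangeEpaStatus {
    param(
        # Assumption: default Exchange site names; adjust if renamed.
        [string[]]$Sites = @('Default Web Site', 'Exchange Back End')
    )
    foreach ($site in $Sites) {
        foreach ($app in Get-WebApplication -Site $site) {
            $psPath = "IIS:\Sites\$site$($app.Path)"
            # tokenChecking lives under windowsAuthentication/extendedProtection.
            $token = Get-WebConfigurationProperty -PSPath $psPath `
                -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
                -Name 'tokenChecking'
            $value = if ($null -ne $token.Value) { [string]$token.Value } else { [string]$token }
            [pscustomobject]@{
                Site          = $site
                Application   = $app.Path
                TokenChecking = $value
                # None = relay protection not enforced; Require = enforced.
                RelayProtected = ($value -eq 'Require')
            }
        }
    }
}

# Print a table and highlight anything that is not enforcing EPA.
$status = Get-ExchangeEpaStatus
$status | Format-Table -AutoSize
$status | Where-Object { -not $_.RelayProtected } |
    ForEach-Object { Write-Warning "EPA not enforced on $($_.Site)$($_.Application): $($_.TokenChecking)" }
```

Microsoft's Health Checker script remains the authoritative check, since it also knows the per-directory expected values and the TLS and certificate prerequisites that EPA depends on.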

CVE-2024-21413 is a Critical remote code execution (RCE) vulnerability affecting Microsoft Outlook and has a CVSS score of 9.8. Successful exploitation of this vulnerability allows the attacker to send a maliciously crafted link that bypasses the security feature. This can lead to credential exposure and RCE, enabling attackers to gain privileged functionality.

CVE-2024-21380 is a Critical information disclosure vulnerability affecting Microsoft Dynamics Business Central (formerly known as Dynamics NAV) and has a CVSS score of 8.0. This vulnerability could allow the attacker to gain the ability to interact with other SaaS tenants' applications and content. The user would have to be convinced by the attacker to click on a specially crafted URL, and the execution would need to win a race condition for successful exploitation. This can lead to unauthorised access to the victim's account.

CVE-2024-21357 is a Critical RCE vulnerability affecting the Windows Pragmatic General Multicast (PGM) network transport protocol and has a CVSS score of 7.6. The attack complexity is high due to the additional actions a threat actor would need to take for successful exploitation. Exploitation is limited to systems connected within the same network or virtual network.

CVE-2024-20684 is a Critical denial of service (DoS) vulnerability affecting Microsoft Windows Hyper-V and has a CVSS score of 6.5. Successful exploitation of this vulnerability allows an attacker to target a Hyper-V guest virtual machine, which can affect the functionality of the Hyper-V host. Because this is a local DoS attack, Microsoft deems exploitation less likely.


Thank you for taking the time to read our March Cyber Security Threat Report. We look forward to sharing more with you in April. In the meantime, keep up to date with the latest news by checking out our Cyber Blog here.

