Issue 12: Windows Users Face Error Nightmare; Dropbox Sign Breach Exposes Data, Lazarus Group's New RAT Emerges
CloudGuard
We help organisations proactively detect and automatically remediate cyber threats in real-time.
Top stories – 03 May 2024
Microsoft won't fix Windows 0x80070643 errors, manual fix required
Microsoft issued problematic updates during the January 2024 Patch Tuesday release to address CVE-2024-20666, a BitLocker encryption bypass vulnerability affecting Windows 10 21H2/22H2, Windows 11 21H2, and Windows Server 2022. However, these updates fail with '0x80070643 - ERROR_INSTALL_FAILURE' errors, particularly on systems whose WinRE partition is too small.
Users were instructed to manually expand the WinRE partition by 250 MB or use a PowerShell script provided by Microsoft. Despite complaints about the complexity of these solutions, Microsoft confirmed it won't release an automated fix and advised users to manually resize the WinRE partition using provided guidance.
This manual action is necessary for successful update installation, but users are urged to back up their data beforehand due to potential partition damage during the resizing process.
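Before resizing anything, an administrator will want to know whether a given machine is affected at all. The read-only PowerShell snippet below is an added example for this roundup, not Microsoft's script: it reads the WinRE location from `reagentc /info`, looks up that partition, and reports whether it has at least the 250 MB of headroom the guidance above calls for. It assumes an elevated session and English-language `reagentc` output (the regular expression on the location line is an assumption about that output format).

```powershell
# Added example (not Microsoft's remediation script): report the WinRE partition
# and its free space so an admin can see whether the 250 MB headroom is present.
# Run elevated. Read-only: it changes nothing; resizing is still a manual step.

$info = reagentc /info 2>&1 | Out-String

if ($info -notmatch 'Windows RE status:\s+Enabled') {
    Write-Warning "WinRE is not enabled on this system; there is no partition to check."
    return
}

# reagentc reports the location as
#   \\?\GLOBALROOT\device\harddiskN\partitionM\Recovery\WindowsRE
# (assumed English output; -match is case-insensitive by default)
if ($info -match 'harddisk(\d+)\\partition(\d+)') {
    $diskNumber      = [int]$Matches[1]
    $partitionNumber = [int]$Matches[2]
} else {
    Write-Warning "Could not parse the WinRE location from reagentc output."
    return
}

$partition = Get-Partition -DiskNumber $diskNumber -PartitionNumber $partitionNumber
$volume    = Get-Volume -Partition $partition

$requiredFreeMB = 250   # headroom the guidance in the article above calls for
$freeMB = [math]::Round($volume.SizeRemaining / 1MB)

[pscustomobject]@{
    Disk        = $diskNumber
    Partition   = $partitionNumber
    SizeMB      = [math]::Round($partition.Size / 1MB)
    FreeMB      = $freeMB
    HasHeadroom = ($freeMB -ge $requiredFreeMB)
}
```

A `HasHeadroom` of `False` is the signal that the machine needs the manual partition work (and a backup first) before the update will install; `True` means the 0x80070643 failure most likely has another cause and resizing would not help.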
Dropbox Discloses Breach of Digital Signature Service Affecting All Users
Dropbox revealed a breach of its digital signature product, Dropbox Sign (formerly HelloSign), on April 24, 2024, affecting all users. The attackers accessed emails, usernames, account settings, and for some users, phone numbers, hashed passwords, and authentication information.
Additionally, third parties involved in signed documents were exposed. Investigations found no evidence of data access beyond user details or payment information. The breach targeted an automated system configuration tool, compromising a service account to access the customer database. Dropbox reset passwords, logged users out, and is rotating API keys and OAuth tokens.
Law enforcement cooperation is underway, and further analysis continues. This marks the second breach targeting Dropbox in two years.
North Korea's Lazarus Group Deploys New Kaolin RAT via Fake Job Lures
The Lazarus Group, a North Korea-linked threat actor, has been using fabricated job lures in a campaign called Operation Dream Job to target individuals in Asia. They employed a new remote access trojan (RAT) named Kaolin RAT to deliver the FudModule rootkit.
The rootkit exploits a patched admin-to-kernel vulnerability (CVE-2024-21338) to disable security mechanisms. The initial access vector involves tricking targets into launching a malicious optical disc image (ISO) file containing disguised files, one of which masquerades as a legitimate Amazon VNC client.
The infection chain then proceeds through multiple stages, ultimately leading to the deployment of the Kaolin RAT and the FudModule rootkit.
This sophisticated attack sequence shows Lazarus Group's significant investment in developing complex attack chains and adapting to evade security measures.
Thank you for reading Critical Chatter, CloudGuard’s weekly roundup of security articles curated by Guardians. This week’s news flash has been curated by Dafydd Davies (SOC Engineer).
If you like what you've read, subscribe so you don't miss next week's roundup!
Pssst! Just in case you missed it, here's our latest blog on How to Manage Your Microsoft Sentinel Costs, which includes practical tips and tricks from our tech team to reduce your Sentinel expenses.