Top 5 Cybersecurity Updates: Last Week's Key Highlights in the Digital Sphere

1. Microsoft Rolls Out Patches for 73 Flaws, Including 2 Windows Zero-Days

Microsoft's February 2024 Patch Tuesday addressed 73 security flaws, including two actively exploited zero-days (CVE-2024-21351 and CVE-2024-21412) affecting Windows SmartScreen and Internet Shortcut Files. The updates cover 5 Critical, 65 Important, and 3 Moderate vulnerabilities, alongside fixes for 24 Edge browser flaws. CVE-2024-21351 allows code injection into SmartScreen, and CVE-2024-21412 enables attackers to bypass security checks with user interaction. Both vulnerabilities are now in the U.S. CISA's Known Exploited Vulnerabilities catalog, with federal agencies urged to update by March 5, 2024.

The patch also includes fixes for five critical vulnerabilities in Windows Hyper-V, Windows PGM, Microsoft Dynamics, Microsoft Exchange Server, and Microsoft Outlook, with the Exchange Server flaw highlighted for its exploitation potential. Additionally, a 24-year-old DNSSEC design flaw (CVE-2023-50387) causing denial-of-service was fixed. Other vendors have also released updates for various products, highlighting the broad scope of cybersecurity efforts.

2. 4 Ways Hackers Use Social Engineering to Bypass MFA

Hackers use social engineering tactics to bypass multi-factor authentication (MFA), highlighting the importance of strong passwords alongside MFA for security. These tactics include:

  • Adversary-in-the-middle (AITM) attacks: Hackers deceive users with fake websites to intercept passwords and MFA prompts, manipulating users into granting access.
  • MFA prompt bombing: Attackers send continuous MFA prompts to users until they mistakenly approve one, granting the hacker access.
  • Service desk attacks: By pretending to be legitimate users, attackers trick service desks into bypassing MFA, enabling unauthorized access.
  • SIM swapping: Hackers transfer a victim's phone service to a SIM card they control, intercepting MFA prompts.

Despite MFA's effectiveness, it's not infallible. Hackers can bypass MFA using these methods, especially when targeting weak or reused passwords. Organizations are advised to maintain strong password policies in conjunction with MFA to enhance security.
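As an added illustration (not part of the original article), here is a defender-side check for the prompt-bombing pattern described above: it scans MFA push-notification logs for a burst of denied or timed-out prompts that ends in an approval, which is the signature of a user wearing down and accepting. The log format, the sample lines and the thresholds are assumptions made for this example.

```python
# Added example: detect MFA prompt-bombing (push fatigue) in auth logs.
# Assumed (constructed) log format, one event per line:
#   <ISO timestamp> user=<name> event=push result=<approved|denied|timeout>
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice is normal, bob shows a fatigue burst,
# carol has one unrelated denial hours before a legitimate approval.
SAMPLE_LOG = """\
2024-02-12T08:00:01 user=alice event=push result=approved
2024-02-12T22:14:02 user=bob event=push result=denied
2024-02-12T22:14:40 user=bob event=push result=timeout
2024-02-12T22:15:10 user=bob event=push result=denied
2024-02-12T22:15:55 user=bob event=push result=timeout
2024-02-12T22:16:30 user=bob event=push result=approved
2024-02-12T09:30:00 user=carol event=push result=denied
2024-02-12T15:45:00 user=carol event=push result=approved
"""

def parse(log):
    """Parse log lines into (timestamp, user, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append((datetime.fromisoformat(ts), fields["user"], fields["result"]))
    return events

def detect_prompt_bombing(log, window=timedelta(minutes=5), min_prompts=4):
    """Return users whose approval was preceded, within `window`, by enough
    prompts (min_prompts total) that at least one was denied or timed out."""
    by_user = defaultdict(list)
    for ts, user, result in parse(log):
        by_user[user].append((ts, result))
    flagged = {}
    for user, evs in by_user.items():
        evs.sort()  # logs may arrive out of order; analyse chronologically
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            burst = [r for t, r in evs[:i] if ts - t <= window]
            rejected = [r for r in burst if r in ("denied", "timeout")]
            if len(burst) + 1 >= min_prompts and rejected:
                flagged[user] = {"prompts": len(burst) + 1,
                                 "rejected_before_approval": len(rejected),
                                 "approved_at": ts.isoformat()}
    return flagged

if __name__ == "__main__":
    print(detect_prompt_bombing(SAMPLE_LOG))  # only bob should be flagged
```

In a real deployment the same logic would run over the identity provider's push/approval events, with the window and prompt threshold tuned to the organisation's normal sign-in behaviour.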


3. CISA and OpenSSF Release Framework for Package Repository Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is collaborating with the Open Source Security Foundation's Securing Software Repositories Working Group to introduce the "Principles for Package Repository Security" framework. This initiative aims to enhance the security of package repositories, crucial for the open-source ecosystem, by establishing foundational security rules for package managers. The framework outlines four security maturity levels across authentication, authorization, capabilities, and CLI tooling, encouraging repositories to achieve at least basic security maturity (Level 1) and progress towards advanced security measures. This effort responds to increasing cybersecurity threats and the recognition of open-source software's vulnerabilities in critical sectors, such as healthcare.

4. Ivanti Vulnerability Exploited to Install 'DSLog' Backdoor on 670+ IT Infrastructures

Threat actors are exploiting a server-side request forgery (SSRF) vulnerability, CVE-2024-21893, in Ivanti Connect Secure, Policy Secure, and ZTA gateways to deploy a backdoor named DSLog, granting them persistent remote access. This exploitation began shortly after the public release of proof-of-concept code. The backdoor is inserted into an existing Perl file to avoid detection, with unique hashes used for each appliance to complicate analysis. Orange Cyberdefense detected the initial compromises on February 3, with evidence of attackers attempting to erase logs to hide their tracks. Despite efforts to patch the vulnerability, 670 compromised assets were initially found, decreasing to 524 by February 7. Ivanti recommends a factory reset of appliances before applying patches to eliminate any backdoor persistence.

5. PikaBot Resurfaces with Streamlined Code and Deceptive Tactics

The PikaBot malware has undergone significant changes, simplifying its code by removing advanced obfuscation techniques and altering its network communications, according to Zscaler ThreatLabz. Initially identified in May 2023, PikaBot serves as a malware loader and backdoor, capable of executing commands and deploying payloads from a command-and-control (C2) server. Recent updates include simpler encryption algorithms, the removal of per-element encryption in favor of storing bot configurations in plaintext, and modifications to C2 server communication protocols. Despite these changes, PikaBot remains a notable cyber threat. This development is part of broader cybercriminal activities, including a cloud account takeover campaign targeting Microsoft Azure environments, reported by Proofpoint, indicating a persistent and evolving threat landscape.
