WTF Happened Last Week!?!

Howdy Y'all! How y'all doing this Sunday? Y'all good? Remember to take some time for yaself dis holiday season! Love. Yo. Self. Now let's git ta da news in review!

The Phantom Thief in Your Pocket: A Deeper Look at AutoSpill and How to Combat it

  • AutoSpill vulnerability allows malicious apps to steal login credentials from popular password managers.
  • The impact is widespread, affecting 1Password, LastPass, Enpass, and Keeper.
  • Researchers, software vendors, and Google working to mitigate the vulnerability.
  • Individuals can protect themselves by being app savvy, double-checking before filling, updating software, choosing secure password managers, and staying informed.


ALPHV Ransomware Gang Faces Potential Law Enforcement Heat: A Potential Turning Point in the Ransomware Saga

  • ALPHV's negotiation and data leak sites remain down for over 30 hours, disrupting operations and negotiations.
  • Rumors suggest potential law enforcement action similar to past interventions against REvil and Hive.
  • ALPHV's history of rebranding and targeting critical infrastructure likely drew unwanted attention.
  • The outage's impact includes halted negotiations, potential data recovery for victims, and a shift in the ransomware landscape.


The Looming Shadow of RaaS: A Comprehensive Guide

  • RaaS model lowers the barrier to entry for cybercriminals. Inexperienced actors can now launch attacks using pre-built tools, significantly accelerating attack times.
  • Double extortion adds a layer of complexity. Attackers now steal sensitive data, threatening to leak it if ransom demands are not met.
  • Real-time intelligence fuels constant evolution. RaaS providers use customer feedback to improve their tools and adapt to new security measures.
  • Defense requires proactive strategies. Implementing PTaaS, CTI, and other tools, along with reliable backups and disaster recovery plans, is essential to mitigate the risk of RaaS attacks.


Why Silos are bad for Cybersecurity and Security

  • Limited Visibility: Silos prevent organizations from seeing the full picture of their security posture, making it difficult to identify and address vulnerabilities.
  • Inefficient Incident Response: Silos slow down incident response and can lead to duplicated efforts and wasted resources.
  • Poor Decision Making: Silos can lead to poor security decisions due to a lack of context and understanding of the overall risk landscape.
  • Increased Risk of Data Breaches: Silos make it easier for attackers to exploit vulnerabilities and gain access to sensitive data.


Austal USA Under Attack: Navigating a Sea of Uncertainty

  • Austal USA, a vital U.S. Navy and Coast Guard shipbuilder, suffered a cyberattack by "Hunters International."
  • The attackers claim to have stolen valuable information, including potentially sensitive engineering plans.
  • Austal USA denies classified or personal data was compromised but faces pressure to secure systems and prevent further damage.
  • This attack may be part of a larger campaign targeting other shipbuilders, potentially compromising maritime security.


Hackers Actively Exploiting Adobe ColdFusion Vulnerability: A Detailed Analysis

  • Hackers are actively exploiting a critical vulnerability in Adobe ColdFusion, CVE-2023-26360, to gain access to government servers.
  • The vulnerability allows attackers to execute arbitrary code on vulnerable servers.
  • CISA recommends upgrading ColdFusion to the latest available version, enforcing network segmentation, setting up a firewall or WAF, and enforcing signed software execution policies.
  • Organizations should also consider implementing a vulnerability management program, a disciplined patching process, security awareness training, and an incident response plan.


Risk Management and Incident Response: A Collaborative Approach to Cybersecurity

  • Risk management and incident response (IR) are two critical functions that work together to safeguard organizations against evolving threats.
  • Risk management sets the stage for effective IR by proactively identifying and assessing potential threats.
  • Incident response teams are tasked with swiftly containing, eradicating, and recovering from incidents to minimize damage.
  • Risk management and IR work together in a symbiotic relationship to enhance overall cybersecurity.


APT28: A Serious Threat to Microsoft Exchange Accounts

  • Microsoft has issued a warning about the Russian state-sponsored actor APT28 actively exploiting the CVE-2023-23397 Outlook flaw to hijack Microsoft Exchange accounts and steal sensitive information.
  • The targeted entities include government, energy, transportation, and other key organizations in the United States, Europe, and the Middle East.
  • Microsoft has also noted the work of the Polish Cyber Command Center (DKWOC) in helping detect and stop the attacks. DKWOC also published a post describing APT28 activity that leverages CVE-2023-38831.
  • The recommended actions to take right now, listed by priority, are the following:
      • Apply the available security updates for CVE-2023-23397 and its bypass CVE-2023-29324.
      • Use this script by Microsoft to check if any Exchange users have been targeted.
      • Reset passwords of compromised users and enable MFA (multi-factor authentication) for all users.
      • Limit SMB traffic by blocking connections to ports 135 and 445 from all inbound IP addresses.
      • Disable NTLM in your environment.


Phony Emails Trick Admins into Installing Backdoor Plugin

  • Fake WordPress security advisories are circulating via email.
  • These emails urge admins to install a plugin that fixes a critical security flaw.
  • The plugin creates a hidden admin user and sends website info to attackers.
  • Attackers can control the website, inject ads, steal visitor info, or blackmail owners.


AeroBlade: A Stealthy Threat Targeting the Aerospace Industry

  • A previously unknown threat actor called AeroBlade has been targeting an aerospace organization in the United States for commercial and competitive cyber espionage.
  • AeroBlade used spear-phishing emails with weaponized documents containing remote template injection and malicious VBA macros to deliver their attacks.
  • The attacks occurred in two phases, the first in September 2022 and the second in July 2023. The second attack was more stealthy and used more obfuscation and anti-analysis techniques.
  • The final payload of the attacks was a DLL that acted as a reverse shell to connect to a hard-coded C2 server, allowing attackers to take over the victim's machine.


Till next week Y'all!

I hope dat y'all have a great week and I'll see y'all next Sunday!

Chuck Payne

NIOSH LTIO IT Specialist/LABN at Centers for Disease Control and Prevention

1 year ago

Ah, my hotpot is setup, so I can sleep, and sleep deep.
