Saturday, Jun 22 2024 // (IG): BB // ShadowNews // Coffee for Bob
Note: proofs of concept (PoCs) are now linked, where available, for the CVEs mentioned below.
A Proof of Concept (PoC) is a small exercise to test a certain hypothesis or demonstrate that a potential project can be viable. It is primarily used to verify that certain concepts or theories have the potential for real-world application. The purpose of a PoC is to showcase the feasibility, functionality, and potential of a concept before proceeding to the development of the full-scale project.
Russia's Midnight Blizzard Seeks to Snow French Diplomats
Bottom Line Up Front (BLUF): The Russian-backed APT group Midnight Blizzard (also known as Nobelium, APT29, Cozy Bear) has been targeting French diplomatic entities since at least 2021, according to a warning from French CERT. The group's ongoing campaign, dubbed "Diplomatic Orbiter," aims to exfiltrate strategic intelligence from embassies and diplomats.
Analyst Comments: This ongoing campaign by Midnight Blizzard demonstrates Russia's persistent cyber espionage efforts against Western allies, particularly as geopolitical tensions remain high. The targeting of French diplomatic entities, including those involved with the upcoming Paris Olympics, suggests a coordinated attempt to gather strategic intelligence and potentially disrupt international relations. The group's use of compromised legitimate email accounts for phishing attacks highlights the sophisticated tactics employed by state-backed threat actors. While many attacks have reportedly been unsuccessful, the persistent nature of this campaign underscores the need for heightened cybersecurity measures within diplomatic circles.
FROM THE MEDIA: Midnight Blizzard has targeted various French entities, including the Ministry of Culture, the National Agency for Territorial Cohesion, the Ministry of Foreign Affairs, and the French embassy in Ukraine. The group typically uses compromised diplomatic staff email accounts for phishing campaigns against diplomatic institutions. After gaining initial access, they attempt to deliver custom loaders to execute tools such as Cobalt Strike or Brute Ratel C4 for network access, persistence, and data exfiltration. French CERT emphasized that many of these attacks have been unsuccessful.
READ THE STORY: DarkReading // OODALoop
US Adds Sanctions on Kaspersky Executives to Ban on Company Software
Bottom Line Up Front (BLUF): The Biden administration has sanctioned 12 executives and senior leaders of Kaspersky Lab, following the Commerce Department's ban on the sale of Kaspersky's antivirus software in the US. The sanctions are based on alleged cooperation with Russian military and intelligence authorities.
Analyst Comments: This two-pronged approach of sanctions and a commercial ban represents a significant escalation in US efforts to isolate Kaspersky from the American market. The exclusion of CEO Eugene Kaspersky from the sanctions list is notable and may be a strategic decision to leave room for potential dialogue or future negotiations. The timing of these actions, amid heightened geopolitical tensions with Russia, suggests a broader effort to reduce potential cybersecurity vulnerabilities in the US. This move could have far-reaching implications for international technology companies, particularly those based in countries viewed as geopolitical rivals by the US.
FROM THE MEDIA: The Treasury Department sanctioned 12 Kaspersky Lab executives and board members, making it harder for them to start businesses in the US. The Commerce Department banned Kaspersky from conducting new business in the US and prohibited existing users from downloading software updates, with a September 29 deadline to find alternatives. The Commerce Department also placed Kaspersky's US, Russian, and UK operations on its Entity List. These actions stem from allegations of Kaspersky's cooperation with Russian military and intelligence authorities in support of cyber intelligence objectives.
READ THE STORY: The Record // The Verge
Chinese Hackers Deploy SpiceRAT and SugarGh0st in Global Espionage Campaign
Bottom Line Up Front (BLUF): A Chinese-speaking threat actor dubbed SneakyChef has been conducting a global espionage campaign since August 2023, primarily targeting government entities across Asia and EMEA regions. The group is using two custom malware strains: SugarGh0st and the newly discovered SpiceRAT.
Analyst Comments: This campaign demonstrates the evolving sophistication of Chinese cyber espionage operations. The use of multiple custom malware strains and varied infection vectors indicates a well-resourced and adaptable threat actor. The focus on government targets, particularly Ministries of Foreign Affairs and embassies, suggests an intent to gather sensitive diplomatic intelligence. The expansion of targets from initial campaigns in South Korea and Uzbekistan to a broader range of countries across multiple regions highlights the group's growing ambitions and capabilities. Organizations, especially government entities, should be on high alert for phishing attempts using official-looking document lures and implement robust security measures to detect and prevent the deployment of these custom malware strains.
FROM THE MEDIA: Cisco Talos researchers uncovered SneakyChef's activities, linking them to previous campaigns using SugarGh0st RAT. The group has expanded its targets to include Angola, India, Latvia, Saudi Arabia, and Turkmenistan. They employ sophisticated infection chains, including Windows Shortcut (LNK) files, self-extracting RAR archives, and DLL side-loading techniques. The newly discovered SpiceRAT malware uses multiple propagation methods and includes anti-debugging features. Both SugarGh0st and SpiceRAT provide extensive capabilities for further network compromise and data exfiltration.
READ THE STORY: The Record // Cisco Talos Blog // THN
Dangerous RAT Mostly Lurks in Outdated Android Phones
Bottom Line Up Front (BLUF): A powerful remote access trojan (RAT) called Rafel is increasingly targeting outdated Android phones, with over 87% of affected victims running end-of-life Android versions that no longer receive security updates. The malware is capable of remote access, surveillance, and data exfiltration, and has persistence mechanisms, making it a potent tool for covert operations.
Analyst Comments: The prevalence of Rafel RAT in outdated Android devices highlights a critical vulnerability in mobile security. This trend underscores the importance of regular software updates and the risks associated with using devices past their support lifecycle. The malware's sophisticated capabilities, including its ability to bypass multi-factor authentication and potentially act as ransomware, represent a significant threat to user privacy and data security. The involvement of state-sponsored actors like APT-C-35 (DoNot Team) suggests that this threat extends beyond typical cybercriminal activities to potential nation-state espionage, adding a geopolitical dimension to the security concerns.
FROM THE MEDIA: According to research by Check Point, the Rafel RAT is primarily affecting Android phones running outdated versions of the operating system. Android 11, which reached end-of-life almost five months ago, accounts for 21.4% of detected infections. Nearly half of the Rafel RAT instances were found on phones running Android versions 6-10, with an additional 18% on Android 5 devices. The malware often disguises itself as legitimate apps like Instagram or WhatsApp and can request extensive permissions upon installation. It can steal 2FA messages, potentially bypassing multi-factor authentication. Check Point identified around 120 command and control servers associated with this RAT. The most targeted countries are the United States, China, and Indonesia, with Samsung devices being the most affected. The threat actor APT-C-35 (DoNot Team) has been identified as one of the most active users of Rafel RAT, reportedly conducting espionage activities for the Indian government.
READ THE STORY: Cybernews
Chemical Facilities Warned of Possible Data Exfiltration Following CISA Breach
Bottom Line Up Front (BLUF): The US Cybersecurity and Infrastructure Security Agency (CISA) disclosed a breach of its Chemical Security Assessment Tool (CSAT) by a malicious actor exploiting a zero-day vulnerability in an Ivanti Connect Secure appliance. CISA has warned chemical facilities that sensitive data, including personally identifiable information (PII) of facility personnel and visitors, may have been exfiltrated.
Analyst Comments: This breach highlights the ongoing vulnerability of critical infrastructure to sophisticated cyber attacks, particularly those exploiting zero-day vulnerabilities. The targeting of CSAT, a tool used for regulating high-risk chemical facilities, raises concerns about potential threats to national security and public safety. The incident underscores the importance of robust cybersecurity measures for government agencies handling sensitive information, as well as the need for rapid response and disclosure in the event of a breach. The possible exfiltration of PII and Chemical-terrorism Vulnerability Information (CVI) could have far-reaching implications for individuals and facilities involved in the Chemical Facility Anti-Terrorism Standards (CFATS) program.
FROM THE MEDIA: CISA detected potentially malicious activity on the CSAT Ivanti Connect Secure appliance on January 26, 2024, and immediately took the system offline. A forensic investigation revealed that a malicious actor had installed an advanced web shell capable of executing malicious commands. The attacker accessed the web shell several times over two days. While no evidence of data exfiltration was found, CISA warned that PII of facility personnel and unescorted visitors, as well as account information, may have been accessed. The breach occurred shortly after Ivanti reported active exploitation of vulnerabilities in its products, including by Chinese state actors.
READ THE STORY: InfoSecMag
SolarWinds Serv-U Vulnerability Under Active Attack - Patch Immediately
Bottom Line Up Front (BLUF): A recently patched high-severity vulnerability (CVE-2024-28995) in SolarWinds Serv-U file transfer software is being actively exploited by malicious actors. The flaw allows unauthenticated attackers to read sensitive files on the host machine, potentially leading to further compromise.
Analyst Comments: This active exploitation of a newly patched vulnerability in SolarWinds Serv-U software represents a significant threat to organizations using the affected products. The ease of exploitation and the potential for accessing sensitive system files make this vulnerability particularly dangerous. The rapid transition from vulnerability disclosure to active attacks underscores the importance of prompt patching and the ongoing risks associated with file transfer solutions. Organizations should prioritize updating to the patched version (Serv-U 15.4.2 HF 2) immediately to mitigate the risk of data exfiltration and potential follow-on attacks.
FROM THE MEDIA: The vulnerability (CVE-2024-28995) is a directory traversal bug with a CVSS score of 8.6. It affects all versions of Serv-U up to and including 15.4.2 HF 1. Rapid7 described the flaw as trivial to exploit, allowing unauthenticated attackers to read arbitrary files on disk. GreyNoise has detected attempts to exploit the vulnerability, including attacks originating from China. Successful exploitation could lead to information disclosure and potentially serve as a stepping stone for more extensive system compromise through credential theft and attack chaining.
READ THE STORY: THN // PoC: CVE-2024-28995
UEFIcanhazbufferoverflow Flaw In Intel Processors Impacts 100s of PCs & Servers
Bottom Line Up Front (BLUF): A high-severity vulnerability (CVE-2024-0762) has been discovered in Phoenix SecureCore UEFI firmware affecting multiple generations of Intel processors. This flaw could allow a local attacker to elevate privileges and gain code execution within the UEFI firmware during runtime, potentially impacting hundreds of PC and server products.
Analyst Comments: This vulnerability in UEFI firmware presents a significant security risk due to its widespread impact across multiple Intel processor generations and various OEM products. The ability of attackers to execute code at the firmware level could lead to deeply persistent threats that are difficult to detect and remove. The involvement of the TPM configuration in the vulnerability is particularly concerning, as TPMs are meant to enhance system security. This highlights the ongoing challenges in securing the low-level components of modern computing systems. Manufacturers and users will need to prioritize firmware updates to mitigate this risk, but the process of patching such a widely distributed vulnerability could be complex and time-consuming.
FROM THE MEDIA: The vulnerability, dubbed UEFIcanhazbufferoverflow, was initially identified on Lenovo ThinkPad models but is now known to affect multiple versions of Phoenix Technologies' SecureCore firmware. It impacts Intel processor families including AlderLake, CoffeeLake, CometLake, IceLake, JasperLake, KabyLake, MeteorLake, RaptorLake, RocketLake, and TigerLake. The flaw lies in the UEFI code handling TPM configuration, leading to a buffer overflow that could allow malicious code execution. Exploitation depends on the configuration of the TCG2_CONFIGURATION variable, which varies by platform. Successful attacks could potentially evade operating system-level security measures and be difficult to detect.
READ THE STORY: CyberSecurityNews // MSN // HNS
Polish Investigators Seize Pegasus Spyware Systems as Part of Probe into Alleged Abuse
Bottom Line Up Front (BLUF): Polish prosecutors have seized Pegasus spyware systems from government agencies in Warsaw as part of an investigation into alleged abuse of the surveillance tool by the previous government to spy on opposition politicians. Nearly 600 people, mostly opposition figures, were reportedly targeted.
Analyst Comments: This seizure marks a significant escalation in Poland's investigation into the misuse of Pegasus spyware. The broad scope of the seizure, including hardware and documents from multiple agencies, suggests a comprehensive probe into both the technical capabilities of Pegasus and the legality of its use. The high number of reported targets (nearly 600) indicates potentially widespread abuse of the technology for political purposes. This case highlights the growing global concern over the use of commercial spyware by governments against their citizens, particularly political opponents. It may lead to increased scrutiny of spyware vendors like NSO Group and calls for stricter international regulations on the sale and use of such powerful surveillance tools.
FROM THE MEDIA: Polish prosecutors seized Pegasus systems from the Central Anticorruption Bureau in Warsaw on June 20-21, 2024. They also collected documents from multiple government agencies regarding the purchase and use of Pegasus. The investigation, announced in March, covers the period from November 2017 to December 2022. Key political figures, including former Deputy Prime Minister Jarosław Kaczyński, have already testified. In April, Poland's justice minister revealed that nearly 600 people, mostly opposition politicians, were targeted with Pegasus under the previous government. A Senate commission previously found "gross violations of constitutional standards" in the use of Pegasus against an opposition politician in 2019.
READ THE STORY: The Record // TVN24
Ticketmaster Data Breach: Hacker Claims Release of 1 Million Customer Records for Free
Bottom Line Up Front (BLUF): A hacker group claims to have stolen data from 680 million Ticketmaster customers and has released 1 million records for free on a dark web forum. The breach, confirmed by Live Nation (Ticketmaster's parent company), occurred on May 20, 2024, and involved unauthorized access to a database hosted on Snowflake, a third-party cloud storage provider.
Analyst Comments: This data breach represents a significant security incident with far-reaching implications for Ticketmaster and its customers. The release of 1 million records for free is likely an escalation tactic by the threat actors to pressure Ticketmaster into meeting their demands, initially set at $100,000. The breadth of personal information exposed (including names, addresses, partial credit card details, and more) creates substantial risks for identity theft and fraud. Ticketmaster's apparent lack of response, as claimed by the hackers, raises questions about the company's incident response capabilities and commitment to customer data protection. This incident underscores the ongoing challenges companies face in securing cloud-based data storage and the potential consequences of failing to adequately protect sensitive customer information.
FROM THE MEDIA: The hackers claim Ticketmaster is not responding to their request to purchase the stolen data. In response, they released 1 million customer records for free on a dark web forum. The compromised data includes names, addresses, IP addresses, emails, dates of birth, credit card types, last four digits of credit cards, and expiration dates. Live Nation confirmed the breach in a regulatory filing, stating it occurred on May 20, 2024, and involved unauthorized access to a database hosted on Snowflake. The company claims the incident is not expected to have a material impact on its business operations or financial condition.
READ THE STORY: The Cyber Express
VicOne Solutions for Detection of Zero-Day Vulnerabilities and Contextualized Attack Paths
Bottom Line Up Front (BLUF): VicOne, an automotive cybersecurity company, has announced that its xNexus and xZETA solutions are now available on AWS Marketplace. These solutions aim to protect the automotive software supply chain against zero-day vulnerabilities and cyberattacks.
Analyst Comments: This announcement represents a significant step in making advanced automotive cybersecurity solutions more accessible to a wider range of customers through the AWS Marketplace. The integration of these tools with cloud platforms like AWS highlights the increasing convergence of automotive technology and cloud computing. The focus on zero-day vulnerabilities and software supply chain security is particularly relevant given the growing complexity of software-defined vehicles (SDVs) and the increasing cyber risks they face. VicOne's use of large language models (LLM) for customized reporting and their patent-pending Vulnerability Impact Rating (VVIR) technology demonstrate innovative approaches to automotive cybersecurity that could set new standards in the industry.
FROM THE MEDIA: VicOne has made its xNexus and xZETA solutions available on AWS Marketplace. xNexus is a next-generation vehicle security operations center (VSOC) platform that uses LLMs for customized reporting and provides contextualized attack paths. xZETA is an automotive vulnerability and software bill of materials (SBOM) management system that scans vehicle software for various types of vulnerabilities. Both solutions aim to protect the automotive software supply chain against zero-day vulnerabilities and cyberattacks. VicOne emphasizes the importance of aligning with ISO/SAE 21434 processes for automotive cybersecurity.
READ THE STORY: DarkReading
ASUS Warns Customers About Authentication Bypass Vulnerability Detected Across Seven Router Models
Bottom Line Up Front (BLUF): ASUS has issued a critical firmware update to address a severe authentication bypass vulnerability (CVE-2024-3080) affecting seven router models. The flaw allows remote attackers to gain administrative control over affected routers without credentials.
Analyst Comments: This vulnerability poses a significant security risk to ASUS router users, potentially exposing their networks to unauthorized access and manipulation. The high severity score (CVSS 9.8) underscores the critical nature of this flaw. The range of affected models, including some popular consumer routers, means a large number of users could be impacted. ASUS's swift response with firmware updates is commendable, but the challenge lies in ensuring users apply these updates promptly. The fact that some affected models are end-of-life and won't receive updates is concerning, as it leaves those users vulnerable. This incident highlights the ongoing security challenges in consumer networking equipment and the importance of regular firmware updates and strong security practices.
FROM THE MEDIA: ASUS has released firmware updates for seven router models affected by CVE-2024-3080, an authentication bypass vulnerability with a CVSS score of 9.8. The flaw allows remote attackers to gain administrative control without credentials. Affected models include several ZenWiFi and RT series routers. ASUS recommends immediate firmware updates and provides mitigation steps for users unable to update immediately, such as creating strong passwords and disabling internet-accessible services. The company also updated its Download Master utility to address five additional vulnerabilities.
READ THE STORY: SecurityBoulevard
'ONNX' MFA Bypass Targets Microsoft 365 Accounts
Bottom Line Up Front (BLUF): A sophisticated phishing-as-a-service (PhaaS) operation called ONNX Store is targeting Microsoft 365 accounts of financial institutions across the Americas and EMEA regions. The campaign uses advanced tactics including MFA bypass, QR codes, and JavaScript encryption to evade detection and maximize success rates.
Analyst Comments: This PhaaS operation demonstrates the evolving sophistication of cybercriminal services targeting enterprise accounts. The use of QR codes to bypass endpoint detection and the implementation of real-time credential theft via WebSockets show a high level of technical proficiency. The potential connection to the previously known "Caffeine" operation suggests continuity and evolution in the PhaaS ecosystem. The focus on financial institutions highlights the ongoing targeting of high-value sectors by cybercriminals. Organizations, especially in the financial sector, need to enhance their email security, employee training, and multi-factor authentication methods to counter these advanced phishing techniques.
FROM THE MEDIA: EclecticIQ researchers discovered the ONNX Store PhaaS operation targeting financial institutions with sophisticated phishing attacks. Key features include the use of QR codes in PDF attachments to redirect victims to phishing URLs, a 2FA bypass mechanism using encrypted JavaScript, typosquatting to mimic Microsoft 365 login interfaces, and real-time credential and 2FA token theft using WebSockets. The operation may be connected to the previously known "Caffeine" PhaaS. Researchers recommend countermeasures including blocking PDF attachments from unverified sources, implementing DNSSEC, using FIDO2 hardware security keys, and enhancing security monitoring.
READ THE STORY: DarkReading
Mailcow Mail Server Vulnerability Lets Attackers Execute Remote Code
Bottom Line Up Front (BLUF): Two critical vulnerabilities (CVE-2024-31204 and CVE-2024-30270) in Mailcow versions before 2024-04 allow attackers to execute arbitrary code on the server by sending specially crafted emails to administrators.
Analyst Comments: These vulnerabilities highlight the ongoing security challenges in widely-used email server software. The combination of XSS and file path vulnerabilities creates a particularly dangerous attack vector, potentially giving attackers full control over the server. The ability to exploit these flaws through specially crafted emails sent to administrators demonstrates the importance of securing not just user-facing components, but also administrative interfaces. The maintainers' quick response in patching and implementing additional security measures is commendable, but this incident underscores the need for constant vigilance and proactive security testing in email server software.
FROM THE MEDIA: CVE-2024-31204 is an XSS vulnerability in Mailcow's admin panel caused by improper HTML entity escaping. CVE-2024-30270 allows arbitrary file overwriting due to insufficient input validation. Attackers can exploit these by sending malicious emails with crafted background images or query strings. The vulnerabilities stem from issues in exception handling, template caching, and input validation. Mailcow maintainers have patched the vulnerabilities by encoding HTML special characters, strengthening validation logic, and implementing new security checks to differentiate between API and web requests.
READ THE STORY: GBhackers
Items of interest
New Threat Actor 'Void Arachne' Targets Chinese Users with Malicious VPN Installers
Bottom Line Up Front (BLUF): A newly discovered threat actor group called Void Arachne is targeting Chinese-speaking users with malicious Windows Installer (MSI) files that deliver the Winos 4.0 backdoor. The campaign uses SEO poisoning and social media platforms to distribute malware disguised as VPN software, AI tools, and language packs.
Analyst Comments: This campaign demonstrates the evolving sophistication of cyber threats targeting specific language groups. The use of legitimate software installers bundled with malware exploits users' trust and desire for privacy tools like VPNs, which are particularly sought after in China due to internet restrictions. The inclusion of AI-powered deepfake and voice manipulation tools in the malicious packages is especially concerning, as it could facilitate various forms of online abuse and fraud. The modular nature of the Winos 4.0 backdoor, with its extensive plugin system, provides the attackers with a highly flexible and powerful tool for compromising target systems. This campaign highlights the need for improved user awareness around software downloads and the importance of robust endpoint security measures.
FROM THE MEDIA: Void Arachne uses SEO poisoning and Telegram channels to distribute malicious MSI files disguised as popular software like Google Chrome, VPNs, and Chinese language packs. The malware installs the Winos 4.0 backdoor, which has capabilities including file management, DDoS attacks, webcam control, and keylogging. The campaign also promotes compromised installers for AI-powered deepfake and voice manipulation tools. Researchers found the group targeting Chinese-speaking users since early April 2024, potentially reaching a substantial audience in East Asia.
READ THE STORY: THN // Trendmicro // The Record // The Cyber Express
Run your own AI (but private) (Video)
FROM THE MEDIA: Unlock the power of Private AI on your own device with NetworkChuck! Discover how to easily set up your own AI model, similar to ChatGPT, but entirely offline and private, right on your computer. Learn how this technology can revolutionize your job, enhance privacy, and even survive a zombie apocalypse. Plus, dive into the world of fine-tuning AI with VMware and Nvidia, making it possible to tailor AI to your specific needs. Whether you're a tech enthusiast or a professional looking to leverage AI in your work, this video is packed with insights and practical steps to harness the future of technology.
You've been using AI Wrong (Video)
FROM THE MEDIA: Join NetworkChuck as we delve into the revolutionary AI tool, Fabric, designed to augment human capabilities by seamlessly integrating AI into daily tasks. In this comprehensive tutorial, NetworkChuck breaks down how to set up and utilize Fabric to enhance productivity and streamline workflows. Discover how Fabric's open-source, crowd-sourced prompts, known as patterns, can solve specific problems and how you can even create your own. Whether you're a tech enthusiast or a professional looking to leverage AI in practical ways, this video is your gateway to mastering Fabric and transforming your digital interactions.
These open-source products are reviewed by analysts at InfoDom Securities, providing possible context about current media trends related to the realm of cyber security. The stories selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats and overall situational awareness. InfoDom Securities does not endorse any third-party claims made in their original material or related links on their sites; the opinions expressed by third parties are theirs alone. For further questions, please contact InfoDom Securities at dominanceinformation@gmail.com.