GBHackers Weekly Round-Up: Cyber Attacks, Vulnerabilities, Threats & New Cyber Stories

With our weekly GBHackers news summary, explore and learn about the most recent developments in the cybersecurity field. 

This practice will allow you to remain up-to-date on the newest developments, weaknesses, groundbreaking progress, hacking incidents, potential dangers, and fresh narratives within the relevant field or industry. 

Doing so will help you avoid missing out on important news and information.

Within our summary report, you will discover new cyber threats and ways to deal with them. This entails reporting the latest malicious techniques that may damage your trusted devices.

Staying current about these critical cybersecurity issues allows for timely safeguarding measures and preventive actions.

Moreover, this ongoing awareness ensures that you have a comprehensive understanding of the cybersecurity landscape and can secure your systems properly against a continually changing set of risks.

Tools 

  1. OpenCTI

ANY.RUN now integrates with OpenCTI, a cyber threat intelligence platform that allows automatic enrichment of OpenCTI observations with malware data directly from ANY.RUN analysis. 

Users can access indicators like TTPs, hashes, IPs, and domains without manual data source checks. 

Data from interactive analysis sessions in the ANY.RUN sandbox can further enrich OpenCTI observations, which centralize threat-analysis information from multiple sources for efficient investigation.

  2. CloudGrappler

CloudGrappler is an innovative open-source tool designed to detect the presence of notorious threat actors in cloud environments.

This tool is a beacon of hope for security teams struggling to keep pace with the sophisticated tactics of groups like LUCR-3, also known as Scattered Spider.

CloudGrappler leverages the power of CloudGrep, a tool developed by Cado Security, to offer high-fidelity, single-event detections of activities associated with well-known threat actors in popular cloud platforms such as AWS and Azure.

  3. FUD APK Crypter

Cybersecurity experts have identified a new tool promoted in the internet’s darker corners.

Dubbed the “FUD APK Crypter,” this software claims to offer the ability to encrypt and obfuscate payloads created by Android Remote Administration Tools (RATs), making them fully undetectable (FUD) by security systems.

  4. Threat Intelligence Platforms & Sandboxes

Organizations have many tools when investigating cyber threats, but two stand out: Threat Intelligence Platforms (TIPs) and sandboxes.

Each solution provides distinct advantages, yet combining their capabilities can lead to a more practical approach to detecting, analyzing, and responding to threats that can save resources and improve operations.

  5. AutoIt Malware

Hackers have been found utilizing weaponized LNK files to deploy a strain of AutoIt malware, raising alarms across the cybersecurity community.

The infection chain begins with a seemingly innocuous LNK file, which, upon closer inspection, reveals a malicious command disguised as an image file.

This command is designed to download and execute an HTA file using PowerShell from a remote server.

  6. Microsoft Copilot For Security

Microsoft Copilot for Security is a generative AI solution that can help security and IT professionals handle their security operations much more efficiently.

It is claimed to be the industry’s first generative AI solution for strengthening an organization’s security expertise.

Microsoft has now announced that Microsoft Copilot for Security will be available worldwide by April 1, 2024.

  7. Bitcoin Fog Operator

A federal jury in Washington, D.C., has convicted Roman Sterlingov, a dual Russian-Swedish national, for operating the notorious darknet cryptocurrency mixer, Bitcoin Fog.

This service, which has operated since 2011, facilitated the laundering of approximately $400 million in cryptocurrency, marking a significant victory against cybercrime.

  8. Top Ten Best Practices For Cloud Environments

Threat actors target cloud environments because of their wide adoption and because they concentrate important information in one place.

Exploiting shortcomings in cloud security may enable unauthorized access to sensitive data, disruption of infrastructure, or financial gain.

Because these systems are highly scalable and interconnected, they make attractive cyber-attack targets.

  9. Aviation Risk Identification And Assessment Software Program

The MITRE Corporation’s Aviation Risk Identification and Assessment (ARIA) software program is a powerful tool to enhance aviation safety and efficiency.

Developed by the MITRE Corporation, a non-profit organization that operates federally funded research and development centers, ARIA is a software program that provides a comprehensive approach to aviation risk identification and assessment.

Threats

  1. Magnet-Goblin

A new threat actor, Magnet Goblin, emerged by rapidly exploiting recently disclosed vulnerabilities (CVE-2023-46805 & CVE-2023-21887) in Ivanti Connect Secure VPN, which allowed them to deploy custom Linux backdoors on vulnerable systems.

Magnet Goblin has a history of targeting platforms like Magento, Qlik Sense, and potentially Apache ActiveMQ, using similar tactics to gain financial advantage.

Their strategy is to weaponize newly disclosed one-day vulnerabilities quickly and establish backdoors on compromised systems; these backdoors let them steal data or maintain unauthorized access for potential financial gain.

  2. Hackers Attacking Asset Management Companies

The Andariel threat group was observed conducting persistent attacks against domestic businesses, specifically installing MeshAgent for remote screen control while performing the attack.

MeshAgent collects basic system information for remote management and performs activities such as power and account management, chat or message pop-ups, file upload/download, and command execution. 

It also provides remote desktop support; in particular, its web interface supports remote desktop protocols such as RDP and VNC.

  3. Muddled Libra Hackers

Threat actors use pentesting tools to identify vulnerabilities and weaknesses in target systems or networks.

These tools provide a simulated environment for testing potential attack vectors that allow threat actors to exploit security gaps and gain unauthorized access. 

By using pentesting tools, threat actors can assess the effectiveness of their methods and refine their strategies to maximize the impact of their attacks.

  4. Viber VOIP

Viber, known for its encrypted messaging and voice services, boasts millions of users worldwide who rely on its platform for secure communication.

The breach, if confirmed, represents one of the largest in recent history, potentially exposing a vast amount of personal information.

  5. 150k+ Vulnerable Devices Exposed

The “State of the UAE—Cybersecurity Report 2024,” a collaborative effort by the UAE Cyber Security Council and CPX Holding, describes the United Arab Emirates (UAE) cybersecurity landscape.

The report presents a detailed examination of the cyber threats that the nation faces, highlighting the critical need for advanced cybersecurity measures.

The report has uncovered over 155,000 vulnerable assets within the UAE, with 40 percent of critical vulnerabilities left unaddressed for over five years.

  6. Malicious PyPI Packages

Threat actors use malicious PyPI packages to infiltrate systems and execute attacks like data exfiltration, ransomware deployment, or system compromise. 

These packages can easily bypass security measures by masquerading as legitimate Python libraries.

This allows them to infect unsuspecting users’ environments and potentially cause widespread damage.

  7. Adobe Reader Installer

An infostealer disguised as the Adobe Reader installer has been observed. The lure is disseminated as a PDF file that prompts users to download and run the installer.

According to AhnLab Security Intelligence Center (ASEC), the fake PDF file is written in Portuguese and instructs users to download and install Adobe Reader. 

It urges users to download and install malware by informing them that Adobe Reader is needed to open the file.

  8. CyberGate RAT Mimic As Dorks

Threat actors are targeting a niche group of internet users: security researchers, penetration testers, and even cybercriminals.

The weapon of choice is malicious software known as CyberGate Remote Access Trojan (RAT), which has been lurking in the cyber realm for several years.

The latest twist in its deployment involves a cunning disguise, where the RAT is being distributed under the guise of a URL to a seemingly harmless Dork converter tool.

  9. Malicious Emails Bypassing Secure Email Gateways

The frequency of malicious emails successfully circumventing Secure Email Gateways (SEGs) has doubled in the past year.

This surge highlights the evolving sophistication of cyber threats and the challenges organizations face in protecting digital assets.

According to Cofense’s analysis, a malicious email bypasses SEGs every minute, signifying a relentless assault on corporate defenses.

  10. Ex-Google Engineer Arrested

An Ex-Google engineer has been arrested for stealing trade secrets, particularly those related to artificial intelligence (AI) technology.

Linwei Ding, also known as Leon Ding, is a 38-year-old software engineer who lives in Newark, California. A federal grand jury has indicted him on four counts of theft of trade secrets.

The indictment, returned on March 5 and unsealed on March 8, alleges that Ding transferred sensitive Google trade secrets to his account while secretly working with companies based in the People’s Republic of China (PRC) active in the AI industry.

  11. Weaponized PDF

In a sophisticated cyberattack campaign, malicious actors impersonating Colombian government agencies target individuals across Latin America.

The attackers are distributing emails containing PDF attachments, falsely accusing recipients of traffic violations or other legal infractions.

These deceptive communications are designed to coerce victims into downloading an archive that harbors a VBS script, initiating a multi-stage infection process.

  12. OpenAI’s ‘Sora’

The Italian Data Protection Authority (DPA) has initiated a thorough investigation into OpenAI, the American tech giant, following its recent announcement of a cutting-edge AI model named ‘Sora.’

This new model can generate dynamic, realistic, and imaginative scenes from simple text prompts.

Amidst growing concerns over data privacy, the DPA is examining the potential impact ‘Sora’ could have on handling personal data within the European Union, with a specific focus on Italian users.

Cyber Attack 

  1. RA World Ransomware

The RA World ransomware, previously known as the RA Group, has been a significant threat to organizations worldwide since its emergence in April 2023.

Focusing on the healthcare and financial sectors, the ransomware has predominantly targeted entities in the United States while also affecting organizations in Germany, India, and Taiwan.

  2. French Government DDoS Attack

Several French government websites faced disruptions due to a severe Distributed Denial of Service (DDoS) attack, marking a concerning escalation in cyber threats against state infrastructure.

The attack commenced in the early hours of Sunday, rapidly escalating in intensity.

Cloudflare’s Radar service detected the onslaught, which saw a brief lull before resurging to sustain a significant level of disruption for approximately six hours.

  3. RedLine Malware

The cybersecurity landscape has been shaken by the discovery that a single piece of malware, known as RedLine, has stolen over 170 million passwords in the past six months.

This alarming statistic has placed RedLine at the forefront of cyber threats, accounting for nearly half of all stolen credentials analyzed during this period.

  4. Chrome Real-Time Phishing Protection

Google has announced an upgrade to its Safe Browsing technology, which will provide Chrome users with real-time protection against phishing, malware, and other malicious sites.

This enhancement is set to revolutionize how users navigate the web, ensuring safety without compromising privacy.

For over 15 years, Google Safe Browsing has been a bulwark against online threats, safeguarding users across more than 5 billion devices worldwide.

  5. Hackers Abuse Amazon & GitHub

Hackers target platforms such as Amazon and GitHub because they host valuable resources and data.

They intrude on these platforms to steal data, deploy malicious software, or launch other cyber attacks, usually for financial gain or other malicious motives.

Cybersecurity analysts at FortiGuard Labs uncovered that hackers actively abuse Amazon and GitHub to deploy Java-based malware.

  6. Hackers Deliver MSIX Malware

Cybercriminals abuse free apps to exploit the many people who use them.

The broad user base provides a larger attack surface that ensures effective distribution of malware.

In addition, third-party plugins or features integrated into freemium apps can be exploited by attackers to gain unauthorized access.

  7. KrustyLoader Backdoor Attack

Recent developments within the cybersecurity landscape have included the emergence of KrustyLoader, a sophisticated Rust-based backdoor that has caught the attention of multiple industry experts.

This malware boasts Windows and Linux variants and has been implicated in targeted attacks, with significant implications for cybersecurity defenses across platforms.

  8. Akira Ransomware Attack

In the wake of the LockBit ransomware group’s takedown, a shift has occurred within the cybercriminal underworld, leading to a sharp rise in activities by the Akira ransomware collective.

This group, known for its sophisticated attacks, particularly against healthcare entities in the US, has seen an influx of talent from the remnants of the notorious Conti group, specifically from its post-Ryuk faction.

  9. Matanbuchus Malware-as-a-Service

The Matanbuchus malware has been reported to initiate a new campaign, exploiting XLS files to compromise Windows machines.

This sophisticated threat, known for its loader-as-a-service model, has been active for several years and poses a risk to users worldwide.

Matanbuchus, a name that has become increasingly familiar among cybersecurity experts, has found a new method to infiltrate systems.

  10. Legitimate Data-Exfiltration Tools to Hack Systems

The cybersecurity landscape has witnessed a significant evolution in ransomware attacks in recent months, with perpetrators deploying increasingly diverse data-exfiltration tools.

Symantec’s latest findings reveal that attackers have utilized at least a dozen tools for data exfiltration in the past three months alone.

This trend underscores a strategic shift towards leveraging malware and dual-use tools—legitimate software repurposed for malicious intent—to siphon data from victim organizations.

  11. VMware ESXi

Vulnerabilities in VMware’s ESXi, Workstation, and Fusion products could allow attackers to execute malicious code on affected systems.

VMware has acknowledged the presence of several vulnerabilities in its products after they were privately reported.

The company has released updates to address these issues in the affected software.

  12. DoNex Ransomware

Enterprises across the United States and Europe are on high alert as a new ransomware strain, dubbed “DoNex,” has been actively compromising companies and claiming victims.

This emergent threat has cybersecurity experts working overtime to understand the attack’s full scope and develop countermeasures.

The DoNex ransomware group has made its presence known by listing several companies as victims on their dark web portal, accessible via the Onion network.

  13. Watering Hole Attack

Evasive Panda, also known as BRONZE HIGHLAND and Daggerfly, is a Chinese-speaking APT group that has been operating since at least 2012. It has been spotted conducting cyber espionage against individuals in mainland China, Hong Kong, Macao, and Nigeria.

Southeast and East Asian governments, notably those in China, Macao, Myanmar, the Philippines, Taiwan, and Vietnam, have also been targeted, as have other groups in China and Hong Kong.

Since 2020, Evasive Panda has been capable of using adversary-in-the-middle attacks to deliver its backdoors through the update mechanisms of legitimate software.

  14. Malspam Attack

Threat actors target email addresses, as they provide a way to access personal and confidential information.

Emails often hold valuable data such as financials, login credentials, and personal messages.

The attackers could start different kinds of cyber-attacks and propagate malware via compromised email addresses.

Vulnerabilities

  1. Kubernetes Vulnerability

A new vulnerability, CVE-2023-5528, has been discovered in Kubernetes. It is a command injection vulnerability that leads to remote code execution with SYSTEM-level privileges on a compromised Windows node. Its severity has been rated 7.2 (High).

Several prerequisites must be met for a threat actor to exploit this vulnerability: the ability to apply malicious YAML files to the cluster, access to create a persistent volume that can be used during the command injection, and some level of user privilege on the affected Kubernetes cluster.

After this finding, two additional vulnerabilities with the same underlying cause were identified: an insecure function call and inadequate sanitization of user input.

  2. Windows SmartScreen Vulnerability

The operators of DarkGate leveraged a now-patched Windows Defender SmartScreen vulnerability, identified as CVE-2024-21412, as a zero-day to disseminate the complex and ever-evolving DarkGate malware.

The vulnerability tracked as CVE-2024-21412, with a CVSS base score of 8.1, is a Microsoft Defender SmartScreen vulnerability revolving around internet shortcuts.

It enables an unauthorized attacker to bypass SmartScreen security measures by deceiving a target into clicking on a specially crafted file.

  3. Critical ChatGPT Plugins Flaw

Threat actors can exploit ChatGPT’s ecosystem for several illicit purposes, such as crafting prompts to generate malicious code, phishing lures, and disinformation content.

Threat actors can even use ChatGPT’s exceptional capabilities to craft and launch sophisticated and stealthy cyberattacks.

Besides this, they can also exploit the vulnerabilities in ChatGPT extensions or plugins to gain unauthorized access to user data or external systems.

  4. Document Publishing (DDP) Websites Abuse

Threat actors have been observed hosting phishing documents on legitimate digital document publishing (DDP) sites as part of ongoing credential-harvesting and session-harvesting attempts.

Since DDP sites are unlikely to be blocked by web filters, have a good reputation, and could give visitors the impression that they are trustworthy, hosting phishing lures on these sites increases the chance of a successful phishing attack.

“Digital Document Publishing sites” are online platforms that let users upload and share PDF files in a browser-based flipbook format.

  5. Fortinet FortiOS

Fortinet has disclosed a critical vulnerability in its FortiOS and FortiProxy captive portal systems. The vulnerability could allow attackers to execute arbitrary code through specially crafted HTTP requests.

This revelation underscores the ongoing challenges in safeguarding digital infrastructures against sophisticated threats.

  6. SAP Security Patch

Organizations using SAP products are urged to prioritize patching vulnerabilities outlined in the latest SAP Security Notes, released on 12 March 2024, SAP Security Patch Day.

SAP Security Notes are official communications from SAP that detail newly identified vulnerabilities within their software products.

  7. Stanford University Hack

The Stanford University data breach involved a ransomware attack by the Akira ransomware gang.

The breach occurred between May 12, 2023, and September 27, 2023, with the university discovering the attack on September 27, 2023.

The compromised information varied but could include dates of birth, Social Security numbers, government IDs, passport numbers, driver’s licenses, and potentially biometric data, health/medical information, email addresses with passwords, usernames with passwords, security questions and answers, digital signatures, and credit card information with security codes.

  8. Google’s Gemini AI Vulnerability

Researchers at HiddenLayer have unveiled a series of vulnerabilities within Google’s Gemini AI that could allow attackers to manipulate user queries and control the output of large language models (LLMs).

This revelation has raised concerns over the security and integrity of AI-driven content generation and its implications for misinformation spread and data privacy.

The Gemini suite, Google’s latest foray into the realm of LLMs, comprises three different model sizes: Nano, Pro, and Ultra.

  9. ChatGPT-Next-Web SSRF Vulnerability

There are advantages to using standalone AI chatbots over cloud-based alternatives such as OpenAI; however, there are also some security risks.

Research shows that NextChat, a popular standalone chatbot with over 7,500 exposed instances, is affected by a critical SSRF vulnerability (CVE-2023-49785) that potentially allows attackers to access internal systems and data.

The vulnerability was reported to the vendor in November 2023, but since no patch was available after 90 days, technical details were publicly released.

  10. WordPress Plugin Flaw

Over 200,000 websites have been left vulnerable to Cross-Site Scripting (XSS) attacks due to a flaw in the Ultimate Member plugin for WordPress.

This vulnerability, discovered by a researcher known as stealthcopter, underscores the ongoing risks in the digital ecosystem and highlights the critical role of cybersecurity firms like Wordfence in safeguarding the web.

  11. Hackers Hijacked TeamCity Servers

BianLian attackers exploited a TeamCity vulnerability (CVE-2024-27198 or CVE-2023-42793) to gain initial access and move laterally within the network. 

They deployed a PowerShell backdoor disguised as legitimate tools that use two-layer obfuscation with encryption and string substitution to communicate with a Command and Control (C2) server. 

Researchers at Guidepoint Security linked this backdoor to the BianLian group based on its functionalities, SSL communication, and communication with a server identified as running BianLian’s GO backdoor.

  12. WordPress Builder Plugin Flaw

A recent surge in attacks from a new malware campaign exploits a known vulnerability in the WordPress plugin Popup Builder, infecting over 3,300 websites with XSS attacks.

A recent Balada Injector campaign discovered in January exploited a cross-site scripting (XSS) vulnerability tracked as CVE-2023-6000, with a CVSS base score of 8.8.

Sucuri reports an increase in attacks over the last three weeks from an ongoing malware campaign that takes advantage of the same Popup Builder vulnerability in versions 4.2.3 and earlier.

  13. QNAP Vulnerabilities

QNAP has disclosed a series of vulnerabilities within its operating systems and applications that could potentially allow attackers to compromise system security and execute malicious commands.

These vulnerabilities, identified as CVE-2024-21899, CVE-2024-21900, and CVE-2024-21901, pose significant risks to users of affected QNAP devices.

The company has promptly responded by releasing updates to mitigate these vulnerabilities.

  14. PoC Exploit Released

A Proof of Concept (PoC) exploit has been released for a vulnerability in the OpenEdge Authentication Gateway and AdminServer.

This vulnerability, CVE-2024-1403, affects multiple versions of the OpenEdge platform and could allow unauthorized access to sensitive systems.

  15. Nigerian National Pleads Guilty

Henry Onyedikachi Echefu, a 32-year-old Nigerian national, has admitted to his role in a sophisticated business email compromise (BEC) scheme and money laundering activities.

This case highlights the global nature of cybercrime and the importance of international cooperation in bringing perpetrators to justice.

Henry Onyedikachi Echefu, originally from Nigeria and residing in South Africa during his criminal activities, has recently faced the consequences of his actions in a United States courtroom.