
Monday, November 11, 2024

The Hacker News Newsletter

"THN Recap-Top cybersecurity threats, tools, and practices."

Views expressed in this cybersecurity, cyber crime update are those of the reporters and correspondents.  Accessed on 11 November 2024, 1627 UTC.

Content and Source:  https://hackernewsletter.com.

Please check link or scroll down to read your selections. Thanks for joining us today.

Russ Roberts (https://www.hawaiicybersecurityjournal.net).

 

The Hacker News

THN Recap - Top Cybersecurity Threats, Tools, and Practices (Nov 04 - Nov 10)

THN Cybersecurity Recap

⚠️ Imagine this: the very tools you trust to protect you online—your two-factor authentication, your car’s tech system, even your security software—turned into silent allies for hackers. Sounds like a scene from a thriller, right? Yet, in 2024, this isn’t fiction; it’s the new cyber reality. Today’s attackers have become so sophisticated that they’re using our trusted tools as secret pathways, slipping past defenses without a trace.


For banks, this is especially alarming. Today’s malware doesn’t just steal codes; it targets the very trust that digital banking relies on. These threats are more advanced and smarter than ever, often staying a step ahead of defenses.


And it doesn’t stop there. Critical systems that power our cities are at risk too. Hackers are hiding within the very tools that run these essential services, making them harder to detect and harder to stop. It’s a high-stakes game of hide-and-seek, where each move raises the risk.


As these threats grow, let’s dive into the most urgent security issues, vulnerabilities, and cyber trends this week.

⚡ Threat of the Week

FBI Probes China-Linked Global Hacks: The FBI is urgently calling for public assistance in a global investigation into sophisticated cyber attacks targeting companies and government agencies. Chinese state-sponsored hacking groups—identified as APT31, APT41, and Volt Typhoon—have breached edge devices and computer networks worldwide.


Exploiting zero-day vulnerabilities in edge infrastructure appliances from vendors like Sophos, these threat actors have deployed custom malware to maintain persistent remote access and repurpose compromised devices as stealthy proxies. This tactic allows them to conduct surveillance, espionage, and potentially sabotage operations while remaining undetected.

Tips for Organizations:

  • Update and Patch Systems: Immediately apply the latest security updates to all edge devices and firewalls, particularly those from Sophos, to mitigate known vulnerabilities like CVE-2020-12271, CVE-2020-15069, CVE-2020-29574, CVE-2022-1040, and CVE-2022-3236.

  • Monitor for Known Malware: Implement advanced security solutions capable of detecting malware such as Asnarök, Gh0st RAT, and Pygmy Goat. Regularly scan your network for signs of these threats.

  • Enhance Network Security: Deploy intrusion detection and prevention systems to monitor for unusual network activity, including unexpected ICMP traffic that could indicate backdoor communications.

Microsoft 365 Cyber Resilience: 3 Keys to Success


Unlock top-tier cybersecurity training at SANS CDI 2024, December 13-18 in Washington, DC. With over 40 expert-led courses, you'll gain practical skills and a $1,950 bonus, including extended lab access and a GIAC certification attempt when you train in-person! Offer ends November 11.

WATCH NOW

Top News

  • Android Banking Trojan ToxicPanda Targets Europe: A new Android banking trojan dubbed ToxicPanda has been observed targeting over a dozen banks in Europe and Latin America. It's so named for its Chinese roots and its similarities with another Android-focused malware named TgToxic. ToxicPanda comes with remote access trojan (RAT) capabilities, enabling the attackers to carry out account takeover attacks and on-device fraud (ODF). Besides obtaining access to sensitive permissions, it can intercept one-time passwords received by the device via SMS or those generated by authenticator apps, which enables the cybercriminals to bypass multi-factor authentication. The threat actors behind ToxicPanda are likely Chinese speakers.

  • VEILDrive Attack Exploits Microsoft Services: An ongoing threat campaign dubbed VEILDrive has been observed taking advantage of legitimate services from Microsoft, including Teams, SharePoint, Quick Assist, and OneDrive, as part of its modus operandi. In doing so, it allows the threat actors to evade detection. The attack has been so far spotted targeting an unnamed critical infrastructure entity in the U.S. It's currently not known who is behind the campaign.

  • Crypto Firms Targeted with New macOS backdoor: The North Korean threat actor known as BlueNoroff has targeted cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices. Unlike other recent campaigns linked to North Korea, the latest effort uses emails propagating fake news about cryptocurrency trends to infect targets with a backdoor that can execute attacker-issued commands. The development comes as the APT37 North Korean state-backed group has been linked to a new spear-phishing campaign distributing the RokRAT malware.

  • Windows Hosts Targeted by QEMU Linux Instance: A new malware campaign codenamed CRON#TRAP is infecting Windows systems with a Linux virtual instance containing a backdoor capable of establishing remote access to the compromised hosts. This allows the unidentified threat actors to maintain a stealthy presence on the victim's machine.

  • AndroxGh0st Malware Integrates Mozi Botnet: The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, alongside deploying the Mozi botnet malware. While Mozi suffered a steep decline in activity last year, the new integration raises the possibility of an operational alliance, allowing it to propagate to more devices than ever before.


Trending CVEs

Recently trending CVEs include: CVE-2024-39719, CVE-2024-39720, CVE-2024-39721, CVE-2024-39722, CVE-2024-43093, CVE-2024-10443, CVE-2024-50387, CVE-2024-50388, CVE-2024-50389, CVE-2024-20418, CVE-2024-5910, CVE-2024-42509, CVE-2024-47460, CVE-2024-33661, CVE-2024-33662. Each of these vulnerabilities represents a significant security risk, emphasizing the importance of regular updates and monitoring to protect data and systems.

Around the Cyber World

  • Unpatched Flaws Allow Hacking of Mazda Cars: Multiple security vulnerabilities identified in the Mazda Connect Connectivity Master Unit (CMU) infotainment unit (from CVE-2024-8355 through CVE-2024-8360), which is used in several models between 2014 and 2021, could allow for execution of arbitrary code with elevated permissions. Even more troublingly, they could be abused to obtain persistent compromise by installing a malicious firmware version and gain direct access to the connected controller area networks (CAN buses) of the vehicle. The flaws remain unpatched, likely because they all require an attacker to physically insert a malicious USB into the center console. "A physically present attacker could exploit these vulnerabilities by connecting a specially crafted USB device – such as an iPod or mass storage device – to the target system," security researcher Dmitry Janushkevich said. "Successful exploitation of some of these vulnerabilities results in arbitrary code execution with root privileges."

  • Germany Drafts Law to Protect Researchers Reporting Flaws: The Federal Ministry of Justice in Germany has drafted a law to provide legal protection to researchers who discover and responsibly report security vulnerabilities to vendors. "Those who want to close IT security gaps deserve recognition—not a letter from the prosecutor," the ministry said. "With this draft law, we will eliminate the risk of criminal liability for people who take on this important task." The draft law also proposes a penalty of three months to five years in prison for severe cases of malicious data spying and data interception that include acts motivated by profit, those that result in substantial financial damage, or compromise critical infrastructure.

  • Over 30 Vulnerabilities Found in IBM Security Verify Access: Nearly three dozen vulnerabilities have been disclosed in IBM Security Verify Access (ISVA) that, if successfully exploited, could allow attackers to escalate privileges, access sensitive information, and compromise the entire authentication infrastructure. The vulnerabilities were found in October 2022 and were communicated to IBM at the beginning of 2023 by security researcher Pierre Barre. A majority of the issues were eventually patched at the end of June 2024.

  • Silent Skimmer Actor Makes a Comeback: Organizations that host or create payment infrastructure and gateways are being targeted as part of a new campaign mounted by the same threat actors behind the Silent Skimmer credit card skimming campaign. Dubbed CL-CRI-0941, the activity is characterized by the compromise of web servers to gain access to victim environments and gather payment information. "The threat actor gained an initial foothold on the servers by exploiting a couple of one-day Telerik user interface (UI) vulnerabilities," Palo Alto Networks Unit 42 said. The flaws include CVE-2017-11317 and CVE-2019-18935. Some of the other tools used in the attacks are reverse shells for remote access, tunneling and proxy utilities such as Fuso and FRP, GodPotato for privilege escalation, and RingQ to retrieve and launch the Python script responsible for harvesting the payment information to a .CSV file.

  • Seoul Accuses Pro-Kremlin Hacktivists of Targeting South Korea: As North Korea joins hands with Russia in the ongoing Russo-Ukrainian War, DDoS attacks on South Korea have ramped up, the President's Office said. "Their attacks are mainly private-targeted hacks and distributed denial-of-service (DDoS) attacks targeting government agency home pages," according to a statement. "Access to some organizations' websites has been temporarily delayed or disconnected, but aside from that, there has been no significant damage."

  • Canada Predicts Indian State-Sponsored Attacks amid Diplomatic Feud: Canada has identified India as an emerging cyber threat in the wake of growing geopolitical tensions between the two countries over the assassination of a Sikh separatist on Canadian soil. "India very likely uses its cyber program to advance its national security imperatives, including espionage, counterterrorism, and the country's efforts to promote its global status and counter narratives against India and the Indian government," the Canadian Centre for Cyber Security said. "We assess that India's cyber program likely leverages commercial cyber vendors to enhance its operations."

  • Apple's New iOS Feature Reboots iPhones after 4 Days of Inactivity: Apple has reportedly introduced a new security feature in iOS 18.1 that automatically reboots iPhones that haven't been unlocked for a period of four days, according to 404 Media. The newly added code, called "inactivity reboot," triggers the restart so as to revert the phone to a more secure state called "Before First Unlock" (aka BFU) that forces users to enter the passcode or PIN in order to access the device. The new feature has apparently frustrated law enforcement efforts to break into the devices as part of criminal investigations. Apple has yet to formally comment on the feature.

Resources, Guides & Insights

Infosec Expert Webinar

1️⃣ Turn Boring Cybersecurity Training into Engaging, Story-Driven Lessons — Traditional cybersecurity training is outdated. Huntress SAT is using storytelling to make learning engaging, memorable, and effective. Gamification + phishing defense = a game-changing approach to security. Ready to transform your team’s security awareness? Join the webinar NOW!


2️⃣ How Certificate Revocations Impact Your Security (and How to Fix It Fast): Certificate revocations can disrupt operations, but automation is the game-changer! Discover how rapid certificate replacement, crypto agility, and proactive strategies can keep your systems secure with minimal downtime.

Cybersecurity Tools

P0 Labs recently announced the release of new open-source tools designed to enhance detection capabilities for security teams facing diverse attack vectors. 

  • YetiHunter - Detects indicators of compromise in Snowflake environments.

  • CloudGrappler - Queries high-fidelity, single-event detections related to well-known threat actors in cloud environments like AWS and Azure.

  • DetentionDodger - Identifies identities with leaked credentials and assesses potential impact based on privileges.

  • BucketShield - A monitoring and alerting system for AWS S3 buckets and CloudTrail logs, ensuring consistent log flow and audit-readiness.

  • CAPICHE Detection Framework (Cloud API Conversion Helper Express) - Simplifies cloud API detection rule creation, supporting defenders in creating multiple detection rules from grouped APIs.

Tip of the Week: Strengthen Security with Smarter Application Whitelisting

Lock down your Windows system like a pro by using built-in tools as your first line of defense. Start with Microsoft Defender Application Control (WDAC) and AppLocker to control which apps can run - think of it as a bouncer that only lets trusted apps into your club. Roll the policy out in audit-only mode first and review the "would have been blocked" events before you enforce it, otherwise the first thing it blocks will be a line-of-business app. Keep an eye on what's happening with Sysinternals Process Explorer (it's like CCTV for your running programs) and use the Windows Security app's Controlled folder access and SmartScreen to guard your browsers and folders. For older Windows versions that lack AppLocker, Software Restriction Policies (SRP) will do the job. Remember to set up alerts so you know when something suspicious happens.

Don't trust any app until it proves itself - check for digital signatures (like an app's ID card) and use PowerShell safely by requiring signed scripts only (the AllSigned execution policy). Bear in mind that execution policy is a guard against accidentally running scripts, not a security boundary; an attacker who can already run code on the box can bypass it, so it supplements application control rather than replacing it. Keep risky apps in a sandbox (like Windows Sandbox or a VMware virtual machine) - it's like a quarantine zone where apps can't hurt your main system. Watch your network with Windows Firewall and GlassWire to spot any apps making suspicious connections. When it's time for updates, test them on a pilot group first using WSUS or Windows Update for Business deployment rings. Keep logs of everything using Windows Event Forwarding and Sysmon, and review them regularly to spot any trouble. The key is layering these tools - if one fails, the others will catch the threat.
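The audit-first AppLocker rollout the tip describes, as an added example that is not code from the newsletter or from Microsoft. It builds an allow-list from a clean reference machine, applies it in audit-only mode, shows what the policy would have blocked, and only then points at enforcement; the final step sets the AllSigned execution policy and checks a script's signature. It assumes an elevated PowerShell session on a Windows edition that supports AppLocker enforcement (Windows 10/11 Enterprise or Education, or Windows Server); the scanned directories and the XML file location are assumptions you should adjust for your own image.

```powershell
# Added example (not from The Hacker News or Microsoft): audit-first AppLocker
# rollout on one machine. Requires an elevated session on an edition that
# enforces AppLocker. Directory list and policy path below are assumptions.

$policyXml = Join-Path $env:ProgramData 'AppLocker\allowlist.xml'   # assumed path
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

# 1. Inventory executables and scripts in the locations you trust. Publisher
#    rules are generated where a file is Authenticode-signed; unsigned files
#    fall back to hash rules (the -RuleType order is the preference order).
$trustedDirs = 'C:\Windows', 'C:\Program Files', 'C:\Program Files (x86)'
$fileInfo = foreach ($dir in $trustedDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script
}

New-AppLockerPolicy -FileInformation $fileInfo -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml | Out-File -FilePath $policyXml -Encoding utf8

# 2. Force every rule collection into AuditOnly. In this mode AppLocker logs
#    Event ID 8003 ("would have been blocked") instead of denying execution.
[xml]$doc = Get-Content -Path $policyXml -Raw
foreach ($collection in $doc.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$doc.Save($policyXml)

# 3. AppLocker only evaluates rules while the Application Identity service is
#    running. On current Windows builds its start type can only be changed
#    with sc.exe (Set-Service is denied).
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Apply locally. For a domain, use Set-AppLockerPolicy -Ldap against the GPO
# instead, and keep AuditOnly for at least one full business cycle.
Set-AppLockerPolicy -XmlPolicy $policyXml

# 4. Dry-run the policy against what users actually download. Anything listed
#    here as Denied/DeniedByDefault needs a rule or a conscious block decision.
Get-ChildItem -Path "$env:PUBLIC\Downloads", "$env:USERPROFILE\Downloads" -Filter *.exe -ErrorAction SilentlyContinue |
    Test-AppLockerPolicy -XmlPolicy $policyXml -User Everyone -Filter Denied, DeniedByDefault

# 5. Review the audit trail. 8003 = allowed, but would be blocked once
#    enforced; after you switch to Enabled, 8004 = blocked. Forward these
#    logs with WEF and alert on 8004 spikes.
$auditLogs = 'Microsoft-Windows-AppLocker/EXE and DLL', 'Microsoft-Windows-AppLocker/MSI and Script'
Get-WinEvent -FilterHashtable @{ LogName = $auditLogs; Id = 8003 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ Name = 'Detail'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# 6. Signed scripts only. Execution policy is a safety rail, not a security
#    boundary, so it complements the Script rule collection above.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
Get-AuthenticodeSignature -FilePath "$PSHOME\Modules\PSDiagnostics\PSDiagnostics.psm1" |
    Select-Object Status, @{ Name = 'Signer'; Expression = { $_.SignerCertificate.Subject } }

# When the 8003 stream has been quiet for a while, change EnforcementMode to
# 'Enabled' in the same XML and re-run Set-AppLockerPolicy.
```

The order matters: the policy file is written with every collection in AuditOnly before it is applied, so the first Set-AppLockerPolicy call can never lock anyone out, and step 4 surfaces the gaps (line-of-business installers in user profiles, unsigned internal tools) while there is still time to add publisher or hash rules for them.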

Conclusion

As we face this new wave of cyber threats, it’s clear that the line between safety and risk is getting harder to see. In our connected world, every system, device, and tool can either protect us or be used against us. Staying safe now means more than just better defenses; it means staying aware of new tactics that change every day. From banking to the systems that keep our cities running, no area is immune to these risks.


Moving forward, the best way to protect ourselves is to stay alert, keep learning, and always be ready for the next threat. Don’t forget to subscribe for our next edition.

Follow Us for More Updates

linkedin
twitter
telegram


Powered by:
GetResponse

Monday, November 4, 2024

The Hacker News Newsletter

"The Hacker News:  THN recap-Top cybersecurity threats, tools, and practices."

Views expressed in this cybersecurity, cyber crime update are those of the reporters and correspondents.  Accessed on 04 November 2024, 1254 UTC.

Content and Source:  https://hackernewsnewsletter.com.

Please check link or scroll down to read your selections.  Thanks for joining us today.

Russ Roberts (https://www.hawaiicybersecurityjournal.net).

 

The Hacker News

THN Recap - Top Cybersecurity Threats, Tools, and Practices (Oct 28 - Nov 03)

THN Cybersecurity Recap

This week was a total digital dumpster fire! Hackers were like, "Let's cause some chaos!" and went after everything from our browsers to those fancy cameras that zoom and spin. (You know, the ones they use in spy movies?)


We're talking password-stealing bots, sneaky extensions that spy on you, and even cloud-hacking ninjas! It's enough to make you want to chuck your phone in the ocean. (But don't do that, you need it to read this newsletter!)


The good news? We've got the inside scoop on all the latest drama. Think of this newsletter as your cheat sheet for surviving the digital apocalypse. We'll break down the biggest threats and give you the knowledge to outsmart those pesky hackers. Let's go!

⚡ Threat of the Week

North Korean Hackers Deploy Play Ransomware: In what's a sign of blurring boundaries between nation-state groups and cybercrime actors, it has emerged that the North Korean state-sponsored hacking crew called Andariel likely collaborated with the Play ransomware actors in a digital extortion attack that took place in September 2024. The initial compromise occurred in May 2024. The incident overlaps with an intrusion set that involved targeting three different organizations in the U.S. in August 2024 as part of a likely financially motivated attack.

Upgrade Your Cybersecurity Skills with SANS at CDI 2024 + Get a $1,950 Bonus!


Unlock top-tier cybersecurity training at SANS CDI 2024, December 13-18 in Washington, DC. With over 40 expert-led courses, you'll gain practical skills and a $1,950 bonus, including extended lab access and a GIAC certification attempt when you train in-person! Offer ends November 11.

Boost Your Skills Now!

Top News

  • Chinese Threat Actor Uses Quad7 Botnet for Password Spraying: A Chinese threat actor tracked by Microsoft as Storm-0940 is leveraging a botnet called Quad7 (aka CovertNetwork-1658) to orchestrate highly evasive password spray attacks. The attacks pave the way for the theft of credentials from multiple Microsoft customers, which are then used for infiltrating networks and conducting post-exploitation activities.

  • Opera Fixed Bug That Could Have Exposed Sensitive Data: A fresh browser attack named CrossBarking has been disclosed in the Opera web browser that abuses private application programming interfaces (APIs) to gain unauthorized access to sensitive data. The attack works by using a malicious browser extension to run malicious code in the context of sites with access to those private APIs. These sites include Opera's own sub-domains as well as third-party domains such as Instagram, VK, and Yandex.

  • Evasive Panda Uses New Tool for Exfiltrating Cloud Data: The China-linked threat actor known as Evasive Panda infected a government entity and a religious organization in Taiwan with a new post-compromise toolset codenamed CloudScout that allows for stealing data from Google Drive, Gmail, and Outlook. The activity was detected between May 2022 and February 2023.

  • Operation Magnus Disrupts RedLine and MetaStealer: A coordinated law enforcement operation led by the Dutch National Police led to the disruption of the infrastructure associated with RedLine and MetaStealer malware. The effort led to the shutdown of three servers in the Netherlands and the confiscation of two domains. In tandem, one unnamed individual has been arrested and a Russian named Maxim Rudometov has been charged for acting as one of RedLine Stealer's developers and administrators.

  • Windows Downgrade Allows for Kernel-Level Code Execution: New research has found that a tool that can roll back up-to-date Windows components to older versions could also be weaponized to revert the patch for a Driver Signature Enforcement (DSE) bypass and load unsigned kernel drivers, leading to arbitrary code execution at a privileged level. Microsoft said it's developing a security update to mitigate this threat.
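The Storm-0940 item above is a reminder that a spray run through a botnet like Quad7 defeats per-source lockout counters: each source IP tries one or two passwords against a different account and moves on. The following is an added example, not code from the newsletter or from Microsoft, of the tenant-wide view that does catch it (many distinct accounts failing within one window, each only once or twice, from many addresses), run next to the classic per-IP threshold for contrast. The sample sign-in records are constructed, and the field names (Time, User, SourceIp, Result) are assumptions you would map from Security event 4625 or Entra ID sign-in logs.

```powershell
# Added example (not from The Hacker News or Microsoft): password-spray
# detection over constructed sign-in records. Field names are assumptions;
# for real data map TimeCreated/TargetUserName/IpAddress from event 4625 or
# the equivalent Entra ID sign-in log columns.

function Find-PasswordSpray {
    <#
      A distributed spray looks like many distinct accounts failing inside one
      window, each only once or twice, from many source IPs. Per-IP lockout
      counters never trip, so count low-volume accounts instead.
    #>
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 60,
        [int] $MinAccounts   = 10,   # distinct low-volume accounts needed to alert
        [int] $MaxPerAccount = 2,    # "low volume" = at most this many failures per account
        [int] $MinSourceIps  = 5
    )
    $failures = @($Events | Where-Object { $_.Result -eq 'Failure' } | Sort-Object Time)
    $alerts = @()
    $i = 0
    while ($i -lt $failures.Count) {
        $start = $failures[$i].Time
        $end   = $start.AddMinutes($WindowMinutes)
        # Events are sorted, so the window is a contiguous slice beginning at $i.
        $window = @($failures | Where-Object { $_.Time -ge $start -and $_.Time -lt $end })
        $lowVolumeAccounts = @($window | Group-Object -Property User |
                               Where-Object { $_.Count -le $MaxPerAccount })
        $sourceIps = @($window.SourceIp | Sort-Object -Unique)
        if ($lowVolumeAccounts.Count -ge $MinAccounts -and $sourceIps.Count -ge $MinSourceIps) {
            $alerts += [pscustomobject]@{
                WindowStart       = $start
                WindowEnd         = $end
                SprayedAccounts   = $lowVolumeAccounts.Count
                DistinctSourceIps = $sourceIps.Count
                SampleAccounts    = ($lowVolumeAccounts.Name | Select-Object -First 3) -join ', '
            }
            $i += $window.Count   # skip past the window already alerted on
        } else {
            $i++
        }
    }
    return $alerts
}

function Find-PerIpBruteForce {
    # The classic per-source threshold, shown for contrast: it catches one
    # noisy IP but is blind to a spray spread one attempt per IP.
    param([object[]] $Events, [int] $Threshold = 5)
    $Events | Where-Object { $_.Result -eq 'Failure' } |
        Group-Object -Property SourceIp |
        Where-Object { $_.Count -ge $Threshold } |
        Select-Object @{ Name = 'SourceIp'; Expression = { $_.Name } }, Count
}

# ---- constructed sample data (not real telemetry) ----
$t0 = [datetime]'2024-10-28 09:00:00'
$events = @()
# Spray: 12 accounts, one failure each, from 12 different TEST-NET-3 addresses.
foreach ($n in 1..12) {
    $events += [pscustomobject]@{
        Time = $t0.AddMinutes(2 * $n); User = "user$($n)@contoso.example"
        SourceIp = "203.0.113.$n"; Result = 'Failure'
    }
}
# Background noise: one employee mistyping a password five times from one IP.
foreach ($n in 1..5) {
    $events += [pscustomobject]@{
        Time = $t0.AddMinutes(5 + $n); User = 'alice@contoso.example'
        SourceIp = '198.51.100.7'; Result = 'Failure'
    }
}
# A successful sign-in, which both detectors must ignore.
$events += [pscustomobject]@{
    Time = $t0.AddMinutes(3); User = 'bob@contoso.example'
    SourceIp = '198.51.100.9'; Result = 'Success'
}

'Per-IP threshold only sees the noisy employee (198.51.100.7, 5 failures):'
Find-PerIpBruteForce -Events $events | Format-Table -AutoSize

'Account-count detector sees the spray (12 accounts, 13 source IPs, 1 attempt each):'
Find-PasswordSpray -Events $events | Format-Table -AutoSize
```

On the constructed data the per-IP rule returns only alice's address, while Find-PasswordSpray returns one window with 12 sprayed accounts across 13 distinct sources; alice is excluded from the sprayed count because her five failures exceed MaxPerAccount. Tune MinAccounts to the tenant's size and run the query over the same window your conditional-access or smart-lockout policy uses, so an alert can be turned into a block on the affected accounts rather than on IPs that will never be seen again.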


Trending CVEs

CVE-2024-50550, CVE-2024-7474, CVE-2024-7475, CVE-2024-5982, CVE-2024-10386, CVE-2023-6943, CVE-2023-2060, CVE-2024-45274, CVE-2024-45275, CVE-2024-51774

Around the Cyber World

  • Security Flaws in PTZ Cameras: Threat actors are attempting to exploit two zero-day vulnerabilities in pan-tilt-zoom (PTZ) live streaming cameras used in industrial, healthcare, business conferences, government, religious places, and courtroom settings. Affected cameras use VHD PTZ camera firmware < 6.3.40, which are found in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on Hisilicon Hi3516A V600 SoC V60, V61, and V63. The vulnerabilities, tracked as CVE-2024-8956 and CVE-2024-8957, enable threat actors to crack passwords and execute arbitrary operating system commands, leading to device takeover. "An attacker could potentially seize full control of the camera, view and/or manipulate the video feeds, and gain unauthorized access to sensitive information," GreyNoise said. "Devices could also be potentially enlisted into a botnet and used for denial-of-service attacks." PTZOptics has issued firmware updates addressing these flaws.

  • Multiple Vulnerabilities in OpenText NetIQ iManager: Nearly a dozen flaws have been disclosed in OpenText NetIQ iManager, an enterprise directory management tool, some of which could be chained together by an attacker to achieve pre-authentication remote code execution, or allow an adversary with valid credentials to escalate their privileges within the platform and ultimately achieve post-authenticated code execution. The shortcomings were addressed in version 3.2.6.0300 released in April 2024.

  • Phish 'n' Ships Uses Fake Shops to Steal Credit Card Info: A "sprawling" fraud scheme dubbed Phish 'n' Ships has been found to drive traffic to a network of fake web shops by infecting legitimate websites with a malicious payload that's responsible for creating bogus product listings and serving these pages in search engine results. Users who click on these phony product links are redirected to a rogue website under the attacker's control, where they are asked to enter their credit card information to complete the purchase. The activity, ongoing since 2019, is said to have infected more than 1,000 websites and built 121 fake web stores in order to deceive consumers. "The threat actors used multiple well-known vulnerabilities to infect a wide variety of websites and stage fake product listings that rose to the top of search results," HUMAN said. "The checkout process then runs through a different web store, which integrates with one of four payment processors to complete the checkout. And though the consumer’s money will move to the threat actor, the item will never arrive." Phish 'n' Ships has some elements in common with BogusBazaar, another criminal e-commerce network that came to light earlier this year.

  • Funnull Behind Scam Campaigns and Gambling Sites: Funnull, the Chinese company which acquired Polyfill[.]io JavaScript library earlier this year, has been linked to investment scams, fake trading apps, and suspect gambling networks. The malicious infrastructure cluster has been codenamed Triad Nexus. In July, the company was caught inserting malware into polyfill.js that redirected users to gambling websites. "Prior to the polyfill[.]io supply chain campaign, ACB Group – the parent company that owns Funnull's CDN – had a public webpage at 'acb[.]bet,' which is currently offline," Silent Push said. "ACB Group claims to own Funnull[.]io and several other sports and betting brands."

  • Security Flaws Fixed in AC charging controllers: Cybersecurity researchers have discovered multiple security shortcomings in the firmware of Phoenix Contact CHARX SEC-3100 AC charging controllers that could allow a remote unauthenticated attacker to reset the user-app account's password to the default value, upload arbitrary script files, escalate privileges, and execute arbitrary code in the context of root. The vulnerabilities have been addressed in firmware versions 1.5.1 and 1.6.3, or later.

Resources, Guides & Insights

πŸŽ₯ Infosec Expert Webinar

Learn LUCR-3’s Identity Exploitation Tactics and How to Stop Them — Join our exclusive webinar with Ian Ahl to uncover LUCR-3’s advanced identity-based attack tactics targeting cloud and SaaS environments.


Learn practical strategies to detect and prevent breaches, and protect your organization from these sophisticated threats. Don’t miss out—register now and strengthen your defenses.

Cybersecurity Tools

  • SAIF Risk Assessment — Google introduces the SAIF Risk Assessment, an essential tool for cybersecurity professionals to enhance AI security practices. With tailored checklists for risks such as Data Poisoning and Prompt Injection, this tool translates complex frameworks into actionable insights and generates instant reports on vulnerabilities in your AI systems, helping you address issues like Model Source Tampering.

  • CVEMap — A new user-friendly tool for navigating the complex world of Common Vulnerabilities and Exposures (CVE). This command-line interface (CLI) tool simplifies the process of exploring various vulnerability databases, allowing you to easily access and manage information about security vulnerabilities.

Tip of the Week

Essential Mobile Security Practices You Need

To ensure robust mobile security, prioritize using open-source apps that have been vetted by cybersecurity experts to mitigate hidden threats. Utilize network monitoring tools such as NetGuard or AFWall+ to create custom firewall rules that restrict which apps can access the internet, ensuring only trusted ones are connected. Audit app permissions with advanced permission manager tools that reveal both background and foreground access levels. Set up a DNS resolver like NextDNS or Quad9 to block malicious sites and phishing attempts before they reach your device. For secure browsing, use privacy-centric browsers like Firefox Focus or Brave, which block trackers and ads by default. Monitor device activity logs with tools like Syslog Viewer to identify unauthorized processes or potential data exfiltration. Employ secure app sandboxes, such as Island or Shelter, to isolate apps that require risky permissions. Opt for apps that have undergone independent security audits and use VPNs configured with WireGuard for low-latency, encrypted network connections. Regularly update your firmware to patch vulnerabilities and consider using a mobile OS with security-hardening features, such as GrapheneOS or LineageOS, to limit your attack surface and guard against common exploits.


Conclusion

And that's a wrap on this week's cyber-adventures! Crazy, right? But here's a mind-blowing fact: Did you know that every 39 seconds, there's a new cyberattack somewhere in the world? Stay sharp out there! And if you want to become a true cyber-ninja, check out our website for the latest hacker news. See you next week!

