THN Summary: Major Cybersecurity Risks, Tools, and Techniques (Oct 28 – Nov 03)

Nov 04, 2024The Hacker NewsWeekly Summary / Cybersecurity

This past week turned out to be a chaotic digital scenario! Cybercriminals seemed determined to disrupt normalcy by targeting various digital facets, from web browsers to sophisticated surveillance cameras reminiscent of espionage movies. (Yes, those cameras that twist and turn to capture all angles! 🕵️‍♀️)

The week saw the emergence of password-snatching bots, discreet browser extensions that monitor activities, and even adept cloud intruders! 🥷 This may compel one to consider tossing their mobile device into the sea. (But hold that thought, you’ll need it to peruse this newsletter!)

The bright side? We have exclusive insights into all the recent commotion. Consider this newsletter as your secret weapon for navigating the digital chaos. We will decode the major risks and equip you with the wisdom to outsmart those bothersome cyber attackers. Let’s dive in!

⚡ Risk Highlight of the Week

Play Ransomware Linked to North Korean Hackers: In a significant development blurring the lines between state-sponsored and criminal cyber groups, it has come to light that the North Korean state-backed hacking unit known as Andariel potentially collaborated with the Play ransomware operators in a digital ransom attack that occurred in September 2024. The initial infiltration took place in May 2024. The incident coincided with an intrusion campaign that targeted three U.S. organizations in August 2024 for likely financial purposes.

SANS Cyber Defense Initiative 2024

Polish Your Cybersecurity Proficiency with SANS at CDI 2024 + Grab a $1,950 Perk!

Access top-notch cybersecurity education at SANS CDI 2024, scheduled for December 13-18 in Washington, DC. Armed with over 40 expert-taught courses, you’ll acquire practical skills along with a $1,950 benefit, encompassing extended lab privileges and a GIAC certification attempt when you undertake in-person training! Offer expires on November 11.

Enhance Your Expertise Now!

🔔 Major Updates

  • Chinese Threat Actor Utilizes Quad7 Botnet for Password Spraying: Microsoft has identified a Chinese threat actor dubbed Storm-0940 that is leveraging a botnet named Quad7 (also known as CovertNetwork-1658) to orchestrate sophisticated password spray attacks. These attacks facilitate the pilfering of credentials from various Microsoft clients, subsequently enabling network infiltration and post-exploitation maneuvers.
  • Opera Rectifies Vulnerability Potentially Exposing Confidential Data: A new browser flaw dubbed CrossBarking has been disclosed in the Opera web browser, compromising private application programming interfaces (APIs) to allow illicit access to sensitive data. The attack mechanism involves the use of a malicious browser extension to execute malevolent code within sites possessing access to said private APIs. These sites encompass Opera’s internal sub-domains as well as external domains like Instagram, VK, and Yandex.
  • Evasive Panda Adopts Fresh Tool for Harvesting Cloud Information: The China-associated threat actor identified as Evasive Panda infected a governmental entity and a religious body in Taiwan with a novel post-compromise toolset bearing the alias CloudScout, designed for extracting data from Google Drive, Gmail, and Outlook. The illicit operation was detected between May 2022 and February 2023.
  • Operation Magnus Disrupts RedLine and MetaStealer Malware: A coordinated law enforcement operation spearheaded by the Dutch National Police resulted in dismantling the infrastructure tied to RedLine and MetaStealer malware. This initiative led to the closure of three servers in the Netherlands and the seizure of two domains. Concurrently, one unnamed individual has been apprehended, while a Russian national named Maxim Rudometov has been indicted for serving as one of RedLine Stealer’s architects and administrators.
  • Windows Rollback Exploited for Kernel-Level Code Execution: Recent investigations have revealed that a tool capable of reverting an up-to-date Windows installation to a prior version could be weaponized to roll back the patch for a Driver Signature Enforcement (DSE) bypass, permitting the loading of unsigned kernel drivers and thereby enabling arbitrary code execution at kernel level. Microsoft is actively developing a security patch to counter this threat.
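The Storm-0940 item above describes the spray pattern from the attacker's side; the defender's counterpart is spotting it in sign-in logs. This is an added example (not code from the original article or from Microsoft): a small detector over constructed sign-in records that flags a window in which many distinct accounts fail a few times each from several source addresses, then lists any successful sign-in from a source seen spraying. The log format, thresholds and addresses are assumptions.

```python
"""Password-spray detection over constructed sign-in logs (added example).

A spray is the inverse of brute force: few attempts per account spread across
many accounts, often from many source addresses when a botnet is used. Per-account
lockout thresholds never trip, so the signal is breadth of failing accounts, not depth.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format): "<ISO time> <src_ip> <user> <result>"
SAMPLE_LOG = """\
2024-10-29T08:00:01 203.0.113.10 alice FAIL
2024-10-29T08:00:07 203.0.113.11 bob FAIL
2024-10-29T08:00:15 203.0.113.12 carol FAIL
2024-10-29T08:00:22 203.0.113.10 dave FAIL
2024-10-29T08:00:31 203.0.113.13 erin FAIL
2024-10-29T08:00:40 203.0.113.11 frank FAIL
2024-10-29T08:01:02 203.0.113.12 grace SUCCESS
2024-10-29T09:30:00 198.51.100.7 alice FAIL
2024-10-29T09:30:05 198.51.100.7 alice FAIL
2024-10-29T09:30:09 198.51.100.7 alice SUCCESS
"""

def parse(log_text):
    """Turn raw lines into time-ordered (timestamp, src_ip, user, result) tuples."""
    rows = [line.split() for line in log_text.splitlines() if line.strip()]
    return sorted((datetime.fromisoformat(t), ip, u, r) for t, ip, u, r in rows)

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Alert on windows where >= min_users distinct accounts fail and no single
    account fails more than max_per_user times (a brute force would exceed it)."""
    fails = [e for e in events if e[3] == "FAIL"]
    alerts, i = [], 0
    while i < len(fails):
        start, per_user, ips, j = fails[i][0], defaultdict(int), set(), i
        while j < len(fails) and fails[j][0] - start <= window:
            per_user[fails[j][2]] += 1
            ips.add(fails[j][1])
            j += 1
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            alerts.append({"start": start, "users": sorted(per_user), "sources": sorted(ips)})
            i = j  # skip past the alerted window so one spray yields one alert
        else:
            i += 1
    return alerts

def successes_from_spray_sources(events, alerts):
    """Follow-up check: a successful sign-in from a source seen spraying is a
    likely credential compromise, so that account should be reset and reviewed."""
    spray_ips = {ip for a in alerts for ip in a["sources"]}
    return [(u, ip) for _, ip, u, r in events if r == "SUCCESS" and ip in spray_ips]
```

On the sample data the single 08:00 window is flagged as a spray, while alice's three rapid attempts at 09:30 are not (one account, several failures, which is a brute-force shape rather than a spray).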

‎️‍🔥 Trending Vulnerabilities

CVE-2024-50550, CVE-2024-7474, CVE-2024-7475, CVE-2024-5982, CVE-2024-10386, CVE-2023-6943, CVE-2023-2060, CVE-2024-45274, CVE-2024-45275, CVE-2024-51774

📰 Cyber World News

  • PTZ Cameras Vulnerabilities: Malicious actors are actively exploiting two previously unknown vulnerabilities in pan-tilt-zoom (PTZ) live streaming cameras that are commonly used in industrial, healthcare, business conferences, government, religious institutions, and courtroom environments. The affected cameras run on VHD PTZ camera firmware version < 6.3.40, which is present in devices from PTZOptics, Multicam Systems SAS, and SMTAV Corporation utilizing Hisilicon Hi3516A V600 SoC V60, V61, and V63. These vulnerabilities, identified as CVE-2024-8956 and CVE-2024-8957, allow threat actors to bypass passwords and execute unauthorized operating system commands, resulting in complete device takeover. According to GreyNoise’s report, “Exploiting these vulnerabilities could grant an attacker full control over the camera, enabling them to manipulate or view video streams, and gain illicit access to sensitive data. In addition, the compromised devices could be conscripted into botnets for launching denial-of-service attacks.” PTZOptics has released firmware updates to address these security issues.
  • NetIQ iManager Vulnerabilities: A series of security weaknesses have been uncovered in OpenText NetIQ iManager, an enterprise directory management tool. Some of these flaws can be chained together by an attacker to achieve pre-authentication remote code execution. Moreover, a threat actor with valid credentials could exploit these vulnerabilities to escalate their privileges within the platform, eventually leading to post-authenticated code execution. The identified vulnerabilities were patched in version 3.2.6.0300 released in April 2024.
  • Phish ‘n’ Ships Fraud Scheme: A large-scale fraud operation known as Phish ‘n’ Ships has been discovered, involving the infection of legitimate websites with malicious code to direct users to a network of counterfeit online stores. Upon clicking on fake product links, unsuspecting users are redirected to rogue websites controlled by the attackers, where they are prompted to submit their credit card details for purchases. This operation, ongoing since 2019, has infected over 1,000 websites and set up 121 fraudulent online shops to deceive consumers. HUMAN, in its statement revealed, “The perpetrators exploited various well-known vulnerabilities to compromise a wide range of websites and create fake product listings that would prominently appear in search engine results. The payment process diverts users to a different online store that interfaces with one of four payment processors to complete the transaction. The attacker receives the payment, but the purchased item is never delivered.” Phish ‘n’ Ships shares similarities with another criminal e-commerce network named BogusBazaar, which surfaced earlier this year.
  • Funnull’s Involvement in Scams: Funnull, the Chinese company that recently acquired the Polyfill[.]io JavaScript library, has been associated with investment scams, phony trading applications, and questionable gambling networks. This malicious infrastructure network has been codenamed Triad Nexus. In a recent incident, the company was caught injecting malware into polyfill.js files, causing users to be redirected to gambling websites. Silent Push indicated in its report, “Before the polyfill[.]io supply chain attack, ACB Group – the parent entity owning Funnull’s CDN – operated a public webpage under ‘acb[.]bet,’ which is now offline. ACB Group claims ownership of Funnull[.]io and several other sports and betting brands.”
  • Fix for AC Charging Controllers Security Issues: Researchers in the field of cybersecurity have recently uncovered a series of security flaws in the firmware of Phoenix Contact CHARX SEC-3100 AC charging controllers. These vulnerabilities could enable a remote unauthenticated attacker to reset the account password to its default state, upload unauthorized scripts, elevate privileges, and execute arbitrary code with root-level access.

🔥 Helpful Resources, Guidelines & Insights

🎥 Expert Webinar

Discover LUCR-3’s Strategies for Identity Exploitation and How to Prevent Them

Participate in an exclusive webinar hosted by Ian Ahl to delve into LUCR-3’s sophisticated identity-centric attack methodologies targeting cloud and SaaS ecosystems.

Gain valuable insights into identifying and mitigating breaches to safeguard your organization against these advanced threats. Don’t miss out—secure your spot now and fortify your defenses.

🔧 Cybersecurity Utilities

  • SAIF Risk Assessment — Google has introduced the SAIF Risk Assessment, a tool for cybersecurity practitioners to bolster AI security protocols. It offers tailored checklists to address risks like Data Poisoning and Prompt Injection, translating complex frameworks into actionable insights, and provides instant vulnerability reports for your AI systems, helping you rectify issues such as Model Source Tampering.
  • CVEMap — A new user-friendly tool designed for navigating the intricate landscape of Common Vulnerabilities and Exposures (CVE). This command-line interface (CLI) utility streamlines the process of exploring diverse vulnerability databases, making it easier to access and manage information pertaining to security vulnerabilities.

🔒 Tip of the Week

Essential Strategies for Mobile Security — To strengthen your mobile security posture:

  • Prioritize vetted open-source applications endorsed by cybersecurity experts to mitigate latent threats.
  • Use network monitoring tools such as NetGuard or AFWall+ to create per-app firewall rules that control internet access, so only trusted applications are granted connectivity.
  • Scrutinize app permissions with a permission manager that reveals the scope of background and foreground access.
  • Use a DNS resolver like NextDNS or Quad9 to block harmful websites and thwart phishing attempts before they reach your device.
  • Opt for privacy-focused web browsers like Firefox Focus or Brave, which block trackers and advertisements by default.
  • Monitor device activity logs with utilities such as Syslog Viewer to identify unauthorized processes or potential data breaches.
  • Isolate apps that require sensitive permissions using containment mechanisms like Island or Shelter.
  • Choose applications that have undergone independent security audits, and configure VPNs with WireGuard for encrypted, low-latency network connections.
  • Routinely update your firmware to patch vulnerabilities, and consider a hardened mobile operating system such as GrapheneOS or LineageOS to minimize your attack surface and defend against prevalent exploits.

Conclusion

That’s all for this week’s cyber escapades! Quite an eye-opener, isn’t it? Here’s a mind-boggling statistic: Did you know that a new cyberattack emerges somewhere in the world every 39 seconds? Stay vigilant out there! And for those aspiring cyber-ninjas, make sure to explore our website for the latest hacker updates. See you next week! 👋

This article is a contributed piece from one of our esteemed partners.