Black Basta ransomware has exploited Windows

Jun 14 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that’s got that Friday feeling 🥳🥳🥳

It’s Friday, folks, which can only mean one thing… It’s time for our weekly segment!

It goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it.

Congrats, the cybercriminals are no match… for your patch! 🩹🩹🩹

Microsoft goes hard 💪

🚨 Microsoft Patch Tuesday: June 2024 🛡️

Microsoft released security updates fixing 51 flaws, including one Critical and 50 Important. 🛠️🔒 This also includes 17 fixes for the Edge browser. The most severe flaw (CVE-2024-30080) is a remote code execution (RCE) issue in MSMQ (CVSS 9.8). 🖥️💥 None of the flaws have been actively exploited yet. Notably, CVE-2023-50868 affects DNSSEC validation, causing CPU exhaustion. Other vendors like Adobe, AWS, and Google also issued security updates. 🌐🔐

Google doesn’t Play, baby 🚫

🚨 Google Pixel June Security Update: Critical Fixes and New Features! 🔧

Google's June Pixel update includes multiple critical fixes and a high-severity vulnerability that "may be under limited, targeted exploitation." 🚨 Update your devices now! In addition to security patches, this quarterly drop features new AI enhancements for Pixel 8 and 8a, despite hardware concerns. 📱🤖 Critical fixes address vulnerabilities that could allow local attackers to escalate privileges, potentially linking with other exploits. Meanwhile, the Android landscape remains risky, with reports of 90 malicious apps on Google Play, amassing over 5.5 million installs. ⚠️🔒

Now, on to today’s hottest cybersecurity news stories:

  • 💰 Black Basta ransomware targets Windows zero-day flaw 🐞

  • 🥒 Sleepy Pickle is the ghost in the machine learning models 🤖

  • 🐍 Arid Viper just dropped its AridSpy mobile espionage move 🕵🏻‍♂️

Basta Rhymes 💀💀💀

🚨 Black Basta Exploits Windows Zero-Day! 🐞

Threat actors linked to the Black Basta ransomware have exploited a privilege escalation flaw in the Microsoft Windows Error Reporting Service (CVE-2024-26169), which was patched in March 2024. This flaw, with a CVSS score of 7.8, allows attackers to gain SYSTEM privileges.

πŸ›‘οΈ Exploiting the Flaw

Symantec's analysis reveals that an exploit tool used in recent attacks could have been compiled before the patch, indicating zero-day exploitation. The threat group, tracked as Cardinal (aka Storm-1811 or UNC4393), uses Black Basta ransomware, often leveraging access obtained via QakBot and DarkGate.

📧 Attack Vectors

In recent attacks, Black Basta has used legitimate Microsoft tools like Quick Assist and Teams. They impersonate IT personnel to gain trust, leading to credential theft with EvilProxy, execution of batch scripts, and persistence via SystemBC.

🔧 Technical Details

The exploit abuses the fact that the Windows file werkernel.sys uses a null security descriptor when creating registry keys. It creates the registry key 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe', sets its 'Debugger' value to the path of the exploit's own executable, and so starts a shell with administrator privileges.
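An Image File Execution Options (IFEO) Debugger value is a high-signal thing to alert on, because legitimate software rarely sets one and the write happens before the privilege escalation completes. The detection below is an added example (not Symantec's or Microsoft's code) that runs over constructed registry "value set" events modelled on Sysmon Event ID 13 field names (Image, TargetObject, Details); the sample events, the user-writable path list and the severity rules are assumptions for illustration.

```python
import re

# IFEO key abused by the CVE-2024-26169 exploit described above (path from the article).
IFEO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Matches "...\Image File Execution Options\<image>\Debugger" as Sysmon writes TargetObject.
IFEO_DEBUGGER_RE = re.compile(
    re.escape(IFEO_KEY) + r"\\(?P<image>[^\\]+)\\Debugger$", re.IGNORECASE
)
# Locations a standard user can write to; a Debugger pointing there is a red flag (assumed list).
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE
)

# Constructed sample events modelled on Sysmon Event ID 13 (RegistryEvent: value set). Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type",
     "Details": "NT5DS"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "TargetObject": IFEO_KEY + r"\WerFault.exe\Debugger",
     "Details": r"C:\Users\alice\AppData\Local\Temp\tool.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Debugging Tools\setup.exe",
     "TargetObject": IFEO_KEY + r"\myapp.exe\Debugger",
     "Details": r"C:\Program Files\Debugging Tools\windbg.exe"},
]

def detect_ifeo_debugger(events):
    """Return one finding per event that sets an IFEO Debugger value."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = IFEO_DEBUGGER_RE.search(ev.get("TargetObject", ""))
        if not m:
            continue
        image, debugger, writer = m.group("image"), ev.get("Details", ""), ev.get("Image", "")
        # WerFault.exe is the system binary hijacked in this campaign; a debugger in a
        # user-writable path, or equal to the process that wrote the key, is also suspicious.
        high = (image.lower() == "werfault.exe"
                or USER_WRITABLE_RE.search(debugger) is not None
                or debugger.lower() == writer.lower())
        findings.append({"image": image, "debugger": debugger, "writer": writer,
                         "severity": "high" if high else "medium"})
    return findings

if __name__ == "__main__":
    for f in detect_ifeo_debugger(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['image']} -> {f['debugger']} (set by {f['writer']})")
```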

💻 Compilation and Use

The malicious tool was compiled on February 27, 2024, weeks before the patch, and another sample is dated December 18, 2023. Although attackers commonly alter compilation timestamps to evade detection, Symantec suggests there was little reason to do so in this case.

πŸ› οΈ Mitigation

Microsoft's fix from March 2024 protects against this flaw. Users are advised to apply the latest updates. Microsoft's security software also includes detections against the malware.

🌐 Ransomware Trends

Ransomware attacks are on the rise, with a new family called DORRA (a Makop variant) emerging. Google-owned Mandiant reports a 75% increase in ransomware-related posts on data leak sites, with over $1.1 billion paid to attackers in 2023, up from $567 million in 2022.

"The resurgence in extortion activity is driven by the resettling of the cybercriminal ecosystem, new entrants, partnerships, and new ransomware service offerings," Mandiant noted.

Stay updated and secure! 🌐🔒

Don’t get yourself in a (Sleepy) Pickle 🥒🥒🥒

🚨 Sleepy Pickle: New ML Model Exploitation Technique 🥒

A new threat named "Sleepy Pickle" has emerged, highlighting the risks of the Pickle format used in machine learning (ML). Discovered by Trail of Bits, this technique corrupts ML models, posing severe supply chain risks.

💡 What is Sleepy Pickle?

Sleepy Pickle is a novel attack targeting ML models, not the underlying system. It weaponizes the Pickle format, commonly used by ML libraries like PyTorch, to execute arbitrary code during deserialization.

πŸ› οΈ How It Works

Attackers insert a payload into a Pickle file using tools like Fickling and deliver it via adversary-in-the-middle (AitM) attacks, phishing, supply chain compromises, or system weaknesses. When the file is deserialized on a victim’s system, the payload executes, modifying the ML model in-place.

📉 Impact on ML Models

The payload can backdoor models, control outputs, or tamper with processed data. This can lead to harmful outputs, data theft, or manipulated summaries pointing to phishing pages. Sleepy Pickle can maintain undetected access, compromising models when the Pickle file is loaded in Python.
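The reason a Pickle file can modify a model "in-place" is that the format is a small instruction stream: a GLOBAL opcode imports any callable and REDUCE calls it while the file is being loaded, so plain pickle.loads() would run the payload. The code below is an added example (not Trail of Bits' or Hugging Face's code) that audits the opcode stream with pickletools without executing it and then loads only through a restricted unpickler; the allow-list of a single permitted import (collections.OrderedDict) and the two sample files are constructed assumptions, with a harmless os.getcwd call standing in for a payload.

```python
import io
import pickle
import pickletools

# Imports a checkpoint is allowed to reference; everything else is refused before it runs (assumed list).
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
# Opcodes that invoke a callable during unpickling, which is how a pickle runs code.
CALL_OPCODES = {"REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}

# Constructed sample of a tampered file: protocol-0 opcodes GLOBAL os.getcwd, EMPTY_TUPLE,
# REDUCE, STOP, i.e. "call os.getcwd()" on load. A harmless callable stands in for a payload.
TAMPERED = b"cos\ngetcwd\n)R."
# Constructed sample of a benign checkpoint-like object: plain containers and numbers only.
BENIGN = pickle.dumps({"layer1.weight": [0.1, -0.2], "layer1.bias": [0.0]}, protocol=4)

def audit(data: bytes) -> dict:
    """Inspect the opcode stream without executing it: referenced globals and call opcodes."""
    globals_seen, calls, strings = set(), [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                 # arg is "module name" as one text argument
            globals_seen.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":         # module and name are the two strings pushed before it
            if len(strings) >= 2:
                globals_seen.add((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
        if op.name in CALL_OPCODES:
            calls.append(op.name)
    return {"globals": globals_seen, "calls": calls,
            "unsafe": bool(calls) or not globals_seen <= ALLOWED_GLOBALS}

class RestrictedUnpickler(pickle.Unpickler):
    """Refuse any import that is not on the allow-list instead of resolving it."""
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked import {module}.{name}")

def safe_load(data: bytes):
    """Load only if the static audit is clean, and still go through the restricted unpickler."""
    report = audit(data)
    if report["unsafe"]:
        raise pickle.UnpicklingError(f"refusing to load: {report}")
    return RestrictedUnpickler(io.BytesIO(data)).load()

if __name__ == "__main__":
    print("tampered:", audit(TAMPERED))
    print("benign:", audit(BENIGN), safe_load(BENIGN))
```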

🔧 Mitigation Strategies

Hugging Face recommends:

  • Loading models from trusted users and organisations.

  • Using signed commits.

  • Loading models from TensorFlow or Jax formats with the from_tf=True auto-conversion mechanism.

🌐 Broader Attack Surface

Sleepy Pickle can corrupt local models if loaded together, broadening the attack surface. Control over any Pickle file in the supply chain can be enough to attack an organisation’s models, exploiting lower-level supply chain weaknesses.

🚨 Call to Action

Organisations must be vigilant about the sources of their ML models and the integrity of the files they load. Implementing robust security practices and staying updated with patches can help mitigate such advanced model-level attacks.

Stay secure and informed! 🌐🔒

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤓💡 That’s us, alright! How about you? Visionary AI executive, much? 👀

And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too which is sure to help you make the most of our new artificial overlords and put them to work for your business 🤖👩‍💻🌐

Rest assured, the process is very straightforward.

You simply:

🆕 Sign Up & Create Campaign

📊 Define your audience, budget, and message to captivate your audience.

🚀 Launch your campaign, as Presspool’s AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

🕵️ Finally, you leverage real-time analytics to track performance and refine future strategies. 📈 Elevate your marketing game and stay informed with! 🌟 Simples! 🦦

Presspool.ai 📰🏊🤖 may just have what you need to succeed. And if the product isn’t for you, the newsletter alone is a gamechanger. And we know newsletters 😉

It’s the Turgid Viper 🐍🐍🐍

🚨 Arid Viper’s Mobile Espionage Unveiled 🕵️‍♂️

The threat actor known as Arid Viper is behind a mobile espionage campaign using trojanized Android apps to deliver spyware called AridSpy. This malware is distributed through fake websites impersonating messaging apps, a job app, and a Palestinian Civil Registry app.

📱 How It Works

ESET reports that AridSpy’s malicious code is added to legitimate apps, creating trojanized versions. These apps are distributed via dedicated websites. The activity spans five campaigns since 2022, with three still active. Arid Viper, also known as APT-C-23 and Desert Falcon, has targeted military personnel, journalists, and dissidents in the Middle East since 2017.

🔧 Technical Details

AridSpy has evolved into a multi-stage trojan capable of downloading additional payloads from a command-and-control (C2) server. It targets users in Palestine and Egypt through fake apps like LapizaChat and a fraudulent Palestinian Civil Registry app.

🌐 Websites and Apps

  • Palestinian Civil Registry: Hosted on palcivilreg[.]com, advertised via a Facebook page. The app mimics a legitimate app but uses the real server to retrieve information.

  • Job Opportunity App: Found on almoshell[.]website, registered in August 2023. Unlike other apps, it's not based on any legitimate application.

πŸ›‘οΈ How It Works

  1. Initial Infection: Users download the trojanized app from a bogus site.

  2. Payload Deployment: The app checks for security software and downloads a first-stage payload if none is found.

  3. Persistent Threat: The first-stage payload downloads further components and remains active even if the initial app is uninstalled.

🎥 Spyware Capabilities

  • Data Harvesting: Gathers data from the device, deactivates itself, or performs exfiltration based on commands or specific triggers.

  • Surveillance: Takes pictures with the front camera when the phone is locked or unlocked, every 40 minutes, provided the battery is above 15%.

🚨 Stay Vigilant

AridSpy’s stealthy and persistent nature underscores the importance of downloading apps only from trusted sources. Be cautious of unfamiliar websites and apps, and ensure your device has robust security measures in place.

Stay informed and secure! 🌐🔒

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • πŸ›‘οΈ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday πŸ“…

  • πŸ’΅Β Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for πŸ†“

  • πŸ“ˆΒ Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future πŸ‘Ύ

Let us know what you think.

So long and thanks for reading all the phish!
