Nov 03 2023
Welcome to Gone Phishing, your daily cybersecurity newsletter that looks forward to the day when cybercrime is no longer in the newsโฆ like the war in Ukraine. Except for the right reasons, not just because something bigger happened and people stopped caring ๐
Itโs Friday, folks, which can only mean one thingโฆ Itโs time for our weekly segment!
It goes by many names. Patch of the Week, Tweak of the week. Okay, thatโs it.
Congrats, the cybercriminals are no matchโฆ for your patch! ๐ฉน๐ฉน๐ฉน
Check out these freshly hatched patches!! ๐ฃ๐ฃ๐ฃ
Atlassian has issued a warning about a severe security flaw, CVE-2023-22518, affecting Confluence Data Center and Confluence Server. A public exploit is now available, posing a significant risk to unpatched instances exposed on the internet. ๐๐ฑ
๐ Severity and Impact:
This improper authorisation vulnerability rates 9.1/10 in severity and can be exploited for data destruction attacks on affected servers. However, it cannot be used for data theft. Confluence Cloud sites accessed via atlassian.net are unaffected. ๐๐พ
๐ฉโ๐ป Action Required:
Admins must act immediately to protect their instances. Update to patched versions, including Confluence Data Center and Server versions 7.19.16, 8.3.4, 8.4.4, 8.5.3, and 8.6.1.
If immediate patching is not possible, apply mitigation measures like backups and blocking internet access to unpatched servers. These are temporary solutions; patching is essential. ๐
Now, on to todayโs hottest cybersecurity stories:
โ๏ธ Cybercrime is really taking off. Boeing suffers ransomware attack ๐ฐ
๐ฅ๏ธ 34 Windows drivers are vulnerable to FULL DEVICE TAKEOVER ๐จโ๐ป
๐ฑ HelloKitty ransomware group is exploiting Apache ActiveMQ flaws ๐
Aerospace giant Boeing is grappling with a "cyber incident" shortly after being linked to the LockBit ransomware gang's leak site. ๐ฑ
๐ Boeing Confirms Attack:
Boeing spokesperson Jim Proulx verified that the attack targeted "parts and distribution business" elements. Importantly, flight safety remains unaffected. Boeing is actively investigating the incident, collaborating with law enforcement and regulatory authorities, and notifying customers and suppliers. โ๏ธ๐
๐ LockBit's Involvement:
The Russia-linked LockBit gang claimed responsibility for the cyberattack on Boeing. ๐ท๐บ Recent U.S. government reports show LockBit's widespread impact, targeting over 1,800 systems worldwide since late 2019. ๐ฎ
๐ป Ransom Threats:
LockBit threatened to publish stolen data if Boeing didn't meet their ransom demand by November 2. Although the listing was removed, whether Boeing paid or not remains undisclosed. The U.S. government sanctions paying ransoms to such groups, as with Evil Corp, believed to be affiliated with LockBit. ๐ซ๐ฐ
๐ Uncertain Details:
LockBit claimed not to have contacted Boeing, while Boeing remains mum about the compromise and data exfiltration. However, they confirm being affected by a cybersecurity incident involving data exfiltration. ๐ค๐
๐ซ Past Incidents:
Boeing's subsidiary Jeppesen faced a cyber incident last year, leading to disruptions in flight planning. โ๏ธ๐ ๏ธ
Stay tuned for more updates on this developing situation! ๐ฐ๐จ
Cybersecurity is more important than ever, and your Mac or PC are no exception. Over time, your Mac or PC can accumulate junk files, malware, and other threats that can slow it down and make it vulnerable to attack.
That's where MacPaw comes in. MacPaw offers a suite of easy-to-use apps that can help you clean, optimize, and secure your Mac. With MacPaw, you can:
Remove junk files and malware to free up space and improve performance
Protect your privacy by erasing sensitive data
Optimize your startup settings to speed up boot times
Manage your extensions and apps to keep your Mac or PC running smoothly
Since 2008 MacPaw is trusted by over 30 million users worldwide, and it's the perfect solution for keeping your Mac or PC safe and secure.
A recent cybersecurity research by VMware Carbon Black has uncovered 34 vulnerable Windows Driver Model (WDM) and Windows Driver Frameworks (WDF) drivers. ๐ฑ
๐พ Potential Device Takeover:
These vulnerabilities can be exploited by non-privileged threat actors to gain full control over devices and execute arbitrary code on the underlying systems. This means they could erase/alter firmware and elevate operating system privileges. ๐จ๐ป
๐ Expanding Previous Research:
This study builds upon earlier research efforts like ScrewedDrivers and POPKORN, which used symbolic execution to identify these risky drivers. It specifically focuses on drivers with firmware access through port I/O and memory-mapped I/O.
๐ Vulnerable Driver Examples:
Some of the vulnerable drivers include:
AODDriver.sys
ComputerZ.sys
dellbios.sys, and more. ๐ฌ
๐ก๏ธ Security Implications:
Of the 34 drivers, six provide kernel memory access that can be exploited to elevate privilege and bypass security measures. Twelve drivers could undermine security mechanisms like KASLR. Seven drivers, including Intel's stdcdrv64.sys, can erase firmware, rendering the system unbootable. ๐ต
๐ Elevated Threat with WDF Drivers:
VMware also identified WDF drivers like WDTKernel.sys and H2OFFT64.sys that, while not vulnerable in terms of access control, can be easily weaponized by privileged threat actors, enabling BYOVD (Bring Your Own Vulnerable Driver) attacks. ๐คฏ
FYI, in BYOVD attacks, threat actors abuse vulnerabilities in legitimate, signed drivers, on which security products rely, to achieve successful kernel-mode exploitation and disable defence solutions.
๐ Wider Security Concerns:
These vulnerabilities can be leveraged by malicious actors to evade detection and gain elevated privileges, posing significant cybersecurity threats.
Stay vigilant, and ensure your systems are up to date with security patches! ๐ก๏ธ๐ป๐
Our new segment where we pick out some cool sites we like, reply to the mail and let us know what you think.
๐ย The Motley Fool: โFool me once, shame on โ shame on you. Fool me โ you can't get fooled again.โ Good olโ George Dubya ๐ Let us tell whoโs not fooling around though; thatโs the Crรผe ๐ at Motley Fool. Youโd be a fool (alright, enough already! ๐) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! ๐ Kidding aside, if you check out their website theyโve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets ๐คย (LINK)
๐ตย Wander: Find your happy place. Cue Happy Gilmore flashback ๐๏ธโณ๐๐๏ธ Mmmm Happy Placeโฆ ๐ So, weโve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, itโs easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway ๐๏ธ๐ย (LINK)
๐ย Digital Ocean: If you build it they will come. Nope, weโre not talking about a baseball field for ghosts โพ๐ป๐ฟ (Great movie, to be fair ๐). This is the Digital Ocean whoโve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website youโll find yourself catching the buzz even if you canโt code (guilty ๐). But if you can and youโre looking for somewhere to test things out or launch something new or simply enhance what youโve got, weโd recommend checking out their services foโ sho ๐ And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! ๐ฟย (LINK)
Cybersecurity experts have issued a warning about a critical security flaw in Apache ActiveMQ, an open-source message broker service. This vulnerability, identified as CVE-2023-46604, allows hackers to execute remote code, and it has a severity rating of 10.0 (the maximum). ๐จ
๐ก What Happened:
Hackers have been exploiting this flaw to deploy ransomware on targeted systems. The ransomware family responsible is HelloKitty, whose source code was leaked in October. ๐ฆ
๐ Affected Versions:
The vulnerability impacts various versions of Apache ActiveMQ, including 5.18.0 before 5.18.3, 5.17.0 before 5.17.6, and others. It's essential to check if your system is vulnerable.
๐ก๏ธ Protect Yourself:
To stay safe, update your ActiveMQ to the fixed versions released in the past month. The flaw has been actively exploited, and there's a proof-of-concept exploit code available. ๐
๐บ๏ธ Global Reach:
This issue affects thousands of internet-accessible ActiveMQ instances worldwide, with a significant number in China, the U.S., Germany, South Korea, and India. ๐
๐ต๏ธโโ๏ธ What to Do:
If you're using Apache ActiveMQ, act swiftly. Update to the patched versions and scan your network for any signs of compromise. Your security is paramount! ๐๐ป
Thatโs all for this week, folks. Stay safe, cyber squad ๐ค
๐๏ธ Extra, Extra! Read all about it! ๐๏ธ
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
The GeekAI: A daily 3 min newsletter on what matters in AI, with all the new AI things coming to market its good to stay ahead of the curve.
Libby Copa:ย The Rebel Newsletter helps writers strengthen their writing and creative practice, navigate the publishing world, and turn their art into an act of rebellion.
Techspresso:ย Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)
Let us know what you think.
So long and thanks for reading all the phish!