Dec 28 2024
Welcome to Gone Phishing, your weekly cybersecurity newsletter that supports more white hats than a Beyonce halftime show 🥼💃🏾🤠 #EthicalHackers #WhiteHat #NoDiddy 💀💀💀
Patch of the Week! 🩹
First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳
Congrats to Sophos, the cybercriminals are no match… for your patch! 🩹
Check out this freshly hatched patch 🐣
🚨 Sophos Firewall Hotfixes Released for Critical Flaws 🔒
Sophos has issued hotfixes to address three security vulnerabilities in its Firewall products, including two rated Critical (CVSS 9.8). While no evidence of active exploitation exists yet, these flaws could lead to Remote Code Execution (RCE) and privileged system access under specific conditions.
🛠️ The Vulnerabilities:
CVE-2024-12727 (CVSS 9.8)
Type: Pre-auth SQL Injection
Impact: RCE when Secure PDF eXchange (SPX) and High Availability (HA) mode are configured together.
Affected Devices: ~0.05%.
CVE-2024-12728 (CVSS 9.8)
Type: Weak Credentials Vulnerability
Impact: Persistent weak SSH passphrase allows privileged access post-HA setup if SSH is enabled.
Affected Devices: ~0.5%.
CVE-2024-12729 (CVSS 8.8)
Type: Post-auth Code Injection
Impact: Authenticated users can execute RCE via the User Portal.
✅ Patched Versions:
Hotfixes are available for affected versions (21.0 GA and earlier), including:
v21 MR1+, v20 GA, v19.5 MR3+, and others.
📋 Verifying Hotfix Installation:
CVE-2024-12727:
Run: cat /conf/nest_hotfix_status (Hotfix applied if value is 320+).
CVE-2024-12728/12729:
Run: system diagnostic show version-info (Hotfix applied if value is HF120424.1+).
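The two verification checks above boil down to comparing captured command output against a threshold, and the HF tag is where a naive string comparison bites (".10" sorts below ".2"). Here is an added helper, not Sophos code, that parses both outputs; it assumes the six digits in the HF tag are MMDDYY, which the advisory summary does not state.

```python
import re
from typing import Optional, Tuple

# Thresholds quoted in the advisory summary above.
NEST_HOTFIX_MIN = 320               # cat /conf/nest_hotfix_status  (CVE-2024-12727)
VERSION_HOTFIX_MIN = "HF120424.1"   # system diagnostic show version-info (CVE-2024-12728/12729)

_HF_RE = re.compile(r"HF(\d{2})(\d{2})(\d{2})\.(\d+)")


def hotfix_key(tag: str) -> Optional[Tuple[int, int, int, int]]:
    """Turn 'HF120424.1' into a sortable (year, month, day, revision) tuple.

    Assumption: the six digits are MMDDYY. Comparing the raw string instead
    would rank 'HF120424.10' below 'HF120424.2' and 'HF010125.1' below
    'HF120424.1', both wrong."""
    m = _HF_RE.search(tag)
    if not m:
        return None
    mm, dd, yy, rev = (int(x) for x in m.groups())
    return (yy, mm, dd, rev)


def nest_hotfix_applied(status_output: str) -> bool:
    """True when the integer in /conf/nest_hotfix_status is 320 or higher."""
    digits = re.search(r"\d+", status_output)
    return digits is not None and int(digits.group()) >= NEST_HOTFIX_MIN


def version_hotfix_applied(version_info_output: str) -> bool:
    """True when version-info lists an HF tag at or after HF120424.1."""
    keys = [hotfix_key(m.group(0)) for m in _HF_RE.finditer(version_info_output)]
    return bool(keys) and max(keys) >= hotfix_key(VERSION_HOTFIX_MIN)


def hotfixes_applied(status_output: str, version_info_output: str) -> dict:
    """Summarise both checks in one place for a fleet report."""
    return {
        "CVE-2024-12727": nest_hotfix_applied(status_output),
        "CVE-2024-12728/12729": version_hotfix_applied(version_info_output),
    }


if __name__ == "__main__":
    # Constructed sample outputs, not captures from a real device.
    print(hotfixes_applied("320\n", "Version: (constructed)\nHotfix: HF120424.1\n"))
```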
🔑 Mitigation Recommendations:
Restrict SSH access to dedicated HA links or disable WAN SSH access.
Use a long, random passphrase for HA setup.
Ensure User Portal and Webadmin are inaccessible from WAN.
⚠️ Background:
This comes shortly after U.S. authorities charged a Chinese national for exploiting a previous Sophos zero-day (CVE-2020-12271, CVSS 9.8) that compromised 81,000 firewalls globally.
🌐 Act Now:
Apply hotfixes or implement workarounds to safeguard your systems from potential threats! 🚀✨
Now, on to this week’s hottest cybersecurity news stories:
🐪 Iran's Charming Kitten deploys variant of BellaCiao malware 👾
👨🏽‍💻 N. Korean hackers ‘Madoff’ with $308M of Bitcoin from DMM 💱
🤖 OpenAI fined €15M by Italy for ChatGPT’s GDPR data violations 💸
The Iranian hacking group Charming Kitten is back, rolling out a C++ variant of its sneaky malware, BellaCiao, now called BellaCPP! 💻🦠
🔍 What Did Kaspersky Find?
During a recent investigation in Asia, Kaspersky discovered BellaCPP on a machine that was also infected with BellaCiao. This malware family has a track record of targeting the U.S., the Middle East, and India—a global cyber troublemaker! 🌍⚠️
💡 What’s Different About BellaCPP?
While BellaCiao relied on a web shell for uploading files, running commands, and maintaining persistence, BellaCPP skips the web shell but keeps its danger:
SSH Tunnels: Uses a mysterious DLL file to create covert communication tunnels.
Stealthy Payloads: Designed to load and execute additional malware.
Attribution: Still linked to domains and patterns previously tied to Charming Kitten.
👀 Who Are They?
Charming Kitten (a.k.a. APT35, Mint Sandstorm, TA453, and more!) is associated with Iran’s IRGC and loves using:
Social engineering tricks to lure victims.
Exploits in widely used software like Microsoft Exchange Server and Zoho ManageEngine.
🛡️ How to Stay Safe?
Patch your systems regularly! 🚨
Monitor for unusual network traffic or SSH activity.
Be cautious of phishing attempts—they're pros at it! 🎯
🐾 These kittens might sound cute, but their claws are sharp. Don’t let them pounce! 🛡️✨
Japanese and U.S. authorities have officially linked the May 2024 theft of $308 million in cryptocurrency from DMM Bitcoin to North Korean cyber actors! 😱💻
🕵️‍♀️ Who’s Behind It?
The culprits are part of TraderTraitor (a.k.a. Jade Sleet, UNC4899, Slow Pisces), a notorious North Korea-linked group that specializes in:
Social engineering: Targeting multiple employees of a company at once.
Malware-laced apps: Often disguised as cryptocurrency tools.
Sophisticated scams: Even posing as recruiters or collaborators on GitHub projects.
🧑‍💻 How Did They Do It?
🎯 Targeting Employees:
In March 2024, a Ginco employee (a crypto wallet company in Japan) was tricked by a fake recruiter into running a malicious Python script.
🌐 Compromising Systems:
Using session cookies, the attackers gained access to Ginco’s communication systems.
💳 Exploiting Transactions:
In May, they manipulated a legitimate DMM Bitcoin transaction, stealing 4,502.9 BTC!
🌐 What Happened Next?
The stolen funds were moved to TraderTraitor-controlled wallets.
To cover their tracks, they used tools like:
Bitcoin CoinJoin Mixing Service 🌀 for anonymity.
Bridging services to shuffle the money further.
Ultimately, funds reached HuiOne Guarantee, a company tied to cybercrime activities.
🛡️ Stay Safe!
💡 Tips to avoid being a target:
Be cautious of recruiters or unsolicited messages.
Double-check URLs before opening or downloading anything.
Regularly update your security measures and monitor for unusual activity.
👀 What’s Next?
This revelation follows other North Korean cyber activity, including:
Lazarus Group’s SmallTiger backdoor targeting South Korean companies.
Ongoing attacks on the Web3 sector.
💣 These hackers are relentless—don’t let them outsmart you! 🛡️💻
Italy’s data protection watchdog, Garante, has slapped OpenAI with a €15 million fine (~$15.66M) for mishandling personal data used to train ChatGPT.
🤷‍♂️ What’s the Issue?
OpenAI allegedly violated GDPR by:
Processing user data without proper legal justification.
Failing to notify authorities of a March 2023 data breach.
Not implementing age verification, exposing kids under 13 to potentially inappropriate content.
👉 What’s Next?
OpenAI must run a six-month public campaign to explain:
How ChatGPT collects and uses data.
Users’ rights to object, rectify, or delete their data.
🤖 OpenAI Responds
Called the decision disproportionate, noting the fine is 20x its Italian revenue.
Plans to appeal while staying committed to balancing AI innovation and privacy.
This marks another chapter in the global conversation around AI accountability—a sign of the times for tech and privacy regulation! 🚦💻
🗞️ Extra, Extra! Read all about it! 🗞️
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾
Let us know what you think.
So long and thanks for reading all the phish!