Apr 05 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that eats, sleeps, and breathes cybersecurity, just like Joe Biden eats, sleeps, and umm, you know, the thing. #WWIII
It's Friday, folks, which can only mean one thing… It's time for our weekly segment!
It goes by many names. Patch of the Week, Tweak of the Week. Okay, that's it.
Congrats, the cybercriminals are no match… for your patch!
Google releases April patches for Android OS
Google's latest Android OS update patches 28 vulnerabilities, including a critical one affecting devices with Qualcomm chips. Users can find their device's Android version number and security update level in Settings, where they can also check for updates.
The updates are available for Android 12, 12L, and 13, but availability may vary among device vendors. Notably, CVE-2023-28582 poses a high risk, with a CVSS score of 9.8, allowing remote attackers to execute code due to a memory corruption in the Data Modem during DTLS handshake. Another concern is CVE-2024-23704, an elevation of privilege vulnerability in the System component affecting Android 13 and 14.
Pixel users face potential exploitation of CVE-2024-29745 and CVE-2024-29748, both resolved with the latest security patch. Stay protected with Malwarebytes for iOS and Android.
Now, on to today's hottest cybersecurity news stories:
Vietnam hackers engage in guerrilla cyber warfare w/ Asia via malware
Fresh phish! New campaign targets oil & gas w/ data-stealing malware
Don't DoS about! New HTTP/2 vulnerability leaves web servers exposed
Since May 2023, CoralRaider, a suspected Vietnamese-origin threat actor, has wreaked havoc across Asia and Southeast Asia, targeting victims primarily for financial gain. Tracked by Cisco Talos, their sinister schemes involve plundering valuable data in countries like India, China, and Vietnam.
Employing RotBot and XClient stealer, they snatch credentials, financial data, and social media accounts. Their arsenal includes various stealer malware families and Telegram for data exfiltration. With roots traced to Vietnam, the cybercriminals go the extra mile, even exploiting Facebook in malvertising campaigns, mimicking renowned AI tools to lure European users.
Bitdefender recently disclosed details of this pervasive malvertising campaign, revealing threat actors hailing from Vietnam, the U.S., Indonesia, the U.K., and Australia. Their modus operandi involves seizing existing Facebook accounts, tweaking their appearance, and expanding their influence through sponsored ads.
One imposter page, masquerading as Midjourney, amassed a staggering 1.2 million followers before being dismantled. Stay vigilant and fortify your defences against the CoralRaider onslaught!
An updated version of the infamous information-stealing malware, Rhadamanthys, has reemerged in phishing campaigns targeting the oil and gas sector. Cofense researcher Dylan Duncan unveiled the sinister tactics, revealing phishing emails employing a unique vehicle incident lure and spoofing the Federal Bureau of Transportation in a PDF, threatening hefty fines.
The emails contain a malicious link leading to a supposed PDF document, which, upon clicking, downloads a ZIP archive housing the stealer payload. Crafted in C++, Rhadamanthys establishes connections with a command-and-control (C2) server to pilfer sensitive data from compromised hosts. This resurgence coincides closely with the law enforcement takedown of the LockBit ransomware group, hinting at potential collaboration or shared resources.
Trend Micro's August 2023 revelation of a Rhadamanthys variant bundled with a leaked LockBit payload suggests ongoing evolution within the malware landscape. Additionally, the emergence of new stealer malware families like Sync-Scheduler and Mighty Stealer, alongside the evolution of existing strains like StrelaStealer, underscores the persistent threat to cybersecurity. Stay vigilant against phishing attacks and fortify your defences!
As the movement towards cloud-first continues, how can teams ensure their cloud security and compliance programs are optimized? On April 10, join leaders from Vanta, CrowdStrike, and AWS as they discuss ways to leverage continuous compliance and security to proactively monitor cloud infrastructure.
Recent research uncovered a vulnerability dubbed the HTTP/2 CONTINUATION Flood, allowing denial-of-service (DoS) attacks. Security researcher Bartek Nowotarski alerted the CERT Coordination Center (CERT/CC) about this on January 25, 2024.
CERT/CC issued a warning on April 3, 2024, stating that many HTTP/2 implementations don't adequately limit CONTINUATION frames, enabling attackers to overload servers with a flood of frames, potentially causing crashes or performance issues.
In HTTP/2, header fields are transmitted as header blocks, which are broken into fragments and sent within HEADERS or CONTINUATION frames. Attackers exploit this by sending a stream of CONTINUATION frames that never carries the END_HEADERS flag, so the server keeps buffering an ever-growing header block and is overwhelmed.
This vulnerability, more severe than previous threats, impacts various projects including Apache HTTP Server, Node.js, and Golang. Upgrading software is crucial to mitigate risks. If an update isn't available, consider temporarily disabling HTTP/2.
Stay vigilant! Ensure your systems are protected against this emerging threat. For more details, refer to the CVE IDs associated with affected projects.
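As an added illustration (not code from the newsletter or from any of the affected projects), here is the server-side guard the advisory calls for, written in Python over constructed frame bytes: a minimal HTTP/2 frame parser that reassembles header blocks and rejects a stream whose block keeps growing through CONTINUATION frames without END_HEADERS. The frame and byte budgets are assumed values that a real server would tune, and the HEADERS parsing skips PADDED/PRIORITY handling for brevity.

```python
HEADERS, CONTINUATION = 0x1, 0x9  # HTTP/2 frame type codes (RFC 9113)
END_HEADERS = 0x4                 # flag: this frame ends the header block
# Per-block budget; values are constructed for the example, a real server tunes them.
MAX_CONTINUATION_FRAMES, MAX_HEADER_BLOCK_BYTES = 8, 16 * 1024

def frame(ftype, flags, stream_id, payload):
    # 9-byte frame header: 24-bit length, type, flags, reserved bit + 31-bit stream id
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload")
        yield ftype, flags, sid, payload
        off += 9 + length

def check_header_blocks(data):
    """Reassemble header blocks; fail a stream whose block exceeds the budget before END_HEADERS."""
    pending, blocks = None, 0  # pending = [stream_id, continuation_count, buffer]
    for ftype, flags, sid, payload in parse_frames(data):
        if ftype == HEADERS:
            if pending is not None:  # RFC 9113 forbids another HEADERS mid-block
                return {"ok": False, "reason": "HEADERS inside open block", "stream": sid}
            pending = [sid, 0, bytearray(payload)]
        elif ftype == CONTINUATION:
            if pending is None or pending[0] != sid:
                return {"ok": False, "reason": "unexpected CONTINUATION", "stream": sid}
            pending[1] += 1
            pending[2] += payload
            if pending[1] > MAX_CONTINUATION_FRAMES:
                return {"ok": False, "reason": "too many CONTINUATION frames", "stream": sid}
        else:
            continue  # other frame types are outside this check
        if len(pending[2]) > MAX_HEADER_BLOCK_BYTES:
            return {"ok": False, "reason": "header block too large", "stream": sid}
        if flags & END_HEADERS:  # block complete: release the buffer
            pending, blocks = None, blocks + 1
    if pending is not None:
        return {"ok": False, "reason": "header block never ended", "stream": pending[0]}
    return {"ok": True, "blocks": blocks}
# Constructed samples: one normal request header block and one unterminated flood.
GOOD = frame(HEADERS, END_HEADERS, 1, b"\x82\x86")  # HPACK indexed :method GET, :scheme http
FLOOD = frame(HEADERS, 0, 3, b"\x82") + b"".join(frame(CONTINUATION, 0, 3, b"\x00" * 64) for _ in range(20))
```

The key property is that both limits are enforced while the block is still open, so the buffer is dropped as soon as a budget is exceeded rather than growing until END_HEADERS arrives.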
That's all for this week folks and keep your eyes peeled for new exclusive content coming this weekend.
Stay safe, cyber squad!
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think.
So long and thanks for reading all the phish!