Apr 12 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that's got that Friday feeling!
It's Friday, folks, which can only mean one thing… It's time for our weekly segment!
It goes by many names: Patch of the Week, Tweak of the Week. Okay, that's it.
Congrats, the cybercriminals are no match… for your patch!
Microsoft Rolls Out Record-Breaking Security Updates for April 2024!
This month sees a whopping 149 flaws addressed, including 2 vulnerabilities actively exploited in the wild! Among these are CVE-2024-26234 (Proxy Driver Spoofing) and CVE-2024-29988 (SmartScreen Bypass).
Sophos uncovered a sneaky backdoor, and Microsoft flags 26 Secure Boot flaws! Additionally, there's a concerning CVE-2024-29990 (Azure Kubernetes Service) with a CVSS score of 9.0!
Stay vigilant, as other vendors are also releasing patches to address vulnerabilities. Check out who else made the list!
Now, on to today's hottest cybersecurity news stories:
Varonis Threat Labs exposes two new techniques to trick SharePoint
Revisiting RUBYCARP: a closer look at the recently resurfaced malware
Hackers are targeting the IT help desks of hospitals, says US Health Dept
Varonis Threat Labs uncovers two sophisticated techniques within SharePoint enabling users to bypass audit logs and evade detection while exfiltrating sensitive data. These methods pose significant risks to organisations, as they can circumvent traditional security measures, including cloud access security brokers, data loss prevention systems, and SIEMs.
Technique #1: Open in App Method
Exploiting SharePoint's "Open in App" feature, threat actors can access and download files without triggering download events, leaving behind only access logs. Whether executed manually or through PowerShell scripts, this method facilitates rapid and stealthy data exfiltration.
Technique #2: SkyDriveSync User-Agent
By leveraging the Microsoft SkyDriveSync User-Agent, attackers obscure file downloads as sync events, concealing their malicious activities from audit logs and detection systems.
Disclosure and Response
Despite Varonis researchers disclosing these vulnerabilities to Microsoft in November 2023, they remain unaddressed, designated as 'by design.' Consequently, organisations are left vulnerable to exploitation unless proactive measures are taken.
Recommendations for Organizations
Varonis urges organisations to meticulously scrutinise access events across SharePoint and OneDrive audit logs for signs of suspicious activity, including unusual access patterns, volume spikes, or anomalous device usage. Leveraging Varonis' UEBA and AI capabilities can aid in detecting and thwarting such nefarious activities.
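The two patterns above leave different footprints in the audit log: "Open in App" exfiltration shows up as a burst of FileAccessed events with no matching FileDownloaded, and the SkyDriveSync trick shows up as sync-style activity from a client the user has never synced from. The following Python is an added example, not Varonis' tooling or Microsoft's API: it runs those two heuristics over constructed audit records. Field names (CreationTime, UserId, Operation, ClientIP, UserAgent) follow the shape of a Microsoft 365 unified audit log export, but every record, user, IP and user-agent string below is made up, and the `_rec` helper, thresholds and `KNOWN_SYNC_IPS` baseline are assumptions for the demonstration.

```python
"""Added example: heuristic review of SharePoint / OneDrive audit records for
bulk "Open in App" reads that never produce a download event, and for
sync-style activity from a client the user has never synced from. All records
are constructed; field names mirror the Microsoft 365 unified audit log
export, but no real tenant data is used."""
from collections import defaultdict
from datetime import datetime, timedelta

ACCESS_OPS = {"FileAccessed", "FileAccessedExtended"}
DOWNLOAD_OPS = {"FileDownloaded"}
SYNC_OPS = {"FileSyncDownloadedFull", "FileSyncDownloadedPartial"}
SYNC_AGENT_MARKER = "SkyDriveSync"  # user-agent substring the article says is spoofed

BASE = datetime(2024, 4, 11, 9, 0, 0)
BROWSER_UA = "Mozilla/5.0 (constructed)"
OFFICE_UA = "Microsoft Office/16.0 (constructed)"
SYNC_UA = "Microsoft SkyDriveSync (constructed)"


def _rec(user, op, offset_s, ip, ua):
    """Build one constructed audit record (hypothetical helper)."""
    return {"CreationTime": (BASE + timedelta(seconds=offset_s)).isoformat(),
            "UserId": user, "Operation": op, "ClientIP": ip, "UserAgent": ua,
            "ObjectId": "https://contoso.example/sites/finance/doc.xlsx"}


# Constructed sample: alice opens 25 files in under two minutes from a desktop
# app and never triggers FileDownloaded; bob browses normally and downloads two
# files; carol syncs from her usual laptop, then "syncs" from an IP never seen
# for her; dave's plain file access arrives with a sync user-agent.
SAMPLE_EVENTS = (
    [_rec("alice@example.com", "FileAccessed", i * 4, "203.0.113.10", OFFICE_UA) for i in range(25)]
    + [_rec("bob@example.com", "FileAccessed", i * 60, "198.51.100.20", BROWSER_UA) for i in range(5)]
    + [_rec("bob@example.com", "FileDownloaded", 30 + i * 60, "198.51.100.20", BROWSER_UA) for i in range(2)]
    + [_rec("carol@example.com", "FileSyncDownloadedFull", 600 + i * 10, "198.51.100.7", SYNC_UA) for i in range(3)]
    + [_rec("carol@example.com", "FileSyncDownloadedFull", 900 + i * 10, "203.0.113.55", SYNC_UA) for i in range(2)]
    + [_rec("dave@example.com", "FileAccessed", 1200, "203.0.113.99", SYNC_UA)]
)

# Per-user baseline of client IPs that have legitimately synced before (constructed).
KNOWN_SYNC_IPS = {"carol@example.com": {"198.51.100.7"}}


def burst_counts(events, ops, window=timedelta(minutes=5)):
    """Per user, the largest number of events in `ops` inside any sliding window."""
    by_user = defaultdict(list)
    for e in events:
        if e["Operation"] in ops:
            by_user[e["UserId"]].append(datetime.fromisoformat(e["CreationTime"]))
    peaks = {}
    for user, times in by_user.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        peaks[user] = best
    return peaks


def find_open_in_app_bursts(events, threshold=20, window=timedelta(minutes=5)):
    """Users whose access events spike while FileDownloaded never appears: the
    'read many files, download none' shape left behind by bulk Open in App."""
    peaks = burst_counts(events, ACCESS_OPS, window)
    downloaders = {e["UserId"] for e in events if e["Operation"] in DOWNLOAD_OPS}
    return sorted(u for u, n in peaks.items() if n >= threshold and u not in downloaders)


def find_sync_agent_anomalies(events, known_sync_ips):
    """Sync-looking events (sync operation or SkyDriveSync user-agent) from an IP
    with no sync history for that user; a fresh client suddenly 'syncing' a
    whole library deserves a look even though it logs as routine sync."""
    hits = []
    for e in events:
        looks_like_sync = e["Operation"] in SYNC_OPS or SYNC_AGENT_MARKER in e.get("UserAgent", "")
        if looks_like_sync and e["ClientIP"] not in known_sync_ips.get(e["UserId"], set()):
            hits.append((e["UserId"], e["ClientIP"], e["Operation"]))
    return hits


if __name__ == "__main__":
    print("Open-in-App bursts:", find_open_in_app_bursts(SAMPLE_EVENTS))
    print("Sync anomalies:", find_sync_agent_anomalies(SAMPLE_EVENTS, KNOWN_SYNC_IPS))
```

On the constructed sample, alice is the only user flagged for an Open-in-App burst, and three sync anomalies surface (carol's two events from the unfamiliar IP and dave's access with a sync user-agent). The threshold and window are deliberately simple; in practice the sync baseline would be learned from weeks of real FileSync events per user and device, and the access-burst threshold tuned per site, because legitimate bulk reads (indexers, eDiscovery, migration tools) produce the same shape and need to be allow-listed by their service account rather than by IP.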
As cyber threats evolve, it is imperative for organisations to stay ahead of adversaries by implementing robust security measures and remaining vigilant against emerging tactics. Varonis stands ready to fortify your defences and safeguard your valuable assets against the ever-changing landscape of cyber threats.
A recent research study has illuminated the extensive activities of the Romanian cyber threat group RUBYCARP, shedding light on their decade-long operation involving cryptocurrency mining and phishing techniques.
Key Findings
The study, published by Sysdig, unveils RUBYCARP's use of a sophisticated script capable of deploying multiple cryptocurrency miners simultaneously. By running these miners concurrently, the group minimises attack duration and detection risk, relying primarily on XMRig (Monero) miners.
Phishing Operations
In addition to cryptocurrency mining, RUBYCARP conducts phishing operations to pilfer valuable financial assets, including credit card numbers. The study uncovers a phishing template impersonating the logistics company Bring, targeting Danish users. Compromised email accounts linked to these attacks utilise a PHP script named "ini.inc" for phishing email dissemination.
Tools and Techniques
Further analysis reveals RUBYCARP's arsenal of cyber weapons, including specific commands within shell bot code for phishing email transmission. The study also uncovers evidence of potential phishing landing pages targeting European entities, such as Swish Bank and Nets Bank.
Involvement in Cyber Weapons Development
RUBYCARP's involvement in the development and sale of cyber weapons is highlighted, indicating a rare combination of offensive cyber capabilities. The group's communication methods, predominantly through IRC, remain consistent over the years, with a community dynamic involving mentoring newcomers to the cyber threat scene.
Security Recommendations
Sysdig emphasises the importance of diligent vulnerability management, robust security posture, and runtime threat detection in defending against RUBYCARP. The group's multifaceted approach and breadth of capabilities necessitate proactive security measures to mitigate risks effectively.
As RUBYCARP continues to evolve its tactics and expand its cyber arsenal, organisations must remain vigilant and proactive in safeguarding their assets against emerging threats. Sysdig's research underscores the critical need for comprehensive cybersecurity strategies to counter the ever-evolving landscape of cyber threats.
The U.S. Department of Health and Human Services (HHS) has issued a stark warning, revealing that hackers are employing sophisticated social engineering tactics to infiltrate IT help desks within the Healthcare and Public Health (HPH) sector.
Alert from HC3
According to the Health Sector Cybersecurity Coordination Center (HC3), attackers are leveraging social engineering ploys to manipulate IT help desk personnel and gain unauthorised access to organisations' systems. By posing as employees from the financial department and providing stolen ID verification details, including corporate ID and social security numbers, these threat actors deceive help desk staff into enrolling their own multi-factor authentication (MFA) devices.
The Modus Operandi
Once armed with control over MFA devices, attackers exploit their newfound access to redirect bank transactions in business email compromise attacks. The threat actor's specific focus lies on gaining access to payer websites, submitting forms to alter ACH payments, and rerouting legitimate transactions to attacker-controlled accounts.
AI Voice Cloning Tactics
To further complicate matters, attackers may employ AI voice cloning tools to mimic trusted voices, making remote identity verification more challenging. This increasingly popular tactic adds another layer of complexity to the already intricate landscape of cyber threats.
Parallels with Scattered Spider
The tactics employed bear a striking resemblance to those attributed to the notorious Scattered Spider threat group, known for employing phishing, MFA bombing, and SIM swapping techniques. This cybercrime syndicate has targeted numerous high-profile organisations, including MGM Resorts and tech giants like Microsoft and Twitter.
Defense Strategies
To combat these threats, organisations in the health sector are urged to implement rigorous verification processes, including callbacks for password resets and MFA device requests, monitoring for suspicious ACH changes, and conducting in-person validations for sensitive matters. Training help desk staff to recognise and report social engineering techniques is also crucial in fortifying defences against evolving cyber threats.
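Callbacks and in-person checks stop the enrolment at the help desk; the monitoring side of the same defence is to catch the cases that slip through. The chain HC3 describes (help-desk reset, then a new MFA device registered by the caller) is easy to correlate in identity logs: a device registration that follows a help-desk reset within hours and comes from a client address the user has never signed in from is exactly the event worth paging on. The Python below is an added example, not HC3's guidance or any identity provider's API: the log records, user names, IPs, agent IDs and the `MfaReset` / `MfaDeviceRegistered` / `SignIn` event kinds are all constructed and hypothetical.

```python
"""Added example (not from HC3 or the article): correlate help-desk-initiated
MFA resets with the device registration that follows, and flag registrations
that arrive from a client address the user has no sign-in history from.
Every record below is constructed; event kinds and field names are hypothetical."""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # reset -> registration gap considered "in response to the reset"
HISTORY = timedelta(days=30)   # how far back to look for the user's usual sign-in addresses


def _ev(user, kind, when, ip, actor=None):
    """Build one constructed identity-log record (hypothetical helper)."""
    return {"user": user, "kind": kind, "time": datetime.fromisoformat(when),
            "ip": ip, "actor": actor}


SAMPLE_LOG = [
    # erin: weeks of sign-ins from her office address, a help-desk reset, then a
    # new authenticator registered minutes later from an address never seen for her.
    _ev("erin@example.com", "SignIn", "2024-04-01T08:30:00", "198.51.100.40"),
    _ev("erin@example.com", "SignIn", "2024-04-08T08:32:00", "198.51.100.40"),
    _ev("erin@example.com", "MfaReset", "2024-04-10T14:02:00", "198.51.100.5", actor="helpdesk-agent-7"),
    _ev("erin@example.com", "MfaDeviceRegistered", "2024-04-10T14:09:00", "203.0.113.77"),
    # frank: same reset flow, but the registration comes from his usual address.
    _ev("frank@example.com", "SignIn", "2024-04-09T09:00:00", "198.51.100.41"),
    _ev("frank@example.com", "MfaReset", "2024-04-10T10:00:00", "198.51.100.5", actor="helpdesk-agent-7"),
    _ev("frank@example.com", "MfaDeviceRegistered", "2024-04-10T10:05:00", "198.51.100.41"),
    # grace: registration from a new address, but no help-desk reset preceding it
    # (a self-service enrolment; out of scope for this particular correlation).
    _ev("grace@example.com", "SignIn", "2024-04-09T09:00:00", "198.51.100.42"),
    _ev("grace@example.com", "MfaDeviceRegistered", "2024-04-10T11:00:00", "203.0.113.88"),
]


def suspicious_enrollments(log, window=WINDOW, history=HISTORY):
    """Return (user, help-desk actor, registering IP) for every MFA device
    registration that follows a help-desk reset within `window` and comes from
    an IP the user has not signed in from during `history`."""
    log = sorted(log, key=lambda e: e["time"])
    findings = []
    for i, reg in enumerate(log):
        if reg["kind"] != "MfaDeviceRegistered":
            continue
        earlier = [e for e in log[:i] if e["user"] == reg["user"]]
        resets = [e for e in earlier
                  if e["kind"] == "MfaReset" and reg["time"] - e["time"] <= window]
        if not resets:
            continue  # no help-desk involvement; a different rule would cover self-service
        seen_ips = {e["ip"] for e in earlier
                    if e["kind"] == "SignIn" and reg["time"] - e["time"] <= history}
        if reg["ip"] not in seen_ips:
            findings.append((reg["user"], resets[-1]["actor"], reg["ip"]))
    return findings


if __name__ == "__main__":
    for user, agent, ip in suspicious_enrollments(SAMPLE_LOG):
        print(f"review: {user} registered a new MFA device from {ip} after a reset by {agent}")
```

On the sample only erin's enrolment is returned, with the help-desk agent who performed the reset attached so the ticket can be pulled and the callback record checked. Keying the baseline on sign-in addresses is the simplest choice; a production version would use the device identifier the identity provider records and would also raise the score when the same help-desk actor appears in several such findings in a short period, which is what a targeted campaign against one help desk looks like.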
As the healthcare industry grapples with escalating cyber risks, proactive measures and heightened vigilance are imperative for safeguarding sensitive data and preserving organisational integrity.
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders.
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think.
So long and thanks for reading all the phish!