Jan 12 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that’s got that Friday feeling but then remembered it’s Dry January.
It’s Friday, folks, which can only mean one thing… It’s time for our weekly segment!
It goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it.
Congrats, the cybercriminals are no match… for your patch!
Check out these freshly hatched patches:
Microsoft Patch Tuesday – Jan ’24
Updates: 48 flaws fixed, 2 critical, 46 important. No known active attacks.
⚠️ Criticals:
CVE-2024-20674 (CVSS 9.0): Windows Kerberos Bypass
CVE-2024-20700 (CVSS 7.5): Hyper-V Remote Code Execution
Highlights:
2nd consecutive month with no zero-days.
9 Edge browser vulnerabilities addressed.
Zero-day exploit (CVE-2023-7024) fixed.
Fixes:
CVE-2024-20653 (CVSS 7.8): CLFS Privilege Escalation
CVE-2024-0056 (CVSS 8.7): SQL Security Bypass
CVE-2024-20677 (CVSS 7.8): FBX file insertion disabled.
Notes:
CVE-2024-20674 needs network access.
CVE-2024-20700 allows remote execution with conditions.
Use GLB format in Office for security.
For more, check Microsoft advisories. Stay secure!
Cisco Fixo
Cisco Security Updates – Jan ’24
⚠️ Critical Flaw in Unity Connection:
CVE-2024-20272 (CVSS 7.3): Allows arbitrary command execution.
Vulnerable Versions: 12.5 and earlier (Fixed in 12.5.1.19017-4), 14 (Fixed in 14.0.1.14006-5).
Details:
File upload bug in web-based interface.
Lack of authentication in a specific API.
Uploading arbitrary files can lead to system compromise.
Mitigation:
Update to fixed versions to prevent potential threats.
No evidence of exploitation in the wild.
Stay secure!
Now, on to today’s hottest cybersecurity stories:
Experts predict ransomware ‘Armageddon’ in 2024
Mandiant’s (cybersec firm) X hacked in ‘brute force’ attack
F*ckBot is coming to a cloud or SaaS platform near you
In the tumultuous landscape of 2023, ransomware emerged as a relentless adversary, making headlines weekly with high-profile targets like MGM, Johnson Controls, Clorox, and others falling victim.
Among the various cyber threats, phishing-driven ransomware looms largest, constituting 90% of data breaches and causing over $10 billion in losses, according to reports from CISA and Cisco.
GenAI
Enter the era of Generative Artificial Intelligence (GenAI), a game-changer in the realm of cybercrime. Exploiting human vulnerabilities rather than technological weaknesses, phishing stands as a potent strategy for cybercriminals.
GenAI tools, like fraudulent versions of ChatGPT, enable the creation of highly personalised and context-aware phishing messages, making them virtually indistinguishable from genuine human communication. These attacks pose a significant challenge to traditional anti-phishing solutions, as GenAI-generated content lacks the typical signs of phishing.
I see your GenAI, and raise you a Next-Gen MFA
In response to this evolving threat landscape, the spotlight shifts to Next-Generation Multi-Factor Authentication (Next-Gen MFA). Legacy MFA technology, often two decades old, proves insufficient against GenAI attacks.
Next-Gen MFA, leveraging FIDO2-compliant wearables, emerges as a robust defence mechanism, virtually phishing-proof by eliminating human vulnerabilities.
As GenAI-powered phishing attacks escalate, adopting wearable Next-Gen MFA devices, such as the Token Ring, becomes imperative. These devices offer a formidable defence against the sophistication of modern phishing threats, ensuring constant user safety and robust cybersecurity.
Upgrade to Next-Gen MFA to stay ahead in the evolving landscape of cyber threats.
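As an added illustration (not from the newsletter and not Token’s code), here is why a FIDO2/WebAuthn login cannot simply be relayed from a phishing page: the browser writes the page’s origin into the signed client data, and the relying party checks that origin and the hash of its own rpId before it even looks at the signature. The relying-party name, origin and challenge are assumed values, and HMAC stands in for the authenticator’s ECDSA signature so the example runs on the standard library alone.

```python
import hashlib, hmac, json, os

# Constructed example of the relying-party (RP) side of a FIDO2/WebAuthn login.
# HMAC-SHA256 stands in for the authenticator's ECDSA signature so this runs on the
# standard library; the binding checks (origin, rpIdHash) are the point.
RP_ID = "login.example.com"                  # assumed relying-party identifier
EXPECTED_ORIGIN = "https://login.example.com"
AUTHENTICATOR_KEY = os.urandom(32)           # stand-in for the credential's private key

def authenticator_sign(rp_id, origin, challenge):
    """What browser + authenticator return on the page the user is really on: the browser
    records the page origin in clientDataJSON, the authenticator puts SHA256(rp_id) into
    authenticatorData and signs authenticatorData || SHA256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x07"  # rpIdHash|flags|counter
    sig = hmac.new(AUTHENTICATOR_KEY, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(assertion, challenge):
    """Verification steps from WebAuthn section 7.2; returns 'ok' or the rejection reason."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != challenge:
        return "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"        # a phishing page's origin shows up here
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"      # credential was scoped to a different site
    if not auth_data[32] & 0x01:
        return "user presence flag not set"
    msg = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, msg, "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return "bad signature"          # clientDataJSON or authenticatorData was edited
    return "ok"

def demo():
    """Legit login, a relayed assertion from a lookalike domain, and a doctored relay."""
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"   # constructed; real RPs use fresh random bytes
    legit = rp_verify(authenticator_sign(RP_ID, EXPECTED_ORIGIN, challenge), challenge)
    # Victim signs in on login-example.com; the phisher relays the assertion to the real RP.
    phished = authenticator_sign("login-example.com", "https://login-example.com", challenge)
    relayed = rp_verify(phished, challenge)
    # Phisher rewrites origin and rpIdHash to look genuine: the signature no longer matches.
    forged = dict(phished)
    forged["clientDataJSON"] = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": EXPECTED_ORIGIN}).encode()
    forged["authenticatorData"] = hashlib.sha256(RP_ID.encode()).digest() + phished["authenticatorData"][32:]
    return legit, relayed, rp_verify(forged, challenge)
```

A real browser also refuses to call the authenticator with an rpId that is not a registrable suffix of the current origin, which is why the phishing site in the demo has to use its own rpId.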
In a recent incident, Mandiant’s X (formerly Twitter) account fell victim to a likely “brute-force password attack,” linked to a drainer-as-a-service (DaaS) group. Despite the usual reliance on two-factor authentication (2FA), the breach occurred due to team transitions and a change in X’s 2FA policy, leaving the account inadequately protected.
FYI: A brute force attack is a hacking method that uses trial and error to crack passwords, login credentials, and encryption keys. It is a simple yet reliable tactic for gaining unauthorised access to individual accounts and organisations’ systems and networks.
The attack, occurring on January 3, 2023, allowed the threat actor to seize control of Mandiant’s X account. The perpetrator distributed links to a phishing page housing the cryptocurrency drainer CLINKSINK, known for facilitating the theft of digital assets from victims’ wallets after deceptive transaction approvals.
CLINKSINK Operations
CLINKSINK’s illicit operations involve multiple threat actors leveraging the drainer since December 2023, targeting Solana (SOL) cryptocurrency users. The DaaS operators recruit affiliates, offering a cut (typically 20%) of stolen assets.
Illegal Profits
The activity cluster, identified by Mandiant, comprises at least 35 affiliate IDs and 42 unique Solana wallet addresses, yielding over $900,000 in illegal profits.
Attack Chains
Attack chains utilise social media platforms like X and Discord to distribute cryptocurrency-themed phishing pages, enticing victims to connect wallets for a fake token airdrop.
Drainer Accessibility
Security researchers emphasise that the drainer, including variants like Chick Drainer, exhibits a low barrier to entry and high profit potential, making them appealing for financially motivated actors.
Cryptocurrency Threat Trend
This incident follows a broader trend of attacks targeting verified X accounts, amplifying the risk of cryptocurrency scams.
Anticipated Rise
Mandiant anticipates a continued rise in drainer operations given the lucrative nature of cryptocurrency and the accessibility of drainer tools.
Stay vigilant and consider enhancing security measures to safeguard against evolving threats.
A recently discovered Python-based hacking tool, F*ckBot, has emerged as a threat to web servers, cloud services, content management systems (CMS), and SaaS platforms, including Amazon Web Services (AWS), Microsoft 365, PayPal, Sendgrid, and Twilio.
Key Features
F*ckBot, according to SentinelOne security researcher Alex Delamotte, specialises in credential harvesting for spamming attacks, AWS account hijacking, and enabling assaults on PayPal and various SaaS accounts. It stands alongside other cloud hacking tools like AlienFox, GreenBot, Legion, and Predator.
Distinct Characteristics
While related to other hacking tool families, F*ckBot distinguishes itself by not referencing AndroxGh0st’s source code. However, it shares similarities with Legion. The ultimate goal of the tool is to hijack cloud, SaaS, and web services, monetizing access by selling it to other threat actors.
Functionalities
Generates API keys for AWS and Sendgrid.
Creates random IP addresses and runs reverse IP scanners.
Validates PayPal accounts and associated email addresses.
Extracts credentials from Laravel environment files.
Usage Indications
Uncovered samples date from July 2022 to the present, suggesting active use in the wild.
F*ckBot appears to be a product of private development, potentially distributed through a smaller-scale operation.
The trend aligns with the emergence of bespoke “private bots” for tailored attacks, akin to the AlienFox builds.
Security Implications
Given its active deployment, the security community emphasises the need for heightened vigilance against evolving threats. Continuous monitoring and robust security measures are crucial to safeguard against such sophisticated tools.
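As an added example (not SentinelOne’s analysis code and not from the newsletter), the check below runs over a few constructed web-server access-log lines and flags clients probing for Laravel .env files, separating a mere probe from a request the server actually answered with 200, which means the file and any AWS or Sendgrid keys in it were handed out. IPs, paths, timestamps and user agents are made up.

```python
import re
from collections import defaultdict

# Constructed sample of nginx/Apache "combined" access-log lines: one client probes three
# .env locations (the third is served), followed by ordinary traffic from another client.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2024:09:14:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
203.0.113.7 - - [12/Jan/2024:09:14:03 +0000] "GET /laravel/.env HTTP/1.1" 404 153 "-" "python-requests/2.31.0"
203.0.113.7 - - [12/Jan/2024:09:14:04 +0000] "GET /api/.env HTTP/1.1" 200 812 "-" "python-requests/2.31.0"
198.51.100.24 - - [12/Jan/2024:09:15:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.24 - - [12/Jan/2024:09:15:11 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"')
# A Laravel .env file (or a backup such as .env.bak) anywhere in the path counts as a probe.
ENV_PATH_RE = re.compile(r'(^|/)\.env(\.[A-Za-z0-9_-]+)?$')

def parse_line(line):
    """Split one combined-format line into fields; None if the line does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_env_probes(log_text):
    """Return {ip: {"probes": count, "served": [paths answered with 200]}} for every
    client that requested a .env file. A 200 means the secret file was exposed."""
    report = defaultdict(lambda: {"probes": 0, "served": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not ENV_PATH_RE.search(rec["path"].split("?")[0]):
            continue
        entry = report[rec["ip"]]
        entry["probes"] += 1
        if rec["status"] == "200":
            entry["served"].append(rec["path"])
    return dict(report)

def severity(report):
    """'critical' if any .env was served (rotate every key in it), 'warn' if only probed."""
    if any(entry["served"] for entry in report.values()):
        return "critical"
    return "warn" if report else "none"

if __name__ == "__main__":
    findings = find_env_probes(SAMPLE_LOG)
    print(severity(findings), findings)
```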
Stay informed, stay secure, and have a great weekend, folks!
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
The GeekAI: A daily 3 min newsletter on what matters in AI; with all the new AI things coming to market, it’s good to stay ahead of the curve.
Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20-year veteran ‘Wealthy Primate’ might be able to help you climb that tree with his stick and banana approach.
Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, TechCrunch etc.).
Let us know what you think.
So long and thanks for reading all the phish!