Jan 19 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that eats cybercriminals for breakfast ????????????????☕
It’s Friday, folks, which can only mean one thing… It’s time for our weekly segment!
It goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it.
Congrats, the cybercriminals are no match… for your patch! ????????????
Check out these freshly hatched patches ????????????
What’s going Chrome? ????
???? Security Alert: Google Chrome Updates Released! ????️
On Tuesday, Google rolled out crucial updates for its Chrome browser, tackling four security issues, including a zero-day flaw (CVE-2024-0519) actively exploited by cyber threats. ????
This flaw involves an out-of-bounds memory access in the V8 JavaScript and WebAssembly engine, potentially allowing attackers to read secret values and bypass protection mechanisms. The issue, reported anonymously on January 11, 2024, is the first actively exploited zero-day fixed by Google in 2024. ????
Users are strongly advised to upgrade to Chrome version 120.0.6099.224/225 for Windows, 120.0.6099.234 for macOS, and 120.0.6099.224 for Linux to safeguard against potential threats. ????
Use your cranium ????, update your Chromium! ????
Users of Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should also promptly apply the fixes as they become available. Stay secure online! ????????
Trump supporters be like: ‘BUILD THAT SonicWall!’ ????????????
Keep an eye out for this guy ????
???? SonicWall Firewalls Under Threat! Update Now! ????
???? Attention, SonicWall users! Over 178,000 firewalls are at risk due to exploitable flaws, potentially leading to denial-of-service (DoS) and remote code execution (RCE).
???? The Breakdown:
CVE-2022-22274: Stack-based overflow could lead to DoS or code execution.
CVE-2023-0656: Another stack-based overflow with potential for DoS and crashes.
Shockingly, despite being disclosed two years ago, over 146,000 devices are still vulnerable!
????️ Take action now! Update to the latest SonicOS version and ensure your management interface isn't exposed online. ???? Safeguard your SonicWall firewall and stay cyber-secure! ????????
Now, on to today’s hottest cybersecurity stories:
FML! When MFA misfires thanks to spamming, fatigue ????
???????? Crypto hijack attack! ‘Docker’ enslaves CPUs for mining ⛏️
???? Iranian invasion! Undercover hackers infiltrate universities ????️
In the ever-evolving digital landscape, traditional password-only authentication systems face increasing vulnerabilities, prompting a shift towards the adoption of Multi-Factor Authentication (MFA). ???? MFA demands users to provide multiple authentication factors, adding a crucial layer of defence against unauthorised access.
???? What is MFA Spamming?
MFA spamming involves bombarding a user's devices with numerous MFA prompts or codes, aiming to overwhelm and trick them into approving an unauthorised login. Hackers require the victim's credentials to initiate this attack, exploiting any unintentional approvals for unauthorised access.
???? Attack Techniques:
Tactics include automated flooding of verification requests, social engineering to deceive users, and exploiting MFA system APIs to send false authentication requests.
???? Notable Attacks:
Examples include hackers breaching Coinbase's SMS MFA in 2021, stealing cryptocurrencies, and flooding Crypto.com customers in 2022, resulting in significant cryptocurrency losses.
????️ Mitigating Strategies:
To combat MFA spamming, organisations should enforce strong password policies, conduct end-user training on vigilant MFA verification, implement rate limiting on authentication requests, and establish robust monitoring systems with immediate alerting capabilities.
???? Key Takeaways:
Strengthening password policies and employing advanced solutions like Specops Password Policy's Breached Password Protection (catchy name! ????) are crucial steps in fortifying security against MFA spamming attacks.
Stay vigilant, stay secure! ????????
???? Beware! A novel campaign is targeting vulnerable Docker services, deploying the XMRig cryptocurrency miner and the 9Hits Viewer software for a multi-pronged monetization strategy. ????️♂️ Cloud security firm Cado reports this as the first documented case of malware using 9Hits as a payload, showcasing adversaries' constant efforts to diversify strategies for compromised host monetization.
???? Attack Method:
The exact method for spreading malware to vulnerable Docker hosts is unclear but suspected to involve search engines like Shodan for target scanning. Once breached, malicious containers are deployed via the Docker API, fetching off-the-shelf images from Docker Hub for 9Hits and XMRig.
???? Campaign Impact:
The 9Hits container generates credits for attackers by visiting specified sites, while the XMRig miner connects to a private pool, causing resource exhaustion on compromised hosts. Legitimate workloads suffer as the miner consumes CPU, bandwidth, and memory. The campaign's scale and profitability remain elusive due to its stealthy nature.
⚠️ Potential Consequences:
This attack not only impacts server performance but could escalate to leaving a remote shell, posing a serious security breach risk. Vigilance and protective measures are crucial!
????️ Protective Measures:
Stay secure by regularly updating Docker, monitoring for unusual resource consumption, and employing security measures against potential breaches. Stay vigilant, fortify defences! ????????
Learn AI in 5 minutes a day. We'll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.
????️ Since November 2023, a sophisticated Iranian cyber espionage group known as Mint Sandstorm (APT35, Charming Kitten, TA453, Yellow Garuda) has been actively targeting high-profile individuals involved in Middle Eastern affairs across Belgium, France, Gaza, Israel, the U.K., and the U.S. ???? The Microsoft Threat Intelligence team identifies this subgroup as technically and operationally mature.
???? Attack Tactics:
Mint Sandstorm employs bespoke phishing lures to trick targets into downloading malicious files. The group, linked to Iran's Islamic Revolutionary Guard Corps (IRGC), has a history of resource-intensive social engineering campaigns, now enhanced with the use of breached accounts to send personalised phishing emails.
???? New Tactics:
This campaign involves a previously undocumented backdoor named MediaPl. The threat actors use legitimate but compromised accounts to send emails, build trust, and then attempt to deliver malware. The use of the curl command for connecting to the command-and-control infrastructure is also a new tactic.
???? Current Focus:
The latest campaign uses lures related to the Israel-Hamas war, with emails posing as journalists and high-profile individuals. Targets engaging with the threat actor receive a follow-up email containing a malicious link, leading to the retrieval of Visual Basic scripts and the deployment of custom implants like MischiefTut and MediaPl.
???? Evolution of Threat:
Mint Sandstorm continuously refines its tooling, making it more challenging to detect and enabling persistent remote access to compromised systems. This poses a significant threat to system confidentiality.
???? International Impact:
The disclosure coincides with revelations about a Dutch engineer's potential involvement in deploying an early variant of the Stuxnet malware in an Iranian nuclear facility in 2007. The cyber landscape remains dynamic, emphasising the need for heightened cybersecurity measures. ????????
That’s all for this week, cyber squad! You stay out there now, ya hear? Cheers!! ????????????
????️ Extra, Extra! Read all about it! ????️
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
The GeekAI: A daily 3 min newsletter on what matters in AI, with all the new AI things coming to market its good to stay ahead of the curve.
Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20 year veteran 'Wealthy Primate' might be able to help you climb that tree ???????? with his stick and banana approach ????????
Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)
Let us know what you think.
So long and thanks for reading all the phish!
???? CACTUS ransomware exploits flaws in Qlik Sense ????