Dec 13 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that treats cybercriminals like the government treats farmers 😬😬😬
Patch of the Week! 🩹
First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳
Congrats to WordPress’s Hunk plugin, the cybercriminals are no match… for your patch! 🩹
Check out this freshly hatched patch 🐣
🚨 Critical WordPress Security Alert: Hunk Companion Plugin Vulnerability 🔌
A critical flaw in the Hunk Companion plugin (CVE-2024-11972, CVSS 9.8) is being actively exploited by attackers to install vulnerable plugins, paving the way for devastating attacks like Remote Code Execution (RCE), SQL Injection, and Cross-Site Scripting (XSS).
🔑 What’s Happening?
Attackers are exploiting this flaw to install plugins like the now-closed WP Query Console, which has its own unpatched RCE vulnerability (CVE-2024-50498, CVSS 10.0).
This creates backdoors, manipulates databases, and allows the execution of malicious PHP code.
🛠️ Impacted Versions:
Hunk Companion: All versions before 1.9.0.
The flaw bypasses a previous patch (CVE-2024-9707, CVSS 9.8).
✅ Fixed in:
Version 1.9.0
⚡ Action Required:
Update Hunk Companion immediately to version 1.9.0 or later to close this vulnerability.
Review and remove any suspicious plugins or scripts on your site.
🔒 Why It’s Critical:
Exploiting outdated or abandoned plugins is a key tactic for attackers, turning weak points into opportunities for total site compromise.
Stay secure, and keep your WordPress site up to date! 🌐✨
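An added example, not part of this newsletter or of the Hunk Companion project: a small audit script that checks the output of WP-CLI's `wp plugin list --format=json` for a Hunk Companion install below 1.9.0 and for the WP Query Console plugin that the advisory says attackers install. The plugin slugs `hunk-companion` and `wp-query-console` are assumptions, and the sample JSON is constructed.

```python
import json

# Constructed sample of `wp plugin list --format=json` output (not from a real site).
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "hunk-companion", "status": "active", "update": "available", "version": "1.8.5"},
    {"name": "wp-query-console", "status": "inactive", "update": "none", "version": "1.0"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3.2"},
])

# Slugs are assumptions; the fixed version comes from the advisory above.
FIXED_VERSIONS = {"hunk-companion": "1.9.0"}   # anything below is vulnerable
ABUSED_PLUGINS = {"wp-query-console"}           # installed by attackers via the flaw


def parse_version(v):
    """Turn '1.8.5' into (1, 8, 5); non-numeric parts are treated as 0."""
    parts = []
    for p in v.strip().split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_older(installed, fixed):
    """True if installed < fixed, padding so 1.9 == 1.9.0 and 1.10.0 > 1.9.0."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def audit_plugins(plugin_list_json):
    """Return a list of (slug, reason) findings from WP-CLI JSON output."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        slug, version = plugin["name"], plugin["version"]
        if slug in FIXED_VERSIONS and is_older(version, FIXED_VERSIONS[slug]):
            findings.append((slug, f"version {version} is below fixed {FIXED_VERSIONS[slug]}; update now"))
        if slug in ABUSED_PLUGINS:
            findings.append((slug, "known to be installed by attackers; remove and investigate"))
    return findings


if __name__ == "__main__":
    for slug, reason in audit_plugins(SAMPLE_PLUGIN_LIST):
        print(f"[!] {slug}: {reason}")
```

On a live site, feed the real output of `wp plugin list --format=json` to `audit_plugins` instead of the constructed sample.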
Now, on to this week’s hottest cybersecurity news stories:
👮 Europol FTW! Smashes 27 DDoS platforms across 15 nations 🌍
👾 Amadey is a weapon of MaaS disruption being deployed in Ukraine ☣️
🖥️ Windows users beware! New malware could exploit Windows UI ⚠️
A massive international law enforcement operation called PowerOFF has struck a blow against DDoS-for-hire services! Authorities in 15 countries joined forces to dismantle 27 booter and stresser platforms like zdstresser.net, orbitalstress.net, and starkstresser.net.
🎯 Key Highlights:
💻 Services Down: These platforms, used for launching DDoS attacks, are offline!
🕵️ Arrests: Three alleged administrators were nabbed in France and Germany, and over 300 users are now on law enforcement radars.
🌐 Countries United: Australia, Brazil, Canada, Japan, and others participated in the takedown.
🔎 What Are Stresser Sites?
These shady platforms allowed hackers and hacktivists to flood websites with traffic, making them inaccessible.
Customers could launch attacks for:
💰 Money
🎭 Hacktivism (think KillNet or Anonymous Sudan)
🕵️♂️ Sabotage
🚨 A Wake-Up Call for Businesses:
🛡️ With the takedown of these services, law enforcement is sending a clear message:
💔 Don’t rely on illegal stresser services—they might just lead back to you.
🔒 Strengthen your defenses against DDoS attacks.
🚀 Keep your security updated to counter emerging threats like Breaking WAF, a bug that bypasses web application firewalls.
🌐 The Bigger Picture:
This takedown comes amidst a surge in DDoS attacks, especially during high-traffic periods like Black Friday. According to Cloudflare, the most targeted industries in 2024 included Gambling, Finance, and Telecom.
🎉👏 A Victory for Cybersecurity!
The success of Operation PowerOFF shows that when nations unite 🌏, they can dismantle even the most complex cybercrime networks. For now, the internet breathes a little easier.
🚦Stay vigilant and stay secure! 💪✨
Everyone talks about AI, but no one has the time to learn it. So, we found the easiest way to learn AI in as little time as possible: The Rundown AI.
It's a free AI newsletter that keeps you up-to-date on the latest AI news, and teaches you how to apply it in just 5 minutes a day.
Plus, complete the quiz after signing up and they’ll recommend the best AI tools, guides, and courses – tailored to your needs.
🕵️♂️ The Russian nation-state actor Secret Blizzard (aka Turla) is back in the spotlight, leveraging tools from other hacking groups to deploy the Kazuar backdoor against Ukrainian targets. Microsoft's latest report unveils a sophisticated and deceptive operation aimed at espionage and intelligence collection.
💡 Key Insights:
Hijacked Tools: Secret Blizzard used the Amadey bot malware to infiltrate Ukrainian military systems between March and April 2024.
🧩 Layered Attacks: Amadey was employed to download the Tavdig backdoor, which then installed an updated Kazuar variant.
🐾 Shadowy Operations: This marks the second instance since 2022 where Secret Blizzard leveraged another group's campaign to mask its tracks.
🔍 A Tactical Playbook of Deception
Secret Blizzard is known for covert and long-term intelligence gathering targeting:
🌍 Government offices, embassies, and ministries of foreign affairs.
🛡️ Defense departments and military-linked organizations.
Their methods include:
🌐 Watering Hole Attacks (compromising websites to target visitors).
📧 Spear-Phishing campaigns.
🕶️ Adversary-in-the-Middle (AitM) attacks.
🚨 The Role of Amadey Malware-as-a-Service (MaaS):
Access Techniques: Secret Blizzard may have stealthily accessed Amadey C2 panels or purchased access through the dark web.
Customized Payloads: A PowerShell dropper delivered encoded malware, contacting a Turla-controlled C2 server for further exploitation.
🛡️ Why This Matters:
Secret Blizzard’s strategy of commandeering tools from other actors—like Flying Yeti's COOKBOX backdoor—obscures its tracks and complicates attribution.
💻 Their adaptability in using shared or hijacked infrastructures frustrates threat analysts and enables stealthier campaigns.
🌍 Global Cybersecurity Implications
Evolving Espionage: The use of third-party access is a rare but increasingly effective obfuscation tactic.
🛡️ Resilience Required: Organizations need robust defenses, including endpoint monitoring and real-time threat intelligence, to detect sophisticated multi-layered attacks.
🔒 Final Thought:
Secret Blizzard’s operations reveal the lengths nation-state actors will go to remain undetected while achieving their goals. 🌐 Stay vigilant, adopt proactive security measures, and watch for evolving tactics in the cyber threat landscape! 💪✨
Elite performers demand peak performance from their bodies, and optimizing health is essential for achieving that edge. Our cutting-edge EMF protection technology is designed to help athletes shield themselves from the harmful effects of electromagnetic radiation, which can lead to fatigue, decreased recovery time, and impaired focus. By using Aires Tech products, athletes can minimize exposure to EMF from the devices they rely on daily—whether it's training gear, wearable tech, or even smartphones—allowing them to focus on maximizing their physical and mental capabilities. An official partner of UFC, WWE and Canada Basketball, Aires is committed to protect and optimize elite athletes through innovation and performance excellence.
💻 Cybersecurity researchers have uncovered a method to exploit the Windows UI Automation (UIA) framework for malicious purposes while bypassing endpoint detection and response (EDR) systems.
🔑 Key Takeaways
What It Does: Malicious programs can use UIA to:
Execute stealthy commands.
Harvest sensitive data (e.g., payment info).
Manipulate messaging apps like Slack or WhatsApp.
Redirect browsers to phishing sites.
Attack Scope: Local attackers can exploit UIA to control or interact with apps remotely by leveraging Component Object Model (COM) mechanisms.
🧩 How It Works
UIA, designed for assistive tech and automated testing, interacts with UI elements at high privilege levels when granted administrator permissions. These interactions can be exploited to read/write data or execute commands silently.
⚠️ Why It’s Dangerous
Defender Blindspot: Windows sees these malicious actions as intended features, not threats, allowing them to bypass defenses.
Hidden Interactions: Attackers can interact with UI elements not visible on the screen, enabling covert data theft or command execution.
🔐 DCOM: Another Threat Vector
In parallel, researchers at Deep Instinct uncovered a method to abuse the Distributed COM (DCOM) protocol for lateral movement:
Custom Payloads: Attackers can write DLLs, create backdoors, and execute arbitrary code.
Detectability: These attacks leave Indicators of Compromise (IoCs) that can be detected, but they require the attacker and victim to be in the same domain.
🛡️ Stay Protected
Organizations should:
Monitor for unusual COM/DCOM activity.
Restrict admin-level privileges where possible.
Strengthen defenses against UI and accessibility abuse.
🌐 Takeaway: These findings underscore the creative exploitation of legitimate tools for malicious purposes. Vigilance and proactive security measures are essential! 🚀
🗞️ Extra, Extra! Read all about it! 🗞️
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾
Let us know what you think.
So long and thanks for reading all the phish!