Mar 01 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that’s on the verge of big, new, exciting things, so stay tuned.
It’s Friday, folks, which can only mean one thing… It’s time for our weekly segment!
It goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it.
Congrats, the cybercriminals are no match… for your patch!
Check out these freshly hatched patches
Hackers: We’ll be safe once we make the jump to LiteSpeed
LiteSpeed Cache Plugin Vulnerability Exposed!
A security vulnerability has been found in the LiteSpeed Cache plugin for WordPress. Tracked as CVE-2023-40000, it could let an unauthenticated attacker elevate their privileges.
Patchstack researcher Rafie Muhammad said it’s an unauthenticated stored cross-site scripting flaw, fixed in version 5.7.0.1. LiteSpeed Cache, with over 5 million installations, released version 6.1 on February 5, 2024.
The flaw is due to missing input sanitization and output escaping in the update_cdn_status() function, and it is reproducible on a default installation of the plugin. Another XSS issue (CVE-2023-4372) was disclosed earlier by Wordfence and was fixed in version 5.7.
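To make the mechanism concrete, here is an added illustrative example (not LiteSpeed Cache’s own code) of the same class of bug in a hypothetical WordPress plugin: a CDN-status AJAX handler that stores unsanitized input and later echoes it unescaped into an admin page, next to a hardened version of the same handler. The action, option and field names are assumed for the example; the version gate at the end uses the 5.7.0.1 fix version named above.

```php
<?php
/**
 * Illustrative stored-XSS pattern in a WordPress plugin and its fix.
 * Added example, not LiteSpeed Cache's code. The AJAX action name
 * (demo_update_cdn_status), option name (demo_cdn_status) and the
 * allowed status values are hypothetical.
 */

// --- Vulnerable pattern --------------------------------------------------
// wp_ajax_nopriv_* hooks run for visitors who are NOT logged in, so any
// unauthenticated POST to /wp-admin/admin-ajax.php?action=demo_update_cdn_status
// reaches this handler. There is no nonce, no capability check, and the
// value is stored exactly as received.
add_action( 'wp_ajax_nopriv_demo_update_cdn_status', 'demo_update_cdn_status_vulnerable' );
function demo_update_cdn_status_vulnerable() {
    $status = isset( $_POST['status'] ) ? wp_unslash( $_POST['status'] ) : '';
    update_option( 'demo_cdn_status', $status );   // attacker HTML persisted
    wp_send_json_success();
}

function demo_render_cdn_status_vulnerable() {
    // Raw echo: a stored "<script>…</script>" executes in the administrator's
    // browser when this settings page renders, which is what turns an
    // unauthenticated stored XSS into privilege escalation.
    echo '<p>CDN status: ' . get_option( 'demo_cdn_status', '' ) . '</p>';
}

// --- Hardened pattern ----------------------------------------------------
// Logged-in users only (no nopriv hook), CSRF nonce, capability check,
// input sanitized and allow-listed, output escaped. Each layer on its own
// would have stopped the attack above.
add_action( 'wp_ajax_demo_update_cdn_status', 'demo_update_cdn_status_hardened' );
function demo_update_cdn_status_hardened() {
    check_ajax_referer( 'demo_cdn_status_nonce', 'nonce' );   // dies on bad/missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {            // administrators only
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw     = isset( $_POST['status'] ) ? wp_unslash( $_POST['status'] ) : '';
    $status  = sanitize_text_field( $raw );                    // strips tags and control chars
    $allowed = array( 'enabled', 'disabled', 'pending' );      // hypothetical allow-list
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'invalid status', 400 );
    }
    update_option( 'demo_cdn_status', $status );
    wp_send_json_success( array( 'status' => $status ) );
}

function demo_render_cdn_status_hardened() {
    // Escape at output even though input was sanitized: defence in depth
    // against any other code path that writes the same option.
    echo '<p>CDN status: ' . esc_html( get_option( 'demo_cdn_status', '' ) ) . '</p>';
}

// --- Version gate --------------------------------------------------------
// Returns true when the installed plugin predates the 5.7.0.1 fix named on
// this page. Feed it the "Version:" header value or the output of
// `wp plugin get litespeed-cache --field=version`.
function demo_litespeed_cache_needs_update( $installed_version ) {
    return version_compare( $installed_version, '5.7.0.1', '<' );
}
```

The practical takeaway is the order of checks in the hardened handler: reject unauthenticated and cross-site requests first, then constrain the value to a known set, and still escape on output, because a stored value will be rendered by code written long after the handler was.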
Get updating, people!
Now, on to today’s hottest cybersecurity stories:
Stop the WordPresses! LiteSpeed vulnerability puts 5M+ sites at risk
What happens when you cross European officials with Indian diplomacy?
Mass transfer of personal data to ‘high-risk’ nations blocked by Mr. Biden
A previously unknown threat actor named SPIKEDWINE has been spotted targeting officials in European countries with Indian diplomatic missions. They’re using a sneaky new backdoor called WINELOADER, as per a report from Zscaler ThreatLabz.
The Bait
The attackers sent emails with a PDF file, supposedly from the Ambassador of India, inviting diplomatic staff to a wine-tasting event on February 2, 2024. This PDF contained a malicious link disguised as a questionnaire.
Timeline
The campaign was first detected when a similar PDF file was uploaded to VirusTotal from Latvia on January 30, 2024. However, evidence suggests that it may have been active since at least July 6, 2023.
Sophisticated Tactics
The attack is characterised by its low volume and advanced tradecraft. The lure’s link leads to a downloader stage that retrieves WINELOADER from the attackers’ domain; the backdoor carries modules for executing commands from the attackers’ server and for evading detection.
How It Works
Compromised websites are used for command-and-control and hosting payloads, making detection challenging. The C2 server responds to specific requests at certain times, enhancing its evasiveness.
Detection Challenges
The threat actor has gone to great lengths to avoid detection, including bypassing memory forensics and automated URL scanning solutions.
Stay Vigilant
Officials and organisations should remain vigilant against such targeted cyber threats and ensure robust security measures are in place to prevent infiltration.
Stay alert and secure to safeguard against emerging cyber risks!
Breaking News: Cyber Espionage Threats from China!
Two suspected China-linked cyber espionage groups, known as UNC5325 and UNC3886, have been identified exploiting vulnerabilities in Ivanti Connect Secure VPN appliances. They’ve deployed sophisticated malware and demonstrated a deep understanding of the targeted systems.
The Exploits
UNC5325 abused CVE-2024-21893 to deliver a range of new malware, including LITTLELAMB.WOOLTEA and PITSTOP, aiming to maintain persistent access to compromised devices. UNC3886, on the other hand, has a history of exploiting zero-day flaws in Fortinet and VMware solutions.
Timeline
UNC5325’s exploitation of CVE-2024-21893 dates back to January 19, 2024. The vulnerability is a server-side request forgery flaw in the appliances’ SAML component that lets an unauthenticated attacker reach otherwise restricted resources, which the group used as the foothold for deploying its malicious payloads.
Modus Operandi
These threat actors use a variety of techniques, including leveraging legitimate Ivanti components to drop additional payloads and utilising living-off-the-land (LotL) methods to evade detection.
Detection Challenges
The attackers have demonstrated a nuanced understanding of the targeted appliances and have employed sophisticated evasion techniques to avoid detection.
Stay Secure
Organisations are urged to apply Ivanti’s patches to their Connect Secure appliances promptly and to strengthen their surrounding security measures to mitigate the risk of exploitation.
Be vigilant and proactive in safeguarding against cyber threats!
U.S. President Joe Biden has issued an Executive Order aimed at preventing the mass transfer of citizens’ personal data to countries of concern. The order includes safeguards to protect sensitive information like genomic data, biometric data, and personal health data.
Combatting Threats
The U.S. government warns that threat actors could exploit this data for intrusive surveillance, scams, and blackmail. Countries of concern, including China, Russia, and Iran, have a track record of collecting and misusing Americans’ data.
Regulating Data Access
Federal agencies will establish regulations to safeguard sensitive data from access and exploitation. The Departments of Health and Human Services, Defense, and Veterans Affairs will ensure that federal grants and contracts do not facilitate access to sensitive data.
Concerns Raised
While the Executive Order is a step in the right direction, concerns remain about authoritarian regimes like Saudi Arabia and the U.A.E. accessing Americans’ data. Senator Ron Wyden emphasises the need for stricter regulations to prevent data misuse.
Protecting Privacy
Efforts to regulate the data broker industry aim to protect privacy, counterintelligence, and national security. The U.S. government is taking action to prevent unauthorised access to sensitive data and mitigate the risks posed by hostile actors.
Stay tuned for further updates on this developing story!
Geez, don’t the weeks just fly by? See you on Monday, folks. Have a good one!
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders.
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think.
So long and thanks for reading all the phish!