Mar 22 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that saw '£40 FREE CASH' trending on X in the UK and thought damn, that's ripe for exploitation #stupidisasstupiddoes
It's Friday, folks, which can only mean one thing… It's time for our weekly segment!
It goes by many names. Patch of the Week, Tweak of the Week. Okay, that's it.
Congrats, the cybercriminals are no match… for your patch! 🩹🩹🩹
Check out this freshly hatched patch 🐣
Atlassian bamboozles hackers with Bamboo bug patch
🚨 Atlassian Releases Patches for Critical Security Vulnerabilities
Atlassian has addressed more than two dozen security flaws, including a critical bug affecting Bamboo Data Center and Server, tracked as CVE-2024-1597, with a CVSS score of 10.0.
🛠️ SQL Injection Vulnerability: The flaw is an SQL injection in the org.postgresql:postgresql dependency (the PostgreSQL JDBC driver, pgjdbc) that Bamboo bundles. An attacker who controls the values passed to a parameterised query can inject SQL, defeating the protection prepared statements normally give. The driver only renders parameters this way when the JDBC URL sets PreferQueryMode=SIMPLE, which is not the default. Atlassian rates the bug as exploitable by an unauthenticated attacker with no user interaction and with high impact to confidentiality, integrity and availability.
Vulnerability Details: Versions of the PostgreSQL JDBC driver before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9 and 42.2.28 are affected; each of those is the first fixed release on its branch.
🔧 Mitigation Steps: Atlassian notes that Bamboo and its other Data Center products do not use PreferQueryMode=SIMPLE and so are not exploitable through this bug, but it has still shipped Bamboo releases with the patched driver and urges users to upgrade. If you ship pgjdbc in your own applications, check both the driver version and the query mode in your JDBC URL.
Credit to Researcher: The flaw was discovered by SonarSource security researcher Paul Gerste, a reminder that prompt updates are the cheapest safeguard against bugs like this one.
Stay secure by staying updated! 🛡️
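For readers who ship pgjdbc themselves, here is an added triage check (not Atlassian's or pgjdbc's own code). It flags a driver version as affected using the fixed releases the advisory lists, and reports whether the bug is actually reachable by looking for preferQueryMode=simple in the JDBC URL, the condition the pgjdbc advisory gives. The version strings and URLs in the block are constructed sample input.

```python
"""Added example: triage pgjdbc dependencies for CVE-2024-1597.

Not Atlassian's or pgjdbc's code. Fixed versions come from the advisory; the
reachability rule (only when the JDBC URL sets preferQueryMode=simple) comes
from the pgjdbc advisory. Sample inputs are constructed.
"""
import re
from urllib.parse import parse_qs

# First fixed release on each maintained 42.x branch, as listed in the advisory.
FIXED = {
    (42, 2): (42, 2, 28),
    (42, 3): (42, 3, 9),
    (42, 4): (42, 4, 4),
    (42, 5): (42, 5, 5),
    (42, 6): (42, 6, 1),
    (42, 7): (42, 7, 2),
}


def parse_version(v):
    """Split 'MAJOR.MINOR.PATCH[.qualifier]' (e.g. 42.2.27.jre7) into ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-].*)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised pgjdbc version: {v!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable_version(v):
    """True when the driver predates the first fixed release on its branch."""
    major, minor, patch = parse_version(v)
    branch = (major, minor)
    if branch in FIXED:
        return (major, minor, patch) < FIXED[branch]
    # Everything below 42.2 is covered by the "< 42.2.28" range and has no fix.
    if branch < (42, 2):
        return True
    # Newer branches (42.8+ or a later major) were cut after the fix.
    return False


def uses_simple_query_mode(jdbc_url):
    """True when the URL opts into simple query mode (the exploitable setting)."""
    query = jdbc_url.partition("?")[2]
    params = {k.lower(): v for k, v in parse_qs(query).items()}
    return any(m.strip().lower() == "simple" for m in params.get("preferquerymode", []))


def assess(version, jdbc_url):
    """Collapse version + query mode into one of three actionable states."""
    if not is_vulnerable_version(version):
        return "fixed"
    if uses_simple_query_mode(jdbc_url):
        return "vulnerable-exploitable"
    return "vulnerable-not-reachable"


def triage(entries):
    """entries: iterable of (maven coordinate, jdbc_url), e.g. from a dependency tree.

    Returns {coordinate: state} for every entry that still needs an upgrade.
    """
    result = {}
    for coordinate, url in entries:
        version = coordinate.rsplit(":", 1)[1]
        state = assess(version, url)
        if state != "fixed":
            result[coordinate] = state
    return result


if __name__ == "__main__":
    # Constructed sample: two services, one of them opted into simple mode.
    sample = [
        ("org.postgresql:postgresql:42.5.4", "jdbc:postgresql://db:5432/app?preferQueryMode=simple"),
        ("org.postgresql:postgresql:42.5.4", "jdbc:postgresql://db:5432/app"),
        ("org.postgresql:postgresql:42.7.2", "jdbc:postgresql://db:5432/app?preferQueryMode=simple"),
    ]
    for coordinate, state in triage(sample).items():
        print(coordinate, state)
```

The "vulnerable-not-reachable" state is still an upgrade ticket: the mode is a one-line URL change away, and the driver version is what a scanner will report.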
Now, on to today's hottest cybersecurity stories:
👻 Beware of the AndroxGh0st that lurks in Laravel apps 🕯️
Russian TinyTurla-NG is back targeting European NGOs
⚠️ Russia's insatiable, targeting Ukrainian telecoms w/ 'AcidPour' 🧪
Cybersecurity researchers have uncovered a tool known as AndroxGh0st, built to target Laravel applications and steal sensitive data.
Detection Details: AndroxGh0st scans for Laravel .env files that are reachable over the web and extracts the secrets they hold, including credentials for AWS and Twilio.
🚨 Classification: Described as an SMTP cracker, the malware abuses mail services with the stolen credentials and pairs that with web shell deployment and vulnerability scanning.
Activity Timeline: Since at least 2022, threat actors have used AndroxGh0st to read Laravel environment files and steal credentials for cloud services such as Amazon Web Services (AWS), SendGrid and Twilio.
Vulnerability Exploitation: Attack chains involving this Python-based malware exploit known flaws in Apache HTTP Server, the Laravel framework and PHPUnit for initial access, privilege escalation and persistence.
⚠️ Recent Warnings: A joint advisory from U.S. cybersecurity agencies highlights the growing threat, with attackers using AndroxGh0st to build a botnet that finds and exploits victims.
🛠️ Mitigation Measures: The malware exploits CVE-2021-41773 (path traversal in Apache HTTP Server 2.4.49), CVE-2017-9841 (remote code execution through PHPUnit's eval-stdin.php) and CVE-2018-15133 (deserialisation in Laravel, which needs the APP_KEY that a leaked .env file hands over). Patch those, keep .env files out of the web root, and rotate any credential that was ever stored in an exposed one.
Stay vigilant and keep software updated to safeguard against evolving threats in the cybersecurity landscape.
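The request shapes above are easy to spot in ordinary web access logs. The following is an added detection example, not code from the joint advisory or from AndroxGh0st itself: it parses combined-format access lines, tags requests that match the .env harvesting behaviour or the three CVEs, groups hits per client so a scanner stands out, and separates the one case that needs credential rotation (an .env that the server actually returned with HTTP 200). The log lines are constructed for the demo; the URI patterns follow the public descriptions of the CVEs and are assumptions, not copied from a sample.

```python
"""Added example: find AndroxGh0st-style requests in web access logs.

Not from the advisory or the malware. Log lines are constructed; the path
patterns are assumptions based on the public descriptions of the CVEs.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" format: ip ident user [ts] "METHOD uri proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

SIGNATURES = (
    # Laravel .env files (and stray copies such as .env.bak) hold AWS/Twilio/SendGrid keys.
    ("laravel-env-harvest", re.compile(r"(^|/)\.env(\.[\w.-]+)?$", re.I)),
    # CVE-2017-9841: PHPUnit's eval-stdin.php executes PHP sent in the request body.
    ("CVE-2017-9841", re.compile(r"/vendor/phpunit/phpunit/src/util/php/eval-stdin\.php$", re.I)),
    # CVE-2021-41773: Apache 2.4.49 fails to normalise encoded dot segments.
    ("CVE-2021-41773", re.compile(r"/\.%2e/|/%2e%2e/", re.I)),
)

# Constructed sample: one host probing all three, one host only fishing for .env copies.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Mar/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Mar/2024:10:01:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Mar/2024:10:01:04 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Mar/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Mar/2024:10:02:01 +0000] "GET /.env.backup HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields we need, or None for lines that are not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["uri"].split("?", 1)[0]  # signatures apply to the path only
    return rec


def scan(lines):
    """One finding per (request, signature) pair: ip, method, path, status, label."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for label, pattern in SIGNATURES:
            if pattern.search(rec["path"]):
                findings.append({"ip": rec["ip"], "method": rec["method"],
                                 "path": rec["path"], "status": rec["status"], "label": label})
    return findings


def by_source(findings):
    """Labels per client IP; a single source tripping several is a scanner, not a typo."""
    out = defaultdict(set)
    for f in findings:
        out[f["ip"]].add(f["label"])
    return {ip: sorted(labels) for ip, labels in out.items()}


def leaked_env_files(findings):
    """Requests for .env that the server answered with 200: rotate every key in them."""
    return [f for f in findings if f["label"] == "laravel-env-harvest" and f["status"] == 200]


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for ip, labels in by_source(hits).items():
        print(ip, labels)
    for f in leaked_env_files(hits):
        print("ROTATE SECRETS:", f["ip"], "retrieved", f["path"])
```

The 404 and 403 responses still matter: they tell you who is probing, and the same source is likely to come back once it finds a reachable .env on a neighbouring host.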
Reports from Cisco Talos reveal that the Russia-linked threat actor Turla has targeted an undisclosed European non-governmental organisation (NGO), infecting multiple systems with the backdoor TinyTurla-NG.
🛡️ Initial Compromise: According to the report, Turla compromised the first system, established persistence and added exclusions to the antivirus product to evade detection.
📡 Communication Channels: Turla then expanded its foothold by opening additional channels with Chisel, a tunnelling tool, which it used to exfiltrate data and reach other systems on the network.
Timeline of Breach: Evidence suggests the systems were breached as early as October 2023, with Chisel deployed in December 2023 and data exfiltrated around January 12, 2024.
Targeted Campaign: TinyTurla-NG was first observed in an attack on a Polish NGO supporting democracy and Ukraine during the Russian invasion.
Sophisticated Tactics: The attack chain runs from initial access to configuring antivirus exclusions, dropping TinyTurla-NG, and creating malicious services that keep the backdoor running across reboots.
🛠️ Ongoing Investigation: TinyTurla-NG acts as a backdoor for reconnaissance and file exfiltration; the exact intrusion path is still being investigated by Talos researchers.
This incident underscores the importance of robust cybersecurity measures and constant vigilance against advanced threat actors targeting organisations worldwide. 🛡️
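The chain Talos describes (add an antivirus exclusion, drop the backdoor, install a service to keep it alive) leaves a pair of Windows events that are worth correlating. The block below is an added detection example, not Talos' code and not tied to any TinyTurla-NG artefact. It assumes Microsoft Defender, whose Operational log records an added exclusion as Event ID 5007, and the System log's Event ID 7045 for a newly installed service; it raises an alert when a service is installed from a folder that was excluded on the same host shortly before. The events, host names, service name and paths are constructed.

```python
"""Added example: correlate Defender exclusion changes with new service installs.

Not Talos' code. Assumes Microsoft Defender (Event ID 5007 in
Microsoft-Windows-Windows Defender/Operational) and System Event ID 7045.
All events below are constructed.
"""
import re
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
# 5007 "New value:" line names the registry value that was set, e.g.
#   HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Some\Dir = 0x0
EXCLUSION_RE = re.compile(r"Exclusions\\Paths\\(?P<path>.+?)\s*=\s*0x0", re.I)
# 7045 lists "Service Name:" and "Service File Name:" on separate lines.
SERVICE_RE = re.compile(
    r"Service Name:\s*(?P<name>.+?)\s*[\r\n]+\s*Service File Name:\s*\"?(?P<image>[^\"\r\n]+)",
    re.I,
)


def _parts(path):
    """Case-folded path components so C:\\Windows and c:\\windows compare equal."""
    return tuple(p.lower().rstrip("\\") for p in PureWindowsPath(path.strip()).parts)


def is_under(image, folder):
    """True when image sits in folder or any subfolder of it."""
    img, base = _parts(image), _parts(folder)
    return len(img) > len(base) and img[: len(base)] == base


def exclusion_added(ev):
    """Excluded folder from a Defender 5007 event, else None."""
    if ev["channel"] != DEFENDER_CHANNEL or ev["event_id"] != 5007:
        return None
    m = EXCLUSION_RE.search(ev["message"])
    return m.group("path").strip() if m else None


def service_installed(ev):
    """(service name, image path) from a System 7045 event, else None.
    An unquoted image with arguments is taken whole, so it will not match; quote paths."""
    if ev["channel"] != "System" or ev["event_id"] != 7045:
        return None
    m = SERVICE_RE.search(ev["message"])
    return (m.group("name").strip(), m.group("image").strip()) if m else None


def correlate(events, window=timedelta(hours=24)):
    """Alert when a service is installed from a freshly excluded folder on the same host."""
    alerts, exclusions = [], {}  # host -> [(time, excluded folder)]
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        folder = exclusion_added(ev)
        if folder:
            exclusions.setdefault(ev["host"], []).append((t, folder))
            continue
        svc = service_installed(ev)
        if not svc:
            continue
        name, image = svc
        for t_excl, excluded in exclusions.get(ev["host"], []):
            if t - t_excl <= window and is_under(image, excluded):
                alerts.append({"host": ev["host"], "service": name, "image": image,
                               "excluded_path": excluded,
                               "minutes_after_exclusion": (t - t_excl).total_seconds() / 60})
    return alerts


def _excl_msg(folder):  # builds the text shape Defender uses; sample content is constructed
    return ("Windows Defender Antivirus Configuration has changed.\r\n\tOld value: \r\n"
            "\tNew value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\" + folder + " = 0x0")


def _svc_msg(name, image):  # same for the 7045 message body
    return ("A service was installed in the system.\r\n\r\nService Name:  " + name +
            "\r\nService File Name:  \"" + image + "\"\r\nService Type:  user mode service\r\n"
            "Service Start Type:  auto start\r\nService Account:  LocalSystem")


# Constructed events: WS01 shows the exclusion-then-service pattern; WS02 does not.
EVENTS = [
    {"host": "WS01", "time": "2024-01-10T09:00:00", "channel": DEFENDER_CHANNEL, "event_id": 5007,
     "message": _excl_msg("C:\\Windows\\Temp\\Drv")},
    {"host": "WS01", "time": "2024-01-10T09:05:00", "channel": "System", "event_id": 7045,
     "message": _svc_msg("DrvUpdSvc", "C:\\Windows\\Temp\\Drv\\drvupd.exe")},
    {"host": "WS02", "time": "2024-01-10T09:10:00", "channel": "System", "event_id": 7045,
     "message": _svc_msg("VendorAgent", "C:\\Program Files\\Vendor\\agent.exe")},
    {"host": "WS02", "time": "2024-01-10T09:15:00", "channel": DEFENDER_CHANNEL, "event_id": 5007,
     "message": _excl_msg("C:\\Program Files\\Vendor")},
]

if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

WS02 is deliberately the near miss: the exclusion arrives after the service, which is what a legitimate vendor install usually looks like, so ordering is part of the rule rather than an afterthought.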
Recent findings from SentinelOne describe a new data-wiping malware, AcidPour, that may have been used in attacks on four telecom providers in Ukraine.
Malware Origins: AcidPour is a variant of AcidRain, the wiper attributed to Russian military intelligence and deployed against Ukrainian infrastructure in the opening days of the 2022 invasion.
Enhanced Capabilities: AcidPour expands on AcidRain's wiping logic so that it can also destroy data on embedded devices, networking equipment, IoT devices, large storage systems and potentially industrial control systems (ICS) running x86 Linux.
💻 Targeted Systems: Where AcidRain was compiled for MIPS, AcidPour is built for Linux on x86, with a focus on embedded devices, Storage Area Networks (SANs), Network Attached Storage (NAS) appliances and dedicated RAID arrays.
⚠️ Persistent Threat: AcidPour's coding style and functionality point to the same crew, UAC-0165, which is linked to Sandworm and known for attacks on Ukrainian critical infrastructure.
Ongoing Impact: The discovery of AcidPour, alongside activity by the Solntsepyok persona suspected of fronting for Russian APT groups, underscores the persistent threat to Ukraine's telecommunications infrastructure.
🔧 Mitigation Measures: While the full extent of AcidPour's use is unclear, organisations running Linux-based network and storage appliances should keep offline backups, restrict management access to those devices and stay alert to emerging threats.
As threat actors refine their tactics, cybersecurity remains a critical concern, emphasising the need for proactive defence measures and international cooperation to safeguard against destructive cyber attacks. 🛡️
That's all for this week, you beautiful people. Live long and prosper. See you Monday
🗞️ Extra, Extra! Read all about it! 🗞️
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders.
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾
So long and thanks for reading all the phish!