New Threat Alert: AndroxGh0st

Mar 22 2024


Welcome to Gone Phishing, your daily cybersecurity newsletter that saw “£40 FREE CASH” trending on X in the UK and thought damn, that’s ripe for exploitation 👀😬💀 #stupidisasstupiddoes 🙈🙈🙈

It’s Friday, folks, which can only mean one thing… It’s time for our weekly segment!

It goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it.

Congrats, the cybercriminals are no match… for your patch! 🩹🩹🩹

Check out this freshly hatched patch 🐣

Atlassian bamboozles hackers with Bamboo bug patch

🚨 Atlassian Releases Patches for Critical Security Vulnerabilities 🔒

Atlassian has addressed over two dozen security flaws, including a critical bug impacting Bamboo Data Center and Server, identified as CVE-2024-1597, with a CVSS score of 10.0.

🛠️ SQL Injection Vulnerability: The flaw is an SQL injection bug in the org.postgresql:postgresql dependency (the PostgreSQL JDBC driver) that Bamboo ships. Atlassian rates it as exploitable by an unauthenticated attacker with no user interaction, with high impact to confidentiality, integrity and availability.

🔍 Vulnerability Details: Versions of the PostgreSQL JDBC Driver prior to 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are impacted.

🔧 Mitigation Steps: Atlassian notes that Bamboo and its other Data Center products are not actually exploitable, because they do not use the driver’s PreferQueryMode=SIMPLE connection mode, the only mode in which the injection works. It has shipped the patched dependency anyway and urges users to update to the latest versions. If you run your own Java services against PostgreSQL, grep your JDBC URLs and datasource configs for preferQueryMode=simple and upgrade the driver regardless.

🔍 Credit to Researcher: The flaw’s discovery is credited to SonarSource security researcher Paul Gerste, underscoring the importance of prompt updates to safeguard against cybersecurity risks.
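As an added illustration of the bug class behind this advisory (this editor’s simplified model, not pgjdbc’s code and not something the newsletter itself spells out): in simple query mode a driver cannot use server-side parameter binding, so it has to inline each value as text. If the application negates a numeric parameter inline, a value of -1 turns `-?` into `--1`, and `--` opens an SQL line comment that swallows everything up to the next newline, including the opening quote of a later string parameter. The query shape, the sample tables and the use of sqlite3 (chosen only so the script runs offline) are all assumptions; the hardened path wraps negative numbers in parentheses, which is the approach this editor recalls the driver project taking, so treat that as recollection rather than a claim the page makes.

```python
import sqlite3

# Constructed sample schema: an items table the app queries and a users table
# the attacker wants to read. sqlite3 stands in for PostgreSQL because it runs
# offline; both treat "--" as a comment that runs to the end of the line.
SCHEMA = """
CREATE TABLE items(name TEXT, price INTEGER, category TEXT);
INSERT INTO items VALUES ('mug', 5, 'kitchen'), ('lamp', 30, 'home');
CREATE TABLE users(secret TEXT);
INSERT INTO users VALUES ('admin:hunter2');
"""


def literal(value, paren_negatives):
    """Render one parameter as an SQL literal. In simple query mode the driver
    cannot bind server-side, so this text substitution is the only protection
    the application gets."""
    if isinstance(value, str):
        return "'" + value.replace("'", "''") + "'"
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise TypeError(f"unsupported parameter type: {type(value).__name__}")
    text = repr(value)
    # Hardened path: a bare "-1" placed after a literal "-" in the query would
    # read as "--1", i.e. a line comment. Parentheses keep it a number.
    if paren_negatives and value < 0:
        return "(" + text + ")"
    return text


def interpolate(sql, params, paren_negatives):
    """Replace each ? placeholder with the rendered literal, left to right."""
    parts = sql.split("?")
    if len(parts) - 1 != len(params):
        raise ValueError("placeholder count does not match parameter count")
    out = [parts[0]]
    for value, tail in zip(params, parts[1:]):
        out.append(literal(value, paren_negatives))
        out.append(tail)
    return "".join(out)


def run(sql, params, paren_negatives):
    """Interpolate and execute against a fresh in-memory database.
    Returns (rendered_sql, first column of every row)."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(SCHEMA)
        rendered = interpolate(sql, params, paren_negatives)
        rows = [row[0] for row in conn.execute(rendered)]
    finally:
        conn.close()
    return rendered, rows


# Assumed vulnerable query shape: a numeric parameter negated inline,
# followed by a string parameter the attacker controls.
QUERY = "SELECT name FROM items WHERE price > -? AND category = ?"

# Attacker-supplied values (constructed). The -1 becomes "--1"; the comment it
# opens eats "1 AND category = '" up to the newline inside the second value,
# so the rest of that string runs as SQL and its trailing "--" hides the
# closing quote the driver appends.
PAYLOAD = (-1, "\n0 UNION SELECT secret FROM users --")

if __name__ == "__main__":
    for hardened in (False, True):
        rendered, rows = run(QUERY, PAYLOAD, paren_negatives=hardened)
        print("hardened" if hardened else "vulnerable", repr(rendered), rows)
```

With `paren_negatives=False` the rendered statement returns every item plus the contents of `users`; with it set to `True` the same payload returns nothing, because the comparison is now `price > (-1)` and the whole string is matched against `category` as data. The real lesson for the Bamboo case is the one Atlassian gave: the bug is only reachable in simple query mode, so the connection property is the thing to check before the driver version.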

Stay secure by staying updated! 🛡️🔐

Now, on to today’s hottest cybersecurity stories:

  • 👻 Beware of the AndroxGh0st that lurks in Laravel apps 🕯️

  • 🐻 Russian TinyTurla-NG is back targeting European NGOs 🌍

  • ☠️ Russia’s insatiable, targeting Ukrainian telecoms w/ ‘AcidPour’ 🧪

Call The Police, there’s a Gh0st in the Machine 🎶👮🎸

🚨 New Threat Alert: AndroxGh0st Targeting Laravel Applications 🛡️

Cybersecurity researchers have uncovered a concerning tool known as AndroxGh0st, specifically crafted to target Laravel applications and pilfer sensitive data.

🔍 How It Works: AndroxGh0st scans for exposed Laravel .env files and extracts the secrets they hold, including login credentials for AWS and Twilio.

🚨 Severity Level: Classified as an SMTP cracker, the malware abuses the SMTP and API credentials it harvests, scans for further vulnerable hosts, and deploys web shells for follow-on access.

📅 Activity Timeline: Since at least 2022, threat actors have been leveraging AndroxGh0st to access Laravel environment files and steal credentials for cloud-based applications like Amazon Web Services (AWS), SendGrid, and Twilio.

🔒 Vulnerability Exploitation: Attack chains involving this Python malware exploit known security flaws in Apache HTTP Server, the Laravel Framework, and PHPUnit for initial access, privilege escalation, and persistence.

⚠️ Recent Warnings: A January 2024 joint advisory from CISA and the FBI highlights the escalating threat posed by AndroxGh0st, with attackers using it to build botnets that identify and exploit further victims.

🛠️ Mitigation Measures: The malware exploits CVE-2021-41773 (path traversal in Apache HTTP Server 2.4.49), CVE-2017-9841 (remote code execution via PHPUnit’s eval-stdin.php) and CVE-2018-15133 (Laravel remote code execution through deserialisation, which needs the APP_KEY that a leaked .env hands over), so users are urged to update their instances promptly. Also confirm that .env sits outside the web root or is otherwise never served, and rotate any AWS, Twilio or SendGrid credentials that ever lived in an exposed one.
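As an added example (this editor’s code, not AndroxGh0st’s and not anything published with the advisory), the following scans combined-format web access logs for the request paths that correspond to the three CVEs above plus the .env read that precedes them. CVE-2018-15133 is absent because its payload travels in a request header that access logs do not record, which is one more reason the .env hit is the alert to act on first. The log lines are constructed samples, and the indicator names and the `/cgi-bin/` plus `..` heuristic for CVE-2021-41773 are simplifications chosen here, so tune them to what your own servers expose.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format (not real
# traffic). 203.0.113.5 runs the read-.env-then-exploit sequence, 198.51.100.7
# tries the Apache traversal, 192.0.2.9 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Mar/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Mar/2024:10:01:03 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Mar/2024:10:02:10 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 0 "-" "curl/7.68"
192.0.2.9 - - [20/Mar/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Mar/2024:10:03:01 +0000] "GET /static/app.css HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Indicator labels are this example's own naming, not an official taxonomy.
ENV_READ = "env-file-read"
PHPUNIT_RCE = "CVE-2017-9841 phpunit eval-stdin"
APACHE_TRAVERSAL = "CVE-2021-41773 cgi-bin traversal"


def parse_line(line):
    """Parse one combined-log line into a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalise(path):
    """Drop the query string and percent-decode twice so that /.%2e/ and
    double-encoded variants collapse to a literal '..' before matching."""
    path = path.split("?", 1)[0]
    return unquote(unquote(path))


def classify(path):
    """Return the indicator names that match one request path (may be empty)."""
    p = normalise(path)
    hits = []
    if p.rstrip("/").endswith("/.env"):
        hits.append(ENV_READ)
    if "/phpunit/" in p and p.endswith("/eval-stdin.php"):
        hits.append(PHPUNIT_RCE)
    if "/cgi-bin/" in p and "/../" in p:
        hits.append(APACHE_TRAVERSAL)
    return hits


def scan(log_text):
    """Return (ip, method, path, indicator) for every flagged request, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for indicator in classify(rec["path"]):
            findings.append((rec["ip"], rec["method"], rec["path"], indicator))
    return findings


def distinct_indicators_by_ip(log_text):
    """Map source IP to the number of distinct indicators it triggered. A host
    that reads .env and then posts to eval-stdin.php is the scan-then-exploit
    chain the advisories describe, and deserves a higher-priority alert."""
    seen = {}
    for ip, _method, _path, indicator in scan(log_text):
        seen.setdefault(ip, set()).add(indicator)
    return {ip: len(inds) for ip, inds in seen.items()}


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(distinct_indicators_by_ip(SAMPLE_LOG))
```

A 200 status on the `/.env` line is the detail to look at first: a 404 means the scanner moved on, a 200 means your APP_KEY and cloud credentials are already in someone else’s hands and the rotation step above is no longer optional.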

Stay vigilant and keep software updated to safeguard against evolving threats in the cybersecurity landscape. 🌍🔒

Russian hackers prove size doesn’t matter with TinyTurla-NG 💀

🚨 Turla Strikes European NGO with TinyTurla-NG Backdoor 🚪

Reports from Cisco Talos reveal that the Russia-linked threat actor Turla has targeted an undisclosed European non-governmental organisation (NGO), infecting multiple systems with the notorious backdoor TinyTurla-NG.

🛡️ Initial Compromise: According to the report, Turla compromised the first system, established persistence and added exclusions to antivirus products to evade detection.

📡 Communication Channels: Turla then expanded its foothold by opening additional communication channels with Chisel, an open-source tunnelling tool, facilitating data exfiltration and enabling access to other systems in the network.

📅 Timeline of Breach: Evidence suggests that the systems were breached as early as October 2023, with Chisel deployment occurring in December 2023, followed by data exfiltration around January 12, 2024.

🌍 Targeted Campaign: The deployment of TinyTurla-NG was first observed in connection with a cyber attack targeting a Polish NGO supporting democracy and Ukraine during the Russian invasion.

🔒 Sophisticated Tactics: The attack chain involves Turla using its initial access to configure antivirus exclusions, drop TinyTurla-NG, and create persistent malicious services to maintain access.

🛠️ Ongoing Investigation: While TinyTurla-NG acts as a backdoor for reconnaissance and file exfiltration, the exact intrusion pathway is still under scrutiny by Talos researchers.

This incident underscores the importance of robust cybersecurity measures and constant vigilance against advanced threat actors targeting organisations worldwide. 🌍🛡️

🎣 Catch of the Day!! 🌊🐟🦞

Learn AI in 5 minutes a day. We'll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.

Ukrainians be like: Pour old me 😬😬😬 Feels like an Acid flashback 😵‍💫💀

🚨 New Threat Alert: AcidPour Targets Telecom Providers in Ukraine 📡

Recent findings from SentinelOne have unveiled a concerning development in cyber warfare, with the emergence of the data wiping malware AcidPour, potentially deployed in attacks against four telecom providers in Ukraine.

🔍 Malware Origins: AcidPour is identified as a variant of AcidRain, a wiper associated with Russian military intelligence, particularly targeting Ukrainian infrastructure during times of conflict.

🔒 Enhanced Capabilities: Security researchers have noted AcidPour’s expanded capabilities, enabling it to disable embedded devices, networking systems, IoT devices, large storage systems, and potentially industrial control systems (ICS) running Linux x86 distributions.

💻 Targeted Systems: Unlike its predecessor AcidRain, which was built for MIPS, AcidPour is compiled for Linux on x86, with a focus on embedded devices, Storage Area Networks (SANs), Network Attached Storage (NAS) appliances, and dedicated RAID arrays.

⚠️ Persistent Threat: AcidPour’s coding style and functionality suggest a continued threat from the UAC-0165 hacking crew, linked to Sandworm and known for targeting Ukrainian critical infrastructure.

🌍 Ongoing Impact: The discovery of AcidPour underscores the evolving tactics of threat actors, such as Solntsepyok, with suspected ties to Russian APT groups, highlighting the persistent threat to Ukraine’s telecommunications infrastructure.

🔧 Mitigation Measures: While the full extent of AcidPour’s usage remains unclear, organisations are urged to bolster their cybersecurity defences and remain vigilant against emerging threats.

As threat actors refine their tactics, cybersecurity remains a critical concern, emphasising the need for proactive defence measures and international cooperation to safeguard against destructive cyber attacks. 🛡️🌍

That’s all for this week, you beautiful people. Live long and prosper 🖖 See you Monday 😘😘😘

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵 Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈 Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
