Apr 19 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that’s not afraid of the big, bad cyber wolf
It’s Friday, folks, which can only mean one thing… It’s time for our weekly segment!
It goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it.
Congrats, the cybercriminals are no match… for your patch!
Palo Alto Networks Releases Urgent Fixes for Critical PAN-OS Vulnerability!
Palo Alto Networks has swiftly responded to a maximum-severity security flaw impacting PAN-OS software, tracked as CVE-2024-3400, with a CVSS score of 10.0. The vulnerability, a case of command injection in the GlobalProtect feature, enables attackers to execute arbitrary code with root privileges on the firewall.
Hotfixes are available for PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3, with more patches expected soon. While Cloud NGFW firewalls are unaffected, specific PAN-OS versions and feature configurations in the cloud are vulnerable. The threat actor, known as Operation MidnightEclipse, has been exploiting this flaw to deploy payloads and execute arbitrary commands since at least March 26, 2024.
Palo Alto Networks advises users to run a CLI command for potential compromise detection and emphasises the need for immediate patching. Technical details and exploit code have been disclosed by security researchers, highlighting the urgency of securing affected systems.
Now, on to today’s hottest cybersecurity news stories:
Exploitation of OpenMetadata Vulnerabilities Spotted
Watch out! New Backdoor Threat Emerges on Google Ads
International police smash “LabHost” phishing, 37 arrested
Threat actors are actively exploiting critical vulnerabilities in OpenMetadata, aiming to gain unauthorised access to Kubernetes workloads and utilise them for cryptocurrency mining operations, as per the Microsoft Threat Intelligence team.
OpenMetadata, an open-source metadata management platform, has become a target due to flaws discovered by security researcher Alvaro Muñoz, including Spring Expression Language (SpEL) injection vulnerabilities and an authentication bypass vulnerability.
Successful exploitation could lead to authentication bypass and remote code execution, providing attackers with full control over the compromised systems.
Microsoft's investigation revealed a pattern where attackers target internet-exposed OpenMetadata workloads, leveraging unpatched vulnerabilities to execute code on containers running the OpenMetadata image.
Following initial access, threat actors conduct reconnaissance to gauge their level of access, gathering information about the environment and network configuration.
Reconnaissance often involves contacting publicly available services, such as domains associated with Interactsh, to validate network connectivity without raising suspicions.
Ultimately, attackers aim to deploy crypto-mining malware onto compromised systems, establishing persistence through cron jobs and leaving behind personal notes justifying their actions.
OpenMetadata users are urged to implement strong authentication methods, avoid default credentials, and ensure their images are up-to-date to mitigate these threats effectively.
This incident underscores the importance of maintaining fully patched workloads in containerized environments to prevent exploitation by malicious actors.
Additionally, publicly accessible Redis servers with disabled authentication or unpatched flaws are targeted for Metasploit Meterpreter payloads, while Docker directory search permissions vulnerabilities are also being exploited for privilege escalation purposes.
Staying informed and vigilant is essential in defending against evolving cyber threats.
A fresh malvertising campaign orchestrated by threat actors has been discovered, leveraging a series of domains resembling a legitimate IP scanner software to propagate a previously undisclosed backdoor dubbed MadMxShell, according to researchers at Zscaler ThreatLabz.
Using a typosquatting technique, the adversaries registered multiple look-alike domains and utilised Google Ads to drive traffic to these sites, enticing victims with promises of port scanning and IT management software.
The malvertising campaign, active between November 2023 and March 2024, marks the first instance of a sophisticated Windows backdoor being distributed via such means, raising concerns among cybersecurity experts.
Upon visiting the malicious sites and attempting to download the supposed software, victims unwittingly trigger the download of a ZIP archive containing a DLL file and an executable.
The executable, employing DLL side-loading, loads the DLL and initiates the infection process, injecting shellcode into the system. This process culminates in the deployment of the MadMxShell backdoor, which exhibits DNS MX query-based command-and-control communication to evade detection.
MadMxShell is equipped with various evasion techniques, including anti-dumping mechanisms, to thwart memory analysis and forensic investigations.
While the origins and motivations of the threat actors remain unclear, Zscaler researchers have identified their presence on underground forums, indicating a potential interest in perpetrating long-term malvertising campaigns.
Users are advised to remain vigilant, avoid downloading software from untrusted sources, and ensure their systems are equipped with up-to-date security solutions to mitigate the risks posed by such sophisticated threats.
This incident underscores the evolving tactics employed by cybercriminals to exploit legitimate platforms for malicious purposes, emphasising the need for robust cybersecurity measures and heightened awareness among users.
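As an added defensive example (not from the Zscaler report or this newsletter), the following heuristic scans constructed DNS resolver log lines for the MX-query beaconing pattern described above: one client issuing repeated MX queries for high-entropy subdomains of a single rare domain. The log format, domain names and thresholds are assumptions.

```python
"""Added example: flag hosts whose DNS MX queries look like backdoor C2 beaconing.
Assumed (constructed) resolver log format: <epoch> <client_ip> <qtype> <qname>."""
import math
from collections import Counter, defaultdict

# Constructed sample log: 10.0.0.7 sends a burst of MX queries for
# high-entropy subdomains of one rare domain; 10.0.0.5 looks normal.
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 MX example.com
1700000002 10.0.0.7 MX 4f9c2a1b.e7d3.c2-placeholder.test
1700000004 10.0.0.7 MX a81e0d77.e7d3.c2-placeholder.test
1700000006 10.0.0.7 MX 9b3c5f02.e7d3.c2-placeholder.test
1700000008 10.0.0.7 MX 0d7e4c19.e7d3.c2-placeholder.test
1700000010 10.0.0.7 MX 6c2a9e44.e7d3.c2-placeholder.test
1700000011 10.0.0.7 A www.example.com
"""

def shannon_entropy(text):
    """Bits per character; encoded C2 data scores higher than real hostnames."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def registered_domain(qname):
    """Naive: last two labels (assumption; production code should use a PSL)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_mx_beacons(log_text, min_queries=4, min_entropy=2.5):
    """Return [(client_ip, domain, count)] for clients that sent at least
    min_queries MX queries to one registered domain using high-entropy
    subdomain labels. Workstations rarely issue MX queries at all (mail
    clients talk to an MTA), so a burst from one host is notable by itself."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        _ts, client, qtype, qname = line.split()
        if qtype != "MX":
            continue
        domain = registered_domain(qname)
        labels = qname[: -len(domain)].rstrip(".")
        if labels and shannon_entropy(labels.replace(".", "")) >= min_entropy:
            counts[(client, domain)] += 1
    return sorted((c, d, n) for (c, d), n in counts.items() if n >= min_queries)

if __name__ == "__main__":
    for client, domain, n in find_mx_beacons(SAMPLE_LOG):
        print(f"suspicious MX beaconing: {client} -> {domain} ({n} queries)")
```

Tune the thresholds against a baseline of your own resolver logs; the plain MX lookup for example.com is ignored because it carries no encoded subdomain labels.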
Learn AI in 5 minutes a day. We'll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.
Authorities from 19 countries have joined forces in a coordinated crackdown on LabHost, a notorious Phishing-as-a-Service (PhaaS) provider used by cybercriminals worldwide to pilfer personal credentials from unsuspecting victims.
LabHost, described as one of the largest PhaaS platforms, targeted banks, prominent organisations, and service providers primarily in Canada, the U.S., and the U.K., offering sophisticated phishing pages to facilitate credential theft.
The operation, dubbed PhishOFF and Nebulae, led to the arrest of 37 individuals, including key figures behind LabHost, as well as users across the globe. Notably, arrests were made in Melbourne and Adelaide, Australia, alongside apprehensions in the U.K.
Europol, spearheading the initiative, disclosed that LabHost's infrastructure, along with its network of phishing sites, has been seized, dealing a significant blow to the cybercrime ecosystem.
LabHost, which surfaced in late 2021, boasted a vast array of phishing templates targeting popular brands globally, offering cybercriminals the tools needed to orchestrate large-scale credential theft campaigns.
Trend Micro and Group-IB shed light on the extensive reach of LabHost, emphasising its pernicious capabilities, including real-time campaign management and the pilfering of two-factor authentication codes.
The takedown underscores the global law enforcement community's commitment to combating cybercrime and highlights the effectiveness of collaborative efforts in disrupting sophisticated criminal operations.
Authorities estimate LabHost received over £1 million ($1,173,000) in criminal payments, underscoring the lucrative nature of cybercrime facilitated by PhaaS platforms.
The crackdown on LabHost serves as a stark reminder of the evolving threat landscape and the need for continued vigilance and cooperation to safeguard against cyber threats.
Extra, Extra! Read all about it!
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday
Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for
Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future
Let us know what you think.
So long and thanks for reading all the phish!