Dec 20 2024
Welcome to Gone Phishing, your weekly cybersecurity newsletter that feels Fury towards cybercrime. Doesn’t it just make Usyk? 🤣 #FuryvsUsyk2 🥊🥊🥊
Patch of the Week! 🩹
First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the Week. Okay, that’s it… 😳
Congrats to Apache, the cybercriminals are no match… for your patch! 🩹
Check out this freshly hatched patch 🐣
🚨 Critical Apache Struts Vulnerability Under Attack! 🚁
A newly disclosed security flaw in Apache Struts (CVE-2024-53677, CVSS 9.5) is being actively exploited by threat actors to enable Remote Code Execution (RCE).
🔍 What’s the Risk?
● Attackers abuse file upload parameters to perform path traversal, letting them place a malicious file outside the intended upload directory.
● This can lead to executing arbitrary commands, stealing sensitive data, or deploying additional malware.
🎯 Impacted Versions:
Struts 2.0.0 – Struts 2.3.37 (End-of-Life)
Struts 2.5.0 – Struts 2.5.33
Struts 6.0.0 – Struts 6.3.0.2
✅ Patched in:
Struts 6.4.0 or newer
🛡️ Mitigation Steps:
1. Update Apache Struts to version 6.4.0+ immediately.
2. Reconfigure your applications to use the new Action File Upload mechanism and related interceptor for added security.
💡 Why It Matters:
Apache Struts powers mission-critical business workflows, public-facing portals, and internal productivity apps. A flaw like this could lead to severe business disruption and data breaches if left unpatched.
⚡ Current Threat Activity:
Exploitation attempts matching a public proof-of-concept (PoC) are underway.
Attackers are scanning for vulnerable systems and deploying malicious scripts.
🌐 Protect Your Systems Now!
Patch immediately to stay ahead of this rapidly evolving threat. Stay secure! 🔒✨
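Two defender-side checks prompted by this item, as an added example that is not from the newsletter or the Apache Struts project: a triage helper that flags whether a Struts version string falls inside the affected ranges listed above, and an upload-filename guard showing the class of check that stops a traversal through a file upload parameter. The function names and the `uploads` directory are assumptions for illustration, not Struts APIs.

```python
# Added example (not from the newsletter or Apache Struts): version triage against the
# ranges quoted above, plus an upload-filename guard for the traversal class described.
from pathlib import Path

# Inclusive (first, last) affected ranges as listed in the item above.
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 3, 37)),
    ((2, 5, 0), (2, 5, 33)),
    ((6, 0, 0), (6, 3, 0, 2)),
]


def parse_version(text: str) -> tuple:
    """'6.3.0.2' -> (6, 3, 0, 2); a qualifier such as '-SNAPSHOT' is ignored."""
    return tuple(int(p) for p in text.strip().split("-")[0].split("."))


def struts_version_affected(text: str) -> bool:
    """True when the version lies inside one of the published affected ranges.

    Python compares tuples element by element, so (6, 3, 0) < (6, 3, 0, 2) and
    (6, 4, 0) > (6, 3, 0, 2), which handles the mixed-length versions correctly.
    """
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def is_safe_upload_name(client_filename: str) -> bool:
    """Accept only a single plain path component: no separators, no '..', no NUL."""
    n = client_filename
    return bool(n) and n not in {".", ".."} and not any(c in n for c in "/\\\x00")


def safe_upload_path(upload_dir: str, client_filename: str) -> Path:
    """Map a client-supplied filename onto a path strictly inside upload_dir.

    The name is validated first; resolving the result and re-checking its parent
    is a second line of defence against anything the name check missed.
    """
    if not is_safe_upload_name(client_filename):
        raise ValueError("rejected upload filename: %r" % client_filename)
    base = Path(upload_dir).resolve()
    target = (base / client_filename).resolve()
    if target.parent != base:
        raise ValueError("upload would land outside %s" % base)
    return target
```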
Now, on to this week’s hottest cybersecurity news stories:
📱 Army+ MoD app spoofed by hackers to deceive military personnel 👨🏻✈️
👮 Interpol calls time on victim-blaming ‘pig-butchering’ term. Woke! 😉
💸 No Meta what they fine us. No Meta what we do… Meta fined €251M 😳
The Computer Emergency Response Team of Ukraine (CERT-UA) has uncovered a new campaign by UAC-0125, a threat actor exploiting the Cloudflare Workers service to distribute malware disguised as the legitimate Army+ app, used by the Ministry of Defence to digitize operations.
🛡️ How the Attack Works
1. Fake Websites: Cloudflare Workers-hosted sites trick users into downloading a malicious Windows installer for Army+.
2. Malicious Payload: The installer, created with NSIS (Nullsoft Scriptable Install System), runs a decoy file while executing a PowerShell script to:
Install OpenSSH.
Generate RSA cryptographic keys.
Upload the private key to an attacker-controlled server via TOR.
3. Goal: The attackers aim to achieve remote access to compromised systems.
🎯 Threat Actor Ties
CERT-UA linked UAC-0125 to UAC-0002, also known as APT44, Sandworm, or Voodoo Bear — a group associated with Russia’s GRU Unit 74455, known for cyber-espionage and sabotage campaigns.
📈 Broader Context of Cloudflare Abuse
Phishing Surge: Reports by Fortra show a dramatic rise in abuse of Cloudflare services for phishing:
Cloudflare Pages: A 198% increase in attacks from 2023 to mid-2024.
Cloudflare Workers: A 104% rise over the same period.
Target: Hosting fake Microsoft 365 login and verification pages to steal credentials.
🌍 European Sanctions Against Russian Cyber Operations
The European Council has imposed sanctions targeting individuals and entities involved in Russia’s destabilizing activities:
GRU Unit 29155: Linked to assassinations, bombings, and cyberattacks in Europe.
Doppelganger Network: Disseminates pro-Russian disinformation to erode Western support for Ukraine.
High-ranking individuals, such as Sofia Zakharova and Nikolai Tupikin, face asset freezes and travel bans for their roles in malign influence campaigns.
🔍 What This Means
The campaign underscores how threat actors exploit legitimate platforms to mask malicious activities. It also highlights the increasing weaponization of disinformation and cyber tools in geopolitical conflicts.
💡 Stay Protected: Ensure all apps are downloaded from official sources, and monitor for unusual activity on devices! 🌐
AI Tool Report is one of the fastest-growing and most respected newsletters in the world, with over 550,000 readers from companies like OpenAI, Nvidia, Meta, Microsoft, and more.
Our research team spends hundreds of hours a week summarizing the latest news, and finding you the best opportunities to save time and earn more using AI.
INTERPOL is advocating for the term "romance baiting" to replace "pig butchering" in describing scams where victims are manipulated into fake cryptocurrency investments under the guise of romantic relationships.
💔 Why the Shift?
The term "pig butchering" shames and dehumanizes victims, discouraging them from seeking help.
"Romance baiting" highlights the scammers' tactics and shifts focus to their criminal actions.
📜 Background
The scam originated in China around 2016; the name comes from the Chinese term "杀猪盘" ("shā zhū pán"), meaning "pig butchering."
Scammers build trust over time, often via social media or dating apps, before stealing victims' funds through fake investments.
🌍 A Broader Problem
These schemes are linked to organized crime groups in Southeast Asia.
The harm isn’t limited to victims’ financial losses; many of the people running the scams are themselves trafficked and forced to work in these operations.
🛠️ Sophisticated Tactics
Fraudsters use convincing apps and websites built by tech teams to mimic real trading platforms.
Google has also taken action, suing app developers involved in these schemes.
🗣️ Words Matter
INTERPOL emphasizes the importance of respectful language, similar to evolving terms for domestic violence and child exploitation.
"Romance baiting" focuses on empathy for victims and accountability for scammers.
"It’s time to prioritize respect and hold fraudsters accountable," said Cyril Gout, Acting Executive Director of Police Services.
💡 Key Takeaway
Shifting language can reduce stigma, encourage reporting, and focus on stopping scammers. Always verify investments and be cautious of unsolicited online relationships! 💻❤️
Meta Platforms, the parent company of Facebook, has been fined €251 million ($263 million) by the Irish Data Protection Commission (DPC) for a 2018 breach that affected 29 million accounts globally, including 3 million in the EU and EEA.
🛡️ What Happened?
The breach, disclosed in September 2018, stemmed from a "View As" feature bug introduced in July 2017.
Attackers exploited the feature to obtain access tokens, gaining unauthorized entry to accounts and exposing personal data like names, emails, phone numbers, and posts.
📜 GDPR Violations
The DPC cited Meta for failing to:
Include necessary details in its breach notification.
Properly document and remedy the breach.
Protect data in system design.
Limit data processing to specific purposes.
💡 Key Takeaways
The DPC emphasized the importance of data protection in system design to prevent harm.
This marks Meta's second penalty from the DPC, following a €91M fine in September 2024 for another security lapse.
🌍 Broader Implications
Meta is also addressing privacy concerns globally, agreeing to an AU$50M settlement in Australia for misuse of personal data tied to the 2018 Cambridge Analytica scandal.
These cases underline the increasing accountability tech giants face for privacy violations under GDPR and other global frameworks.
🗞️ Extra, Extra! Read all about it! 🗞️
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾
Let us know what you think.
So long and thanks for reading all the phish!