Nov 01 2024
Welcome to Gone Phishing, your daily cybersecurity newsletter that wishes all of you a Happy Halloween!! And don’t forget to keep an eye on your Zombie Processes, Ghost Protocols, and Attack Vectors 🎃👻🍬🦇💀🧡
Patch of the Week! 🩹
First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳
Congrats to VMware, the cybercriminals are no match… for your patch! 🩹
Check out this freshly hatched patch 🐣
BEware! 👀
🚨 VMware vCenter Server RCE Flaw Repatched – Update Now! ⚠️
VMware has reissued patches for a critical vulnerability, CVE-2024-38812 (CVSS 9.8), in vCenter Server that could enable remote code execution. 📡
This heap-overflow bug in the DCE/RPC protocol allows attackers with network access to send specially crafted packets to take control of vCenter Server. Originally discovered by team TZL during the Matrix Cup competition, the flaw remained only partially patched from the September release. ⚠️🔧
The updated fixes are available in vCenter Server versions 8.0 U3d, 8.0 U2e, 7.0 U3t, and for VMware Cloud Foundation 5.x, 5.1.x, 4.x. 🛡️ Although there's no evidence of active exploitation, VMware urges users to update immediately to secure against potential threats. 🌐💥 With recent legislation in China mandating swift vulnerability disclosures, concerns rise over zero-day stockpiling—stay protected! 🚀🔒
Now, on to this week’s hottest cybersecurity news stories:
🐞 OS downgrade vulnerability targets Microsoft Windows kernel 🖥️
👨🏻💻 Four members of Russian ransomware collective REvil sentenced ⚖️
🧨 Infamous TeamTNT deploys new cloud attacks for crypto mining ⛏️
What’s Going On? 💻 A fresh hack has been uncovered that can bypass Microsoft’s Driver Signature Enforcement (DSE) on fully updated Windows systems. This new trick allows attackers to load unsigned kernel drivers, which could help them sneak in dangerous rootkits. These rootkits could hide malicious activity, disable security, and stay hidden on your system! 😨
How It Works 🔄
Researchers found that this method exploits a tool called “Windows Downdate,” which lets attackers downgrade parts of the Windows OS to older, unpatched versions. Essentially, they trick Windows Update into using vulnerable files, opening the door to exploit older security flaws.
Key Exploits Discovered 🚨
Two key vulnerabilities, CVE-2024-21302 and CVE-2024-38202, were previously addressed by Microsoft but can be exploited by this new method to reintroduce old vulnerabilities! Once attackers downgrade Windows to an older version, they can bypass the DSE, load unapproved drivers, and gain kernel-level control.
Why This is Dangerous ⚠️
Unlike past techniques like “Bring Your Own Vulnerable Driver” (BYOVD) attacks, this downgrade method directly targets core Windows components. This allows attackers to achieve a high level of control without being detected.
Can It Be Stopped? 🔒
Virtualization-Based Security (VBS) can help stop these attacks, but only if it’s fully enabled with UEFI lock and a “Mandatory” setting. In default settings, VBS might be disabled, letting attackers tamper with registry keys to turn it off and proceed with the exploit. Microsoft recommends careful setup of VBS to prevent this.
Final Thoughts 💡
To stay safe, Microsoft urges users to fully enable VBS and set the UEFI lock. And security tools should be designed to detect and stop downgrades like this before they cause harm.
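As an added example (not code from the newsletter or from Microsoft), here is a small Python audit of the VBS state behind the "UEFI lock" and "Mandatory" advice above; the value names under the DeviceGuard key are assumed from Microsoft's documentation and should be verified against current guidance, and the sample states are constructed.

```python
"""Audit the VBS state behind the 'UEFI lock' and 'Mandatory' advice above.

Constructed example. Value names under the DeviceGuard key are assumed from
Microsoft's documentation (verify against current guidance); evaluate_vbs()
is pure Python so it runs anywhere, read_vbs_values() needs Windows.
"""
from typing import Dict, List

DEVICEGUARD_KEY = r"SYSTEM\CurrentControlSet\Control\DeviceGuard"
VALUE_NAMES = (
    "EnableVirtualizationBasedSecurity",  # 1 = VBS on
    "RequirePlatformSecurityFeatures",    # 1 = Secure Boot, 3 = Secure Boot + DMA
    "Locked",                             # 1 = UEFI lock: registry edits alone can't disable VBS
    "Mandatory",                          # 1 = boot fails rather than run with VBS off
)


def evaluate_vbs(values: Dict[str, int]) -> List[str]:
    """Return findings; an empty list means VBS is on, UEFI-locked and Mandatory."""
    findings = []
    if values.get("EnableVirtualizationBasedSecurity", 0) != 1:
        return ["VBS disabled: the downgrade described above runs unhindered"]
    if values.get("RequirePlatformSecurityFeatures", 0) not in (1, 3):
        findings.append("Secure Boot not required for VBS")
    if values.get("Locked", 0) != 1:
        findings.append("No UEFI lock: an admin can flip VBS off via the registry before a reboot")
    if values.get("Mandatory", 0) != 1:
        findings.append("Mandatory not set: Windows boots even if VBS fails to start")
    return findings


def read_vbs_values() -> Dict[str, int]:
    """Read the live values on Windows (winreg is Windows-only)."""
    import winreg
    out: Dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, DEVICEGUARD_KEY) as key:
        for name in VALUE_NAMES:
            try:
                out[name] = int(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                pass  # an absent value counts as 0 in evaluate_vbs
    return out


# Constructed states, not read from a real machine: VBS merely enabled vs. hardened.
DEFAULT_STATE = {"EnableVirtualizationBasedSecurity": 1}
HARDENED_STATE = {"EnableVirtualizationBasedSecurity": 1, "RequirePlatformSecurityFeatures": 1,
                  "Locked": 1, "Mandatory": 1}

if __name__ == "__main__":
    try:
        state = read_vbs_values()
    except ImportError:
        state = DEFAULT_STATE  # not on Windows: show the constructed default
    print("\n".join(evaluate_vbs(state) or ["VBS enabled, UEFI-locked and Mandatory"]))
```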
What Happened? 🎩 Four members of the notorious REvil ransomware gang, known for massive cyberattacks worldwide, have been sentenced in Russia, marking a rare move against cybercriminals within the country. A court in St. Petersburg handed down prison terms for hacking and money laundering, showing that even in Russia, cybercrime doesn’t always go unpunished! 👩⚖️
Who Are They? 🕵️♂️
The convicted hackers include Artem Zaets, Alexei Malozemov, Daniil Puzyrevsky, and Ruslan Khansvyarov. Sentences range from 4.5 to 6 years, with the longest terms going to Puzyrevsky and Khansvyarov, who were also found guilty of using and distributing malware. These four are part of a larger group of 14 people initially detained in 2022, with several more facing ongoing charges.
REvil’s Rise and Fall 📉
Once among the most feared ransomware gangs, REvil (aka Sodinokibi) was responsible for high-profile attacks worldwide. However, Russian authorities eventually took down the group in a rare international crackdown, announcing the arrests of several members.
Global Impact 🌍
REvil’s reach extended beyond Russia. Earlier this year, Yaroslav Vasinskyi, a Ukrainian linked to REvil, was sentenced to 13 years in the U.S. after conducting over 2,500 ransomware attacks and demanding $700 million in ransoms.
The Bigger Picture 🖼️
This sentencing comes as Russia recently opened investigations into other entities like Cryptex and UAPS, which allegedly provided money-laundering services to cybercriminals. With global pressure mounting, Russia’s actions suggest an emerging stance on tackling cybercrime within its borders.
Could this signify a turning point in global cybersecurity? Only time will tell, but for now, cybercriminals should beware!
TeamTNT’s New Playbook 📒 The notorious cryptojacking group TeamTNT is back, preparing for a large-scale campaign targeting cloud environments for cryptocurrency mining and renting out compromised servers! They’re ramping up attacks on exposed Docker environments using Sliver malware, a powerful cyber worm, and cryptominers.
How It Works 🔍
According to Assaf Morag from Aqua, TeamTNT’s approach starts by scanning for open Docker API endpoints on nearly 16.7 million IP addresses. They then deploy a container with malware using Docker Hub accounts under their control. Once inside, they use a shell script called “Docker Gatling Gun” (TDGGinit.sh) to begin malicious activities. The infected servers join a Docker Swarm, pooling computational resources for mining cryptocurrencies and even renting out power to third parties.
Adapting Tactics: From Tsunami to Sliver 🕹️
In a notable twist, TeamTNT has swapped their usual Tsunami backdoor for the Sliver C2 framework, enhancing their control over breached servers. They continue to use recognizable names like “Chimaera” and “bioset,” classic markers of TeamTNT campaigns, and have also introduced anondns, a tool that keeps their DNS activity anonymous.
Cloud Attacks for Crypto Mining 💸
These cloud-native attacks let TeamTNT infiltrate Docker and other cloud services, stealthily mining Monero cryptocurrency and renting compromised servers to others through platforms like Mining Rig Rentals. They exploit vulnerabilities with brute-force tactics, especially on Remote Desktop Protocol (RDP) and Server Message Block (SMB) services, spreading malware like Prometei to maintain control.
Summary ✍️
TeamTNT’s latest campaign highlights their adaptability and persistence in cloud attacks. Cloud security teams should be vigilant, as TeamTNT continues to evolve and diversify its monetization strategies.
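As an added example (not from the newsletter or from Aqua), a Python audit of a dockerd daemon.json for the exposure this campaign scans for: a TCP API endpoint reachable without TLS client authentication. The configurations are constructed; the option names are dockerd's documented daemon.json keys.

```python
"""Flag a Docker daemon that exposes its API the way the scan above looks for.

Constructed example: the daemon.json strings are made up; the option names
(hosts, tlsverify, tlscacert, ...) are dockerd's documented daemon.json keys.
"""
import json
from typing import List
from urllib.parse import urlparse

ANY_ADDR = {None, "", "0.0.0.0", "::"}  # bindings that listen on every interface


def audit_docker_hosts(daemon_json: str) -> List[str]:
    """Return one finding per TCP listener that is reachable without client-cert auth."""
    cfg = json.loads(daemon_json)
    client_auth = bool(cfg.get("tlsverify"))      # server demands a client certificate
    findings = []
    for entry in cfg.get("hosts", []):
        url = urlparse(entry)
        if url.scheme != "tcp":
            continue                              # unix:// and fd:// are host-local
        scope = "all interfaces" if url.hostname in ANY_ADDR else url.hostname
        if not client_auth:
            findings.append(f"Docker API on {scope} port {url.port} without TLS client auth: "
                            "anyone who can reach it can start containers as root")
        elif url.hostname in ANY_ADDR:
            findings.append(f"Docker API on all interfaces port {url.port}: "
                            "only the client-cert check stands between it and the internet")
    return findings


# Constructed configurations for comparison: the weak default-style exposure vs. a hardened one.
EXPOSED = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tls": True, "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, audit_docker_hosts(cfg) or ["no findings"])
```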
🗞️ Extra, Extra! Read all about it! 🗞️
Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!
🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅
💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓
📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾
Let us know what you think.
So long and thanks for reading all the phish!