SAN MATEO, CA, February 26, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- ConnectWise ScreenConnect easily exploited by cybercriminals
- Russian disinformation group believed to be behind major election influence campaigns
- Hackers are using Google Cloud Run to spread banking trojans
- US government offers $15 million reward for LockBit ransomware top brass
- Hacker breakout time drops to one hour as attackers look to speed up their operations
- Redis server protection features disabled by Migo cryptojacker
- More than 28K Microsoft Exchange servers vulnerable to bug under active exploitation
- LockBit ransomware operation taken down by international authorities via Operation Cronos
- Hackers are attempting to hijack Israeli aircraft communications
- ALPHV hacker group takes credit for Prudential Financial and LoanDepot breaches
- More cybersecurity news
ConnectWise ScreenConnect easily exploited by cybercriminals
A maximum-severity vulnerability affecting ConnectWise ScreenConnect is “trivial and embarrassingly easy” to exploit, according to security experts warning users about the danger. The software’s developer has stated that hackers are actively exploiting the bug, “described as an authentication bypass vulnerability that could allow an attacker to remotely steal confidential data from vulnerable servers or deploy malicious code.” ScreenConnect is widely used remote access software that IT providers rely on to offer remote tech support on customer systems. Users of the cloud-based version of the software have patched their instances, but those running on-premise versions remain at risk until they update their systems.
Russian disinformation group believed to be behind major election influence campaigns
SentinelLabs and ClearSky Cyber Security have discovered a major disinformation campaign believed to be orchestrated by Doppelgänger, a Russia-aligned influence operation network. While the operation initially focused on Ukraine, it now targets the US, Israel, France, and Germany. Germany has seen a significant uptick in activity, with increased content on socio-economic and geopolitical issues that focuses on criticizing the ruling government. Doppelgänger maintains an extensive network of social media accounts on X and leverages them for “coordinated activities to amplify their messages and increase visibility,” such as regularly reposting content from popular profiles and engaging with other Doppelgänger-run accounts to create the illusion of discourse. The operation also uses fraudulent websites and news articles.
Hackers are using Google Cloud Run to spread banking trojans
Cisco Talos reports that it observed a massive banking trojan campaign in which attackers abused Google Cloud Run to distribute the Astaroth, Mekotio, and Ousaban malware families. Google Cloud Run has become a go-to resource for hackers looking for an inexpensive way to bypass most security filters, as it allows users to “deploy frontend and backend services, websites or applications, handle workloads without the effort of managing an infrastructure or scaling.” The campaign begins with phishing emails designed to look like invoices, financial statements, or messages from the government, which direct victims to malicious web services hosted on Google Cloud Run, where they become infected with malware. The campaign currently appears to be focused on Spanish-speaking countries in Latin America.
US government offers $15 million reward for LockBit ransomware top brass
Authorities continue to pressure LockBit ransomware gang members, with the US State Department now offering a $15 million bounty for information that could lead to the identification and arrest of the group’s leaders. This comes on the heels of an operation that saw three people accused of involvement in the group and the takedown of its infrastructure. LockBit remains characteristically confident in its ability to weather the storm, at least publicly, telling VX Underground that the individuals arrested are innocent and that international authorities are incompetent and lack any information that could identify LockBit’s members. The group has even said it will fork over $20,000 to anyone who can dox its members, although collecting said funds seems logistically dubious. The statements, while bold, broadly indicate that the group is eager to maintain the appearance of integrity in the face of a significant blow to its credibility.
Hacker breakout time drops to one hour as attackers look to speed up their operations
“Breakout time,” a term used to describe how long a defender has to identify and contain a threat before attackers can dig in and start to inflict damage, has dropped by 35% to only 62 minutes over the last year. The data comes from CrowdStrike, which said the previous average was 84 minutes. “Once an initial compromise occurs, it only takes seconds for adversaries to drop tools and/or malware on a victim’s environment during an interactive intrusion,” reads CrowdStrike’s report. With more than 88% of attack time focused on intrusion and initial access, hackers continually seek to expedite their operations so they spend less time breaking in and more time targeting additional victims. The fastest recorded breakout time in 2023, according to CrowdStrike’s data, was only two minutes and seven seconds.
Redis server protection features disabled by Migo cryptojacker
Malware called Migo, discovered by cloud forensics provider Cado Security, targets Redis servers on Linux hosts to mine cryptocurrency. The newly discovered malware is notable because it turns off Redis security features to maintain persistence and continue cryptojacking undetected. After compromising an exposed server, Migo disables four major security options before downloading its payload. Cado researchers say Migo’s primary function is to “fetch, install, and launch a modified XMRig (Monero) miner on the compromised endpoint directly from GitHub’s CDN.” The malware’s attack chain illustrates that the threat actors behind it have a deep understanding of Redis servers and their functionality.
More than 28K Microsoft Exchange servers vulnerable to bug under active exploitation
Hackers are actively exploiting a critical-severity privilege escalation flaw in Microsoft Exchange servers. The company patched the flaw in a February 13 update, but 28,500 servers have still been identified as vulnerable to attack. The issue can allow an unauthorized actor to “perform NTLM relay attacks on Microsoft Exchange Servers and escalate their privileges on the system.” While 28,500 servers have been confirmed to be at risk, threat monitoring service Shadowserver has stated that as many as 97,000 could be “possibly vulnerable.” There is no publicly available proof-of-concept exploit for the flaw, which limits the number of attackers able to use it. However, all users are urged to update immediately given how serious the consequences are for victims.
LockBit ransomware operation taken down by international authorities via Operation Cronos
The LockBit ransomware outfit, called the “world’s most harmful cybercrime group,” has been shut down by international authorities, according to a statement from the UK National Crime Agency (NCA). The operation tasked with taking down the gang, called Operation Cronos, involved 10 countries. It saw the freezing of 200 cryptocurrency accounts, the takedown of 34 servers, the closing of 14,000 rogue online accounts, and the law enforcement takeover of the group’s technical infrastructure and leak site. Two arrests were made in Poland and Ukraine, and the Department of Justice has accused two Russian nationals, Artur Sungatov and Ivan Gennadievich Kondratiev, of deploying LockBit against several US victims.
Hackers are attempting to hijack Israeli aircraft communications
Two El Al flights traveling from Thailand to Israel’s Ben Gurion International Airport experienced incidents in which cyber attackers attempted to hijack their communications to make them deviate from their pre-programmed routes. The pilots ignored the suspicious changes in their instructions and double-checked their information with air traffic controllers, keeping the planes on track as planned. No group has taken responsibility for the incident. However, unconfirmed sources have suggested that it could have been carried out by a threat actor group based in Somaliland, an unrecognized state in the Horn of Africa. A statement from the airline says that “the disturbances are not aimed at El Al planes, and this is not a security incident,” but also praises the “professionalism of the pilots who used the alternative means of communication and allowed the flight to continue on the planned route.”
ALPHV hacker group takes credit for Prudential Financial and LoanDepot breaches
Fortune 500 company Prudential Financial and mortgage lender LoanDepot have experienced network breaches for which the ALPHV ransomware gang is taking credit. Both companies are now listed on the group’s dark web leak site, with ALPHV stating that negotiations with the organizations failed and that their data will be put up for sale. ALPHV continues to target high-profile victims despite the US State Department’s recently announced $10 million reward for tips that could lead to members’ locations or identities. LoanDepot is the largest nonbank retail mortgage lender in the US, with more than $140 billion in serviced loans, and Prudential is the second-largest life insurance company in the country.
More cybersecurity news
- Last week’s news
- More cybersecurity news
- All articles brought to you by NetworkTigers