January 29, 2024

Cybersecurity news January 29, 2024

SAN MATEO, CA, January 29, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

  1. Cisco issues update to patch remote takeover vulnerability
  2. Critical GitLab flaw puts thousands of servers at risk of attack
  3. Hewlett Packard Enterprise breached by Russian hackers for over six months
  4. New ransomware operation Kasseika disables antivirus software by installing vulnerable driver
  5. Parrot traffic redirection system puts millions at risk via thousands of compromised servers
  6. New macOS malware uses cracked apps to access user systems
  7. Securities and Exchange Commission X account was hacked due to SIM swapping
  8. Apple patches critical zero-day bug for users across all devices
  9. InMarket Media found to be selling precise customer location data without consent
  10. Atlassian Confluence servers are under attack
  11. More cybersecurity news

Cisco issues update to patch remote takeover vulnerability

A severe flaw impacting Cisco’s Unified Communications and Contact Center Solutions products has received a patch from the company. CVE-2024-20253 is an issue that results from “improper processing of user-provided data.” According to Cisco’s advisory, “a successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the privileges of the web services user” to “establish root access on the affected device.” Cisco is recommending that users “establish access control lists (ACLs) on intermediary devices that separate the Cisco Unified Communications or Cisco Contact Center Solutions cluster from users and the rest of the network to allow access only to the ports of deployed services” if updating their systems immediately is not possible. Read more.

Critical GitLab flaw puts thousands of servers at risk of attack

A GitLab vulnerability tracked as CVE-2023-7028 lets threat actors send password reset messages to email addresses of their choosing, opening the door to account takeover. The bug was introduced in GitLab 16.1.0, when a new feature included in that release gave users the option to have password reset messages sent to an email address other than their primary one. With a CVSS score of 10, GitLab users must patch their systems immediately to protect against exploitation. GitLab warns that more than 5,000 servers have yet to be updated and are considered at high risk. In a post on X, the company said, “Running GitLab? We are sharing instances vulnerable to CVE-2023-7028 (Account Takeover via Password Reset without user interactions) – 5379 instances found worldwide (on 2024-01-23). Top: US (964) & Germany (730).” Read more.

Hewlett Packard Enterprise breached by Russian hackers for over six months

Tech giant Hewlett Packard Enterprise (HPE) has fallen victim to a hack by Russian hacker group APT29, known as Midnight Blizzard, Cozy Bear, or Nobelium. The same group has been implicated in the recent hack of Microsoft’s corporate emails. It is also responsible for the 2020 hack of SolarWinds and the 2016 breach of the Democratic National Convention. The hackers are reported to have maintained persistence within HPE’s network for over six months. The company’s operations remain unaffected. However, the hackers have “accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.” Further details regarding the nature of the stolen data have not been disclosed. Read more.

New ransomware operation Kasseika disables antivirus software by installing vulnerable driver

Trend Micro has reported on its discovery of a new ransomware operation called Kasseika that uses Bring Your Own Vulnerable Driver (BYOVD) techniques to disable antivirus protection on a targeted system before encrypting the victim’s files. Trend Micro notes that Kasseika shares traits and code with BlackMatter, leading it to believe that former members of that group may have developed it. Kasseika is spread via phishing emails that harvest login credentials and abuses the Windows PsExec tool to launch malicious .bat files. It then scans for a process named Martini.exe, terminates it, and replaces it with the vulnerable ‘Martini.sys’ driver. By exploiting this driver, Kasseika gains the privileges it needs to shut down antivirus, security, analysis, and system utility tools. Read more.
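The behaviour chain described above (PsExec launching a .bat file, Martini.exe being terminated, the vulnerable Martini.sys driver being loaded) is what an endpoint detection would key on. The following is an added example written for this roundup, not code from NetworkTigers or from Trend Micro’s report: it runs a simple staged detection over constructed, Sysmon-style endpoint events. The event field names, the event IDs (1 process create, 5 process terminate, 6 driver load) and the file paths are assumptions modelled on Sysmon; the sample telemetry is constructed.

```python
"""Staged detection for the Kasseika BYOVD chain over Sysmon-style events.

Added example; event schema and paths are assumptions, sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class Event:
    host: str
    event_id: int          # assumption: 1 = ProcessCreate, 5 = ProcessTerminate, 6 = DriverLoad
    image: str             # process image path or driver path
    parent: str = ""       # parent process image (ProcessCreate only)
    cmdline: str = ""      # command line (ProcessCreate only)


# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    # ws-01: full chain - PsExec-launched .bat, Martini.exe killed, Martini.sys loaded
    Event("ws-01", 1, r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\PSEXESVC.exe", cmdline=r"cmd.exe /c C:\Users\Public\run.bat"),
    Event("ws-01", 5, r"C:\Program Files\VirIT\Martini.exe"),
    Event("ws-01", 6, r"C:\Windows\System32\drivers\Martini.sys"),
    # ws-02: unrelated activity
    Event("ws-02", 1, r"C:\Windows\System32\notepad.exe", parent=r"C:\Windows\explorer.exe"),
    # ws-03: driver load alone (could be a legitimate install of the product that ships it)
    Event("ws-03", 6, r"C:\Windows\System32\drivers\Martini.sys"),
    # ws-04: PsExec running a .bat with no driver activity (common admin pattern)
    Event("ws-04", 1, r"C:\Windows\System32\cmd.exe",
          parent=r"C:\Windows\PSEXESVC.exe", cmdline=r"cmd.exe /c deploy.bat"),
]


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> Optional[str]:
    """Map one event to a stage of the chain, or None if it is unrelated."""
    if ev.event_id == 1 and basename(ev.parent) == "psexesvc.exe" and ".bat" in ev.cmdline.lower():
        return "psexec_bat"
    if ev.event_id == 5 and basename(ev.image) == "martini.exe":
        return "martini_exe_killed"
    if ev.event_id == 6 and basename(ev.image) == "martini.sys":
        return "martini_sys_loaded"
    return None


def stages_by_host(events: Iterable[Event]) -> Dict[str, Set[str]]:
    """Collect the distinct chain stages observed on each host."""
    stages: Dict[str, Set[str]] = {}
    for ev in events:
        stage = classify(ev)
        if stage:
            stages.setdefault(ev.host, set()).add(stage)
    return stages


def alerts(events: Iterable[Event]) -> Dict[str, str]:
    """Severity per host that showed any stage.

    'high'   : the vulnerable driver was loaded and at least one other stage was seen
    'medium' : the driver load alone (may be benign where the product is installed)
    'low'    : only PsExec/.bat or only the process kill (needs context, not a page)
    """
    result: Dict[str, str] = {}
    for host, stages in stages_by_host(events).items():
        if "martini_sys_loaded" in stages and len(stages) > 1:
            result[host] = "high"
        elif "martini_sys_loaded" in stages:
            result[host] = "medium"
        else:
            result[host] = "low"
    return result


if __name__ == "__main__":
    for host, severity in sorted(alerts(SAMPLE_EVENTS).items()):
        print(f"{host}: {severity}")
```

The point of scoring stages rather than alerting on any single one is the BYOVD caveat: Martini.sys is a signed driver that can appear on hosts where its parent product is legitimately installed, and PsExec running batch files is everyday administration. Only the combination, on one host, is a strong signal; a driver load on its own is worth a ticket, not a page.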

Parrot traffic redirection system puts millions at risk via thousands of compromised servers

A traffic direction system (TDS) called Parrot has been active since 2021, but the hackers behind it have recently been observed changing their tactics to better evade detection. Parrot controls thousands of servers across the globe, using them to infect victims with various strains of malicious code. While this is not a remarkable tactic, Parrot is noteworthy due to its “wide scope and ability to threaten millions of potential victims,” according to researchers at Unit 42. Parrot threat actors use a technique that spreads the injection across multiple lines of JavaScript, making their malicious code harder to parse out from the benign. Unit 42 has published a list of indicators of compromise and mitigation suggestions on its website. Read more.

New macOS malware uses cracked apps to access user systems

Researchers at Kaspersky have observed a newly discovered macOS malware that uses cracked software versions to invade users’ systems and install a crypto stealer. Called Activator.app, the malware contains a “Python 3.9.6 installer and an extra Mach-O file named ‘tool’ within the Resources folder” hidden behind a “seemingly unsophisticated GUI with a PATCH button.” Kaspersky researchers note that the developers of this new malware “show unusual creativity by hiding a Python script in a DNS server’s record, increasing malware’s level of stealth in the network’s traffic.” Users are advised to avoid cracked or pirated software at all costs, as it is becoming an effective vector for various types of malware and hacks. Read more.

Securities and Exchange Commission X account was hacked due to SIM swapping

The US Securities and Exchange Commission (SEC) has reported that the hack of its X account, used to make a fake announcement regarding the approval of Bitcoin on securities exchanges, was carried out through a SIM swapping attack. In a press statement, the SEC said it “determined that the unauthorized party obtained control of the SEC cell phone number associated with the account.” In a SIM swapping attack, a threat actor fools the victim’s mobile carrier into porting the victim’s phone number. Once the hacker had control of the phone number, they gained control of the SEC’s X account, changed the password, and made the post. The SEC also stated that, due to issues logging into the account, multi-factor authentication was not enabled on it. Read more.

Apple patches critical zero-day bug for users across all devices

Apple has issued an update for iOS, iPadOS, macOS, tvOS, and Safari to patch a vulnerability that has been observed being exploited. The flaw is a “type confusion bug in the WebKit browser engine that could be exploited by a threat actor to achieve arbitrary code execution when processing maliciously crafted web content.” Apple’s statement regarding the bug states the company’s awareness “of a report that this issue may have been exploited,” but did not elaborate on the nature of the threats. Last year saw Apple, a company previously known for rarely being attacked, patch 20 actively exploited zero-days. This update marks Apple’s first zero-day patch of 2024. Read more.

InMarket Media found to be selling precise customer location data without consent

InMarket Media, the developer behind apps such as CheckPoint, ListEase, and over 300 other apps that use its software development kit, has run afoul of the Federal Trade Commission after selling precise user location data for advertising and marketing purposes without user permission. InMarket also “did little to ensure that third-party apps that embed the company’s SDK have obtained users’ express consent.” Additionally, InMarket’s five-year data retention policy put customer information at further risk, as the FTC described it as “unnecessary to carry out the purposes for which it was collected.” The FTC has banned InMarket from selling, licensing, transferring, or sharing any product or service that categorizes or targets consumers based on sensitive location data. Read more.

Atlassian Confluence servers are under attack

CVE-2023-22527, a remote code execution vulnerability affecting outdated versions of Atlassian Confluence servers, is under active attack. The bug is “a template injection weakness that allows unauthenticated, remote attackers to execute code on vulnerable Confluence Data Center and Confluence Server endpoints, versions 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, and 8.5.0 through 8.5.3.” 11,100 instances of Atlassian Confluence are reported to be accessible over the public internet, but no data regarding how many of them are unpatched was disclosed. Administrators are urged to update any unpatched Confluence versions and treat versions not updated previously as if they are compromised. Read more.
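For administrators working through an inventory, the first question is which Confluence builds fall inside the affected ranges quoted above. The following is an added example, not code from the article or from Atlassian: it parses version strings from a constructed inventory and flags the ranges the article lists for CVE-2023-22527 (8.0.x through 8.4.x, and 8.5.0 through 8.5.3). The “host,version” inventory format and the host names are assumptions; versions outside the quoted ranges are reported as not affected because that is all the text supports.

```python
"""Flag Confluence versions in the CVE-2023-22527 ranges quoted in the article.

Added example; inventory format and host names are assumptions, data is constructed.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Constructed inventory in an assumed "host,version" format.
INVENTORY = """\
confluence-a.example.internal,8.5.2
confluence-b.example.internal,8.5.4
confluence-c.example.internal,8.2.1
confluence-d.example.internal,8.6.0
confluence-e.example.internal,7.19.17
confluence-f.example.internal,unknown
"""

_VERSION_RE = re.compile(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse 'major[.minor[.patch]]', tolerating suffixes such as '8.5.3-rc1'."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())  # type: ignore[return-value]


def is_vulnerable(v: Version) -> bool:
    """True for 8.0.x-8.4.x and 8.5.0-8.5.3, the ranges the article quotes."""
    major, minor, patch = v
    if major != 8:
        return False
    if 0 <= minor <= 4:
        return True
    if minor == 5:
        return patch <= 3
    return False


def triage(inventory_text: str) -> Dict[str, str]:
    """Return host -> 'VULNERABLE' | 'ok' | 'unparseable' for each inventory line."""
    result: Dict[str, str] = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _, raw_version = line.partition(",")
        try:
            status = "VULNERABLE" if is_vulnerable(parse_version(raw_version)) else "ok"
        except ValueError:
            status = "unparseable"   # can't clear a host whose version is unknown
        result[host.strip()] = status
    return result


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:32} {status}")
```

An unparseable version is reported separately rather than folded into “ok”: a host whose version cannot be read has not been cleared. Given the article’s advice to treat instances that were left unpatched as compromised, any host flagged VULNERABLE that has been reachable from the internet belongs in an incident queue, not just a patch queue.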

More cybersecurity news

Derek Walborn
Derek Walborn is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
