SAN MATEO, CA, March 11, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- CISA warns about JetBrains TeamCity vulnerability under active exploitation
- January breach allowed Russian hackers to access Microsoft source code
- Apple issues emergency update to patch zero-day exploits
- PetSmart resets customer passwords following credential stuffing campaign
- Security professionals turn to cybercrime because of low salaries
- U.S. sanctions spyware firm targeting government officials and journalists
- Developers create new worm exploiting generative A.I. systems
- ALPHV shuts down servers
- U.S. critical infrastructure attacked by Phobos ransomware
- India-based content farm impersonates major news outlets
- More cybersecurity news
CISA warns about JetBrains TeamCity vulnerability under active exploitation
CISA has added a critical flaw impacting JetBrains TeamCity On-Premisis software to its Known Exploited Vulnerabilities catalog. The flaw, CVE-2024-27198, “refers to an authentication bypass bug that allows for a complete compromise of a susceptible server by a remote unauthenticated attacker.” JetBrains has issued a patch for the vulnerability as well as CVE-2024-27199, another flaw that is also being used to “deliver Jasmin ransomware as well as create hundreds of rogue user accounts, according to CrowdStrike and LeakIX.” Data shows that CVE-2024-27198 is being broadly exploited from over a dozen I.P. addresses, spiking after public disclosure of the bug. Users are urged to update their systems immediately, and federal agencies must do so by March 28. Read more.
January breach allowed Russian hackers to access Microsoft source code
A January breach of Microsoft’s corporate email servers by Russian hacker group Midnight Blizzard has allowed the threat actors to access source code repositories using information gleaned from the attack in recent weeks. According to a statement from Microsoft, “It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found. Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures.” Midnight Blizzard’s initial breach was successful because they engaged in a password spray attack that gave them access to a test tenant account without multi-factor authentication. Microsoft says they have “increased our security investments, cross-enterprise coordination and mobilization, and have enhanced our ability to defend ourselves and secure and harden our environment against this advanced persistent threat.” Read more.
Apple issues emergency update to patch zero-day exploits
Two critical zero-day vulnerabilities able to compromise Apple iPhone users at the kernel level have been patched in an emergency update issued by the company. The bugs, CVE-2024-23225 and CVE-2024-23296, are being actively exploited in the wild, bringing the iOS zero-day bug total up to three so far for 2024. Apple has not yet provided further details regarding how these flaws are used. While the focus on iOS attacks often centers around spyware and state-sponsored activity, flaws that allow an attacker to bypass kernel protections can be used by financially motivated hackers to inject malware into a targeted iPhone, steal credentials, or perform any number of other tasks that can put an individual’s privacy and data at severe risk. Read more.
PetSmart resets customer passwords following credential stuffing campaign
PetSmart, the largest U.S. retailer of pet products and supplies, has warned its customers that they are in the crosshairs of a credential-stuffing campaign targeting their website. Because the company could not determine whether accounts were under the control of legitimate users or not, any that were logged in at the time of the attacks had their passwords reset. “In an abundance of caution to protect you and your account, we have inactivated your password on petsmart.com,” reads a message from the company. “The next time you visit petsmart.com, simply click the ‘forgot password’ link to reset your password.” Credential stuffing attacks usually result in the attackers making fraudulent purchases, sending spam, or selling the credentials to other hackers. Read more.
Security professionals turn to cybercrime because of low salaries
An investigation from the Chartered Institute of Information Security (CIISec) indicates that cybersecurity professionals are increasingly willing to step into the criminal world, seemingly in response to stagnating salaries for qualified workers that “do not reflect the long hours and high-stress environments that many security professionals find themselves in.” The study revealed that three main types of professionals are advertising their skills on criminal platforms: experienced pros, developers, testers, and prompt engineers in search of a “second job” and supplemental income, newcomers to the cybersecurity field looking for work and experience, and workers from fields that are not necessarily affiliated with I.T. such as consulting, content creation, and even an instance of a voice actor offering their talent for phishing campaigns. Read more.
U.S. sanctions spyware firm targeting government officials and journalists
The U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned five entities and two individuals associated with the Intellexa Alliance. The Intellexa Alliance is made up of several companies responsible for developing and proliferating commercial spyware often used by authoritarian regimes to surveil civilians, officials, and journalists. Of particular note is Predator, a spyware similar to NSO Group’s Pegasus in that it can infiltrate Android and iOS devices without the need for any interaction from the user. “The proliferation of commercial spyware poses distinct and growing security risks to the United States and has been misused by foreign actors to enable human rights abuses and the targeting of dissidents around the world for repression and reprisal,” said the OFAC. Read more.
Developers create new worm exploiting generative A.I. systems
Researchers from the Israel Institute of Technology, Intuit, and Cornell Tech have developed a computer worm designed to exploit generative A.I. systems, using them to spread malware and steal data. Called “Morris II,” the worm overwhelms A.I. systems by generating self-replicating prompts that cause the models to “replicate the input as output and engage in malicious activities.” The worm was tested against Google’s Gemini Pro, OpenAI’s ChatGPT 4.0, and LLaVA. The test results indicate that malware of this type could be used to launch cyberattacks across the entire generative A.I. ecosystem. The researchers have issued countermeasures that they urge developers to implement to mitigate the effectiveness of this sort of attack. Read more.
ALPHV shuts down servers
An affiliate of the ALPHV ransomware operation that allegedly used their software to attack Optum is accusing the group of stealing the entirety of the healthcare giant’s $22 million ransom and then shutting down their servers to make off with the money. The affiliate, posting under the username “notchy,” claims they still possess Optum’s sensitive data. ALPHV has issued a cryptic message that reads, “Everything is off, we decide,” leaving security experts to speculate about the group’s next move. A law enforcement operation recently breached ALPHV, and it appears the gang, buckling under pressure, has opted to make off with an affiliate’s payday and will likely begin to rebrand itself to restore faith in its operations. It’s unknown what notchy plans to do with Optum’s data. Read more.
U.S. critical infrastructure attacked by Phobos ransomware
The FBI, CISA, and the MS-ISAC have issued an advisory in response to Phobos ransomware attacks targeting critical U.S. infrastructure. “Structured as a ransomware as a service (RaaS) model, Phobos ransomware actors have targeted entities including municipal and county governments, emergency services, education, public healthcare, and critical infrastructure to successfully ransom several million in U.S. dollars,” the statement reads. Phobos ransomware attacks usually rely on phishing to gain initial access but have also used brute-force methods to exploit exposed RDP services in vulnerable networks. Once intrusion has been accomplished, remote access tools that execute malicious code and modify the Windows Registry are dropped into a victim network. Read more.
India-based content farm impersonates major news outlets
BleepingComputer has discovered an India-based network of nearly 60 fraudulent news websites spoofing major media companies such as the BBC, Bloomberg, CNN, the Washington Post, and many more. These websites plagiarize content from actual sources and repost it under an “admin” author account. It is believed that the content farm is meant to build SEO for the creator’s gambling ventures and sell fake product reviews and press release ads to users who believe these domains are legitimate. The campaign operators even go so far as to maintain Facebook pages for some of their impersonated sites and enroll them as Google News publishers. Read more.
More cybersecurity news
- Last week’s news
- More cybersecurity news
- All articles brought to you by NetworkTigers
