March 18, 2024

Cybersecurity news weekly roundup March 18, 2024

SAN MATEO, CA, March 18, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

  1. DarkGate malware spread through Windows SmartScreen flaw
  2. FortiClient EMS receives critical bug patch
  3. Google’s Gemini AI vulnerable to LLM threats
  4. North American manufacturing under malware attack
  5. RCE flaw in Kubernetes allows takeover of Windows nodes
  6. LockBit member imprisoned and ordered to pay $860K
  7. Biden Administration strengthens government security
  8. More than 15K Roku accounts hacked and sold
  9. Dropbox hackers steal credentials and bypass MFA
  10. 3300 WordPress sites infected with malware
  11. More cybersecurity news

DarkGate malware spread through Windows SmartScreen flaw

The DarkGate malware operation has exploited a recently patched Windows Defender SmartScreen vulnerability to automatically install fake software installers after bypassing security checks. “Attackers can exploit the flaw by creating a Windows Internet shortcut (.url file) that points to another .url file hosted on a remote SMB share, which would cause the file at the final location to execute automatically.” The flaw was fixed in February. However, systems that have not been updated are still under threat. DarkGate’s attack begins with a malicious email containing a PDF with links that “utilize open redirects from Google DoubleClick Digital Marketing (DDM) services to bypass email security checks.” Clicking the link sends a victim to a compromised web server hosting a shortcut file that links to a second shortcut file hosted on a WebDAV server controlled by the criminals. Users are urged to update their systems immediately with Microsoft’s February 2024 patch update. Read more.
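As an added defender-side illustration (not code from the original article or from any vendor), the following Python check parses Windows Internet Shortcut (.url) files and flags ones whose target is a remote share or another .url file, the chaining pattern described above. The shortcut contents and the 203.0.113.10 address are constructed sample data.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample .url files (not taken from any real DarkGate sample).
SAMPLES = {
    "benign.url": "[InternetShortcut]\nURL=https://www.example.com/\n",
    "local.url": "[InternetShortcut]\nURL=file:///C:/Users/me/notes.txt\n",
    "unc_chain.url": "[InternetShortcut]\nURL=file://203.0.113.10/share/next.url\n",
    "webdav_chain.url": "[InternetShortcut]\nURL=\\\\203.0.113.10@80\\DavWWWRoot\\next.url\n",
}


def parse_url_file(text):
    """Return the URL= target of an Internet Shortcut (.url) file, or None if unparseable."""
    # .url files are INI-style; disable interpolation so '%' in URLs is not mangled.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def classify(text):
    """Classify a .url file body: 'unparseable', 'chained-shortcut', 'remote-share' or 'ok'."""
    target = parse_url_file(text)
    if target is None:
        return "unparseable"
    t = target.strip()
    parsed = urlparse(t)
    scheme = parsed.scheme.lower()
    # A UNC path (\\host\share\...) or file:// with a host means the target lives on a remote share.
    share = t.startswith("\\\\") or t.startswith("//") or (scheme == "file" and bool(parsed.netloc))
    web = scheme in ("http", "https")
    # A shortcut whose target is itself another .url file is the chaining pattern to flag first.
    if (share or web) and t.lower().endswith(".url"):
        return "chained-shortcut"
    if share:
        return "remote-share"
    return "ok"


def scan(samples):
    """Return {name: verdict} for every sample, keeping only the ones worth a second look."""
    return {name: classify(body) for name, body in samples.items() if classify(body) != "ok"}
```

Run `scan(SAMPLES)` to see which constructed shortcuts are flagged; in practice the same logic would be applied to .url files arriving as mail attachments or in download folders.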

FortiClient EMS receives critical bug patch

Fortinet has patched a critical SQL injection vulnerability in its FortiClient endpoint management software. The UK’s National Cyber Security Centre discovered CVE-2023-48788, which affects FortiClientEMS 7.2, versions 7.2.0 to 7.2.2, and FortiClientEMS 7.0, versions 7.0.1 to 7.0.10. The company’s advisory states that “an improper neutralization of special elements used in an SQL Command (‘SQL Injection’) vulnerability [CWE-89] in FortiClientEMS may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted requests.” Fortinet’s advisory comes during a week when several other vulnerabilities were patched. No information about whether this most recent bug is exploited in the wild has been released. Read more.

Google’s Gemini AI vulnerable to LLM threats

A report from HiddenLayer indicates that Google’s Gemini LLM is vulnerable to threats that “could cause it to divulge system prompts, generate harmful content, and carry out indirect injection attacks.” One vulnerability causes Gemini to leak its system prompt: by asking the model to output its “foundational instructions” in a markdown block, an attacker gets around the guardrails that are in place to help the LLM generate better responses. Another vulnerability involves jailbreaking techniques that cause the model to generate false information and output potentially illegal or dangerous information, such as instructions on hot-wiring a vehicle, after asking it to “enter into a fictional state.” Users can also supply a “line of nonsensical tokens” to fool Gemini into outputting a confirmation message that includes information on the prompt, or use a specially designed Google document built to “override the model’s instructions and perform a set of malicious actions.” Read more.

North American manufacturing under malware attack

A malware called Ande Loader is being used by a group called Blind Eagle to deliver trojans to North American manufacturing companies. Blind Eagle is financially motivated and has a track record of targeting organizations in Ecuador and Colombia with a wide range of RATs. Still, this newly discovered campaign shows the group broadening its horizons and using phishing emails and a Discord content delivery network link to target Spanish-speaking victims. According to eSentire, “Blind Eagle threat actor(s) have used crypters written by Roda and Pjoao1578. One of the crypters developed by Roda has the hardcoded server hosting both injector components of the crypter and additional malware that was used in the Blind Eagle campaign.” Read more.

RCE flaw in Kubernetes allows takeover of Windows nodes

Popular container-management system Kubernetes has been found to harbor a bug that allows attackers to “remotely execute code with System privileges on Windows endpoints, potentially leading to a full takeover of all Windows nodes within a Kubernetes cluster.” According to Akamai researcher Tomer Peled, the bug is exploited by manipulating Kubernetes volumes, allowing data to be shared between pods on a cluster. Attackers must create pods and persistent volumes on Windows nodes to escalate admin privileges. “It is very easy to exploit this vulnerability because an attacker would only need to modify a parameter and apply 3 YAML files to gain RCE over the Windows endpoints,” says Peled. A patch has been created to remedy the vulnerability, and any system running a Kubernetes version earlier than 1.28.4 is vulnerable. Read more.

LockBit member imprisoned and ordered to pay $860K

Mikhail Vasiliev, a Russian-Canadian cybercriminal affiliated with the LockBit ransomware gang, has been sentenced to four years in prison by an Ontario court for his participation in the group. A critical member of the gang, Vasiliev was involved in several of LockBit’s attacks and has also been ordered to pay $860,000 in “restitution to his Canadian victims.” He is also expected to face additional charges in the US after extradition. Vasiliev was arrested as part of an operation that disrupted LockBit’s operations and saw several other members detained by law enforcement as well. The group remains active, although it seems to be struggling to regain its standing after being compromised by authorities. Read more.

Biden Administration strengthens government security

The Biden-Harris Administration has approved a secure software development attestation form to help implement the requirement that software used by the Federal Government is built with prioritized security from the ground up. According to a statement from CISA, implementation of the secure software development attestation will not only “strengthen the security of the Federal Government, but drive improvements for customers across the globe.” CISA also hopes that the new protocols will be adopted by state and local governments, as well as the private sector, to ensure tighter security. “By using software from producers that use sound secure development practices, the Federal Government not only protects its vital information systems, but also helps ensure that the Government runs on software made by companies that prioritize and focus on these critical practices.” Read more.

More than 15K Roku accounts hacked and sold

Roku has suffered a data breach, resulting in over 15,000 user accounts being used to make fraudulent hardware and subscription purchases. The result of a credential stuffing attack, the hack also saw criminals selling off the stolen Roku accounts, with some asking only $0.50 per account. The company said that it secured the accounts affected by the hack, forced password resets on them, and also investigated any fraudulent charges made by the attackers so they could be canceled. A source reported to BleepingComputer that a recent change to Roku’s Dispute Resolution Terms is related to the ongoing attacks and fraud committed through compromised accounts. Read more.

Dropbox hackers steal credentials and bypass MFA

Research from Darktrace has revealed a novel phishing campaign that leverages Dropbox cloud storage infrastructure to bypass MFA, spotlighting hackers’ ability to abuse legitimate services to suit their needs. Using an email address associated with Dropbox, the attackers send their victims a link to a PDF file hosted on the platform named after a partner in their organization. The PDF file has a link that leads to a fake Microsoft 365 page built to steal credentials. The phishing victims in this campaign are highly targeted. The attacks are sophisticated, using stages of legitimacy before finally pushing their target to a fraudulent destination. This makes attacks harder to spot and lures victims in with trust so that they let their guard down. Read more.

3300 WordPress sites infected with malware

Outdated versions of the Popup Builder plugin are being exploited to inject malicious code into WordPress sites, reports Sucuri. The flaw exploited in the plugin is CVE-2023-6000, “a cross-site scripting (XSS) vulnerability impacting Popup Builder versions 4.2.3 and older, initially disclosed in November 2023.” Over 3,300 sites have been compromised in the campaign thus far, which seems to have the primary goal of “redirecting visitors of infected sites to malicious destinations such as phishing pages and malware-dropping sites.” Users are urged to update to the latest version of Popup Builder and to block traffic coming from “ttincoming.traveltraffic[.]cc” and “host.cloudsonicwave[.]com,” the domains from which the attacks seem to originate. Read more.

More cybersecurity news

Ben Walker
Ben Walker is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
