March 4, 2024

Cybersecurity News Weekly Roundup March 4, 2024

SAN MATEO, CA, March 4, 2024 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.

  1. Bifrost Linux malware evades detection by posing as VMware domain
  2. Crypto users vulnerable to new phishing kit that uses SMS and voice calls
  3. Silver SAML attacks successful against identity systems despite Golden SAML defenses
  4. Many video doorbell systems are alarmingly easy to hack
  5. Biden executive order seeks to ban the sale of Americans’ data to hostile nations
  6. LiteSpeed plugin bug puts 4 million WordPress sites at risk
  7. FBI, HHS, and CISA warn that ALPHV ransomware gang has sights set on healthcare industry
  8. Flaw in popular WordPress plugin puts 200K websites at risk of attack
  9. More than 8K subdomains of trusted brands used for spam operation
  10. LockBit ransomware defiantly restores operations after law enforcement disruption
  11. More cybersecurity news

Bifrost Linux malware evades detection by posing as VMware domain

A new variant of the Bifrost RAT targets Linux systems and uses unique evasion techniques to avoid detection. An uptick in Bifrost instances prompted researchers at Unit 42 to investigate the RAT, leading them to notice the new variant and its features. Bifrost can now use a deceptive domain, “download.vmfare[.]com,” which is made to appear as part of VMware. An ARM version of the malware was also observed, signaling that the attackers behind the campaign are casting a wider net for possible victims. “On the technical side of the malware, the binary is compiled in stripped form without any debugging information or symbol tables, making its analysis harder.” While Bifrost is not the most complex or sophisticated RAT in circulation, administrators should keep an eye on it, as it is clearly under active development and will likely continue gaining features and further evasive tactics. Read more.

Crypto users vulnerable to new phishing kit that uses SMS and voice calls

Researchers at Lookout have observed a new phishing kit that impersonates the login pages of popular crypto services. “This kit enables attackers to build carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs, and even photo IDs from hundreds of victims, mostly in the United States,” says Lookout. The sites evade being flagged by only displaying their fake login pages after a victim completes a CAPTCHA, and they have been spread via phone calls and text messages that appear to come from crypto platforms’ customer service departments. It is unclear whether a single individual or a cybercrime group is behind the campaign. Read more.

Silver SAML attacks successful against identity systems despite Golden SAML defenses

Researchers at Semperis have shared a report indicating that a new attack technique called Silver SAML can succeed even when mitigations are in place to protect against Golden SAML attacks. SAML stands for Security Assertion Markup Language, and the attack “entails the abuse of the interoperable authentication standard to impersonate almost any identity in an organization.” Silver SAML attacks allow for “the exploitation of SAML to launch attacks from an identity provider like Entra ID against applications configured to use it for authentication, such as Salesforce.” Silver SAML attacks have not been observed in the wild, but Semperis has created a proof-of-concept called SilverSAMLForger that organizations can use to build their own custom SAML responses. Read more.

Many video doorbell systems are alarmingly easy to hack

Consumer Reports has published research showing that doorbell cameras manufactured by EKEN are rife with security flaws that make them easy to hack. In one instance, a person physically near one of the company’s cameras can download the official app, put the camera into pairing mode, and take “full control” of it by adding it to their own account. Another issue noted is that the cameras broadcast the owners’ IP addresses, Wi-Fi network names, and still images over the internet unencrypted, all of which can be intercepted. Consumer Reports contacted online retailers Walmart and Temu regarding the security concerns, and both companies removed the cameras from their storefronts. However, the cameras remain for sale on Amazon, Sears, and Shein. EKEN sells cameras under a handful of different brand names, making it challenging to remove them all. Read more.

Biden executive order seeks to ban the sale of Americans’ data to hostile nations

President Biden signed an executive order that makes it unlawful for data brokers to sell Americans’ personal data to companies, agencies, and organizations based in “countries of concern,” citing national security and individual privacy risks. According to the White House, such data can be used “to track Americans (including military service members), pry into their personal lives, and pass that data on to other data brokers and foreign intelligence services.” The order is expected to hit roadblocks, as many organizations that hold sensitive data do not know what data they hold, whether it is being shared, or where it may end up. In response to the executive order, the chief evangelist for data security at Symmetry Systems says, “It is clear to us as experts in this field that organizations do not currently have these capabilities, and more importantly, nor do data brokers.” Read more.

LiteSpeed plugin bug puts 4 million WordPress sites at risk

The LiteSpeed Cache WordPress plugin has been found to harbor a major vulnerability, according to research from Patchstack. LiteSpeed Cache has more than 4 million active installations, and the bug “stems from a lack of input sanitization and output escaping in the plugin’s code, combined with improper access control on one of its REST API endpoints.” The flaw was patched in a recent update, and all users are urged to update immediately. Developers are encouraged to “implement proper input sanitization and output escaping in their code, particularly for data displayed in admin notices.” The flaw’s severity and the number of sites exposed highlight the need for proactive security measures around WordPress plugins. Read more.
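The Patchstack advice quoted above (sanitize on input, escape on output, especially for admin notices) is easiest to see in code. The following is an added illustration, not the LiteSpeed Cache plugin’s code, written in plain PHP so it runs from the command line; the sample string is constructed, and `sanitize_notice_input()` and `render_notice_safe()` are stand-ins for the WordPress helpers `sanitize_text_field()` and `esc_html()` named in the comments.

```php
<?php
// Added example (not the LiteSpeed Cache plugin's code): a value that came
// from a request ends up inside an admin notice. Plain PHP so it runs from
// the CLI; in a WordPress plugin the equivalents are sanitize_text_field()
// on input and esc_html() on output.

// Constructed sample: a string an attacker could store through an endpoint
// whose permission check is missing or too permissive.
const UNTRUSTED = 'Cache purged <img src=x onerror="alert(document.cookie)">';

// Vulnerable pattern: the stored value is concatenated straight into the
// notice markup, so any HTML inside it is rendered in the administrator's
// browser as markup rather than text.
function render_notice_unsafe(string $message): string
{
    return '<div class="notice notice-success"><p>' . $message . '</p></div>';
}

// Input sanitization (stand-in for sanitize_text_field()): drop tags,
// control characters and surrounding whitespace before the value is stored.
function sanitize_notice_input(string $raw): string
{
    $clean = strip_tags($raw);
    $clean = preg_replace('/[\x00-\x1F\x7F]/u', '', $clean);
    return trim($clean);
}

// Output escaping (stand-in for esc_html()): encode for an HTML text node at
// the point of output, regardless of what sanitization happened earlier.
function render_notice_safe(string $message): string
{
    $escaped = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="notice notice-success"><p>' . $escaped . '</p></div>';
}

// Unsanitized and unescaped: the <img> element survives into the page.
echo render_notice_unsafe(UNTRUSTED), PHP_EOL;

// Sanitized on input and escaped on output: only inert text reaches the page.
echo render_notice_safe(sanitize_notice_input(UNTRUSTED)), PHP_EOL;

// Escaping alone is also enough to neutralise the sample, which is why output
// escaping belongs at every output point even when input was sanitized.
echo render_notice_safe(UNTRUSTED), PHP_EOL;
```

The two steps are not interchangeable: sanitization decides what is allowed to be stored, while escaping makes the stored value safe for one specific output context (here an HTML text node). The Patchstack quote pairs them because the plugin’s REST endpoint also lacked a proper access check, so attacker-controlled data reached the notice in the first place; fixing the access control is the third, separate part of the repair.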

FBI, HHS, and CISA warn that ALPHV ransomware gang has sights set on healthcare industry

The FBI, the Department of Health and Human Services, and CISA have issued a joint advisory warning that the ALPHV ransomware gang has “been observed primarily targeting the healthcare sector” since December of 2023. While some criminal outfits deliberately avoid disrupting healthcare providers, likely because of the law enforcement attention it draws, ALPHV shows no such restraint, with most of the gang’s victims falling into that sector since last December. According to the joint advisory, “This is likely in response to the ALPHV Blackcat administrator’s post encouraging its affiliates to target hospitals after operational action against the group and its infrastructure in early December 2023.” The FBI disrupted the group’s operations in December, but the gang has since moved to a new leak site. Rewards of up to $10 million are currently being offered for tips that could lead to identifying the group’s leaders. Read more.

Flaw in popular WordPress plugin puts 200K websites at risk of attack

A popular WordPress plugin called Ultimate Member has been found to harbor a critical security flaw. WordPress security company Wordfence reports that the plugin is “vulnerable to SQL Injection via the ‘sorting’ parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query.” The issue only affects sites with the “Enable custom table for usermeta” option selected in the plugin’s settings. An update that fixes the bug is now available, and all users are urged to update as soon as possible, as Wordfence reports that it has already blocked an attack attempting to exploit it. Ultimate Member has more than 200,000 active installations, putting many users at risk. Read more.
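A “sorting” parameter is a classic place for the defect Wordfence describes, because an ORDER BY identifier cannot be bound as a prepared-statement value the way a WHERE value can, so escaping and preparation have to be supplemented by an allow-list. The following is an added illustration, not Ultimate Member’s code: plain PHP with PDO and an in-memory SQLite table (it needs the pdo_sqlite extension) so it runs stand-alone. The table, rows and hostile value are constructed, and the function names are the example’s own; in a WordPress plugin the bound value would go through `$wpdb->prepare()` with `%s`/`%d` placeholders, while the column allow-list works the same way.

```php
<?php
// Added example (not Ultimate Member's code): a request-supplied "sorting"
// value reaching an ORDER BY clause. Plain PHP with PDO and an in-memory
// SQLite table (needs the pdo_sqlite extension) so it runs stand-alone.
// In WordPress, value placeholders map to $wpdb->prepare() with %s/%d, but
// ORDER BY identifiers cannot be bound there either, so the allow-list below
// is the part that actually closes the hole.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)');
// Constructed sample rows standing in for a custom usermeta table.
$db->exec("INSERT INTO usermeta VALUES (1, 'role', 'member'), (2, 'role', 'admin'), (3, 'role', 'member')");

// Vulnerable pattern: the sorting parameter becomes part of the SQL text, so
// the database evaluates whatever expression the request happens to contain.
function sorted_user_ids_unsafe(PDO $db, string $sorting): array
{
    $sql = "SELECT user_id FROM usermeta WHERE meta_key = 'role' ORDER BY " . $sorting;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: the request value only selects an entry from a fixed map
// of column names and directions; the SQL identifier never comes from input,
// and the WHERE value is bound through a prepared statement.
function sorted_user_ids_safe(PDO $db, string $sorting): array
{
    $columns = ['user_id' => 'user_id', 'meta_value' => 'meta_value'];
    $parts = preg_split('/\s+/', strtolower(trim($sorting)), 2);
    $col = $parts[0];
    $dir = $parts[1] ?? 'asc';
    if (!isset($columns[$col]) || !in_array($dir, ['asc', 'desc'], true)) {
        throw new InvalidArgumentException('unsupported sorting value');
    }
    $sql = 'SELECT user_id FROM usermeta WHERE meta_key = :key ORDER BY '
         . $columns[$col] . ' ' . strtoupper($dir);
    $stmt = $db->prepare($sql);        // the value is bound, not interpolated
    $stmt->execute([':key' => 'role']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A legitimate sort works in both versions.
print_r(sorted_user_ids_unsafe($db, 'user_id DESC'));
print_r(sorted_user_ids_safe($db, 'user_id DESC'));

// Constructed hostile value: not a column at all, but a SQL expression. The
// unsafe version hands it to the database, which evaluates it; the safe
// version refuses it before any query is built.
$hostile = 'random()';
print_r(sorted_user_ids_unsafe($db, $hostile));
try {
    sorted_user_ids_safe($db, $hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allow-list is a map rather than a simple `in_array()` check so that the string taken from the request is never itself placed in the query, even when it matches; the query only ever contains the map’s own values. Logging the rejected value (without echoing it back into a page) also gives a detection signal for probing of the sort parameter.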

More than 8K subdomains of trusted brands used for spam operation

Over 8,000 subdomains belonging to reputable companies and institutions, including ACLU, eBay, Lacoste, Marvel, McAfee, MSN, Pearson, PwC, Symantec, The Economist, UNICEF, and VMware, have been hijacked for use in a massive spam campaign, as reported by Guardio Labs. A threat actor called ResurrecAds is allegedly responsible for the campaign, which has been operating since September 2022. The campaign “leverages the trust associated with these domains to circulate spam and malicious phishing emails by the millions each day, cunningly using their credibility and stolen resources to slip past security measures.” According to researchers, the “operation is meticulously designed to misuse these assets for distributing various malevolent ‘Advertisements,’ aiming to generate as many clicks as possible for these ‘ad network’ clients.” Read more.

LockBit ransomware defiantly restores operations after law enforcement disruption

Only five days after a law enforcement operation took down the group’s servers, the LockBit ransomware gang is back online with updated infrastructure and a new grudge against government agencies. Blaming the law enforcement breach on being “very lazy” with their PHP updates, LockBit has announced that its servers are updated and promised a reward to anyone able to break into them. Much of LockBit’s messaging after the breach reads like damage control, and it is clear that the outfit wants to restore its credibility by downplaying the significance of the operation and law enforcement’s technical prowess. Time will tell whether the group can fully reclaim its standing. Its announced intention to target government entities more frequently, to “force” law enforcement to show whether or not it can attack the gang, may prove to be LockBit’s undoing. Read more.

More cybersecurity news

Derek Walborn
Derek Walborn is a freelance research-based technical writer. He has worked as a content QA analyst for AT&T and Pernod Ricard.
