By security practitioners, for security practitioners

Weekly Top 10 – 04.15.2024 – Google Bug Bounties, Medusa Ransomware Returns, LG Smart TVs Vulnerable, and More.

WEEKLY TOP TEN: April 15, 2024, 16:30 GMT

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ we judged most significant over the course of the week, ranked by highest risk and drawing on multiple sources where available:

  1. Google Pays $41,000 in Bug Bounties for Three Vulnerabilities

    In the latest Chrome security update, three vulnerabilities reported by a bug bounty hunter were patched. The first was an out-of-bounds write, the second a sandbox escape via UI gestures, and the third heap corruption triggered by a malicious web page. Vulnerability disclosure programs of this kind are a significant step forward for the overall security landscape and keep zero-days in the hands of responsible individuals.
  2. Medusa Ransomware Gang Returns with New Double Extortion Methods

    The Medusa ransomware gang has shifted to double extortion: ransoming the data it encrypts while also threatening to publish it if no payment is made. This was seen in a recent attack against a Fort Worth municipal agency that captured the data of over three-hundred property owners; the gang threatened to publish the stolen data publicly if the one-hundred-thousand dollar ransom was not paid.
  3. Raspberry Robin Malware Employs a New Infection Chain

    Raspberry Robin is an initial access trojan previously known to spread via infected USB devices. Recently, however, its modus operandi has shifted: as of March 2024, infections have been observed using malicious WSF (Windows Script Files) rather than the earlier methods. This new version also ships with a slew of new defense evasion techniques, such as anti-analysis and anti-VM checks.
  4. LG Smart TVs Vulnerable to Remote Takeover

    Researchers at Bitdefender have discovered several critical vulnerabilities in LG webOS, the operating system behind LG smart TVs. They allow attackers to take control of TVs remotely and perform actions such as data theft and malware installation, and even to use compromised TVs as a pivot point to reach other devices on the network. The vulnerabilities affect webOS versions 4 through 7; updates should be applied to all vulnerable devices immediately.
  5. Palo Alto Firewall Zero Day Observed in the Wild

    Palo Alto has warned users of firewalls running PAN-OS about a new critical zero-day vulnerability that is under active exploitation in the wild. It allows command injection without privileged access or user interaction and could lead to complete takeover of firewall appliances. No patch is currently available; Palo Alto has forecast a patch date of April 14th.
  6. DarkVault Ransomware Group Spawns Rumors of LockBit Rebrand

    Since the very public takedown and subsequent resurgence of the LockBit ransomware group, several copycat groups have appeared claiming to be current or former LockBit members. Recently a new ransomware group labeled DarkVault surfaced with a dark web leak site in the same look and format as the LockBit leak site. The DarkVault logo was also found on the actual LockBit site, but this was later determined to be a mockery of, or insult directed at, the new group.
  7. Half a Million Roku Accounts Compromised via Credential Stuffing

    Roku has announced that a total of 576,000 accounts were compromised in a credential stuffing attack, following an incident in March in which 15,000 accounts were compromised. Four-thousand of these accounts were used to make unauthorized purchases of streaming subscriptions, and many are being sold on dark web marketplaces.
  8. Iranian Threat Actor Debuts a New C2 Platform

    The Iran-based threat actor dubbed MuddyWater has been observed using a new C2 (command and control) framework and associated infrastructure, which researchers have dubbed DarkBeatC2. According to the researchers, it does not significantly change the group's attack chain but simply replaces their previous tooling.
  9. French Government Issues a Warning Following Cyberattack

    The French government has issued an “alerte rouge” (red alert) warning after several municipalities were taken offline by a cyberattack targeting shared servers. One municipality stated that the origin of the attack is currently unknown; however, Anonymous Sudan has claimed responsibility online. This comes as the French government makes cybersecurity preparations for the 2024 Olympics, which will take place in Paris.
  10. MITRE Adds Two Sub-Techniques to the ATT&CK Framework

    Following attacks by North Korean APTs, MITRE is adding two new sub-techniques to the ATT&CK framework. The first is Phantom DLL Hijacking, a subset of DLL Hijacking that leverages how Windows handles calls to DLL files that do not exist. The second is TCC Abuse, a macOS-based attack that takes advantage of the TCC database.
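The Roku incident in item 7 is the textbook credential stuffing signature: one source trying many different accounts with a low success rate, and a handful of logins that succeed. The following Python detector is an added example written for this digest, not code from Roku or from any vendor mentioned above. It parses a constructed authentication log (the `ip=`/`user=`/`result=` format and the IP addresses are invented for the example), flags source IPs whose attempt count, distinct-account count and success rate look like stuffing, and lists the accounts that authenticated successfully from a flagged source so they can be force-reset.

```python
import re
from collections import defaultdict

# Constructed sample authentication log for the example (not real telemetry).
# Format is hypothetical: "<timestamp> ip=<addr> user=<name> result=ok|fail".
SAMPLE_LOG = """\
2024-04-12T10:00:01Z ip=198.51.100.20 user=dana result=fail
2024-04-12T10:00:09Z ip=198.51.100.20 user=dana result=ok
2024-04-12T10:01:00Z ip=198.51.100.21 user=erin result=ok
2024-04-12T10:02:00Z ip=203.0.113.7 user=alice result=fail
2024-04-12T10:02:01Z ip=203.0.113.7 user=bob result=fail
2024-04-12T10:02:02Z ip=203.0.113.7 user=carol result=fail
2024-04-12T10:02:03Z ip=203.0.113.7 user=dave result=ok
2024-04-12T10:02:04Z ip=203.0.113.7 user=eve result=fail
2024-04-12T10:02:05Z ip=203.0.113.7 user=frank result=fail
2024-04-12T10:02:06Z ip=203.0.113.7 user=grace result=fail
2024-04-12T10:02:07Z ip=203.0.113.7 user=heidi result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_log(text):
    """Turn log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_attempts=5, min_distinct_users=5,
                          max_success_rate=0.5):
    """Return {ip: stats} for sources that look like credential stuffing.

    A legitimate user who mistypes a password retries the *same* account;
    a stuffing tool cycles through many accounts and mostly fails.
    """
    stats = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "ok":
            s["ok"] += 1

    flagged = {}
    for ip, s in stats.items():
        rate = s["ok"] / s["attempts"]
        if (s["attempts"] >= min_attempts
                and len(s["users"]) >= min_distinct_users
                and rate <= max_success_rate):
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "success_rate": round(rate, 2),
            }
    return flagged


def accounts_to_reset(events, flagged_ips):
    """Accounts that logged in successfully from a flagged source.

    These are the ones whose reused passwords worked: treat them as
    compromised and force a credential reset plus session revocation.
    """
    return sorted({e["user"] for e in events
                   if e["ip"] in flagged_ips and e["result"] == "ok"})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    flagged = find_stuffing_sources(evts)
    for ip, s in flagged.items():
        print(f"suspicious source {ip}: {s}")
    print("accounts to reset:", accounts_to_reset(evts, flagged))
```

The thresholds are deliberately conservative so that a single user fumbling one password is never flagged; in production the counters would be kept per time window (for example, the last 10 minutes) rather than over the whole log, and the source key would usually be an IP plus device fingerprint, since stuffing campaigns rotate through proxy pools.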
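Item 10's Phantom DLL Hijacking sub-technique rests on a simple observation: if a trusted binary asks the loader for a DLL that exists nowhere on a clean system, whatever file of that name the loader eventually finds gets loaded. From the defender's side the useful signal is therefore "a process running from a protected directory loaded an unsigned DLL from an unprotected path, and no legitimate copy of that DLL name exists". The following Python triage routine is an added example for this digest, not code from MITRE or from any vendor above; it runs over constructed image-load records shaped like Sysmon Event ID 7 (Image loaded) output. The process name `example_service.exe`, the DLL name `example_missing.dll`, the user paths and the tiny `KNOWN_SYSTEM_DLLS` inventory are all invented for the example; a real deployment would build that inventory from a golden image.

```python
from pathlib import PureWindowsPath

# Directories a standard user cannot write to; loads *from* here are expected.
PROTECTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Program Files (x86)",
)

# Constructed inventory of DLL basenames that legitimately exist on a clean
# build. Hypothetical for the example; in practice generate it from a golden
# image so that "no legitimate copy exists" can be decided reliably.
KNOWN_SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll"}

# Constructed image-load records (Sysmon Event ID 7-like fields, not real
# telemetry). example_service.exe and example_missing.dll are invented names.
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\svchost.exe",
     "dll": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"process": r"C:\Windows\System32\example_service.exe",
     "dll": r"C:\Users\Public\example_missing.dll", "signed": False},
    {"process": r"C:\Windows\System32\example_service.exe",
     "dll": r"C:\Users\Public\user32.dll", "signed": False},
    {"process": r"C:\Users\dana\AppData\Local\app\app.exe",
     "dll": r"C:\Users\dana\AppData\Local\app\helper.dll", "signed": False},
]


def _under(path, prefixes):
    """Case-insensitive check that path lies beneath one of the prefixes."""
    p = path.lower()
    return any(p.startswith(d.lower() + "\\") for d in prefixes)


def classify(event):
    """Label one image-load record.

    benign            DLL loaded from a protected directory.
    benign-user-app   user-installed program loading its own DLLs; out of
                      scope for this check.
    dll-sideload-candidate   trusted process loaded an unsigned copy of a DLL
                      name that also exists on a clean system.
    phantom-dll-hijack-candidate   trusted process loaded an unsigned DLL whose
                      name exists nowhere on a clean system: the loader
                      fell through to an unprotected location.
    """
    if _under(event["dll"], PROTECTED_DIRS):
        return "benign"
    if not _under(event["process"], PROTECTED_DIRS):
        return "benign-user-app"
    if event["signed"]:
        return "benign"
    name = PureWindowsPath(event["dll"]).name.lower()
    if name in KNOWN_SYSTEM_DLLS:
        return "dll-sideload-candidate"
    return "phantom-dll-hijack-candidate"


def find_suspicious(events):
    """Return (process, dll, label) for every record that needs a look."""
    hits = []
    for e in events:
        label = classify(e)
        if label.endswith("-candidate"):
            hits.append((e["process"], e["dll"], label))
    return hits


if __name__ == "__main__":
    for proc, dll, label in find_suspicious(SAMPLE_EVENTS):
        print(f"{label}: {proc} loaded {dll}")
```

The phantom case and the classic sideload case are separated on purpose: a sideloaded copy of a real DLL can often be explained by a badly packaged application, whereas a trusted binary loading a name that should not exist anywhere on the host has very few innocent explanations and deserves a higher severity. Pairing the detector with an audit of which directories on the search path are writable by standard users closes the gap from the prevention side.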