WEEKLY TOP TEN: June 03, 2024, 09:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original stories we compiled over the course of the week, ranked by highest risk and drawing on multiple sources where available:
- The Ticketmaster “Breach” — What You Need to Know
This week, Ticketmaster is in the news due to claims of a massive breach. The leakers claim to hold details and information on 560 million customers. Because the dataset is so large, some researchers doubt its validity; this discourse led X user vxunderground to publish samples from the breach as proof. Ticketmaster has yet to respond to inquiries about the leak and has neither confirmed nor denied the event.
- RedTail Cryptominer Threat Actors Adopt PAN-OS CVE-2024-3400 Exploit
The RedTail cryptominer, first identified in 2023 by the CSA, has been updated with advanced capabilities and techniques. Researchers at Akamai have found that RedTail now exploits the recent Palo Alto PAN-OS vulnerability CVE-2024-3400; additionally, it is now equipped with anti-analysis techniques.
When Akamai monitored this vulnerability, they found alarming malicious activity linked to RedTail. Using a combination of static and dynamic analysis, the researchers found that RedTail has grown much more sophisticated since 2023. The malware no longer uses wallets and instead mines through private pools or pool proxies, and it uses advanced mining algorithms that increase performance. These findings indicate that a nation-state may sponsor the hackers behind RedTail.
- LilacSquid: The Stealthy Trilogy of PurpleInk, InkBox and InkLoader
Cisco Talos has labeled a previously undocumented APT as LilacSquid, which has been targeting various sectors worldwide since at least 2021. PurpleInk gains initial access in two ways: by using compromised RDP credentials or by exploiting vulnerable web applications.
Talos describes two different kill chains, depending on the method used for initial access. The group has a custom version of QuasarRAT named “PurpleInk,” which is installed during the kill chain by InkBox and InkLoader, custom malware loaders that launch PurpleInk on the target system. The kill chain ends with control of the victim’s environment and data exfiltration.
- Exposed and Vulnerable: Recent Attacks Highlight Critical Need to Protect Internet-Exposed OT Devices
Microsoft has noticed an increasing number of cyberattacks targeting internet-exposed OT devices, specifically equipment in water and wastewater systems in the US. A successful cyberattack on these systems can give miscreants control of critical infrastructure, resulting in malfunctions and outages.
Microsoft also states that OT devices in general have a poor security posture, which makes them a prime target, as they are usually connected directly to the internet and easily discoverable. Statistics from Microsoft show that 78% of industrial network devices monitored by Microsoft Defender have known vulnerabilities.
- Cybercriminals Pose as “helpful” Stack Overflow Users to Push Malware
The pcTattletale application is a form of commercial spyware, marketed as employee and child monitoring software. It allows monitoring of the infected device, including real-time screenshots and other common spyware functionality. Recently, a security researcher discovered an IDOR (Insecure Direct Object Reference) vulnerability in the pcTattletale API. The vulnerability was reported to pcTattletale; however, no fix was published, and an attacker took it upon themselves to exploit it, dumping the entire pcTattletale database for public access and defacing the site.
- CVE-2024-24919: Check Point Security Gateway Information Disclosure
Check Point has disclosed a new zero-day (CVE-2024-24919) that affects Check Point Security Gateway devices configured with either the “IPSec VPN” or the “Mobile Access” software blade. The vulnerability has been observed in the wild since April 7, 2024, and a PoC was released on May 30 by watchTowr. The vulnerability allows read access to arbitrary files.
- Talos Vulnerability Roundup
Cisco Talos has disclosed twenty vulnerabilities it found in the past three weeks. Starting with Adobe Acrobat Reader, there are two out-of-bounds vulnerabilities that can allow an attacker to read arbitrary memory, leading to the exposure of sensitive data.
A privilege escalation vulnerability was reported in Foxit PDF Reader, where a low-privilege user can trigger an update action that elevates privileges to SYSTEM level. Talos also found six vulnerabilities in the C++ library libigl, ranging from heap buffer overflows to out-of-bounds accesses.
Finally, several vulnerabilities were found in the AutomationDirect P3 line of CPU models, which are used in U.S. critical infrastructure and ICS networks. Notably, one of them allows remote code execution (CVE-2024-23601). All of these vulnerabilities have been patched, which highlights the importance of keeping your software and hardware up to date.
- US Dismantles 911 S5 Botnet Used for Cyberattacks, Arrests Admin
Law enforcement has taken down the 911 S5 proxy botnet run by YunHe Wang and has arrested Wang. Wang created malicious VPN applications, which he distributed starting in 2011, and added the compromised devices to the 911 S5 proxy botnet.
The network spanned over 19 million IP addresses and 150 dedicated servers worldwide. Victims were lured by advertisements for free VPN services. The FBI has also published a guide to help you determine whether the botnet has compromised your system.
- Hackers Phish Finance Orgs Using Trojanized Minesweeper Clone
A new Python script containing a version of Minesweeper is being used to hide malware. CERT-UA attributes the activity to a group tracked as “UAC-0188,” which appears to be targeting financial and insurance institutions across the US and EU. The malware contains a base64-encoded string that, when decoded, assembles a ZIP file that installs a RAT.
- Exploit Released for Maximum Severity Fortinet RCE Bug, Patch Now
Fortinet’s SIEM solution was vulnerable to command injection, which enabled remote command execution as root without authentication. These vulnerabilities (CVE-2024-23108 and CVE-2024-23109) were patched on February 8, 2024. On May 28, security researchers at Horizon3 released a PoC and a deep dive into the vulnerability, which greatly increases the chance of exploitation of unpatched deployments.
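The Fortinet item above concerns command injection, the bug class in which untrusted input reaches a shell. The following is an added example, not Fortinet's code and not taken from the Horizon3 write-up: a constructed diagnostic handler that pings a host supplied by the user, shown first as the unsafe shell-string pattern and then as the hardened form (allow-list validation plus an argument list that is never parsed by a shell). The handler, its hostname pattern and every sample input are assumptions made for illustration.

```python
"""Command injection: unsafe shell string vs. validated argument list (added example)."""
import re
import shlex
import subprocess
from typing import List

# Constructed scenario: a web-facing diagnostic that pings a host chosen by the user.
# One hostname label: alphanumerics and hyphens, no leading or trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def build_command_unsafe(host: str) -> str:
    """Vulnerable pattern: interpolate user input into a string destined for a
    shell (e.g. subprocess.run(cmd, shell=True)).  Anything the shell treats
    specially inside ``host`` becomes part of the command line."""
    return f"ping -c 1 {host}"


def shell_tokens(cmd: str) -> List[str]:
    """Tokenise ``cmd`` as a POSIX shell would, keeping ';' '|' '&' as separate
    operator tokens, so the effect of the unsafe pattern can be inspected
    without executing anything."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return list(lexer)


def is_valid_host(host: str) -> bool:
    """Allow-list check: a syntactically valid hostname or dotted IPv4 address.
    Rejecting a leading '-' also stops the value being read as a ping option."""
    return len(host) <= 253 and HOSTNAME_RE.fullmatch(host) is not None


def build_argv_safe(host: str) -> List[str]:
    """Hardened pattern: validate first, then pass arguments as a list so that
    no shell ever parses them (subprocess.run(argv, shell=False))."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def run_diagnostic(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened form; shell=False is the default, stated explicitly."""
    return subprocess.run(build_argv_safe(host), shell=False,
                          capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    crafted = "127.0.0.1; echo injected"   # constructed input containing a shell separator
    print("unsafe form, as the shell sees it:", shell_tokens(build_command_unsafe(crafted)))
    print("hardened form, argv:", build_argv_safe("example.com"))
    try:
        build_argv_safe(crafted)
    except ValueError as exc:
        print("hardened form:", exc)
```

The tokeniser shows why string building fails: the separator and everything after it become additional commands for the shell, whereas the argument-list form hands the host to the program as a single argument and the allow-list rejects it before anything runs. Validation alone is not enough in the unsafe form, which is why the hardened version does both.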
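The Minesweeper item above describes a Python script carrying a base64 string that decodes to a ZIP archive. Below is an added detection example, not CERT-UA's tooling and not the sample itself: a scanner that finds long base64 runs in a Python source file, decodes them and reports the ones that begin with the ZIP local-file-header magic, listing the archive members where the archive parses. The source it scans, including the "payload.txt" member, is constructed inline and is benign.

```python
"""Locate base64-encoded ZIP archives embedded in Python source (added example)."""
import base64
import binascii
import io
import re
import zipfile
from typing import Dict, List

ZIP_MAGIC = b"PK\x03\x04"   # local file header that starts every ZIP archive


def find_embedded_zips(source: str, min_len: int = 200) -> List[Dict]:
    """Return one finding per base64 run of at least ``min_len`` characters that
    decodes to data beginning with the ZIP magic.  Each finding records where
    the run sits in the file and, if the archive parses, its member names."""
    blob_re = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    findings: List[Dict] = []
    for match in blob_re.finditer(source):
        blob = match.group(0)
        try:
            data = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            continue                  # not valid base64 (e.g. a long identifier)
        if not data.startswith(ZIP_MAGIC):
            continue                  # valid base64, but not a ZIP archive
        members: List[str] = []
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                members = archive.namelist()
        except zipfile.BadZipFile:
            pass                      # truncated or split blob; still worth flagging
        findings.append({
            "offset": match.start(),
            "encoded_len": len(blob),
            "decoded_len": len(data),
            "members": members,
        })
    return findings


def _build_sample_source() -> str:
    """Constructed stand-in for the trojanised game script: a little 'game' code
    plus a base64 ZIP.  The archive here holds only a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as archive:
        archive.writestr("payload.txt", "harmless placeholder content\n" * 12)
    blob = base64.b64encode(buf.getvalue()).decode("ascii")
    return (
        "import random\n"
        "def minesweeper(width=9, height=9, mines=10):\n"
        "    board = [[0] * width for _ in range(height)]\n"
        "    return board\n"
        f"DATA = '{blob}'\n"
        "# a dropper would decode DATA here and unpack the archive\n"
    )


# Constructed inputs: one file carrying a ZIP, and one carrying a long base64
# run that is not a ZIP, to check the scanner does not flag every blob.
SAMPLE_SOURCE = _build_sample_source()
BENIGN_SOURCE = "ICON = '" + base64.b64encode(b"A" * 300).decode("ascii") + "'\n"

if __name__ == "__main__":
    for finding in find_embedded_zips(SAMPLE_SOURCE):
        print(f"base64 ZIP at offset {finding['offset']}: members={finding['members']}")
    print("benign file findings:", find_embedded_zips(BENIGN_SOURCE))
```

The magic-byte check is what keeps the noise down: many legitimate scripts embed long base64 strings (icons, certificates, test fixtures), so reporting every run would be useless, while a base64 run that decodes to an archive inside a script that is supposed to be a game is worth a look. Lowering ``min_len`` catches smaller archives at the cost of more decoding work.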