WEEKLY TOP TEN: June 10, 2024, 09:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ we reviewed and judged most significant over the course of the week, ranked by risk and drawing on multiple sources when available:
- AI Platform Hugging Face Breached
The AI platform Hugging Face detected unauthorized access to its Spaces platform; access to this platform allows attackers to obtain the authentication secrets of its members. Hugging Face Spaces is a repository of community-submitted AI applications that lets other community members demo the uploaded applications. In response, Hugging Face has revoked the stolen authentication tokens and notified the affected users by email. It is also working with external security experts on the investigation and has reported the incident to law enforcement and data protection agencies.
- BoxedApp Products Abused by Cyber Criminals
Jiří Vinopal, a threat researcher at Check Point Research, has observed an increasing trend over the past 12 months of threat actors using a legitimate application packer called BoxedApp. Threat actors choose this packer because its SDK lets them build a custom packer that is unique enough to avoid static detection, and because its virtual storage, virtual process, and virtual registry features help evade AV and EDR systems.
- Remote Code Execution Bug Found in Atlassian Confluence
Researchers at SonicWall Capture Labs have discovered a remote code execution vulnerability in Atlassian Confluence, which was assigned the identifier CVE-2024-21683. Two notable requirements apply to leveraging it: the threat actor needs network access and must authenticate to a user account that has the privilege to add new macro languages. Fortunately, this vulnerability has already been patched in the newest release of Confluence Server.
- Microsoft Officially Deprecates Windows NTLM Authentication Protocol
Back in October 2023, Microsoft announced plans to deprecate the NTLM authentication protocol, which was first released in 1993 as part of Windows NT 3.1. As of June, the protocol is no longer under active development and is being replaced by more secure alternatives such as Kerberos or Negotiate, because of the extensive abuse of NTLM in cyber-attacks such as NTLM relay attacks, pass-the-hash attacks, and simply cracking the hash to recover a user's clear-text password, which NTLM's weaker cryptography makes feasible compared with modern alternatives like Kerberos.
- Threat Actors Use Cisco Webex Vulnerability to Compromise German Government Meetings
In March, Russia-linked threat actors published the contents of a German military meeting in which participants discussed giving military support to Ukraine. The investigation of this breach led to the discovery of an insecure direct object reference (IDOR) vulnerability within Cisco Webex that gave the threat actors unauthorized access to information about the meeting, such as topics and participants. After the flaw was discovered, Cisco rolled out a patch on May 28, 2024, and notified customers who experienced observable attempts to access meeting information and metadata.
- New Phishing Kit V3B Targets EU Banks
Security researchers at Resecurity discovered a new phishing kit named “V3B” being promoted on Telegram; its channel is growing fast, with 1,250 members already. The kit is marketed as phishing-as-a-service, and its notable features include heavily obfuscated JavaScript code and the ability to evade anti-phishing and search engine bots. It was designed to work on both mobile and desktop, with the objective of intercepting bank account credentials, credit card details, and other financial personal information.
- FBI Obtained 7,000 LockBit Decryption Keys
The assistant director of the FBI Cyber Division, Bryan Vorndran, announced on June 5th that during the ongoing disruption of LockBit the FBI has uncovered 7,000 decryption keys. This new discovery is on top of the 2,500 decryption keys uncovered in February, when law enforcement seized 34 servers connected to LockBit.
- New Threat Campaign Abuses Data Sync Tool SyncThing
The Computer Emergency Response Team of Ukraine (CERT-UA) released information about a new campaign named “SickSync”, run by the threat group Vermin, that has been targeting Ukrainian defense forces. The campaign combines the legitimate file-syncing software SyncThing with malware named SPECTR. The attack starts with the victim receiving a password-protected archive named “turrel.fop.wolf.rar”. When extracted, it contains a .bat file that executes sync.exe, the SyncThing executable, together with the SPECTR malware, which extracts passwords and other sensitive information it finds on the infected machine.
- DarkGate Switches Up Its Tactics with New Payload, Email Templates
Researchers at Cisco Talos have seen a rise in DarkGate malware activity after receiving widespread reports of a new attack pattern from their clients. This campaign is targeting a wide range of industries in the US.
The attack chain starts with an email containing a malicious Excel attachment that installs DarkGate components. The threat actors use remote template injection in their payload, which can bypass initial security settings because the document itself contains no macros; instead, the document loads a remote Office template that contains the malicious macros.
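The remote template injection technique described above leaves a visible trace in the document package: a relationship part pointing at an external target. The following defender-side check is an added example, not code from Cisco Talos or from this digest; it scans an Office Open XML archive for external relationships and flags an http(s) attachedTemplate, the case where the document itself carries no macros. The sample document and the template URL it contains are constructed placeholders.

```python
"""Scan an Office Open XML archive (.docx/.xlsx/.pptx) for relationships that
point outside the package, the mechanism remote template injection relies on.
Added example; the sample document is constructed in memory and the template
URL is a placeholder, not an indicator from the DarkGate campaign."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def external_relationships(data: bytes) -> list:
    """Return every relationship in any *.rels part whose TargetMode is External.
    Each hit records the part, relationship type and target so an analyst can
    judge it: hyperlinks are common, attachedTemplate/oleObject targets are not."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                hits.append({
                    "part": name,
                    "type": rel.get("Type", "").rsplit("/", 1)[-1],
                    "target": rel.get("Target", ""),
                })
    return hits


def is_remote_template(data: bytes) -> bool:
    """True when the document settings reference an external attachedTemplate
    with an http(s) target; such a document needs no macros of its own."""
    return any(h["type"] == "attachedTemplate"
               and re.match(r"https?://", h["target"], re.I)
               for h in external_relationships(data))


def build_sample_docx(template_url: str = "") -> bytes:
    """Construct a minimal .docx-like archive; with template_url it carries an
    external attachedTemplate relationship in word/_rels/settings.xml.rels."""
    rels = '<?xml version="1.0"?><Relationships xmlns="%s">' % REL_NS
    if template_url:
        rels += ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                 'officeDocument/2006/relationships/attachedTemplate" '
                 'Target="%s" TargetMode="External"/>' % template_url)
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Run `external_relationships()` on a real attachment to list every external target, and treat an http(s) attachedTemplate as a strong signal regardless of whether the file contains macros.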
Finally, once macros are enabled, the final payload is downloaded through PowerShell, installing a malicious AutoHotKey script.
- SolarWinds Fixes Severe Serv-U Vulnerability (CVE-2024-28995)
SolarWinds has released a patch for CVE-2024-28995, a directory traversal vulnerability that allowed unauthenticated attackers to read sensitive files on the host machine.
Serv-U is an enterprise solution for SFTP and file sharing; given the nature of the application and the low complexity of the vulnerability, it was rated a severity score of 8.6.
Multiple threat actors have abused Serv-U vulnerabilities in the past, underscoring the importance of staying up to date with security patches.