Ooreofeoluwa Koyejo says
https://thehackernews.com/2023/10/backdoor-implant-on-hacked-cisco.html
Backdoor Implanted on Hacked Cisco Devices Modified to Evade Detection
Threat actors have modified the backdoor implanted on Cisco devices, by exploiting a pair of zero-day flaws in the IOS XE software, to escape visibility via previous fingerprinting methods. This is made possible because the implant has been upgraded to do an extra header check and respond only if the correct Authorization HTTP header is set.
Although the activities of the implant have been reduced, as reported by detection labs and engines like NCC Group’s Fox-IT team and Censys, Cisco confirmed the behavioural changes in its updated advisories, sharing a curl command that can be issued from a workstation to check for the presence of the implant on the devices.
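As an added example (not Cisco's curl command and not code from the article), the same header-gated check can be scripted to run against a list of IOS XE management addresses. The probe path, the Authorization header value and the pattern of the implant's reply are placeholders to be filled in from Cisco's advisory; the function names `probe`, `classify_response` and `check_devices` are chosen here and are not from Cisco.

```python
"""Added example: header-gated implant check for Cisco IOS XE web UIs.

Not Cisco's tool. PROBE_PATH, AUTH_HEADER_VALUE and IMPLANT_FINGERPRINT
are placeholders; substitute the values published in Cisco's advisory.
"""
import re
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

# Placeholders standing in for the values in Cisco's advisory.
PROBE_PATH = "/PATH_FROM_CISCO_ADVISORY"
AUTH_HEADER_VALUE = "HEADER_VALUE_FROM_CISCO_ADVISORY"
# Assumption: the implant answers with a short bare token rather than the
# normal HTML web UI page. Replace with the advisory's exact pattern.
IMPLANT_FINGERPRINT = re.compile(r"^[0-9a-f]{8,64}$")


def classify_response(status, body, fingerprint=IMPLANT_FINGERPRINT):
    """Classify one probe response as 'implant', 'clean' or 'inconclusive'.

    A clean device serves its normal web UI (HTML) or rejects the request;
    the implant answers the header-gated probe with its token.
    """
    text = body.strip()
    if status == 200 and fingerprint.fullmatch(text):
        return "implant"
    if status in (401, 403, 404) or "<html" in text.lower():
        return "clean"
    return "inconclusive"


def probe(host, with_header=True, timeout=5):
    """POST the probe to one device and return (status, body).

    with_header=False reproduces the older scan that the modified implant
    no longer answers, which is why it slipped past earlier fingerprinting.
    Management interfaces commonly use self-signed certificates, so TLS
    verification is disabled for this check only.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{host}{PROBE_PATH}", data=b"", method="POST"
    )
    if with_header:
        req.add_header("Authorization", AUTH_HEADER_VALUE)
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (URLError, OSError):
        return None, ""  # unreachable / connection error


def check_devices(hosts):
    """Return {host: verdict} for each management IP or hostname given."""
    return {host: classify_response(*probe(host)) for host in hosts}


if __name__ == "__main__":
    import sys

    for host, verdict in check_devices(sys.argv[1:]).items():
        print(f"{host}: {verdict}")
```

Run it with the management addresses of your own devices as arguments; an "inconclusive" verdict (unreachable host, or a 200 with neither HTML nor the token) should be re-checked by hand rather than treated as clean.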
Bo Wang says
https://www.infosecurity-magazine.com/news/generative-ai-a-boon-for/
Experts at the ISC2 Security Congress 2023 argue that generative AI is too valuable to abandon, despite the threats it poses to organizations. They liken the risks associated with generative AI to those present in other everyday technologies. They highlight its benefits, including enhancing security through quicker documentation, system configuration guidance, coding assistance, process facilitation, and private generative AI tools.
The experts also point out potential insider threats, such as unreliable results, disclosure of sensitive data, and copyright issues, and provide mitigation strategies. They conclude by emphasizing the need for responsible and cautious use of generative AI, considering its substantial advantages.
Jon Stillwagon says
https://cybernews.com/news/boeing-lockbit-ransomware-attack/
Boeing was attacked by a ransomware gang called LockBit, and they managed to steal sensitive information. The group has been around since 2019 and has attacked countless victims around the world. It was posted on a dark web leak site that they were to infiltrate Boeing and steal sensitive information. Supposedly, if the group is not contacted within six days, it will publish all the information it has on Boeing. Boeing has over 150,000 employees worldwide who could potentially be affected by the group. The group claims to have breached the company through a zero-day exploit using the ransomware variant LockBit 3.0, which is considered the most evasive of its variants. It shares similarities with other ransomware such as BlackMatter and BlackCat. LockBit 3.0 gains access to victims’ networks through remote desktop protocol exploitation, drive-by compromise, phishing campaigns, abuse of valid accounts, and exploitation of public-facing applications. The group has been experiencing management problems, which led to it not publishing stolen data as promised in its threats to victims. The group was relying on empty threats and its reputation to convince victims to pay the ransom demands.
Celinemary Turner says
Critical Mirth Connect Vulnerability Could Expose Sensitive Healthcare Data
https://www.securityweek.com/critical-mirth-connect-vulnerability-could-expose-sensitive-healthcare-data/
Mirth Connect, an open-source data integration platform used in healthcare organizations,
Mirth Connect is used by healthcare organizations for information management and is developed by NextGen HealthCare.
Mirth Connect has been found to have a critical remote code execution (RCE) vulnerability, CVE-2023-43208. This vulnerability can be exploited without authentication, meaning that an attacker could gain access to a Mirth Connect server and execute arbitrary code without having to provide any credentials.
The vulnerability was discovered by cybersecurity firm Horizon3.ai, which reported it to NextGen Healthcare, the developer of Mirth Connect. NextGen Healthcare has released a patch for the vulnerability. But the patch does not address all potential attack vectors.
In August 2023, Mirth Connect version 4.4.0 was released to address the concern.
Horizon3.ai, a cybersecurity firm, investigated and discovered that the patch provided for CVE-2023-37679 can be bypassed. They reported their findings to NextGen HealthCare, who subsequently released Mirth Connect version 4.4.1 to address this new security issue.
My take on this article is that it’s essential for organizations to identify and address bypass vulnerabilities through thorough security testing, code reviews, and the timely application of security updates. Security researchers and attackers often search for and exploit these vulnerabilities to compromise systems, so it’s crucial to stay vigilant and keep software and systems up to date with security best practices.
Healthcare organizations that use Mirth Connect should patch their servers to version 4.4.1 as soon as possible. However, it is important to note that the patch does not address all potential attack vectors. Organizations should also implement additional security measures, such as network segmentation and intrusion detection systems, to protect their servers from attack.
Nicholas Nirenberg says
“Hackers Using MSIX App Packages to Infect Windows PCs with GHOSTPULSE Malware”
A recent cyber attack campaign has been identified, utilizing fake MSIX Windows app package files for popular software like Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to distribute a new malware loader called GHOSTPULSE. MSIX, a Windows app package format, requires access to code signing certificates, making it attractive to well-funded groups. Potential victims are likely tricked into downloading these MSIX packages through compromised websites, SEO poisoning, or malvertising. Upon installation, a PowerShell script downloads GHOSTPULSE from a remote server, masquerading as a legitimate binary bundled with Notepad++. The malware uses techniques like DLL side-loading and module stomping to evade detection and execute its final payload, including malware like SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT.
URL: https://thehackernews.com/2023/10/hackers-using-msix-app-packages-to.html
Eyup Aslanbay says
Cybercriminal Gang Used Spear-phishing to Steal 25.7M from Russian Banks
A group called Buhtrap stole money from Russian banks from August 2015 to February 2016, taking about $25.7 million. They started by tricking bank customers in 2014 and then targeted the banks themselves by 2015.
Buhtrap sent fake emails with Word files. If someone opened these files, the group could see what they were doing on their computer and steal information.
Buhtrap was the first hacker group to use a network worm to infect the overall bank infrastructure. If even one computer got infected, the whole network was at risk.
They used different tricks to spread the program, like sending emails pretending to be from the Central Bank. They also hacked some websites to trap bank workers.
They also tampered with real software to make it harmful.
They found a way to change payment destinations in bank software, so the money went to them.
The most they took from one bank was $9 million, and the least was $370,000.
Even though they stole a lot, their methods were simple. If banks were more careful and trained their workers better, this could be stopped.
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cybercriminal-gang-used-spear-phishing-to-steal-25m-russian-banks
Edge Kroll says
https://www.securityweek.com/cisos-spooked-by-sec-lawsuit-against-solarwinds-ciso/
The SEC has filed a lawsuit against SolarWinds’ former Chief Information Security Officer, Timothy Brown, for allegedly failing to disclose critical information related to the massive 2020 cyberattack on SolarWinds’ software supply chain. This attack, attributed to Russian hackers, affected government agencies and corporations using SolarWinds’ products, triggering investigations and regulatory scrutiny. The SEC claimed that Brown was aware of system vulnerabilities but did not adequately disclose them to investors.
Opinions on the lawsuit are divided. Some believe it is essential to hold CISOs accountable for cybersecurity responsibilities, emphasizing transparency. Others, including SolarWinds, fear it sets a precedent that may deter CISOs from sharing cyber threat information out of fear of legal action, hindering the industry’s ability to respond to attacks effectively.
Yannick Rugamba says
https://www.csoonline.com/article/657475/new-malware-campaign-uses-msix-packages-to-infect-windows-pcs.html
Elastic Security Labs has uncovered a malware campaign exploiting MSIX packaging to infect Windows PCs, delivering a covert malware loader named Ghostpulse. Attackers guide users to download malicious MSIX packages through compromised websites or malvertising, often disguised as popular software installers. The multi-stage attack starts with an executable that initiates a discreet download of Ghostpulse, which then employs advanced techniques like Process Doppelganging to inject the final payload, comprising various infostealers, while evading detection. The campaign highlights the need for heightened security measures to protect against these sophisticated and evolving threats.
Yannick Rugamba says
Just found out we have the same news content as Nick. 👌
Here is another interesting article, about iLeakage, a novel proof-of-concept exploit that enhances Spectre and Meltdown side-channel attack techniques, targeting Apple silicon devices running Safari. The exploit has demonstrated potential to steal sensitive user data, including Gmail content, text messages, login details, and YouTube watch histories, across various Apple devices manufactured in 2020 and beyond. Researchers highlight that while mitigation efforts have been underway since Spectre’s discovery in 2018, vulnerabilities persist. iLeakage takes advantage of speculative execution in CPUs, with a specific focus on WebKit in Safari, making iOS-based devices universally susceptible regardless of browser choice due to Apple’s sandboxing policies. Mitigations are available on macOS devices using Ventura 13.0 and above, though not enabled by default. Users are urged to stay vigilant, update devices regularly, and apply available security measures.
https://www.csoonline.com/article/657625/ileakage-updates-spectre-for-novel-info-stealing-side-channel-attack.html
Hashem Alsharif says
https://www.csoonline.com/article/657598/cybersecurity-workforce-shortage-reaches-4-million-despite-significant-recruitment-drive.html
This article talks about the shortage of cybersecurity workers, specifically a shortfall of just under 4 million. In a survey, 67% of cybersecurity professionals reported that their company has a shortage of cybersecurity staff for preventing and troubleshooting security problems. One factor that contributes to this is layoffs. Layoffs have caused 71% of professionals to experience a negative impact on workload, and 57% recognize that their ability to respond to threats is affected as well. This article also talks about the sectors that have been affected by layoffs in cybersecurity. The automotive, entertainment, and construction sectors have been hit by layoffs. Not only are a worker shortage and layoffs affecting the cybersecurity industry, but so is finding employees who are skilled in cybersecurity and able to perform their job duties.