14-Feb-24: In Security News Today

APT Groups Utilize ChatGPT for Cyber Operations

Microsoft has detected APTs from countries like Russia, China, North Korea, and Iran using ChatGPT to automate tasks such as vulnerability research, malware scripting, and target reconnaissance. These activities aim to support cyber operations and spear-phishing campaigns by leveraging generative AI for understanding and exploiting vulnerabilities, as well as evading detection. Microsoft and OpenAI have responded by disabling accounts linked to these threat actors.

DarkMe Malware Targets Traders Using Microsoft SmartScreen Zero-Day Vulnerability

A zero-day vulnerability in Microsoft Defender SmartScreen has been exploited by an advanced persistent threat actor called Water Hydra to target financial market traders. The vulnerability, CVE-2024-21412, allows the threat actor to bypass SmartScreen and infect victims with the DarkMe malware. The attack involves tricking victims into clicking on a booby-trapped URL distributed via forex trading forums, which leads to the installation of DarkMe in the background while displaying a stock graph to maintain the ruse.

SAP Addresses Critical Vulnerability

SAP patched a critical vulnerability (CVE-2024-22131) in the SAP ABA cross-application component, with a CVSS score of 9.1, that could allow attackers to execute code remotely, potentially impacting user and business data. The flaw was mitigated by adding checks on external function module calls, affecting various SAP ABA versions. This update was part of SAP’s February 2024 Security Patch Day, which also addressed other security issues across its product suite.

Battery Maker Varta Paralyzed by Cyberattack

Battery manufacturer Varta Group was targeted in a cyberattack, resulting in the shutdown of its production and administration systems. The extent of the impact and the nature of the attack are still being investigated, and it is unclear whether ransom demands have been made. Varta is working with cybersecurity experts to restore normal operations and mitigate the incident.

KeyTrap DNS Vulnerability Threat

Researchers have unveiled a critical DNSSEC flaw named KeyTrap (CVE-2023-50387), potentially the most severe DNS attack ever, capable of causing widespread internet disruption. This flaw allows for CPU resource exhaustion through a single crafted DNS packet, affecting over 31% of web clients using DNSSEC-validating resolvers as of December 2023. Despite patches being released by affected vendors, addressing KeyTrap requires a fundamental redesign of DNSSEC’s underlying philosophy.

Chipmakers AMD and Intel Address Critical Vulnerabilities

AMD and Intel have issued patches for over 100 vulnerabilities, with 21 of them being high-severity issues that could lead to privilege escalation, code execution, or denial-of-service (DoS) attacks. AMD’s advisories cover a range of products, including embedded processors and FPGA series devices, while Intel’s updates span various drivers, device firmware, and software products. Both companies aim to bolster security across their product lines, with no current reports of these vulnerabilities being exploited in malicious attacks.

Zoom Fixes Critical Windows Vulnerability

Zoom patched seven vulnerabilities, including a critical flaw (CVE-2024-24691) in its Windows applications that could allow privilege escalation through improper input validation. Versions prior to the fixed releases are affected, and users are urged to upgrade to secure their systems. This measure by Zoom underlines the importance of keeping applications updated to protect against potential cyber threats.

Ubuntu ‘command-not-found’ Tool Could Trick Users into Installing Rogue Packages

Researchers have discovered that the ‘command-not-found’ utility in Ubuntu can be exploited by threat actors to recommend their own malicious packages and compromise systems. The tool suggests packages to install when users attempt to run commands that are not available. Attackers can manipulate the tool through the snap repository, leading to deceptive recommendations of rogue packages. Users are advised to verify the source of packages before installation and developers are urged to register the associated snap name for their commands to prevent misuse.

Iran-Backed Hackers Undercut Public Support for Israel-Hamas Conflict, Google Confirms

Google’s Threat Analysis Group (TAG) has confirmed that Iran-backed hackers have used cyber capabilities to undermine public support for the Israel-Hamas conflict in the US and Israel. These hackers accounted for 80% of all government-backed phishing activity targeting users in Israel in the six months leading up to Hamas’s attack. The hackers employed tactics such as destructive attacks, hack-and-leak operations, information operations, and phishing campaigns to erode trust in critical organizations and turn global public opinion against Israel.

Prudential Financial Data Breach Notification

Prudential Financial disclosed to the SEC a data breach that occurred in early February, affecting administrative and user data, including employee and contractor accounts. While the exact impact remains under investigation, no theft of customer or client data has been reported. The incident, potentially linked to a cybercrime group, is not expected to materially affect the company’s operations.

North Korean Hackers Target South Korean Presidential Staff

Presumed North Korean hackers breached the personal emails of a South Korean presidential staffer, exploiting the staffer’s use of a commercial email service for official duties. The attack, detected before President Yoon Suk Yeol’s trip to Europe, did not compromise the office’s security systems. This incident underlines North Korea’s extensive cyber program, which targets foreign governments and businesses to finance its weapons development.

Water Hydra APT Group Exploits Zero-Day Vulnerability to Target Financial Traders

The Water Hydra APT group, also known as DarkCasino, has been targeting financial market traders using a complex zero-day attack chain. They exploited a critical vulnerability, CVE-2024-21412, to bypass Microsoft Defender SmartScreen and infect victims with the DarkMe malware. The attack involved manipulating Windows Explorer views and deceiving users into clicking malicious internet shortcut files.

Bank of America Warns Customers of Data Leak Due to Ransomware Attack on Technology Partner

Bank of America has notified customers of a data leak that occurred as a result of a ransomware attack on technology partner Infosys McCamish Systems. The breach affected at least 57,028 customers and exposed sensitive data, including names, Social Security numbers, addresses, and other account information. This incident highlights the importance of securing access to data and environments across third-party systems, and experts suggest strategies such as risk management, software bill of materials, and hosting third-party services on-premises to mitigate these threats.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.