16-Feb-24: In Security News Today

Rise in PDF Threats: Malware Spread Through PDFs on the Rise, HP Report Finds

A new report by HP Wolf Security reveals a 7% increase in PDF threats in Q4 2023 compared to Q1 of the same year. Cybercriminals are spreading malware, including WikiLoader, Ursnif, and DarkGate, through PDFs. Malicious PDF attachments are being used to trick users into installing malware, with the DarkGate campaign using ad tools to track victims and evade detection. Organizations are advised to follow zero trust principles and isolate risky activities like opening email attachments and clicking on links to protect against these threats.

Spear Phishing Campaigns Targeting EU Organizations Exploit Political and Diplomatic Events

According to the EU’s Computer Emergency Response Team (CERT-EU), spear phishing campaigns targeting organizations based in the EU have been leveraging EU political and diplomatic events. These campaigns have been particularly prevalent in 2023, with threat actors sending spear phishing emails containing malicious attachments, links, or decoy PDF files related to EU affairs and policies. The industries most targeted by these campaigns were the diplomacy, defense, and transport sectors. CERT-EU also observed emerging spear phishing tactics, including the use of instant messaging apps and social media, and highlighted the threat of spear phishing operations combined with information operations in the upcoming EU elections of May 2024.

RustDoor macOS Backdoor Targets Cryptocurrency Firms with Fake Job Offers

Cryptocurrency firms are being targeted by a new macOS backdoor called RustDoor. The malware is distributed posing as a Visual Studio update, with lures disguised as job offers in PDF files. The backdoor is capable of harvesting and uploading files, gathering information about infected machines, and communicating with a command-and-control infrastructure.

NSO Group’s MMS Fingerprint Technique Uncovered

A novel “MMS Fingerprint” technique used by NSO Group for spying, revealed through a contract detail, allows identification of a target's device and OS without user interaction, targeting Android, BlackBerry, and iOS. The method exploits MMS and binary SMS weaknesses to probe devices silently, and the device specifics it reveals can be used to tailor subsequent attacks or phishing. Security firm Enea’s investigation confirms its feasibility, emphasizing the stealth of the technique and the potential misuse of such capabilities for espionage or malware deployment.

Ex-Employee’s Admin Credentials Used in US Gov Agency Hack

A US government agency was compromised using the admin credentials of a former employee, highlighting the importance of proper account deactivation protocols. Attackers accessed internal systems and carried out reconnaissance, exploiting the lack of multifactor authentication (MFA). This incident underscores the critical need for organizations to enforce MFA, regularly audit and remove outdated accounts, and adhere to robust cybersecurity practices to mitigate the risk of unauthorized access.

Meta’s “Pay for Privacy” Proposal Faces Opposition

Civil rights groups are urging the EU to reject Meta’s proposal that allows European users to pay for opting out of data tracking, arguing it violates EU privacy laws. The scheme, introduced in November 2023, offers subscriptions to stop targeted advertising, sparking debate over privacy as a paid service. Critics, including NOYB and the Irish Council for Civil Liberties, argue this undermines the fundamental right to data protection, framing privacy as a commodity.

Ivanti Discovers New Zero-Day Vulnerability in Its Products

Ivanti, an IT software provider, has disclosed a new authentication bypass vulnerability in its Connect Secure, Policy Secure, and ZTA gateways. The vulnerability, identified as CVE-2024-22024, allows remote attackers to gain access to restricted resources on unpatched appliances without user interaction or authentication. Akamai has observed malicious activity targeting this vulnerability, and the Shadowserver Foundation has identified over 3,900 vulnerable Ivanti endpoints. Ivanti denies any exploitation of the vulnerability and refutes claims that the US Cybersecurity and Infrastructure Security Agency (CISA) has instructed federal agencies to replace Ivanti products.

CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability

The U.S. CISA issued a warning about the Akira ransomware exploiting a now-patched vulnerability (CVE-2020-3259) in Cisco ASA and FTD software that allows attackers to retrieve memory contents. The Akira ransomware group has been targeting vulnerable Cisco AnyConnect SSL VPN appliances, even though no exploit code for the vulnerability is publicly available. The ransomware landscape is evolving, with new players like Akira and Alpha emerging, prompting calls for enhanced oversight and security measures from government agencies and cybersecurity experts.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.