20-Feb-24: In Security News Today

Zero-Day Vulnerability Potentially Affecting up to 97,000 Microsoft Exchange Servers

A recent zero-day vulnerability, CVE-2024-21410, potentially affects up to 97,000 Microsoft Exchange servers, enabling privilege escalation and pass-the-hash attacks. Microsoft has released patches, including for Exchange Server 2019, which lacked NTLM credential relay protection by default. Cybersecurity agency CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog, emphasizing the need for urgent patching and system checks by organizations.

New Migo Malware Targeting Redis Servers

A new malware campaign named Migo is targeting Redis servers to mine cryptocurrency on compromised Linux hosts. The malware uses novel system weakening techniques and persistence mechanisms to evade detection and establish mining operations. Migo also disables security defenses, deploys rootkits, and exhibits behaviors similar to known cryptojacking groups, showcasing the evolving tactics of cloud-focused attackers.

DDoS Attack Impacts Top UK Universities

Top UK universities, including the University of Cambridge, experienced a DDoS attack claimed by the Anonymous Sudan hacktivist group, impacting internet access and IT services. The attack targeted the Janet Network, which is managed by Jisc, and affected multiple universities. Cybersecurity professionals emphasize the need for universities to enhance their cybersecurity postures due to the increasing threat of cyber-attacks and the vulnerability of educational institutions.

Security Risks in Salesforce Apex Programming Language

A security advisory warns Salesforce users about common programming errors and misconfigurations in customized instances that can expose sensitive data. The Apex programming language, used to add functionality to Salesforce instances, can lead to vulnerabilities if not used securely. Security experts highlight the risks of misconfigurations, lax permissions, and the importance of following best practices to protect Salesforce applications from data leaks and unauthorized access.

Operation Cronos: Taking Down LockBit Ransomware Group

Operation Cronos, led by the UK’s National Crime Agency and the FBI, successfully dismantled the LockBit ransomware group, seizing servers, accounts, and tools. Europol and law enforcement agencies from multiple countries collaborated in this significant cybercrime operation. The takedown resulted in the recovery of decryption keys, aiding in the development of tools to assist LockBit victims, while cybersecurity experts express cautious optimism about the long-term impact on cybercrime.

Hacked Iraqi Voter Information Found for Sale Online

Researchers discovered a 21.58GB database for sale, containing stolen Iraqi voter information from the Independent High Electoral Commission (IHEC), highlighting a significant cybersecurity breach. This leak, believed to be from either an IT supply chain compromise or an insider threat, underscores the growing trend of electoral cyber threats, which have increased significantly worldwide. The incident emphasizes the need for heightened security around electoral systems and vigilance against cyberespionage, particularly as such data can be exploited for years, affecting future elections and democratic integrity.

Winter Vivern Exploiting XSS Vulnerabilities in Roundcube Webmail Servers

The Russia-aligned threat group Winter Vivern has been exploiting cross-site scripting (XSS) vulnerabilities in Roundcube webmail servers across Europe, targeting government, military, and national infrastructure in countries like Georgia, Poland, and Ukraine. The group, also known as TAG-70, TA473, and UAC-0114, utilized a Roundcube zero-day exploit to gain unauthorized access to targeted mail servers across various sectors. Defending against such cyber-espionage campaigns can be challenging, but organizations can mitigate the impact by encrypting emails, patching software, limiting sensitive information stored on servers, and practicing good cyber hygiene.

CISA Warning: Akira Ransomware Exploiting Cisco ASA/FTD Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about the Akira ransomware exploiting a now-patched vulnerability in Cisco ASA and FTD software. The vulnerability, CVE-2020-3259, allows attackers to retrieve memory contents on affected devices. Akira ransomware has been targeting vulnerable Cisco AnyConnect SSL VPN appliances, and no exploit code for the vulnerability is publicly available.

Ransomware Attacks on Financial Giants by BlackCat Group

The BlackCat/Alphv ransomware group has claimed responsibility for cyberattacks on LoanDepot and Prudential Financial, threatening to leak or sell the stolen data. LoanDepot confirmed a data breach affecting 16.6 million people, while Prudential Financial reported unauthorized access to administrative and employee data, with no evidence of customer data theft. Despite law enforcement actions against BlackCat, the group has resumed operations, highlighting the persistent threat of ransomware to financial institutions.

Iran and Hezbollah Cyber Attacks Target Israel-Hamas Conflict

Iran and Hezbollah-backed hackers launched cyber attacks to influence public opinion during the Israel-Hamas conflict, targeting key Israeli organizations with destructive attacks, hack-and-leak operations, phishing campaigns, and information operations. The cyber operations were executed independently of kinetic actions, showcasing the use of cyber capabilities for regional influence without direct military confrontation. Iranian and Hezbollah groups collaborated to expand their attack focus beyond Israel, targeting countries perceived as aiding Israel, while Iranian groups slowed recent operations to develop more elaborate influence operations.

North Korean Hackers Targeting Defense Firms Worldwide

A joint advisory by Germany’s BfV and South Korea’s NIS reveals North Korean state-sponsored hackers are conducting cyber espionage campaigns targeting defense firms globally to steal advanced technologies. The Lazarus Group is implicated in using social engineering tactics like fake job offers to infiltrate the defense sector and distribute malware. The hackers employ various techniques, including software supply chain attacks, to compromise systems and steal sensitive information for strategic purposes.

Cactus Ransomware Group’s Attack on Schneider Electric

The Cactus ransomware group has confirmed hacking Schneider Electric, claiming to have stolen 1.5 terabytes of data from the company’s Sustainability Business division. The attack, disclosed by Schneider Electric at the end of January, compromised specific systems and led to the exfiltration of sensitive data, including passports and non-disclosure agreements. This incident underlines the ongoing threat posed by ransomware groups targeting critical infrastructure sectors and emphasizes the need for robust cybersecurity measures.

Exploitation of Bricks Builder Plugin Vulnerability

Cyber attackers are exploiting a vulnerability in the Bricks Builder WordPress plugin, identified as CVE-2024-25600, to execute remote code and deploy malware on websites. This flaw, allowing arbitrary PHP code execution without authentication, was patched with the release of Bricks Builder version 1.9.6.1. Despite the patch, there have been observed exploitation attempts, underlining the critical need for users to update their installations to safeguard against potential attacks.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.