21-Mar-24: In Security News Today

Atlassian Releases Fixes for Over 2 Dozen Flaws, Including Critical Bamboo Bug

Atlassian has released patches for over two dozen security flaws, including a critical SQL injection vulnerability (CVE-2024-1597) in Bamboo Data Center and Server with a CVSS score of 10.0. The flaw, which lies in the org.postgresql:postgresql dependency, could allow an unauthenticated attacker to attack exposed assets without user interaction, with high impact on confidentiality, integrity, and availability. Versions of the PostgreSQL JDBC Driver prior to 42.7.2 are affected by this vulnerability.

Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability

Ivanti has released a patch for a critical remote code execution vulnerability (CVE-2023-41724) affecting Standalone Sentry, with a CVSS score of 9.6. The flaw impacts versions 9.17.0, 9.18.0, and 9.19.0, and can allow unauthenticated threat actors to execute arbitrary commands. Additionally, a separate critical vulnerability (CVE-2023-46808) affecting on-premises versions of Neurons for ITSM has been patched, allowing authenticated remote attackers to perform arbitrary file writes and obtain code execution.

Fake Obituary Sites Send Grievers to Porn and Scareware Pages

Security researchers have identified a scheme involving fake obituaries created with generative AI to redirect visitors to adult entertainment sites and trigger scareware (fake antivirus) popups. Scammers monitor Google search trends to target emotionally vulnerable individuals searching for obituaries. By using SEO poisoning techniques, the scammers aim to profit from affiliate rewards and pay-per-impression revenue, and the scheme could evolve into more malicious activity such as malware delivery.

AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials

AndroxGh0st malware targets Laravel applications to steal sensitive data by scanning .env files for login details related to AWS and Twilio. The malware exploits vulnerabilities in Apache HTTP Server, Laravel Framework, and PHPUnit for initial access, privilege escalation, and persistence. Threat actors use AndroxGh0st to exfiltrate data from various sources, emphasizing the importance of updating software and monitoring for suspicious activity in cloud environments.

Russian Hackers Using TinyTurla-NG to Breach European NGO’s Systems

The Russia-linked threat actor Turla breached systems of a European NGO using the TinyTurla-NG backdoor, as reported by Cisco Talos. The attackers established persistence, added exclusions to antivirus products, and used Chisel for data exfiltration and network pivoting. The attack, targeting specific organizations in Poland, involved evading detection by configuring Microsoft Defender exclusions and deploying the backdoor for reconnaissance and file exfiltration.

Unsaflok Flaw Can Let Attackers Unlock Millions of Hotel Doors

Researchers have discovered a series of vulnerabilities, named Unsaflok, in Saflok electronic RFID locks used in 13,000 hotels worldwide, allowing hackers to unlock any door by forging keycards. The flaws have been present for over 36 years, impacting 3 million doors, and while no confirmed exploits have been reported, the risk is heightened due to the extensive exposure period. Dormakaba, the manufacturer, is working on mitigations, but as of March 2024, 64% of the vulnerable locks remain unaddressed, posing a significant security concern for hotel guests and staff.

Session Takeover Bug in AWS Apache Airflow Reveals Larger Cloud Risk

A vulnerability in Amazon Web Services’ Managed Workflows for Apache Airflow (MWAA) allowed attackers to take over users’ sessions, perform remote code execution, and move laterally within cloud environments. The issue stemmed from a shared-domain misconfiguration risk that also affects Microsoft Azure and Google Cloud, potentially impacting a wide range of businesses. AWS addressed the vulnerability in September 2023, but the underlying shared-domain issue that enabled the exploit remains a concern across major cloud platforms.

New phishing campaign targets US organizations with NetSupport RAT

A new phishing campaign named PhantomBlu is targeting US organizations by distributing malicious documents that deliver NetSupport RAT through techniques such as OLE template manipulation and PowerShell code. The attackers impersonate an accounting service, sending emails with password-protected .docx attachments through a legitimate email marketing service to evade spam filters. The campaign marks a shift in tactics toward encrypted .docx files and advanced evasion methods, highlighting the need for updated detection signatures.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.