28-Feb-24: In Security News Today

70% Increase In Public Ads Selling 0-day Exploits

Security researchers have observed a rise in threat actors utilizing zero-day exploits to enhance targeted attacks, with a 70% increase in public ads selling such exploits between 2022 and 2023. Additionally, there is a growing interest in compromising ChatGPT credentials to access sensitive corporate data, as these accounts often lack multi-factor authentication protection. The report highlights the risks posed by these tactics, including potential espionage activities and the sale of compromised credentials on the dark web.

Chinese Threat Actors Exploit Ivanti Connect Secure VPN Vulnerabilities

Mandiant reports that Chinese threat actors, specifically UNC5325, have been exploiting Ivanti Connect Secure VPN vulnerabilities even after they were patched on January 31. The attackers targeted a server-side request forgery (SSRF) vulnerability to deploy new malware families like LittleLamb.WoolTea, PitStop, Pitdog, PitJet, and PitHook. UNC5325 demonstrated a sophisticated understanding of Ivanti’s VPN appliance, deploying web shells and persistently injecting malware despite some persistence attempts failing.

FBI Warns of BlackCat Ransomware Targeting Healthcare Sector

The FBI has issued a warning about BlackCat ransomware attacks on the healthcare sector; the group has focused on hospitals since law enforcement actions were taken against it. The ransomware group has remained active despite those efforts, targeting critical infrastructure organizations and exploiting vulnerabilities in remote access software like ConnectWise’s ScreenConnect. Additionally, ransomware groups are evolving their tactics, such as developing custom tools like MrAgent and selling direct network access for monetization.

Iran-Linked UNC1549 Hackers Target Middle East Aerospace & Defense Sectors

Iranian threat actor UNC1549 is conducting cyber espionage attacks targeting aerospace, aviation, and defense industries in the Middle East, including Israel and the U.A.E. The attacks involve the use of Microsoft Azure cloud infrastructure for command-and-control, social engineering tactics, and custom backdoors like MINIBIKE and MINIBUS. These activities are challenging for network defenders to prevent and detect, and the intelligence collected may be used for espionage or kinetic operations.

Microsoft Releases PyRIT – A Red Teaming Tool for Generative AI

Microsoft has introduced PyRIT, an open access automation framework designed to identify risks in generative artificial intelligence systems. The tool assesses the robustness of large language model endpoints against various harm categories and security risks. While PyRIT aims to provide empirical data on model performance, Microsoft emphasizes that it complements manual red teaming efforts and helps highlight risk areas for further investigation.

Increase in Compromised Roblox Accounts and Cybercriminal Activity

Between 2021 and 2023, there has been a significant increase in cybercriminal activity targeting the Roblox gaming platform, with 34 million credentials exposed on the dark web. The compromised accounts have surged by 231% over the past three years, reaching 15.5 million in 2023. Cybercriminals are employing deceptive methods like hiding infostealers within cheat code files or sharing malicious download links on popular platforms to exploit the trusting nature of young gamers.

Iranian Hacking Group Targets Aerospace and Defense Firms

The ‘Illusive’ Iranian hacking group UNC1549, also known as Smoke Sandstorm and Tortoiseshell, has been targeting Israeli and UAE aerospace and defense firms with customized cyberattack campaigns. The group tailors their attacks for each specific organization, posing a significant threat to the Middle East & Africa region.

Cybercriminals Target Mexican Organizations with ‘Timbre Stealer’ Infostealer Campaign

A new infostealer campaign called ‘Timbre Stealer’ is targeting organizations in Mexico through tax-themed phishing attacks, focusing on manufacturing and transportation sectors. The campaign, observed by Cisco Talos, employs anti-analysis techniques and collects diverse data once executed. Cybersecurity experts warn about the increased risk of tax-themed scams during this period and recommend user training to mitigate the threat.

Cybersecurity Advisory: Russian State-Sponsored Actors Exploiting Ubiquiti EdgeRouters

A joint Cybersecurity Advisory issued by FBI, NSA, US Cyber Command, and international partners warns about Russian state-sponsored cyber actors exploiting compromised Ubiquiti EdgeRouters. These actors, identified as APT28, Fancy Bear, and Forest Blizzard, are using the routers to harvest credentials, proxy network traffic, and host malicious landing pages. The advisory emphasizes the urgency of taking remedial actions to prevent future compromises, including conducting hardware resets, updating firmware, changing default credentials, and implementing robust firewall rules.

Threat Group Midnight Blizzard Leveraging Cloud Services for Attacks

The threat group Midnight Blizzard, associated with Russian intelligence services, is targeting organizations by exploiting cloud services accounts and dormant accounts to gain access to cloud environments. This shift in tactics has prompted warnings from cybersecurity agencies in the UK and the US, urging organizations to protect against the threat actor’s techniques. Midnight Blizzard’s methods include brute-force attacks on cloud service accounts, leveraging dormant accounts, and abusing authentication tokens to maintain persistence in compromised cloud environments.
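Two of the sign-in patterns named above, password spraying against cloud service accounts and the reuse of dormant accounts, are straightforward to surface from authentication logs. The following Python is an added example, not code from the original item or from any vendor or agency it cites: it runs over a handful of constructed sign-in log lines in a hypothetical key=value format, with made-up users, IPs and thresholds, and flags a source IP that fails against many distinct accounts in a short window and a successful login to an account that has not been used for months.

```python
"""Added example (not from the original page): flag two sign-in patterns the
Midnight Blizzard summary describes, password spraying against cloud accounts
and logins to dormant accounts, over constructed sample log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (hypothetical tenant, users and IPs).
# One IP fails against five different accounts in a few seconds, and a
# service account that has been idle for months signs in successfully.
SAMPLE_LOG = """\
2024-02-27T08:00:00Z user=alice@example.test ip=203.0.113.10 result=success
2024-02-27T08:00:05Z user=bob@example.test ip=203.0.113.10 result=failure
2024-02-27T08:00:06Z user=carol@example.test ip=203.0.113.10 result=failure
2024-02-27T08:00:07Z user=dave@example.test ip=203.0.113.10 result=failure
2024-02-27T08:00:08Z user=erin@example.test ip=203.0.113.10 result=failure
2024-02-27T08:00:09Z user=frank@example.test ip=203.0.113.10 result=failure
2024-02-27T08:01:00Z user=svc-legacy@example.test ip=198.51.100.7 result=success
2024-02-27T09:00:00Z user=alice@example.test ip=192.0.2.5 result=success
"""

# Constructed "last successful sign-in" record per account before this window
# (in practice this comes from the identity provider's sign-in history).
LAST_SEEN = {
    "alice@example.test": datetime(2024, 2, 26),
    "bob@example.test": datetime(2024, 2, 20),
    "svc-legacy@example.test": datetime(2023, 6, 1),  # idle for roughly nine months
}


def parse_line(line):
    """Parse one 'TIMESTAMP key=value ...' line into (ts, user, ip, result)."""
    ts_str, *kv = line.split()
    fields = dict(part.split("=", 1) for part in kv)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["user"], fields["ip"], fields["result"]


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Password spray heuristic: one source IP failing against at least
    min_users distinct accounts within `window`. Returns {ip: distinct users}."""
    failures_by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "failure":
            failures_by_ip[ip].append((ts, user))
    hits = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[ip] = len(users)
                break
    return hits


def detect_dormant_logins(events, last_seen, dormant_after=timedelta(days=90)):
    """Successful sign-ins to accounts unseen for longer than `dormant_after`
    (or never seen at all). Returns a list of (user, ip, timestamp)."""
    hits = []
    for ts, user, ip, result in events:
        if result != "success":
            continue
        previous = last_seen.get(user)
        if previous is None or ts - previous > dormant_after:
            hits.append((user, ip, ts.isoformat()))
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("possible password spray:", detect_spray(evts))
    print("dormant account sign-ins:", detect_dormant_logins(evts, LAST_SEEN))
```

The thresholds (five accounts in five minutes, ninety days of inactivity) are assumptions chosen for the sample data; tune them to the tenant's baseline, and treat a dormant-account hit as a prompt to check whether that account still needs to exist and whether it has MFA.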

Mac Malware Spread Through Calendar Meeting Links

Malicious hackers are targeting individuals in the cryptocurrency sector by adding links to their Calendly calendars, leading to the installation of malware on macOS systems. The malware is distributed through fake video conference calls that impersonate established investors. It is a trojan linked to North Korean state-sponsored hackers, aimed at stealing funds from cryptocurrency businesses.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.