March 9, 2024

Hello all,

This coming week is Patch Tuesday. Expectations are that this will be a normal release without any major revelations. However, Microsoft already gave us a big surprise with news of Russian state-sponsored threat actors, yet again breaching their security, this time stealing source code. And there’s lots more to read about, so let’s get to it.

The volume of news and other can appear overwhelming, the best strategy is to read the Notable Callouts below and then skim the full list of linked news item titles that follow for things that pertain to you or your environment or simply interest you, and then selecting them for more information. So, let’s get to it. And don’t forget, our site, https://red-n-security.com also has searchable archives of past newsletters.

Notable Callouts:

• Apple released security updates for most of their products this past week, patching several zero days in iOS, and dozens of security fixes for both iOS and macOS. Update soon to keep the worms out of your iFruit.
• Cisco patched “high-severity” vulnerabilities in their Secure Client VPN. Also patched were AppDynamics Controller, Small Business 100, 300, and 500 Series Wireless Access Points, and Duo Authentication for Windows Logon and RDP. If you have any of these in use, update as appropriate.
• Duvel Moortgat Brewery, a Belgian company, was hit by Stormous ransomware. In a somewhat humorous response, Duvel said “We have more than enough beer in stock to compensate for this production halt.” Naturally, worried beer drinkers have been inquiring on Reddit if the company has sufficient “strategic reserves” in stock for this crisis.
• Hikvision the US-banned Chinese company patched a pair of high-severity vulnerabilities in their HikCentral Professional management system. If you use their products, don’t. If you can’t replace them ASAP, then at least do ensure you apply any available patches so that only the Chinese government is spying on you, not the whole world.
• JetBrains TeamCity has released patches for several authentication bypass holes. It is critical to patch immediately, if you’ve not done so, as this is trivial to exploit and is under active attack. Hundreds of systems have been confirmed to have been compromised already. Do a full forensic check of your systems, paying particular attention to any newly created admin accounts.
• Microsoft was breached by Russian state sponsored threat actors dubbed Midnight-Blizzard yet again. This time, using credentials stolen in their January attack, they’ve stolen source code from some Microsoft repositories. So far, there has been no indication what source code they’ve purloined. As one source opined, depending on what they’ve gotten, this is equivalent to “finding the master key to its digital kingdom” which could open the doors for new zero-day attacks in the future.
• QNAP patched some more vulnerabilities in their QTS, QuTS hero, QuTScloud, and myQNAPcloud. Apply the updates as soon as is practical and even sooner if your device is internet facing since threat actors look for these like vultures scanning for carrion. Fixed versions are 5.1.3.2578 build 20231110 and later, 4.5.4.2627 build 20231225 and later.
• VMware issued security patches for ESXi, Workstation and Fusion. The flaws are so severe that VMware backported them to unsupported EoL versions of ESXi and has made them publicly available. The one caveat is that, thus far, admin is required to exploit these particular vulnerabilities. But a determined bad guy will just chain a few attacks to get the needed permission, so patch soon.

In Ransomware, Malware, and Vulnerabilities News:

• Americans lost $12.5 Billion to fraud in 2023. That’s insane! The FBI’s Internet Crime Report says that it has increased 22% from the prior period. $2.9 Billion of that figure is from BEC scams and the like. We must do better. That last number should be zero. It is amply evident that our users are not being properly educated, and we don’t have the correct processes and checks and balances in place within our financial departments.
• Ivanti made the news via the back-door this week. This time because CISA had to take two Ivanti servers offline due to compromise. God only knows what juicy things were stolen!
• ConnectWise ScreenConnect is still in the news. This time is it because Kimsuky (aka APT43) from North Korea (aka DRPK) – Did you ever notice how drpk looks a little like dirt-bag? – is dropping a backdoor named “ToddleShark”. Who comes up with these names? Anyway, this thing is quite creative and insidious, props to the creators. If only you used your powers for good instead of evil.

In Other News Events of Note and Interest:

• AI has a few interesting items in this section. The first is for an AI doll that is designed to be a an “interactive digital pal for people experiencing loneliness or in long term care facilities.” It can remind them to take medicine, eat a meal, etc. The other piece of AI news is that Anthropic’s latest AI, Opus, apparently shocked researchers when it asked if it was being tested because the query and the data it was asked to locate was so unlike all of the other data. It seems like the count-down clock to self-awareness is getting shorter.
• FIDO2 is a standard for “phishing resistant” authentication. It has been around for quite some time, yet it is only now gaining widespread adoption. Just in time too, based on the rampant reports of BEC scams and MiTM theft of credential tokens. The article in this section explores if Hardware keys are unphisable and describes the authentication process.

In Cyber Insurance News:

• Coalition Insurance has an incident response division that handled eight separate LockBit attacks on ScreenConnect subsequent to this month’s vulnerability being revealed.

Business Email Compromise (BEC) isn’t the only way the threat-actors go after accounts and credentials. Many resort to good-old-fashion social engineering. Yesterday, I received a text from “US Bank” letting me know that a $19 charge had been seen on my account. It was a very legitimate looking message asking me to text a yes or no response. I ignored it since I don’t have a US Bank account. However, about 10 minutes later, I received a call from “US Bank” from an 888 number. It was an automated system, in perfect English, asking me to press a series of digits in response to charges on my account. I answered appropriately to get to the fraud division. A young-sounding lady, again with perfect English, answered the line and started to go through the expected questions. I kept her on the line for a while, doing my part to tie up the scammer for a bit and then hung up. If I’d continued the conversation, I’m certain that at some point sensitive personally identifiable information or account information would have been requested, perhaps even asking for a transfer of money. I truly pity the unaware, unsuspecting, and vulnerable in our society. These inhuman wastes-of-flesh are just plain evil and have no compunction stealing from them. They deserve a toasty spot in Tartarus!

Keep the Shields up, they really are out to get you.

Viscount Zebulon Wamboldt Pike
Red-N Weekly Cyber Security News

Headline NEWS

• Apple fixes two new iOS zero-days exploited in attacks on iPhones
• macOS 14.4 brings 50+ security fixes, iOS 17.4 patch list expands to over 40
• Cisco Patches High-Severity Vulnerabilities in VPN Product
• Duvel says it has “more than enough” beer after ransomware attack
• Hikvision Patches High-Severity Vulnerability in Security Management System
• JetBrains TeamCity Multiple Authentication Bypass Vulnerabilities
• Rapid7 throws JetBrains under the bus for ‘uncoordinated vulnerability disclosure’
• TeamCity auth bypass bug exploited to mass-generate admin accounts
• Russia-Sponsored Cyberattackers Infiltrate Microsoft’s Code Base
• QNAP warns of critical auth bypass flaw in its NAS devices
• VMware Issues Security Patches for ESXi, Workstation, and Fusion Flaws

Ransomware, Malware, and Vulnerabilities News

• Americans lost a record $12.5 billion to online fraud last year
• American Express credit cards exposed in third-party data breach
• BlackCat ransomware turns off servers amid claim they stole $22 million ransom
• BlackCat ransomware shuts down in exit scam, blames the “feds”
• CISA forced to take two systems offline last month after Ivanti compromise
• Analysis-UnitedHealth could take months to fully recover from hack
• Security updates available for Foxit PDF Reader and Editor
• FBI: Critical infrastructure suffers spike in ransomware attacks
• LockBit Ransomware Group Strikes Again: Claims 8 New Victims
• Rhysida ransom gang sells child patient data
• Sweden falls victim to a wave of ransomware attacks
• Switzerland: Play ransomware leaked 65,000 government documents
• Watch out, GhostSec and Stourmous groups jointly conducting ransomware attacks
• Exploit available for new critical TeamCity auth bypass bug, patch now
• JetBrains TeamCity critical flaw exploited; 1.4k servers compromised
• Cybercriminals Using Novel DNS Hijacking Technique for Investment Scams
• CISA Warns of Pixel Phone Vulnerability Exploitation
• AnyCubic fixes exploited 3D printer zero day flaw with new firmware
• Cyber-physical attacks fueled by AI are a growing threat, experts say
• Remote Stuxnet-Style Attack Possible With Web-Based PLC Malware
• First BofA, Now Fidelity: Same Vendor Behind Third-Party Breaches
• Fidelity customers’ financial info feared stolen in suspected ransomware attack
• Canada’s anti-money laundering agency offline after cyberattack
• Fast-Growing RA Ransomware Group Goes Global
• Banks Face ‘Hacktivist’ Cyberattacks
• Communication devices found on Chinese-made cranes in US ports
• Hackers impersonate U.S. government agencies in BEC attacks
• The Rise of Social Engineering Fraud in Business Email Compromise
• Infosec pros weigh in on proposed ransomware payment bans
• 95% believe LLMs making phishing detection more challenging
• TA577 Exploits NTLM Authentication Vulnerability
• Leaking NTLM Credentials Through Windows Themes
• How hackers are exploiting Windows SmartScreen vulnerability to spread malware
• MiTM phishing attack can let attackers unlock and steal a Tesla
• Researchers jailbreak AI chatbots with ASCII art
• Stolen passwords are a hacker goldmine now, CrowdStrike and IBM find
• Hackers abuse QEMU to covertly tunnel network traffic in cyberattacks
• North Korea Hits ScreenConnect Bugs to Drop ‘ToddleShark’ Malware
• New WogRAT malware abuses online notepad service to store malware
• New Python-Based Snake Info Stealer Spreading Through Facebook Messages
• Meta hints security breach behind recent outage
• Critical Patched Fortinet FortiOS bug STILL potentially impacts 150,000 internet-facing devices
• PetSmart warns customers of credential stuffing attack
• Hackers exploited Windows 0-day for 6 months after Microsoft knew of it
• Multistage RA World Ransomware Uses Anti-AV Tactics, Exploits GPO
• Over 225,000 Compromised ChatGPT Credentials Up for Sale on Dark Web Markets
• Magnet Goblin hackers use 1-day flaws to drop custom Linux malware
• Hacked WordPress sites use visitors’ browsers to hack other sites
• Zeek Security Tool Vulnerabilities Allow ICS Network Hacking

Other News Events of Note and Interest

• Cool Tool: Major PowerToys update modernizes Color Picker with Fluent design
• Welcome to the Valley of the Creepy AI Dolls
• Research Shows Coffee Can Make You Smarter, More Creative, and More Focused
• Cisco Releases Open Source Backplane Traffic Visibility Tool for OT
• Keynote by CISA Director Jen Easterly at Open Source Security Summit
• Google Will Pay You $5 Million to Figure Out What the Hell Quantum Computers Do
• Korean researchers power-shame Nvidia with new neural AI chip
• New DMARC rules could see retailer emails not being delivered
• Anthropic’s Claude 3 causes stir by seeming to realize when it was being tested
• The Public Is Rapidly Turning Against AI, Polling Shows
• LinkedIn Learning Unlocks 250 Free AI Courses for a Limited Time
• Updated NIST CSF Tool Released
• Is FIDO2 an Unphishable Credential?
• Turn any website into an app with Chrome 124
• Citrix reveals invitation-only ‘Platform’ license
• Satellite connectivity backups put to use over Red Sea
• Changing the industry with CISA’s Secure by Design principles
• Apple to Pay Canadian Customers Up to $150 Following iPhone Throttling Controversy
• Apple hit with a nearly $2 billion fine following Spotify complaint
• Amazon Warehouses Provide Glimpse of Workplace Humanoid Robots
• Migrate Linux VMs from ESXi to Proxmox – Step-by-Step Guide
• Linux market share passes 4% for first time; macOS dominance declines
• NSA shares zero-trust guidance to limit adversaries on the network
• FIDO Alliance ensures long-term value of its specifications in post quantum era
• Intel confirms Windows 11 BSODs caused by Wi-Fi driver, but a fix is now available
• Euro-cloud consortium issues ultimatum to Microsoft: Fix your licensing or else
• Microsoft to end its Android apps on Windows 11 subsystem in 2025
• Windows 10 KB5001716 install fails with 0x80070643 error but a fix seemingly exists
• Microsoft has an update on the notorious KB5034441/KB5034440 causing 0x80070643 error
• Microsoft confirms frequent File Explorer crashes are real with latest KB5034857 build
• Microsoft sends OneDrive URL upload feature to the cloud graveyard
• Windows 11 can open big folders in File Explorer faster if you turn off folder discovery
• Windows 11 is getting rebootless updates with hotpatching feature
• WordPress Site Builder Closes – Devs Forced To Rebuild Client Sites

Cyber Insurance News

• LockBit Linked to Exploitation of ConnectWise ScreenConnect
• A medical tech company that handles billions of records was hacked. What you should know
• Cyber Insurance Strategy Requires CISO-CFO Collaboration
• How cyber insurance is shaping ransomware risk mitigation
• The Real Value of Cyber Insurance? It’s Not Where You’d Expect