Welcome to our bi-weekly cyber threat roundup, where we delve into the ever-evolving landscape of cyber security to bring you the latest insights on malicious activities, malware attacks, data breaches, and beyond. In today's interconnected world, the digital realm is fraught with risks, with threat actors constantly seeking new vulnerabilities to exploit and sensitive information to compromise. Amongst the latest threats is a data breach in the Cisco Duo Service and APT28's exploitation of a Windows Print Spooler vulnerability.
Read more about the most recent threats in the below.
Backdooring Firewalls in Palo Alto Networks Since March
Suspected nation-state actors have been capitalising on a zero-day vulnerability within Palo Alto Networks firewalls, officially designated as CVE-2024-3400, since March 26.
These intruders have leveraged the compromised devices to infiltrate internal networks, absconding with both data and credentials.
Palo Alto Networks issued a cautionary alert recently, highlighting ongoing exploitation of an unauthenticated remote code execution flaw in its PAN-OS firewall software. They assured users that patches would be made available by April 14.
Given the active exploitation, Palo Alto Networks chose to disclose the vulnerability promptly and provide interim measures to safeguard customers' devices until patches were finalised.
In a recent report, further insights were revealed regarding how hackers have exploited the vulnerability since March. They've engineered a custom backdoor to infiltrate the targeted internal networks and pilfer sensitive data.
Identified as UTA0218, this malicious campaign is strongly suspected to be orchestrated by state-backed threat actors. The sophistication of the attack, the profile of targeted victims, and the adeptness demonstrated in deploying the Python backdoor all point towards this conclusion.
The exploitation timeline traces back to March 26, with initial detection on April 10, within the GlobalProtect feature of Palo Alto Networks PAN-OS. Subsequent investigations unveiled an operation, with threat actors exploiting the vulnerability to its fullest potential.
Cisco Duo Service Data Breach
Cisco’s Duo authentication service has experienced a significant data breach exposing sensitive information, particularly SMS multi-factor authentication (MFA) logs, of users. This authentication service is used for securing access to various online platforms. The breach exposed sensitive information, particularly SMS MFA logs, of users relying on Duo's services. MFA has been a cornerstone of modern cyber security practices, offering an additional layer of protection beyond passwords. However, this breach underscores the potential risks associated with SMS-based MFA.
As data protection regulations such as General Data Protection Regulation (GDPR) are rigorous, the exposure of sensitive information like MFA logs raises significant concerns. Businesses are obligated to safeguard customer data and ensure compliance with regulatory requirements. Any breach that compromises the security of personal information can result in severe financial penalties and damage to the organisation's reputation.
Malware in GitHub Comments on Microsoft Repos
The GitHub platform, either due to a flaw or intentional design, is being manipulated by malicious actors to disseminate malware through URLs linked to Microsoft repositories, thereby lending an air of legitimacy to the files.
While the primary focus of this malicious activity revolves around URLs associated with Microsoft GitHub repositories, this loophole could potentially be exploited across any public repository on the platform, enabling threat actors to construct highly convincing bait.
While GitHub has taken action against malware in Microsoft repositories, threats persist with other repositories like httprouter and Aimmy, prompting ongoing efforts to address the issue.
APT28 Exploits Windows Vulnerability Disclosed by NSA
Microsoft cautions about the exploitation of a Windows Print Spooler vulnerability by the Russian APT28 group, enabling privilege escalation and data theft via a novel hacking tool dubbed GooseEgg.
This threat, active since at least June 2020 and potentially earlier, was addressed by Microsoft in their October 2022 Patch Tuesday release, although not labeled as actively exploited in their advisory.
APT28, attributed to Russia's GRU Military Unit 26165, utilizes GooseEgg to execute malicious payloads, command executions with SYSTEM-level permissions, and deploy additional malware.
APT28 has a history of high-profile cyberattacks, including exploiting Cisco router vulnerabilities with Jaguar Tooth malware and evading detection using hacked Ubiquiti EdgeRouters. They were also involved in breaches of the German Federal Parliament and hacking incidents during the 2016 U.S. Presidential Election.
Introducing Brokewell: Android Malware Targets Data
Recently uncovered, the Android banking trojan, Brokewell, has garnered attention from security experts due to its sophisticated capabilities, including data theft and remote control functions. It spreads via fake Google Chrome updates and has targeted financial services like Klarna in the past.
Developed by a threat actor known as Baron Samedit, Brokewell's advanced features pose challenges to device security, evading detection tools effectively. To mitigate risks, users should avoid unofficial app sources and enable Google Play Protect on their devices.
Millions of SQL Injection Attacks Target WP Automatic WordPress Plugin
A critical vulnerability in the WP Automatic plugin for WordPress has been exploited by cybercriminals, allowing them to create admin-level accounts and establish hidden access points.
This flaw affects versions prior to 3.9.2.0 and facilitates SQL injection attacks. Over 30,000 websites are at risk, with over 5.5 million attempted attacks recorded by WPScan.
To protect sites, update to version 3.92.1+ and maintain backups.
