Hackers uploaded fake NFT and discount ads to nearly 2000 hacked WordPress sites to trap visitors and link their electronic wallets to crypto drainers, which automatically steal stored assets. The National Cyber ​​Security Institute reported the incident.


More

The United Kingdom and the United States have signed a landmark agreement to ensure joint work on advanced AI testing. This is the first bilateral agreement on the subject; according to the text signed on Monday, the two countries will collaborate to develop stable, reliable methods to ensure the safety of artificial intelligence tools and their supporting systems.

British Technology Minister Michelle Donelan mentioned that the agreement was formulated at the November 2023 AI Safety Summit held in Bletchley Park. The summit was attended by CEOs of leading AI companies, including OpenAI's Sam Altman, Google DeepMind's co-founder Demis Hassabis, and billionaire businessman and tech guru Elon Musk. During the meeting, the AI Safety Institutes was established by American and British parties to evaluate open and closed-source AI systems.

In both countries, most AI companies regulate themselves. Currently, companies operating exclusively in the USA are still inclined to cooperate, but regulatory authorities remain quite permissive. For instance, authorities have not yet demanded access to sensitive data that companies are reluctant to share, such as the environmental impact of operating artificial intelligences.

The European Union's AI Act, which is about to be enacted, will require certain AI systems to disclose sensitive information, such as the risks they pose and the data they use for operation. These measures are crucial, especially after OpenAI announced that it would not release its voice-mimicking software due to "high risk."

U.S. Commerce Secretary Gina Raimondo believes the agreement will help governments gain a deeper understanding of artificial intelligence, thus providing better guidance in developments.

More info

While 2023 was a challenging year for cybersecurity professionals, it is expected that 2024 will pose even more challenges for them.

Flashpoint, a threat analysis company, observed a drastic increase in various cybersecurity incident indicators in the first two months of this year alone. According to Flashpoint's statistics, there were 6,077 registered data protection incidents in 2023, during which attackers accessed more than 17 billion lines of personal data (a 34.5% increase compared to 2022). In the first two months of this year, this number increased by 429% compared to the first two months of last year. More than 60% of the incidents in 2023 affected the United States. The number of ransomware attacks increased by 84% in 2023, and a 23% increase was observed in the first two months of 2024.

Despite the large numbers of 2023, it's worth highlighting a cyberattack, MOVEit, and the associated cybercriminal group, LockBit. The exploitation of MOVEit accounted for 19.3% of the cyberattacks announced in 2023, putting 1,049 users at risk. LockBit's operations were interrupted on February 20, 2024, when international law enforcement agencies seized their servers and arrested some of its members (Operation Cronus). Since then, LockBit has created a new dark web site, claiming that they continue their activities uninterrupted. However, Flashpoint is not so sure about this, as they believe there are several indications that the aforementioned operation significantly impacted their operations.

Flashpoint highlighted that their data and statistics come from publicly available information. The company's data collection is based on various dark web sites, ransomware blogs, public publications, and NVD vulnerabilities. The company also draws attention to critical issues such as vulnerabilities that have not yet been assigned a CVE identifier. In February 2024, Flashpoint analysts found 330 vulnerabilities that cybercriminals exploit in real situations and do not yet have a CVE identifier. These critical flaws affect companies including Adobe, Apple, Google, Microsoft, Siemens, and SolarWinds.

securityweek.com

Cisco has fixed several vulnerabilities in its IOS and IOS XE software that could allow an unauthenticated attacker to cause a denial of service (DoS) condition.

The most severe issues addressed by the company include:

CVE-2024-20311 (CVSS score: 8.6) – Vulnerability in the Locator ID Separation Protocol (LISP) function of Cisco IOS software and Cisco IOS XE software. An unauthenticated, remote attacker could exploit this vulnerability to reboot the affected device.

CVE-2024-20314 (CVSS score: 8.6) – Vulnerability in the IPv4 Software-Defined Access (SD-Access) fabric edge node function of Cisco IOS XE software. An unauthenticated, remote attacker could exploit this flaw, causing high CPU utilization, halting all traffic processing, and resulting in a denial of service (DoS) condition on the affected device.

CVE-2024-20307 and CVE-2024-20308 (CVSS score: 8.6) – Multiple vulnerabilities in the IKEv1 (Internet Key Exchange version 1) fragmentation function of Cisco IOS software and Cisco IOS XE software. An unauthenticated, remote attacker could cause heap overflow or corruption in the affected system.

CVE-2024-20259 (CVSS score: 8.6) – Vulnerability in the DHCP snooping function of Cisco IOS XE software. An unauthenticated, remote attacker exploiting this vulnerability can reboot the affected device, potentially leading to a denial of service (DoS) condition.

CVE-2024-20303 (CVSS score: 7.4) – Vulnerability in the multicast DNS (mDNS) gateway function of the Wireless LAN Controller (WLC) IOS XE software. An unauthenticated attacker could exploit this flaw to cause a denial of service (DoS) condition.

The company also remediated several other high and medium severity vulnerabilities in the Access Point Software, Catalyst Center, and Aironet Access Point Software products.

Additionally, Cisco published a document containing recommendations to defend against password spraying attacks targeting Remote Access VPN (RAVPN) services. The tech giant highlighted that these attacks also aim at third-party VPN concentrators.

The company shared Indicators of Compromise (IoCs) associated with such attacks, including:

- Inability to establish a VPN connection using Cisco Secure Client (AnyConnect) if the firewall position (HostScan) is enabled;
- Unusual volume of authentication requests;

Cisco's recommendations for defending against these attacks are available HERE.

Security researchers have discovered a new version of the Vultur banking trojan for Android, featuring more advanced remote control capabilities and an improved evasion mechanism.

The latest Vultur infection chain starts with the victim receiving an SMS warning of an unauthorized bank transaction, urging them to call a provided number for guidance.

A scammer answers the call, convincing the victim to open a link sent in a second SMS, which leads to a website hosting a modified version of the McAfee Security app. Inside this trojanized McAfee Security app is the “Brunhilda” malware dropper.

Upon installation, the app decrypts and executes three payloads related to Vultur, gaining access to services, initializing remote control systems, and establishing connection with a C2 server.

The newest version of the Vultur malware analyzed by researchers retains several key features from older iterations, such as screen capture, keystroke monitoring, and remote access, allowing attackers real-time surveillance and control.

Compared to previous versions, the new Vultur introduces several new functions, including:

- File management operations on the device (download, upload, delete, install, search for files).
- Use of accessibility services to perform gestures like clicks, scrolls, and swipes.
- Blocking certain apps from running on the device, displaying custom HTML or a “Temporarily Unavailable” message to the user.
- Displaying custom notifications in the status bar to mislead the victim.
- Disabling Keyguard to bypass screen lock security and gain unrestricted access to the device.

Cybersecurity experts have warned that third-party plugins available for OpenAI's ChatGPT could pose a new risk surface for cybercriminals, potentially playing a role in the theft of sensitive data. According to new research published by Salt Labs, security vulnerabilities found within ChatGPT and its ecosystem could allow attackers to install malicious plugins without the users' knowledge. These plugins could enable cybercriminals to steal user accounts on other sites, such as GitHub. Salt Labs identified an OAuth vulnerability that allows attackers to access sensitive data and information without any interaction from the user (Zero-click exploit). The researchers also disclosed LLM side-channel attacks that exploit vulnerabilities in the encrypted communication of large language models (LLMs) to infer sensitive information. They recommend the use of random padding to conceal the actual length of tokens and suggest transmitting tokens in larger batches for protection.

(thehackernews.com)

The International Monetary Fund (IMF) has announced that unknown attackers breached 11 IMF email accounts at the beginning of the year. This institution, financed by 190 member countries, is also one of the United Nations' most significant financial organizations, headquartered in Washington.

According to a press release, the IMF detected the incident in February and is currently conducting an investigation to assess the impact of the attack. So far, the IMF has found no evidence suggesting that the attackers could access other systems or resources beyond the compromised email accounts.

While the IMF did not provide further details about the breach, it confirmed the use of Microsoft 365's cloud-based email platform. Preliminary investigation results indicate that the incident does not appear to be part of a targeted attack on Microsoft.

In January, Microsoft disclosed that the Russian hacker group Midnight Blizzard, linked to Russia's Foreign Intelligence Service, accessed Microsoft's corporate emails through a password spray attack compromising an old, non-production, tester Exchange Online account.

The IMF experienced a similar breach in 2011, described by an official as a "very major breach," prompting the World Bank to temporarily sever its network connections with the IMF as a precaution.

France Travail, a French government agency responsible for the unemployment registry, providing financial support, and aiding job searches, issued a warning that hackers breached their systems, and an estimated 43 million people's personal data may have been leaked.

The agency disclosed that between February 6 and March 5, during a cyberattack, hackers stole the data of job seekers registered with the agency over the past 20 years. A statement published on a French portal assisting victims of cyberattacks informed that the affected individuals would receive notifications from the agency.

France Travail has notified the country's data protection agency, the National Commission on Informatics and Liberty (CNIL), which stated that up to 43 million people could be affected.

The data obtained from the attack includes full names, dates and places of birth, social security numbers, France Travail identification, email, postal addresses, and telephone numbers. The privacy breach does not involve people's banking information or passwords, but CNIL warns that cybercriminals could use the available data in conjunction with information from other privacy incidents.

These data increase the risk of identity theft and phishing, thus the agency recommends potentially affected individuals to be particularly vigilant regarding received emails, phone calls, and SMS messages.

No further details about the attack have been provided by the authorities.

This cyberattack on the agency sets a new record in France in terms of affected individuals, surpassing the 33 million people affected by the February breaches of Viamedis and Almerys.

(bleepingcomputer.com)

Fortra patched a critical remote code execution vulnerability affecting its FileCatalyst file transfer products.

Tracked as CVE-2024-25153 (CVSS score: 9.8 ), the critical vulnerability allows attackers to run arbitrary code on affected servers by bypassing authentication.

The vulnerability was fixed with the release of FileCatalyst Workflow version 5.1.6 Build 114.

"The 'ftpservlet' in the FileCatalyst Workflow web portal's directory traversal allows for the uploading of files outside the intended 'uploadtemp' directory via a specially crafted POST request. In situations where a file is successfully uploaded to the web portal's DocumentRoot, the specially crafted JSP files can be used for code execution, including webshells." - the statement read.

The vulnerability was reported in August 2023 by Tom Wedgbury from LRQA Nettitude, before Fortra joined the CNA program. Nettitude researchers have now released a full PoC exploit for the vulnerability on GitHub. The exploit demonstrates how to upload a webshell on vulnerable instances for command execution.

Given that Fortra's GoAnywhere Managed File Transfer (MFT)'s previously disclosed vulnerabilities were severely exploited last year by threat actors similar to Cl0p, it is recommended that users apply the necessary updates to mitigate potential threats.

(securityaffairs.com)

The cybercriminal group known as APT28, linked to Russia, is implicated in ongoing phishing campaigns across Europe, Asia, and the Americas, using fake documents purportedly from governmental and other organizations.

According to IBM X-Force, the documents range from internal and public records to unique files created by the group, covering finance, critical infrastructure, cybersecurity, health, and industry.

These disclosures came over three months after the group used decoys related to the Israel-Hamas conflict to exploit the HeadLace backdoor.

APT28 also targeted Ukrainian and Polish government entities with phishing messages aiming to install info-stealing malware like MASEPIE, OCEANMAP, STEELHOOK. They exploited Microsoft Outlook vulnerabilities (CVE-2023-23397) for NTLM hash theft to conduct relay attacks.

The latest IBM X-Force-observed attacks, from late November 2023 to late February 2024, leveraged the URI handler in Microsoft Windows.

Attackers tricked users into downloading malware from WebDAV servers operated by the group. Evidence suggests these servers ran on compromised Ubiquiti routers, part of a botnet dismantled by the US government last month.

"The group now utilizes ITG05 hosting services for various payload operations," say security researchers Joe Fasulo, Claire Zaboeva, and Golo Mühr.

(thehackernews.com)