WME Security Briefing 29 March 2024

WME Cybersecurity Briefings No. 003

Russian hackers escalating their cyber warfare, deploying TinyTurla-NG to breach European NGOs.

Cisco Talos reveals a targeted attack against organizations advocating democracy and supporting Ukraine. With their sophisticated methods, these cyber attackers are bypassing antivirus defenses and extracting sensitive data. Stay vigilant and informed!

Over 800 npm packages riddled with vulnerabilities.

15+ of these are susceptible to ‘Manifest Confusion’ attacks. This extensive finding exposes the underlying risks in the package dependencies that millions of developers rely on. The implications are vast, as they threaten the integrity of software supply chains worldwide. Developers are urged to audit their npm packages now!
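Manifest confusion means the metadata the npm registry serves for a version disagrees with the package.json inside that version's tarball, so an audit has to compare both. The following check is an added example, not code from the briefing or from npm; the registry manifest and the tarball are constructed inline so it runs offline.

```python
import io
import json
import tarfile


def read_tarball_package_json(tarball_bytes: bytes) -> dict:
    """Parse package.json from an npm tarball (npm stores it under package/)."""
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:gz") as tar:
        member = tar.getmember("package/package.json")
        return json.load(tar.extractfile(member))


def find_manifest_confusion(registry_version: dict, tarball_pkg: dict) -> list:
    """Report fields that drive an install but differ between registry and tarball."""
    findings = []
    for field in ("name", "version"):
        if registry_version.get(field) != tarball_pkg.get(field):
            findings.append(f"{field}: registry={registry_version.get(field)!r} "
                            f"tarball={tarball_pkg.get(field)!r}")
    for field in ("dependencies", "scripts"):
        reg = registry_version.get(field) or {}
        tar = tarball_pkg.get(field) or {}
        for key in sorted(set(reg) | set(tar)):
            if reg.get(key) != tar.get(key):
                findings.append(f"{field}.{key}: registry={reg.get(key)!r} "
                                f"tarball={tar.get(key)!r}")
    return findings


def build_tarball(pkg: dict) -> bytes:
    """Constructed helper: a minimal npm-style .tgz holding only package/package.json."""
    buf = io.BytesIO()
    data = json.dumps(pkg).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed sample: the registry view looks clean, the tarball adds an
# unlisted dependency and an install-time script.
REGISTRY_MANIFEST = {"name": "example-pkg", "version": "1.0.0",
                     "dependencies": {"lodash": "^4.17.21"}, "scripts": {}}
TARBALL_PACKAGE_JSON = {"name": "example-pkg", "version": "1.0.0",
                        "dependencies": {"lodash": "^4.17.21", "unlisted-helper": "1.2.3"},
                        "scripts": {"postinstall": "node setup.js"}}


def demo() -> list:
    tarball_pkg = read_tarball_package_json(build_tarball(TARBALL_PACKAGE_JSON))
    return find_manifest_confusion(REGISTRY_MANIFEST, tarball_pkg)


if __name__ == "__main__":
    for finding in demo():
        print("MISMATCH", finding)
```

Against a real package, the registry view comes from the version entry of the registry's package document and the tarball from its `dist.tarball` URL; any mismatch in dependencies or scripts is what to investigate.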

AndroxGh0st Malware Alert!

The AndroxGh0st malware is targeting Laravel applications with the aim of stealing cloud credentials. It scans for sensitive .env files and extracts login information for AWS and Twilio, among others. With its roots traceable back to 2022, AndroxGh0st exploits vulnerabilities in Apache HTTP Server, the Laravel Framework, and PHPUnit. Stay vigilant and ensure your systems are up to date.
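Because the malware hunts for .env files over HTTP, requests for those paths are a simple thing to watch for in web server access logs. The following detection is an added example (not from the briefing or from any vendor tool) that runs over constructed combined-format log lines and separates probes that were refused from ones the server actually answered.

```python
import posixpath
import re

# Common/combined access log format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [28/Mar/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Mar/2024:10:01:03 +0000] "GET /app/.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Mar/2024:10:02:10 +0000] "GET /.env.bak?x=1 HTTP/1.1" 200 512 "-" "curl/8.0"
192.0.2.5 - - [28/Mar/2024:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.5 - - [28/Mar/2024:10:03:01 +0000] "GET /environment/help HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""


def find_env_probes(log_text: str) -> dict:
    """Map source IP -> [(path, status)] for requests whose file name starts with .env."""
    probes = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if posixpath.basename(path).startswith(".env"):
            probes.setdefault(m["ip"], []).append((path, int(m["status"])))
    return probes


def exposed_env_files(probes: dict) -> list:
    """A 2xx answer means the server served the file: treat that as an exposure, not a probe."""
    return sorted({(ip, path) for ip, hits in probes.items()
                   for path, status in hits if 200 <= status < 300})


if __name__ == "__main__":
    hits = find_env_probes(SAMPLE_LOG)
    for ip, requests in hits.items():
        print(f"{ip}: {len(requests)} .env request(s)")
    for ip, path in exposed_env_files(hits):
        print(f"EXPOSED: {path} served to {ip}")
```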

The U.S. sanctions two Russians and their companies for their role in the “Doppelganger” disinformation campaign.

This sophisticated operation targeted Western audiences with fake news sites and social media, aiming to sow discord and misinformation. The sanctioned individuals were instrumental in creating over 60 counterfeit sites to mimic legitimate news outlets. This action highlights our ongoing battle against cyber threats.

GitHub launches an AI-powered tool, code scanning autofix.

It’s now in public beta for Advanced Security customers.

This innovation leverages GitHub Copilot, CodeQL, and OpenAI GPT-4, and offers targeted recommendations to help developers patch over 90% of security flaws in JavaScript, TypeScript, Java, and Python without introducing new issues.

A new version of malware, DinodasRAT, targets Linux systems.

DinodasRAT is a multi-platform backdoor that can steal information from your computer and control it remotely. This new version targets Red Hat-based distributions and Ubuntu Linux. It periodically contacts a remote server over TCP/UDP to fetch commands to be run, so the attackers can control the infected computer remotely and issue new commands at any time. DinodasRAT can perform malicious file operations, change its command-and-control (C2) addresses, and enumerate and terminate running processes.

Finland’s Parliament targeted in a cyberattack believed to have occurred between fall 2020 and early 2021.

Finland is blaming China’s hacking group APT31. This isn’t the first time APT31 has been accused of cyberespionage as the U.S. and U.K. have also made similar accusations in the recent past. APT31 is a Chinese state-backed group that has been active for over a decade. So far, seven operatives have been charged in the U.S. for their involvement in hacking sprees. China denies these allegations.

A sophisticated phishing platform called Darcula used by cybercriminals

Cybercriminals are launching large-scale phishing attacks with it, leveraging iMessage and RCS messaging to bypass SMS firewalls. Phishing sites created using Darcula are designed to look like legitimate websites, tricking users into revealing personal information. The worst part is that Darcula is available for a monthly fee, making it accessible to a wide range of criminals.

India’s defense & energy sectors targeted in a cyberespionage campaign

The attackers used a malicious PDF disguised as an Air Force invitation to gain access to victims’ systems. Once infiltrated, the malware could steal sensitive data and upload it to Slack channels controlled by the attackers. The details of the malware are still unknown, but it is suspected to be similar to a Go-based stealer called GoStealer used in a previous phishing campaign. The attackers might have stolen confidential documents, private emails, and cached web browser data.

Hackers actively exploiting an RCE vulnerability in Microsoft SharePoint Server.

CISA warns that this vulnerability allows an authenticated attacker with Site Owner privileges to execute arbitrary code on the server. This means that attackers could potentially take complete control of a vulnerable SharePoint server. Microsoft released a patch for this vulnerability in May 2023. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) list, which means that federal civilian agencies in the United States are required to apply the patch by April 16, 2024. If you are using Microsoft SharePoint Server, it is important to apply the patch as soon as possible.


Matt Tinney

Professional IT executive & business leader having decades of experience with Microsoft technologies delivering modern-day cloud & security solutions.
