TLDR Information Security 2024-05-15

Palo Alto Network's premier network security summit is coming up! Join this virtual event to learn from industry leaders, tech visionaries, and cybersecurity professionals.

What's on the agenda?

• How enterprise browsers are redefining SASE, enabling secure access to all SaaS and private apps from any device.
• The latest advancements in AI, from intelligence augmentation to solutions that mitigate risk from GenAI apps.
• How AI-powered data security prevents data loss from SaaS apps to emails, from the network to the browser, all from a single SASE architecture.
• How Prisma SASE can accelerate applications up to 5X faster than the internet for superior user experience.

Register for free to save your spot

Apple has backported a fix for CVE-2024-23296, which was disclosed in March, to older devices. The vulnerability was a memory corruption bug that allowed attackers to bypass kernel memory protections. Apple reported that the vulnerability may have been actively exploited.

The Ebury botnet has compromised 400K servers over the past 15 years. Recent attacks show that operators have been targeting hosting providers to perform supply-chain attacks on clients renting virtual servers. The Ebury operators are financially motivated and often deploy credential stealers onto compromised servers.

Christie's auctions worth $840m have been disrupted by a cyber attack, affecting the sale of valuable items like a Van Gogh painting and rare wine. The website is offline, but bids can still be placed over the phone or in person. An alternative website with basic information is available. Auctions continue and there are plans for upcoming sales.

AhnLab Security Intelligence Center has identified a North Korean campaign targeting South Koreans with a malicious LNK file. The file distributes a loader for the RokRAT C2 malware. This article provides a deep dive into the loader and IoCs for the campaign.

Tycoon 2FA is a phishing-as-a-service platform that was recently updated to enhance detection avoidance. The toolkit relies on victims entering their information into attacker-controlled infrastructure. After MFA prompting, session cookies are relayed to the attacker. This article provides some real-world examples and defenses.

This blog post describes the DNS Tunneling attack technique, which is a method for attackers to hide and transport data through DNS traffic. Malicious actors can use DNS tunneling to track user activities and communicate with compromised hosts. Organizations can detect and mitigate DNS tunneling campaigns effectively by analyzing indicators like domains and IP addresses.

Keylime provides an end-to-end solution for bootstrapping hardware rooted cryptographic trust for remote machines, the provisioning of encrypted payloads, and runtime system integrity monitoring.

SharpGraphView is a post-exploitation toolkit that provides modular access to the Microsoft Graph API for cloud security teams.

Trail of Bits discusses how it has worked to add cryptographically verifiable build provenance for all bottles. This feature ensures that each bottle's content is bound to specific build-time metadata, reducing the risk of compromised or malicious installations. While still in early beta, users can verify attestations using the "brew verify" command, but caution is advised until further development is completed.

This blog post discusses techniques used in the XZ backdoor, focusing on locating function addresses, symbol tables, and system information within ELF files. It also explains the process of function hooking and demonstrates a simplified version of the XZ backdoor's logic using library functions and memory address manipulation. The XZ backdoor's method involves finding specific addresses and performing actions based on that information, simulating the process of locating critical functions within programs.

The Black Basta ransomware group is attacking critical infrastructure, affecting over 500 organizations in the past two years, including a healthcare system with 140 hospitals. FBI and security researchers warn that the group is causing severe disruptions and targeting healthcare organizations through novel social engineering tactics.

MITRE has launched EMB3D, a threat-modeling framework for embedded devices in critical infrastructure. EMB3D aims to help device vendors understand and mitigate cyber threats targeting embedded devices. The framework focuses on providing security mechanisms early in the design cycle to create inherently secure devices.

CISA, DHS, FBI, and international partners have published a guide to help civil society organizations reduce cyber threat risks by protecting high-risk communities.

Apple and Google on Monday officially announced the rollout of a new feature that notifies users across both iOS and Android if a Bluetooth tracking device is being used to stealthily keep tabs on them without their knowledge or consent.

Zscaler investigated a recent hacking incident and confirmed that only a test server was compromised, with no impact on customer data.