Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
PSA: Fake CVE-2023-45124 Phishing Scam Tricks Users Into Installing Backdoor Plugin
The Wordfence Threat Intelligence Team has recently been informed of a phishing campaign targeting WordPress users. The Phishing email claims to be from the WordPress team and warns of a Remote Code Execution vulnerability on the user’s site with an identifier of CVE-2023-45124, which is not currently a valid CVE. The email prompts the victim to download a “Patch” plugin and install it. Read more.
SQL Brute Force Leads to BlueSky Ransomware
Source: THE DFIR REPORT
While other reports point to malware downloads as initial access, in this report the threat actors gained access via a MSSQL brute force attack. They then leveraged Cobalt Strike and Tor2Mine to perform post-exploitation activities. Within one hour of the threat actors accessing the network, they deployed BlueSky ransomware network wide. Read more.
Cactus Ransomware Exploiting Qlik Sense Code Execution Vulnerability
Cactus is ransomware that encrypts data, provides a ransom note (” cAcTuS.readme.txt “), and appends the. “CTS1 ” extension to filenames. They exploit via the combination or direct abuse of (CVE-2023-41266, CVE-2023-41265). Read more.
New SugarGh0st RAT targets Uzbekistan government and South Korea
Source: Cisco TALOS
We assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous trojan that’s been active for more than a decade, with customized commands to facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code. Read more.
Google Unveils RETVec – Gmail’s New Defense Against Spam and Malicious Emails
Source: The Hacker News
RETVec, which works on over 100 languages out-of-the-box, aims to help build more resilient and efficient server-side and on-device text classifiers, while also being more robust and computationally less expensive. Read more.
Booking.com Customers Scammed in Novel Social Engineering Campaign
Source: Infosecurity Magazine
The researchers said the campaign, which they believe has been running for at least a year, begins by deploying the Vidar infostealer to gain access partner hotels’ Booking.com credentials. This information is then used to send phishing emails to Booking.com customers and trick them into handing over their payment details, in many cases leading to money being stolen. Read more.
Apache ActiveMQ Jolokia Remote Code Execution Vulnerability (CVE-2022-41678) Notification
Source: Security Boulevard
In the configuration of ActiveMQ, jetty allows org.holokia.http.AgentServlet to process requests for/api/Jolokia. An authenticated attacker can send a specially crafted HTTP request to write a malicious file through the Jolokia service, thus implementing remote code execution. At present, the vulnerability PoC has been made public. Read more.