Major Cybersecurity Breach: Top US Agency CISA Hacked, Systems Offline
According to CNN's sources, CISA, the federal cybersecurity agency, recently discovered an intrusion that forced it to take two important computer systems offline. One of the affected systems is used to share cyber and physical security assessment tools among federal, state and local authorities, US officials said; the second holds sensitive information about security assessments of chemical facilities.
A CISA spokesperson said the hack had no operational impact and that the agency is actively upgrading and modernizing its systems. Only the two systems that were taken offline were affected, and both were already scheduled for replacement because of their outdated technology. The spokesperson stressed that every organization needs an incident response plan for when a vulnerability is exploited.
Private researchers had previously told CNN that one of the groups exploiting the vulnerabilities used in this intrusion is a Chinese espionage-focused group. The episode underlines the irony that cybersecurity agencies and officials are as exposed as anyone else, because they rely on the same technology. Nate Fick, the US' top cybersecurity diplomat, acknowledged last year that his personal account on the social media platform X had been hacked, calling it an inherent risk of his profession.
Read: https://www.cnn.com/2024/03/08/politics/top-us-cybersecurity-agency-cisa-hacked/index.html
Incognito Darknet Market rug pulls users, then extorts them
Incognito Market, a darknet marketplace specializing in narcotics, seems to have pivoted its business model to that of a ransomware gang:
Its operators have launched a mass extortion campaign against their own users. Targeting both vendors and buyers, the platform demands fees ranging from $100 to $20,000; those who refuse face having their cryptocurrency transaction records and chat logs exposed. The extortion is the second act of an “exit scam”: the operators first rug pulled the entire platform, leaving users unable to withdraw substantial funds.
Incognito Market's homepage was updated with a blackmail message from its owners, threatening to release the purchase records of vendors who refuse to pay for confidentiality. The message reveals that private messages, transaction information and order details have been accumulated for years, to the surprise of users who relied on the market's ‘auto-encrypt’ feature. Messages and transaction IDs were never deleted, and the message hints that the data could end up with law enforcement.
Read: https://krebsonsecurity.com/2024/03/incognito-darknet-market-mass-extorts-buyers-sellers/
New Linux Malware Discovery Demonstrates how NerbianRAT is Used Across Platforms by For-Profit Threat Groups
Researchers have unearthed Linux malware that circulated in the wild for at least two years before being identified: a credential stealer that is installed by exploiting recently patched vulnerabilities.
The newly identified malware is a Linux variant of NerbianRAT, a remote access Trojan first described in 2022 by researchers at security firm Proofpoint. Last Friday, Checkpoint Research revealed that the Linux version has existed since at least that same year, when it was uploaded to the VirusTotal malware identification site.
Checkpoint concluded that Magnet Goblin, the name the firm uses for the financially motivated threat actor behind the malware, has installed it by exploiting “1-days”: vulnerabilities that have only recently been patched. Attackers in this scenario reverse engineer the security updates, or copy the associated proof-of-concept exploits, and use them against devices that have not yet installed the patches.
Checkpoint also identified MiniNerbian, a smaller version of NerbianRAT for Linux that is used to backdoor servers running the Magento e-commerce platform, primarily so they can serve as command-and-control servers that devices infected with NerbianRAT connect to. Researchers elsewhere have reported encountering servers that appear to have been compromised with MiniNerbian, but Checkpoint Research appears to be the first to identify the underlying binary.
“Magnet Goblin, whose campaigns appear to be financially motivated, has been quick to adopt 1-day vulnerabilities to deliver their custom Linux malware, NerbianRAT and MiniNerbian,” Checkpoint researchers wrote. “Those tools have operated under the radar as they mostly reside on edge-devices. This is part of an ongoing trend for threat actors to target areas which until now have been left unprotected.”
Read: https://arstechnica.com/security/2024/03/never-before-seen-linux-malware-gets-installed-using-1-day-exploits/
New Malware Campaign Leverages Security Flaw in Popup Builder WordPress Plugin
A new malware campaign is exploiting a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript. According to Sucuri, the campaign has infected more than 3,900 sites over the past three weeks.
“These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024,” security researcher Puja Srivastava said in a report dated March 7.
Infection chains exploit CVE-2023-6000, a vulnerability in Popup Builder that can be used to create rogue admin users and install arbitrary plugins. The same flaw was exploited in a Balada Injector campaign this January that compromised no fewer than 7,000 sites.
The latest attacks inject malicious code that comes in two variants and redirects site visitors to other sites, such as phishing and scam pages.
WordPress site owners should keep their plugins up to date, scan their sites for suspicious code and unexpected users, and clean up anything they find.
“This new malware campaign serves as a stark reminder of the risks of not keeping your website software patched and up-to-date,” Srivastava said.
Read: https://thehackernews.com/2024/03/malware-campaign-exploits-popup-builder.html
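As an added example (not Sucuri's, WordPress's or the original article's code), here is an offline scan over exported WordPress content and user data that looks for the two things the advice above calls for: injected script tags that load from hosts you don't recognize or use obfuscation and redirect primitives, and administrator accounts you did not create. The sample blobs and user list are constructed; ALLOWED_HOSTS, KNOWN_ADMINS and the February 12 cutoff (the earliest registration date of the attack domains in Sucuri's report) are assumptions you would set for your own site.

```python
"""Offline scan of exported WordPress content for injected <script> tags and
unexpected administrator accounts.  Added example, not Sucuri's, WordPress's or
the article's code.  Inputs mimic what `wp db export` / `wp user list --format=json`
give you; everything below is constructed sample data."""
import re
from datetime import datetime
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Primitives common in obfuscated redirect loaders; a heuristic, not a signature.
SUSPICIOUS_INLINE = ("eval(", "atob(", "fromCharCode", "unescape(",
                     "location.replace", "location.href")


def extract_scripts(html):
    """Return (src or None, inline body) for every <script> element in html."""
    found = []
    for attrs, body in SCRIPT_RE.findall(html):
        m = SRC_RE.search(attrs)
        found.append((m.group(1) if m else None, body))
    return found


def script_host(src):
    """Hostname of a script URL; '' for relative (same-origin) paths."""
    absolute = src if "://" in src else "https:" + src   # also handles //host/x.js
    return (urlparse(absolute).hostname or "").lower()


def flag_scripts(blobs, allowed_hosts):
    """blobs: {location: text}. Flags external script hosts outside allowed_hosts
    and inline scripts that use the SUSPICIOUS_INLINE primitives."""
    findings = []
    for location, text in blobs.items():
        for src, body in extract_scripts(text):
            if src is not None:
                host = script_host(src)
                if host and host not in allowed_hosts:
                    findings.append((location, "external-script", src))
            elif any(p in body for p in SUSPICIOUS_INLINE):
                findings.append((location, "suspicious-inline", body.strip()[:60]))
    return findings


def flag_admins(users, known_admins, cutoff):
    """Flags administrators that are not in known_admins or were registered on or
    after cutoff (abuse of CVE-2023-6000 creates rogue admin users)."""
    flagged = []
    for u in users:
        if "administrator" not in u["roles"]:
            continue
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if u["user_login"] not in known_admins or registered >= cutoff:
            flagged.append(u["user_login"])
    return flagged


# ---- constructed sample data (not real indicators) ----
SAMPLE_BLOBS = {
    "wp_posts:42": '<p>Hi</p><script src="/wp-includes/js/jquery/jquery.min.js"></script>',
    "wp_options:popup_builder_custom_js":
        '<script src="//cdn.totally-legit-stats.invalid/t.js?ad"></script>',
    "wp_postmeta:77": ('<script>var u=atob("aHR0cHM6Ly9zY2FtLmludmFsaWQ=");'
                       'document.location.href=u;</script>'),
    "wp_posts:43": '<script src="https://example.com/assets/app.js"></script>',
}
SAMPLE_USERS = [
    {"user_login": "alice", "roles": ["administrator"], "user_registered": "2021-05-03 09:12:00"},
    {"user_login": "editor1", "roles": ["editor"], "user_registered": "2022-01-10 11:00:00"},
    {"user_login": "wp-support", "roles": ["administrator"], "user_registered": "2024-02-20 03:14:07"},
]
ALLOWED_HOSTS = {"example.com"}   # assumption: your site's own host(s) and CDNs
KNOWN_ADMINS = {"alice"}          # assumption: the admins you actually created
CUTOFF = datetime(2024, 2, 12)    # earliest attack-domain registration per the report


def scan(blobs=SAMPLE_BLOBS, users=SAMPLE_USERS):
    """Run both checks and return the findings keyed by kind."""
    return {"scripts": flag_scripts(blobs, ALLOWED_HOSTS),
            "admins": flag_admins(users, KNOWN_ADMINS, CUTOFF)}


if __name__ == "__main__":
    for kind, items in scan().items():
        print(kind)
        for item in items:
            print("  ", item)
```

On the constructed data the scan flags the external loader hidden in the plugin's custom-JS option, the base64-decoded redirect in postmeta, and the "wp-support" administrator, while leaving the site's own jQuery and first-party app script alone. Run it against a real export, then remove the flagged users and strip the injected tags before updating the plugin, otherwise the attacker's admin account survives the patch.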
Roku Resolves Unauthorized Subscriptions and Provides Refunds for 15k Breached Accounts
Following the discovery of what it described as “suspicious activity,” Roku has cancelled unauthorized subscriptions and issued refunds to more than 15,000 affected accounts. The publicly traded streaming TV giant (Nasdaq: ROKU), which reported $3.4 billion in revenue last year, said attackers used username and password combinations stolen from other services to gain unauthorized access to user accounts between late December and late February.
According to the breach notification letters, the attackers logged in to the affected Roku accounts and changed the login information; in some cases they attempted to purchase streaming subscriptions.
The company says the attackers did not obtain sensitive personal information such as Social Security numbers, full payment card numbers, or dates of birth.
Sound familiar? Credential stuffing strikes again – if you haven’t already read our piece on this from last week, you should.
Read: https://therecord.media/roku-unauthorized-subscriptions-account-refunds
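As an added example (not Roku's code and not from the article), the following Python picks out the credential-stuffing pattern described above in authentication logs: one source address cycling through many distinct usernames with mostly failures and a few successes, and those successes are exactly the accounts whose reused passwords the attacker now holds. The log format and entries are constructed; the window, minimum-distinct-users and success-rate thresholds are assumptions to tune for your own traffic.

```python
"""Credential-stuffing detection over authentication log lines.  Added example,
not Roku's code and not from the article.  The log format and the entries are
constructed:  <ISO-8601 timestamp> ip=<source> user=<login> result=<ok|fail>"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-02-01T02:00:01Z ip=198.51.100.9 user=ann result=fail
2024-02-01T02:00:02Z ip=198.51.100.9 user=ben result=fail
2024-02-01T02:00:03Z ip=198.51.100.9 user=cat result=fail
2024-02-01T02:00:04Z ip=198.51.100.9 user=dan result=ok
2024-02-01T02:00:05Z ip=198.51.100.9 user=eve result=fail
2024-02-01T02:00:06Z ip=198.51.100.9 user=fay result=fail
2024-02-01T02:00:07Z ip=198.51.100.9 user=gus result=fail
2024-02-01T02:00:08Z ip=198.51.100.9 user=hal result=fail
2024-02-01T09:15:00Z ip=203.0.113.5 user=ann result=fail
2024-02-01T09:15:20Z ip=203.0.113.5 user=ann result=fail
2024-02-01T09:15:41Z ip=203.0.113.5 user=ann result=ok
2024-02-01T11:00:00Z ip=192.0.2.44 user=ben result=fail
2024-02-01T11:00:30Z ip=192.0.2.44 user=cat result=fail
2024-02-01T11:01:00Z ip=192.0.2.44 user=dan result=fail
"""


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5,
                    max_success_rate=0.25):
    """Return {source_ip: set(accounts that logged in successfully)} for every
    source that, within `window`, tried at least `min_users` distinct logins with
    a success rate at or below `max_success_rate`.  Thresholds are assumptions:
    a real user mistyping a password never reaches min_users distinct accounts,
    while a stuffing run burns through a leaked list and succeeds only where
    passwords were reused."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits inside `window`
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            users = {r["user"] for r in span}
            successes = [r["user"] for r in span if r["result"] == "ok"]
            if len(users) >= min_users and len(successes) / len(span) <= max_success_rate:
                alerts.setdefault(ip, set()).update(successes)
    return alerts


def accounts_to_reset(alerts):
    """Accounts successfully entered from a flagged source: the ones whose reused
    passwords the attacker now knows and that need a forced reset."""
    return sorted(set().union(*alerts.values())) if alerts else []


if __name__ == "__main__":
    found = detect_stuffing(SAMPLE_LOG.splitlines())
    for ip, accounts in found.items():
        print(f"{ip}: stuffing pattern, compromised accounts: {sorted(accounts)}")
    print("force password reset for:", accounts_to_reset(found))
```

On the constructed log only 198.51.100.9 trips the detector (eight accounts, one success), while the user at 203.0.113.5 who mistypes twice and the three-account probe from 192.0.2.44 stay below the threshold. In a real deployment, pair the alert with a check for e-mail or password changes shortly after a success from a flagged source, since that is the step the Roku attackers took to lock the legitimate owner out.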
Elsewhere Online:
Anonymous Sudan Hacking Group Behind Series of Attacks on French Government
Read: https://www.securityweek.com/the-french-government-says-its-being-targeted-by-unusual-intense-cyberattacks/
Airbnb’s Policy Shift: Prohibiting Indoor Security Cameras for Enhanced Privacy and Trust
Read: https://www.npr.org/2024/03/11/1237609591/airbnb-bans-indoor-security-cameras-surveillance-privacy
Mitigating Longstanding Risks: The Resolution of a 5-Year-Old Building Access System Vulnerability
Read: https://www.securityweek.com/exploited-building-access-system-vulnerability-patched-years-after-disclosure/
California’s Data Broker Revelation: Selling Sensitive Information on Minors, Reproductive Health, and Geolocation
Read: https://therecord.media/dozens-of-data-brokers-disclose-selling-info-on-kids-geolocation-data-reproductive-health
Microsoft Discloses Two Critical Hyper-V Vulnerabilities in a Low-Volume Patch Release
Read: https://www.darkreading.com/vulnerabilities-threats/microsoft-discloses-two-critical-hyper-v-flaws-low-volume-patch-update
Previously on #AxisOfEasy
“It’s only because of their stupidity that they’re able to be so sure of themselves.”
By… George Orwell?
Kafka, The Trial?
Bertrand Russell?
Not a big deal, as nobody got last month's quote right, but it sure wasn't Ernest Hemingway. https://quoteinvestigator.com/2011/09/14/writing-bleed/?amp=1
It turns out there is no clear source, but the least plausible candidate was Ernest. Quote Investigator is a great resource, as there is a lot of bs on the internet.