Weekly Axis Of Easy #345
Last Week’s Quote was: “Once you replace negative thoughts with positive ones, you’ll start having positive results,” was by Willie Nelson. No one got it!
This Week’s Quote: “There is only one thing in life worse than being talked about, and that is not being talked about.” By ???
THE RULES: No searching up the answer, must be posted at the bottom of this post, in the comments section.
The Prize: First person to post the correct answer gets their next domain or hosting renewal on us.
- Hackers Exploit Fake Facebook MidJourney AI Page to Promote Malware to 1.2M People
- US Lawmakers Introduce Federal Data Privacy Law
- Hacker Leaks 8.5M U.S. Environmental Protection Agency (EPA) Contact Data, CISA Claims Data Already Publicly Available
- Researchers at the Shadowserver Foundation identify Thousands of Ivanti VPN Appliances Impacted by Recent Vulnerability
- New Malware Persistence Method Targeting Magento Servers
- CISA warns of “nation state compromise involving Microsoft products”
Elsewhere online:
- NSA Revamps Guidelines on Zero-Trust to Minimize Vulnerability Exposures
- Third Party SaaS Vendor Causes Home Depot Employee Data Leak
- Google Takes Legal Action Against China-Based App Developers Over Cryptocurrency Scam Targeting Thousands
- Critical Flaws Uncovered in Generative AI Models on Hugging Face Platform: Insights from Wiz Security Research
- Security Vulnerability Exposes Ibis Budget Guest Room Codes to Hackers
Hackers Exploit Fake Facebook MidJourney AI Page to Promote Malware to 1.2M People
Hackers are using Facebook advertisements and hijacked pages to promote fake Artificial Intelligence services, such as MidJourney, OpenAI’s SORA and ChatGPT-5, and DALL-E, to infect unsuspecting users with password-stealing malware.
The malvertising campaigns are created by hijacked Facebook profiles that impersonate popular AI services, pretending to offer a sneak preview of new features.
Users tricked by the ads become members of fraudulent Facebook communities, where the threat actors post news, AI-generated images, and other related info to make the pages look legitimate.
However, the community posts often promote limited-time access to upcoming and eagerly anticipated AI services, tricking the users into downloading malicious executables that infect Windows computers with information-stealing malware, like Rilide, Vidar, IceRAT, and Nova.
Information-stealing malware focuses on stealing data from a victim’s browser, including stored credentials, cookies, cryptocurrency wallet information, autocomplete data, and credit card information.
This data is then sold on dark web markets or used by the attackers to breach the target’s online accounts to promote further scams or conduct fraud.
In one of the cases seen by researchers at Bitdefender, a malicious Facebook page impersonating Midjourney amassed 1.2 million followers and remained active for nearly a year before it was eventually taken down.
Many posts tricked people into downloading the infostealers by promoting a non-existent desktop version of the tool. Some posts highlighted the release of V6, which isn’t officially out yet (the latest version is V5). In other cases, the malicious ads promoted opportunities to create NFT art and monetize their creations.
While this page has since been taken down, the threat actors have launched a new page, still active with over 600,000 members, that pushes a fake Midjourney site distributing malware.
Read: https://www.bleepingcomputer.com/news/security/fake-facebook-midjourney-ai-page-promoted-malware-to-12-million-people/
US Lawmakers Introduce Federal Data Privacy Law
A bipartisan US federal data protection law has been drafted by two US lawmakers, aiming to codify and enforce privacy rights for all US citizens.
Congresswoman Cathy McMorris Rodgers (R-WA 5th District) who is the House Committee on Energy and Commerce Chair, and Senator Maria Cantwell (D-WA), the Senate Committee on Commerce, Science and Transportation Chair, unveiled the draft legislation on April 7, 2024.
They have dubbed the draft bill the American Privacy Rights Act.
The national law aims to give US citizens greater control over their personal data, limiting the ability of big tech firms to process, transfer and sell such information.
It also mandates stronger cybersecurity standards for organizations to protect personal data they hold from being hacked or stolen, giving enforcement powers to the Federal Trade Commission (FTC), States and individuals for any violations.
Key provisions in the draft Act include minimizing the data that companies can collect, keep, and use about people, of any age, to what companies actually need to provide them products and services. It also gives more power to citizens to control how their personal data is used, such as preventing the transfer or selling of their data, opting out of data processing if a company changes its privacy policy. Organizations will also be required to obtain express consent before sensitive data can be transferred to a third party.
Rodgers commented: “This landmark legislation gives Americans the right to control where their information goes and who can sell it. It reins in Big Tech by prohibiting them from tracking, predicting, and manipulating people’s behaviors for profit without their knowledge and consent. Americans overwhelmingly want these rights, and they are looking to us, their elected representatives, to act.”
Read: https://www.infosecurity-magazine.com/news/us-federal-privacy-law-legislators/
Hacker Leaks 8.5M U.S. Environmental Protection Agency (EPA) Contact Data, CISA Claims Data Already Publicly Available
The U.S. Environmental Protection Agency (EPA) is facing a data leak, carried out by a hacker operating under the alias USDoD. This data leak has exposed personal and sensitive information belonging to more than 8.5 million users, including customers and contractors.
The data breach was brought to light on the morning of Sunday, April 7, 2024. Notably, USDoD has a history of engaging in high-profile data breaches, with previous incidents including the exposure of data from 87,000 members of InfraGard, a sensitive security program funded by the FBI and dedicated to safeguarding critical infrastructure in the United States.
Regarding the data leak, the hacker told Hackread.com that the leak contains the entire contact database of the agency. Analysis conducted by Hackread.com indicates that the data provided by USDoD appears to be legitimate; however, conclusive verification can only be provided by the U.S. Environmental Protection Agency.
Meanwhile, a review of the leaked file reveals a 500MB Zip archive containing three CSV files labeled “Contact,” “Inter_Contact,” and “Staff.” An assessment of these files reveals the presence of zip codes, full names, phone numbers and email addresses, as well as company and job titles.
Hackread has notified the U.S. Environmental Protection Agency (EPA) and CISA regarding the data breach. On Monday, 8 April 2024, CISA confirmed that the incident has been investigated by the FBI and the leaked data is already publicly available, saying: “FBI engaged EPA on Friday 4/5 where EPA determined the data reportedly taken as publicly available and the reported compromise to be a non-issue, per their internal hunting elements.”
During a conversation with Hackread.com, the hacker stated that they never breached the EPA and that the data was indeed publicly available. They claimed to have extracted it from a Philadelphia-based third-party platform called DataRefuge.
Read: https://www.hackread.com/us-environmental-protection-agency-hacked-data-leaked/
Researchers at the Shadowserver Foundation identify Thousands of Ivanti VPN Appliances Impacted by Recent Vulnerability
Researchers at the Shadowserver Foundation have identified thousands of internet-exposed Ivanti VPN appliances likely impacted by a recently disclosed vulnerability leading to remote code execution. The vulnerability, tracked as CVE-2024-21894 (CVSS 8.2), is described as a heap overflow bug in the IPSec component of Ivanti Connect Secure (formerly Pulse Connect Secure) and Policy Secure that could be exploited by remote, unauthenticated attackers to cause a denial-of-service (DoS) condition or execute arbitrary code.
On April 2, Ivanti released software updates to address this flaw and three other vulnerabilities in its two VPN appliances, including CVE-2024-22053, another high-severity heap overflow bug leading to DoS.
The issue impacted all supported versions of Connect Secure and Policy Secure and Ivanti has urged all users to update their instances, albeit noting that it was not aware of these bugs being exploited at the time of disclosure.
On Friday, Shadowserver, which is conducting daily internet scans to identify vulnerable and exploited appliances, said it had identified over 16,000 Ivanti VPN instances potentially impacted by CVE-2024-21894.
As of April 7, Shadowserver data shows roughly 10,000 internet-accessible Ivanti Connect Secure and Policy Secure instances vulnerable to CVE-2024-21894. Most of the appliances are in the US (3,700) and Japan (1,700), followed by the UK (860), France (710), Germany (570), China (440), Canada (300), and India (290). What is unclear, however, is how many of these are actual Ivanti VPNs rather than honeypots, and whether the decrease in observed instances was caused by patching.
Ivanti has found itself reeling from a spate of zero-day attacks that recently threw its security response teams into disarray and forced the US government to issue disconnection instructions. The company says it is now embarking on a makeover of the entire cybersecurity organization.
Read: https://www.securityweek.com/thousands-of-ivanti-vpn-appliances-impacted-by-recent-vulnerability/
New Malware Persistence Method Targeting Magento Servers
Attackers are exploiting a new method for malware persistence on Magento servers, discovered by Sansec. A cleverly crafted layout template in the database is being used to automatically inject malware. This technique is responsible for periodic reinfections of systems, as found in the layout_update database table.
By combining the Magento layout parser with the beberlei/assert package, attackers execute system commands. Specifically, they exploit the layout block tied to the checkout cart, so the commands run whenever <store>/checkout/cart is requested. The injected command uses sed to add a backdoor to the CMS controller, ensuring the malware is re-injected even after manual fixes or system compilations.
Sansec says this is the first time it has seen actual abuse of CVE-2024-20720, which was discovered in February by security researcher Blaklis. Exploiting CVE-2024-20720 gave the attackers a remote code execution backdoor.
Attackers used this mechanism to inject a fake Stripe payment skimmer, redirecting payment data to https://halfpriceboxesusa.com/pub/health_check.php, potentially compromising another Magento store.
Affected merchants are urged to run the eComscan scanner to uncover hidden backdoors and promptly upgrade Magento to versions 2.4.6-p4, 2.4.5-p6, or 2.4.4-p7. Check the version matrix for guidance.
Attribution reveals the attacker IPs: 45.146.54.58, 45.146.54.59, 45.146.54.61, 45.146.54.67, 216.73.163.170, 216.73.163.182. Stay vigilant against these threats to safeguard your Magento systems.
Read: https://sansec.io/research/magento-xml-backdoor
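Because the persistence lives in the database rather than on disk, the practical check is to audit the layout_update table for layout arguments that call a helper class outside Magento's own namespaces, and for argument values that look like shell commands. The scanner below is an added example written for this newsletter; it is not Sansec's code, and the "malicious" sample row is a constructed illustration of the pattern described above, not the real payload (the helper class and method name are placeholders, as are the sample rows themselves).

```python
import re
import xml.etree.ElementTree as ET

# Magento layout XML uses the xsi namespace for argument types (xsi:type="helper" etc.).
XSI = "{http://www.w3.org/2001/XMLSchema-instance}"

# Helper classes a stock layout may legitimately call; add your own module namespaces.
# Anything else (e.g. a class from a third-party library such as beberlei/assert) is suspect.
ALLOWED_HELPER_PREFIXES = ("Magento\\",)

# Strings that have no business inside a layout argument value.
SHELL_INDICATORS = re.compile(r"sed\s+-i|base64_decode|/bin/sh|shell_exec|passthru|\bsystem\(", re.I)

# Constructed sample rows shaped like Magento's layout_update table (id, handle, xml).
# Row 2 is an ILLUSTRATION of the technique, not the actual payload: the helper
# class/method and the sed command are placeholders.
SAMPLE_ROWS = [
    (1, "default", r"""<body><referenceBlock name="footer"><action method="setTemplate">
      <argument name="template" xsi:type="string">Magento_Theme::html/footer.phtml</argument>
    </action></referenceBlock></body>"""),
    (2, "checkout_cart_index", r"""<body><referenceContainer name="content">
      <block class="Magento\Framework\View\Element\Template" name="hidden_block">
        <arguments><argument name="data" xsi:type="helper" helper="Assert\Assertion::placeholder">
          <param name="cmd">sed -i 's/X/Y/' vendor/magento/module-cms/Controller/Index/Index.php</param>
        </argument></arguments>
      </block></referenceContainer></body>"""),
]


def scan_layout_xml(handle: str, xml: str) -> list[str]:
    """Return human-readable findings for one layout_update row (empty list = clean)."""
    findings = []
    try:
        # Wrap the fragment so the xsi prefix is declared even when the row omits it.
        root = ET.fromstring(
            f'<root xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">{xml}</root>'
        )
    except ET.ParseError as exc:
        return [f"{handle}: unparseable XML ({exc}); inspect manually"]

    for node in root.iter():
        if node.get(XSI + "type") != "helper":
            continue
        helper = node.get("helper", "")
        cls = helper.split("::", 1)[0]
        if not cls.startswith(ALLOWED_HELPER_PREFIXES):
            findings.append(f"{handle}: helper argument calls non-core class {helper!r}")
        for param in node.iter("param"):
            text = param.text or ""
            if SHELL_INDICATORS.search(text):
                findings.append(f"{handle}: helper param contains shell-like payload {text[:50]!r}")

    if findings and handle.startswith("checkout_cart"):
        findings.append(f"{handle}: bound to the cart handle, so it fires on every /checkout/cart request")
    return findings


def scan_rows(rows) -> dict[int, list[str]]:
    """Scan every row; return {layout_update_id: findings} for rows that have findings."""
    report = {}
    for row_id, handle, xml in rows:
        findings = scan_layout_xml(handle, xml)
        if findings:
            report[row_id] = findings
    return report


if __name__ == "__main__":
    for row_id, findings in scan_rows(SAMPLE_ROWS).items():
        print(f"layout_update_id={row_id}")
        for f in findings:
            print("  -", f)
```

To run it against a real store, feed scan_rows the result of SELECT layout_update_id, handle, xml FROM layout_update (those are the table's actual columns). A clean layout_update table is not proof the store is clean: the sed command writes to disk, so pair this with a file-integrity diff of vendor/ and app/code/ against a known-good composer install, which is what a scanner such as eComscan does for you.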
CISA warns of “nation state compromise involving Microsoft products”
The US CISA (Cybersecurity and Infrastructure Security Agency) just issued Emergency Directive 24-02 highlighting “significant risk of nation-state compromise involving Microsoft products.”
The directive, aimed at federal agencies, instructs them to “analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to secure privileged Microsoft Azure accounts.”
Read: https://www.cisa.gov/news-events/alerts/2024/04/11/cisa-issues-emergency-directive-24-02-mitigating-significant-risk-nation-state-compromise-microsoft
Elsewhere Online:
NSA Revamps Guidelines on Zero-Trust to Minimize Vulnerability Exposures
Read: https://www.darkreading.com/cybersecurity-operations/nsa-updates-zero-trust-advice-to-reduce-attack-surfaces
Third Party SaaS Vendor Causes Home Depot Employee Data Leak
Read: https://www.darkreading.com/cyberattacks-data-breaches/home-depot-hammered-by-supply-chain-data-breach
Google Takes Legal Action Against China-Based App Developers Over Cryptocurrency Scam Targeting Thousands
Read: https://www.bitdefender.com/blog/hotforsecurity/google-sues-crypto-investment-app-makers-over-alleged-massive-pig-butchering-scam/
Critical Flaws Uncovered in Generative AI Models on Hugging Face Platform: Insights from Wiz Security Research
Read: https://www.infosecurity-magazine.com/news/wiz-discovers-flaws-generative-ai/
Security Vulnerability Exposes Ibis Budget Guest Room Codes to Hackers
Read: https://www.hackread.com/ibis-budget-guest-room-codes-hacker-vulnerability/
Previously on #AxisOfEasy
If you missed the previous issues, they can be read online here:
- April 1st, 2024: Telecom Giant AT&T Says Personal Data From 73M Accounts Has Been Leaked Onto The Dark Web
- March 25th, 2024: What Is Money? Decoding The Finance Code With easyDNS CEO Mark Jeftovic
- March 18th, 2024: Large Scale Data Breach Exposes Info Of Nearly Half Of France’s Working Population
- March 11th, 2024: Major Cybersecurity Breach: Top US Agency CISA Hacked, Systems Offline
- March 4th, 2024: Security Researchers Create “Morris II”: A Test AI Worm That Can Steal Data And Send Spam Emails
“There is only one thing in life worse than being talked about, and that is not being talked about.” — Mae West
Oscar Wilde
Oscar Wilde
“In matters of society, it is not a question of being right or wrong, but of being charming or tedious” - Oscar Wilde’s more important observation
Oscar Wilde
(Thanks to the Monty Python skit for the reminder.)
Today’s quote is from Oscar Wilde.
Well, that one was easy!
“There is only one thing in life worse than being talked about, and that is not being talked about.”
Oscar Wilde – one of my heroes. (and no, I’m not gay)
I know most of his quotes, having reluctantly studied “Lady Windermere’s Fan” in High School, back when they actually taught such effete literature in the mid 20th century.