Find Malware by File Contents with YARA Search: Our New Threat Intelligence Service

From any.run

Today, we’re excited to announce a new service in ANY.RUN — YARA Search.

YARA Search offers a way to identify threats that differs from our TI Lookup. While TI Lookup allows you to search for related threat data using individual indicators like IP addresses or event fields, YARA Search analyzes the contents of files themselves.

This is a completely new way to search ANY.RUN’s threat intelligence database, and a new addition to our range of threat intelligence tools — in true ANY.RUN fashion, giving you quick access to information from real-world data.

Read more…

Alert! Cisco Releases Critical Security Updates To Fix 2 ASA Firewall 0-Days

From gbhackers.com

Cisco has released critical security updates to address multiple vulnerabilities in its Adaptive Security Appliance (ASA) devices and Firepower Threat Defense (FTD) software, collectively known as the “ArcaneDoor” vulnerabilities.

If exploited, these vulnerabilities could allow a cyber threat actor to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities Catalog, indicating active exploitation in the wild.

Recently, GBHackers on Security reported that a sophisticated cyber espionage campaign dubbed “ArcaneDoor”, conducted by a state-sponsored threat actor tracked as UAT4356, exploited these two zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) in Cisco’s Adaptive Security Appliance (ASA) firewalls.

Read more…

Security Leaders Braced for Daily AI-Driven Attacks by Year-End

From infosecurity-magazine.com

Most businesses are concerned about AI-enabled cyber-threats, with 93% of security leaders expecting to face daily AI-driven attacks by the end of 2024, according to a new report by Netacea.

Around two-thirds (65%) expect that offensive AI will be the norm for cybercriminals, used in most cyber-attacks.

The threat vector that respondents to the Netacea survey believe is most likely to be powered by AI is ransomware, cited by 48% of CISOs.

This was followed by phishing (38%), malware (34%), bot attacks (16%) and data exfiltration (13%).

These views closely align with the threat vectors security leaders see as the greatest cyber threat facing their business in the next six months: ransomware (36%), phishing (22%), malware (21%), bot attacks (11%) and data exfiltration (9%).

Netacea believes this shows businesses underestimate the impact bot attacks have, citing its 2023 survey in which enterprises reported that bots cost on average 4.3% of their online revenue.

The firm said this equates to 50 ransomware payouts for the largest businesses.

Read more…

Google Fixed Critical Chrome Vulnerability CVE-2024-4058

From securityaffairs.com

Google addressed four vulnerabilities in the Chrome web browser, including a critical vulnerability tracked as CVE-2024-4058.

The vulnerability CVE-2024-4058 is a Type Confusion issue that resides in the ANGLE graphics layer engine. An attacker can exploit this vulnerability to execute arbitrary code on a victim’s machine.

This critical flaw was reported by Toan (suto) Pham and Bao (zx) Pham of Qrious Secure on 2024-04-02; the researchers were awarded a $16,000 bounty.

The IT giant also fixed a high-severity flaw tracked as CVE-2024-4059. The flaw is an out-of-bounds read in the V8 API. The vulnerability was discovered by Eirik on 2024-04-08.

Google also fixed another high-severity flaw tracked as CVE-2024-4060. The flaw is a use-after-free in Dawn, an open-source, cross-platform implementation of the WebGPU standard. The vulnerability was reported by wgslfuzz on 2024-04-09.

Read more…

ArcaneDoor hackers exploit Cisco zero-days to breach govt networks

From bleepingcomputer.com

Cisco warned today that a state-backed hacking group has been exploiting two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to breach government networks worldwide.

The hackers, identified as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, began infiltrating vulnerable edge devices in early November 2023 in a cyber-espionage campaign tracked as ArcaneDoor.

Even though Cisco has not yet identified the initial attack vector, it discovered and fixed two security flaws—CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution)—that the threat actors used as zero-days in these attacks.

Cisco became aware of the ArcaneDoor campaign in early January 2024 and found evidence that the attackers had tested and developed exploits to target the two zero-days since at least July 2023.

Read more…

Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials

From microsoft.com

Microsoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russian-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions. Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations. While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks.

Read more…

Cyber Attack Defenders Up For Battle: Huge Uptick In Timely Detections

From gbhackers.com

Attackers are employing evasion techniques to bypass detection and extend dwell time on compromised systems. This is achieved by targeting unmonitored devices, leveraging legitimate tools, and exploiting zero-day vulnerabilities.

While defenders are improving detection speed (dwell time decreased from 16 to 10 days), this is partly due to faster ransomware identification and to adversary-in-the-middle and social engineering tactics used to bypass multi-factor authentication.

Cloud infrastructure is under attack, with attackers even leveraging cloud resources. Both red and purple teams are exploring AI for better security outcomes as they analyze these trends and offer mitigation strategies to the security community.

Read more…