No more 12345: devices with weak passwords to be banned in UK

From theguardian.com

Tech that comes with weak passwords such as “admin” or “12345” will be banned in the UK under new laws dictating that all smart devices must meet minimum security standards.

Measures to protect consumers from hacking and cyber-attacks come into effect on Monday, the Department for Science, Innovation and Technology said.

It means manufacturers of phones, TVs and smart doorbells, among others, are now legally required to protect internet-connected devices against access by cybercriminals, with users prompted to change any common passwords.

Brands have to publish contact details so that bugs and issues can be reported, and must be transparent about timings of security updates.

It is hoped the new measures will help give customers confidence in buying and using products at a time when consumers and businesses have come under attack from hackers at a soaring rate.

Read more…

Find Malware by File Contents with YARA Search: Our New Threat Intelligence Service

From any.run

Today, we’re excited to announce a new service in ANY.RUN — YARA Search.

YARA Search offers a way to identify threats that differs from our TI Lookup. While TI Lookup allows you to search for related threat data using individual indicators like IP addresses or event fields, YARA Search analyzes the contents of files themselves.

This is a completely new way to search ANY.RUN‘s threat intelligence database, and a new addition to our range of threat intelligence tools — in true ANY.RUN fashion, giving you quick access to information from real-world data.

Read more…

Alert! Cisco Releases Critical Security Updates To Fix 2 ASA Firewall 0-Days

From gbhackers.com

Cisco has released critical security updates to address multiple vulnerabilities in its Adaptive Security Appliance (ASA) devices and Firepower Threat Defense (FTD) software, collectively known as the “ArcaneDoor” vulnerabilities.

If exploited, these vulnerabilities could allow a cyber threat actor to take control of an affected system.

The Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities Catalog, indicating active exploitation in the wild.

Recently, GBHackers on Security reported that a sophisticated cyber espionage campaign dubbed “ArcaneDoor”, conducted by a state-sponsored threat actor tracked as UAT4356, exploited these two zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) in Cisco’s Adaptive Security Appliance (ASA) firewalls.

Read more…

Security Leaders Braced for Daily AI-Driven Attacks by Year-End

From infosecurity-magazine.com

Most businesses are concerned about AI-enabled cyber-threats, with 93% of security leaders expecting to face daily AI-driven attacks by the end of 2024, according to a new report by Netacea.

Around two-thirds (65%) expect that offensive AI will be the norm for cybercriminals, used in most cyber-attacks.

The threat vector that respondents to the Netacea survey believe is most likely to be powered by AI is ransomware, cited by 48% of CISOs.

This was followed by phishing (38%), malware (34%), bot attacks (16%) and data exfiltration (13%).

These views closely align with the threat vectors security leaders see as the greatest cyber threat facing their business in the next six months: ransomware (36%), phishing (22%), malware (21%), bot attacks (11%) and data exfiltration (9%).

Netacea believes this shows businesses underestimate the impact bot attacks have, citing its 2023 survey in which enterprises reported that bots cost on average 4.3% of their online revenue.

The firm said this equates to 50 ransomware payouts for the largest businesses.

Read more…

Google Fixed Critical Chrome Vulnerability CVE-2024-4058

From securityaffairs.com

Google addressed four vulnerabilities in the Chrome web browser, including a critical vulnerability tracked as CVE-2024-4058.

The vulnerability CVE-2024-4058 is a Type Confusion issue that resides in the ANGLE graphics layer engine. An attacker can exploit this vulnerability to execute arbitrary code on a victim’s machine.

This critical flaw was reported by Toan (suto) Pham and Bao (zx) Pham of Qrious Secure on 2024-04-02; the researchers have been awarded a $16,000 bounty.

The IT giant also fixed a high-severity flaw tracked as CVE-2024-4059. The flaw is an out-of-bounds read in the V8 API. The vulnerability was discovered by Eirik on 2024-04-08.

Google also fixed another high-severity flaw tracked as CVE-2024-4060. The flaw is a use-after-free in Dawn, which is an open-source and cross-platform implementation of the WebGPU standard. The vulnerability was reported by wgslfuzz on 2024-04-09.

Read more…

ArcaneDoor hackers exploit Cisco zero-days to breach govt networks

From bleepingcomputer.com

Cisco warned today that a state-backed hacking group has been exploiting two zero-day vulnerabilities in Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to breach government networks worldwide.

The hackers, identified as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, began infiltrating vulnerable edge devices in early November 2023 in a cyber-espionage campaign tracked as ArcaneDoor.

Even though Cisco has not yet identified the initial attack vector, it discovered and fixed two security flaws—CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution)—that the threat actors used as zero-days in these attacks.

Cisco became aware of the ArcaneDoor campaign in early January 2024 and found evidence that the attackers had tested and developed exploits to target the two zero-days since at least July 2023.

Read more…

Analyzing Forest Blizzard’s custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials

From microsoft.com

Microsoft Threat Intelligence is publishing results of our longstanding investigation into activity by the Russia-based threat actor Forest Blizzard (STRONTIUM) using a custom tool to elevate privileges and steal credentials in compromised networks. Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in the Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions. Microsoft has observed Forest Blizzard using GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American government, non-governmental, education, and transportation sector organizations. While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks.

Read more…