Weekly Security News – 15th January 2024

Welcome to this week’s Security News. If you have any queries or concerns about anything in this week’s news, then please get in touch with our team who can advise further. For our existing clients, if we believe anything may affect your organisation, our team will be in touch directly. 

Vulnerabilities and Patches

Cryptominers Targeting Misconfigured Apache Hadoop and Flink with Rootkit in New Attacks

Cybersecurity researchers have discovered a new attack exploiting misconfigurations in Apache Hadoop and Flink to deploy cryptocurrency miners within targeted environments. The attackers employ packers and rootkits to conceal the malware, making the attack particularly intriguing. Additionally, the malware is designed to delete contents from specific directories and modify system configurations to avoid detection. The use of these tactics showcases the evolving techniques used by threat actors to compromise systems and deploy malicious payloads, emphasizing the importance of robust cybersecurity measures and proper configuration management in securing big data and analytics platforms.

CISA Flags Active Exploitation of Microsoft SharePoint Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security vulnerability affecting Microsoft SharePoint Server to its Known Exploited Vulnerabilities (KEV) catalog, indicating evidence of active exploitation. Tracked as CVE-2023-29357 with a CVSS score of 9.8, the vulnerability is a privilege escalation flaw that could allow an attacker to gain administrator privileges. Microsoft had released patches for this vulnerability as part of its June 2023 Patch Tuesday updates. The flaw is associated with the exploitation of spoofed JWT authentication tokens, enabling network attacks that bypass authentication and grant unauthorized access to the privileges of an authenticated user without requiring any user action.

Actively exploited 0-days in Ivanti VPN are letting hackers backdoor networks

Ivanti has disclosed two zero-day vulnerabilities in Ivanti Connect Secure (ICS), a VPN appliance previously known as Pulse Secure. The vulnerabilities are tracked as CVE-2023-46805 and CVE-2024-21887. Ivanti provided limited details about the zero-days, urging customers to promptly follow mitigation guidance. ICS has faced previous zero-days in recent years, some of which were exploited extensively. The disclosure underscores the importance of promptly addressing vulnerabilities in VPN appliances to mitigate the risk of exploitation and safeguard network security.

Microsoft shares script to update Windows 10 WinRE with BitLocker fixes

Microsoft has released a PowerShell script to automate updating the Windows Recovery Environment (WinRE) partition to address CVE-2024-20666. This vulnerability could potentially lead to a BitLocker encryption bypass. The security issue was fixed with the KB5034441 security update released during the recent Patch Tuesday. The PowerShell script aims to resolve a known issue causing installation failures of KB5034441 on Windows 10 systems, which could leave devices vulnerable to the BitLocker encryption bypass flaw, allowing unauthorized access to encrypted data. Users are encouraged to apply the necessary updates to safeguard their systems against potential security risks.

Microsoft fixes 48 bugs in January Patch Tuesday, none of them zero-days

For the January 2024 Patch Tuesday, Microsoft addressed 48 vulnerabilities, and notably, none of these flaws were actively exploited. This means that no zero-day vulnerabilities were published or patched on January 9, marking the second consecutive Patch Tuesday without zero-days. The most critical vulnerability addressed in this update is CVE-2024-20674, which received a patch for all current versions of Windows. Regular and timely application of security patches is crucial for maintaining the security of systems and protecting against potential threats.


Mandiant Details How Its X Account Was Hacked

The X account of Mandiant, part of Google Cloud, was compromised in early January and exploited to promote a link to a fake website posing as the legitimate Phantom cryptocurrency wallet. An investigation by Mandiant revealed that the compromise was likely the result of a brute-force password attack and impacted a single account. There is no evidence suggesting the compromise extended to Mandiant or Google Cloud systems. Mandiant acknowledged that 2FA would have mitigated the issue, but due to transitions and changes in 2FA policy, adequate protection was not in place. Steps have been taken to prevent a recurrence of such incidents.

Threat Actors Increasingly Abusing GitHub for Malicious Purposes

GitHub’s widespread use in IT environments has made it an attractive option for threat actors to host and distribute malicious payloads, as well as serve as dead drop resolvers, command-and-control, and data exfiltration points. Recorded Future has coined the term “living-off-trusted-sites” (LOTS) to describe this approach, which is a variation of the living-off-the-land (LotL) techniques commonly employed by threat actors to hide malicious activities within legitimate network traffic. Using GitHub for malicious infrastructure allows adversaries to blend in with genuine network activity, making it challenging for traditional security defences to detect and attribute malicious actions. This underscores the importance of monitoring and securing trusted platforms against abuse by threat actors.

This AI Chatbot is Trained to Jailbreak Other Chatbots

Researchers claim to have trained an AI tool called Masterkey to generate new methods to evade the defences of other chatbots and create malware for injection into vulnerable systems. Masterkey reportedly automates the process of finding new vulnerabilities in Large Language Model (LLM)-based systems such as ChatGPT, Microsoft’s Bing Chat, and Google Bard. It highlights the evolving challenges in securing AI systems and the potential risks associated with the use of AI in cybersecurity, emphasizing the need for robust defences to mitigate the exploitation of vulnerabilities in these systems.

The Top 24 Security Predictions for 2024

As global experts examine trends and international focus areas for 2024, several key topics have emerged. These include upcoming elections, regional conflicts, space exploration, and advances in artificial intelligence (AI). Given the increasing centrality of technology in various aspects of life, cybersecurity predictions and reports are deemed more critical than ever. These cybersecurity assessments help anticipate and address emerging threats, vulnerabilities, and trends, enabling organizations and individuals to adopt proactive measures to enhance their security posture.