Joomla XSS Risk, Banking Trojan Google, US Cyber Tips – Cybersecurity News [February 19, 2024]

by Duocircle


From Joomla’s new vulnerabilities to the latest banking trojan campaigns on Google Cloud Run and OpenAI keeping state-sponsored threat actors from using its ChatGPT tool, here are the top scoops of the week in the cybersecurity world. Stay tuned to learn more about these and how to keep yourself safe from these new threats.


Joomla Addresses XSS Vulnerabilities Potentially Leading to RCE Attacks on Sites

Five new vulnerabilities were discovered in Joomla’s CMS (Content Management System) that threat actors could use to execute code on affected websites.

Joomla has addressed the issues, and the fixes are present in versions 4.4.3 and 5.0.3 of the CMS, so it is best to update to one of these. Here are the vulnerabilities: CVE-2024-21722, CVE-2024-21723, CVE-2024-21724, CVE-2024-21725, and CVE-2024-21726. Joomla released an advisory explaining all of these. The organization also shared details on how threat actors could use them to execute remote code by tricking site administrators into clicking on malicious links.

The last of the above is an XSS flaw that could allow threat actors to inject malicious scripts into the content served to other users. Threat actors could launch spray and pray attacks on a larger audience by exploiting it.

Joomla did not share any technical details but did ask users to update to the latest versions to stay safe.


Hackers Exploit Google Cloud Run in Massive Banking Trojan Campaign

Researchers at Cisco Talos have warned about threat actors abusing Google Cloud Run to spread banking trojans.

Google Cloud Run is a platform for deploying frontend and backend services. The researchers observed a massive surge in its misuse for malware distribution. Threat actors have been abusing the platform since September last year because it is cheap and traffic to it can slip past standard security controls. They send phishing emails that look like authentic communication, such as invoices or financial statements. The emails contain links that redirect to malicious web services hosted on Cloud Run, which serve obfuscated MSI files. Once the victim opens these files, the payloads are downloaded and installed on the victim’s system.

The malware persists across reboots by adding LNK files to the Startup folder. The campaign distributes the Astaroth/Guildma, Mekotio, and Ousaban banking trojans, which can infiltrate systems and exfiltrate data without the victim’s knowledge. They can log keystrokes, collect credentials, capture the screen, and monitor the clipboard.
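The persistence technique described above (LNK files dropped in the Startup folder) is something defenders can check for directly. The following Python script is an added example written for this roundup, not code from Cisco Talos or from the article: it parses the shell-link (MS-SHLLINK) binary format far enough to recover each shortcut's target path and arguments, then applies a few hypothetical triage rules (script hosts, user-writable paths, script-file arguments). The Startup folder paths, the triage lists and the sample shortcuts are assumptions made for the example; the sample .lnk bytes are constructed inline rather than taken from the campaign, so the script runs offline.

```python
"""Triage Startup-folder shortcuts for LNK-based persistence (added example).

Parses MS-SHLLINK just far enough to recover target, arguments and working
directory, then flags shortcuts whose target looks unlike a normal application
shortcut. Sample .lnk bytes are constructed inline; on a Windows host,
scan_startup_dirs() reads the real Startup folders listed in STARTUP_DIRS.
"""
import os
import struct

STARTUP_DIRS = [  # per-user and all-users Startup folders (assumed standard locations)
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp",
]
# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK section 2.1.1)
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# Hypothetical triage lists: script hosts/LOLBins and user-writable path markers
INTERPRETERS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "cmd.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\public\\", "\\programdata\\", "\\downloads\\")

def parse_lnk(data: bytes) -> dict:
    """Return target, args and workdir recovered from raw .lnk bytes."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    pos, out = 0x4C, {"target": None, "args": "", "workdir": ""}
    if flags & HAS_ID_LIST:  # skip the PIDL; LinkInfo carries the plain path
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        info_size, _, info_flags = struct.unpack_from("<III", data, pos)
        if info_flags & 0x01:  # VolumeIDAndLocalBasePath: ANSI path at LocalBasePathOffset
            start = pos + struct.unpack_from("<I", data, pos + 16)[0]
            out["target"] = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += info_size
    # StringData blocks follow in a fixed order, each present only when its flag is set
    for flag, key in ((HAS_NAME, None), (HAS_REL_PATH, None), (HAS_WORK_DIR, "workdir"),
                      (HAS_ARGS, "args"), (HAS_ICON, None)):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        if key:
            out[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
    return out

def triage(entry: dict) -> list:
    """Return the reasons a Startup shortcut deserves a closer look (empty = unremarkable)."""
    target, args = (entry.get("target") or "").lower(), entry.get("args", "").lower()
    reasons = []
    if not target:
        reasons.append("no local target path recorded")
    if target.rsplit("\\", 1)[-1] in INTERPRETERS:
        reasons.append("target is a script host or LOLBin")
    if any(m in target or m in args for m in USER_WRITABLE):
        reasons.append("target or arguments point into a user-writable directory")
    if any(ext in args for ext in (".js", ".vbs", ".hta", ".ps1")) or "hidden" in args:
        reasons.append("arguments launch a script or hide the window")
    return reasons

def scan_startup_dirs() -> dict:
    """On a Windows host, parse and triage every .lnk in the known Startup folders."""
    findings = {}
    for pattern in STARTUP_DIRS:
        folder = os.path.expandvars(pattern)
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            if name.lower().endswith(".lnk"):
                with open(os.path.join(folder, name), "rb") as fh:
                    entry = parse_lnk(fh.read())
                findings[name] = (entry, triage(entry))
    return findings

def build_lnk(target: str, args: str = "", workdir: str = "") -> bytes:
    """Construct a minimal shell link for test data only (real files carry more structures)."""
    flags = HAS_LINK_INFO | IS_UNICODE | (HAS_WORK_DIR if workdir else 0) | (HAS_ARGS if args else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + bytes(0x4C - 24)
    path = target.encode("latin-1") + b"\x00"  # LinkInfo: 28-byte header, then the base path
    info = struct.pack("<7I", 28 + len(path), 28, 0x01, 0, 28, 0, 27 + len(path)) + path
    strings = b"".join(struct.pack("<H", len(t)) + t.encode("utf-16-le")
                       for f, t in ((HAS_WORK_DIR, workdir), (HAS_ARGS, args)) if flags & f)
    return header + info + strings

SAMPLE_LNKS = {  # constructed samples, not artefacts from the campaign described above
    "Updater.lnk": build_lnk(r"C:\Windows\System32\wscript.exe",
                             args=r'//B "C:\Users\victim\AppData\Roaming\upd.js"'),
    "OneDrive.lnk": build_lnk(r"C:\Program Files\Microsoft OneDrive\OneDrive.exe", "/background"),
}

if __name__ == "__main__":
    for name, blob in SAMPLE_LNKS.items():
        entry = parse_lnk(blob)
        print(name, entry["target"], entry["args"], triage(entry) or "OK")
```

Running the script offline prints the two constructed entries: the shortcut that launches a script host against a file under AppData collects three triage reasons, while the ordinary application shortcut collects none. On a real host, scan_startup_dirs() returns the same (entry, reasons) pairs for every shortcut in both Startup folders; the parser deliberately ignores the item ID list and network-share structures, so a shortcut whose LinkInfo lacks a local base path is reported as "no local target path recorded" rather than silently skipped.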


Google has not addressed the new threat, so avoiding such phishing emails is the best defense. If you receive one, contact the bank through its official website or phone number to verify that the message is genuine. Also make sure you have the required phishing protection measures in place to stay safe.


US Government Offers Cyberattack Defense Tips for Water Utilities

The FBI has released a list of defense measures that US water utilities should check to protect their systems against threats.

The FBI released the fact sheet together with CISA and the EPA (Environmental Protection Agency), along with free services, tools, and resources that utilities can use. Water utilities need to reduce the exposure of critical assets such as OT devices to the public internet and conduct cybersecurity assessments to identify the vulnerabilities that exist in their systems.

The agencies say organizations should change all default settings and replace insecure passwords. Implementing MFA (Multi-Factor Authentication) can also go a long way. WWS (Water and Wastewater Systems) facilities must also create inventories of OT/IT assets to assess the attack surface and back these up regularly. Moreover, it is recommended that they patch all systems to block exploitation attempts and develop a cybersecurity incident response and recovery plan to handle breaches when they do occur.

These recommendations come because water facilities have become one of the most targeted sectors for threat actors in recent years. It is crucial to enhance phishing awareness training within these facilities to bolster their cybersecurity measures and safeguard against potential threats.


Source Code of Knight Ransomware Up for Sale Following Shutdown of Leak Site

The source code of the Knight ransomware is currently being offered for sale to buyers on a hacker forum by a former representative of the operation.


The ransomware emerged at the end of July last year as a rebrand of the Cyclops operation, which could target all operating systems. It also had a lite version of its encryptor and info stealers aimed at low-level threat actors, which they could use to attack smaller organizations.

Researchers at KELA came across the ad a few days ago. It was posted under the alias Cyclops, a known representative of the gang. The threat actor is selling the source code for the ransomware panel and the locker, written in Golang and C++. No price was shared, but the seller said it was for a single buyer. The seller also shared Jabber contact addresses for prospective buyers to get in touch.

The ransomware has been used to breach over 50 organizations since last year and could be a massive threat in the wrong hands. 


OpenAI Denies ChatGPT Access to State-Sponsored Hackers

OpenAI has removed multiple accounts of state-sponsored threat actor groups from North Korea, China, Iran, and Russia. 

The accounts were abusing OpenAI’s ChatGPT tool for malicious purposes, as reported by Microsoft Threat Intelligence (MTI). Microsoft shared a report highlighting how the threat actors were misusing the model. All activity associated with the following groups has been terminated.

  • Emerald Sleet (North Korea)
  • Forest Blizzard (Russia)
  • Charcoal Typhoon (China)
  • Crimson Sandstorm (Iran)
  • Salmon Typhoon (China)


The threat actors used ChatGPT to improve their strategies and operations, such as social engineering, evasion tactics, and surveillance. However, none of the cases showed them directly using the platform to develop malware or similar tools. The threat actors used ChatGPT’s code assistance for low-level tasks such as scripting, optimizing existing code, and disabling antivirus software.

OpenAI shared a post and highlighted how the organization will continue to monitor and disrupt state-backed threat actors with its monitoring technology and information from industry partners.
