Operational Cybersecurity Alignment, Chrome Credential Threats, CISA CVEs Update – Cybersecurity News [September 16, 2024]

Did you know how cyberspace unfolded this week? Here we are to inform you about this week’s most talked-about news and updates, curated and designed for you. We have covered topics around cybersecurity attacks, advisories, and other security-related updates. Some of these topics are related to leveraging cloud solutions in creating and maintaining access control, the FOCAL plan of CISA to safeguard an organization’s security posture, Chrome users being targeted to reveal account credentials, CISA’s addition of two new CVEs to the list, Fake and fraudulent live streaming websites exposed, and many more.

CISA Releases Plan to Align Operational Cybersecurity Priorities

The Cybersecurity and Infrastructure Security Agency (CISA) and The Federal Civilian Executive Branch (FCEB) have initiated an FECB Operational Cybersecurity Alignment (FOCAL) Plan. The idea is to help organizations strengthen their security posture that  targets over 100 federal agencies. The FOCAL plan considered each agency’s unique system architecture and risk tolerance capabilities, resulting in an industry-accepted and adopted plan.

CISA aims to reduce vulnerabilities, enhance the robustness of defense mechanisms, so that the organizations are well-equipped to fight against advanced cyber threats. Asset Management, Vulnerability Management, Defensible Architecture, Cyber Supply Chain Risk Management (C-SCRM), and Incident Detection and Response are the five priority areas in the plan.

The FOCAL Plan provides a clear roadmap for public and private sector organizations, despite just federal agencies recommending them to enhance and leverage their cybersecurity tools and methodologies. It highlights the importance of proactive measures like securing internet-accessible assets, realizing the need to invest in defense strategies and mechanisms, and much more to mitigate risks in today’s dynamic threat landscape.

The plan also underscores the need for collaboration across varied domains and sectors to build a more resilient cybersecurity infrastructure. When successfully implemented, The objectives emphasized by the FOCAL plan will help ensure the rise in advanced collective defenses, eventually improving detection and response capabilities.

New Threats Targeting Chrome Users To Provide Their Google Sign-In Credentials

Recently, we have seen the emergence of a new form of cybersecurity threat specifically targeting Google Chrome users. This threat uses malicious software (malware) named StealC that forces its victims to reveal their Google account credentials. As per the researchers at Open Analysis Lab, the technicalities include trapping users in Chrome’s kiosk mode, locking them in full-screen mode, and disabling keyboard keys (specifically, system keys) like F11 and ESC. Once infected, victims have no choice but to enter their login details into a Google sign-in page (credentials stolen in the background). The frequency of such attacks is growing at an alarming rate at a time when browser activities are at an all-time high.

Hackers infect the system with the Amadey malware which is responsible for deploying the main malware named StealC. Once the user’s browser is locked into kiosk mode, StealC captures their credentials when they attempt to log in. This attack isn’t limited to desktops—there’s also a growing threat from the TrickMo malware, targeting Android users by posing as a legitimate Google Chrome app.

TrickMo tricks users into granting sensitive permissions, gaining crucial details about the victim’s profile. These techniques come under the broader trend of credential-stealing attacks, which leverage modern tools and attack vectors that are very sophisticated, complex, and difficult to detect and identify. Internet users are advised to seriously exercise the below steps to safeguard themselves against such sophisticated-natured threats:

1. Avoid clicking suspicious links or URLs
2. Do not download unknown software
3. Only rely on the official Google PlayStore or App Store for authentic downloads
4. Practice caution when allowing permissions to various apps
5. Update your software regularly

CISA’s Known Exploited Vulnerabilities Catalog Updated with Two New CVEs

The CISA has identified and updated its Known Exploited Vulnerabilities Catalog with two newly founded vulnerabilities. The vulnerabilities include the CVE numbers CVE-2024-43461 and CVE-2024-6670. The CVE-2024-43461 is determined to be a Microsoft Windows MSHTML Platform Spoofing vulnerability, and CVE-2024-6670 is a Progress WhatsUp Gold SQL Injection vulnerability. These vulnerabilities are critical as they open pathways for cyber threat actors having malicious intent, increasing the risk of exploitation across federal systems.

This addition highlights CISA’s ongoing efforts under Binding Operational Directive (BOD) 22-01, which mandates Federal Civilian Executive Branch (FCEB) agencies to address known vulnerabilities by specified deadlines to mitigate potential occurrences of future risks. The Known Exploited Vulnerabilities Catalog, established through BOD 22-01, is a critical tool to address vulnerabilities that present active cybersecurity risks and threats as early as possible. It is advised that timely remediation of these vulnerabilities is essential to reduce exposure to the threat landscape and defend infrastructure against cyberattacks.

Although BOD 22-01 applies primarily to FCEB agencies, CISA encourages public and private organizations to integrate these cataloged vulnerabilities into their vulnerability management programs. By doing so, organizations can strengthen their defenses and minimize system risks. CISA will continue to update the catalog as new vulnerabilities meeting its criteria are discovered.

Exploitation of Facebook by Bangladesh Group Entity, Apkdownloadweb

If you have been using Facebook, you might be familiar with the increase in scamming activities on the platform. Hackers try to create fake funeral streaming groups and also try to emotionally manipulate friends and family of the deceased to provide their credit card details. These fraudulent Facebook postings use realistic event details and images of the deceased to deceive followers into accepting the tragedy. In these groups, the victims are directed to a newly registered website demanding payment to view the live streams. Not only are realistic funeral events broadcast, but they also cover various events, including weddings, birthdays, and community gatherings.

As per research and findings, one domain has been identified,  livestreamnow.xyz, which is linked to a Bangladesh entity called “Apkdownloadweb,” they have registered similar fake streaming sites up until now. These groups have been using DNS servers hosted in Bangladesh and have connections to thousands of questionable domains at the same IP address. These networks of scam websites target victims by involving social engineering tactics and using stolen credentials to fuel these fake streaming services.