---
title: "Joomla XSS Risk, Banking Trojan Google, US Cyber Tips, Cybersecurity News [February 19, 2024] | DuoCircle"
description: "Joomla XSS Risk, Banking Trojan Google, US Cyber Tips, Cybersecurity News [February 19."
image: "https://www.duocircle.com/images/og-default.png"
canonical: "https://www.duocircle.com/blog/announcements/cyber-security-news-update-week-9-of-2024/"
---

Quick Answer

Week 9, 2024 cyber news: Joomla patches five flaws in 4.4.3 and 5.0.3, including CVE-2024-21726 XSS that can lead to RCE via admin clicks; Cisco Talos finds Astaroth/Guildma, Mekotio, and Ousaban banking trojans abusing Google Cloud Run with persistent LNK Startup entries; CISA, EPA, and the FBI publish a water-utility hardening fact sheet covering MFA, defaults, OT/IT inventory, and incident response; Knight ransomware (rebrand of Cyclops, used against 50+ orgs) source code goes up for sale on a hacker forum; OpenAI removes accounts tied to North Korea's Emerald Sleet, Russia's Forest Blizzard, China's Charcoal and Salmon Typhoon, and Iran's Crimson Sandstorm for misusing ChatGPT.

Joomla XSS Risk, Banking Trojan Google, US Cyber Tips, Cybersecurity News \[February 19, 2024\]


![cybersecurity](https://media.mailhop.org/duocircle/images/2024/02/office-365-tenant-to-tenant-migration-same-domain.jpg) 

From Joomla’s new vulnerabilities to the latest banking trojan campaigns on Google Cloud Run and OpenAI keeping state-sponsored threat actors from using its ChatGPT tool, here are the top scoops of the week in the [cybersecurity](/) world. Stay tuned to learn more about these and how to **keep yourself safe** from these new threats.

## Joomla Addresses XSS Vulnerabilities Potentially Leading to RCE Attacks on Sites

**Five new vulnerabilities** were discovered in Joomla's CMS (Content Management System) that threat actors could use to execute [website code](https://aicontentfy.com/en/blog/delving-into-website-code-understanding-basics#:~:text=Website%20code%20refers%20to%20the,and%20functionality%20to%20the%20website.) on affected sites.

Joomla has addressed the issues, and the fixes are present in versions 4.4.3 and 5.0.3 of the CMS, so it's **best to update** to these. Here are the vulnerabilities: [CVE-2024-21722](https://developer.joomla.org/security-centre/925-20240201-core-insufficient-session-expiration-in-mfa-management-views.html), [CVE-2024-21723](https://developer.joomla.org/security-centre/926-20240202-core-open-redirect-in-installation-application.html), [CVE-2024-21724](https://developer.joomla.org/security-centre/927-20240203-core-xss-in-media-selection-fields.html), [CVE-2024-21725](https://developer.joomla.org/security-centre/928-20240204-core-xss-in-mail-address-outputs.html), and [CVE-2024-21726](https://developer.joomla.org/security-centre/929-20240205-core-inadequate-content-filtering-within-the-filter-code.html). Joomla released an [advisory](https://www.joomla.org/announcements/release-news/5904-joomla-5-0-3-and-4-4-3-security-and-bug-fix-release.html) explaining all of these. The organization also shared details on how threat actors could use these to execute remote code by tricking system admins into clicking on malicious links.

The last one of the above is an XSS flaw that could allow threat actors to [inject malicious scripts](https://www.bleepingcomputer.com/news/security/hackers-steal-data-of-2-million-in-sql-injection-xss-attacks/) into the **content served** to other users. By exploiting these flaws, threat actors could launch [spray-and-pray attacks](https://www.scmagazine.com/brief/spray-and-pray-attacks-likely-with-zoho-manageengine-rce-bug) against a larger audience.

_Joomla did not share any technical details but did ask the users to update to the **latest versions to stay safe**._ 

## Massive Banking Trojan Campaign Exploits Google Cloud Run by Hackers

Researchers at Cisco Talos have warned about threat actors abusing [Google Cloud Run](https://cloud.google.com/run/docs/overview/what-is-cloud-run#:~:text=Cloud%20Run%20is%20a%20managed,'re%20using%20Go%2C%20Node.) to spread **banking trojans**. 

_Google Cloud Run is for deploying frontend and backend services._ The researchers [observed](https://blog.talosintelligence.com/google-cloud-run-abuse/) a **massive surge** in its misuse for malware distribution. Threat actors have been misusing the platform since September last year because it is cheap and can bypass standard security controls. They send [phishing emails that look like authentic](https://sg.news.yahoo.com/fake-buyer-phishing-scam-victims-losing-january-investigated-singapore-041025550.html) communication, such as invoices or financial statements. These emails contain [phishing links](/phishing-protection/protecting-your-business-from-phishing-attacks/) that redirect to malicious web services hosted on Cloud Run and deliver **obscured MSI files**. Once the victim opens the files, the payloads are downloaded and installed on the victim's system.

The malware is persistent and can **survive reboots** on the system as it adds LNK files to the Startup folder. The campaign uses Astaroth/Guildma, Mekotio, and Ousaban banking trojans, which can infiltrate systems and [exfiltrate data without the victim’s knowledge](https://www.securitymagazine.com/articles/100359-there-was-a-39-surge-in-data-exfiltration-cyberattacks-in-2023). _They can log keystrokes, collect credentials, capture the screen, and monitor the clipboard._ 

[![cloud base cyber attack](https://media.mailhop.org/duocircle/images/2024/02/sendgrid-alternative.jpg)](https://media.mailhop.org/duocircle/images/2024/02/sendgrid-alternative.jpg)

Google has not addressed the new threat, so avoiding such phishing emails is best. If you get one, contact the organization it claims to come from via its **official website** or number to check the authenticity. Also make certain you have the required [phishing protection](/email/phishing-protection) measures in place to stay safe.
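A defender-side hunt for the Startup-folder LNK persistence described above, added here as an example; it is not code from the original article or from Cisco Talos. The events are constructed samples that use Sysmon Event ID 11 (FileCreate) field names, and the two process lists are assumptions to tune against your own baseline.

```python
import json
import ntpath
import re

# Per-user and all-users Startup folders share this path tail on Windows.
STARTUP_LNK = re.compile(
    r"\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.lnk$")

# Assumption: adjust both sets to the software you expect in your environment.
INTERACTIVE = {"explorer.exe"}  # a user creating a shortcut by hand
INSTALLER_OR_SCRIPT_HOST = {"msiexec.exe", "powershell.exe", "wscript.exe",
                            "cscript.exe", "cmd.exe", "mshta.exe", "rundll32.exe"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Constructed sample events (one JSON object per line), not real telemetry.
SAMPLE_EVENTS = r"""
{"EventID": 11, "UtcTime": "2024-02-20 09:14:03", "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\sysupdate.lnk"}
{"EventID": 11, "UtcTime": "2024-02-20 09:20:41", "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Notes.lnk"}
{"EventID": 11, "UtcTime": "2024-02-20 09:31:10", "Image": "C:\\Temp\\vendor-setup.exe", "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\Vendor Agent.lnk"}
{"EventID": 11, "UtcTime": "2024-02-20 09:40:55", "Image": "C:\\Windows\\System32\\msiexec.exe", "TargetFilename": "C:\\Users\\alice\\Desktop\\App.lnk"}
{"EventID": 11, "UtcTime": "2024-02-20 09:41:02", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetFilename": "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\readme.txt"}
"""


def classify(event):
    """Return a finding for a .lnk written into a Startup folder, else None."""
    path = event.get("TargetFilename", "").replace("/", "\\")
    lowered = path.lower()
    if not STARTUP_LNK.search(lowered):
        return None
    creator = ntpath.basename(event.get("Image", "")).lower()
    if creator in INSTALLER_OR_SCRIPT_HOST:
        severity = "high"      # installer or script host dropping autostart shortcut
    elif creator in INTERACTIVE:
        severity = "low"       # most likely a manual, user-driven change
    else:
        severity = "medium"    # unknown binary: review against software inventory
    scope = "all-users" if "\\programdata\\" in lowered else "per-user"
    return {"time": event.get("UtcTime", ""), "severity": severity,
            "scope": scope, "creator": creator, "lnk": ntpath.basename(path)}


def hunt(json_lines):
    """Parse JSON-lines events and return findings, most severe first."""
    findings = []
    for line in json_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or malformed records rather than abort
        if event.get("EventID") != 11:
            continue
        finding = classify(event)
        if finding:
            findings.append(finding)
    return sorted(findings,
                  key=lambda f: (SEVERITY_ORDER[f["severity"]], f["time"]))


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['time']}  {f['severity']:<6} {f['scope']:<9} "
              f"{f['creator']} -> {f['lnk']}")
```
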

## US Government Offers Cyberattack Defense Tips for Water Utilities

The FBI released a list of defense measures that US water utilities should check to **defend systems** against threats. 

The FBI [released](https://www.cisa.gov/news-events/alerts/2024/02/21/cisa-epa-and-fbi-release-top-cyber-actions-securing-water-systems) the fact sheet together with CISA and the EPA (Environmental Protection Agency), along with free services, tools, and resources that utilities can use. Water utilities need to reduce the exposure of critical assets like [OT devices](https://www.techtarget.com/whatis/definition/operational-technology) to the public internet and conduct [cybersecurity assessments](https://www.itgovernanceusa.com/cyber-security-risk-assessments#:~:text=A%20cybersecurity%20risk%20assessment%20evaluates,to%20treat%20the%20identified%20risks.) to **outline the vulnerabilities** that exist in their systems.

The agencies say organizations should **change all default settings** and address insecure passwords. Also, implementing [MFA (Multi-Factor Authentication)](/email-security/multi-factor-authentication-mfa-and-its-impact-on-email-security/) can go a long way. WWS (Water and Wastewater Systems) facilities must also create **inventories of OT/IT assets** to assess the attack surface and back up these systems regularly. _Moreover, it's recommended that they patch all systems to block exploitation attacks and develop a cybersecurity incident response/recovery plan to take care of breaches when they do occur._ 

These recommendations came because [water facilities](https://edition.cnn.com/2023/12/01/politics/us-water-utilities-hack/index.html) have become one of the **top targeted sectors** of threat actors in recent years. It is crucial to enhance [phishing awareness training](/phishing-awareness-training) within these facilities to bolster their cybersecurity measures and safeguard against potential threats.

## Source Code of Knight Ransomware Up for Sale Following Shutdown of Leak Site

[![ransomware](https://media.mailhop.org/duocircle/images/2024/02/hosted-mail-server-7982.jpg)](https://media.mailhop.org/duocircle/images/2024/02/hosted-mail-server-7982.jpg)

The **source code** of [Knight ransomware](https://www.bleepingcomputer.com/news/security/knight-ransomware-distributed-in-fake-tripadvisor-complaint-emails/) is currently being offered for sale on a hacker forum by a former representative. 

The ransomware came at the end of July last year and was a rebrand of the Cyclops operation that could target all **operating systems**. It also had a lite version of its encryptor and [info stealers](https://therecord.media/indian-air-force-infostealing-malware) for low-level threat actors, which they could use to attack organizations of smaller sizes.

Researchers at [KELA](https://www.linkedin.com/posts/kela-cyber%5Fknight-ransomware-source-code-for-sale-after-activity-7165762359045689344-XnLZ/) came across the ad a few days ago. The ad was posted under the alias Cyclops, a known representative of the gang. The threat actor is selling the source code for the ransomware panel and the locker, written in Golang and C++. The threat actor shared no price, but they said it was for a single buyer. The seller also shared **Jabber contact addresses** for the buyers to get in touch. 

The [ransomware](/data-privacy/8-most-nefarious-ransomware-attacks-from-2017-to-mid-2023/) has been **used to breach over 50 organizations** since last year and could be a massive threat in the wrong hands. 

## ChatGPT Access Denied to State-Sponsored Hackers by OpenAI

OpenAI has removed multiple accounts of [state-sponsored threat actor groups](https://www.securityweek.com/state-sponsored-group-blamed-for-change-healthcare-breach/) from North Korea, China, Iran, and Russia. 

The accounts were abusing OpenAI's [ChatGPT](/phishing-protection/10-applications-of-chatgpt-that-hackers-are-already-exploiting/) tool for malicious purposes, as reported by **Microsoft Threat Intelligence (MTI)**. Microsoft shared a [report](https://www.microsoft.com/en-us/security/blog/2024/02/14/staying-ahead-of-threat-actors-in-the-age-of-ai/) highlighting how the threat actors were misusing the model. All accounts associated with the following groups have been terminated. 

- Emerald Sleet (North Korea)
- Forest Blizzard (Russia)
- Charcoal Typhoon (China)
- Crimson Sandstorm (Iran)
- Salmon Typhoon (China)

_The threat actors used ChatGPT to improve their strategies and operations, such as social engineering, evasion tactics, surveillance, etc._ However, none of the cases showed them directly using the platform to develop [malware](/data-privacy/new-zero-click-hack-with-stealthy-root-privilege-malware-targets-ios-users/) or such tools. The threat actors used ChatGPT’s **code assistance** for low-level operations like scripting, optimization of existing code, and turning antiviruses off. 

OpenAI shared a [post](https://openai.com/blog/disrupting-malicious-uses-of-ai-by-state-affiliated-threat-actors) and highlighted how the organization will **continue to monitor** and disrupt state-backed threat actors with its monitoring technology and information from industry partners.


![Brad Slavin](https://media.mailhop.org/dmarcreport/images/team/brad-slavin.jpg) 

Brad Slavin 

General Manager

General Manager at DuoCircle. Product strategy and commercial lead across the email security portfolio.

