10 episodes

“The Daily Decrypt”, hosted by offsetkeyz and d0gesp4n, offers an insightful and approachable take on cybersecurity. Their discussions cover a range of topics, from specific software vulnerabilities to broader issues like mobile security and ransomware trends. They delve into technical details while maintaining accessibility for a general audience, emphasizing practical advice and current developments in the cybersecurity field. The podcast strikes a balance between in-depth analysis and user-friendly content, with a focus on high-quality audio and production.

The Daily Decrypt The Digital Security Collective

    • News


    Fake Browser Updates, Atlassian RCE Exploit, glup-debugger-log

    In today's episode, we discuss fake browser updates distributing BitRAT and Lumma Stealer via Discord (https://thehackernews.com/2024/06/beware-fake-browser-updates-deliver.html), a malicious npm package targeting Gulp users with a RAT (https://thehackernews.com/2024/06/researchers-uncover-rat-dropping-npm.html), and the high-severity Atlassian Confluence RCE vulnerability (CVE-2024-21683) for which a PoC is now available (https://www.helpnetsecurity.com/2024/06/03/cve-2024-21683-poc/). Tune in to learn about these critical cybersecurity threats and how you can protect your systems. Thanks to Jered Jones for providing the music for this episode: https://www.jeredjones.com/ Logo design by https://www.zackgraber.com/



    Tags: Browser Updates, Cybersecurity Threat, BitRAT, Lumma Stealer, eSentire, Fake Browser Updates, Discord, Malicious npm Package, Gulp Toolkit, Remote Access Trojans, Software Supply Chain Attacks, CVE-2024-21683, Atlassian Confluence, Remote Code Execution, Cyber Attackers, Cybersecurity Researchers, Downloader Malware, Exploit, Developer Security, Cyber Attack Mitigation

    Search Phrases:
    How to avoid fake browser updates
    BitRAT malware detection
    What is Lumma Stealer
    Discord used for malware distribution
    Malicious npm packages 2024
    Latest remote access trojans
    CVE-2024-21683 Atlassian Confluence vulnerability
    Protect against software supply chain attacks
    eSentire cybersecurity report
    Remote code execution in Atlassian Confluence




    https://thehackernews.com/2024/06/beware-fake-browser-updates-deliver.html

    Rise of Fake Browser Updates as Malware Vectors:
    Cybercriminals now use fake browser updates to distribute BitRAT and Lumma Stealer malware.
    These attacks typically start when users visit compromised websites that redirect them to fraudulent update pages.
    Actionable Insight: Avoid downloading updates from unfamiliar sources; always verify the legitimacy of update prompts through official channels.

    Discord as a Malware Distribution Platform:
    Attackers use Discord to host malicious files, leveraging its widespread use among legitimate users.
    Bitdefender found over 50,000 harmful links on Discord in the past six months.
    Actionable Insight: Exercise caution when downloading files from Discord and report suspicious links to platform moderators.

    Sophisticated Attack Chain Mechanisms:
    Attacks involve JavaScript and PowerShell scripts within ZIP files to execute malware.
    These scripts load additional payloads disguised as PNG image files, adding a layer of obfuscation.
    Actionable Insight: Use advanced endpoint protection that can detect and mitigate script-based attacks.

    BitRAT and Lumma Stealer Capabilities:
    BitRAT can harvest data, mine cryptocurrency, and take control of infected devices.
    Lumma Stealer, available for rent, steals information from web browsers and crypto wallets.
    Actionable Insight: Regularly update and patch software, employ strong passwords, and use multi-factor authentication to protect sensitive information.

    Emerging Threats: Drive-by Downloads and Malvertising:
    Fake browser update attacks often utilize drive-by downloads and malvertising techniques.
    Recent campaigns trick users into manually executing malicious PowerShell code under the guise of browser updates.
    Actionable Insight: Educate users on the risks of drive-by downloads and ensure robust network defenses are in place.

    Lumma Stealer's Growing Popularity:
    Lumma Stealer logs for sale increased by 110% from Q3 to Q4 2023, indicating its effectiveness and high success rate.
    Actionable Insight: Implement continuous monitoring and threat intelligence to detect and respond to emerging threats promptly.

    Exploiting Pirated Software:
    Attackers use pirated software and adult game installers to distribute various malware, including Orcus RAT and XMRig miner.
    Actionable Insight: Avoid using pirated software and educate users

    Linux Vulnerability Exploits, Ticketmaster Breach, Snowflake Compromise

    In today's episode, we cover the critical Linux vulnerability CVE-2024-1086 being actively exploited and urge users to patch immediately (https://arstechnica.com/security/2024/05/federal-agency-warns-critical-linux-vulnerability-being-actively-exploited/). We also discuss the Ticketmaster data breach by the ShinyHunters group, impacting 560 million customers and demanding a £400,000 ransom (https://www.theguardian.com/technology/article/2024/jun/01/live-nation-investigating-data-breach-of-its-us-ticketmaster-unit). Lastly, we delve into potential Snowflake compromises involving stolen customer credentials, with conflicting reports on whether Snowflake itself or its customers were breached (https://www.helpnetsecurity.com/2024/05/31/snowflake-compromised-data-theft/).



    Tags: Linux, Exploited, Kernel, Vulnerability, CVE, Cybersecurity, CISA, ShinyHunters, Ticketmaster, Cybercrime, Data breach, Cybercriminals, Snowflake, Credentials, Security, Privilege escalation

    Search Phrases:
    How to protect against CVE-2024-1086
    Linux kernel vulnerability CVE-2024-1086
    ShinyHunters Ticketmaster data breach
    Snowflake stolen credentials breach
    Cybersecurity measures for Linux vulnerabilities
    Protecting against data breaches in Ticketmaster
    Cybercrime groups targeting big companies
    Escalating privileges in Linux kernel
    Preventing credential-based attacks in Snowflake
    Recent exploits in cybersecurity 2024




    Linux vulnerability being actively exploited
    https://arstechnica.com/security/2024/05/federal-agency-warns-critical-linux-vulnerability-being-actively-exploited/

    Flash briefing on the actively exploited Linux vulnerability:

    Critical Linux Vulnerability Alert:
    The US Cybersecurity and Infrastructure Security Agency (CISA) added a critical Linux vulnerability (CVE-2024-1086) to its Known Exploited Vulnerabilities list. [Source: Dan Goodin, Ars Technica]

    Severity and Impact:
    Severity rating: 7.8 out of 10.
    Affected Linux kernel versions: 5.14 through 6.6.
    The vulnerability allows privilege escalation, enabling attackers to gain higher system privileges.

    Technical Details:
    It's a use-after-free error in the nf_tables component of the Linux kernel.
    Use-after-free errors can result in remote code execution or privilege escalation.
    The bug was patched in January, but many systems remain unpatched.

    Exploitation Details:
    Exploits allow for a "powerful double-free primitive" when the correct code paths are hit.
    Techniques include arbitrary code execution in the kernel and potentially dropping a universal root shell.

    Action Required:
    CISA mandates federal agencies to patch by June 20.
    All affected organizations should update their systems immediately.

    Engagement Tips:
    Question for Listeners: Have you checked if your systems are running the affected Linux kernel versions?
    Call to Action: Update your systems now to prevent potential exploitation.
    Feedback Request: Share your experiences with patching critical vulnerabilities on our social media channels.

    By keeping these points in mind, you'll ensure your systems are secure and you're up-to-date with the latest cybersecurity threats. Stay safe out there!



    Ticketmaster hit by data hack that may affect 560m customers
    https://www.theguardian.com/technology/article/2024/jun/01/live-nation-investigating-data-breach-of-its-us-ticketmaster-unit

    Ticketmaster Cyber-Attack: Ticketmaster has experienced a significant data breach, with hackers offering to sell customer data on the dark web. Live Nation, Ticketmaster's parent company, confirmed the breach and is working with forensic investigators and law enforcement to mitigate the risks. [Source: The Guardian]






    Snow

    Mystery Malware Destroys 600,000 Routers, and CISOs Under Board Pressure, FlyingYeti Exploits WinRAR Vulnerability

    In today's episode, we explore the FlyingYeti campaign, which exploits a WinRAR vulnerability (CVE-2023-38831) to deliver COOKBOX malware in Ukraine, as detailed by Cloudflare's Cloudforce One: https://thehackernews.com/2024/05/flyingyeti-exploits-winrar.html. Next, we discuss the unprecedented mystery malware attack that destroyed 600,000 routers from ISP Windstream, reported by Black Lotus Labs: https://arstechnica.com/security/2024/05/mystery-malware-destroys-600000-routers-from-a-single-isp-during-72-hour-span/. Finally, we dive into the Trend Micro study on CISOs facing pressure from corporate boards to downplay cyber risk: https://www.cybersecuritydive.com/news/cisos-pressure-boards-downplay-cyber-risk/717497/.



    Tags: WinRAR, COOKBOX, FlyingYeti, Cloudflare, cyber warfare, Ukraine, phishing attacks, malware, routers, ISP, threat actor, Trend Micro, CISOs, cyber risks, organizational security

    Search Phrases:
    WinRAR vulnerability explained
    COOKBOX malware detection and removal
    FlyingYeti cyber attack details
    Cloudflare security advisories
    Protecting against phishing attacks
    Malware impact on routers
    ISP security breach cases
    Trend Micro cybersecurity reports
    CISO corporate board pressure
    Organizational cybersecurity best practices




    May 31

    An unknown threat actor recently unleashed a devastating malware attack that obliterated over 600,000 routers from a single internet service provider in just 72 hours, forcing the company to replace all of the affected devices and leaving their patrons in digital darkness. What the heck happened here, and how will we recover from this?

    Under mounting pressure from corporate boards, nearly four in five chief information security officers, or CISOs, are being pushed to downplay the severity of cyber risks, as revealed by a recent Trend Micro study. How can CISOs navigate the pressure from corporate boards while also maintaining a robust security posture?

    And finally, sometimes I pick stories simply because the name is too good. So FlyingYeti is exploiting a WinRAR vulnerability to deliver COOKBOX malware in Ukraine, marking another alarming chapter in Russia-aligned cyber warfare.

    You're listening to The Daily Decrypt.

    In just over a 72-hour time period, malware called Chalubo rendered more than 600,000 routers permanently unusable. All of these routers belonged to a single internet service provider named Windstream, and this ISP is now forced to replace every single one of these routers.

    Now, that is not a small task. A lot of these routers live in rural areas, which would be a long drive for ISP technicians to make, and there are only so many ISP technicians out there. Sure, they can ship you these routers, but that's going to take a long time, because no supply chain is equipped to handle a random 600,000-product order overnight. So who knows how long these people will be without internet?

    The specific routers that were affected are ActionTec T3200 and Sagemcom, and users are reporting a static red light on their routers, which indicates failure.

    Wow. Black Lotus Labs utilized the Censys search engine to track these affected router models and noted that, throughout that 72-hour time period, there was a 49% drop in connections for these routers. So almost half of these routers on the public internet went offline.

    And I had mentioned that a lot of these routers lived in rural areas, but the spread of this disaster is pretty wide and vast, because this internet service provider provided service specifically to rural areas. And what is out in rural areas? A lot of farming and agriculture. So who knows what sort of impact this will have over our food source in the coming months, 'cause even tractors nowadays rely on wifi.

    Which is a whole nother wormhole that I won't get to on this episode, but if you're interested, go ahead and look up John De

    Open Source Tool Defeats Ransomware, StackOverflow users push malicious Python packages, Are you in the 911 S5 botnet?

    In today's episode, we explore how cybercriminals exploited StackOverflow to promote the malicious Python package "pytoileur" aimed at cryptocurrency theft (https://thehackernews.com/2024/05/cybercriminals-abuse-stackoverflow-to.html). We also examine the FBI's takedown of the 911 S5 botnet and its massive impact on online fraud and cybercrime (https://krebsonsecurity.com/2024/05/is-your-computer-part-of-the-largest-botnet-ever/). Lastly, we introduce RansomLord, an open-source anti-ransomware tool that leverages DLL hijacking to block ransomware attacks pre-encryption (https://github.com/malvuln/RansomLord).



    FBI Botnet: https://www.fbi.gov/investigate/cyber/how-to-identify-and-remove-vpn-applications-that-contain-911-s5-backdoors

    00:00 Introduction to Ransomware Defense
    01:12 Ransom Lord: A Game Changer
    03:55 How to Check for Botnet Infections
    06:47 Malicious Python Package Alert
    09:19 Conclusion and Final Thoughts

    Tags: Cybercriminals, Python Package Index, pytoileur, cryptocurrency theft, malicious packages, StackOverflow, open source security, botnet, VPN, YunHe Wang, 911 S5, cybersecurity, RansomLord, exploits, vulnerabilities, ransomware protection

    Search Phrases:
    Cybercriminal infiltration of Python Package Index
    pytoileur malicious package on StackOverflow
    Cryptocurrency theft using pytoileur
    How to protect against malicious Python packages
    Largest botnet disguised as VPN service
    Arrest of YunHe Wang for cybercrime
    911 S5 botnet detection methods
    Protecting computers from 911 S5 botnet
    RansomLord tool against ransomware
    Ransomware vulnerabilities exploited by RansomLord




    May 30

    There is a new proof-of-concept open source tool called RansomLord that attacks the malware that launches ransomware, in order to defeat it before it can encrypt your files. I'm a little blown away by this one, but we'll get to that in a sec. How can RansomLord change the game for ransomware defenders, and what tactics does it use to defeat ransomware?

    The largest botnet ever, operating under the guise of free VPN services, has been dismantled with the arrest of its alleged mastermind for orchestrating cyber crimes totalling billions of dollars in fraudulent losses. How can you check if your computer is part of the 911 S5 botnet, and what steps can you take to protect yourself in the future?

    The Python Package Index has been infiltrated with a malicious package named pytoileur, which has now been found to facilitate cryptocurrency theft by leveraging reputable platforms such as Stack Overflow. What measures can developers take to protect themselves from being deceived by malicious packages like this one?

    You're listening to The Daily Decrypt.

    Alright. So as defenders, we are constantly thinking about how to defeat ransomware. But I haven't seen much come out other than detection capabilities. So we're still focused on detecting indicators of compromise that might lead to ransomware.

    But just yesterday Help Net Security released an article on an open source anti-ransomware tool that essentially attacks the ransomware malware using DLL hijacking and automates the creation of PE files, which are used to exploit ransomware before it can encrypt your files. So even the thought of this type of defense makes me so excited. The idea that there can be more than just detecting indicators of compromise for ransomware prevention, when we can actually go in and attack the ransomware itself and get rid of it before it even has the opportunity to encrypt your files. It's a breath of fresh air.

    So this tool, which is free and open source and available on GitHub (the link is in the show notes below), deploys exploits in order to defend the network, which is a novel strategy for defeating ransomware. It also uses vulnerability intelligence that maps threats to vulnerable DLLs in order to target specific thr

    Harry Coker Jr. Bolsters Security for Critical Infrastructures in Auburn Keynote

    In today's episode, we discuss the White House's call for critical cybersecurity assistance for sectors like healthcare and water utilities (https://www.cybersecuritydive.com/news/white-house-seeks-critical-cyber-assistance-for-water-utilities-healthcare/716942/), analyze the compromise of JAVS Viewer software by loader malware (https://www.helpnetsecurity.com/2024/05/23/javs-viewer-malware/), and explore how rising cyberattacks are driving the growth of the cybersecurity industry, affecting companies like AWS, Cisco, and CrowdStrike (https://www.cybersecuritydive.com/news/attacks-fuel-cyber-business/716782/).



    Full Coker Speech: https://www.youtube.com/watch?v=1yR3kfajhk0

    00:00 Introduction to the Cybersecurity Boom
    01:04 The Economics of Cybersecurity
    03:22 National Cyber Director's Keynote Highlights
    04:14 The Cost of Cybersecurity Measures
    05:19 Teenagers in Cybercrime: A Growing Concern
    06:13 JAVS Viewer Malware: What You Need to Know
    07:50 Conclusion and Call to Action

    Tags: Harry Coker Jr, healthcare, water utilities, ransomware, National Cyber Director, critical infrastructure, cyber threats, innovative strategies, cybersecurity, administration initiatives, Lapsus, teenage cybercrime, JAVS, recording software, loader malware, security risks, courtrooms, prisons, compromised software, cybersecurity vendors, digital threat landscape, market complexity

    Search Phrases:
    Initiatives by Harry Coker Jr in cybersecurity
    Healthcare cyber threat protection strategies
    Water utilities ransomware defense
    National Cyber Director's speech on cyber threats
    Administration measures against teenage cybercrime
    Compromised JAVS software security risks
    Immediate actions for JAVS Viewer users
    Cybersecurity vendors' role in digital threat evolution
    Increasing complexity in the cybersecurity market
    Global spending on cybersecurity in 2023



    May 24

    Cyber attacks are propelling the cybersecurity industry to new heights, with global spending on security projected to hit an astonishing $215 billion this year. How are cybersecurity vendors adapting to the constant evolution of cyber threats while also contributing to increased complexity in the market?

    National Cyber Director Harry Coker Jr. announced a sweeping initiative to fortify healthcare and water utilities against cyber threats, highlighting a commitment to strengthen America's critical infrastructure, at a keynote speech on Wednesday. What measures is the administration taking to deter teenagers from joining cyber criminal groups like Lapsus?

    Threat researchers have discovered that legitimate recording software from JAVS has been compromised with loader malware directly from the developer's own site. If you're using the JAVS Viewer, what actions can you take if you suspect your version has been compromised?

    You're listening to The Daily Decrypt.

    The cybersecurity industry is thriving, thanks to the rise in cyber attacks. Now, this makes sense. Supply and demand is the foundation of capitalism, and cyber attacks are on the rise. So of course cybersecurity is booming, but this reminds me sort of eerily of the show Fallout, which is on Amazon Prime. Highly recommend, one of my favorite TV shows of all time.

    But go ahead and skip the next 15 seconds if you don't want any spoilers, but one of the most fascinating aspects of that show is how Vault-Tec, the maker of these vaults, was one of the top companies in the country. Because, one, they preyed on citizens' fear of a nuclear war. So they made these vaults to keep people safe in the impending nuclear bomb drop. But in order to stay on top, in order to stay relevant, they needed that nuke to drop.

    And I don't think we're at that point yet with cybersecurity. I believe the volume of cyber attacks is enough to sustain a $200 billion industry. But who knows what will happen in 10, 20, 30 years, maybe in ord

    Windows Recall Feature Takes Secret Screenshots, Microsoft President to Testify Before Congress, Disconnect Public Facing ICS Devices

    In today's episode, we discuss Microsoft President Brad Smith's upcoming testimony before Congress regarding security shortcomings (source: https://www.cybersecuritydive.com/news/microsoft-president-congressional-hearing/716847/), dive into the privacy concerns surrounding Windows 11's new Recall feature (source: https://www.helpnetsecurity.com/2024/05/22/windows-recall-security-privacy/), and detail Rockwell Automation's advisory on disconnecting internet-facing ICS devices amid rising cyber threats (source: https://thehackernews.com/2024/05/rockwell-advises-disconnecting-internet.html).



    00:00 Introducing Windows 11's Recall Feature: A Privacy Concern?
    01:11 The Risks and Protections Against Windows 11's Recall Feature
    04:44 Microsoft's Response to Security Breaches and Future Plans
    06:41 Advisory on Industrial Control Systems Amid Cyber Threats
    07:36 Wrapping Up and How to Stay Connected

    Tags: Microsoft, Brad Smith, Cybersecurity, Congress, Windows, Recall, AI, cybercriminals, Rockwell Automation, Industrial control systems, Cyber threats, Vulnerabilities

    Search Phrases:
    Microsoft cybersecurity measures
    Brad Smith congressional testimony
    Impact of recent cyberattacks on Microsoft
    Security risks of Windows Recall feature
    Protecting against cyber intrusions
    Rockwell Automation cybersecurity advice
    Industrial control systems cyber threats
    Geopolitical tensions and cyber vulnerabilities
    Scanning for public-facing assets in cybersecurity
    Mitigating cyber risks in industrial control systems




    May 23

    Microsoft Windows has introduced a new feature in Windows 11 powered machines called Recall, which takes screenshots of your open applications every couple of seconds and uses AI to analyze them. This is obviously stirring fears among security experts, who are warning that it could become a goldmine for cybercriminals if misused. How can users protect themselves from these potential security and privacy risks posed by Windows Recall?

    Speaking of Microsoft, on June 13th, Microsoft President Brad Smith will face Congress to address a cascade of security failures that led to their recent cyber intrusions.

    And finally, Rockwell Automation is advising urgent disconnects of internet-facing industrial control systems amid rising cyber threats linked to geopolitical tensions and exploited vulnerabilities in these ICS devices. What immediate actions can administrators take to not only check if their devices are publicly accessible, but also remediate it?

    You're listening to The Daily Decrypt.

    Hey, no press is bad press. And today, Microsoft Windows is getting a lot of press.

    So just recently, Microsoft has introduced a new feature called Recall in Windows 11 that captures screenshots every few seconds and then uses AI to search through these screenshots and interact with specific content, essentially indexing everything that you do on your computer.

    This could be very useful for those of us like myself who have a terrible memory and want to remember what we were just doing. Users can go in and search through their history on their computer to see, hey, what was I doing 10 minutes ago that I need to continue doing? Sure, sounds great. You know who else can search through your whole history? Anyone who's compromised your system. So this feature can be disabled, which is great.

    You can also specify apps that you want to exclude from this. So if that app is open, it will stop taking screenshots. But what's key to understand is that if you're compromised, an attacker can covertly enable this feature using PowerShell. And so once they have that enabled, they can just sit back and wait for you to do something that jeopardizes your privacy, like entering your social security number, see what banks you use, maybe use those screenshots to extort you, maybe you're doing something you woul
