To summarise this month's cyber security news, we saw TryHackMe reach three million users, a Cisco IMC ‘Proof of Concept’ exploit, and disaster strike LastPass, Google Ads, MITRE Corporation, and Change Healthcare!
Continue reading to discover the latest news.
TryHackMe reaches 3 million users!
On the 13th of April, 2024, we reached a significant milestone in our journey: reaching 3 million users!
We’d like to express our heartfelt gratitude to each and every one of you who has contributed to TryHackMe's success. Whether you're a long-time member or a brand-new user, your enthusiasm, feedback, and dedication inspire us to continue striving for excellence. Of course, it wouldn’t be a TryHackMe milestone without awarding our wonderful community of hackers!
To celebrate three million of us, we prepared a unique series of 3-million-themed challenges to test your skills. The challenges cover a wide range of topics, including:
- Exploiting chained vulnerabilities
- Supply chain attacks
- Reverse engineering of custom cryptography
- Smart contracts hacking
- SQL injection
- Threat hunting
- Code analysis
Check out our NEW ‘3 Million’ module to take part!
MITRE Corporation caught in cyber attack
MITRE Corporation, a non-profit organisation overseeing federally funded research and development centres, recently detected a sophisticated cyber attack on one of its internal research and development networks.
Believed to have been initiated by the China-linked UNC5221 group, the attack targeted the Ivanti Connect Secure appliance, compromising networks and affecting numerous Fortune 500 corporations.
MITRE swiftly responded, containing the incident and assuring the public that its business and public-facing networks remained unaffected. While details about the attack are limited due to an ongoing investigation, MITRE has collaborated with law enforcement agencies and notified sponsors and customers.
Cisco IMC ‘Proof of Concept’ exploit
A Proof of Concept (PoC) exploit has surfaced for a critical vulnerability, CVE-2024-20356, found in Cisco’s Integrated Management Controller (IMC). This flaw permits command injection, potentially granting attackers root access to affected systems.
The vulnerability exists within the IMC's web-based management interface and affects various Cisco servers and computing systems. Security researchers from Nettitude have demonstrated an exploit named "CISCown," which automates privilege escalation by exploiting the vulnerability.
This exploit, available on GitHub, facilitates arbitrary code execution with root privileges on the underlying operating system of Cisco hardware. Cisco has responded with software updates to address the vulnerability, urging affected organisations to apply them promptly. As there's no known workaround, updating is crucial to safeguard systems.
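The root cause described above is command injection in a web management interface: user-supplied input ends up inside a shell command. The snippet below is an added illustration of that vulnerability class and its fix; it is not Cisco's code, has nothing to do with the internals of the IMC, and the `ping` diagnostic endpoint, function names and sample inputs are all constructed for the example. The unsafe builder only returns the command string it would run, so the demonstration never executes anything.

```python
"""Added example (not from the post, not Cisco's code): a command-injection-prone
diagnostic handler beside a hardened version. The "network ping" endpoint and
all inputs are constructed for illustration."""
import ipaddress
import re
import shlex
import subprocess

# Conservative hostname check (RFC 1123 labels). Constructed for this example.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

def build_ping_command_unsafe(target: str) -> str:
    """VULNERABLE: the request parameter is concatenated into a shell string.
    Shell metacharacters in `target` change what the command does."""
    return f"ping -c 1 {target}"

def validate_target(target: str) -> str:
    """Accept only a literal IP address or a syntactically valid hostname.
    Anything else (spaces, ';', '|', '$', backticks, quotes) is rejected outright."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"invalid target: {target!r}")

def build_ping_command_safe(target: str) -> list[str]:
    """HARDENED: validate first, then build an argv list. With a list and no shell,
    the target is always a single argument to ping, never interpreted by a shell."""
    return ["ping", "-c", "1", validate_target(target)]

def run_ping(target: str) -> subprocess.CompletedProcess:
    """Execute the hardened command without shell=True (not exercised by the tests)."""
    return subprocess.run(build_ping_command_safe(target), capture_output=True, text=True, timeout=10)

def injection_detected(target: str) -> bool:
    """Defensive check usable in a request log review: does shlex see more than one
    token, or a shell operator, where a single hostname was expected?"""
    try:
        tokens = shlex.split(target)
    except ValueError:
        return True  # unbalanced quotes are themselves suspicious
    return len(tokens) != 1 or any(ch in target for ch in ";|&$`\n")

if __name__ == "__main__":
    hostile = "192.0.2.1; id"  # constructed sample input
    print("unsafe would run :", build_ping_command_unsafe(hostile))
    print("looks injected   :", injection_detected(hostile))
    print("safe argv        :", build_ping_command_safe("192.0.2.1"))
```

The two things that make the hardened version hold up are independent: strict allow-list validation of the parameter, and passing an argv list to `subprocess.run` without `shell=True`. Either alone is weaker; together, a metacharacter in the input can neither reach a shell nor pass validation. The `injection_detected` helper is the same idea turned around for reviewing request logs.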
LastPass phishing campaign
LastPass alerted users to a sophisticated phishing campaign where hackers impersonated LastPass employees to steal users' master passwords and hijack accounts.
This campaign, uncovered by Lookout, employs the CryptoChameleon phishing kit, known for previous crypto thefts. Hackers created counterfeit LastPass websites to deceive users into entering login credentials.
The attack begins with a phone call from a fake LastPass employee, followed by an email containing a link to a phishing site resembling LastPass. Victims unknowingly provide their master passwords, enabling hackers to take control of their accounts.
LastPass has taken down the initial phishing site and advises users to remain cautious. Recommendations include verifying communications from trusted sources, avoiding unknown links or attachments, and implementing multi-factor authentication for added security.
A new Google Ads malvertising campaign
A new Google malvertising campaign is utilising fake domains resembling legitimate IP scanner software to distribute a novel backdoor called MadMxShell. Zscaler ThreatLabz researchers identified 45 look-alike domains created between November 2023 and March 2024, masquerading as port scanning and IT management tools.
Victims searching for these tools are directed to deceptive sites, triggering the download of a malicious ZIP file containing DLL and executable files. Upon execution, the backdoor gains persistence on the host, disables Microsoft Defender Antivirus, and communicates with a command-and-control server through DNS MX queries, evading detection.
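Command and control over DNS MX queries is chosen precisely because MX lookups rarely draw attention, but it leaves a recognisable shape in resolver logs: a non-mail host issuing many MX queries for unique, encoded-looking names under one parent domain. The script below is an added example of that detection logic, not code from Zscaler or from the post; the log format, IP addresses, domain names and allow-list are all constructed for the example and do not describe MadMxShell's real infrastructure.

```python
"""Added example (not from the post or from Zscaler): flag hosts whose DNS MX query
pattern looks like an encoded outbound channel rather than mail delivery.

Assumed log format (constructed): one query per line,
    "<timestamp> <client_ip> <qtype> <qname>"
All hosts, IPs and domains below are invented sample data."""
from collections import defaultdict

# Constructed sample log: a mail server doing ordinary MX lookups, a workstation with
# ordinary A/AAAA traffic, and a workstation sending MX queries for unique subdomains.
SAMPLE_LOG = """\
2024-04-10T09:00:01 10.0.0.5 MX example.com
2024-04-10T09:00:02 10.0.0.5 MX partner.example
2024-04-10T09:00:03 10.0.0.21 A www.example.com
2024-04-10T09:00:04 10.0.0.21 AAAA www.example.com
2024-04-10T09:00:05 10.0.0.37 MX 4a6f6e.beacon.example.net
2024-04-10T09:00:06 10.0.0.37 MX 6c6f67.beacon.example.net
2024-04-10T09:00:07 10.0.0.37 MX 8a2f10.beacon.example.net
2024-04-10T09:00:08 10.0.0.37 MX 9e1b33.beacon.example.net
2024-04-10T09:00:09 10.0.0.37 MX bb41c0.beacon.example.net
2024-04-10T09:00:10 10.0.0.37 MX d4e5f6.beacon.example.net
"""

# Hosts that legitimately perform MX lookups (mail transfer agents). Constructed allow-list.
KNOWN_MAIL_SERVERS = {"10.0.0.5"}

def parse_line(line):
    """Split one log line into (client_ip, qtype, qname); None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, qtype, qname = parts
    return client, qtype.upper(), qname.lower().rstrip(".")

def parent_domain(qname, labels=2):
    """Collapse a name to its last `labels` labels (a.b.example.net -> example.net).
    A public-suffix list would be more accurate; this is a deliberate simplification."""
    return ".".join(qname.split(".")[-labels:])

def find_mx_beacons(log_text, min_queries=5, min_unique_ratio=0.8):
    """Return sorted (client_ip, parent_domain, unique_names, total_mx_queries) tuples for
    clients that are not known mail servers and send at least `min_queries` MX queries under
    one parent domain, with at least `min_unique_ratio` of the names being distinct.
    A real MTA repeats the same MX lookups; an encoded channel produces a fresh name each time."""
    per_client = defaultdict(lambda: defaultdict(list))  # client -> parent -> [qnames]
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        client, qtype, qname = rec
        if qtype != "MX" or client in KNOWN_MAIL_SERVERS:
            continue
        per_client[client][parent_domain(qname)].append(qname)

    findings = []
    for client, domains in per_client.items():
        for parent, names in domains.items():
            total = len(names)
            unique = len(set(names))
            if total >= min_queries and unique / total >= min_unique_ratio:
                findings.append((client, parent, unique, total))
    return sorted(findings)

if __name__ == "__main__":
    for client, parent, unique, total in find_mx_beacons(SAMPLE_LOG):
        print(f"suspicious MX beaconing: {client} -> {parent} ({unique}/{total} unique names)")
```

The allow-list of mail servers is what keeps the rule quiet in practice; without it every MTA trips the volume threshold. The uniqueness ratio is the discriminating feature, since legitimate MX traffic is highly repetitive while an encoded channel cannot be. Tune `min_queries` to the log window you feed the script.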
The threat actor behind this campaign has been identified on underground forums, indicating a long-term interest in malvertising. Their use of Google Ads threshold accounts allows for extended ad campaigns without upfront payment, potentially leading to widespread malware distribution.
Change Healthcare suffers ransomware threat
Change Healthcare has been caught in a complex ransomware situation, worsened by a new ransom demand from a different group, RansomHub.
Initially targeted by AlphV, Change Healthcare allegedly paid a $22 million ransom, but now faces a second threat from RansomHub, claiming to possess 4 terabytes of stolen data. Although Change Healthcare has not confirmed payment, samples provided by RansomHub suggest credibility.
This situation underscores the dangers of relying on ransomware groups, as AlphV reportedly disappeared after receiving payment, leaving affiliates and stolen data unresolved. RansomHub's claim further complicates matters, indicating a lack of trust among cyber criminals.
The incident highlights the enduring impact of ransomware attacks, with medical facilities suffering revenue loss and service disruptions. Despite RansomHub's assurance of data deletion upon payment, the reliability of such promises remains uncertain.
TryHackMe co-hosts workshop at the University of Cape Town
On Saturday the 6th of April, TryHackMe, in collaboration with MWR CyberSec, hosted an application security workshop for students at the University of Cape Town.
TryHackMe hosted a comprehensive four-hour workshop and additionally provided participants with an exclusive one-month premium subscription to TryHackMe. The workshop helped create future cyber knights by providing students with an introduction to application security and penetration testing!
Check back again next month for our monthly roundup of cyber security news!
Ben Spring