Cyber Bits · 2 min read

Cyber Bits: April 29, 2024

This week we find Palo Alto still dealing with fallout from CVE-2024-3400 (but now with remediation steps!), Okta warning of "unprecedented surge" in phishing attempts, WordPress plugins being targeted, and the Department of Justice arresting founders of a crypto mixer.

Palo Alto outlines remediation steps for CVE-2024-3400

Link: The Hacker News, Palo Alto

Last week, we linked to an update from Palo Alto that gave a bit more insight into CVE-2024-3400 and how it works. With strong evidence suggesting the exploit has been in use since March 26, 2024, by a group now tracked as UTA0218, Palo Alto has provided guidance on how to remediate the vulnerability.

With this vulnerability rated 10.0 on the CVSS scale and allowing remote code execution, this should be one that moves to the top of the "to do list" for vulnerability management.

Okta warns of surge in credential stuffing attacks

Link: The Hacker News

Okta's Identity Threat Research team identified an increase in credential stuffing attacks against user accounts last week, likely from the same TOR exit nodes identified by the Cisco Talos team. These attacks take advantage of leaked credential sets, underlining the need for additional access controls like 2FA, passkeys, or even FIDO keys.

As an additional point of note, Microsoft has already found that simply adding 2FA to accounts reduces the likelihood of account takeover by 99% (obviously not accounting for human error in these attacks). We highly recommend adding it for all users within an organization, not just the elevated or high-privileged accounts.
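Credential stuffing has a recognizable shape in authentication logs: one source address tries many different usernames in a short window and almost all of the attempts fail, which is not how a single user mistyping a password looks. The detector below is an added example (not Okta's or Cisco Talos's code) that runs that heuristic over a constructed JSON-lines log with a hypothetical schema (`ts`, `src_ip`, `user`, `result`); the thresholds are assumptions to tune for your environment.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical JSON-lines schema); not real Okta or Talos data.
# 198.51.100.7 sprays six different accounts; 203.0.113.5 is one user retrying a password.
SAMPLE_LOG = """
{"ts": "2024-04-29T10:00:01Z", "src_ip": "198.51.100.7", "user": "alice", "result": "FAILURE"}
{"ts": "2024-04-29T10:00:03Z", "src_ip": "198.51.100.7", "user": "bob", "result": "FAILURE"}
{"ts": "2024-04-29T10:00:04Z", "src_ip": "203.0.113.5", "user": "carol", "result": "FAILURE"}
{"ts": "2024-04-29T10:00:06Z", "src_ip": "198.51.100.7", "user": "dave", "result": "FAILURE"}
{"ts": "2024-04-29T10:00:09Z", "src_ip": "198.51.100.7", "user": "erin", "result": "FAILURE"}
{"ts": "2024-04-29T10:00:20Z", "src_ip": "203.0.113.5", "user": "carol", "result": "FAILURE"}
{"ts": "2024-04-29T10:00:25Z", "src_ip": "198.51.100.7", "user": "frank", "result": "FAILURE"}
{"ts": "2024-04-29T10:00:31Z", "src_ip": "203.0.113.5", "user": "carol", "result": "SUCCESS"}
{"ts": "2024-04-29T10:00:40Z", "src_ip": "198.51.100.7", "user": "grace", "result": "SUCCESS"}
"""

WINDOW = timedelta(minutes=10)   # assumed look-back window
MIN_USERS = 5                    # distinct accounts tried from one source
MIN_FAIL_RATIO = 0.8             # share of attempts that must fail

def parse_events(text):
    """Parse JSON lines into dicts with a datetime `ts`, skipping blank lines."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events

def detect_stuffing(events, window=WINDOW, min_users=MIN_USERS, min_fail_ratio=MIN_FAIL_RATIO):
    """Return {src_ip: {"users", "failures", "attempts"}} for every source that,
    within `window`, hit at least `min_users` distinct accounts with a failure
    share of at least `min_fail_ratio`. A successful login inside such a burst
    still counts: it is the leaked credential that worked, not a benign user."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window start
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            failures = sum(e["result"] == "FAILURE" for e in win)
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                flagged[ip] = {"users": len(users), "failures": failures, "attempts": len(win)}
    return flagged
```

The single-user retries from 203.0.113.5 are never flagged because the distinct-user count stays at one, while the spraying source is flagged even though its last attempt succeeded.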

WordPress "WP Automatic" plugin being targeted

Link: Bleeping Computer

Researchers at PatchStack identified a SQL injection vulnerability in the WP Automatic plugin that is being exploited to create new accounts with administrator privileges. With more than 30,000 websites using the plugin, PatchStack (and we) recommend updating to version 3.9.2.0 and reviewing your WordPress instance for any additional user accounts that may have been created.

WordPress plugins being targeted as an entry point isn't anything new, but with a severity of 9.9 and full administrator access once exploited, this is one to pay attention to.

Department of Justice arrests Samourai crypto mixer founders

Link: The Hacker News

The DOJ has announced the arrest of the founders of Samourai, a crypto mixer. The service was allegedly responsible for over $2 billion in transactions, with $100 million directly laundered for criminal activity.

For those unfamiliar with the concept, a crypto mixer receives payment in the form of cryptocurrency, performs a series of smaller transactions, and returns the payment (less a fee) to the depositor. Because the blockchain is immutable, the idea is to create a confusing and difficult paper trail that makes it hard for forensic accounting teams to identify the source and destination of transfers.
