Cyber Bits · 2 min read

Cyber Bits: April 29, 2024


This week we find Palo Alto still dealing with fallout from CVE-2024-3400 (but now with remediation steps!), Okta warning of "unprecedented surge" in phishing attempts, WordPress plugins being targeted, and the Department of Justice arresting founders of a crypto mixer.

Palo Alto outlines remediation steps for CVE-2024-3400

Link: The Hacker News, Palo Alto

Last week, we linked to an update from Palo Alto that gave a bit more insight into CVE-2024-3400 and how it works. With strong evidence suggesting the exploit has been in use since March 26, 2024, by a group now tracked as UTA0218, Palo Alto has provided guidance on how to remediate the vulnerability.

With this vulnerability rated 10.0 on the CVSS scale and allowing remote code execution, it should move to the top of the vulnerability management "to do list".

Okta warns of surge in credential stuffing attacks

Link: The Hacker News

Okta's Identity Threat Research team identified an increase in credential stuffing attacks against user accounts last week, likely originating from the same Tor exit nodes identified by the Cisco Talos team. These attacks take advantage of leaked credential sets, underlining the need for additional access controls such as 2FA, passkeys, or even FIDO keys.

As an additional point of note, Microsoft has already found that simply adding 2FA to accounts reduces the likelihood of account takeover by 99% (obviously not accounting for human error in these attacks). We highly recommend enabling it for all users within an organization, not just the elevated or high-privileged accounts.

WordPress "WP Automatic" plugin being targeted

Link: Bleeping Computer

Researchers at PatchStack identified a SQL injection vulnerability in the WP Automatic plugin that is being exploited to create new accounts with administrator privileges. With more than 30,000 websites using the plugin, PatchStack (and we) recommend updating to version 3.9.2.0 and reviewing your WordPress instance for any additional user accounts that may have been created.
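One way to do that account review directly in the WordPress database, as an added example that is not from the article or from PatchStack; it assumes the default wp_ table prefix and an arbitrary review start date, both of which are assumptions to adjust for your site:

```sql
-- Added example (not from the article or PatchStack): list WordPress
-- administrator accounts, newest first, so unexpected additions stand out.
-- Assumes the default "wp_" table prefix. With a custom prefix, change both
-- the table names and the capabilities meta_key (it is "<prefix>capabilities").
SELECT u.ID,
       u.user_login,
       u.user_email,
       u.user_registered
FROM   wp_users AS u
JOIN   wp_usermeta AS m
       ON m.user_id = u.ID
WHERE  m.meta_key = 'wp_capabilities'
       -- Capabilities are stored as a serialized PHP array, e.g.
       -- a:1:{s:13:"administrator";b:1;}, so a LIKE match on the quoted
       -- role name picks out administrators.
       AND m.meta_value LIKE '%"administrator"%'
       -- Review window: assumed start date; set it to the last point at
       -- which the plugin was known to be unexploited on this site.
       AND u.user_registered >= '2024-03-01'
ORDER  BY u.user_registered DESC;
```

Any administrator in the result that nobody on the team recognizes should be disabled and investigated, and the date filter can be dropped entirely to audit every admin account.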

WordPress plugins being targeted as an entry point is nothing new, but with a severity of 9.9 and full administrator access once exploited, this is one to pay attention to.

Department of Justice arrests Samourai crypto mixer founders

Link: The Hacker News

The DOJ has announced the arrest of the founders of Samourai, a crypto mixer. The service was allegedly responsible for over $2 billion in transactions, with $100 million directly laundered for criminal activity.

For those unfamiliar with the concept, a crypto mixer receives payment in the form of cryptocurrency, performs a series of smaller transactions, and returns the payment (less a fee) to the depositor. Because the blockchain is immutable, the idea is to create a confusing and difficult paper trail so that forensic accounting teams struggle to identify the source and destination of transfers.
