US Government IIS server breached via Telerik software flaw
CISA has disclosed information regarding a .NET deserialization vulnerability (CVE-2019-18935) in the Progress Telerik user interface (UI) for ASP.NET AJAX. CISA described the findings in an advisory on Wednesday, saying multiple cyber-threat actors were able to exploit the flaw, which also affected the Microsoft Internet Information Services (IIS) web server of a federal civilian executive branch (FCEB) agency between November 2022 and January 2023. If exploited successfully, the vulnerability allows remote code execution (RCE). Because of this, the flaw has been rated as critical and assigned a CVSS v3.1 score of 9.8.
Critical Microsoft Outlook bug PoC shows how easy it is to exploit
Security researchers have shared technical details for exploiting a critical Microsoft Outlook vulnerability for Windows (CVE-2023-23397) that allows hackers to remotely steal hashed passwords by simply receiving an email. Microsoft yesterday released a patch for the security flaw but it has been exploited as a zero-day vulnerability in NTLM-relay attacks since at least mid-April 2022. The issue is a privilege escalation vulnerability with a 9.8 severity rating that affects all versions of Microsoft Outlook on Windows. An attacker can use it to steal NTLM credentials by simply sending the target a malicious email. No user interaction is needed as exploitation occurs when Outlook is open and the reminder is triggered on the system.
LockBit threatens release of thousands of SpaceX blueprints
Ransomware gang Lockbit has boasted that it broke into Maximum Industries, a company that makes parts for SpaceX, and stole 3,000 proprietary schematics. The prolific cybercrime crew also mocked SpaceX founder and CEO Elon Musk, and threatened to leak or sell the blueprints on March 20. As for the validity of this threat, The Register points out that LockBit is famous for claiming breaches that it hasn’t actually done, such as ION and possibly the UK’s Royal Mail.
Prometei botnet evolves – has infected +10,000 systems since November
Cisco Talos researchers have reported that the Prometei botnet has infected more than 10,000 systems worldwide since November. The crypto-mining botnet has a modular structure and employs multiple techniques to infect systems and evade detection. The botnet was first observed by Cisco Talos experts on July 2020. A deep investigation on artifacts uploaded on VirusTotal allowed the experts to determine that the botnet may have been active at least since May 2016. Experts pointed out that the malware has constantly been updated by its creators with the implementation of new modules and features. Now Talos confirms that the Prometei botnet continues to improve modules and exhibits new capabilities in recent updates.
Chinese and Russian hackers using SILKLOADER malware to evade detection
Threat activity clusters affiliated with Chinese and Russian cybercriminal ecosystems have been observed using a new piece of malware that’s designed to load Cobalt Strike onto infected machines. Dubbed SILKLOADER by Finnish cybersecurity company WithSecure, the malware leverages DLL side-loading techniques to deliver commercial adversary simulation software. The development comes as improved detection capabilities against Cobalt Strike, a legitimate post-exploitation tool used for red team operations, is forcing threat actors to seek alternative options or concoct new ways to propagate the framework to evade detection.
Senators call on CISA to examine cybersecurity risks of Chinese consumer drones
A bipartisan group of senators is asking CISA to examine consumer drones made by a company with “deep ties” to the Chinese Communist Party, warning that they could be used to spy on U.S. critical infrastructure. Several companies are in the process of expanding the use of consumer drones across the U.S. for everything from food delivery to emergency services. But U.S. senators Mark Warner (D-VA) and Marsha Blackburn (R-TN) said CISA needs to step in and “reevaluate the risks associated” with drones built by Shenzhen DJI Innovation Technology – a company they accuse of having links to China’s government. A CISA spokesperson said it will not comment on the letter publicly and plans to respond directly to the senators.
Healthcare software firm ILS announces data breach affecting more than 4 million people
The sensitive healthcare data of more than four million people was accessed by hackers who broke into the network of Independent Living Systems (ILS), a healthcare software company based in Miami. The company has provided third-party administrative services to health plans, providers, hospitals, and pharmaceutical and medical device companies for nearly two decades. ILS began sending breach notification letters out on Tuesday following a July 5, 2022 cyberattack. The information includes names, addresses, dates of birth, driver’s license numbers, Social Security numbers, financial account information and medical data such as diagnosis codes and health insurance information.
Microsoft unveils AI-powered Microsoft 365 Copilot assistant
Microsoft has announced a new assistant powered by artificial intelligence to help boost productivity across Microsoft 365 apps, currently being tested by select commercial customers. Known as Copilot, the new AI feature helps create and manage documents, presentations, and spreadsheets, as well as triage and reply to emails. Copilot is coming to all Microsoft 365 apps, from Word, Excel, PowerPoint, Outlook, and Teams to Microsoft Viva and Power Platform. It uses the GPT-4 large multimodal model just like the new Bing Chat and works like a chatbot, enabling users to generate content based on prompts exchanged via a chatbot interface.