Cyber Security Headlines Week in Review: Critical Outlook bug PoC, CISA Plex warning, YouTube AI infostealers 

This week’s Cyber Security Headlines – Week in Review, March 13-17, is hosted by Rich Stroffolino with our guest, JJ Agha, CISO, FanDuel.

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

Critical Microsoft Outlook bug PoC shows how easy it is to exploit

Security researchers have shared technical details for exploiting a critical Microsoft Outlook for Windows vulnerability (CVE-2023-23397) that allows attackers to remotely steal hashed passwords when the target simply receives an email. Microsoft yesterday released a patch for the security flaw, but it has been exploited as a zero-day in NTLM-relay attacks since at least mid-April 2022. The issue is a privilege escalation vulnerability with a 9.8 severity rating that affects all versions of Microsoft Outlook on Windows. An attacker can use it to steal NTLM credentials simply by sending the target a malicious email. No user interaction is needed: exploitation occurs when Outlook is open and the reminder is triggered on the system.

(Bleeping Computer)
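Because the leak in this bug is triggered by a reminder that points Outlook at a remote SMB path, the defender's first question is usually "which messages in our mailboxes carry a reminder sound path that points off-network?". The following triage routine is an added example, not code from the news item, Microsoft, or Bleeping Computer. It assumes the reminder sound property of each mailbox item (the PidLidReminderFileParameter value, which is what public analyses and Microsoft's own audit script inspect) has already been extracted by some other tool, and that the internal hostname suffix and address ranges are placeholders to be tuned for your environment. The sample records are constructed.

```python
"""Triage extracted Outlook reminder-sound paths for off-network UNC targets.

Added example for CVE-2023-23397 triage. Inputs are (item_id, value) pairs
where value is the message's reminder sound path; extraction from mailbox
items is assumed to be done elsewhere. Hostnames, ranges and records below
are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re

# A UNC path starts with two backslashes followed by the host segment.
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\.*)?$")

# Assumed internal address space and DNS suffix; adjust for your estate.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
INTERNAL_SUFFIXES = (".corp.example",)


@dataclass
class Finding:
    item_id: str
    host: str
    path: str
    reason: str


def unc_host(value: str):
    """Return the host segment of a UNC path, or None for local/non-UNC values."""
    m = UNC_RE.match(value.strip())
    if not m:
        return None
    # Windows also accepts a host@port form; the port is irrelevant for triage.
    return m.group(1).split("@", 1)[0]


def is_internal(host: str) -> bool:
    """True if the host is an internal name or an address in an internal range."""
    h = host.lower()
    if h.endswith(INTERNAL_SUFFIXES):
        return True
    try:
        ip = ip_address(h)
    except ValueError:
        return False          # unknown external hostname
    return any(ip in net for net in INTERNAL_NETS)


def triage(records):
    """Flag items whose reminder sound points at a UNC host outside the network."""
    findings = []
    for item_id, value in records:
        if not value:
            continue          # no custom reminder sound set
        host = unc_host(value)
        if host is None:
            continue          # local path such as C:\Windows\Media\chimes.wav
        if is_internal(host):
            continue          # internal share: expected for legitimate custom sounds
        findings.append(Finding(item_id, host, value,
                                "reminder sound references an external UNC host"))
    return findings


# Constructed sample records: only msg-003 should be reported.
SAMPLE_RECORDS = [
    ("msg-001", r"C:\Windows\Media\chimes.wav"),
    ("msg-002", r"\\fileserver.corp.example\sounds\alert.wav"),
    ("msg-003", r"\\203.0.113.5\share\alert.wav"),
    ("msg-004", ""),
    ("msg-005", r"\\10.20.30.40\sounds\ding.wav"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f"{f.item_id}: {f.reason} ({f.host}) -> {f.path}")
```

Anything this routine flags is a candidate for the message to be removed and for the affected user's credentials to be treated as exposed; the allow-list exists only to cut noise from legitimate custom sounds hosted on internal shares, so keep it tight.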

CISA warns of actively exploited Plex bug after LastPass breach

CISA has added a nearly three-year-old high-severity remote code execution (RCE) vulnerability in the Plex Media Server to its catalog of exploited security flaws. Tracked as CVE-2020-5741, the flaw could allow threat actors with admin privileges to abuse the Camera Upload feature and remotely execute arbitrary Python code in low-complexity attacks. While CISA didn’t confirm specific attacks, the issue is likely linked to the incident involving a LastPass senior DevOps engineer whose computer was hacked last year to install a keylogger and gain access to customer vault backups.

(Bleeping Computer)

AI-generated YouTube videos spread infostealers

Researchers at CloudSEK warned that they observed a 200-300% month-over-month increase in the number of YouTube videos with links to infostealing malware in the description. In some instances, threat actors hijack legitimate accounts to push malware-laden videos. Researchers say threat actors increasingly use AI-generated content to quickly push out new videos. While threat actors retain access to channels for only a few hours, they seem proficient at quickly publishing malicious content and using SEO poisoning techniques to get it views fast. Generally the links promise free software downloads for things like Photoshop and AutoCAD, but instead install infostealers.

(The Hacker News)

Blackbaud to pay $3 million for misleading ransomware disclosure

Back in 2020, cloud software provider Blackbaud suffered a ransomware attack which affected 13,000 customers from charities, foundations, non-profits, and universities in the US, Canada, the UK, and the Netherlands. According to the SEC, Blackbaud initially stated that the attackers had not gained access to donor bank account details or social security numbers. Shortly thereafter, company staff learned that the threat actors had indeed accessed and stolen this sensitive information but failed to report it to management. This led to the company filing an SEC report the following month, which omitted vital information about the breach and also downplayed associated risks, passing them off as hypothetical. Blackbaud agreed to pay a $3 million civil penalty to settle the misreporting charges brought by the Securities and Exchange Commission (SEC). 

(Bleeping Computer)

North Korea targets security researchers

Mandiant reports it spotted the North Korea-linked threat actor UNC2970 operating a phishing campaign since June 2022. The campaign uses three new malware families and specifically focuses on security researchers. It used job recruitment-based lures in a spearphishing approach. These lures impersonated legitimate recruiters and eventually shifted conversations to WhatsApp, where the actors would deliver malicious Word docs to install a backdoor.

(Ars Technica)

Senators call on CISA to examine cybersecurity risks of Chinese consumer drones

A bipartisan group of senators is asking CISA to examine consumer drones made by a company with “deep ties” to the Chinese Communist Party, warning that they could be used to spy on U.S. critical infrastructure. Several companies are in the process of expanding the use of consumer drones across the U.S. for everything from food delivery to emergency services. But U.S. senators Mark Warner (D-VA) and Marsha Blackburn (R-TN) said CISA needs to step in and “reevaluate the risks associated” with drones built by Shenzhen DJI Innovation Technology – a company they accuse of having links to China’s government. A CISA spokesperson said it will not comment on the letter publicly and plans to respond directly to the senators.

(The Record)

CISA creates new ransomware vulnerability warning program

CISA has announced the creation of a new Ransomware Vulnerability Warning Pilot (RVWP) program. Stemming from the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and coordinated by the Joint Ransomware Task Force (JRTF), the RVWP will see CISA assess flaws commonly associated with known ransomware exploitation. After finding these vulnerabilities, the Agency will warn critical infrastructure entities with the goal of enabling mitigation before a ransomware incident. To identify entities vulnerable to the bugs, CISA will rely on various existing services, data sources, technologies and authorities, including its Cyber Hygiene Vulnerability Scanning service.

(InfoSecurity Magazine)