Welcome to Security Sunday – Week 17. Our weekly round-up of events in the world of cyber security (22.04 – 28.04 2024).

We collect notable incidents and vulnerability reports from the past week.

ČTK website attacked by hackers, NBU investigates the attack

The news website of the Czech News Agency (CTK) was attacked by hackers on Tuesday. The attackers published a fabricated message claiming that an assassination of Peter Pellegrini, allegedly planned by a Ukrainian diplomat, had been prevented.

“CTK points out that two fictitious texts, which did not originate from its production, were published on its news website České noviny this morning (Tuesday) by an unknown attacker. The text is headlined ‘BIS prevented an assassination attempt on newly elected Slovak President Peter Pelligrini’ and an alleged extraordinary statement by Minister Lipavský on the same subject,” the press office said.

“[CTK] has been in contact with BIS, the National Cyber Security Authority and the police about the attack,” spokeswoman Martina Vašíčková told CTK.

Brokewell malware targets Android banking apps

ThreatFabric has discovered a new strain of malware called Brokewell targeting Android users.

Analysts discovered Brokewell through a seemingly innocuous browser update page. Further analysis revealed that this was not a normal update, but a mechanism for deploying previously unrecognised mobile malware.

Brokewell infiltration begins with a fake browser update page. The victim believes they are simply updating their browser.

Once installed, Brokewell unleashes a number of features, including the ability to add a fake screen over legitimate banking applications to capture user credentials. It also uses its own WebView to capture cookies.

Brokewell extends its spying capabilities by collecting device information, call history, keystrokes, geolocation and can even record audio, turning the victim’s device into a comprehensive spying tool.

Cisco warns of ArcaneDoor zero-day attack on ASA firewalls

Attackers are exploiting software vulnerabilities in some Cisco Adaptive Security Appliance (ASA) or Cisco Firepower Threat Defense (FTD) devices to inject malware and potentially exfiltrate data, according to Cisco Talos.

The campaign, dubbed ArcaneDoor, exploits two documented software vulnerabilities (CVE-2024-20353 and CVE-2024-20359) in Cisco products. However, experts are still unsure how the attackers got into the system.

“We have not identified the original access vector used in this campaign. We have not yet found evidence of authentication-free exploitation,” Cisco Talos said.

Cisco said that an unnamed customer reported “security concerns” about ASA firewall products to its PSIRT team in early 2024, triggering an investigation that led to the discovery of the attacker (tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center).

“This attacker used custom tools that demonstrated a clear focus on espionage and a thorough knowledge of the targeted devices, which are hallmarks of a sophisticated state-sponsored attack,” Cisco said.

Cisco noted that the hacking team used two backdoors for configuration modification, reconnaissance, network traffic exfiltration and potentially lateral movement within the network.

Critical vulnerability in popular node-mysql2 database library

Security researchers have discovered vulnerabilities in node-mysql2, a JavaScript database library that powers countless web applications and backend systems. The vulnerabilities have been identified as CVE-2024-21508, CVE-2024-21509 and CVE-2024-21511.

The most severe vulnerabilities, CVE-2024-21508 and CVE-2024-21511, have a critical CVSS rating of 9.8. This means that attackers could remotely execute arbitrary code on servers running vulnerable versions of node-mysql2.

Security experts warn that a publicly available PoC dramatically increases the threat level. Attackers could quickly weaponise this PoC and launch automated attacks across the internet to find vulnerable systems.

If your applications or services use this library, update them immediately to version 3.9.7 or higher. These versions include critical fixes.
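One way to check whether a project still ships an affected copy of the library is to scan its lockfile for every installed mysql2 below the fixed release. The script below is an added example, not code from the article or from the node-mysql2 project; it assumes the standard npm package-lock.json layouts and uses a constructed sample lockfile with a hypothetical dependency named "some-orm".

```javascript
// Added example (not from the article): scan a package-lock.json for installed
// copies of mysql2 older than the fixed release 3.9.7. Handles both the
// lockfileVersion 2/3 "packages" map and the lockfileVersion 1 "dependencies" tree.
const FIXED_VERSION = "3.9.7";

// Compare two dotted version strings numerically; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Return every mysql2 entry in the lockfile whose version is below 3.9.7.
function findVulnerableMysql2(lockJson) {
  const lock = JSON.parse(lockJson);
  const hits = [];
  const check = (path, meta) => {
    if (meta && meta.version && compareVersions(meta.version, FIXED_VERSION) < 0) {
      hits.push({ path, version: meta.version });
    }
  };
  // lockfileVersion >= 2: flat map keyed by install path
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/mysql2")) check(path, meta);
  }
  // lockfileVersion 1: recurse through nested dependencies
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "mysql2") check(path, meta);
      walk(meta.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile: a patched top-level copy and an outdated copy
// nested under a hypothetical dependency named "some-orm".
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "node_modules/mysql2": { version: "3.9.7" },
    "node_modules/some-orm/node_modules/mysql2": { version: "3.6.5" },
  },
});
console.log(findVulnerableMysql2(SAMPLE_LOCK));
```

Nested copies pulled in by another dependency are the ones most often missed, so the scan reports the full install path rather than just the package name.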

Russian group APT28 exploits Windows Print Spooler vulnerability to escalate privileges

Microsoft is warning that the Russian group APT28 is exploiting a vulnerability in Windows Print Spooler to escalate privileges and steal data using a new tool called GooseEgg.

APT28 is believed to have been using this tool to exploit CVE-2022-38028 since April 2019.

The vulnerability, reported by the US National Security Agency, was patched in Microsoft’s October 2022 Patch Tuesday.

Microsoft observed that once compromised, attackers run this tool as a script named ‘execute.bat’ or ‘doit.bat’, which runs the GooseEgg executable and gains persistence on the compromised system.

Although it is a simple application, GooseEgg is capable of running other applications with elevated privileges, allowing attackers to remotely execute code, install backdoors, and move laterally within compromised networks.

Windows Defender and Kaspersky EDR allow remote file deletion

Researchers from the US-Israeli company SafeBreach last Friday discussed vulnerabilities in Microsoft and Kaspersky security products that could potentially allow remote file deletion.

The attack relies on Microsoft and Kaspersky’s use of byte signatures to detect malware.

“Our goal was to fool EDRs by implanting malware signatures into files to make them think they are malicious,” the researchers explained in their presentation at Black Hat Asia.

To achieve this, the researchers found a byte signature associated with the malware on the VirusTotal platform and then inserted it into the database – for example, by creating a new user with a name that included the signature. The EDR program then considered the database containing the signature to be infected with malware.

If EDR is set to remove infected files, it will do so. The pair claimed that databases or virtual machines could therefore be removed remotely.

For example, access to the database could be gained by registering as a new user on a website and using a name that contains a byte signature. Similarly, a byte signature could be used in a comment.

Microsoft’s position is that users can block the attack vector by, for example, placing files in protected folders to prevent immediate deletion.

Interested in cybersecurity? Check out other editions of our weekly Security Sunday.