
Cyware Weekly Threat Intelligence - April 01–05


Weekly Threat Briefing Apr 5, 2024

Another year-long effort materialized for CISA this week with the introduction of a webpage that provides cybersecurity resources tailored to vulnerable groups, such as journalists and human rights defenders, to help them combat cyber threats effectively.

A new wave of malware attacks sparked concerns among cybersecurity experts worldwide this week. The list includes the likes of JsOutProx, UNAPIMON, Red CryptoApp, and others. Additionally, Vultur, an Android banking trojan, was observed masquerading as authenticator and productivity apps on Google Play. Criminals are also back with pirated video game lures on YouTube, targeting home users who lack enterprise-grade security in order to steal sensitive data.

The Good

  • CISA introduced a dedicated High-Risk Communities webpage aimed at providing cybersecurity resources for high-risk communities, including activists, journalists, and human rights defenders. The initiative offers tailored guidance and tools to mitigate cyber threats, recognizing the increased risk these groups face. Resources include Project Upskill, which offers "how-to" guides for non-technical individuals, information on local cyber volunteer programs, and a repository of free or discounted cybersecurity tools.

The Bad

  • Visa warned about a surge in detections of a new variant of JsOutProx malware targeting financial institutions in South and Southeast Asia, the Middle East, and Africa. The malware enables attackers to execute various malicious activities, including command execution, payload downloads, and keyboard/mouse control. The phishing campaign associated with JsOutProx involves fake financial notifications sent via email, with malicious .js files hosted on GitLab.
  • Netenrich researchers have identified a new ransomware group called Red CryptoApp, which employs the unusual tactic of publicly shaming victims on a "wall of shame" to coerce ransom payments. While the origins of its operators are still unclear, experts underlined similarities with the Maze ransomware group. The ransomware targets various industries globally, with a primary focus on the U.S.
  • Sansec reported that threat actors are exploiting a critical vulnerability (CVE-2024-20720) in unpatched Magento sites, allowing them to inject a persistent backdoor into e-commerce websites. The backdoor, added to the CMS controller, ensures periodic reinjection, enabling persistent remote code execution. The exploit facilitates the deployment of a fake Stripe payment skimmer, targeting payment data.
  • Proofpoint warned users of a new campaign that deceives them into clicking on malicious links in YouTube video descriptions. Info-stealer malware, including Vidar, StealC, and Lumma Stealer, is being delivered disguised as pirated software and video game cracks alongside legitimate content. Popular games, especially those appealing to children, are used as lures, indicating a focus on less savvy users. YouTube has removed over two dozen accounts and videos flagged by Proofpoint.
  • Cyber espionage group Earth Freybug (aka APT41) recently launched a phishing campaign utilizing a new malware called UNAPIMON. The attack, reminiscent of previous campaigns, targeted various sectors across several countries. UNAPIMON, detected in the attack flow, utilizes DLL hijacking and API unhooking techniques to evade detection. The malware, deployed through batch files and service manipulation, prevents child processes from being monitored, allowing malicious activity to go undetected.
  • Swiss IT security assessment firm Pentagrid uncovered a security flaw in self-check-in kiosks at Ibis Budget hotels across Europe, potentially exposing keypad access codes for room entry. Discovered in late 2023, the flaw allowed access to room numbers and keypad codes by entering dashes instead of booking IDs. While the vulnerability required physical access to the kiosk, it posed a risk of theft and raised concerns over the security of low-budget hotel rooms without safes.
  • Google released patches for 28 vulnerabilities in Android, with 25 affecting Pixel devices. This also included two exploited flaws in Pixel's bootloader and firmware. The company warns of targeted exploitation but doesn't provide specific details. The update addresses various vulnerabilities leading to the elevation of privilege and information disclosure issues, along with fixes for Qualcomm components. The most severe issue, CVE-2024-23704, affects Android 13 and 14.
  • A critical security vulnerability (CVE-2024-2879) was identified in WordPress's LayerSlider plugin (a visual web content editor), affecting versions 7.9.11 through 7.10.0. This SQL injection flaw, with a CVSS score of 9.8, allowed unauthenticated attackers to extract sensitive information, including password hashes, from databases. The issue has been addressed in version 7.10.1, released on March 27.
  • The Vultur Android banking trojan made a comeback with upgraded capabilities and improved evasion techniques, allowing attackers to control mobile devices and extract sensitive information remotely. Distributed via trojanized dropper apps on the Google Play Store, Vultur now encrypts its communication, employs multiple encrypted payloads, and masquerades as legitimate applications. It leverages techniques like TOAD to spread, targeting victims through SMS messages and phone calls.
  • Red Hat issued a warning regarding a backdoor discovered in the xz data compression software library, potentially impacting instances of Fedora Linux 40 and Fedora Rawhide. The backdoor, present in xz versions 5.6.0 and 5.6.1, allows remote access via OpenSSH through systemd. Designated as CVE-2024-3094, the vulnerability is rated as critical. While Red Hat assures that Red Hat Enterprise Linux (RHEL) is unaffected, users of Fedora Linux 40 and Rawhide are advised to cease usage immediately.
  • Cybersecurity firm Wiz identified two critical vulnerabilities within Hugging Face's AI platform, potentially exposing millions of private AI models and apps. The risks involve a shared inference infrastructure takeover and a shared CI/CD takeover, allowing attackers to compromise the platform's integrity. Wiz recommends isolation and segmentation as crucial steps to mitigate such risks for AI-as-a-service providers.
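Two of the items above (the LayerSlider SQL injection, affecting versions 7.9.11 through 7.10.0, and the xz backdoor, present in 5.6.0 and 5.6.1) are ultimately answered by the same defender's question: is the version on my system inside the affected range? The following is an added example, not code from Cyware, Red Hat, or the LayerSlider project; it parses a version string such as the output of `xz --version`, compares it against the inclusive ranges stated in the briefing, and pads shorter version tuples so that "7.10" and "7.10.0" compare equal. The range table and the sample output are constructed from the figures in this briefing.

```python
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Inclusive affected ranges, taken from the briefing text above.
# Keys are labels chosen for this example, not vendor identifiers.
AFFECTED = {
    "xz": [((5, 6, 0), (5, 6, 1))],             # CVE-2024-3094 backdoored releases
    "layerslider": [((7, 9, 11), (7, 10, 0))],  # CVE-2024-2879 SQL injection
}


def parse_version(text: str) -> Optional[Version]:
    """Extract the first dotted version number in text as a tuple of ints."""
    match = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def _pad(version: Version, length: int) -> Version:
    """Right-pad with zeros so 7.10 and 7.10.0 compare as equal."""
    return version + (0,) * (length - len(version))


def is_affected(product: str, version: Version) -> bool:
    """True if version lies inside any inclusive affected range for product."""
    for low, high in AFFECTED[product]:
        width = max(len(low), len(high), len(version))
        if _pad(low, width) <= _pad(version, width) <= _pad(high, width):
            return True
    return False


def check_xz_output(output: str) -> Optional[bool]:
    """Classify `xz --version` output; None when no version can be parsed."""
    version = parse_version(output)
    return None if version is None else is_affected("xz", version)


# Constructed sample, in the format `xz --version` prints on a backdoored build.
SAMPLE_XZ_OUTPUT = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"


if __name__ == "__main__":
    # Check the locally installed xz if one is present; fall back to the sample.
    try:
        output = subprocess.run(["xz", "--version"], capture_output=True,
                                text=True, check=False).stdout
    except FileNotFoundError:
        output = SAMPLE_XZ_OUTPUT
    verdict = check_xz_output(output)
    print("xz version affected by CVE-2024-3094:", verdict)
```

Running this on a host with xz installed reports whether the installed release is one of the two backdoored versions; a `None` verdict means the version string could not be parsed and should be inspected by hand rather than treated as safe. The same `is_affected` call with `"layerslider"` and a tuple parsed from the plugin header serves the WordPress case.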
