Trend Micro says the BlackBasta and the Bl00dy ransomware gangs are now exploiting two recently disclosed ScreenConnect vulnerabilities (CVE-2024-1708 and CVE-2024-1709) to breach networks and encrypt files.
Notices by Catalin Cimpanu (campuscodi@mastodon.social), page 5
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Tuesday, 27-Feb-2024 21:37:44 JST Catalin Cimpanu
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Saturday, 24-Feb-2024 19:26:30 JST Catalin Cimpanu A German bank just sent its new TOS to customers as a USB via mail
Oh, dear lord! :AAAAAA: :AAAAAA: :AAAAAA: :AAAAAA: :AAAAAA: :AAAAAA: :AAAAAA: :AAAAAA: :AAAAAA: :AAAAAA: :AAAAAA: :AAAAAA:
https://old.reddit.com/r/de/comments/1ax7ky3/milde_interessant_die_sparkasse_schickt_mir_einen/
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Thursday, 22-Feb-2024 18:52:37 JST Catalin Cimpanu The Romanian Parliament, which was hit by ransomware a few weeks back, was still using XP and Win7.
A lawsuit has prevented the agency from replacing PCs for 5 years.
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Thursday, 22-Feb-2024 06:43:12 JST Catalin Cimpanu There's now a $15 million reward for LockBit out too
https://www.state.gov/reward-offers-for-information-on-lockbit-leaders-and-designating-affiliates/
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Thursday, 22-Feb-2024 06:42:22 JST Catalin Cimpanu The LockBit affiliate arrested in Ukraine was actually TWO, a father and son duo from Ternopil
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Sunday, 18-Feb-2024 14:55:38 JST Catalin Cimpanu GreyNoise has taken another look at CVE-2021-44529, an older bug in the Ivanti Endpoint Manager that some security researchers thought might have been an intentional backdoor in one of the software's open-source libraries—which apparently it was.
https://www.labs.greynoise.io/grimoire/2024-02-what-is-this-old-ivanti-exploit/index.html
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Friday, 16-Feb-2024 00:38:56 JST Catalin Cimpanu The cybersecurity "news outlet" I've caught copying and re-wording my articles almost a decade ago has hit a new low. (via @metacurity)
"For $2,500, they will launder any vendor’s marketing material and transform it into “news.”"
https://www.hakpop.com/blog/thehackernews-profits-from-deceptive-advertising
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Thursday, 15-Feb-2024 23:17:05 JST Catalin Cimpanu Cisco has announced plans to lay off more than 4,200 employees, amounting to roughly 5% of its workforce.
It's unclear if the layoffs will affect any of the Cisco cybersecurity divisions, such as Talos, Splunk, Duo, and others.
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Monday, 12-Feb-2024 02:23:20 JST Catalin Cimpanu WithSecure has put together a GitHub repo named LolCerts that tracks code signing certificates known to have been leaked or stolen, then abused by threat actors.
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Sunday, 11-Feb-2024 23:04:05 JST Catalin Cimpanu If you're looking for the latest entries published on ransomware leak sites, you can follow the CTI.FYI Mastodon and Bluesky accounts.
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Sunday, 11-Feb-2024 15:28:47 JST Catalin Cimpanu PoC for that recent Ivanti bug (CVE-2024-22024): https://github.com/0dteam/CVE-2024-22024
Write-up here: https://labs.watchtowr.com/are-we-now-part-of-ivanti/
Patches here: https://forums.ivanti.com/s/article/CVE-2024-22024-XXE-for-Ivanti-Connect-Secure-and-Ivanti-Policy-Secure?language=en_US
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Thursday, 08-Feb-2024 23:10:02 JST Catalin Cimpanu LockBit admin got banned on XSS and Exploit, the two prominent Russian-speaking cybercrime forums
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Tuesday, 23-Jan-2024 22:56:17 JST Catalin Cimpanu Twitter Blue users about fixing the world's problems:
"teach AI and ML to primary schools"
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Sunday, 21-Jan-2024 18:57:21 JST Catalin Cimpanu Security researchers from Assetnote have found new ways to exploit the recent Ivanti zero-days (CVE-2023-46805 & CVE-2024-21887) on older versions of the Connect Secure firmware.
According to GreyNoise, exploitation of these zero-days has extended from a Chinese APT to cryptomining botnets.
https://www.greynoise.io/blog/ivanti-connect-secure-exploited-to-install-cryptominers
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Sunday, 21-Jan-2024 07:31:33 JST Catalin Cimpanu Mozilla has accused the three major browser makers—Apple, Google, and Microsoft—of sabotaging Firefox.
The company says it launched a new issue tracker where "we intend to document the ways in which platforms put Firefox at a disadvantage."
https://blog.mozilla.org/netpolicy/2024/01/19/platform-tilt/
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Friday, 19-Jan-2024 00:55:27 JST Catalin Cimpanu According to watchTowr Labs, Juniper has secretly patched four vulnerabilities in JunOS without disclosing the bugs or filing for a CVE.
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Wednesday, 17-Jan-2024 05:31:21 JST Catalin Cimpanu Russian security firm Kaspersky has released iShutdown, a collection of Python scripts that can detect various strains of iOS spyware, such as Pegasus, Predator, and Reign.
https://securelist.com/shutdown-log-lightweight-ios-malware-detection-method/111734/
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Tuesday, 16-Jan-2024 02:43:40 JST Catalin Cimpanu Ah... the disinformation and propaganda bots have arrived on Mastodon.
If you haven't been on Twitter, they've been pushing this narrative that "western media didn't cover South Africa's arguments" while literally sharing BBC and DW clips a day before on the same account.
It flooded Twitter to the point that any suggested tweet below infosec content was about this garbage.
The account is like 6-days old... let's see if it gets nuked. It will show me if Mastodon is worth my time anymore.
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Monday, 08-Jan-2024 01:20:36 JST Catalin Cimpanu "According to our sensor network, SonicWall is seeing a large number of exploitation attempts of CVE-2023-51467. We highly recommend upgrading to Apache OFBiz version 18.12.11 or newer."
https://blog.sonicwall.com/en-us/2023/12/sonicwall-discovers-critical-apache-ofbiz-zero-day-authbiz/
Catalin Cimpanu (campuscodi@mastodon.social)'s status on Friday, 01-Dec-2023 02:35:19 JST Catalin Cimpanu France has banned government officials from using foreign encrypted messaging services like Telegram, Signal, and WhatsApp.
The government is notifying ministers and their cabinet staff that they have to uninstall the apps from their devices by December 8.
Instead, French officials have been told to use locally-developed alternatives like Tchap and Olvid.