Welcome to the Secjuice Squeeze, a curated selection of interesting security articles and infosec news that you may have missed, lovingly curated for you every week. This week's volume was curated by Secjuice writers Andy74, Ross Moore, Prasanna, Erin N, and Mars Groves.

Cyber-attacks bring down many Ukraine websites

Ukraine has been hit by more cyber-attacks, which its government says are "on a completely different level." Earlier on Wednesday, the websites of several Ukrainian banks and government departments became inaccessible. Internet connectivity company NetBlocks tweeted: "The incident appears consistent with recent DDOS attacks."

Read more at bbc.com

Will war in Ukraine lead to a wider cyber-conflict?

Russian missiles slammed into Kyiv on the morning of February 24th. But its computer networks were already long under attack. On February 23rd, as the country was still bracing for an invasion that was expected to be imminent, the websites of Ukraine’s parliament and several government agencies were put out of action.

Read more at economist.com

Free Cybersecurity Services and Tools

As part of our continuing mission to reduce cybersecurity risk across U.S. critical infrastructure partners and state, local, tribal, and territorial governments, CISA has compiled a list of free cybersecurity tools and services to help organizations further advance their security capabilities.

Read more at cisa.gov

UK firms warned of Russian cyberwar ‘spillover’ from Ukraine

British officials are concerned about “spillover” from any heightened Russian cyber-activity in Ukraine, as demonstrated by last week’s attack on two banks by hackers linked to the GRU spy agency. Although there have been no Ukraine-related Russian attacks on the UK since the start of the crisis, cyber-specialists have been holding meetings with key companies to discuss the possible threat and how it could be tackled.

Read more at theguardian.com

Declassified documents reveal CIA has been sweeping up information on Americans

The Central Intelligence Agency (CIA) has been secretly collecting Americans’ private information in bulk, according to newly declassified documents that prompted condemnation from civil liberties watchdogs. The surveillance program was exposed on Thursday by two Democrats on the Senate intelligence committee.

Read more at theguardian.com

Conti ransomware gang takes over TrickBot malware operation

After four years of activity and numerous takedown attempts, the death knell of TrickBot has sounded as its top members move under new management, the Conti ransomware syndicate, who plan to replace it with the stealthier BazarBackdoor malware. TrickBot is a Windows malware platform that uses multiple modules for various malicious activities, including information stealing, password stealing, infiltrating Windows domains, initial access to networks, and malware delivery.

Read more at bleepingcomputer.com

WooCommerce Skimmer Uses Fake Fonts and Favicon to Steal CC Details

The holidays are always a busy time for ecommerce stores: an influx of Christmas shoppers, holiday sales and inventory, shipping, and at times also hackers. Today’s investigation starts out much like many others, with our client reporting an antivirus warning appearing only on their checkout page, of course at the worst possible time, right around the end of December.

Read more at blog.sucuri.net

Malicious CSV Text Files Used to Install BazarBackdoor Malware

A new phishing campaign is using specially crafted CSV text files to infect users' devices with the BazarBackdoor malware.

Read more at bleepingcomputer.com

Two Dozen UEFI Vulnerabilities Impact Millions of Devices From Major Vendors

Researchers at firmware security company Binarly have identified nearly two dozen vulnerabilities in UEFI firmware code used by the world’s largest device makers.

Read more at securityweek.com

Google Workspace to strip privacy control from admins, re-enable tracking

Starting on March 29, Google is changing its infamous "Web & App Activity" controls for paid users of Google Workspace. That feature is now being split up into two settings, one still called "Web & App Activity" and another called "Search history." The big news is that Google is taking advantage of this settings split to re-enable some tracking features, even if users have previously opted out.

Read more at arstechnica.com

Google Patches 27 Vulnerabilities With Release of Chrome 98

Google announced the release of Chrome 98 in the stable channel with a total of 27 security fixes inside, including 19 for vulnerabilities reported by external researchers. The most severe of these security defects could be exploited to execute arbitrary code with the same privileges as the Chrome browser has on the target system.

Read more at securityweek.com

Critical Flaws Discovered in Cisco Small Business RV Series Routers

Cisco has patched multiple critical security vulnerabilities impacting its RV Series routers that could be weaponized to elevate privileges and execute arbitrary code on affected systems, while also warning of the existence of proof-of-concept (PoC) exploit code targeting some of these bugs.

Read more at thehackernews.com

CVE-2022-0185: Kubernetes Container Escape Using Linux Kernel Exploit

On Jan. 18, 2022, researchers found a heap-based buffer overflow flaw (CVE-2022-0185) in the Linux kernel (5.1-rc1+) function “legacy_parse_param” of the filesystem context functionality, which allows an out-of-bounds write in kernel memory. Using this primitive, an unprivileged attacker can escalate their privileges to root, bypassing any Linux namespace restrictions.

Read more at crowdstrike.com

Critical RCE Flaws in 'PHP Everywhere' Plugin Affect Thousands of WordPress Sites

Critical security vulnerabilities have been disclosed in a WordPress plugin known as PHP Everywhere that's used by more than 30,000 websites worldwide and could be abused by an attacker to execute arbitrary code on affected systems.

Read more at thehackernews.com

Fake Windows 11 Upgrade Installers Infect You with RedLine Malware

Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware. RedLine stealer is currently the most widely deployed password, browser cookies, credit card, and cryptocurrency wallet info grabber, so its infections can have dire consequences for the victims.

Read more at bleepingcomputer.com

New Vulnerabilities Can Allow Hackers to Remotely Crash Siemens PLCs

Siemens announced the availability of patches and mitigations for a total of 27 vulnerabilities that can be exploited to remotely crash some of the company’s SIMATIC products. One of these advisories describes three high-severity flaws that can be exploited by a remote, unauthenticated attacker to launch denial-of-service (DoS) attacks against some Siemens programmable logic controllers (PLCs) and associated products.

Read more at securityweek.com

Latest Kali Linux 2022.1 Version Arrives With “Everything” Flavor And More

The latest version of Kali Linux has just arrived with lots of exciting features. With Kali Linux 2022.1, users get new tools, an “Everything” flavor, wider SSH compatibility, a refreshed theme, and more.

Read more at latesthackingnews.com

Grafana Web Security Vulnerability Opened A Plethora of Attack Possibilities

Research from a pair of bug bounty hunters has led to the discovery of a high-impact web security vulnerability in popular dashboard tool Grafana. The cross-site request forgery (CSRF) vulnerability – tracked as CVE-2022-21703 – opens the door for attackers to elevate their privileges through cross-origin attacks against administrators on systems running vulnerable versions of the open source platform.

Read more at portswigger.net

High-Severity RCE Security Bug Reported in Apache Cassandra Database Software

Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to gain remote code execution (RCE) on affected installations.

Read more at thehackernews.com

Meet Kraken: A New Golang Botnet in Development

ZeroFox Intelligence discovered a previously unknown botnet called Kraken. Though still under active development, Kraken already features the ability to download and execute secondary payloads, run shell commands, and take screenshots of the victim’s system.

Read more at zerofox.com

Malicious Emails Can Crash Cisco Email Security Appliances

Cisco this week informed customers that its Email Security Appliance (ESA) product is affected by a high-severity denial of service (DoS) vulnerability that can be exploited using specially crafted emails. The flaw, tracked as CVE-2022-20653, affects the DNS-based Authentication of Named Entities (DANE) email verification component of Cisco AsyncOS Software for ESA. It can be exploited remotely without authentication.

Read more at securityweek.com

Hackers Backdoor Unpatched Microsoft SQL Database Servers with Cobalt Strike

Vulnerable internet-facing Microsoft SQL (MS SQL) Servers are being targeted by threat actors as part of a new campaign to deploy the Cobalt Strike adversary simulation tool on compromised hosts. "Attacks that target MS SQL servers include attacks to the environment where its vulnerability has not been patched, brute forcing, and dictionary attack against poorly managed servers," South Korean cybersecurity company AhnLab Security Emergency Response Center (ASEC) said in a report published Monday.

Read more at thehackernews.com

Revamped CryptBot malware spread by pirated software sites

A new version of the CryptBot info stealer was seen in distribution via multiple websites that offer free downloads of cracks for games and pro-grade software. CryptBot is a Windows malware that steals information from infected devices, including saved browser credentials, cookies, browser history, cryptocurrency wallets, credit cards, and files.

Read more at bleepingcomputer.com

Multiple Vulnerabilities Found In Zabbix IT Monitoring Platform

Researchers have warned users of numerous security vulnerabilities in the Zabbix monitoring platform. Exploiting the bugs could allow an adversary to compromise an entire network. The developers have patched the flaws with the latest release.

Read more at latesthackingnews.com

Microsoft OneDrive For macOS Local Privilege Escalation

In this blog post, we will share the details of a vulnerability Offensive Security discovered in the XPC service of Microsoft OneDrive. Although Microsoft secured these services reasonably well, we will see how small mistakes in the code can have serious impacts. It took Microsoft over a year to fix the vulnerability, and the patched version of OneDrive was released in December 2021.

Read more at offensivesecurity.com

This 3D animation, relevant to the current war events around the globe, was created by the artist Piotr Forkasiewicz from Poland.