Commit 11_8_2023: Surprise! Ransomware gangs are exploiting that Confluence vuln


Welcome to Commit 11_8_2023! README senior editor Nathaniel Mott here with a bit of a cold… and the hottest cybersecurity news.


The Record: Yep, the Confluence bug is being used in ransomware attacks

I’m sure absolutely everyone had this on their November cybersecurity news bingo card: The Record reported Tuesday that Atlassian has confirmed that ransomware gangs are exploiting the vulnerability in Confluence Data Center and Server, CVE-2023-22518, that it disclosed on Oct. 31.

The only surprising aspect of this exploitation is that it’s being used to distribute the Cerber ransomware that, as The Record noted, was fairly common in 2016-2019 but hasn’t been seen for several years. Cerber was previously spread via vulnerabilities in Confluence, though, so maybe the group responsible for attacks that rely on the ransomware is just seriously committed to only exploiting Atlassian software.

BleepingComputer: Microsoft Authenticator looks to curb sus MFA alerts

Microsoft is looking to improve the security of push-based multi-factor authentication that relies on its Authenticator app. BleepingComputer reported Tuesday that the company has “introduced a new protective feature … to block notifications that appear suspicious based on specific checks performed during the account login stage.” That should make it a bit more difficult for attackers to bypass MFA on an account.

This is the kind of news I like to see. So long as Microsoft doesn’t mistakenly filter out legitimate authentication requests—or make it so rapidly submitting requests allows some to slip through, which would allow push fatigue attacks to continue unabated—it’s just a net positive for the security of someone’s account that doesn’t really make life any more difficult for them in the process. Nice work.

The Register: DHS ain’t happy about how ICE agents use their phones

Pop quiz: Should you install unnecessary apps on an employer-provided smartphone? Probably not, right? How about if you’re an agent with the U.S. Immigration and Customs Enforcement agency? If you answered “definitely,” well, it might be time to submit your application to the agency’s hiring department! 

The Register reported that the Department of Homeland Security recently “concluded [that ICE agents’] lax mobile device security potentially put sensitive government information at risk of being stolen by foreign snoops.” ICE has disputed these findings, of course, but it would probably be wise to give agents a refresher on the difference between their personal and their government-issued devices.

Jamf: North Korean hackers target macOS users with ObjCShellz malware

Jamf said on Tuesday that it has discovered a variant of the RustBucket malware deployed by the North Korea-linked advanced persistent threat called BlueNoroff, which like many of its counterparts primarily targets “cryptocurrency exchanges, venture capital firms and banks” to support the country’s military efforts.

“Although fairly simple, this malware is still very functional and will help attackers carry out their objectives,” Jamf said. “This seems to be a theme with the latest malware we’ve seen coming from this APT group.” (Which is probably the closest most researchers are willing to come to shaming APTs… at least in official communications.) More information about the malware can be found in Jamf’s report.