Top cybersecurity stories for the week of 03-13-23 to 03-17-03



Below are the top headlines we’ve been reporting this whole week on Cyber Security Headlines.

If you’d like to hear and participate in a discussion about them, the CISO Series does a live 20-minute show every Friday at 12:30pm PT/3:30pm ET. Each week we welcome a different cyber practitioner to offer some color to the week's stories. Our guest this week is JJ Agha, CISO, FanDuel.

To get involved you can watch live and participate in the discussion on YouTube Live or you can subscribe to the Cyber Security Headlines podcast and get it into your feed.

Here are the stories we'll be covering:

Critical Microsoft Outlook bug PoC shows how easy it is to exploit

Security researchers have shared technical details for exploiting a critical Microsoft Outlook vulnerability for Windows (CVE-2023-23397) that allows attackers to remotely steal hashed passwords simply by having the target receive an email. Microsoft yesterday released a patch for the security flaw, but it has been exploited as a zero-day in NTLM-relay attacks since at least mid-April 2022. The issue is a privilege escalation vulnerability with a 9.8 severity rating that affects all versions of Microsoft Outlook on Windows. An attacker can use it to steal NTLM credentials simply by sending the target a malicious email. No user interaction is needed, as exploitation occurs when Outlook is open and the reminder is triggered on the system.

(Bleeping Computer)
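The story above describes an email whose reminder fires a network request that leaks an NTLM hash. The following is an added defender-side example, not code from the CISO Series page or from Bleeping Computer: a small triage helper that takes reminder-sound path values already pulled out of mail items and flags those that point at a UNC share on a host outside the organisation's own networks. It assumes the values come from the message's reminder-sound property (Microsoft's mitigation guidance for this CVE works on the same property); the internal address ranges, the DNS suffix and the sample records are all constructed for illustration.

```python
"""Triage of Outlook reminder-sound paths for external UNC targets.

Added example, not from the original page. The MAPI/MSG extraction step that
produces (message_id, reminder_path) pairs is assumed to exist elsewhere;
everything below is constructed sample data and a pure-Python check.
"""
import ipaddress
import re

# Constructed: networks and DNS suffix this hypothetical organisation treats
# as internal. A real deployment would load these from inventory.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
INTERNAL_DOMAINS = ("corp.example",)

# A UNC path starts with two backslashes, then the host, then a backslash.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def unc_host(path: str):
    """Return the host part of a UNC path, or None if the path is not UNC.

    The WebDAV form '\\\\host@80\\share' carries a port after '@'; the host
    is what matters for the internal/external decision, so the suffix is dropped.
    """
    match = UNC_RE.match(path or "")
    if not match:
        return None
    return match.group(1).split("@", 1)[0]


def is_internal(host: str) -> bool:
    """True if the host is an internal IP or carries an internal DNS suffix."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: fall back to the DNS suffix check.
        return host.lower().endswith(INTERNAL_DOMAINS)
    return any(addr in net for net in INTERNAL_NETWORKS)


def classify_reminder_path(path: str) -> str:
    """Classify one reminder-sound path value.

    'none'         - property absent or empty
    'local'        - a local file path (the normal case)
    'internal-unc' - UNC share on an internal host
    'EXTERNAL-UNC' - UNC share on an outside host: the pattern worth alerting on
    """
    if not path:
        return "none"
    host = unc_host(path)
    if host is None:
        return "local"
    return "internal-unc" if is_internal(host) else "EXTERNAL-UNC"


def triage(records):
    """records: iterable of (message_id, reminder_path). Returns flagged ids."""
    return [mid for mid, path in records
            if classify_reminder_path(path) == "EXTERNAL-UNC"]


# Constructed sample input standing in for values extracted from mail items.
SAMPLE_RECORDS = [
    ("msg-001", r"C:\Windows\Media\chimes.wav"),
    ("msg-002", r"\\fs01.corp.example\sounds\ding.wav"),
    ("msg-003", r"\\203.0.113.10\share\reminder.wav"),
    ("msg-004", r"\\evil.example@80\dav\x.wav"),
    ("msg-005", ""),
]

if __name__ == "__main__":
    for mid, path in SAMPLE_RECORDS:
        print(f"{mid}: {classify_reminder_path(path):13} {path!r}")
    print("flagged:", triage(SAMPLE_RECORDS))
```

The point of the classification is that a reminder sound living on a local disk is routine, while one hosted on a share outside the organisation has no legitimate reason to exist and is exactly what would make an unpatched client reach out and authenticate. Treating internal UNC paths as a separate class keeps the rule from drowning in noise at sites that really do host shared media on a file server.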

CISA warns of actively exploited Plex bug after LastPass breach

CISA has added a nearly three-year-old high-severity remote code execution (RCE) vulnerability in the Plex Media Server to its catalog of exploited security flaws. Tracked as CVE-2020-5741, the flaw could allow threat actors with admin privileges to abuse the Camera Upload feature and remotely execute arbitrary Python code in low-complexity attacks. While CISA didn’t confirm specific attacks, the issue is likely linked to the incident involving a LastPass senior DevOps engineer whose computer was hacked last year to install a keylogger and gain access to customer vault backups.

(Bleeping Computer)

AI-generated YouTube videos spread infostealers

Researchers at CloudSEK warned that they observed a 200-300% month-over-month increase in the number of YouTube videos with links to infostealing malware in the description. In some instances, threat actors hijack legitimate accounts to push malware-laden videos. Researchers say threat actors increasingly use AI-generated content to quickly push out new videos. While threat actors retain access to channels for only a few hours, they seem proficient at quickly publishing malicious content and using SEO poisoning techniques to get it views. Generally the links promise free software downloads for things like Photoshop and AutoCAD, but instead install infostealers.

(The Hacker News)

Blackbaud to pay $3 million for misleading ransomware disclosure

Back in 2020, cloud software provider Blackbaud suffered a ransomware attack which affected 13,000 customers from charities, foundations, non-profits, and universities in the US, Canada, the UK, and the Netherlands. According to the SEC, Blackbaud initially stated that the attackers had not gained access to donor bank account details or social security numbers. Shortly thereafter, company staff learned that the threat actors had indeed accessed and stolen this sensitive information but failed to report it to management. This led to the company filing an SEC report the following month, which omitted vital information about the breach and also downplayed associated risks, passing them off as hypothetical. Blackbaud agreed to pay a $3 million civil penalty to settle the misreporting charges brought by the Securities and Exchange Commission (SEC).

(Bleeping Computer)

North Korea targets security researchers

Mandiant reports it spotted the North Korea-linked threat actor UNC2970 operating a phishing campaign since June 2022. The campaign uses three new malware families and specifically focuses on security researchers. It used job-recruitment lures in a spearphishing approach: these lures impersonated legitimate recruiters and eventually shifted conversations to WhatsApp, where the actor would deliver malicious Word docs to install a backdoor.

(Ars Technica)

Senators call on CISA to examine cybersecurity risks of Chinese consumer drones

A bipartisan group of senators is asking CISA to examine consumer drones made by a company with “deep ties” to the Chinese Communist Party, warning that they could be used to spy on U.S. critical infrastructure. Several companies are in the process of expanding the use of consumer drones across the U.S. for everything from food delivery to emergency services. But U.S. senators Mark Warner (D-VA) and Marsha Blackburn (R-TN) said CISA needs to step in and “reevaluate the risks associated” with drones built by Shenzhen DJI Innovation Technology – a company they accuse of having links to China’s government. A CISA spokesperson said it will not comment on the letter publicly and plans to respond directly to the senators.

(The Record)

CISA creates new ransomware vulnerability warning program

CISA has announced the creation of a new Ransomware Vulnerability Warning Pilot (RVWP) program. Stemming from the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and coordinated by the Joint Ransomware Task Force (JRTF), the RVWP will see CISA assess flaws commonly associated with known ransomware exploitation. After finding these vulnerabilities, the Agency will warn critical infrastructure entities with the goal of enabling mitigation before a ransomware incident. To identify entities vulnerable to the bugs, CISA will rely on various existing services, data sources, technologies and authorities, including its Cyber Hygiene Vulnerability Scanning service.

(InfoSecurity Magazine)

Two charged in DEA portal hack

Prosecutors charged two US men with illegally accessing an online portal for the US Drug Enforcement Agency. This portal connected to over a dozen other federal law enforcement databases. Prosecutors allege the men operated as part of the larger ViLE criminal organization, which uses faked emergency data requests to dox victims. Once ViLE operators receive information from these requests, they post it on illicit forums and extort victims to have it removed. Sometimes this entails giving the attackers access to social network accounts.

(Krebs on Security)
