Cyber Round-up

Cyber Round-up for 26th April

April 25, 2024


Welcome to Ironshare’s Cyber Round-up, where we look back at the events of the last week to cover some of the news, posts, views, and highlights from the world of Security.

In this week’s round-up:

Security News

Phishing Campaign Uses LastPass Branding to Deceive Users

LastPass has reported an ongoing phishing campaign leveraging a phishing kit called CryptoChameleon, which uses LastPass branding to deceive users. The kit enables criminals to create fake login pages to steal user credentials.

The campaign, now utilizing new phishing sites like "tickets-lastpass[.]com," primarily uses SMS and direct calls to direct victims to these sites. LastPass is actively working to take down these sites and advises customers to ignore unsolicited communications and never share their passwords.


FTC Refunds 117,000 Ring Customers Following Privacy Breach

Ring customers are set to receive a total of $5.6 million as a settlement from a privacy breach lawsuit. This follows claims that Amazon employees and contractors accessed users' private video feeds without permission, leading to security concerns. After complaints of inadequate security measures that allowed unauthorized access to customer video feeds and account information, the Federal Trade Commission (FTC) is issuing refunds for all affected customers.

“The FTC is sending 117,044 PayPal payments to consumers who had certain types of Ring devices, such as indoor cameras, during periods when the FTC alleges unauthorized users may have had access to customer videos. Consumers should redeem their PayPal payment within 30 days.” – FTC

You can find out more about this settlement in The Federal Trade Commission’s official statement, here.


Cisco Firewall Platform Vulnerabilities Are Being Actively Exploited – Urgent Patching Required

The UK's National Cyber Security Centre (NCSC) has issued an alert regarding exploitation of vulnerabilities in Cisco firewall platforms. Cisco are aware that the two vulnerabilities, CVE-2024-20353 and CVE-2024-20359, are being actively exploited, posing a significant security risk. If successfully exploited, an attacker could gain control of the affected device with root-level privileges.

These flaws only affect Cisco devices running Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. Users are urged to apply the latest security updates as soon as possible to protect their systems.

These vulnerabilities have been abused by unknown state-sponsored hackers to conduct espionage. The campaign, named ArcaneDoor by Cisco Talos, involved deploying custom malware, including the “Line Runner” and “Line Dancer” backdoors, to modify configurations, conduct reconnaissance, capture network traffic, and potentially enable lateral movement.

Talos claim that “Perimeter network devices are the perfect intrusion point for espionage-focused campaigns”, which is supported by a recent trend of attacks against Fortinet, Ivanti, and Palo Alto devices.


Latest Microsoft Phishing Campaign Uses Malicious PDF Files Hosted on Autodesk Drive

A new phishing campaign exploits Autodesk Drive to target corporate users with emails containing malicious PDF links. These emails, appearing legitimate by mimicking sender signatures, direct recipients to phishing sites where they are prompted to enter Microsoft account credentials. The attackers then distribute phishing emails to the contacts of compromised email accounts and have even recreated the malicious documents in multiple languages to spread their campaign to multiple countries.

The email links all appear to use the autode[.]sk URL shortener which, when clicked, directs the user to a PDF hosted on Autodesk Drive. The document contains the sender’s name and the company they work for, to further deceive the user, as well as a button to ‘VIEW DOCUMENT’. This link then redirects to the fake Microsoft sign-in where the user’s credentials are stolen.

All Autodesk users are advised to be on the lookout for signs of phishing; specifically, emails containing an autode[.]sk link.


Vulnerability in WP Automatic Plugin Affects More Than 30,000 WordPress Websites

The WP Automatic plugin for WordPress has been hit by millions of SQL injection attacks targeting a critical vulnerability identified as CVE-2024-27956. This flaw has been exploited to create unauthorized admin accounts and plant backdoors on over 30,000 websites, significantly compromising security. PatchStack disclosed this issue, which affects plugin versions before Administrators are urged to update to version 3.92.1 or later to protect their sites.


Stay Safe, Secure and Healthy!

Edition #273 – 26th April 2024


Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.

Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.

Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.


Ironshare is a provider of Information and Cyber Security services.
