
WakeUp Wednesday

Welcome to #WakeUpWednesday. We want to make the Netherlands digitally safe and resilient. That is why, every Wednesday, Tesorion now publishes a short post giving an overview of vulnerabilities or hacks that have received national or international attention. We want to wake up as many people as possible and make them aware of the possible risks in the field of cyber security.


Important vulnerabilities and the options to mitigate them will of course still be reported immediately; #WakeUpWednesday is a retrospective.

WakeUpWednesday April 2, 2025
  1. RESURGE malware exploits Ivanti vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has shed light on a new malware called RESURGE that has been deployed as part of exploitation activities targeting a now-patched vulnerability in Ivanti Connect Secure (ICS) devices. This vulnerability is designated as CVE-2025-0282 and has a CVSS score of 9.0. Attackers are using this exploit to gain unauthorized access and install backdoors into networks.

  2. Researchers reveal 46 new critical vulnerabilities in inverters

A recent security report revealed 46 new critical vulnerabilities in inverter vendors’ products. These new vulnerabilities can be abused to execute arbitrary commands on vendor devices or the cloud, compromise accounts, compromise vendor infrastructure, or take control of inverter owners’ devices.

  3. CoffeeLoader malware: Advanced detection evasion with GPU-based ‘Armoury’

The newly discovered CoffeeLoader malware uses an innovative approach to evade detection by endpoint security solutions. CoffeeLoader uses a domain generation algorithm (DGA) that acts as a fallback mechanism when the primary command-and-control (C2) channels become unavailable.

The malware uses several techniques to evade security solutions. At the heart of the malware is a packer called Armoury that executes code on a system’s Graphics Processing Unit (GPU) to complicate analysis in virtual environments. The packer is so named because it mimics the legitimate Armoury Crate utility developed by ASUS. The malware loads malicious payloads and uses GPU-based techniques to evade security mechanisms.

  4. Critical Mozilla Firefox vulnerability

Mozilla has patched a critical vulnerability in Firefox for Windows. CVE-2025-2857, with a CVSS score of 10.0, allows a sandbox escape, letting attackers execute potentially malicious code with elevated privileges.

  5. Ubuntu Linux Vulnerabilities Require Manual Patching

Ubuntu users need to take action because of three new vulnerabilities discovered in the unprivileged user namespace restrictions of Ubuntu Linux. These vulnerabilities could allow a local attacker to bypass those restrictions and reach vulnerabilities in kernel components.

The vulnerabilities affect Ubuntu versions 23.10, where unprivileged user namespace restrictions are enabled, and 24.04, where they are enabled by default.

Linux user namespaces allow users to act as root in an isolated sandbox (namespace) without having the same privileges on the host. These vulnerabilities can be exploited to bypass system security measures, allowing attackers to gain root privileges. While updates are available, some vulnerabilities require manual mitigations.

WakeUpWednesday March 26, 2025
  1. Medusa ransomware exploits malicious driver

Medusa ransomware has added a new technique known as “Bring Your Own Vulnerable Driver” (BYOVD), which uses vulnerable drivers to gain access to critical parts of the operating system via elevated privileges. In this particular case, researchers have observed a Medusa ransomware attack that delivered the encryptor via a loader packaged using a packer-as-a-service (PaaS) called HeartCrypt.

The loader was deployed in conjunction with a driver signed with a revoked certificate from a Chinese vendor called ABYSSWORKER. This driver is installed on the victim’s system and then used to bypass various EDR solutions. The driver in question, “smuol.sys,” mimics a legitimate CrowdStrike Falcon driver (“CSAgent.sys”).

  2. Veeam and IBM Patches for Critical Vulnerabilities

Both Veeam and IBM have recently released important patches for critical vulnerabilities. The vulnerability in Veeam, known as CVE-2025-23120 with CVSS score 9.9, allows domain users to gain unauthorized access to backup servers, which can have serious consequences for the availability and integrity of corporate data.

IBM has also fixed vulnerabilities (CVE-2024-56346 with CVSS score 10.0 and CVE-2024-56347 with CVSS score 9.6) in its products, which, like the Veeam vulnerability, can lead to remote code execution (RCE).

  3. Nakivo Vulnerability Added to CISA’s KEV List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a new vulnerability in Nakivo’s backup software to its Known Exploited Vulnerabilities (KEV) list. The vulnerability, identified as CVE-2024-48248 with a CVSS score of 8.6, allows attackers to compromise backups via remote access, potentially resulting in data loss or disruption to backup and restore processes.

An update is available. It is recommended that potentially vulnerable systems be updated as soon as possible.

  4. Fake File Converters Spread Malware

The FBI recently issued another warning about a growing threat involving fake file converters being used to spread malware. In these attacks, victims are tricked into downloading malicious software that masquerades as a legitimate tool to convert files to other formats. These malicious converters spread various types of malware, including ransomware and infostealers, which are designed to steal login credentials, credit card information, and other sensitive data.

  5. Microsoft Trusted Signing Service Abused for Malware Distribution

Researchers have discovered a new attack technique that abuses the Microsoft Trusted Signing Service to sign malware with legitimate certificates. This allows attackers to make malicious software appear trusted, making it harder for security systems to detect the malware.

This technique uses code-signing certificates that attackers have obtained in some way. With this method, they can spread ransomware or spyware, for example, without traditional security measures such as antivirus software recognizing the threat.

WakeUpWednesday March 19, 2025
  1. Black Basta ransomware and automated brute force attacks on edge systems

The Black Basta ransomware group has taken a new step in its attack techniques. The group is now using an automated tool that is specifically designed to perform brute force attacks on edge systems, such as firewalls and VPN systems. This allows attackers to obtain employee credentials and then gain access to internal systems.

Once the attackers have access, they use Black Basta ransomware to encrypt files and demand ransom from affected organizations. These attacks can be particularly damaging because they target edge systems, which are often used for remote access to critical corporate resources.

  2. Vulnerability in Cisco IOS XR routers: BGP attacks

Cisco has patched a denial of service (DoS) vulnerability that allows attackers to crash the Border Gateway Protocol (BGP) process on IOS XR routers with a single BGP update message. IOS XR runs on the company’s carrier-grade Network Convergence System (NCS) and Carrier Routing System (CRS) series routers, such as the ASR 9000, NCS 5500, and 8000 series.

This vulnerability, CVE-2025-20115 with a CVSS score of 8.6, was found in the Border Gateway Protocol (BGP) confederation implementation and only affects Cisco IOS XR devices when BGP confederation is configured.

  3. SuperBlack Ransomware Exploits Fortinet Authentication

A new ransomware operator named “Mora_001” is exploiting two Fortinet vulnerabilities to gain unauthorized access to firewall devices and deploy a custom ransomware strain called SuperBlack. The two vulnerabilities, both authentication bypasses, are CVE-2024-55591 with CVSS score 9.8 and CVE-2025-24472 with CVSS score 8.1, which Fortinet announced in January and February respectively.

This ransomware variant allows attackers to gain access to Fortinet devices without valid credentials and then deploy their malicious software to encrypt files.

  4. OBSCURE#BAT malware: fake captcha attacks

OBSCURE#BAT malware is a new malware campaign that tries to trick people by using a fake captcha. This malware is likely distributed via malicious websites that look like legitimate pages. Visitors are asked to solve a captcha, but in reality they download malware onto their system when they click on the link.

What makes this malware particularly dangerous is its ability to hide files, registry entries, and running processes using user-mode API hooking. Files, registry keys, or tasks whose names match a specific pattern ($nya-) become invisible to standard Windows tools such as Task Manager, Explorer, and shell commands such as “dir” that list the contents of a directory. The malware also communicates with critical system processes, allowing it to embed itself deeper into legitimate processes and services. This allows attackers to gain access to a system and evade detection on compromised systems.

  5. OAuth attacks on Microsoft 365 accounts via fake Adobe and DocuSign apps

A new wave of attacks aims to compromise Microsoft 365 accounts via fake OAuth apps that impersonate legitimate Adobe and DocuSign apps. These attacks use phishing techniques to trick users into logging in with their Microsoft 365 accounts and granting access to the malicious apps. Once the attackers gain access via these fake OAuth apps, they can steal data or launch further attacks within the victim’s Microsoft 365 environment.

  6. Critical Vulnerability in Apache Tomcat is being actively exploited

A recently discovered vulnerability in Apache Tomcat (CVE-2025-24813) is being actively exploited following the disclosure of a proof-of-concept. This vulnerability affects the following versions of Tomcat:

  • Tomcat 11.0.0-M1 through 11.0.2
  • Tomcat 10.1.0-M1 through 10.1.34
  • Tomcat 9.0.0-M1 through 9.0.98

The attack consists of two steps:
1. Upload a malicious session file – The attacker sends a PUT request with a base64-encoded serialized Java payload, which is stored in Tomcat’s session store.
2. Trigger execution – A GET request is sent with a JSESSIONID cookie pointing to the uploaded session file. This forces Tomcat to deserialize and execute the malicious Java code, giving the attacker full control over the server.

The vulnerability can thus lead to remote code execution when certain conditions are met, including the use of “partial PUT” and write permissions for the default servlet.
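A defender-side check for the preconditions just named, added here as an example (not Tesorion's or the Apache Tomcat project's code); it assumes constructed web.xml and context.xml fragments plus the affected-version list above, and reports whether a deployment has every precondition at once.

```python
"""Precondition check for the Tomcat partial-PUT session issue (CVE-2025-24813).

Added example written for this post, not code from Tesorion or the Apache Tomcat
project. It inspects a version string plus constructed conf/web.xml and
context.xml fragments for the conditions named above: an affected release, a
DefaultServlet with readonly=false and partial PUT allowed, and file-based
session persistence (PersistentManager with a FileStore).
"""
import re
import xml.etree.ElementTree as ET

# Highest affected patch level per release line, from the version list above.
# Release lines not in this table (e.g. 8.5.x) are reported as not listed.
AFFECTED_MAX_PATCH = {(11, 0): 2, (10, 1): 34, (9, 0): 98}

def _local(tag):
    """Strip the XML namespace that Tomcat's web.xml declares."""
    return tag.rsplit('}', 1)[-1]

def parse_version(version):
    """Parse '9.0.98' or '11.0.0-M1' into (major, minor, patch, milestone)."""
    m = re.fullmatch(r'(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?', version.strip())
    if not m:
        raise ValueError(f'unrecognised Tomcat version: {version!r}')
    major, minor, patch, milestone = m.groups()
    return int(major), int(minor), int(patch), int(milestone or 0)

def version_affected(version):
    """True if the version lies inside one of the affected ranges listed above."""
    major, minor, patch, _ = parse_version(version)
    max_patch = AFFECTED_MAX_PATCH.get((major, minor))
    # Milestones (x.y.0-Mn) precede x.y.0, so comparing the patch level suffices.
    return max_patch is not None and patch <= max_patch

def default_servlet_settings(web_xml):
    """Return (readonly, allow_partial_put) for the DefaultServlet.

    Both init-params default to true when absent; readonly=false is the
    non-default setting that turns an HTTP PUT into a file write.
    """
    readonly, allow_partial_put = True, True
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != 'servlet':
            continue
        cls = ''.join(c.text or '' for c in servlet if _local(c.tag) == 'servlet-class')
        if not cls.strip().endswith('DefaultServlet'):
            continue
        for param in servlet:
            if _local(param.tag) != 'init-param':
                continue
            kv = {_local(c.tag): (c.text or '').strip() for c in param}
            enabled = kv.get('param-value', '').lower() == 'true'
            if kv.get('param-name') == 'readonly':
                readonly = enabled
            elif kv.get('param-name') == 'allowPartialPut':
                allow_partial_put = enabled
    return readonly, allow_partial_put

def file_based_sessions(context_xml):
    """True if a session Store backed by FileStore is configured in context.xml."""
    for el in ET.fromstring(context_xml).iter():
        if _local(el.tag) == 'Store' and el.get('className', '').endswith('.FileStore'):
            return True
    return False

def assess(version, web_xml, context_xml):
    """Combine the checks; 'all_preconditions' is True only if every one holds."""
    readonly, allow_partial_put = default_servlet_settings(web_xml)
    findings = {
        'affected_version': version_affected(version),
        'default_servlet_writable': not readonly,
        'partial_put_allowed': allow_partial_put,
        'file_based_sessions': file_based_sessions(context_xml),
    }
    findings['all_preconditions'] = all(findings.values())
    return findings

# Constructed sample fragments, not taken from any real deployment.
WRITABLE_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
HARDENED_WEB_XML = WRITABLE_WEB_XML.replace('<param-value>false', '<param-value>true')
FILE_STORE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""
DEFAULT_CONTEXT_XML = '<Context/>'

if __name__ == '__main__':
    for v in ('9.0.98', '9.0.99'):
        print(v, assess(v, WRITABLE_WEB_XML, FILE_STORE_CONTEXT_XML))
```

Setting readonly back to true (the Tomcat default) removes the write path entirely, which is why the hardened fragment no longer satisfies the check even on an affected version.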

WakeUpWednesday March 12, 2025
  1. Hidden Commands in Bluetooth Chips of Billions of Devices

Researchers recently discovered undocumented commands in the ESP32 Bluetooth chip that are used in billions of devices worldwide. This vulnerability (CVE-2025-27840, CVSS score 6.8) allows attackers to gain access to devices without users’ knowledge and manipulate Bluetooth functionality. This could lead to data theft, remote control of devices, and even the ability to install further malware.

While these commands are not directly accessible remotely without additional vulnerabilities, they pose a potential risk for supply chain attacks and the integrity of IoT devices.

  2. Webcam Ransomware Attacks: A New Method to Bypass EDR

The Akira ransomware group has developed an innovative attack method by using an unsecured webcam to bypass Endpoint Detection and Response (EDR) systems. In one recent case, attackers gained access to a corporate network via a poorly secured webcam. Often overlooked in security audits, these webcams are vulnerable to exploitation. By exploiting a vulnerable IoT device, attackers were able to spread ransomware and encrypt files on the victim’s network.

These types of attacks demonstrate that cybercriminals are becoming increasingly creative in their attempts to circumvent security solutions. Devices that are not traditionally considered risky, such as webcams and other IoT devices, are becoming increasingly vulnerable.

  3. Vulnerable VMware ESXi Servers: 37,000 Systems Exposed to Attacks

More than 37,000 VMware ESXi servers are vulnerable to a critical out-of-bounds write flaw, designated CVE-2025-22224 with a CVSS score of 9.3. These servers are widely used by large organizations for virtualization and cloud infrastructure. By exploiting the vulnerability, attackers can grant administrative privileges to the VM guest, allowing the attacker to bypass the sandbox and execute code on the host as the VMX process.

CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226 are currently being exploited in attacks as zero-days.

  4. Malvertising campaigns target millions of PCs

Microsoft recently warned of a large-scale malvertising campaign that has affected an estimated one million PCs. Malvertising, or malicious advertising, is used by cybercriminals to embed malicious code in online advertisements.

This campaign, run by the Storm-0408 group, uses illegal streaming websites and malvertising redirectors to direct users to malware-hosting repositories on platforms such as GitHub and Dropbox. The distributed malware, including Lumma Stealer and Doenerium, steals sensitive information such as login credentials and personal data.

WakeUpWednesday March 5, 2025
  1. Leaked API keys in AI training datasets

Truffle Security recently discovered nearly 12,000 API keys and passwords in Common Crawl, a large dataset used to train Large Language Models (LLMs) such as DeepSeek. It turns out that sensitive information, such as hardcoded login credentials, was accidentally included in these datasets and is publicly accessible.

According to the report, this discovery has serious implications for the security of companies that use these APIs for their business processes. Cybercriminals can abuse these keys to gain access to sensitive systems, with potentially disastrous consequences.

  2. Misconfigurations in building management systems

Research shows that more than 49,000 building management systems are misconfigured online, making them vulnerable to attacks. These systems are used to access physical buildings, such as office spaces and production halls. Misconfigurations can lead to unauthorized access to these systems, compromising both the physical and digital security of an organization.

The vulnerabilities have exposed hundreds of thousands of highly sensitive employee records, including personal identification data, biometric information, photos, and work schedules.

  3. EncryptHub ransomware attacks on 618 organizations

The ransomware group EncryptHub recently hit 618 organizations by distributing infostealers and ransomware. This group uses advanced techniques to carry out attacks, first stealing sensitive corporate information, then threatening to make this information public if a ransom is not paid.

In the attacks it has carried out, it has shown a different operational strategy by executing all the processes necessary to gain initial access via personalized SMS (smishing) or by calling the person directly (vishing) and tricking the victim into installing remote monitoring and management (RMM) software.

  4. Ransomware Exploits Paragon Partition Manager Vulnerability

Ransomware groups have discovered a new vulnerability in the Paragon Partition Manager software, allowing them to launch Bring Your Own Vulnerable Driver (BYOVD) attacks. Microsoft has discovered five flaws in the Paragon Partition Manager BioNTdrv.sys driver, one of which (CVE-2025-0289, CVSS score 7.1) is being used by ransomware gangs in zero-day attacks to gain SYSTEM privileges in Windows.

  5. Phishing PDFs Hosted on 260 Domains

Recent research shows that over 5,000 phishing PDF files have been uploaded to 260 different domains. These PDF files lead to phishing sites designed to steal victims’ credit card and personal information or distribute Lumma infostealer malware. This phishing campaign uses fake CAPTCHA images shared via PDF documents hosted on Webflow’s content delivery network (CDN) to trick victims searching for PDF documents on search engines.

WakeUpWednesday February 26, 2025
  1. Craft CMS Code Injection Vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert about a vulnerability in Craft CMS, a widely used content management system. This vulnerability, CVE-2025-23209 with CVSS score 8.1, allows attackers to inject malicious code into the affected organization’s website. This issue could lead to complete control over the web application, potentially leading to data leakage or user account takeover.

Attacks targeting this vulnerability have already been observed in the wild. Organizations using Craft CMS are strongly advised to update their systems to the latest version as soon as possible.

  2. Microsoft Power Pages Zero-Day

Microsoft released a security update in February 2025 for a zero-day vulnerability in Power Pages, designated CVE-2025-24989. This vulnerability, with a CVSS score of 8.2, was actively exploited in attacks before the patch was available. Power Pages is a platform that allows businesses to easily build and manage websites. The vulnerability allows malicious code to be executed via malicious HTTP requests.

  3. Darcula PhaaS: Automatically generate phishing kits

Darcula, a Phishing-as-a-Service (PhaaS) platform, allows cybercriminals to automatically generate phishing kits for any brand they want. With Darcula, attackers can easily create phishing pages that look exactly like legitimate brands’ websites, increasing the chances of victims handing over their sensitive information, such as passwords and credit card details.

This type of service significantly lowers the barrier to entry for cybercriminals, meaning that even less tech-savvy criminals can launch high-quality phishing attacks.

  4. FrigidStealer: New infostealer for macOS

FrigidStealer is a new infostealer targeting Mac systems. The malware masquerades as a browser update and spreads via fake browser update notifications. It is designed to steal sensitive information and collects data such as passwords, browser history, and stored files.

  5. Palo Alto Networks Firewall Vulnerability

Palo Alto Networks warns that a file-reading vulnerability (CVE-2025-0111) is now being chained in active attacks with two other flaws (CVE-2025-0108 and CVE-2024-9474) to bypass authentication on PAN-OS firewalls. Attackers can exploit this vulnerability to gain unauthorized access to network resources and sensitive information.

  6. Citrix Netscaler ADC and Gateway Vulnerability

Citrix has released a security update for a critical vulnerability in Netscaler ADC and Gateway. This vulnerability, CVE-2024-12284 with a CVSS score of 8.8, allows attackers to perform remote code execution (RCE) on affected systems.

  7. OpenSSH Man-in-the-Middle (MITM) and DoS attacks

New vulnerabilities (CVE-2025-26465 and CVE-2025-26466) have been discovered in OpenSSH, a widely used implementation of the SSH protocol for secure communications. These vulnerabilities make SSH servers susceptible to man-in-the-middle (MITM) and denial-of-service (DoS) attacks. While the severity of these vulnerabilities is lower than that of the other issues discussed, with a CVSS score of 6.5, they can still lead to disruptions of critical systems.

  8. Mattermost vulnerabilities addressed

Mattermost, an open-source platform for team communication and collaboration, has addressed three critical security vulnerabilities affecting the Boards plugin. The vulnerabilities, identified as CVE-2025-20051 with CVSS score 9.9, CVE-2025-24490 with CVSS score 9.6, and CVE-2025-25279 with CVSS score 9.9, could allow attackers to read arbitrary files on the system and perform SQL injection attacks.

WakeUpWednesday February 12, 2025
  1. Massive Brute Force Attack: 2.8 Million IP Addresses Targeted at VPN Devices

Recent reports point to a massive brute force attack that used 2.8 million IP addresses to target VPN devices. A brute force attack is a method in which attackers attempt to break in by repeatedly guessing passwords or other credentials. Millions of IP addresses were used in this attack to target VPN devices worldwide, including devices from Palo Alto, Ivanti, Fortinet, and SonicWall.

  2. Malware via ASP.NET Keys: Exposed Keys Used in Malware Attacks

Microsoft warns of attacks where malicious actors are deploying malware in ViewState code injection attacks via web applications, using static ASP.NET machine keys found online. More than 3,000 public keys have currently been exposed, meaning thousands of organizations are vulnerable to this type of attack. Some developers have used ASP.NET validationKey and decryptionKey keys (designed to protect ViewState from tampering and information disclosure) found in code documentation and repository platforms in their own software.

ViewState enables ASP.NET Web Forms to manage state and preserve user input across page reloads. However, if attackers obtain the machine key designed to protect it from tampering and information disclosure, they can use it in code injection attacks to craft malicious payloads by adding crafted message authentication code (MAC).
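An audit of the machineKey configuration the text refers to, added here as an example (not Tesorion's or Microsoft's code); the web.config samples and the "known public" key fingerprints are constructed, and a real audit would load a vendor-supplied fingerprint list instead.

```python
"""Audit ASP.NET <machineKey> settings for the exposed-key problem described above.

Added example written for this post, not code from Tesorion or Microsoft; the
'known public' fingerprints below are constructed stand-ins. A static
validationKey/decryptionKey copied from documentation lets anyone who knows it
compute a valid ViewState MAC, so the audit flags static keys, matches them
against fingerprints of known-public keys, flags legacy MD5/SHA1 validation,
and generates fresh random replacements.
"""
import hashlib
import re
import secrets
import xml.etree.ElementTree as ET

HEX_RE = re.compile(r'[0-9A-Fa-f]+')
WEAK_VALIDATION_ALGORITHMS = {'MD5', 'SHA1'}

def fingerprint(hex_key):
    """SHA-256 of the normalised key, so a blocklist never stores keys themselves."""
    return hashlib.sha256(hex_key.strip().upper().encode()).hexdigest()

# Hypothetical stand-ins for keys "found online"; a real audit would load a
# vendor-supplied fingerprint list instead.
_SAMPLE_PUBLISHED_KEYS = ['0123456789ABCDEF' * 8, 'FEDCBA9876543210' * 4]
KNOWN_PUBLIC_FINGERPRINTS = {fingerprint(k) for k in _SAMPLE_PUBLISHED_KEYS}

def _is_static(value):
    """AutoGenerate (the framework default) is not static; a hex literal is."""
    if value is None or value.startswith('AutoGenerate'):
        return False
    return bool(HEX_RE.fullmatch(value.strip()))

def audit_machine_key(web_config):
    """Return findings for the <machineKey> element of a web.config document."""
    root = ET.fromstring(web_config)
    mk = root if root.tag == 'machineKey' else root.find('.//machineKey')
    if mk is None:
        # No element at all: keys are auto-generated per server, nothing is hard-coded.
        return {'present': False, 'static_keys': False, 'known_public': False,
                'weak_validation': False}
    keys = [mk.get('validationKey'), mk.get('decryptionKey')]
    static_keys = [k for k in keys if _is_static(k)]
    # An absent 'validation' attribute means the framework default; only explicit
    # MD5/SHA1 settings are flagged here.
    algorithm = (mk.get('validation') or '').upper()
    return {
        'present': True,
        'static_keys': bool(static_keys),
        'known_public': any(fingerprint(k) in KNOWN_PUBLIC_FINGERPRINTS for k in static_keys),
        'weak_validation': algorithm in WEAK_VALIDATION_ALGORITHMS,
    }

def generate_machine_key():
    """Fresh random keys: 64-byte validationKey (HMACSHA256), 32-byte decryptionKey (AES-256)."""
    return {
        'validationKey': secrets.token_hex(64).upper(),
        'decryptionKey': secrets.token_hex(32).upper(),
        'validation': 'HMACSHA256',
        'decryption': 'AES',
    }

def machine_key_element(keys):
    """Render generated keys as the element to place under <system.web>."""
    return ('<machineKey validationKey="{validationKey}" decryptionKey="{decryptionKey}" '
            'validation="{validation}" decryption="{decryption}" />').format(**keys)

# Constructed web.config samples.
EXPOSED_WEB_CONFIG = f"""<configuration>
  <system.web>
    <machineKey validationKey="{_SAMPLE_PUBLISHED_KEYS[0]}"
                decryptionKey="{_SAMPLE_PUBLISHED_KEYS[1]}"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""
AUTOGEN_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""

if __name__ == '__main__':
    print('exposed :', audit_machine_key(EXPOSED_WEB_CONFIG))
    print('autogen :', audit_machine_key(AUTOGEN_WEB_CONFIG))
    print('replace :', machine_key_element(generate_machine_key()))
```

Rotating to a freshly generated key invalidates ViewState signed with the old one, so the replacement has to be rolled out to every server in a web farm at the same time.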

  3. Critical RCE Vulnerability in Microsoft Outlook Actively Exploited

A recently discovered remote code execution (RCE) vulnerability in Microsoft Outlook (CVE-2024-21413, CVSS score 9.8) is now being actively exploited by attackers. The vulnerability is caused by improper input validation when opening emails containing malicious links, which can let attackers execute code remotely.

Exploitation bypasses Protected View (which is meant to block malicious content in Office files by opening them in read-only mode), so that malicious Office files are opened in edit mode instead.

  4. Cisco ISE Vulnerability: Attackers Can Gain Root Access

Cisco recently fixed two critical vulnerabilities (CVE-2025-20124 with CVSS score 9.9 and CVE-2025-20125 with CVSS score 9.1) in their Identity Services Engine (ISE) that could allow attackers to gain root access and execute arbitrary commands. These vulnerabilities allowed attackers to gain full control over the system, which could have far-reaching implications for an organization’s network security.

  5. Possible OpenAI data breach

A malicious actor recently claimed to have obtained the credentials for 20 million OpenAI accounts, including passwords and email addresses. The claims were made on a hacking forum, where the malicious actor said he provided a sample of the data and offered to sell the entire batch. OpenAI said it takes reports of a data breach “seriously,” but said it has not yet seen evidence that its systems have been compromised.

WakeUpWednesday February 5, 2025
  1. DeepSeek AI database unsecured: over 1 million chat logs leaked

Chinese artificial intelligence (AI) startup DeepSeek has left one of its databases unsecured without the required authentication protocols, allowing attackers to access sensitive data.

According to researchers, the ClickHouse database provides full control over database operations, including the ability to access internal data. In total, over 1 million chat logs containing sensitive customer data were exposed via a publicly available database. This data includes customer queries, internal notes, and potentially personal information.

  2. Unpatched PHP Voyager vulnerabilities leave systems vulnerable

Three vulnerabilities discovered in the open-source PHP package Voyager for managing Laravel applications could be used by attackers to compromise systems. The vulnerabilities, which have not yet been fully patched, allow attackers to gain control of the affected systems via remote code execution (RCE). The vulnerabilities in question are:

CVE-2024-55415 – A flaw in the file management system allows attackers to manipulate file paths and delete or access arbitrary files on the server.

CVE-2024-55416 – The /admin/compass endpoint in Voyager improperly sanitizes user input, allowing attackers to inject JavaScript into pop-up messages.

CVE-2024-55417 – Voyager’s media upload feature allows attackers to upload malicious files by bypassing MIME type verification.

PHP Voyager has announced that a patch is in development, but until then systems remain vulnerable to these exploits.

  3. Aquabotv3 Botnet exploits Mitel vulnerability

A new version of the Mirai-based malware Aquabot, known as Aquabotv3, specifically targets a command injection vulnerability in Mitel devices. This vulnerability, designated CVE-2024-41710 with a CVSS score of 6.8, allows attackers to build and control a botnet via vulnerable Mitel systems. A botnet can be used to launch large-scale DDoS attacks or to enable further network exploitation.

WakeUpWednesday January 29, 2025
  1. SonicWall SMA1000 zero-day: critical vulnerability exploited

SonicWall has discovered a zero-day vulnerability (CVE-2025-23006, CVSS score 9.8) in its Secure Mobile Access (SMA) 1000 devices. This vulnerability, which is currently being actively exploited, allows an unauthenticated attacker to execute arbitrary OS commands via the Appliance Management Console (AMC) and Central Management Console (CMC). A patch is available; it is recommended to install it as soon as possible.

  2. Cisco fixes critical vulnerability in meeting management software

Cisco has fixed a critical vulnerability (CVE-2025-20156, CVSS score 9.9) in its meeting management software. This vulnerability allows an authenticated attacker to gain administrative access via the REST API. Although there have been no reports of this vulnerability being exploited in the wild, it is recommended that all affected Cisco devices be updated as soon as possible.

  3. Attackers are exploiting Windows RID hijacking to create hidden admin accounts

A new method has been discovered to create hidden administrator accounts via Windows RID (Relative Identifier) hijacking. This technique allows attackers to hide within the Windows security framework, making them difficult to detect with traditional security tools. It manipulates the RID value of a low-privileged account to trick the system into granting that account administrative privileges. The goal of these attacks is to gain control of networks while remaining undetected.

  4. MintsLoader malware spreads Stealc infostealer via phishing

A recent campaign uses MintsLoader, a PowerShell-based malware loader, to spread the StealC infostealer. This campaign targets critical industries such as electricity, oil and gas, and legal services in the US and Europe. MintsLoader is distributed via spam emails and malicious links and executes PowerShell commands to download and execute the malware. This infostealer is designed to steal sensitive information from infected systems, including login credentials, financial information, and other sensitive company data.

  5. Hundreds of fake Reddit sites are spreading Lumma Stealer malware

A recently discovered phishing network is using hundreds of fake Reddit websites to spread Lumma Stealer malware. This malware is used to steal sensitive data from users who unknowingly register on these fake platforms. The attacks target both individuals and businesses, taking advantage of Reddit’s popularity. While the attacks appear to be primarily aimed at individual users, organizations are also at risk when employees inadvertently visit these malicious websites.

  6. Vulnerability in Meta’s LLaMa Framework

Meta’s LLaMA framework, used for AI applications, contains a serious vulnerability that allows remote code execution (RCE). This vulnerability, designated as CVE-2024-50050, has a CVSS score of 6.3. The vulnerability is caused by unsafe deserialization of Python objects via the pickle module. If successfully exploited, this flaw could allow an attacker to execute arbitrary code on the Llama stack inference server. Meta has released a patch and users are advised to update their systems immediately.

WakeUpWednesday January 22, 2025
  1. Leaked VPN and Configuration Data of 15,000 Fortinet Devices

A new hacker group known as the Belsen Group recently leaked configuration files and VPN data of over 15,000 Fortinet FortiGate devices. This data, which includes user names and passwords in plain text, was obtained several years ago by exploiting a zero-day vulnerability (CVE-2022-40684) with a CVSS score of 9.8.

  2. Critical Vulnerabilities in SAP NetWeaver Servers

SAP recently patched multiple critical vulnerabilities in their NetWeaver Application Servers. Two of these vulnerabilities, CVE-2025-0070 and CVE-2025-0066, have a CVSS score of 9.9 and could have serious implications for organizations using this software. The vulnerabilities allow attackers to gain unauthorized access and steal sensitive information. The impact of such a breach can range from the loss of confidential customer information to significant business damage.

  3. Advanced 2FA Phishing Attacks: New Kit Makes 2FA Useless

A new phishing kit, known as Sneaky 2FA, specifically targets Microsoft 365 accounts and bypasses two-factor authentication (2FA). Offered as a Phishing-as-a-Service (PhaaS), the kit uses advanced techniques such as prefilling email addresses and exploiting compromised infrastructure to trick victims.

  4. UEFI Secure Boot Vulnerability: The Threat of Bootkits

Researchers have discovered a new vulnerability in UEFI Secure Boot, designated CVE-2024-7344 with a CVSS score of 6.5. UEFI (Unified Extensible Firmware Interface) Secure Boot is designed to prevent malicious software from loading during system boot. This vulnerability allows attackers to install bootkits even if Secure Boot is enabled. This leaves systems vulnerable to attacks that are deeply embedded in the motherboard firmware, giving attackers complete control over a system before the operating system even loads and potentially rendering traditional security measures ineffective.

  5. Malicious NPM Packages: A New Threat for Developers

Software developers using the Node Package Manager (NPM) ecosystem should remain vigilant as a growing number of malicious packages are being introduced into the NPM registries. Hackers have now uploaded multiple malicious packages, including temp-etherscan-api and telegram-con, which, once installed, can infect systems with malware.

WakeUpWednesday January 15, 2025
  1. Critical vulnerabilities in Samsung devices fixed

Researchers have described a now-patched security flaw that affects the Monkey’s Audio (APE) decoder on Samsung smartphones and could lead to code execution. The critical vulnerability, registered as CVE-2024-49415 (CVSS score: 8.1), affects Samsung devices running Android versions 12, 13, and 14. The December patch also addresses another critical vulnerability in SmartSwitch, CVE-2024-49413 (CVSS score: 7.1). This vulnerability allowed local attackers to install malicious applications by taking advantage of improper verification of cryptographic signatures.

  2. CrowdStrike warns of new phishing campaign targeting developers

CrowdStrike warns of a new phishing campaign specifically targeting software developers. In this campaign, attackers pose as CrowdStrike employees and send fake job postings. When developers click on the attached links, they are redirected to a malicious website where malware, such as cryptominers, is installed on their systems.

  3. New Banshee Stealer Variant Avoids Detection by Using Apple’s XProtect

A new variant of the Banshee Stealer malware has been discovered. What’s notable about this version is that it avoids detection by using Apple’s XProtect encryption algorithm. This allows attackers to steal data from infected devices, including passwords and sensitive corporate information, without being detected. The malware mainly targets macOS users.

  1. Deceptive GitHub Exploit Spreads Infostealer

A deceptive Proof-of-Concept (PoC) exploit for CVE-2024-49113 (also known as LDAPNightmare) on GitHub is infecting users with infostealer malware that exfiltrates sensitive data to a remote FTP server. Researchers report that the malicious GitHub repository contains a project that appears to be forked from SafeBreach Labs’ legitimate PoC for CVE-2024-49113, published on January 1, 2025. SafeBreach’s initial blog post about the PoC incorrectly listed CVE-2024-49112, when their PoC was for CVE-2024-49113, which is a less severe denial-of-service vulnerability. Users who download the PoC from the malicious repository are presented with a UPX-packed executable file ‘poc.exe’ that, when executed, drops a PowerShell script into the victim’s %Temp% folder.

  1. Vulnerability in Ivanti Connect Secure VPN solution

Ivanti recently published two critical vulnerabilities, CVE-2025-0282 with a CVSS score of 9.0 and CVE-2025-0283, with a CVSS score of 7.0. Both vulnerabilities affect Ivanti Connect Secure (“ICS”) VPN devices. Researchers have identified zero-day exploitation of CVE-2025-0282 in the wild as of mid-December 2024. CVE-2025-0282 is an unauthenticated stack-based buffer overflow. Successful exploitation could result in unauthenticated remote code execution. A patch is available.

  1. Critical vulnerabilities fixed in SonicWall, Palo Alto Expedition, and Aviatrix controllers

SonicWall has released patches to address multiple vulnerabilities, including two vulnerabilities (CVE-2024-53704 with CVSS score 8.2 and CVE-2024-53706 with CVSS score 7.8) that can be exploited to bypass authentication and escalate privileges, respectively. Palo Alto Networks has released software patches to address several vulnerabilities in its Expedition migration tool. One of the vulnerabilities fixed is CVE-2025-0103 (CVSS score: 7.8), which could be exploited by an authenticated attacker to gain access to sensitive data. Finally, an update has also been released for a critical vulnerability affecting Aviatrix Controller. The vulnerability, registered as CVE-2024-50603, has a CVSS score of 10.0 and can be exploited to achieve arbitrary code execution. It affects versions 7.x through 7.2.4820. The vulnerability is fixed in versions 7.1.4191 or 7.2.4996.

WakeUpWednesday january 8 2025
  1. DoubleClickJacking Attack Discovered

Researchers have discovered a new attack method called DoubleClickJacking. This attack exploits user double-clicks, allowing attackers to hijack sessions by tricking users into clicking on a manipulated interface. This technique combines clickjacking with other attack vectors and can lead to the takeover of sensitive accounts.

  1. Over 3 Million Unencrypted Email Servers Exposed to Sniffing Attacks

Over 3 million POP3 and IMAP email servers worldwide are vulnerable to sniffing attacks because they do not use encryption for incoming and outgoing email communications. This vulnerability allows attackers to intercept data such as login credentials during email transmission. Implementing encryption protocols is recommended to protect communications between servers and reduce the chance of interception.

  1. New AI Jailbreak Method: Bad Likert

Researchers have discovered a new AI jailbreak method called “Bad Likert.” This technique uses manipulation of Likert scales (as used in surveys) to trick AI models into unlocking features that would normally be restricted. This can lead to the generation of unwanted or potentially dangerous output by AI systems. A specific type of prompt injection is an attack method called many-shot jailbreaking, which takes advantage of the LLM’s long context window and attention to create a series of prompts that gradually trick the LLM into producing a malicious response without activating its internal protections. Some examples of this technique include Crescendo and Deceptive Delight.

  1. Vulnerability in Nuclei tool exposed

Researchers have discovered a vulnerability in Nuclei, a popular security scanning tool. The vulnerability, registered as CVE-2024-43405 with a CVSS score of 7.4, is in Nuclei’s template verification system, allowing malicious templates to bypass standard security checks. This means attackers could potentially inject dangerous templates into security systems. Administrators of systems using Nuclei are advised to update the tool to the latest version.

WakeUpWednesday december 18 2024
  1. Critical Vulnerability in Apache Struts 2 Allows Remote Code Execution

Apache Struts 2, a widely used open-source web application framework, recently disclosed a critical vulnerability that allows remote code execution (RCE). This means that attackers can take control of a system by executing malicious code. The vulnerability (CVE-2024-53677, CVSS score 9.5) was first reported by the Apache Software Foundation and is considered high risk due to the potential impact on systems still running the affected version. Organizations using this software are strongly advised to patch their systems quickly to prevent exploitation. Proof of Concepts are available, which increases the need for patching. Patches are available in versions 2.5.33 and 6.3.0.2 or later. A script is available to self-check whether a system is vulnerable. There are no workarounds for this vulnerability.

  1. Exploitation of Cleo Vulnerability in Ransomware Attacks

The U.S. government has confirmed that a critical security vulnerability in Cleo Harmony, VLTrader, and LexiCom file transfer software is being exploited in ransomware attacks. The Cleo MFT vulnerability affects versions 5.8.0.21 and earlier and is a bypass for a previously fixed flaw, CVE-2024-50623, which Cleo fixed in October 2024. However, the fix was incomplete, allowing attackers to bypass it and continue to exploit it in attacks. The Cleo vulnerability (CVE-2024-55956) has caused significant damage to date, mainly because the Clop ransomware group is believed to be responsible for multiple attacks that leverage the Cleo vulnerability. According to multiple reports, the vulnerability is being actively exploited by the Clop ransomware group, which is focused on stealing sensitive data and then using it for extortion. The specific vulnerability is in the Cleo software used for file transfers and can be exploited to gain access to corporate and government networks. Organizations using Cleo software are urged to immediately deploy the patched versions.

  1. Water utilities urged to disconnect systems from the public internet

CISA and the Environmental Protection Agency (EPA) are warning water utilities to protect their internet-exposed Human Machine Interfaces (HMIs) from cyberattacks. HMIs are dashboards or user interfaces that help human operators connect to, monitor, and control industrial machinery and equipment via tablets, wearable computers, or embedded displays. In response to the increased threat of cyberattacks, the U.S. government has urged water utilities to disconnect their critical systems from the public internet. The warning comes in light of increased attacks on vital infrastructure, such as water treatment plants and distribution systems, which play a vital role in the daily functioning of society. The call to disconnect systems from the public internet is seen as a necessary measure to minimize the risk of cyberattacks, especially given the recent trend of cyberattacks targeting critical infrastructure.

  1. Citrix and NetScaler: Mitigations against Password Spray Attacks

Citrix warns of password spray attacks on Citrix NetScaler. Password spray attacks are a common technique in which attackers attempt to break in by using a single password on many different accounts, rather than trying many passwords on a single account. This can lead to successful attacks when weak or frequently reused passwords are used. Citrix has shared mitigations that organizations can implement to protect against these attacks, including strengthening password policies, implementing multi-factor authentication (MFA), and monitoring for unusual login attempts.
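The "monitoring for unusual login attempts" mitigation hinges on the spray signature described above: one source producing failed logins against many distinct accounts in a short window, rather than many failures against one account. The following is an added example (not Citrix's or NetScaler's code) that applies that distinction to constructed authentication log lines in a made-up format and also flags a success from a source already seen spraying, the case where a weak or reused password was guessed.

```python
"""Password-spray detection over constructed authentication log lines.

Added example. The log format (`<ts> auth src=<ip> user=<name> result=OK|FAIL`)
and the sample events are constructed for this demonstration and do not
correspond to any real product's log schema.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are
# documentation address ranges. 203.0.113.5 tries one guess against six accounts
# (spray) and succeeds on the last one; 198.51.100.9 hammers a single account
# (brute force, not spray); 192.0.2.20 is a normal user with one typo.
SAMPLE_LOG = """\
2024-12-10T08:00:01Z auth src=203.0.113.5 user=alice result=FAIL
2024-12-10T08:00:03Z auth src=203.0.113.5 user=bob result=FAIL
2024-12-10T08:00:05Z auth src=203.0.113.5 user=carol result=FAIL
2024-12-10T08:00:07Z auth src=203.0.113.5 user=dave result=FAIL
2024-12-10T08:00:09Z auth src=203.0.113.5 user=erin result=FAIL
2024-12-10T08:00:11Z auth src=203.0.113.5 user=frank result=OK
2024-12-10T08:01:00Z auth src=198.51.100.9 user=admin result=FAIL
2024-12-10T08:01:02Z auth src=198.51.100.9 user=admin result=FAIL
2024-12-10T08:01:04Z auth src=198.51.100.9 user=admin result=FAIL
2024-12-10T08:01:06Z auth src=198.51.100.9 user=admin result=FAIL
2024-12-10T08:01:08Z auth src=198.51.100.9 user=admin result=FAIL
2024-12-10T08:02:00Z auth src=192.0.2.20 user=grace result=FAIL
2024-12-10T08:02:05Z auth src=192.0.2.20 user=grace result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {src: alert} for sources that failed against >= min_accounts distinct
    accounts inside a sliding time window. A source with many failures on a single
    account is brute force, not spray, and is deliberately not reported here."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures still inside the window
    alerts = {}
    for e in events:
        q = recent[e["src"]]
        while q and e["ts"] - q[0][0] > window:  # drop failures that aged out of the window
            q.popleft()
        if e["ok"]:
            # A success from a source already flagged as spraying is the signal that a
            # weak or reused password was guessed; record which account it hit.
            if e["src"] in alerts:
                alerts[e["src"]]["successes"].append(e["user"])
            continue
        q.append((e["ts"], e["user"]))
        distinct = {user for _, user in q}
        if len(distinct) >= min_accounts:
            alert = alerts.setdefault(
                e["src"],
                {"accounts": set(), "first": q[0][0], "last": e["ts"], "successes": []},
            )
            alert["accounts"] |= distinct
            alert["last"] = e["ts"]
    return alerts


if __name__ == "__main__":
    for src, alert in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: {len(alert['accounts'])} accounts between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}; "
              f"successes after spray: {alert['successes'] or 'none'}")
```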

WakeUpWednesday december 11 2024
  1. Ultralytics AI model abused in cryptomining attack

An AI model from Ultralytics, a popular machine learning library widely used in computer vision applications, has been compromised. Attackers gained access to the open-source library and added a cryptominer to the code of the YOLOv5 AI model, which is widely used in the computer vision world for object detection. The compromised version of the library affects thousands of developers and companies worldwide. The cryptominer that was introduced abused the processing power of the systems on which the model was running, allowing the attackers to mine cryptocurrency without the knowledge of the users.

  1. Malware disguised as a meeting app targets Web3 professionals

Attackers are targeting people working in Web3, a technology that includes blockchain and decentralized applications. These individuals are being targeted with fake business meetings using a fraudulent videoconferencing platform to infect Windows and Mac systems with crypto-stealing malware. The campaign is called “Meeten,” after the name commonly used by the meeting software, and has been ongoing since September 2024. The malware targets victims’ cryptocurrency assets, banking information, information stored in web browsers, and Keychain credentials (on Mac). The malware can be installed via a phishing attack, often via a link in an email that looks like an invitation to a virtual meeting. When the victim downloads the application, the malware is installed, which then steals the user’s cryptocurrency wallets. The attackers then use the stolen cryptocurrency for their own gain.

  1. Mitel MiCollab Zero-Day Vulnerability: Proof of Concept Exploit Introduced

Mitel MiCollab, a widely used team communication and collaboration software, recently suffered a serious security flaw. The flaw, a zero-day vulnerability, allows attackers to remotely access systems without users knowing. What makes this vulnerability particularly dangerous is the fact that a proof-of-concept exploit has already been developed that could be used by attackers to exploit the vulnerability in practice. The zero-day vulnerability involves a flaw in the way MiCollab handles certain requests. This could lead to unauthorized actions being performed on systems running the software.

  1. Cloudflare Tunnels Abused by Attackers

Attackers have taken advantage of Cloudflare tunnels to hide their malicious activities. Cloudflare tunnels provide a way to establish secure connections to internal networks without direct exposure to the Internet. This makes them ideal for organizations that want to protect their networks from unwanted access. Attackers are taking advantage of this tunneling technology to gain further unauthorized access to networks, even if a firewall or other security measures are already in place.

  1. Researchers reveal vulnerabilities in popular open-source machine learning frameworks

Researchers have discovered multiple vulnerabilities affecting open-source machine learning (ML) tools and frameworks such as MLflow, H2O, PyTorch, and MLeap. These vulnerabilities range from privilege escalation to remote code execution. The discovered vulnerabilities are part of a broader collection of 22 security flaws that the researchers published last month. Unlike the initial set, which involved server-side flaws, the newly detailed vulnerabilities allow for ML client exploitation. Hijacking an ML client in an organization could allow malicious actors to perform extensive lateral movement within the organization.

WakeUpWednesday december 4 2024
  1. Sophisticated phishing campaign exploits corrupted Word documents

A new phishing campaign is abusing the repair function for corrupt Microsoft Word documents to trick users and spread malware. The documents contain specific corrupt sections that attempt to bypass security measures. Instead of using traditional malicious macros, the user is tricked into performing a seemingly innocuous action, such as opening a document. They are then given the option to repair the document. The document is then opened and a QR code is displayed that can be scanned to view the entire document. However, the link takes the user to a Microsoft login page where the attacker attempts to obtain user credentials.

  1. Rockstar Phishing Service Targets Microsoft 365 Accounts

A new phishing-as-a-service (PhaaS) platform called “Rockstar 2FA” has been discovered that enables large-scale adversary-in-the-middle (AiTM) attacks to steal Microsoft 365 user credentials. Like other AiTM platforms, Rockstar 2FA allows attackers to bypass multi-factor authentication (MFA) protections on targeted accounts by capturing valid session cookies. These attacks work by directing victims to a fake login page that mimics Microsoft 365 and tricking them into entering their credentials. The AiTM server acts as a proxy, forwarding those credentials to the legitimate Microsoft service to complete the authentication process and then capturing the cookie when it is sent back to the target’s browser. This cookie can then be used by the attacker to gain direct access to the victim’s account, even if it is MFA-protected, without the attacker needing the credentials at all.

  1. 20 vulnerabilities found in Advantech industrial WiFi access points

Researchers have discovered 20 vulnerabilities in Advantech EKI industrial WiFi access points. The vulnerabilities range from simple flaws that lead to remote code execution to more complex weaknesses that are harder to exploit without deep technical knowledge. Some of these vulnerabilities can be used as a way to bypass authentication and execute code with elevated privileges. Six of the 20 vulnerabilities identified are considered critical. Of the six critical flaws, five (from CVE-2024-50370 to CVE-2024-50374, CVSS score: 9.8) relate to improper neutralization of special elements used in an operating system (OS) command, while CVE-2024-50375 (CVSS score: 9.8) relates to a case of missing authentication for a critical function.

  1. Malicious NPM library discovered in XML-RPC protocol

A malicious NPM library has been discovered, which has been manipulated to abuse the XML-RPC protocol. This vulnerability can be exploited by attackers to execute code on systems that use the library, potentially gaining access to sensitive data or taking control of systems. Since NPM libraries are widely used in the JavaScript and Node.js communities and form part of the software supply chain, it is important for organizations to carefully monitor their dependencies and update them regularly.

  1. Bootkitty: First Bootkit for Linux

Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems. The bootkit, dubbed Bootkitty by its creators, is being evaluated as a proof-of-concept (PoC). There is no evidence that it is currently being used in the wild. The main goal of the bootkit is to disable the kernel’s signature verification feature and preload two as-yet-unknown ELF binaries via the Linux init process, the first process executed by the Linux kernel during system boot. Bootkits are particularly dangerous because they are installed deep within the system, before the usual security mechanisms, making it extremely difficult to detect and remove the infection.

  1. Apple Safari Remote Code Execution Vulnerability

A new vulnerability (CVE-2024-44308) has been discovered in Apple Safari. The vulnerability, in the form of remote code execution (RCE), is currently being actively exploited. This vulnerability, which allows attackers to remotely execute malicious code on a device running Safari, could potentially be exploited via infected web pages or malicious advertisements, allowing users to unknowingly infect their system with malicious software.

  1. PoC exploit for zero-day vulnerability in Windows Task Scheduler

A Proof-of-Concept (PoC) exploit has been released for a critical zero-day vulnerability in Windows Task Scheduler. The vulnerability is registered as CVE-2024-49039 with a CVSS score of 8.8. Exploitation of this vulnerability could allow attackers to escalate their privileges and execute arbitrary code on affected systems. What makes this vulnerability dangerous is the potential for zero-click exploitation. This means that an attacker could compromise a system without any user interaction.

WakeUpWednesday november 27 2024
  1. Avast Anti-Rootkit Driver Abuse

Adversaries are exploiting a vulnerability in an old Avast anti-rootkit driver to bypass security measures. To execute this campaign, attackers are using a variant of AV Killer, which comes with a hardcoded list of 142 names for security processes from various vendors. Because the driver can operate at the kernel level, it provides access to critical parts of the operating system and allows the malware to terminate processes. By exploiting this vulnerability, attackers can disable security software.

  1. BianLian Ransomware Now Focuses on Data Theft

The ransomware group BianLian is currently focusing on data theft instead of file encryption. While the group previously employed a double extortion model, where they encrypted victims’ systems after exfiltrating the data, they are now exclusively using exfiltration-based extortion. Another point of interest from the CISA (the US Cybersecurity & Infrastructure Security Agency) advisory is that BianLian is attempting to disguise its origins by using foreign language names. The advisory surrounding BianLian also contains new information regarding techniques, tactics, and procedures.

  1. Fortinet VPN vulnerability hides successful brute-force attacks

A design flaw in the logging mechanism of the Fortinet VPN server can be used to hide the successful authentication of credentials during a brute-force attack without alerting organizations to compromised credentials. While the brute-force attack is still visible, a new technique allows only failed attempts to be logged and no successful attempts, creating a false sense of security.

  1. PyPI attack: malicious packages target AI tools such as ChatGPT and Claude

Researchers have discovered two malicious packages uploaded to the Python Package Index (PyPI) repository. These packages mimicked popular artificial intelligence (AI) models such as OpenAI ChatGPT and Anthropic Claude to deliver an infostealer called JarkaStealer. The packages, named gptplus and claudeai-eng, were uploaded by a user named “Xeroline” in November 2023. Both packages are no longer available for download from PyPI. The packages allegedly provided a way to access the GPT-4 Turbo API and Claude AI API, but contained malicious code that initiated the malware’s deployment upon installation.

  1. Over 145,000 Industrial Control Systems (ICS) Vulnerable

Research shows that over 145,000 industrial control systems (ICS) worldwide are vulnerable to cyberattacks. These systems are crucial to the operation of critical infrastructure, such as energy, water management, and manufacturing processes. The study found that 38% of devices are located in North America, 35.4% in Europe, 22.9% in Asia, 1.7% in Oceania, 1.2% in South America, and 0.5% in Africa. The statistics are derived from the exposure of several common ICS protocols such as Modbus, IEC 60870-5-104, CODESYS, and OPC UA. The attack surfaces are unique by region: Modbus, S7, and IEC 60870-5-104 are more commonly observed in Europe, while Fox, BACnet, ATG, and C-more are more common in North America. Some ICS services used in both regions include EIP, FINS, and WDBRPC.

  1. MITRE’s Top 25 Most Dangerous Software Vulnerabilities of 2024

MITRE has released its list of the 25 most prevalent and dangerous software vulnerabilities for 2024. The list is based on the analysis of more than 31,000 vulnerabilities disclosed between June 2023 and June 2024. These vulnerabilities are rated based on severity and frequency, with a focus on vulnerabilities added to the CISA Known Exploited Vulnerabilities (KEV) catalog. The most dangerous vulnerabilities include cross-site scripting, SQL injections, and path traversals.

WakeUpWednesday november 20 2024
  1. Critical Vulnerability in PAN-OS Firewall

Researchers have discovered a critical vulnerability in PAN-OS, the operating system of Palo Alto Networks firewalls. This vulnerability, CVE-2024-0012, with a CVSS score of 9.3, allows attackers to remotely execute code and gain full control over affected systems. If access to the management interface is restricted to a limited group of IP addresses, requiring an attacker to gain access to these IP addresses first, the CVSS score drops to 7.5. The vulnerability does not affect Prisma Access and Cloud NGFW products. Patches for the vulnerability have yet to be released, so users are advised to take steps to secure access to the management interface as soon as possible. Currently, in addition to the above vulnerability, three different critical vulnerabilities in Palo Alto Networks Expedition (CVE-2024-5910 with a CVSS score of 9.3, CVE-2024-9463 with a CVSS score of 9.9, and CVE-2024-9465 with a CVSS score of 9.3) are actively exploited.

  1. DEEPDATA malware exploits Fortinet vulnerability

A new malware campaign called DEEPDATA is exploiting an unpatched vulnerability in Fortinet’s FortiClient for Windows to extract a wide range of information about target devices, including VPN credentials. The core component of DEEPDATA is a dynamic link library (DLL) loader called “data.dll” that is designed to decode and launch 12 different plugins using an orchestrator module (“frame.dll”). Among the plugins is a previously undocumented “FortiClient” DLL that can capture VPN credentials. This plugin was found to exploit a zero-day vulnerability in the Fortinet VPN client on Windows, allowing the user’s credentials to be extracted from the client’s process memory, the researchers said.

  1. Privilege Escalation Vulnerability in Google’s Vertex Machine Learning Platform

Researchers have warned of two critical vulnerabilities in Google’s Vertex machine learning platform that could lead to a privilege escalation vulnerability. This vulnerability allows attackers to escalate privileges and exfiltrate models from the cloud. The research highlights how a single malicious model deployment can compromise an entire AI environment. An attacker could even use a single unauthenticated model deployed on a production system to exfiltrate sensitive data.

  1. Critical Vulnerability in PostgreSQL

A new vulnerability in PostgreSQL, identified as CVE-2024-10979, with a CVSS score of 8.8, allows attackers to modify environment variables, potentially leading to code execution or information disclosure. Environment variables are user-defined values that allow an application to dynamically retrieve various types of information, such as access keys and software installation paths, at runtime without having to hard-code them. In some operating systems, they are initialized during the boot phase. The vulnerability is in the PL/Perl extension. This extension is trusted by default, allowing any user to activate it. Users are only vulnerable if this extension is installed. Improper checking of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to modify sensitive process environment variables (e.g. PATH).

  1. Fake AI Video Generators Infect Windows and macOS with Infostealers

Adversaries are using fake AI video generators to spread infostealer malware on both Windows and macOS systems. This malware steals sensitive information such as login credentials, personal data, and data related to crypto wallets. The fake AI video software is distributed via fake websites that pretend to be an AI video and image editor called EditPro. The sites are promoted via search results and advertisements on X.

  1. New Glove Infostealer Malware Bypasses Google Chrome’s Cookie Encryption

A new infostealer malware called Glove is able to bypass Google Chrome’s Application-Bound (App-Bound) encryption to steal browser cookies. During the attacks, the attackers use social engineering tactics similar to those used in the ClickFix infection chain, tricking potential victims into installing malware using fake error dialogs displayed in HTML files. These files are attached to the phishing emails that are sent.

WakeUpWednesday november 13 2024
  1. Cybercriminals exploit Excel vulnerability for attacks

A new exploit targeting Microsoft Excel allows attackers to remotely execute code and gain access to vulnerable systems. This attack takes advantage of a weakness in the handling of embedded objects within Excel files, which are normally considered trusted. This exploit can be used to spread malware (Remcos RAT) via malicious attachments in phishing emails.

  1. AndroxGh0st malware integrates Mozi botnet capabilities

The threat actors behind the AndroxGh0st malware recently announced integration with the Mozi botnet. The Mozi botnet is known for its attacks on IoT devices. This integration allows AndroxGh0st to infect not only traditional computers, but also poorly secured IoT devices such as routers and smart appliances. Attackers can take over these devices and add them to a larger botnet, from which they can then perform DDoS attacks or spread further malware to other systems within the same network.

  1. Palo Alto Networks warns of PAN-OS RCE vulnerability

Palo Alto Networks has warned of a potential remote code execution (RCE) vulnerability in their PAN-OS. This vulnerability could be exploited by attackers to remotely execute code and gain full control over affected systems. Palo Alto has released an update to address the vulnerability.

  1. Critical Veeam RCE bug used in Frag ransomware attacks

A critical vulnerability in Veeam software is now being actively used in Frag ransomware attacks. This vulnerability allows attackers to remotely execute code and compromise systems. Organizations using Veeam software are strongly advised to install the latest patches.

  1. Malicious PyPI Package Steals AWS Keys

A malicious Python package, named ‘fabrice’, has been discovered in the Python Package Index (PyPI). This package has been downloaded by over 37,000 users since 2021. The PyPI package was deliberately manipulated to automatically steal sensitive information upon installation, including API keys and other cloud credentials.

  1. New CRON#TRAP Malware Infects Windows Systems

A new form of malware, CRON#TRAP, has been discovered targeting Windows systems. This malware uses Scheduled Tasks to hide and survive on infected systems. What makes CRON#TRAP special is the way it uses legitimate Windows functionality to stay under the radar of traditional antivirus programs. The malware performs malicious tasks such as stealing data and opening backdoors for further infections. This malware allows attackers to remotely access infected systems and steal sensitive data.

  1. New Security Updates for Aruba Access Points

Hewlett Packard Enterprise (HPE) has released security updates for multiple vulnerabilities in Aruba Networking Access Point products, including two critical vulnerabilities (CVE-2024-42509 with CVSS score: 9.8 and CVE-2024-47460 with CVSS score: 9.0) that could lead to unauthenticated command execution. The vulnerabilities affect Access Points with Instant AOS-8 and AOS-10:

  • AOS-10.4.x.x: 10.4.1.4 and earlier
  • Instant AOS-8.12.x.x: 8.12.0.2 and earlier
  • Instant AOS-8.10.x.x: 8.10.0.13 and earlier

WakeUpWednesday november 6 2024
  1. Synology Zero-Day vulnerabilities

Synology has patched two critical zero-day vulnerabilities that were exploited during the Pwn2Own 2024 hacking contest. These vulnerabilities (registered as CVE-2024-10443) were fixed within days of their discovery and were related to the security of their network attached storage (NAS) devices. Synology says it has fixed the vulnerabilities in the following software versions; however, they are not automatically applied to vulnerable systems and customers are advised to update as soon as possible to block potential incoming attacks.

  1. QNAP Zero-Day vulnerabilities

QNAP, another player in the NAS market, recently patched a second zero-day vulnerability (CVE-2024-50387) that was exploited during the same Pwn2Own contest. This vulnerability involves an SQL injection in their SMB service, which could allow an attacker to gain full control over a NAS device. QNAP has made patches available. The vulnerabilities are fixed in versions 4.15.002 or later and h4.15.002 and later.

  1. Attacks on PTZ cameras

Cybercriminals exploited two zero-day vulnerabilities in PTZOptics cameras, CVE-2024-8956 and CVE-2024-8957. These cameras are used in live streaming for industrial, medical, and government purposes. These vulnerabilities can be used to manipulate images or steal sensitive information.

  1. Major data breach of Git configuration files

A recent incident revealed more than 15,000 Git configuration files that were accidentally exposed on the internet. These files contained sensitive information such as access tokens and credentials, making thousands of projects vulnerable to attacks.

WakeUpWednesday october 30 2024
  1. TeamTNT is back with a new Golgotha attack

The notorious hacking group TeamTNT has recently launched a new attack campaign, dubbed “Golgotha”. This group has long been known for their attacks on cloud environments. This new attack campaign aims to infect both cloud and container environments and hijack resources for crypto mining. TeamTNT is using a combination of misconfigurations and exploits, including new techniques to steal credentials from AWS environments and breach Docker containers. In addition, they are using tools such as Tmate, which allows them to maintain remote access to compromised systems even after reboots or reconfigurations.

  1. New kernel rootkit threat due to Windows driver signature bypass

A new attack method is being used by malicious actors to install kernel rootkits by abusing a Windows Driver Signature Bypass. This allows them to load malicious drivers that would normally be blocked by the system and thereby gain access to the heart of the operating system without the system raising any alarms. This is a critical vulnerability because rootkits can penetrate deeply into the system at the kernel level, remaining virtually invisible to traditional antivirus and security programs. It gives attackers complete control over a system.

  1. Fortinet: Critical vulnerability in FortiManager

Fortinet recently warned about a critical vulnerability in their FortiManager solution, which is being actively exploited by malicious actors. This vulnerability (CVE-2024-47575, CVSS score: 9.8) is also known as FortiJump and is located in the FortiGate to FortiManager (FGFM) protocol. This critical vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code or commands via specially crafted requests. Fortinet has released a patch and urges users to apply it as soon as possible. Since the exploit is already being actively used in the wild, it is essential to update the firmware of all FortiGate devices and increase network traffic monitoring.

  1. Black Basta ransomware uses Microsoft Teams for social engineering

The Black Basta ransomware group has developed a clever new technique to infiltrate companies. First, an employee’s mailbox is flooded with hundreds of (basically not malicious) emails to confuse the employee. Then, the employee is called by someone pretending to be IT support on Microsoft Teams. In the confusion, they manage to trick employees into giving them sensitive data or gaining access to critical systems.

  1. CISA warning: Active exploitation of SharePoint vulnerability

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about the active exploitation of vulnerability CVE-2024-38094 (CVSS score: 7.2) in SharePoint. This vulnerability allows an authenticated attacker with site owner privileges to inject arbitrary code and execute it in the context of SharePoint Server. The risk of exploitation is increased by the fact that proof-of-concept (PoC) exploits are in circulation. A patch is available; it is recommended to install it as soon as possible.

  1. Dutch police hit malicious actors with Operation Magnus

On October 28, 2024, the Dutch National Police, in close cooperation with the FBI and other partners of the international law enforcement task force, disrupted the operation of the Redline and Meta infostealers. Redline is an affordable but powerful Windows malware that steals information and has been sold to cybercriminals since 2020. This leads to theft of passwords, authentication cookies, crypto wallets and other sensitive data on a large scale. Meta (not to be confused with MetaStealer) is a newer Windows infostealer malware project announced in 2022 and marketed as an improved version of Redline. Authorities claim to have gained access to the source code, including license servers, REST API services, panels, stealer binaries, and Telegram bots, for both malware families. Both Meta and Redline used the same infrastructure, so it is likely that the same authors/operators are behind both projects.

WakeUpWednesday october 23 2024
  1. Vulnerabilities in E2EE cloud storage platforms

End-to-End Encrypted (E2EE) cloud storage platforms, which are designed to protect user data, have come under fire due to recent vulnerabilities. Research from ETH Zurich has discovered serious vulnerabilities in five popular cloud storage services, including pCloud, Icedrive, Seafile and Tresorit, which together are used by millions of people.
These vulnerabilities allow attackers to manipulate data and even replace encryption keys. Specific attacks range from reordering or deleting files without the user’s knowledge to injecting malicious files into user storage. Examples such as “unauthenticated chunking” in pCloud and Seafile show that an attacker can delete or reorder entire files without warning the user.
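The "unauthenticated chunking" weakness described above comes down to one design point: if each stored chunk is authenticated on its own, nothing ties it to its position in the file or to the number of chunks the file should have, so a server can reorder or drop chunks without the client noticing. The following added example (written for this post; it is not code from ETH Zurich or from any of the named services) contrasts a naive per-chunk MAC with a scheme that binds the file identifier, chunk index and total chunk count into the MAC input. The key and file identifier are constructed placeholders, and HMAC stands in for the integrity side of an AEAD: in a real E2EE design the same metadata goes into the associated data of the authenticated encryption.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key and file identifier (placeholders, not from any real service).
DEMO_KEY = bytes(range(32))
DEMO_FILE_ID = b"report-2024-q3.pdf"


@dataclass(frozen=True)
class Chunk:
    index: int   # position of this chunk within the file, as stored alongside it
    data: bytes
    tag: bytes   # MAC the storage provider cannot forge without the user's key


def _bound_tag(key: bytes, file_id: bytes, index: int, total: int, data: bytes) -> bytes:
    # Bind the chunk to the file, its position and the total chunk count, so that
    # reordering, dropping or swapping in chunks from another file changes the MAC input.
    header = file_id + index.to_bytes(4, "big") + total.to_bytes(4, "big")
    return hmac.new(key, header + data, hashlib.sha256).digest()


def split_bound(key: bytes, file_id: bytes, plaintext: bytes, chunk_size: int) -> list[Chunk]:
    pieces = [plaintext[i:i + chunk_size] for i in range(0, len(plaintext), chunk_size)]
    total = len(pieces)
    return [Chunk(i, p, _bound_tag(key, file_id, i, total, p)) for i, p in enumerate(pieces)]


def join_bound(key: bytes, file_id: bytes, chunks: list[Chunk]) -> bytes:
    """Reassemble only if every chunk verifies at the position it claims and the
    claimed positions form the complete sequence 0..n-1 for the count we received."""
    total = len(chunks)
    out = []
    for expected, c in enumerate(chunks):
        if c.index != expected:
            raise ValueError(f"chunk sequence broken at position {expected}")
        if not hmac.compare_digest(c.tag, _bound_tag(key, file_id, c.index, total, c.data)):
            raise ValueError(f"chunk {c.index} failed integrity check")
        out.append(c.data)
    return b"".join(out)


def split_naive(key: bytes, plaintext: bytes, chunk_size: int) -> list[Chunk]:
    # Weak scheme: each chunk is authenticated on its own, with no link to position or count.
    pieces = [plaintext[i:i + chunk_size] for i in range(0, len(plaintext), chunk_size)]
    return [Chunk(i, p, hmac.new(key, p, hashlib.sha256).digest()) for i, p in enumerate(pieces)]


def join_naive(key: bytes, chunks: list[Chunk]) -> bytes:
    # Every chunk verifies individually, so a reordered or truncated list still "verifies".
    for c in chunks:
        if not hmac.compare_digest(c.tag, hmac.new(key, c.data, hashlib.sha256).digest()):
            raise ValueError("chunk failed integrity check")
    return b"".join(c.data for c in chunks)


def verifies(join, *args) -> bool:
    # Helper for experiments: True if the join function accepts the chunk list.
    try:
        join(*args)
        return True
    except ValueError:
        return False
```

With the bound scheme, swapping two chunks fails the index check, and removing a chunk changes the total so every remaining tag mismatches. The naive scheme accepts both manipulations and silently returns a different file. Note that an empty chunk list still "verifies" as an empty file; a complete design also authenticates a per-file manifest (expected chunk count and file version) so that wholesale deletion is detected too.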

  1. Spectre Bypass on Intel and AMD CPUs on Linux

A new vulnerability has been discovered in both Intel and AMD processors running Linux. This vulnerability, a variant of the infamous Spectre attacks, allows malicious applications to bypass security controls and steal sensitive information. The attack abuses speculative execution, a technique used to improve processor performance. While mitigations are available, systems remain vulnerable if they are not implemented correctly.

  1. Microsoft’s Loss of Security Logs

Microsoft recently reported that some customer security logs from the month of September were lost. The lost logs contain security data that is typically used to monitor suspicious traffic, behavior, and login attempts on a network, increasing the likelihood that attacks could go unnoticed. According to Microsoft’s assessment, the following services were impacted, each with varying degrees of logging disruption:

  • Microsoft Entra: Potentially incomplete login and activity logs.
  • Azure Logic Apps: Intermittently experienced gaps in telemetry data in Log Analytics, Resource Logs, and Logic Apps diagnostic settings.
  • Azure Healthcare APIs: Partially incomplete diagnostic logs.
  • Microsoft Sentinel: Potential gaps in security-related logs or events.
  • Azure Monitor: Observed gaps or degraded results when querying log data from impacted services.
  • Azure Trusted Signing: Experienced partially incomplete SignTransaction and SignHistory logs.
  • Azure Virtual Desktop: Partially incomplete in Application Insights. Key AVD connectivity and functionality were not affected.
  • Power Platform: Minor discrepancies affecting data in various reports.

  1. Google Meet malware attack

A new phishing campaign called ClickFix is using fake Google Meet pages to spread malware. Cybercriminals simulate error messages in Google Meet meetings and trick users into downloading malicious software, often in the form of infostealing malware. These attacks capitalize on the growing reliance on videoconferencing tools. It is important for companies to make employees aware of these types of threats and to use technologies such as sandboxing to detect and block such attacks.

  1. New macOS vulnerability ‘HM Surf’ discovered

A new macOS vulnerability, dubbed HM Surf, allows attackers to access sensitive data without permission by manipulating certain system functions that are normally restricted to trusted processes. The attackers bypass the operating system’s Transparency, Consent, and Control (TCC) technology to gain unauthorized access to users’ data. Apple has released a patch, and users are encouraged to apply the update as soon as possible.

  1. Internet Archive breached due to stolen access tokens

Internet Archive has been hacked again, this time via their Zendesk email support platform. The attackers were able to gain access by using stolen access tokens, a tactic that is becoming increasingly common. Such tokens allow attackers to pose as authorized users, giving them access to sensitive information without the need for passwords.

  1. Zero-Day Vulnerabilities in 2023: Exploitation of Unknown Weaknesses

According to Google’s Security Team, 70% of vulnerabilities exploited in 2023 were zero-days. This means that the vulnerabilities were exploited before a patch or security update was available. Actively monitoring for new vulnerabilities and responding quickly with mitigations is therefore essential for companies.

  1. Internet Explorer Zero-Day Abuse for Malware Distribution

Cybercriminals have taken advantage of a zero-day vulnerability (CVE-2024-38178) in Internet Explorer to spread malware via malicious advertisements. This attack, known as “Code on Toast,” infected systems without any user interaction. The ads were designed to install malware as soon as a user visited the page. Although Internet Explorer is no longer widely used, it remains an attractive target for attackers due to legacy systems that still rely on this outdated browser.

  1. Spring Framework Vulnerability: CVE-2024-38819

A newly discovered path traversal vulnerability in the Spring Framework, identified as CVE-2024-38819, allows attackers to access sensitive files via malicious HTTP requests. Path traversal attacks allow attackers to gain unauthorized access to files outside of the intended directory. This vulnerability affects applications that serve static resources via the WebMvc.fn or WebFlux.fn functional web frameworks. The vulnerability could have serious implications for web applications running on Spring, as sensitive information such as configuration files could be exposed to unauthorized users. Developers and administrators are advised to update their systems to the latest versions and apply mitigations to prevent exploitation of this vulnerability.

WakeUpWednesday october 16 2024
  1. Microsoft Ends Support for PPTP and L2TP VPN Protocols

Microsoft has announced that it is ending support for the legacy PPTP (Point-to-Point Tunneling Protocol) and L2TP (Layer 2 Tunneling Protocol) VPN protocols in Windows Server. These legacy protocols are considered insecure by modern standards and are therefore vulnerable to attacks. The deprecation of these protocols means that IT teams that still rely on them need to take action to update their VPN infrastructure to more secure options, such as IKEv2 or SSTP.

  1. Ransomware Groups Akira and Fog Target Veeam Vulnerabilities

Ransomware continues to be a significant problem for organizations worldwide. The Akira and Fog ransomware groups are now actively exploiting a critical vulnerability in Veeam Backup & Replication software. This vulnerability (CVE-2024-40711) allows remote code execution (RCE), which could lead to full system compromise if left unpatched.

  1. ChatGPT Abused by Cybercriminals to Write Malware

Unfortunately, the use of AI in cybersecurity also has a downside. OpenAI recently confirmed that malicious actors have abused ChatGPT to generate malicious software. Cybercriminals have found ways to use the model to write complex malware, including phishing attacks and ransomware. This highlights the need for cybersecurity professionals to remain vigilant about the use of AI tools, as they can be used by both security specialists and attackers.

  1. Critical Vulnerability Discovered in GitLab

GitLab has confirmed a critical vulnerability that allows attackers to execute arbitrary pipelines on vulnerable GitLab instances. This vulnerability (CVE-2024-9164) allows attackers to launch unauthorized pipelines on specific branches. This could lead to serious security risks such as software supply chain compromise or potentially damaging codebase changes.

  1. CISA warns of critical Fortinet RCE vulnerability

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that a critical vulnerability in Fortinet products (CVE-2024-23113) is now being actively exploited by attackers. This vulnerability allows attackers to remotely execute code on vulnerable devices, potentially leading to full network compromise.

  1. Internet Archive hacked: data breach affects 31 million users

Finally, the popular Internet Archive was the victim of a large-scale hack, in which the data of 31 million users was compromised. The stolen data includes email addresses, IP addresses, and hashed passwords. Even though the passwords were hashed, users with weak passwords could still be at risk. Internet Archive users are advised to change their passwords immediately, especially if they have been used for other accounts.

WakeUpWednesday october 9 2024
  1. CUPS Vulnerability: Amplification of DDoS Attacks

A recently patched vulnerability, CVE-2024-47176, in the Common Unix Printing System (CUPS) could be used not only for remote code execution (RCE), but also to amplify DDoS attacks. CUPS is a widely used print management system that comes standard on many Linux and macOS systems. The vulnerability is in the ‘cups-browsed’ component, which allows for automatic discovery of network printers. If this functionality is not needed, we recommend disabling this component. In a DDoS attack, malicious actors attempt to overload a system with traffic, making it inaccessible. This CUPS vulnerability lets attackers turn a small amount of sent data into much larger responses, potentially increasing the size of the attack dramatically. This makes systems with an unprotected CUPS installation attractive as amplifiers for large-scale attacks.

  1. CosmicSting attacks: More than 4,000 Adobe Commerce and Magento webshops affected

About 5% of all Adobe Commerce and Magento online stores, which amounts to 4,275 stores, have been hacked in the “CosmicSting” attacks. Cybercriminals have developed an exploit that gives them access to the underlying systems of these webshops, allowing them to inject malicious scripts. The vulnerabilities involved are CVE-2024-34102 and CVE-2024-2961. CVE-2024-34102 is an XXE (XML External Entity) vulnerability. It makes it possible to read local files, for example to obtain passwords and keys. CVE-2024-2961 concerns a buffer overflow vulnerability in the iconv library in GLIBC. The iconv() function in the GNU C Library versions 2.39 and earlier may overflow the output buffer passed to the function by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set. This may cause an application crash or overwrite an adjacent variable. The attacks steal sensitive customer data such as credit card information. These campaigns specifically target the backend of e-commerce platforms, with the attack exploiting vulnerabilities in outdated or poorly maintained webshops.

  1. Apple Releases Updates for iOS and iPadOS to Address Zero-Day Vulnerabilities

Apple recently released a security update for iOS and iPadOS to address two security issues. The first vulnerability, registered as CVE-2024-44204, could have allowed passwords to be read aloud by a user’s assistive technology VoiceOver. Apple also patched a security vulnerability (CVE-2024-44207) specific to the recently launched iPhone 16 models, which could allow audio to be captured before the microphone indicator is on.

  1. Perfctl Malware: A Year-Long Cryptomining Campaign

The Linux malware “perfctl” has been attacking Linux servers and workstations for at least three years, largely remaining undetected through the use of rootkits, among other things. It uses advanced techniques to evade detection: it is fileless malware that is difficult to remove and focuses on cryptomining. Perfctl has infected millions of Linux servers worldwide and uses an arsenal of at least 20,000 different exploits for various server misconfigurations.

  1. Apache Avro SDK Vulnerability

A critical vulnerability in the Apache Avro SDK can be exploited for remote code execution (RCE). This vulnerability, identified as CVE-2024-47561, allows attackers to execute arbitrary code on systems that use the SDK. Apache Avro is an open-source project that provides a language-neutral data serialization framework for large-scale data processing. The vulnerability affects any application where users can supply their own Avro parsing schemas.

WakeUpWednesday october 2 2024
  1. NVIDIA Container Toolkit vulnerability: full takeover possible

A severe vulnerability (CVE-2024-0132, CVSS score 9.0) has been discovered in the NVIDIA Container Toolkit. This vulnerability allows attackers to gain full control over the host system. This toolkit is often used for GPU-based container environments, so the impact of an exploit can be high, especially in cloud and datacenter environments where containers are an integral part of the infrastructure. If exploited, attackers can gain control of the container and gain access to the underlying host, leading to potential data theft or even complete system takeover. The particular library comes pre-installed in many AI-focused platforms and virtual machine images and is the standard tool for GPU access when NVIDIA hardware is involved. The vulnerability has been fixed in NVIDIA Container Toolkit version v1.16.2 and NVIDIA GPU Operator version 24.6.2.

  1. RomCom malware variant ‘Snipbot’

A new variant of the RomCom malware, Snipbot, has been discovered in data theft campaigns. This new version shows for the first time post-infection activity of the malicious actor on a victim system. The malware specifically focuses on exfiltrating sensitive data and uses advanced techniques to avoid detection. The Snipbot attacks target various industries and are characterized by targeted phishing campaigns that provide access to networks and steal sensitive information.

  1. HPE Aruba Networks: Critical RCE Vulnerabilities

Hewlett Packard Enterprise (HPE) Aruba has patched three critical vulnerabilities affecting their wireless access points. These vulnerabilities (CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507) can lead to Remote Code Execution (RCE) by sending specially crafted packets to the PAPI (Aruba’s Access Point Management Protocol) UDP port (8211).

  1. Embargo Ransomware: New focus on cloud environments

The Embargo ransomware has expanded its attacks to hybrid cloud environments. By targeting cloud storage and services, attackers attempt to encrypt critical data and force companies to pay ransoms. The attackers use weak passwords and elevated accounts to gain access to the network.

WakeUpWednesday september 25 2024
  1. macOS ‘Sequoia’ update breaks VPN and antivirus software

Apple’s latest macOS update, Sequoia, has unexpectedly caused problems with several VPN and antivirus products. The operating system’s networking behavior has changed, leading to incompatibility issues. Several VPN and security vendors have reported that their software no longer works properly, which could have serious consequences for users who rely on secure network connections and malware protection.

  1. Apache HugeGraph Server vulnerability actively exploited

CISA warns of a critical vulnerability in Apache HugeGraph Server (CVE-2024-27348), which is being actively exploited. This vulnerability allows attackers to remotely execute arbitrary code, giving them full control over servers. Exploit code is available, and the vulnerability is already being actively used by cybercriminals. Organizations running this software are strongly advised to apply patches as soon as possible, enable the Auth system, and use Java 11.

  1. New PondRat malware hidden in Python Libraries

A new malware campaign called PondRat has been discovered, spreading malicious code via Python libraries. PondRat is particularly dangerous because it hides itself within seemingly legitimate Python modules. This malware can steal data, perform command-and-control operations, and give attackers long-term access to systems. The malicious modules, real-ids, coloredtxt, beautifultext, and minisound, have since been removed from the PyPI repositories.

  1. Ivanti’s Cloud Appliance: new vulnerability

Ivanti recently warned about a new vulnerability (CVE-2024-8963) in their cloud appliances, which has become the target of active attacks. This vulnerability allows attackers to access sensitive information or compromise systems. This vulnerability comes shortly after another vulnerability (CVE-2024-8190) was discovered in the same cloud service.

  1. FreeBSD RCE vulnerability allows attackers to execute malicious code

CVE-2024-41721 describes a critical vulnerability in the USB code of FreeBSD’s bhyve virtual machine, specifically in the emulation of XHCI (USB). Due to insufficient bounds validation, an out-of-bounds read error can occur in heap memory, allowing arbitrary data to be written. This can lead to remote code execution. This vulnerability has a CVSS score of 9.8 and is considered highly dangerous, as it can be exploited remotely without requiring user interaction or special privileges. This could allow an attacker to gain full control over the system, which could have serious consequences for the confidentiality, integrity, and availability of the system. It is strongly recommended to apply the patches provided by FreeBSD, as this vulnerability affects systems that have not been updated to the patched versions.

  1. 2FA bypass via RestAPI

CVE-2024-8606 describes a vulnerability in the Checkmk software, specifically in the REST API. This vulnerability allows an attacker to bypass two-factor authentication (2FA). This means that a user who has completed only the first factor of authentication can gain access, without the second factor being enforced. This is possible in versions of Checkmk before 2.3.0p16 and 2.2.0p34.
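The bug class behind a 2FA bypass like this is usually an entry point (here a REST API) that only checks whether a session exists, while the web UI is the only place that checks whether the session also completed the second factor. The added example below is ours and does not reflect Checkmk's code; it is a minimal login flow with a TOTP second factor (RFC 6238, using the RFC's reference secret so the codes are checkable) and shows the weak API gate beside the correct one. The user record and password are constructed placeholders; the password is compared in plain text only to keep the example short.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed demo user store. The TOTP secret is the RFC 6238 reference secret.
DEMO_USERS = {
    "alice": {"password": "correct horse battery staple",
              "totp_secret": b"12345678901234567890"},
}


@dataclass
class Session:
    user: str
    first_factor_ok: bool = False    # password accepted
    second_factor_ok: bool = False   # TOTP accepted for this session


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and dynamic truncation (RFC 4226)."""
    counter = (unix_time // step).to_bytes(8, "big")
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def login(username: str, password: str) -> Optional[Session]:
    # First factor only. A real system compares against a salted password hash.
    record = DEMO_USERS.get(username)
    if record is None or not hmac.compare_digest(record["password"].encode(), password.encode()):
        return None
    return Session(user=username, first_factor_ok=True)


def verify_second_factor(session: Session, code: str, unix_time: int) -> bool:
    secret = DEMO_USERS[session.user]["totp_secret"]
    # Accepts the current time step only; production code also tolerates small clock drift.
    if hmac.compare_digest(totp(secret, unix_time), code):
        session.second_factor_ok = True
    return session.second_factor_ok


def mfa_required(username: str) -> bool:
    return DEMO_USERS[username]["totp_secret"] is not None


def api_gate_weak(session: Session) -> bool:
    # Bug class: the API only asks "is there an authenticated session?". A session that
    # passed the password step but never presented the second factor is let through.
    return session.first_factor_ok


def api_gate(session: Session) -> bool:
    # Every entry point (UI, REST API, automation) must apply the same rule:
    # the session is usable only once all factors required for this user are done.
    if not session.first_factor_ok:
        return False
    if mfa_required(session.user) and not session.second_factor_ok:
        return False
    return True
```

The practical lesson is to keep the "is this session fully authenticated?" decision in one function that every entry point calls, rather than re-deriving it per interface. When auditing an application for this class of issue, enumerate every route that accepts a session cookie or token and confirm it reaches that single check.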

WakeUpWednesday september 18 2024
  1. Windows Vulnerability: Braille Spaces Used in Attacks

A recently patched vulnerability in Windows, CVE-2024-43461, is being actively exploited by attackers. This vulnerability resides in the MSHTML component of Windows, where attackers use braille spaces to evade detection and trick victims into opening a malicious file containing malware. CVE-2024-43461 was already being exploited before the July patch, as part of an attack chain related to CVE-2024-38112. To be fully protected, Windows users must install both the July and September updates.

  1. Malware Locks Down Browsers to Steal Google Credentials

A new malware campaign specifically targets Google credentials by locking browsers in kiosk mode. This means that the user cannot close their browser without entering the required credentials. Once entered, the credentials are stolen by the cybercriminals. This attack method is particularly dangerous because it forces users to give up personal information under the illusion that they have no other option.

  1. Ivanti’s Endpoint Manager Mobile vulnerability actively exploited

Ivanti warns of a vulnerability in their Endpoint Manager Mobile (EPMM) software, known as CVE-2024-8190. This vulnerability allows attackers to gain access to the EPMM administration console and intercept sensitive data. APT groups are already actively exploiting this vulnerability in attacks against organizations. Ivanti has issued an urgent appeal to users to install the latest patches to prevent further damage.

  1. New Linux Malware ‘Hadooken’ Targets Oracle WebLogic Servers

A new malware campaign has been discovered on Linux-based systems, targeting Oracle WebLogic servers. The malware, dubbed ‘Hadooken’, exploits known vulnerabilities in outdated or unpatched WebLogic servers to install a backdoor. This backdoor allows attackers to gain long-term access to the infected servers, which can have serious consequences for companies that rely on this infrastructure. We advise organizations that use WebLogic to check their systems and install the available patches.

  1. D-Link Router Vulnerability: Hidden Functionality

A critical vulnerability, registered as CVE-2024-45697, has been discovered in several D-Link routers, which are often used in home networks and small businesses. This vulnerability concerns hidden functionality that allows attackers to remotely gain full control over the device. The exploit makes it possible to access the router without authentication, leading to potential network compromise.

WakeUpWednesday september 11 2024

1. Progress LoadMaster: Critical RCE Vulnerability (10/10 CVSS)

Recently, a critical vulnerability (CVE-2024-7591) was discovered in Progress LoadMaster. It has a CVSS score of 10. This vulnerability can lead to Remote Code Execution (RCE), allowing attackers to take full control of affected systems.

LoadMaster is a widely used application for load balancing, and this flaw affects all versions prior to 7.2.76. Attackers can exploit this vulnerability without any authentication, which increases the risk of exploitation. An update is available; we recommend installing it as soon as possible.

2. Malware distribution via LinkedIn

Recently, there have been reports of malware being distributed via LinkedIn. This platform, often seen as a trusted source for business communications, is also valuable to cybercriminals. They can collect a lot of data via this platform and, for example, gain a good insight into the function and activities of a person. This makes LinkedIn an attractive target for cybercriminals. Cybercriminals use misleading messages and attachments to spread COVERTCATCH malware. The method is relatively simple: scammers contact potential victims, engage them in a conversation, and then convince them to download a file disguised as a Python Coding Challenge.

3. Rise in Quishing attacks

In addition, there has been an increase in attacks via QR codes, the so-called ‘Quishing’. This form of phishing targets people who scan QR codes, such as those found at EV charging stations. When scanning the QR code, users are directed to malicious websites, where sensitive data is stolen or malware is installed.

4. SonicWall SSL VPN: Critical Access Control Exploit in the Wild

SonicWall is warning users of a critical vulnerability (CVE-2024-40766, CVSS score 9.3) in its SSL VPN products, specifically related to access control. Attackers exploiting this vulnerability can gain unauthorized access to networks. In addition, the vulnerability is actively being abused to spread Akira ransomware. SonicWall has released a patch; we advise you to install it as soon as possible.

5. Kibana 8.15.1: Security Update for Elastic Stack users

Organizations using the Elastic Stack, specifically Kibana, should implement the new security updates. There is a deserialization issue in Kibana that could lead to arbitrary code execution. The vulnerability is registered as CVE-2024-37288, with a CVSS score of 9.9.

In the Netherlands, the Elastic Stack, including Kibana, is a popular choice for organizations that need to analyze and visualize large amounts of data. Although there are no direct reports that the vulnerability is currently being actively exploited, we advise installing the available update as soon as possible.

WakeUpWednesday september 4 2024
  1. Business Email Compromise (BEC)

In all regions, the summer holidays are now over and most people are back at work. With the holiday feeling still in mind, many employees want to handle as many emails as possible on that first day. The sense of urgency combined with a lower level of alertness to phishing increases the chance that an employee will become a victim. In addition, malicious parties have had the opportunity to collect personal data, such as email addresses and telephone numbers, thanks to out-of-office messages during the holiday period. Therefore, take the time to answer your emails and be alert to malicious messages, attachments and links.

  1. Atlassian Confluence: CVE-2023-22527

Cybercriminals are actively exploiting a critical vulnerability in Atlassian Confluence Data Center and the Confluence Server. The vulnerability that is currently being actively exploited is CVE-2023-22527, with a CVSS score of 10. This puts systems that are not up to date at high risk of unauthorized access and potential data theft. In addition, affected systems are being used by the malicious actors for cryptomining. Atlassian Confluence users are advised to install the available updates as soon as possible.

  1. Google Chrome: Drive-by Downloads with Rootkit

Microsoft has identified a new campaign by the North Korean hacker group Citrine Sleet. This campaign exploited two vulnerabilities for which no updates were available at the time. The first vulnerability was a zero-day in Chromium-based browsers, such as Chrome, that was exploited. This vulnerability is registered as CVE-2024-7971, a vulnerability in the V8 JavaScript and WebAssembly engine that affects versions of Chromium older than 128.0.6613.84. The second vulnerability is CVE-2024-38106 and was present in the Windows kernel.

  1. Cicada3301 ransomware: targeting VMware ESXi systems

Cicada3301 is a new ransomware-as-a-service group, providing a platform for double extortion through a ransomware and a data breach website. The group first emerged in June 2024 and has since claimed multiple victims. Their name appears to be derived from an internet cryptography game, but there is no connection to that phenomenon. The threat specifically targets VMware ESXi systems, which are widely used in virtualization environments. Cicada3301’s ransomware, written in Rust, bears striking similarities to the now-defunct Black Cat/ALPHV ransomware. Both use ChaCha20 for encryption and similar commands for powering down VMs and deleting snapshots.

  1. GitHub Comment Abuse: Password-Stealing Malware

Cybercriminals have found a new way to trick GitHub users by exploiting comments on popular repositories. These comments contain links that pretend to be “fixes” to issues, but in reality lead to password-stealing malware. GitHub project maintainers and users are advised to be cautious about clicking on links in comments and to report any suspicious activity. Implementing better security practices, such as restricting who can post comments, can help mitigate this type of attack.

WakeUpWednesday august 28 2024
  1. PeakLight Dropper: New Memory-Only Malware

Researchers at Mandiant have discovered new malware that uses a technique known as “DLL hijacking” to load malicious code and evade detection. The malware, dubbed PeakLight Dropper, is a memory-only dropper. The attackers behind this dropper use it to install further malware on victims’ systems, opening the door for data theft and espionage activities. Using such a dropper allows attackers to hide their presence and remain on systems for the long term without being detected.

  1. Qilin Ransomware Abuses VPNs to Compromise Networks

Qilin Ransomware is a new ransomware that targets vulnerable VPN infrastructures. The ransomware uses stolen VPN credentials to gain access to networks and then encrypts the data. Notably, it steals credentials stored in Google Chrome browsers. What makes this credential harvesting technique dangerous is that the potential implications extend far beyond the original victim’s organization. In addition, data exfiltration is combined with encryption, putting victims under double pressure: paying to decrypt files and preventing sensitive information from being leaked.

  1. New macOS Malware: Cthulhu Stealer

Mac users are increasingly being targeted by cybercriminals, as evidenced by the discovery of the Cthulhu Stealer malware. This malicious software specifically targets macOS systems and is designed to steal login credentials, browsing history, and other sensitive information, using techniques to evade detection, such as obfuscation and exploiting legitimate software.

  1. Hardcoded Credential Vulnerability in Enterprise Devices

SolarWinds recently released updates for a vulnerability (CVE-2024-28987) in its Web Help Desk (WHD) software. The vulnerability involves hardcoded credentials in specific corporate network devices. Attackers can abuse these embedded credentials to gain access to networks and move around without authentication.

  1. NGate: Android Malware Targeting NFC Credentials

NGate uses Near Field Communication (NFC) credentials to clone contactless payment cards and steal money. Thanks to the advanced techniques this malware uses, it can disguise itself as legitimate apps and trick users into granting access to their devices. When there is no separation between personal and business use of smartphones and/or the smartphone is not monitored by the organization, there is a risk that the malware can negatively impact an organization. NGate is particularly dangerous because it targets financial data, making it a threat to both consumers and businesses that use NFC payments.

  1. Sedexp: Linux Malware Abusing udev Rules

A recently identified Linux malware, Sedexp, takes a unique approach to persistence and evading detection. Thanks to the use of udev rules, a Linux subsystem that handles device events, Sedexp remains undetected while performing its malicious activities. This malware has been able to hide for almost two years, which underscores the need for regular system and network monitoring to identify such advanced threats.

  1. Vulnerability in Mobile Security Framework

The MobSF framework is a testing, malware analysis, and security assessment system that can perform static and dynamic analysis. It contains a vulnerability in the Static-Libraries analysis section. During the extraction of .a extension files, the measure intended to prevent Zip Slip attacks is not properly implemented. The implemented measure can be bypassed, allowing an attacker to extract files to any desired location on the server where MobSF resides. The vulnerability is registered as CVE-2024-43399 and is fixed in version 4.0.7. Updating to this version is important due to the potential impact of the vulnerability, which allows attackers to gain full control over a system.
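Zip Slip during archive extraction (this item) and path traversal when serving static resources (the Spring item CVE-2024-38819 above) are the same defect seen from two sides: an untrusted name is joined onto a base directory and the result is used without checking that it still lies under that base. The added example below is ours, not MobSF's or Spring's code, and shows the one check that handles both cases: resolve the candidate path on the real filesystem (collapsing `..` and following symlinks) and then require it to be relative to the resolved base. The web root, the file contents and the archive with a `../evil.txt` member are all constructed for the demonstration.

```python
import io
import tempfile
import zipfile
from pathlib import Path
from typing import Callable


def safe_resolve(base: Path, untrusted: str) -> Path:
    """Map an untrusted name onto base, refusing anything that escapes it.

    resolve() collapses '..' segments and follows symlinks, so the decision is made on
    the real filesystem location rather than on the string the client supplied. An
    absolute name replaces base when joined, and is rejected for the same reason.
    """
    root = base.resolve()
    candidate = (root / untrusted).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise PermissionError(f"refusing path outside {root}: {untrusted!r}") from None
    return candidate


def serve_static(webroot: Path, request_path: str) -> bytes:
    # Static-resource handler: the request path is attacker-controlled input.
    target = safe_resolve(webroot, request_path.lstrip("/"))
    return target.read_bytes()


def safe_extract(zip_bytes: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Extract archive members under dest. Members whose name would land outside dest
    (Zip Slip) are reported and skipped rather than written."""
    dest.mkdir(parents=True, exist_ok=True)
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                target = safe_resolve(dest, info.filename)
            except PermissionError:
                rejected.append(info.filename)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            extracted.append(info.filename)
    return extracted, rejected


def build_demo_zip() -> bytes:
    # Constructed archive: one benign member and one whose name climbs out of the target.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("good.txt", b"hello")
        zf.writestr("../evil.txt", b"owned")
    return buf.getvalue()


def _blocked(action: Callable[[], object]) -> bool:
    try:
        action()
    except PermissionError:
        return True
    return False


def run_demo() -> dict:
    """Build a throwaway web root and archive, exercise both checks, return the outcomes."""
    tmp = Path(tempfile.mkdtemp())
    webroot = tmp / "static"
    webroot.mkdir()
    (webroot / "app.css").write_bytes(b"body{}")
    (tmp / "secret.txt").write_bytes(b"db password")   # one level above the web root
    extracted, rejected = safe_extract(build_demo_zip(), tmp / "unpacked")
    return {
        "ok_read": serve_static(webroot, "/app.css"),
        "traversal_blocked": _blocked(lambda: serve_static(webroot, "/../secret.txt")),
        "absolute_blocked": _blocked(lambda: safe_resolve(webroot, "/etc/passwd")),
        "extracted": extracted,
        "rejected": rejected,
        "evil_written_outside": (tmp / "evil.txt").exists(),
    }
```

String-based checks (stripping `..`, rejecting names that start with `../`) are what typically get bypassed, because encodings, mixed separators and symlinks all produce a different string for the same location. Checking the resolved path is the robust form; the remaining caveat is a race if an attacker can change a symlink between the check and the write, which matters for extraction into directories the attacker can already write to.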

  1. Proof of Concept (POC) for TCP/IP vulnerability

A POC has been published for CVE-2024-38063, which describes a critical vulnerability in the TCP/IP stack of the Windows operating system. When a public exploit is available, it is more likely that attackers will abuse this vulnerability. The update for this vulnerability is available and it is recommended to install it as soon as possible.

WakeUpWednesday august 21 2024

1. Critical SolarWinds vulnerability is being actively exploited

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about a critical vulnerability in SolarWinds software that is being actively exploited in attacks. The vulnerability is CVE-2024-28986, with a CVSS score of 9.8. This Remote Code Execution (RCE) vulnerability allows cybercriminals to remotely gain control of systems and execute malicious code.

SolarWinds has released a patch to address this issue. We advise organizations that use SolarWinds products to install this patch as soon as possible.

2. Ransomware group uses new malware to disable security software

RansomHub, a notorious ransomware group, has developed a new malware tool. This malware, dubbed EDRKillShifter by Sophos researchers, allows cybercriminals to install and execute ransomware without being detected. The malware specifically targets security software in Bring Your Own Vulnerable Driver (BYOVD) attacks. To do this, the malware deploys a legitimate, vulnerable driver on target devices to elevate privileges, disable security solutions, and take control of the system.

3. Microsoft Patches Active Zero-Day Vulnerability

Microsoft recently patched a zero-day vulnerability that was actively being exploited in targeted attacks. This vulnerability, CVE-2024-38193 with CVSS score 7.8, is described as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock. The vulnerability allowed attackers to gain unauthorized access and compromise sensitive data. What is remarkable about this attack is that it goes beyond the traditional Bring Your Own Vulnerable Driver (BYOVD) attack. In fact, this CVE exploits a vulnerability in a driver that is already installed on a Windows host, rather than “bringing” a vulnerable driver and using it to bypass security measures.

4. Attackers are abusing public .env files for malicious actions

Recent research by Unit42 has revealed that several organizations have fallen victim to a large-scale extortion campaign. The organizations were compromised through the misuse of publicly accessible environment variable (.env) files containing login credentials for cloud and social media applications. Cybercriminals used this information to compromise systems and carry out further attacks.

It has also been found that the affected environments had multiple cybersecurity issues, such as the infrequent changing of login credentials and the lack of an architecture based on the principle of granting least privileges. The campaign is notable because the attack infrastructure was set up within the Amazon Web Services (AWS) environments of the infected organizations and was used as a starting point to scan over 230 million unique targets for sensitive data.

It is imperative that developers and IT administrators ensure that .env files are never publicly accessible. By following best practices, such as properly configuring servers and using environment variables, organizations can reduce the risk of this sensitive information falling into the wrong hands.

5. Abuse of Azure and Google domains to spread malware and disinformation campaigns

Recent research by BleepingComputer has shown that cybercriminals are abusing legitimate Azure and Google domains to spread disinformation and distribute malware. By using these well-known platforms, attackers are successfully bypassing the detection systems of security software and convincing victims of the legitimacy of their malicious content.

WakeUpWednesday august 14 2024

At the BlackHat 2024 conference, a remote code execution (RCE) attack on Microsoft 365 Copilot was presented. The vulnerability allows attackers to use RCE to search for sensitive content (in SharePoint, email, calendar and Teams) and to execute plugins; Data Loss Prevention (DLP) checks are often bypassed as a result. Although the RCE is triggered via email, the actual attack scenarios are more complex.

Microsoft released patches for 90 vulnerabilities during its Patch Tuesday. Of these, nine are critical zero-day exploits, six of which are actively exploited. The CVEs in question are:

  • CVE-2024-38178 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2024-38193 – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
  • CVE-2024-38213 – Windows Mark of the Web Security Feature Bypass Vulnerability
  • CVE-2024-38106 – Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2024-38107 – Windows Power Dependency Coordinator Elevation of Privilege Vulnerability
  • CVE-2024-38189 – Microsoft Project Remote Code Execution Vulnerability

CVE-2024-38063 (CVSS score 9.8), a Remote Code Execution (RCE) vulnerability in the Windows TCP/IP stack, specifically in the processing of IPv6 traffic, has also been patched.

SAP has patched 17 vulnerabilities in its August update, including a critical authentication bypass that could allow remote attackers to completely compromise the system. This vulnerability, registered as CVE-2024-41730, has a CVSS score of 9.8. This is a vulnerability that affects SAP BusinessObjects Business Intelligence Platform versions 430 and 440 and could be exploited under certain circumstances.

Ivanti’s Virtual Traffic Manager was also affected by a critical vulnerability (CVE-2024-7593 with a CVSS score of 9.8) that allowed unauthorized users to gain administrative rights.

Several critical vulnerabilities have also been discovered and patched in Zabbix, a leading open-source monitoring tool used for network and application monitoring. The first vulnerability is registered as CVE-2024-22116 with a CVSS score of 9.9. This vulnerability allows a low-privileged administrator to execute arbitrary code within the Monitoring Hosts section. There is also a critical remote code execution (RCE) vulnerability, identified as CVE-2024-36461 with a CVSS score of 9.1.

The Gcore Radar Report for H1 2024 provides detailed insights into DDoS attack data, showing changes in attack patterns and the broader threat landscape. Key findings include a 46% increase in DDoS attacks in H1 2024 compared to the same period last year, reaching 445K in Q2 2024.

Finally, Tenable researchers discovered vulnerabilities in Microsoft’s AI-driven Azure Health Bot Service. These vulnerabilities, specifically related to privilege escalation via Server-Side Request Forgery (SSRF), could allow attackers to access sensitive patient data by reaching cross-tenant resources. The vulnerabilities have now been patched.

WakeUpWednesday august 7 2024

It’s Wednesday again, which means it’s time for #WakeUpWednesday. Every Wednesday, we want to make as many people as possible aware of cybersecurity risks. Here is a summary of this week’s cybersecurity news.

1. Critical vulnerability in Rockwell industrial control systems.
A critical vulnerability has been discovered in Rockwell Automation’s ControlLogix 1756 programmable logic controllers (PLCs). This vulnerability, CVE-2024-6242 with a CVSS v3.1 score of 8.4, allows attackers to bypass security and gain unauthorized access to industrial control systems. This poses a significant risk to industrial environments where these controllers are deployed, because attackers can execute sophisticated commands such as downloading logic or changing configurations. Rockwell Automation has released firmware updates for this vulnerability and advises users to update their devices to the latest firmware versions.

2. Apache doubly vulnerable this week
Vulnerability CVE-2024-36268 in Apache InLong, with a CVSS v3.1 score of 9.8, is a critical code-injection vulnerability that exposes systems to remote attacks. This vulnerability affects Apache InLong’s TubeMQ Client, an essential part of the framework that facilitates communication with the TubeMQ messaging system. This vulnerability allows attackers to execute arbitrary code on affected systems. The impact is significant, especially for sectors such as finance, healthcare and e-commerce, where Apache InLong is widely used. Users are strongly advised to update their systems to version 1.13.0 of Apache InLong to fix this vulnerability. For those who cannot update immediately, a patch is available.

In addition, a new zero-day vulnerability in Apache OFBiz ERP, designated CVE-2024-38856, has been discovered. This vulnerability with a CVSS score of 9.8 allows attackers to remotely execute code without authentication by exploiting a flaw in the authentication mechanism. This can lead to unauthorized access and control of affected systems. The impact of this vulnerability is significant, as Apache OFBiz is a widely used open-source ERP solution deployed by many organizations. The affected systems are all versions of Apache OFBiz prior to 18.12.11. Therefore, the recommendation is to immediately update to version 18.12.11 or higher.

3. Malware spread via fake software updates
Hackers believed to be linked to the Chinese group StormBamboo hacked an unnamed Internet Service Provider (ISP) to spread malware through software updates. By penetrating the ISP’s infrastructure, the attackers were able to modify DNS responses and redirect users to malicious servers instead of legitimate update servers. This happened even when users used public DNS services such as Google or Cloudflare. The malware was spread through insecure update mechanisms of several applications, including 5KPlayer and Quick Heal, which did not use TLS or cryptographic signatures to verify updates.

4. The danger of obsolete and forgotten domains
Recent research has shown that more than a million domains are vulnerable to takeover by cybercriminals through “Sitting Ducks” attacks, which designate vulnerabilities in the domain name system (DNS) that allow attackers to take over domains without needing access to the real owners’ accounts with the DNS provider or registrar. This weakness often results from outdated or poorly managed DNS settings, making domains look like “sitting ducks” (easy targets). Attackers can exploit these weaknesses to hijack domains and use them for malicious activities such as phishing, malware distribution and other cyber attacks.

5. Stay on top of vulnerabilities.
Every day we are inundated with new vulnerabilities, and these CVEs are being exploited by cybercriminals at an increasing rate. In many cases they use publicly available exploit code, such as that shared on GitHub. 80% of these exploits are published even before the CVE and 14% even before a patch is available. Tools such as Shodan and Nmap, and generative AI, also play a crucial role in automatically detecting and exploiting vulnerable systems. This is why it is so important to respond quickly to CVEs with patches, updates or mitigation measures. Unfortunately, many organizations do not yet have this basic control fully in place. We see that even old CVEs, such as a 6-year-old Windows vulnerability, therefore remain attractive to criminals. So: stay aware of the latest and currently actively exploited CVEs.

WakeUpWednesday july 31 2024

As the vacation season is now truly upon us, this week’s special edition, with 5 pieces of advice for a cyber-safe vacation, both business and personal:

  1. Check windows and doors.
    The vacation season is the time to unwind, but not for cybercriminals. They take advantage of this very period, when IT departments are less staffed. Consequently, the vacation months see a sharp increase in fraudulent login attempts. So before you leave, make sure that basic measures, such as strong and unique passwords and two-factor authentication, are in place for the organization. Just like you take a moment to check the windows and doors before going on vacation.
  2. Watch out for pickpockets.
    The vacation money has been paid out again, and we spend money more easily during the vacations. Cybercriminals know that too. So stay alert, because cybercriminals are opportunistic and use precisely this period to make their move with ready-made phishing campaigns and leaked email lists bought off the shelf. So pay attention to phishing! Just like pickpockets and scammers on vacation.
  3. Be careful with unopened mail.
    You don’t want to think about it now, but after the vacation another big backlog of unread emails will be waiting for you. Many people reserve the first morning after vacation to click through it quickly, which increases the risk of clicking on malicious phishing emails. Take your time and be careful!
  4. Keep the insurance card handy.
    Should things go wrong, it is also important while on vacation to keep your incident response (IR) plan in order. Often, for example, those with mandates are not present or less accessible. It is therefore important to have good arrangements so that you are prepared for an incident. And always keep the T-CERT emergency number handy!
  5. Stay on top of the latest vulnerabilities with WakeUpWednesday.
    Each week a summary of vulnerabilities and cyber threats that have received national or international attention. With this week:

Acronis has issued a critical security advisory regarding a vulnerability in its Acronis Cyber Infrastructure (ACI) product. This vulnerability, CVE-2023-45249, allows attackers to bypass authentication on vulnerable servers using default credentials and is rated as critical (CVSS score of 9.8). Administrators are advised to apply the available patch to all affected devices.

Researchers from security firm Binarly have discovered that the Secure Boot feature is circumventable on hundreds of models of laptops, PCs, motherboards and other devices from Acer, Dell, Gigabyte, Intel, Lenovo and Supermicro, among others. Secure Boot is a security measure in the Unified Extensible Firmware Interface (UEFI) designed to ensure that only trusted software runs during system boot. The vulnerability, identified as CVE-2023-24932, allows attackers to execute untrusted code during the boot process even when Secure Boot is enabled. Users are advised to check if they are running vulnerable firmware and install updates as soon as they become available.

WakeUpWednesday july 24 2024

Cybercriminals are currently actively taking advantage of the problems surrounding CrowdStrike by pretending to be CrowdStrike. They distribute fake updates that supposedly fix security issues but actually install malware and data shredders. These fake updates specifically target businesses and can lead to serious data loss and operational disruptions.

SolarWinds patched multiple critical vulnerabilities in its Access Rights Manager (ARM) and other products this month. These vulnerabilities could allow attackers to gain unauthorized access and compromise sensitive data. An update is available; it is recommended to install it as soon as possible.

Multiple vulnerabilities have been discovered in the SAP AI Core, a platform that supports artificial intelligence and machine learning models. These vulnerabilities could lead to unauthorized access and manipulation of AI models, which could have serious consequences for companies that rely on AI for critical business processes. The vulnerabilities apply to cloud environments such as Amazon Web Services (AWS), Microsoft Azure and SAP HANA Cloud. An update is available, please install it as soon as possible.

A critical vulnerability in Cisco’s Secure Email Gateway (SEG) devices allows attackers to add root users, giving them full control over the devices. This vulnerability can lead to serious security breaches, including data theft and disruption of email communications. The advice is to update the Cisco SEG devices to the latest firmware versions as soon as possible.

A new variant of Play ransomware has been discovered that targets Linux systems. This ransomware encrypts systems and makes the recovery process significantly more difficult. The ransomware spreads through security holes in Linux environments.

A new vulnerability (CVE-2024-41107) has been discovered in Apache CloudStack, which makes user accounts vulnerable to attacks. This vulnerability could give attackers access to sensitive information and control over user accounts. An update is available, please install it as soon as possible.

A zero-day exploit called EvilVideo was recently discovered. It abuses a vulnerability in Telegram for Android that allows attackers to send malicious files that look like video files through Telegram channels, groups and chats. Telegram patched the vulnerability in version 10.14.5.

Finally, a serious vulnerability has been discovered in Bazaar v1.4.3. This makes user accounts vulnerable to attacks, which poses serious security risks for companies using this version. A Proof of Concept (PoC) has now been developed to demonstrate the exploitability of CVE-2024-40348. The advice is to install the available patch as soon as possible.

WakeUpWednesday july 17 2024

Recent research shows that within just 22 minutes of publishing proof-of-concept (PoC) exploits, attackers are using them in attacks. This highlights the need for organizations to respond quickly to new vulnerabilities and apply patches immediately. Cloudflare’s Application Security 2024 report further highlights that zero-day exploits and CVE exploits are on the rise, with a significant increase in the number of reported vulnerabilities.

More than 1.5 million Exim mail servers are vulnerable to a critical vulnerability that allows attackers to bypass security filters and send malicious executables to user accounts. This vulnerability, designated CVE-2024-39929 with a CVSS score of 9.1, affects all Exim versions up to and including 4.97.1. It is essential that system administrators update their Exim installations as soon as possible to mitigate this threat.

A wave of coordinated DNS hijacking attacks is targeting decentralized finance (DeFi) crypto domains registered with Squarespace. Malicious actors hijack DNS settings to redirect traffic to rogue websites, where they can steal user information and cryptocurrency. The incident is partly attributed to the recent migration of domains from Google to Squarespace, which removed two-factor authentication (2FA), increasing the vulnerability.

The latest version of HardBit Ransomware, version 4.0, uses passphrase protection to evade detection and employs advanced techniques to remain undetected. This ransomware is designed to disable Microsoft Defender Antivirus and terminate processes and services to avoid detection. In addition, this ransomware has the ability to erase backups and disable system restore options. It then encrypts files and changes system settings to hide the attack.

A serious vulnerability has been discovered in the Cellopoint Secure Email Gateway. This vulnerability is designated CVE-2024-6744 with a CVSS score of 9.8. The vulnerability causes a stack-based buffer overflow. This can be abused by attackers to execute malicious code and gain control over the system. It is essential that organizations immediately apply the available patch to mitigate this vulnerability.

WakeUpWednesday july 10 2024

New versions of the GootLoader malware, part of the Gootkit banking trojan, have been released, enabling more advanced attacks. The malware is linked to a threat actor called Hive0127 (also known as UNC2565) and exploits JavaScript to download post-exploitation tools. It is distributed via search engine optimization (SEO) poisoning and serves as a method of delivering various payloads such as Cobalt Strike, Gootkit, IcedID, Kronos, REvil, and SystemBC. Recently, the bad guys behind GootLoader also released their own command-and-control (C2) and lateral movement tool, called GootBot.

Furthermore, the scope of the supply chain attack on the widely used Polyfill[.]io JavaScript library is larger than previously thought. New findings from Censys show that more than 380,000 hosts embed a polyfill script that links to the malicious domain. This includes references to “13” in their HTTP responses. The attack is notable because it redirects specific visitors to adult and gambling-themed websites at specific times. The malicious behavior was introduced after the domain and its associated GitHub repository were sold to a Chinese company called Funnull in February 2024. This led to Namecheap suspending the domain. Cloudflare and Google took steps to mitigate the attack by replacing Polyfill links with safe alternatives and blocking ads for sites that used the malicious domain.

In addition, a new path traversal vulnerability, CVE-2024-36991, has been discovered that affects Splunk Enterprise on Windows in versions below 9.2.2, 9.1.5 and 9.0.10. A proof-of-concept (POC) exploit is available on GitHub that attempts to read Splunk’s /etc/passwd file. The vulnerability targets instances with Splunk Web enabled.

A firmware update is available for CVE-2024-27867, a vulnerability in Apple AirPods that could allow an attacker to gain unauthorized access to the headphones. Because this vulnerability is currently being actively exploited, it is essential to install this update. The authentication issue occurs with: AirPods (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro and Beats Fit Pro.

Finally, an increase in cyber attacks has been observed around sporting events this summer, including the 2024 European Football Championship and the Olympic Games. Cybercriminals are selling credentials related to the tournament on underground markets, and geopolitical tensions are playing a role in denial-of-service attacks.

WakeUpWednesday july 3 2024

A vulnerability has been discovered in the MOVEit software. This vulnerability is registered as CVE-2024-5806 with an initial CVSS score of 7.4. However, following the release of the watchTowr blog and its proof of concept, Progress raised the score to 9.1. This critical vulnerability allows attackers to compromise systems. It is strongly recommended that all MOVEit Transfer customers running versions 2023.0, 2023.1 and 2024.0 upgrade to the latest patched version as soon as possible.

Juniper Networks has also released an urgent patch for a serious authentication bypass vulnerability. This vulnerability (CVE-2024-2973, with a maximum CVSS score of 10.0), could allow attackers to access network devices without proper credentials. Also in this case it is recommended to install the patch as soon as possible.

Adobe recently published a security advisory regarding 10 vulnerabilities impacting Adobe Commerce, Magento Open Source, and Adobe Commerce Webhooks Plugin. Of these ten vulnerabilities, six could lead to arbitrary code execution. These six vulnerabilities are registered as CVE-2024-34111, CVE-2024-34102, CVE-2024-34108, CVE-2024-34109, CVE-2024-34110 and CVE-2024-34105. A POC is now available for CVE-2024-34102. This vulnerability leverages nested deserialization, which allows attackers to execute arbitrary code via XML External Entity (XXE) injections. This can lead to the exfiltration of sensitive data such as cryptographic keys. Users are strongly advised to update their Magento installations to the latest version and apply emergency patches to mitigate this vulnerability.

Another vulnerability for which a POC is currently available is CVE-2024-6387. This vulnerability, also known as “regreSSHion”, is an unauthenticated remote code execution (RCE) vulnerability in OpenSSH’s server (sshd) on glibc-based Linux systems. This vulnerability, discovered by Qualys, allows full root access without user interaction and was reintroduced in OpenSSH version 8.5p1. This vulnerability is a reintroduction of a previously resolved vulnerability (CVE-2006-5051) and emphasizes the importance of thorough regression testing.

Furthermore, a serious vulnerability has been discovered in iTerm2 versions 3.5.x before 3.5.2. This vulnerability, listed as CVE-2024-38396, allows attackers to inject arbitrary code via improper filtering of escape sequences. This is especially dangerous with tmux integration enabled. Users are strongly advised to update iTerm2 to version 3.5.2 or later to resolve this vulnerability.

GitLab also released a patch for a critical CI/CD vulnerability that allows attackers to execute arbitrary code. Given GitLab’s popularity in DevOps, this vulnerability could have far-reaching consequences if left unaddressed.

We wrap up this #WakeUpWednesday with a recent report revealing that fake IT support sites are promoting malicious PowerShell scripts as fixes for Windows errors. These scripts are actually designed to distribute information-stealing malware. The sites mainly focus on Windows error 0x80070643, an issue that many users have been experiencing since January. The fake support sites are promoted through hacked YouTube channels to give the appearance of legitimacy. Users who search online for a solution to their Windows problems run the risk of being misled by these sites.

WakeUpWednesday june 26 2024

Recently, researchers have identified several security threats that require the attention of cybersecurity specialists.

Researchers are warning about a new builder for the ‘Nevermore’ ransomware. Attention is required because it uses advanced techniques to avoid detection and has already compromised multiple databases. In addition, Nevermore is designed to create custom ransomware and is offered to other cybercriminals in this form.

A new command execution technique, called ‘GrimResource’, uses specially crafted MSC (Microsoft Saved Console) files and an unpatched Windows XSS vulnerability to execute code via the Microsoft Management Console. Attackers have moved to a new file type, Windows MSC (.msc) files, which are used in the Microsoft Management Console (MMC) to manage various aspects of the operating system or to create custom views of commonly used tools. In general, system administrators are advised to watch out for the following:

  • File manipulations with apds.dll called by mmc.exe.
  • Suspicious executions via MMC, specifically processes launched by mmc.exe with .msc file arguments.
  • RWX memory allocations by mmc.exe originating from script engines or .NET components.
  • Unusual .NET COM object creation within non-standard script interpreters such as JScript or VBScript.
  • Temporary HTML files created in the INetCache folder due to APDS XSS redirection.

Elastic Security has published a full list of GrimResource indicators on GitHub and provided YARA rules in the report to detect suspicious MSC files.
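As an added example (not Elastic’s published indicators or YARA rules, and not part of the original post), the following Python turns the first, second and fifth bullets above into checks over constructed Sysmon-style process-creation, image-load and file-create events, then correlates hits per process. The event field names are assumptions.

```python
"""Hunting for the GrimResource indicators listed above over endpoint telemetry.

Added example; not Elastic's indicators or YARA rules. Events are constructed
Sysmon-style records with assumed field names.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample telemetry. pid 4321 shows the pattern described above:
# mmc.exe started with an .msc from a user directory, loads apds.dll and then
# drops an .htm file in INetCache. pid 5555 is an administrator opening a
# built-in console, which should not be flagged; pid 6000 is unrelated noise.
EVENTS = [
    {"id": 1, "type": "process_create", "pid": 4321, "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\invoice.msc"'},
    {"id": 2, "type": "image_load", "pid": 4321, "image": r"C:\Windows\System32\mmc.exe",
     "loaded": r"C:\Windows\System32\apds.dll"},
    {"id": 3, "type": "file_create", "pid": 4321, "image": r"C:\Windows\System32\mmc.exe",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\IE\K1LZ0P9Q\redirect[1].htm"},
    {"id": 4, "type": "process_create", "pid": 5555, "image": r"C:\Windows\System32\mmc.exe",
     "cmdline": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\eventvwr.msc'},
    {"id": 5, "type": "image_load", "pid": 6000, "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\apds.dll"},
]

# An .msc argument, quoted or unquoted.
MSC_ARG = re.compile(r'"([^"]+\.msc)"|(\S+\.msc)', re.IGNORECASE)
# Built-in consoles live here; launching one is routine administration (assumption).
TRUSTED_MSC_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _is_mmc(event) -> bool:
    return event["image"].lower().endswith("\\mmc.exe")


def msc_arguments(cmdline: str) -> List[str]:
    """Return every .msc path passed on the command line (quoted or not)."""
    return [quoted or bare for quoted, bare in MSC_ARG.findall(cmdline)]


def check_event(event) -> List[str]:
    """Map one event to the indicator names it matches (empty if none)."""
    hits = []
    if not _is_mmc(event):
        return hits
    if event["type"] == "process_create":
        for msc in msc_arguments(event["cmdline"]):
            # A console launched from a user-writable location is the signal.
            if not msc.lower().startswith(TRUSTED_MSC_DIRS):
                hits.append("mmc_msc_from_untrusted_path")
    elif event["type"] == "image_load":
        if event["loaded"].lower().endswith("\\apds.dll"):
            hits.append("apds_dll_loaded_by_mmc")
    elif event["type"] == "file_create":
        p = event["path"].lower()
        if "\\inetcache\\" in p and p.endswith((".htm", ".html")):
            hits.append("inetcache_html_written_by_mmc")
    return hits


def hunt(events) -> Tuple[List[Tuple[int, str]], Dict[int, str]]:
    """Evaluate all events, then rate each mmc.exe process by how many distinct
    indicators it tripped: one is 'review', two or more is 'high'."""
    findings = []
    per_pid = defaultdict(set)
    for ev in events:
        for name in check_event(ev):
            findings.append((ev["id"], name))
            per_pid[ev["pid"]].add(name)
    severity = {pid: ("high" if len(names) >= 2 else "review") for pid, names in per_pid.items()}
    return findings, severity


if __name__ == "__main__":
    found, sev = hunt(EVENTS)
    for item in found:
        print(item)
    print(sev)
```

The third and fourth bullets (RWX allocations and .NET COM object creation inside script engines) need memory or ETW telemetry rather than these three event types, so they are left out here.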

In addition, a vulnerability has been discovered in SolarWinds Serv-U software, where a directory traversal bug allows attackers to read sensitive files on the host machine. This vulnerability, identified as CVE-2024-28995 with a CVSS score of 8.6, has been actively exploited by attackers and highlights the need for rapid patching by users of the affected software.

Also, researchers have disclosed a UEFI vulnerability (CVE-2024-0762, CVSS score 7.5) that affects multiple generations of Intel CPUs, from 14th Gen Raptor Lake to 6th Gen Skylake. This vulnerability allows attackers to execute arbitrary code and gain full system access, which could lead to serious and lasting consequences for affected systems.

Finally, there is a new Rust-based malware called Fickle Stealer, which steals sensitive information from compromised hosts. This malware is distributed via various attack chains and uses a PowerShell script to bypass User Account Control (UAC). Fickle Stealer highlights the need for constant vigilance and proactive security measures to protect devices from such threats.

To reduce the risk of a cyber incident, it is important to ensure, among other things, that systems are provided with the latest updates, that there are clear protocols for information security, for example, and that users are trained to recognize suspicious activity.

WakeUpWednesday june 19 2024

Broadcom has released updates for three vulnerabilities in VMware vCenter. Two vulnerabilities (CVE-2024-37079 and CVE-2024-37080, CVSS score 9.8) are classified as critical and allow remote code execution (RCE). Both are heap overflow vulnerabilities in vCenter’s implementation of DCERPC (Distributed Computing Environment/Remote Procedure Call) which is used to call a function on a remote machine as if it were a local machine.

A new phishing campaign was discovered this week that abuses the Windows Search Protocol to deliver malicious scripts. Attackers use HTML attachments that manipulate the ‘search-ms’ URI to execute batch files. The emails often contain an invoice document in a ZIP archive, which helps to evade detection by antivirus programs. Once the user opens the HTML, they are automatically redirected to a malicious URL or to a clickable link if the auto-redirection fails.

A sophisticated malware campaign uses legitimate but compromised websites to deliver a Windows backdoor called BadSpace. The attack chain includes an infected website, a command-and-control server, and sometimes a fake browser update. If it is the first time a user visits the compromised site, the site collects information about the device, IP address and location, and forwards it to a predetermined domain.

Advice
Monitoring network activities and systems is crucial. It is critical that organizations continually update and monitor their security systems to quickly detect and address unauthorized access attempts.

WakeUpWednesday june 12 2024

Recently, a new phishing kit called ‘V3B’ has emerged that targets customers of 54 major European banks. This kit is promoted on Telegram and uses advanced techniques to avoid detection by anti-phishing tools and search engines. It supports multilingual phishing pages and also allows attackers to communicate with victims in real-time via a chat function.

Another development is the ‘Commando Cat’ cryptojacking attack campaign, which takes advantage of exposed Docker Remote API servers to deploy cryptocurrency miners. This attack campaign uses Docker images from the open-source Commando project and uses chroot to break out of the container and gain access to the host system. This highlights the importance of securing container configurations and APIs.

The Muhstik botnet, known for its DDoS attacks, exploits a recently patched security vulnerability in Apache RocketMQ. This botnet, which mainly targets IoT devices and Linux servers, can take over vulnerable servers and thus expand its reach. It is crucial that organizations update their systems to the latest versions to mitigate these threats.

PHP for Windows recently patched a critical RCE vulnerability that affects all versions since 5.x. This vulnerability was due to a flaw in the handling of character encoding conversions and could be exploited if PHP was used in CGI mode or if the PHP executables were accessible to the web server. More information on this vulnerability can be found in our blog.

Furthermore, malicious VSCode extensions have been discovered with millions of installations. These extensions can collect sensitive data without being detected by standard endpoint detection and response (EDR) tools. It is essential that developers check their extensions for potential threats and use only trusted sources for their development tools.

A proof-of-concept (PoC) exploit for a Veeam Backup Enterprise Manager authentication bypass flaw (CVE-2024-29849) is now publicly available. An update is available. In addition, mitigating measures have been published.

Finally, Zyxel has released an emergency update for critical vulnerabilities in older NAS devices that have reached end of life. This patch addresses three critical vulnerabilities that could lead to remote code execution (RCE).

WakeUpWednesday june 5 2024

Fake browser updates are currently used to spread malware such as BitRAT and Lumma Stealer infostealers. The attack chain begins when potential targets visit a rogue website containing JavaScript code. This code is designed to redirect users to a fake browser update page. This page contains a zip file hosted on Discord. This file is automatically downloaded to the victim’s device.

A recent analysis by Bitdefender has uncovered more than 50,000 dangerous links spreading malware, phishing campaigns and spam over the past six months. These attacks often use Discord as an attack vector.

AI startup Hugging Face recently reported a security breach in which unauthorized access to its Spaces platform was detected. Hugging Face says it has already revoked the authentication tokens found in the compromised data and notified those affected by email. All Hugging Face Spaces users are advised to renew their tokens and move to fine-grained access tokens, giving organizations more control over who has access to their AI models.

Furthermore, the RedTail crypto-mining malware actively abuses vulnerabilities in Palo Alto Networks firewalls. The addition of the PAN-OS vulnerability to its toolkit has been accompanied by updates to the malware, which now includes new anti-analysis techniques, according to Akamai findings.

The Cybersecurity & Infrastructure Security Agency (CISA) has added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including a Linux kernel privilege escalation flaw. The first vulnerability, CVE-2024-1086, was first reported in January 2024 as a use-after-free issue in the netfilter nf_tables component. The second critical vulnerability is CVE-2024-24919, an information disclosure vulnerability that affects Check Point VPN devices.

Snowflake, together with security companies CrowdStrike and Mandiant, has issued a statement regarding the investigation into a targeted campaign against some Snowflake customer accounts. For users of the platform, it is important to enforce multi-factor authentication on all accounts and to set network policies that allow only authorized users or traffic from authorized locations. In addition, it is wise to reset login details and change them periodically.

WakeUpWednesday may 29 2024

Several new cybersecurity threats emphasize the need for security professionals to stay alert. A critical vulnerability in the Replicate AI platform allowed attackers to gain unauthorized access to the AI prompts and results of all Replicate platform customers. This could result in the execution of malicious AI models, and malicious parties could also gain access to customer data, according to research by cloud security company Wiz.

Security researchers at Horizon3 have released a proof-of-concept (PoC) exploit for a critical vulnerability in Fortinet’s Security Information and Event Management (SIEM) solution, which was patched in February. This vulnerability, CVE-2024-23108, is a command injection vulnerability that allows remote command execution as root without requiring authentication.

Ivanti has patched critical remote code execution vulnerabilities in their Endpoint Manager, where SQL injection vulnerabilities allowed an unauthenticated attacker within the same network to execute code. This concerns CVE-2024-29822 to CVE-2024-29827 (CVSS scores: 9.6).

Adversaries are using code from a Python clone of Microsoft’s Minesweeper game to hide malicious scripts in attacks on European and US financial organizations. The legitimate code is used to hide Python scripts that download and install SuperOps RMM. SuperOps RMM is legitimate remote management software that gives the malicious actors direct access to the compromised systems.

ShrinkLocker, a new ransomware, creates a new boot partition to encrypt corporate systems using Windows BitLocker. ShrinkLocker, so named because it creates a boot volume by shrinking available non-boot partitions, has been used to attack a government agency and companies in the vaccine and manufacturing sectors.

Cybersecurity researchers at Elastic Security Labs have discovered a new cryptojacking campaign that uses vulnerable drivers to disable known security solutions (EDRs) and thwart detection in a so-called Bring Your Own Vulnerable Driver (BYOVD) attack. The primary payload, called GHOSTENGINE, uses vulnerable drivers to disable EDRs in cryptojacking attacks.

Finally, there is an infostealer malware, Gipy, which masquerades as an AI voice generator app, tricking users into downloading malicious files. Kaspersky research shows that Gipy malware, once delivered, allows adversaries to steal data, mine cryptocurrency and install additional malware on the victim’s system.

WakeUpWednesday may 22 2024

This WakeUp Wednesday focuses on a critical vulnerability in Fluent Bit, known as CVE-2024-4323 and ‘Linguistic Lumberjack’. This vulnerability has consequences for all major cloud providers. Exploiting the vulnerability can lead to denial-of-service (DoS) and possibly remote code execution (RCE) attacks. It is critical that systems are updated to Fluent Bit version 3.0.4, which resolves this vulnerability.

In addition, a new variant of the BiBi Wiper malware has been discovered that destroys the disk partition table. This makes data recovery more difficult and increases downtime for affected victims.

Furthermore, a critical vulnerability has been discovered in the llama_cpp_python Python package that can be exploited by attackers to achieve arbitrary code execution. The flaw, known as CVE-2024-34359 (CVSS score: 9.7), has been codenamed Llama Drama by software vendor Checkmarx. llama_cpp_python is a popular package with over 3 million downloads to date, which allows developers to integrate AI models with Python.

Finally, a coordinated campaign has been observed using legitimate services such as GitHub and FileZilla to deliver a range of malware and banking Trojans such as Atomic, Vidar, Lumma and Octo.

WakeUpWednesday may 15 2024

Critical vulnerabilities in Telit Cinterion mobile modems could allow remote attackers to execute arbitrary code via SMS, Kaspersky research shows. These vulnerabilities include critical flaws that allow remote code execution and unauthorized escalation of privilege. This poses risks to integrated communications networks and IoT devices. The vulnerabilities are registered as CVE-2023-47610 through CVE-2023-47616, with CVE-2023-47610 having a CVSS score of 9.8. Organizations using these modems are advised to ask the telecom provider to disable sending text messages to the device.

Last Thursday, Google released security updates to fix a zero-day flaw in Chrome that was being actively exploited. The critical vulnerability, registered as CVE-2024-4671, has been described as a use-after-free case in the Visuals component. Use-after-free bugs, which occur when a program references a memory location after it has been deallocated, can have a variety of consequences, ranging from a crash to arbitrary code execution.

Researchers at Leviathan Security Group have described a Virtual Private Network (VPN) bypass technique called TunnelVision. This way, attackers can eavesdrop on the victim’s unencrypted network traffic just by being on the same local network, while appearing to the user as if they are using a secure VPN connection. The “decloaking” method has been assigned CVE number CVE-2024-3661 (CVSS score: 7.6). This bypass technique affects all operating systems that implement a DHCP client and provides support for DHCP option 121 routes. At its core, TunnelVision involves routing traffic without encryption through a VPN using an attacker-configured DHCP server that uses the classless static route option 121 to set a route in the VPN user’s routing table. It also stems from the fact that the DHCP protocol does not authenticate such option messages, leaving them open to manipulation.
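To make the option 121 mechanism concrete from the defender's side, the following added example (not from Leviathan's research or the original post) decodes a DHCP option 121 value as the RFC 3442 wire format defines it and flags routes that would pull traffic around a VPN tunnel; the sample bytes and the "site prefix" heuristic are constructed assumptions.

```python
"""Decode a DHCP option 121 (RFC 3442 classless static routes) value and
flag entries that would route traffic around a VPN tunnel, the mechanism
TunnelVision relies on. Added example; the sample bytes are constructed."""
import ipaddress
from typing import List, NamedTuple, Tuple


class StaticRoute(NamedTuple):
    destination: ipaddress.IPv4Network
    router: ipaddress.IPv4Address


def parse_option_121(data: bytes) -> List[StaticRoute]:
    """Decode the raw option value into routes.

    Each entry is: one byte prefix length (0-32), then only the significant
    destination octets (ceil(prefix/8) of them), then a 4-byte router.
    Raises ValueError on a truncated or malformed entry.
    """
    routes: List[StaticRoute] = []
    pos = 0
    while pos < len(data):
        prefix_len = data[pos]
        pos += 1
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        n_octets = (prefix_len + 7) // 8
        if pos + n_octets + 4 > len(data):
            raise ValueError("truncated option 121 entry")
        # Pad the significant octets back out to a full 4-byte address.
        dest_bytes = bytes(data[pos:pos + n_octets]) + b"\x00" * (4 - n_octets)
        pos += n_octets
        router = ipaddress.IPv4Address(bytes(data[pos:pos + 4]))
        pos += 4
        # strict=False masks any host bits a sloppy or hostile server left set.
        dest = ipaddress.IPv4Network((dest_bytes, prefix_len), strict=False)
        routes.append(StaticRoute(dest, router))
    return routes


def covered_fraction(routes: List[StaticRoute]) -> float:
    """Fraction of the IPv4 space the option 121 routes claim, with
    overlapping and adjacent prefixes merged first."""
    merged = ipaddress.collapse_addresses(r.destination for r in routes)
    return sum(n.num_addresses for n in merged) / 2 ** 32


# Assumption: legitimate option 121 use describes on-site (RFC 1918) prefixes.
SITE_PREFIXES = [ipaddress.IPv4Network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_site_prefix(net: ipaddress.IPv4Network) -> bool:
    return any(net.subnet_of(site) for site in SITE_PREFIXES)


def assess(routes: List[StaticRoute]) -> List[Tuple[StaticRoute, str]]:
    """Return (route, reason) pairs for entries that look like a hijack.

    A default route, or a broad public prefix, installed on the physical
    interface is more specific than the VPN's default route and therefore
    wins, so the matching traffic never enters the tunnel.
    """
    findings = []
    for r in routes:
        if r.destination.prefixlen == 0:
            findings.append((r, "default route pushed via option 121"))
        elif not is_site_prefix(r.destination) and r.destination.prefixlen < 16:
            findings.append((r, "broad public prefix routed outside the tunnel"))
    return findings


# Constructed sample: two /1 routes (together covering all of IPv4) plus a
# legitimate on-site /24. The two /1s are the classic TunnelVision pattern.
SAMPLE_OPTION_121 = (
    bytes([1, 0x00]) + bytes([192, 168, 1, 254])          # 0.0.0.0/1   via .254
    + bytes([1, 0x80]) + bytes([192, 168, 1, 254])        # 128.0.0.0/1 via .254
    + bytes([24, 10, 20, 30]) + bytes([192, 168, 1, 1])   # 10.20.30.0/24 via .1
)

if __name__ == "__main__":
    parsed = parse_option_121(SAMPLE_OPTION_121)
    for route in parsed:
        print(f"{str(route.destination):<18} via {route.router}")
    print(f"IPv4 space claimed by option 121: {covered_fraction(parsed):.0%}")
    for route, reason in assess(parsed):
        print(f"SUSPICIOUS {route.destination}: {reason}")
```

The same parser can be pointed at option 121 bytes captured from a real DHCP offer (for example exported from a packet capture) to audit what a network pushes into clients' routing tables.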

WakeUpWednesday may 8 2024

Research by Symantec shows that malicious parties are increasingly using Microsoft Graph API to evade detection. According to the researchers, this is done to facilitate communication with the command-and-control (C&C) infrastructure hosted on Microsoft cloud services. The popularity of the Graph API may be driven by the belief that traffic to known entities, such as commonly used cloud services, is less likely to arouse suspicion. In addition, it is also a cheap and secure source of infrastructure for malicious parties, because basic accounts for services such as OneDrive are free.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability for GitLab to the Known Exploited Vulnerabilities (KEV) catalog, due to active exploitation in the wild. The vulnerability, CVE-2023-7028 (CVSS score: 10.0), could allow attackers to compromise accounts by sending password reset emails to an unverified email address. GitLab, which announced details of the flaw earlier in January, said it was introduced as part of a code change in version 16.1.0 on May 1, 2023. The vulnerability was fixed in GitLab versions 16.5.6, 16.6.4, and 16.7.2, and the patches have also been backported to versions 16.1.6, 16.2.9, 16.3.7 and 16.4.5.

HPE Aruba Networking has released its April 2024 security advisory detailing critical remote code execution (RCE) vulnerabilities. These affect multiple versions of ArubaOS, the proprietary network operating system. The advisory lists ten vulnerabilities, four of which are unauthenticated buffer overflow issues that could lead to remote code execution (RCE). These vulnerabilities are critical, with a CVSS score of 9.8. The four critical vulnerabilities have CVE numbers: CVE-2024-26305, CVE-2024-26304, CVE-2024-33511, and CVE-2024-33512.

The vulnerabilities impact: Mobility Conductor (formerly Mobility Master), Mobility Controllers and WLAN Gateways and SD-WAN Gateways managed by Aruba Central and are present in the following software versions:

  • ArubaOS 10.5.1.0 and lower
  • ArubaOS 10.4.1.0 and lower
  • ArubaOS 8.11.2.1 and lower, and
  • ArubaOS 8.10.0.10 and lower

The vulnerabilities also affect ArubaOS and SD-WAN software versions that have reached end of maintenance (EoL) status:

  • ArubaOS 10.3.x.x
  • ArubaOS 8.9.x.x
  • ArubaOS 8.8.x.x
  • ArubaOS 8.7.x.x
  • ArubaOS 8.6.x.x
  • ArubaOS 6.5.4.x
  • SD-WAN 8.7.0.0-2.3.0.x, and
  • SD-WAN 8.6.0.4-2.2.x.x

WakeUpWednesday may 1 2024

According to a report by The Shadowserver Foundation, systems in the Netherlands are still vulnerable to the critical vulnerability in CrushFTP. By exploiting the vulnerability, attackers can bypass authentication for admin accounts and gain full remote code execution. A patch is available; it is recommended to install it as soon as possible.

Rhino Security Labs has discovered a critical vulnerability in Progress Flowmon, a tool used for network monitoring and analysis. This vulnerability, CVE-2024-2389, has a CVSS score of 10. Exploitation of this vulnerability allows attackers to remotely execute unauthorized commands via a specially crafted API request. This way they can access the Flowmon web interface and then execute arbitrary system commands there.

Furthermore, a warning has been issued about two zero-day vulnerabilities in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls that are actively being exploited. The vulnerabilities have been identified as CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution). A patch is available; it is recommended to install it as soon as possible.

Okta is warning of a spike in both the size and frequency of credential stuffing attacks targeting its identity and access management solutions. A number of customer accounts were breached in the attacks. Adversaries use credential stuffing to compromise user accounts by automatically trying lists of usernames and passwords, typically purchased from cybercriminals.

Research by independent security expert Pierre Barre disclosed 18 vulnerabilities in the Brocade SANnav storage area network (SAN) management application. The vulnerabilities impact all versions up to and including 2.3.0. The issues range from incorrect firewall rules, insecure root access, and incorrect Docker configurations to a lack of authentication and encryption, which could allow a malicious actor to intercept credentials, overwrite arbitrary files, and gain full access to the device. Hewlett Packard Enterprise also shipped patches for a subset of these vulnerabilities in HPE SANnav Management Portal versions 2.3.0a and 2.3.1 as of April 18, 2024.

WakeUpWednesday april 24 2024

CrushFTP warns users about a critical vulnerability that is currently being actively exploited by malicious actors. By exploiting the vulnerability, an unauthenticated attacker can move outside the virtual file system (VFS) and download system files. Systems that use a DMZ perimeter network for their CrushFTP instance are not currently vulnerable. Patches are available.

Furthermore, Palo Alto has published an update regarding the vulnerability in Palo Alto PAN-OS. The vulnerability is a combination of two flaws in the PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 versions of the software. The first was that the GlobalProtect service did not sufficiently validate the session ID format before saving it. This allowed an attacker to save an empty file with a file name chosen by the attacker. The second was that the system then used the names of those generated files as part of a command.

A vulnerability in GitHub is being exploited by malicious parties to spread malware. This distribution takes place via URLs associated with a Microsoft repository, making the files appear trustworthy. While most of the malware activity is based on the Microsoft GitHub URLs, this capability can be exploited with any public repository on GitHub.

Currently, LastPass users are actively being approached by malicious parties with a telephone phishing (voice phishing) campaign in an attempt to steal their login details. After telephone contact with a person posing as a helpdesk employee, an email is sent to the victim with a link that refers to a phishing site. When the LastPass user enters their details here, the malicious party will try to log in with these details and adjust the settings. According to Lookout researchers, this attack uses CryptoChameleon, advanced software that is also associated with crypto theft.

WakeUpWednesday april 17 2024

Palo Alto has released patches for a critical vulnerability in the PAN-OS GlobalProtect Gateway. The vulnerability (CVE-2024-3400, CVSSv4 score 10) allows an unauthenticated attacker to remotely execute arbitrary code and is currently being actively exploited. The patches currently available are updates for versions PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1 and PAN-OS 11.1.2-h3. Patches for other versions are expected shortly. A T-Update was recently published about this; more information can be found in our blog.

Telegram recently patched a zero-day vulnerability in its Windows desktop application. Exploiting this vulnerability allowed an attacker to bypass security warnings and automatically launch Python scripts. The vulnerability has now been addressed by adding the .untrusted extension to .pyzw files on the server side; when such a file is clicked, Windows asks which program should open it instead of automatically starting it in Python.

Phylum researchers have discovered that “test files” related to the vulnerability in XZ Utils (liblzma-sys) have also been found in a Rust crate. liblzma-sys, which has been downloaded more than 21,000 times to date, provides Rust developers with bindings to the liblzma implementation, an underlying library that is part of the XZ Utils data compression software. The affected version in question is 0.3.2. The test files themselves are not included in the .tar.gz or .zip tags on GitHub and are only present in liblzma-sys_0.3.2.crate installed from crates.io.

Finally, the Rust project has released an update to its standard library. This comes after it was revealed that a specific function used to run batch files on Windows systems could be exploited via an injection flaw. The set of common features of the Rust programming language, known as the Standard Library, provides the ability – among many other capabilities – to run Windows batch files via the Command API. However, the function did not process the input to the API strictly enough and did not prevent the possibility of injecting code into the execution.

WakeUpWednesday april 10 2024

Approximately 16,500 Ivanti Connect Secure and Policy Secure gateways that connect to the public Internet are likely vulnerable to a Remote Code Execution (RCE) vulnerability. The vulnerability is registered as CVE-2024-21894 and involves a severe heap overflow in the IPSec component of Ivanti Connect Secure 9.x and 22.x. By exploiting this vulnerability, attackers could potentially cause Denial of Service (DoS) or achieve RCE by sending specially crafted requests.

More than 92,000 D-Link NAS devices are vulnerable to arbitrary command injection and a hardcoded backdoor that, when combined, could allow an attacker to remotely execute code on the device. The vulnerability is registered as CVE-2024-3273. No patches are available because the vulnerable devices are in End Of Life (EOL) status. The advice is to replace the devices with newer types. If that is not possible, it is recommended to at least install the latest available updates.

Proofpoint researchers, together with the Team Cymru research team, investigated Latrodectus malware. Latrodectus is a downloader whose purpose is to download payloads and execute arbitrary commands. This malware was believed to be an evolved version of IcedID-loader. Further analysis revealed that Latrodectus is new malware that, based on the characteristics of the analyzed sample and the functionality of the malware, was written by the same developers as IcedID.

Wiz research has found that AI-as-a-Service providers are susceptible to two major risks that could allow adversaries to escalate their privileges, gain cross-tenant access to other customers’ models, and even take over CI/CD pipelines. For example, malicious parties can take over the CI/CD pipeline to carry out a supply chain attack.

Adversaries have used Facebook ads and hijacked pages to promote fake AI services such as MidJourney, OpenAI’s SORA and ChatGPT-5, and DALL-E. The purpose of these ads and pages is to infect unsuspecting users with password-stealing malware. Users tricked by the ads join fraudulent Facebook communities. However, the community posts often promote temporary access to upcoming and highly anticipated AI services, tricking users into downloading malicious executables that infect Windows computers with infostealers such as Rilide, Vidar, IceRAT, and Nova.

WakeUpWednesday april 3 2024

Red Hat warns of a code injection vulnerability in XZ Utils, the compression utility for the XZ format included in Unix-like operating systems such as Linux. The vulnerability (CVE-2024-3094, with a CVSS score of 10.0) affects XZ Utils versions 5.6.0 and 5.6.1, which shipped in Fedora Linux 40 beta and Fedora Rawhide. The code injection (CVE-2024-3094) injects code into the authentication process that allows malicious actors to gain remote access to the system. Users are advised to downgrade the tool to a more secure version or disable SSH completely. More information about this vulnerability can be read in our blog.

Cisco warns of password-spraying attacks on VPN services. These initially targeted firewalls and SSLVPN devices from Fortinet, Palo Alto, WatchGuard, SonicWall and Cisco, but have been expanded to include web apps that use Active Directory for authentication. Cisco has published mitigating measures. According to a researcher, based on, among other things, the attack pattern, the attacks appear to be related to the Brutus botnet.

Apple macOS users are currently being targeted by two different infostealer variants. Both have the same goal, which is to steal sensitive user information. The infostealers are spread via fake websites and malicious advertisements. One of the attack chains targets users who search for Arc Browser via search engines such as Google and are then presented with a rogue ad. This advertisement then directs the user to look-alike sites offering the malware. The fake site cannot be accessed directly, but only via a generated sponsored link.

A vulnerability in the wall command of the util-linux package that is part of the Linux operating system could allow an unauthorized attacker to steal passwords or modify the victim’s clipboard. The vulnerability is registered as CVE-2024-28085, is called WallEscape and has been present in every version of the package for the past 11 years, up to and including 2.40 which was released yesterday.

WakeUpWednesday march 27 2024

Researchers at the National Cyber Security Center (NCSC) in the UK have published a proof-of-concept (PoC) exploit for a critical vulnerability in Fortinet’s FortiClient Enterprise Management Server (EMS) software that is currently being actively exploited. This vulnerability (CVE-2023-48788, with a CVSS score of 9.3) affects FortiClient EMS versions 7.0 (7.0.1 through 7.0.10) and 7.2 (7.2.0 through 7.2.2). Patches are available; the advice is to install them as soon as possible.

Tenable researchers have published details about a now patched vulnerability in Amazon Web Services (AWS) Managed Workflows for Apache Airflow (MWAA). By exploiting this vulnerability, an attacker could hijack sessions and execute remote code on the underlying instances.

Finally, there is news about a new series of StrelaStealer phishing attacks. StrelaStealer focuses on stealing credentials from Outlook email accounts, among others. Researchers from Unit 42 indicate that this wave of attacks is impacting more than 100 organizations in both the EU and the US. In an attempt to avoid detection, the malicious actors change the initial file format of the email attachments. Instead of the previously used ISO files, ZIP files are now used and, among other things, PDB strings are removed to evade detection by tools that use static signatures.

WakeUpWednesday march 20 2024

G Data researchers have found a number of GitHub repositories offering cracked software used to deliver the RisePro infostealer. This infostealer has new string encryption and a custom MSI installer that crashes reverse-engineering tools such as IDA. The campaign includes at least 13 repositories linked to 11 different accounts. The repositories in question have now been removed.

In addition, Netskope researchers have discovered that malicious parties are spreading the AZORult infostealer via rogue Google Sites pages. This uses an unorthodox HTML smuggling technique where the malicious payload is embedded in a separate JSON file hosted on a third-party website.

Research by IBM X-Force shows that the Russia-linked threat actor APT28 can be linked to several active phishing campaigns. These campaigns use documents that resemble those of several organizations and government institutions in Europe, among others. These documents are a mix of internal and publicly available documents, as well as possible documents generated by the malicious actor. The documents relate to finance, critical infrastructure, cybersecurity, maritime security and healthcare, among others. Other actions by this attacker involve exploiting vulnerabilities in Microsoft Outlook, including CVE-2023-23397, with a CVSS score of 9.8.

Cyble researchers say they saw an increase in attempts to exploit CVE-2024-23334 by ransomware group ShadowSyndicate in March. The vulnerability concerns a directory traversal vulnerability located in the aiohttp Python library. Aiohttp is an open source library built on top of Python’s asynchronous I/O framework, Asyncio.

WakeUpWednesday march 13 2024

Magnet Goblin is a financially motivated hacking group that quickly exploits 1-day vulnerabilities to compromise Internet-accessible servers and install malware. They take advantage of the time between the supplier publishing a patch for a vulnerability and the actual patching of the vulnerability by organizations. Check Point has analyzed their tactics and warns about their quick response time to new Proof of Concepts (PoCs). In some cases, vulnerabilities are already exploited the day after a Proof of Concept is published.

Cisco has released patches to resolve a vulnerability in its Secure Client software. The vulnerability, CVE-2024-20337, has a CVSS score of 8.2 and allowed an attacker to perform a Carriage Return Line Feed (CRLF) injection attack on a user. Successfully exploiting the vulnerability could allow an attacker to execute arbitrary script code in the browser or access sensitive, browser-based information.

QNAP warns of vulnerabilities in its NAS software products. The vulnerabilities (CVE-2024-21899, CVE-2024-21900, and CVE-2024-21901) impact several versions of QNAP operating systems, including QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x and the myQNAPcloud 1.0.x service. Exploiting the vulnerabilities could allow attackers to gain access to these devices. The vulnerabilities concern an authentication bypass, command injection and SQL injection. Patches have been made available by QNAP.

Technical details and a proof-of-concept (PoC) exploit have been made available for a recently disclosed critical vulnerability in Progress Software OpenEdge Authentication Gateway and AdminServer. Adversaries can exploit this vulnerability to bypass authentication protections. The vulnerability, CVE-2024-1403, has a CVSS score of 10. This vulnerability affects OpenEdge versions 11.7.18 and earlier, 12.2.13 and earlier, and 12.8.0.

WakeUpWednesday march 6 2024

Avast research shows that hacker group Lazarus is exploiting the recently patched privilege escalation flaw in the Windows kernel to gain access at the kernel level. After gaining access, they can disable the security software on the compromised systems. The exploited vulnerability is CVE-2024-21338 with a CVSS score of 7.8. Exploitation of this vulnerability can allow an attacker to gain system privileges. The vulnerability was fixed earlier this month as part of the Patch Tuesday updates.

Research by JPCERT/CC shows that Lazarus uploaded four packages to the Python Package Index (PyPI) repository, with the aim of infecting development systems with malware. The packages have now been removed. These are pycryptoenv, pycryptoconf, quasarlib and swapmempool. These have together been downloaded 3,269 times, with pycryptoconf accounting for the most downloads with 1,351. The package names pycryptoenv and pycryptoconf are similar to pycrypto, a Python package used for encryption algorithms in Python.

Security vendor JFrog has discovered 100 malicious artificial intelligence (AI)/machine learning (ML) models in the Hugging Face platform. These models also include cases where loading a pickle file leads to code execution. The model’s payload gives the attacker a shell on the compromised system, allowing them to take full control of their victims’ machines.
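Pickle-based model files can name any importable callable and have it invoked on load, which is why loading one is equivalent to running code. The following added example (not from JFrog's research or the original post) lists those imports statically with Python's pickletools, without unpickling anything; the allowlist and the sample objects are constructed assumptions, and the sample's callable (platform.system) is deliberately harmless.

```python
"""List the imports a pickle stream would perform when loaded, without
unpickling it, and flag anything outside an allowlist. Added example; the
allowlist and the sample objects are constructed."""
import pickle
import pickletools
import platform
from typing import List, Tuple

# Assumption: top-level modules a legitimate serialized model may reference.
ALLOWED_MODULES = {"collections", "numpy", "torch", "builtins"}

STRING_OPCODES = {
    "STRING", "BINSTRING", "SHORT_BINSTRING",
    "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8",
}
# Opcodes that call something during load; harmless only if the callee is trusted.
CALL_OPCODES = {"REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def referenced_globals(data: bytes) -> List[Tuple[str, str]]:
    """Return (module, name) for every GLOBAL / STACK_GLOBAL in the stream.

    GLOBAL carries "module name" inline; STACK_GLOBAL (protocol 4+) takes
    them from the two most recently pushed strings, which is tracked here
    without emulating the full pickle machine (MEMOIZE/PUT are skipped).
    """
    found: List[Tuple[str, str]] = []
    recent_strings: List[str] = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in STRING_OPCODES:
            recent_strings.append(arg)
        elif opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                raise ValueError("STACK_GLOBAL without preceding module/name strings")
            found.append((recent_strings[-2], recent_strings[-1]))
    return found


def scan_pickle(data: bytes, allowed=ALLOWED_MODULES) -> List[str]:
    """Return findings for imports outside the allowlist; an empty list means clean."""
    findings = []
    calls = {op.name for op, _, _ in pickletools.genops(data)} & CALL_OPCODES
    for module, name in referenced_globals(data):
        if module.split(".")[0] not in allowed:
            msg = f"imports {module}.{name}"
            if calls:
                msg += " and invokes it on load via " + ", ".join(sorted(calls))
            findings.append(msg)
    return findings


class _Rebuilt:
    """Stand-in for a 'model' whose __reduce__ names an arbitrary callable.
    platform.system is deliberately harmless; the point is that the loader
    would call whatever is named here, with whatever arguments are stored."""

    def __reduce__(self):
        return (platform.system, ())


# Constructed samples: the same suspicious object in protocol 4 (STACK_GLOBAL)
# and protocol 2 (GLOBAL), plus a clean pickle containing only plain data.
SUSPICIOUS_PICKLE = pickle.dumps(_Rebuilt(), protocol=4)
LEGACY_PICKLE = pickle.dumps(_Rebuilt(), protocol=2)
CLEAN_PICKLE = pickle.dumps({"weights": [0.25, -1.5], "bias": 0.1}, protocol=4)

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_PICKLE), ("clean", CLEAN_PICKLE)):
        print(label, scan_pickle(blob) or "no findings")
```

Scanning a file means calling scan_pickle on its bytes; for formats that wrap a pickle in a ZIP archive, scan each pickled member separately.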

WakeUpWednesday february 28 2024

ConnectWise has fixed vulnerabilities in ScreenConnect. ScreenConnect is remote support software that provides remote access to internal systems. An unauthorized attacker can exploit these vulnerabilities to create a new administrator account and/or initiate remote code execution, with all the associated risks. More information about the vulnerabilities and the measures to be taken can be found in our blog.

Researchers are currently seeing a spike in email phishing campaigns that abuse the Google Cloud Run service to spread various banking Trojans in Europe and elsewhere. Researchers at Cisco Talos revealed that the infection chains associated with these malware families use malicious Microsoft Installers (MSIs) that act as droppers or downloaders for the final malware payload(s).

The malicious parties behind the LockBit ransomware group are active again. Last week, much of their infrastructure was taken down by law enforcement agencies. Because the backups were not seized by the authorities, LockBit is now back with new infrastructure and a new .onion address for publishing victims.

We believe it is important to inform organizations about trends and developments in the field of cybersecurity. Tesorion is one of the participants in the Project Melissa partnership, which was founded in the fight against ransomware attacks. Last week, Project Melissa presented the report ‘Jaarbeeld Ransomware 2023‘. This Annual Report provides insight into ransomware attacks in the Netherlands and was drawn up with anonymized data provided by affiliated cybersecurity companies, the police, the Public Prosecution Service and the NCSC. This annual report shows, among other things, that 58 percent of Dutch victims did not have a backup.

WakeUpWednesday february 14 2024

Fortinet recently published two advisories. The first describes CVE-2024-21762. This vulnerability allows an unauthenticated, remote attacker to execute arbitrary code via the FortiOS SSL VPN interface using specifically crafted requests. In the second advisory, CVE-2024-23113 is described. This vulnerability in the FortiOS FortiGate-to-FortiManager (FGFM) interface could also allow an unauthenticated, remote attacker to execute arbitrary code or commands via specially crafted requests. Both vulnerabilities have a CVSS score of 9.8 and are already being exploited in the wild. No public exploit code is currently available for either of the vulnerabilities. More information is available via the blog.

Ivanti has disclosed a new vulnerability that affects Connect Secure, Policy Secure and ZTA gateways. This new vulnerability, CVE-2024-22024, has a CVSS score of 8.3. This vulnerability allows attackers to access protected resources without authentication. There is no indication that this vulnerability is currently being exploited, unlike the previously published vulnerabilities CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893. The January 31 mitigation also provides protection against CVE-2024-22024, and patches are now available. We recommend installing these patches as soon as possible.

New macOS malware written in Rust is currently being distributed. This pretends to be a Visual Studio Update. The malware, called RustDoor, provides a backdoor to affected systems. RustDoor can run on Intel-based (x86_64) and ARM (Apple Silicon) architectures, say researchers at cybersecurity firm Bitdefender. The macOS backdoor is offered under various names, including ‘zshrc2,’ ‘Previewers,’ ‘VisualStudioUpdater,’ ‘VisualStudioUpdater_Patch,’ ‘VisualStudioUpdating,’ ‘visualstudioupdate,’ and ‘DO_NOT_RUN_ChromeUpdates’. The malware contains a wide range of commands to upload files, collect files and collect information about the endpoint, among other things.

WakeUpWednesday february 7 2024

We start this WakeUp Wednesday with the attack on software company AnyDesk. AnyDesk, maker of remote desktop software, indicates that a security audit revealed that production systems have been compromised. All security-related certificates have been revoked and the systems have been repaired or replaced where necessary. The code signing certificate for the binaries will also soon be revoked and replaced by a new copy. As a precaution, the passwords for the web portal have also been revoked and users are asked to change the password there if they use the same password in other places as well.

Snyk researchers have discovered four critical vulnerabilities in container engine components. These four vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23653 and CVE-2024-23652) are together called ‘Leaky Vessels’. The vulnerability requiring the most urgent attention is CVE-2024-21626, with a CVSS score of 8.6. This vulnerability impacts runc, the lightweight container runtime for Docker and other container environments. Exploiting this vulnerability could allow an attacker to gain unauthorized access to the underlying host operating system and potentially anything else running on the same host. BuildKit, runc and Docker have released updates that fix the vulnerabilities. CISA encourages cloud system administrators to quickly take appropriate measures to prevent exploitation of the vulnerability.

A critical vulnerability in the social media network Mastodon allows Mastodon accounts to be taken over remotely. The vulnerability, CVE-2024-23832, has a CVSS score of 9.4. A security update has now been released to resolve the vulnerability. Technical details about the vulnerability will be released on February 15. This gives administrators the opportunity to install the available update before the details are known and the risk of exploitation increases.

WakeUpWednesday january 31 2024

Cisco has announced that its Unified Communications and Contact Center Solutions products are vulnerable to a critical vulnerability (CVE-2024-20253). This vulnerability allows an attacker to remotely execute code and gain root access to the affected device. The vulnerability has a CVSS score of 9.9. We recommend installing the available patches as soon as possible.

Fortinet researchers have discovered new malicious packages in the open-source Python Package Index (PyPI). The malware infects Windows systems with an infostealer called WhiteSnake Stealer. The packages are called nigpal, telerer, seGMM, myGens, NewGends and TestLibs111. Depending on the operating system of the victim’s device, the malware is executed when the aforementioned Python packages are installed.

Two weeks ago, our WakeUp Wednesday covered two critical vulnerabilities in GitLab (CVE-2023-7028 and CVE-2023-5356). GitLab is now once again warning of a vulnerability (CVE-2024-0402) that could allow an authenticated attacker to write files to arbitrary locations on the GitLab server when creating a workspace. The vulnerability has a CVSS score of 9.9 and is fixed in GitLab 16.6.6, 16.7.4 and 16.8.1. The fix has also been backported to version 16.5.8. We recommend installing the update as soon as possible.

Finally, the AIVD warns against the use of Quantum Key Distribution (QKD). This method of exchanging encryption keys would be insecure because there is no guarantee that the quantum channels will not be eavesdropped or manipulated by third parties. According to the AIVD, the QKD technology is unusable in most cases because there are various limitations in applying the technology. For example, special hardware is required and there is a limited range because QKD systems use a direct fiber optic connection or light signals. The range is therefore no greater than a few hundred kilometers.

WakeUpWednesday january 24 2024

An increase in attacks has been noted that exploit the Ivanti Connect Secure and Ivanti Policy Secure vulnerabilities. These vulnerabilities allow attackers to gain access to sensitive information and systems. The latest information regarding these vulnerabilities (CVE-2023-46805 and CVE-2024-21887) can be found in our blog. There are currently no security updates available, but it is possible to take mitigating measures to reduce the risk. Our blog also includes Ivanti’s schedule for releasing the security updates.

Another serious threat is the Apache ActiveMQ vulnerability (CVE-2023-46604), which is being actively exploited by several cyber criminals. The vulnerability in Apache ActiveMQ allows remote code execution. Since it was disclosed, it has been actively exploited by multiple malicious actors to deploy ransomware, rootkits, cryptocurrency miners and DDoS botnets. Researchers at Trustwave are seeing a new Godzilla web shell that disguises itself as an unknown binary format and thus evades detection by security solutions. A patch is available for CVE-2023-46604; it is recommended to install it as soon as possible.

Finally, a warning about an old, but still effective attack technique: abusing TeamViewer to spread ransomware. According to a report from Huntress, it appears that ransomware groups are still using this method to gain access to devices and then deliver their malicious payload. In many cases, this abuse can be prevented by using strong passwords, enabling multi-factor authentication and using TeamViewer only where and when necessary.

WakeUpWednesday january 17 2024

Ivanti Connect Secure VPN contains two vulnerabilities that together pose a serious threat to the security of the system. The first vulnerability (CVE-2023-46805) allows authentication to be bypassed and access to the system without valid credentials. The second vulnerability (CVE-2024-21887) allows commands to be injected and executed on the system. An attacker can manipulate or take over the system’s configuration, files and network connections. It is therefore important to install available updates or restrict access to the system as soon as possible.

Juniper Networks SRX series firewalls and EX series switches have a critical vulnerability (CVE-2024-21591) in the J-Web configuration tool. This vulnerability has a CVSS score of 9.8 and allows remote code execution on the devices without authentication. An attacker can gain root privileges, disable the device, or perform Denial-of-Service (DoS) attacks. It is highly recommended to install the security updates or upgrade Junos OS to the latest version. If that is not possible, disable the J-Web configuration tool as a workaround, or restrict access to it to trusted network hosts only.

GitLab Community and Enterprise have two critical vulnerabilities that allow account hijacking. The first vulnerability (CVE-2023-7028) has a CVSS score of 10 and allows account takeover without user interaction. The second vulnerability (CVE-2023-5356) has a CVSS score of 9.6 and allows exploiting Slack/Mattermost integrations to execute slash commands as a different user. It is recommended to install the updates as soon as possible.

WakeUpWednesday january 10 2024

A new remote code execution vulnerability has been discovered in the Apache RocketMQ NameServer, which was not resolved by the previous patch. This vulnerability, CVE-2023-37582, allows attackers to execute arbitrary code on affected servers. The recommended solution is to upgrade the NameServer to version 5.1.2 or 4.9.7, depending on the release branch in use.
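Both the GitLab entry above (CVE-2024-0402, fixed in 16.5.8, 16.6.6, 16.7.4 and 16.8.1) and this RocketMQ entry (fixed in 5.1.2 and 4.9.7) publish their fixes per release branch. That is exactly where a naive "newer number means patched" check goes wrong: GitLab 16.6.0 sorts above 16.5.8 but does not carry the fix, while 16.5.8 does. The script below is an added example, not code from Tesorion, GitLab or Apache; the fixed-version lists are taken from the two entries, and the host names and inventory are constructed for illustration.

```python
"""Branch-aware 'is this version patched?' check for per-branch fixes.

Added example. The fixed-version lists come from the WakeUp Wednesday
entries on CVE-2024-0402 (GitLab) and CVE-2023-37582 (Apache RocketMQ
NameServer); the inventory at the bottom is constructed sample data.
"""
from __future__ import annotations

# Fixed releases per CVE, as stated in the entries above.
FIXED_VERSIONS: dict[str, list[str]] = {
    "CVE-2024-0402": ["16.5.8", "16.6.6", "16.7.4", "16.8.1"],  # GitLab
    "CVE-2023-37582": ["4.9.7", "5.1.2"],                       # RocketMQ NameServer
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '16.7.4' (optionally with a suffix such as '-ee') into (16, 7, 4).

    Missing trailing components are padded with 0, so '16.8' becomes (16, 8, 0)
    and is treated as older than 16.8.1 rather than silently equal to it.
    """
    core = text.strip().split("-")[0].split("+")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in parts][:3]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_patched(installed: str, cve: str,
               fixed: dict[str, list[str]] = FIXED_VERSIONS) -> bool:
    """Return True if `installed` carries the fix for `cve`.

    Rule: compare against the fixed release on the same (major, minor) branch.
    A branch newer than the newest fixed branch is assumed to include the fix;
    a branch with no fixed release (older than the oldest patched branch, or a
    gap between patched branches) is treated as unpatched.
    """
    inst = parse_version(installed)
    fixed_tuples = sorted(parse_version(v) for v in fixed[cve])
    branch = inst[:2]
    same_branch = [t for t in fixed_tuples if t[:2] == branch]
    if same_branch:
        return inst >= same_branch[0]
    newest_fixed_branch = fixed_tuples[-1][:2]
    return branch > newest_fixed_branch


def find_unpatched(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Given (host, cve, installed_version) rows, return the hosts still exposed."""
    return [host for host, cve, ver in inventory if not is_patched(ver, cve)]


# Constructed sample inventory (host names are made up).
SAMPLE_INVENTORY: list[tuple[str, str, str]] = [
    ("gitlab-prod", "CVE-2024-0402", "16.6.0"),     # newer than 16.5.8, still vulnerable
    ("gitlab-staging", "CVE-2024-0402", "16.7.4"),  # fixed
    ("gitlab-legacy", "CVE-2024-0402", "16.5.8"),   # backported fix
    ("mq-nameserver-1", "CVE-2023-37582", "4.9.6"), # one release short of the fix
    ("mq-nameserver-2", "CVE-2023-37582", "5.1.2"), # fixed
]

if __name__ == "__main__":
    for host, cve, ver in SAMPLE_INVENTORY:
        state = "patched" if is_patched(ver, cve) else "UNPATCHED"
        print(f"{host:16} {cve:15} {ver:8} {state}")
    print("exposed:", find_unpatched(SAMPLE_INVENTORY))
```

The point of the branch lookup is that patch decisions must be made per maintained branch, not by a global ordering: the same script flags GitLab 16.6.0 as exposed while accepting 16.5.8, and flags RocketMQ 4.9.6 while accepting 4.9.7.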

Three malicious Python packages have been found in the open-source Python Package Index (PyPI) repository that install crypto miners on Linux devices. According to research by Fortinet, the packages, modularseven, driftme and catme, are related to a previous campaign that used culturestreak. The packages have now been removed from PyPI.

Multiple implementations of the Kyber key encapsulation mechanism for quantum-safe encryption are vulnerable to a series of flaws collectively called KyberSlash. These could allow recovery of secret keys. Kyber is one of the algorithms selected by NIST (National Institute of Standards and Technology) to resist attacks from quantum computers.

Ivanti has released an update to address a remote code execution vulnerability in its Endpoint Management software (EPM). This vulnerability could allow attackers to gain control of registered devices or the server. The vulnerability, registered as CVE-2023-39336, affects all supported Ivanti EPM versions. A patch is available.
