Security researchers disclosed the details of a series of vulnerabilities affecting the Treck TCP/IP stack, a popular TCP/IP software library. Collectively tracked as Ripple20, the flaws impact hundreds of millions of connected devices, putting them at risk of remote hijacking.
The vulnerabilities could be exploited to achieve remote code execution, perform denial-of-service attacks, and obtain potentially sensitive information. Exploitation involves sending specially crafted IP packets or DNS requests to the targets, and in some cases it may be possible to launch attacks directly from the internet.
Cyber security firm ESET published extensive reports describing two espionage operations, one of which targeted the aerospace and military sectors in Europe and the Middle East, while the other was aimed at high-profile military and diplomatic entities in Eastern Europe.
The first campaign, dubbed “Operation In(ter)reception,” was active between September and December 2019 and involved the use of fake LinkedIn accounts that posted bogus job offers, through which the attackers attempted to compromise their targets and deliver cyber espionage tools.
While the primary goal of the Operation In(ter)reception campaign was cyber espionage, in some of the cases the researchers observed the attackers attempting to use the compromised accounts within the target organizations to launch BEC attacks against other businesses.
The second report from ESET sheds some light on a new espionage operation conducted by the InvisiMole threat actor, which appears to be tightly connected to the Russia-linked Gamaredon threat group.
An investigation into recent InvisiMole attacks, which started in late 2019 and appear to be still ongoing, showed that InvisiMole’s tools are delivered only to environments that have previously been compromised by Gamaredon.
The InvisiMole malware spreads within compromised networks by exploiting the BlueKeep (CVE-2019-0708) or EternalBlue (CVE-2017-0144) vulnerabilities in the RDP and SMB protocols, respectively. A third method of propagation within the hacked network involves weaponized documents and software installers, created from benign files stolen from the compromised organization.
Google Chrome users have been hit with a massive spyware operation carried out via malicious Chrome extensions with over 32 million collective downloads. The malicious extensions were capable of taking screenshots of the victim’s device, loading malware, reading the clipboard, harvesting tokens, and monitoring keystrokes.
Researchers from Awake Security, who uncovered the espionage campaign, believe that the mastermind behind this operation is a single threat actor, which the experts have yet to identify. The assumption was made because all identified malicious extensions sent user data back to domains registered through the GalComm domain registrar.
Radio-frequency chip maker MaxLinear Inc. disclosed a cyber attack against its IT systems, in which attackers gained access to files containing employees’ personal information, including name, personal and company email address, personal mailing address, employee ID number, driver’s license number, financial account number, Social Security number, date of birth, work location, compensation and benefit information, dependent information, and date of employment.
The company said it suffered a Maze ransomware attack that impacted “certain but not all” of its operational systems.
Web stores belonging to the large retail chains Claire’s and Intersport have been targeted by so-called Magecart attacks, in which hackers inject payment card skimmers into a site’s pages to steal the information customers enter from their payment cards.
In the case of the Claire’s online store the card skimmer was delivered from a domain (claires-assets.com) designed to look like the legitimate Claire’s site.
In the Intersport incident, the web skimming attack targeted only customers in Croatia, Serbia, Slovenia, Montenegro, and Bosnia and Herzegovina. According to Intersport, “no payment card information were intercepted” in the attack.