Cyber security week in review: February 24, 2023

Hackers are actively exploiting Fortinet FortiNAC vulnerability to backdoor servers

Malicious actors are targeting Internet-exposed Fortinet appliances with exploits targeting CVE-2022-39952, an unauthenticated file path manipulation vulnerability in the FortiNAC webserver that allows remote command execution.

Soon after the autonomous pentesting company Horizon3 released a PoC exploit for this vulnerability, the cybersecurity companies GreyNoise, CronUp, and Shadowserver reported mass exploitation attempts coming from multiple IP addresses.

Microsoft urges Exchange server admins to remove some antivirus exclusions

Microsoft recommends that administrators of Exchange servers remove some antivirus exclusions, namely the Temporary ASP.NET Files and Inetsrv folders and the PowerShell and w3wp processes, from the file-level AV scanner, as they are no longer needed. Keeping these exclusions may prevent detection of IIS webshells and backdoor modules, which represent the most common security issues, the tech giant said.
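As an added example (not taken from Microsoft's guidance or from the original article), the following PowerShell script audits a Microsoft Defender configuration for the four exclusions named above and removes any that are present. The folder and process paths are assumed to be the standard Exchange-on-Windows locations; verify them against your own servers, and note that a third-party scanner would need its own management tooling instead of the Defender cmdlets.

```powershell
# Added example: audit and remove the Exchange AV exclusions that Microsoft
# now says are no longer needed. Paths are assumed (standard Windows layout);
# check them against your own environment before running.
$systemRoot = $env:SystemRoot

# Folder exclusions to remove (assumed standard locations)
$folderExclusions = @(
    "$systemRoot\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files",
    "$systemRoot\System32\Inetsrv"
)

# Process exclusions to remove (assumed standard locations)
$processExclusions = @(
    "$systemRoot\System32\WindowsPowerShell\v1.0\PowerShell.exe",
    "$systemRoot\System32\inetsrv\w3wp.exe"
)

# Snapshot of the current Defender preferences (requires an elevated session)
$prefs = Get-MpPreference

foreach ($path in $folderExclusions) {
    # -contains is case-insensitive for strings, so casing differences are tolerated
    if ($prefs.ExclusionPath -contains $path) {
        Write-Host "Removing folder exclusion: $path"
        Remove-MpPreference -ExclusionPath $path
    } else {
        Write-Host "Folder exclusion not present: $path"
    }
}

foreach ($proc in $processExclusions) {
    if ($prefs.ExclusionProcess -contains $proc) {
        Write-Host "Removing process exclusion: $proc"
        Remove-MpPreference -ExclusionProcess $proc
    } else {
        Write-Host "Process exclusion not present: $proc"
    }
}

# Print what is still excluded so the remaining list can be reviewed
# against Microsoft's current Exchange exclusion guidance.
Write-Host "Remaining folder exclusions:"
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
Write-Host "Remaining process exclusions:"
Get-MpPreference | Select-Object -ExpandProperty ExclusionProcess
```

If the exclusions were pushed through Group Policy, the policy itself must be changed; local removal with Remove-MpPreference would be reverted at the next policy refresh.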

RCE bug in Zoho ManageEngine is increasingly targeted in hacker attacks

Bitdefender Labs has warned of a global increase in attacks targeting Zoho ManageEngine products still not patched against CVE-2022-47966, a remote code execution bug that allows full takeover of the compromised system. The researchers said that 2,000 to 4,000 servers accessible from the internet are running one of the vulnerable ManageEngine versions.

Open source vulnerabilities found in 84% of codebases

A new study from Synopsys found that the vast majority of software programs (96%) included an open source software component, with 84% of codebases containing at least one security vulnerability. At the same time, the number of applications with high-risk vulnerabilities has decreased to about half (48%) of all applications tested, from a peak of about 60% in 2020.

Russian hackers backdoored Ukrainian government websites in 2021

Russian state-backed threat actors have compromised multiple Ukrainian government websites this week using backdoors planted as far back as December 2021. CERT-UA spotted the attacks after discovering a web shell on one of the hacked websites that the threat actors, tracked as UAC-0056, Ember Bear, or Lorec53, used to install additional malware.

Ukraine’s largest charity announces fundraising campaign for cyber offensive

Come Back Alive, Ukraine’s largest foundation for assistance to the Ukrainian military, has announced a fundraising campaign to support the country’s cyber offensive against Russia. The project aims to raise UAH 50 million (~$1.36 million) to buy technology and equipment that will help Ukraine’s cyber forces conduct cyber operations that could impact Russia’s advances on the real battlefield.

Russian propagandists are using Twitter Blue check to spread misinformation about the Ukrainian war

Russian propagandists have started using paid Twitter Blue checkmarks to spread disinformation about Russia’s invasion of Ukraine, according to a new report from Reset, a research initiative focused on how technology intersects with democracy. Reset identified a dozen Twitter accounts using paid blue checks to disseminate Kremlin-aligned Russian propaganda. While some of these accounts have just a few hundred followers, others have tens of thousands, who help to spread propaganda via likes and retweets.

WinorDLL64 backdoor linked to Lazarus Group

ESET researchers have discovered the WinorDLL64 backdoor, one of the payloads of the Wslink downloader, which they linked to the well-known North Korea-aligned APT group Lazarus. Wslink’s payload can exfiltrate, overwrite, and remove files, execute commands, and obtain extensive information about the underlying system. ESET says it observed only a few Wslink infections in Central Europe, North America, and the Middle East.

Hydrochasma cyberspies target medical labs and shipping firms in Asia

A previously unknown threat actor has been targeting shipping companies and medical laboratories in Asia since at least October 2020. Dubbed “Hydrochasma” by Symantec’s researchers, the threat actor appears to be focused on industries that may be involved in COVID-19-related treatments or vaccines. Another notable aspect is that the group relies exclusively on open-source tools instead of custom malware. The researchers said that while they haven’t seen the attackers exfiltrate data in the observed attacks, the group’s motivation in this campaign is likely intelligence gathering.

Hackers compromised Asia-based data centers used by some of the world’s biggest firms

Two Asia-based data centers operated by Shanghai-based GDS Holdings and Singapore-based ST Telemedia Global Data Centres were targeted in a series of cyberattacks that took place over the past three years, with threat actors stealing credentials of data center operators and login information used by their customers to access cloud services. Nearly 2,000 customers of STT GDC and GDS were affected, including some of the world’s biggest companies, such as Alibaba, Amazon, Huawei, Baidu, and Apple.

Hackers use fake ChatGPT apps to deploy Windows, Android malware

Threat actors are taking advantage of the growing popularity of OpenAI’s ChatGPT chatbot to deploy various types of malware or carry out other malicious activities like financial fraud.

Security researchers have discovered dozens of fake ChatGPT apps, promoted via the Google Play Store or a bogus OpenAI social media page, that distributed several well-known malware families, including Lumma Stealer and Aurora Stealer, as well as clipper malware, PUPs (potentially unwanted programs), adware, spyware, and billing fraud apps. Researchers also discovered fraudulent ChatGPT-related payment pages designed to steal victims’ money and credit card data.

Coinbase, Activision targeted in separate social engineering attacks

An unknown attacker stole the login credentials of one of Coinbase’s employees in an attempt to gain access to the company’s systems. While the threat actor was not able to gain direct system access, a limited amount of corporate data was exposed, including contact information belonging to multiple Coinbase employees. Customer funds and data were not affected.

The popular video game publisher Activision disclosed a similar incident that took place in early December 2022, where hackers compromised the company's internal systems by tricking an employee with a phishing SMS message.

Hackers use S1deload stealer to hijack Facebook, YouTube user accounts

A new global campaign has been spotted that uses an infostealer called “S1deload Stealer” to hijack Facebook and YouTube accounts. S1deload Stealer relies on DLL sideloading techniques to run its malicious components.

Once a system is infected, S1deload Stealer steals user credentials, emulates human behavior to artificially boost engagement with videos and other content, assesses the value of individual accounts (such as identifying corporate social media admins), mines the BEAM cryptocurrency, and propagates the malicious link to the user’s followers.

Russian developer behind NLBrute malware extradited to the US

A Russian national accused of developing the NLBrute malware, capable of decrypting login credentials, was taken into custody by Georgian authorities in the Republic of Georgia on October 4, 2022, and extradited to the United States.

Dariy Pankov aka “dpxaker” is charged with conspiracy, access device fraud, and computer fraud. If convicted on all counts, he faces a maximum penalty of 47 years in federal prison.

Spain to extradite alleged Twitter hacker to the US

Spain's High Court has authorized the extradition of a 23-year-old British man wanted in the US in connection with the 2020 Twitter hack that compromised numerous accounts of celebrities and politicians, including former US President Barack Obama and Microsoft’s Bill Gates.

O'Connor is accused of hacking 130 Twitter accounts, as well as compromising the Snapchat account of an unidentified public figure whom he allegedly tried to extort by threatening to publish nude photographs of the person. The man is also wanted for several cases of “swatting,” prank calls to emergency services aimed at getting large numbers of police sent to different locations.

European police bust CEO fraud group that stole over €38 million

A Europol-coordinated law enforcement operation has resulted in the takedown of a cyber crime group that defrauded companies of millions of euros through a large-scale CEO fraud scheme. The criminal network, made up of French and Israeli nationals, targeted companies located in France. In one case the gang tricked a French company into making a €300,000 transfer by posing as the firm’s CEO, and in another instance the fraudsters managed to steal €38 million within a few days from a Paris-based real estate developer.

Domain registrar GoDaddy discloses multi-year security breach

GoDaddy, a web hosting provider and internet domain registrar, disclosed a multi-year security breach in which unknown attackers installed malware on the company’s cPanel hosting servers and stole source code related to some of its services. The breach was spotted in December 2022, following customer complaints about their websites being intermittently redirected. A subsequent investigation showed that the attackers had planted malware on cPanel hosting servers that redirected random customers’ websites to malicious sites. GoDaddy said it is still investigating the root cause of the breach.

NSA releases recommendations on how to secure home networks

The US National Security Agency (NSA) released a guide with best practices designed to help remote workers secure their home networks.