$600K drained from crypto wallets in Ledger dApp supply-chain attack
Hardware wallet-maker Ledger has warned users not to use web3 dApps following a supply-chain attack on the Ledger dApp Connect Kit library involving a malicious version of the software that was deploying a JavaScript wallet drainer that stole $600,000 in cryptocurrencies and NFTs.
Ledger said in a statement that an attacker gained access to a former Ledger employee’s NPMJS account through phishing and published a malicious version of the Ledger Connect Kit (affecting versions 1.1.5, 1.1.6, and 1.1.7) that used a rogue WalletConnect project to reroute funds to a hacker wallet. The company has already replaced the malicious version of Connect Kit with a genuine one. Ledger hardware and Ledger Live were not compromised, the vendor said.
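A practical follow-up for teams consuming the affected package is to check lockfiles for the three published-as-malicious versions. The following is an added example (not Ledger’s code or part of the original article): a small Python audit that walks an npm lockfile and reports any package pinned to a version on an advisory list. The package name `@ledgerhq/connect-kit` is an assumption; the version numbers 1.1.5–1.1.7 come from the text, and the lockfile content is constructed for the demonstration.

```python
import json
from typing import Dict, List, Set, Tuple

# Advisory data: package name -> versions reported as malicious.
# Package name is assumed; the version list is from Ledger's statement.
BAD_VERSIONS: Dict[str, Set[str]] = {"@ledgerhq/connect-kit": {"1.1.5", "1.1.6", "1.1.7"}}

# Constructed sample in npm lockfileVersion 3 layout: a "packages" map keyed
# by the node_modules path of each installed package ("" is the project root).
SAMPLE_LOCK_V3 = json.dumps({
    "name": "my-dapp",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "my-dapp", "dependencies": {"@ledgerhq/connect-kit": "^1.1.0"}},
        "node_modules/@ledgerhq/connect-kit": {"version": "1.1.6", "integrity": "sha512-EXAMPLE"},
        "node_modules/left-pad": {"version": "1.3.0"},
        # a nested copy held by another dependency, at an unaffected version
        "node_modules/some-wrapper/node_modules/@ledgerhq/connect-kit": {"version": "1.1.4"},
    },
})

# Constructed sample in the older lockfileVersion 1 layout (nested "dependencies").
SAMPLE_LOCK_V1 = json.dumps({
    "name": "my-dapp",
    "lockfileVersion": 1,
    "dependencies": {
        "@ledgerhq/connect-kit": {
            "version": "1.1.5",
            "dependencies": {"tiny-helper": {"version": "1.0.0"}},
        },
    },
})


def package_name_from_path(path: str) -> str:
    """'a/node_modules/@scope/pkg' -> '@scope/pkg' (text after the last node_modules/)."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    return path[idx + len(marker):] if idx != -1 else path


def flatten_v1(deps: dict, prefix: str = "node_modules/") -> Dict[str, dict]:
    """Turn the nested v1 'dependencies' tree into the flat v2/v3 'packages' shape."""
    out: Dict[str, dict] = {}
    for name, meta in deps.items():
        path = prefix + name
        out[path] = {"version": meta.get("version", "")}
        out.update(flatten_v1(meta.get("dependencies", {}), path + "/node_modules/"))
    return out


def find_bad_packages(lock_text: str, bad: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (install path, package name, version) for every install on the advisory list.

    Every install location is checked, not just top-level dependencies, because a
    malicious version can be pulled in transitively by another package."""
    lock = json.loads(lock_text)
    packages = lock.get("packages")
    if packages is None:
        packages = flatten_v1(lock.get("dependencies", {}))
    hits: List[Tuple[str, str, str]] = []
    for path, meta in packages.items():
        if not path:  # skip the project root entry
            continue
        name = package_name_from_path(path)
        version = meta.get("version", "")
        if version in bad.get(name, set()):
            hits.append((path, name, version))
    return sorted(hits)


if __name__ == "__main__":
    for label, lock in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        for path, name, version in find_bad_packages(lock, BAD_VERSIONS):
            print(f"[{label}] {name}@{version} installed at {path}")
```

Run the scan against a real `package-lock.json` by reading the file and passing its text to `find_bad_packages`; a non-empty result means the build must not ship until the pinned version is replaced and the lockfile regenerated.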
Microsoft released its final Patch Tuesday of 2023
Microsoft released its December Patch Tuesday security updates addressing over 30 vulnerabilities across a range of products, including several high-risk bugs that can be abused to compromise unpatched machines and a previously disclosed AMD zero-day vulnerability that remained unpatched.
Among the flaws Windows administrators should pay special attention to is CVE-2023-36019, a spoofing bug in Microsoft Power Platform Connector. The issue could be exploited via specially crafted URLs. The flaw affects all versions of Microsoft Power Platform and all versions of Azure Logic Apps.
Apple backports WebKit zero-day fix to older iPhones
Apple rolled out security patches for iOS, iPadOS, macOS, tvOS, watchOS, and Safari web browser to resolve multiple security flaws, including numerous high-risk vulnerabilities affecting AVEVideoEncoder, ExtensionKit, Find My, ImageIO, Kernel, Safari Private Browsing, and WebKit that can result in remote code execution.
Sophos issues updates for an old firewall bug still actively exploited by hackers
UK-based cybersecurity firm Sophos released security patches for end-of-life (EOL) firewall firmware to address an RCE vulnerability first fixed in September 2022, after learning that the vulnerability is being actively exploited in the wild.
The flaw, tracked as CVE-2022-3236, is a code injection issue stemming from improper input validation in the User Portal and Webadmin interfaces of Sophos Firewall. It can be exploited for remote code execution via a malicious request. The issue affects Sophos Firewall v19.0 MR1 (19.0.1) and older.
Apache addresses high-risk Struts2 RCE bug, exploit attempts detected
The Apache Software Foundation issued security updates to fix a remote code execution vulnerability in the Apache Struts 2 software package.
Tracked as CVE-2023-50164, the vulnerability was described as a path traversal issue that exists due to an input validation error when processing directory traversal sequences in path names. The vulnerability could be exploited by a remote hacker to upload a malicious file to the server and execute it. The flaw impacts Struts 2.0.0 - Struts 2.3.37 (EOL), Struts 2.5.0 - Struts 2.5.32, and Struts 6.0.0 - Struts 6.3.0.
Note that the bug has already come under active exploitation. The Shadowserver Foundation said hackers are targeting CVE-2023-50164 using publicly available Proof of Concept (PoC) code.
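The root cause described above, mishandling of traversal sequences in a client-supplied path, is a general file-upload failure mode, so the added example below (not Struts code, and not from the original article) contrasts a removal-based filter with a reject-and-whitelist approach in Python. The upload root `/srv/uploads` and the filenames are constructed for the demonstration; the point is that stripping `../` once can be undone by nested sequences, while rejecting any separator and whitelisting characters cannot.

```python
import posixpath
import re

# Flawed "sanitiser": removes one layer of "../". Kept only to show why
# removal-based filtering fails; never use this pattern.
def naive_strip(filename: str) -> str:
    return filename.replace("../", "")


# Allow a single path component: starts with an alphanumeric, then a bounded
# run of alphanumerics, dot, underscore or dash. ".." and "." cannot match.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def safe_upload_path(client_filename: str, upload_root: str) -> str:
    """Map an attacker-controlled filename to a path strictly inside upload_root.

    Rejects rather than rewrites: any separator, NUL byte, or character outside
    the whitelist aborts the upload, so there is nothing for nested traversal
    sequences to 'collapse' into."""
    if "/" in client_filename or "\\" in client_filename or "\x00" in client_filename:
        raise ValueError(f"rejected filename (separator or NUL): {client_filename!r}")
    if not _SAFE_NAME.fullmatch(client_filename):
        raise ValueError(f"rejected filename (unexpected characters): {client_filename!r}")

    root = posixpath.normpath(upload_root)
    candidate = posixpath.normpath(posixpath.join(root, client_filename))
    # Defence in depth: confirm the normalised result still sits under the root.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError(f"rejected filename (escapes upload root): {client_filename!r}")
    return candidate


def is_rejected(client_filename: str, upload_root: str = "/srv/uploads") -> bool:
    """True when safe_upload_path refuses the name (convenience for tests/callers)."""
    try:
        safe_upload_path(client_filename, upload_root)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    # The nested sequence survives a single-pass strip as a live traversal.
    print(naive_strip("....//etc/passwd"))          # ../etc/passwd
    print(safe_upload_path("report.pdf", "/srv/uploads"))
    for bad in ("../../etc/passwd", "....//shell.jsp", "a\x00.jsp", ".."):
        print(bad, "->", "rejected" if is_rejected(bad) else "accepted")
```

Use `safe_upload_path` to compute the destination before any file handle is opened, and treat a `ValueError` as a client error to log, not a filename to repair.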
Vulnerabilities are now main initial access vector for ransomware
A new report from Corvus indicates that ransomware actors are shifting from spearphishing attacks as a means to gain entry to target systems to exploiting vulnerabilities. The report said that vulnerability exploitation rose as an initial access vector from nearly 0% of ransomware claims in H2 2022 to almost 30% in the first half of 2023.
Ukraine’s largest mobile carrier Kyivstar hit with a cyberattack after hackers compromised an employee’s account
Ukraine’s largest mobile operator Kyivstar suffered a cyberattack this week, with people across Ukraine reporting internet and network outages, as well as issues with air raid alerts. The attack reportedly damaged the company’s IT infrastructure.
Kyivstar said that the restoration of services will be conducted step-by-step and currently there’s no timeline for when services will be fully restored. The company’s CEO explained that the intruders were able to gain access to the company’s internal network through a compromised account of one of the employees.
Two hacker groups have claimed responsibility for the hack: Killmilk and Solntsepyok (which roughly translates from Russian as ‘sun-scorch’). Solntsepyok is believed to be a front for a well-known Russian hacking group dubbed “Sandworm” associated with Russia’s GRU military intelligence agency.
Russian APT29 exploits JetBrains TeamCity servers in widespread attacks
Cybersecurity agencies and intelligence services warned that a threat actor linked to the Russian Foreign Intelligence Service (SVR) has been exploiting a vulnerability in JetBrains’ TeamCity CI/CD software platform to conduct SolarWinds-style cyberespionage operations since September 2023.
The group is exploiting CVE-2023-42793, an authentication bypass vulnerability in TeamCity that allows remote code execution. Unlike in the SolarWinds hack, the threat actor did not use its access to the software itself in the same way, but instead leveraged it to escalate privileges, move laterally, deploy additional backdoors and establish long-term access to the victim network.
North Korea’s Lazarus uses Log4j exploits to deliver novel DLang-based malware
The North Korean hacking group known as Lazarus has orchestrated a new campaign that exploits a two-year-old vulnerability (CVE-2021-44228, aka Log4Shell) to deploy three never-before-seen malware families written in the DLang programming language. The new malware tools are two remote access trojans (RATs), one of which, dubbed “NineRAT” by Cisco’s Talos researchers, uses Telegram bots and channels as a medium of command and control (C2) communications. The second RAT, non-Telegram-based, is tracked as “DLRAT.” The third malware is a DLang-based downloader named “BottomLoader.”
The new campaign, dubbed “Operation Blacksmith,” targets manufacturing, agricultural and physical security companies.
Of note, recent research found that more than one-third (38%) of applications continue to operate on vulnerable versions of Log4j, a widely used open-source logging library.
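Since the Lazarus campaign above relies on a two-year-old bug that many deployments still carry, the most useful defensive step is an inventory of which `log4j-core` builds are actually present. The following is an added example (not from Cisco Talos, the Log4j project or the original article): a Python scanner that reads the version from the Maven `pom.properties` inside a JAR, recurses into nested JAR/WAR/EAR entries as found in fat archives, and classifies the version against the CVE-2021-44228 fixed releases (2.15.0 and later, plus the 2.12.2 and 2.3.1 backports for Java 7 and Java 6). The sample archives are constructed in memory; they contain only the metadata entry, not real Log4j code.

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple

POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED_ARCHIVE = re.compile(r"\.(jar|war|ear|zip)$", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, int, int]:
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0). Qualifiers are ignored,
    which deliberately treats every 2.0 pre-release as affected (conservative)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable version {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_log4shell_vulnerable(version: str) -> bool:
    """CVE-2021-44228 affects log4j-core 2.x before 2.15.0, except the
    2.12.2+ (Java 7) and 2.3.1+ (Java 6) backport releases."""
    major, minor, patch = parse_version(version)
    if major != 2:
        return False  # Log4j 1.x is not affected by CVE-2021-44228
    if (minor, patch) >= (15, 0):
        return False
    if minor == 12 and patch >= 2:
        return False
    if minor == 3 and patch >= 1:
        return False
    return True


def log4j_core_version(jar_bytes: bytes) -> Optional[str]:
    """Version string from the embedded Maven pom.properties, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPS not in zf.namelist():
            return None
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
        m = re.search(r"^version=(\S+)", props, re.MULTILINE)
        return m.group(1) if m else None


def scan_archive(archive_bytes: bytes, label: str = "<root>") -> List[Tuple[str, str, bool]]:
    """Return (location, version, vulnerable) for every log4j-core found,
    descending into nested archives (fat JARs, WAR/EAR bundles)."""
    findings: List[Tuple[str, str, bool]] = []
    version = log4j_core_version(archive_bytes)
    if version is not None:
        findings.append((label, version, is_log4shell_vulnerable(version)))
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if NESTED_ARCHIVE.search(name):
                findings.extend(scan_archive(zf.read(name), f"{label}!{name}"))
    return findings


def make_sample_jar(version: str, nested: Optional[List[Tuple[str, bytes]]] = None) -> bytes:
    """Constructed stand-in for a log4j-core JAR: only the pom.properties entry,
    optionally wrapping other archives to mimic a fat JAR layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        for entry_name, entry_bytes in nested or []:
            zf.writestr(entry_name, entry_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    inner = make_sample_jar("2.14.1")
    outer = make_sample_jar("2.17.1", nested=[("BOOT-INF/lib/log4j-core-2.14.1.jar", inner)])
    for location, ver, vuln in scan_archive(outer, "app.jar"):
        print(f"{location}: log4j-core {ver} -> {'VULNERABLE' if vuln else 'ok'}")
```

Point `scan_archive` at the bytes of each deployed JAR or WAR; nested findings marked vulnerable are the ones a top-level dependency listing tends to miss.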
Russian hackers exploit Israel-Hamas conflict to deploy Headlace malware
The Russian government-backed threat actor known as APT28 has been observed using lures related to the Israel-Hamas conflict to deliver a custom backdoor named ‘Headlace,’ which is a multi-component malware including a dropper, a VBS launcher and a backdoor using MSEdge in headless mode to continuously download secondary payloads, likely to exfiltrate credentials and sensitive information.
The campaign targets entities with direct influence on the allocation of humanitarian aid, primarily those based in Europe.
Iranian nation-state OilRig APT targets Israel with new malware
ESET researchers shared technical details on three new downloaders named ODAgent, OilCheck and OilBooster, as well as an updated version of the SC5k downloader, deployed by the Iranian state-sponsored hacker group OilRig (APT34, Cobalt Gypsy, Twisted Kitten and Crambus) in attacks against Israeli entities. The downloaders use various legitimate cloud service APIs for C&C communication and data exfiltration: the Microsoft Graph OneDrive API, the Microsoft Graph Outlook API, and the Microsoft Office EWS API.
Pro-Hamas Gaza Cybergang targets Palestinian entities with Pierogi++ backdoor
SentinelLabs released a report detailing a recent campaign by a suspected Hamas-aligned cluster Gaza Cybergang aimed at Palestinian entities that uses a new backdoor named Pierogi++ based on an older malware strain named Pierogi, first seen in 2019.
Chinese hackers hijack SOHO routers and VPN devices via sophisticated KV-botnet
A Chinese government-backed hacking group tracked as Volt Typhoon and Bronze Silhouette, known for its attacks on US critical infrastructure, has been linked to a new sophisticated botnet named KV-botnet, active since at least 2022. The campaign has been targeting Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras.
The KV-botnet features two distinct logical clusters, a complex infection process and a well-concealed command-and-control (C2) framework. A more detailed technical analysis of the new threat can be found in Lumen’s Black Lotus Labs report.
New BazarCall phishing campaign uses Google Forms to boost credibility
Email security firm Abnormal uncovered a new BazarCall phishing campaign that leverages the Google Forms online tool to create and send payment receipts to victims to make the phishing attempt appear more trustworthy.
Russian national linked to Hive ransomware group arrested in France
A Russian individual suspected of money laundering for the notorious Hive ransomware gang, known for orchestrating numerous high-profile cyber attacks globally, has been apprehended by French authorities in Paris.
Although the French police did not disclose the suspect's identity, local media reports indicate that the individual is approximately forty years old and resides in Cyprus. Authorities identified the criminal through his activities on social networks. The arrest took place on December 5 in Paris, and the suspect was subsequently placed in custody.
During searches at the suspect's residence in Cyprus, law enforcement authorities seized more than 570,000 euros in cryptocurrencies, believed to be proceeds from illicit activities linked to the Hive ransomware gang.
Suspected member of KelvinSecurity hacker group arrested in Spain
The Spanish National Police arrested a Venezuelan citizen believed to be one of the alleged leaders of the financial apparatus of a hacktivist group, known as “Kelvin Security,” responsible for more than 300 high-level attacks against strategic sectors across over 90 countries in the last 3 years.
The police have not named the arrested individual but said that he was the main person responsible for money laundering for the group through cryptocurrency exchanges. He was charged with involvement in a criminal organization, disclosure of secrets, computer damage and money laundering.
Microsoft disrupts cybercrime syndicate that created 750M fake accounts
Microsoft seized websites and social media pages run by a cybercrime syndicate known as Storm-1152 that created over 750 million fraudulent Microsoft accounts for sale. Storm-1152 also offered tools designed to circumvent identity verification software on various popular technology platforms. The illicit operations of the syndicate had amassed millions of dollars.
The seized domains include Hotmailbox.me, a marketplace facilitating the sale of fake Microsoft Outlook accounts, and the trio of 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, which were platforms selling tools for bypassing identity verification.
Microsoft disclosed that the fraudulent Microsoft accounts created by Storm-1152 were utilized by multiple cybercriminal entities involved in activities such as ransomware attacks, data breaches, and extortion schemes, including Scattered Spider (Octo Tempest, 0ktapus, UNC3944, Scatter Swine, and Muddled Libra), linked to two high-profile attacks against MGM Casino and Caesars Entertainment.
Hundreds arrested in Interpol-led operation targeting human trafficking-fuelled cyber fraud
A total of 281 individuals were arrested for offenses such as human trafficking, passport forgery, corruption, telecommunications fraud, and sexual exploitation as a result of an Interpol operation targeting human trafficking groups that are forcing victims to commit cyber scams on a massive scale.
Over the course of five months, more than 270,000 inspections and police checks were conducted at 450 hotspots associated with human trafficking and migrant smuggling. Many of these locations were identified as hubs for trafficking victims to notorious cyber scam centers in Southeast Asia.
Additionally, the UK sanctioned 9 individuals and 5 entities for their involvement in trafficking people in Cambodia, Laos and Myanmar, forcing them to work for online ‘scam farms’ which enable large-scale fraud.
Personal data of over 500,000 customers on Russian crypto exchanges exposed in a security breach
Personal data of customers at nine Russia-based cryptocurrency exchanges was exposed for more than two months due to a security incident, the Cybernews Research team found.
The exposed information included highly sensitive data such as full names, credit card numbers, email addresses, IP addresses, payment and withdrawal request amounts, transaction descriptors like BTCRUB, and additional authentication details like user agents. The leaked data encompasses more than 615,000 payment requests and over 28,000 withdrawal requests.