22 December 2023

Cyber Security Week In Review: December 22, 2023


Google patches eighth Chrome zero-day since the start of the year

Google rolled out emergency security updates to address an actively exploited vulnerability in its Chrome browser. Tracked as CVE-2023-7024, the vulnerability is described as a heap-based buffer overflow issue in WebRTC, which can be abused for remote code execution. To do this, an attacker needs to trick the victim into visiting a malicious web page.

ESET patches MitM bug in its security software

Slovak internet security firm ESET patched a vulnerability (CVE-2023-5594) in the SSL/TLS protocol scanning feature implemented in its products.

The issue stems from improper validation of the server’s certificate chain in the SSL/TLS protocol scanning feature. As a result, an intermediate certificate signed with the MD5 or SHA1 algorithm was treated as trusted, so the browser could be made to trust a site secured with such a certificate.

The issue impacts NOD32 Antivirus, Internet Security, Smart Security Premium, Security Ultimate, Endpoint Antivirus, Endpoint Security, Server Security, Mail Security, Security for Microsoft SharePoint Server, and File Security for Microsoft Azure.

3CX warns of an SQL Injection bug in 3CX CRM Integration

VoIP communications company 3CX announced a hotfix for an SQL Injection vulnerability affecting 3CX versions 18 and 20.

Tracked as CVE-2023-49954, the flaw exists due to insufficient sanitization of user-supplied data within 3CX CRM Integration. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database. Successful exploitation of this vulnerability may allow a remote attacker to read, delete, and modify data in a database and gain complete control over the affected application.

Terrapin attack breaks the security of OpenSSH connections

A vulnerability (CVE-2023-48795) in the SSH cryptographic network protocol could allow an attacker to downgrade the connection’s security by truncating the extension negotiation message, academics from Ruhr-Universität Bochum found.

Called ‘Terrapin’, the new attack method breaks the integrity of SSH's secure channel. By carefully adjusting the sequence numbers during the handshake, an attacker can remove an arbitrary number of messages sent by the client or server at the beginning of the secure channel without the client or server noticing it.

Ivanti patches multiple high-risk vulnerabilities

IT software company Ivanti has released an update to its Avalanche mobile device management (MDM) product that addresses multiple vulnerabilities, including high-risk flaws that can lead to remote code execution. Note that public exploit code is available for some of the vulnerabilities.

Fake F5 BIG-IP zero-day warning spreads wiper malware

The Israel National Cyber Directorate has issued an alert warning of phishing emails aimed at tricking victims into downloading security updates that ostensibly address a critical F5 BIG-IP zero-day vulnerability, but, in reality, download data-wiping malware.

Hackers use an old MS Office bug to distribute Agent Tesla data stealer

Zscaler ThreatLabz released a report highlighting a threat campaign involving the remote code execution flaw found in the Equation Editor of Microsoft Office (CVE-2017-11882) to spread the Agent Tesla information-stealing malware to users on vulnerable versions of Microsoft Office.

The attackers use words like “orders” and “invoices” in spam emails to encourage users to download malicious attachments that exploit CVE-2017-11882. The threat actors leverage the RegAsm.exe file to carry out malicious activities under the guise of a genuine operation.

Threat actors exploit a WinRAR bug in attacks targeting Ukraine

The threat actor known as UAC-0099 has been targeting Ukrainian entities in a new series of attacks. In some cases, the attackers exploited a critical vulnerability in the WinRAR software (CVE-2023-38831) to deliver a malware strain called Lonepage. A more detailed technical analysis of the attacks is available in Deep Instinct’s report.

China-linked 8220 gang exploits Oracle WebLogic bugs to deploy malware

A threat actor known as the 8220 gang, believed to be of Chinese origin, has been spotted exploiting a high-severity vulnerability in the Oracle WebLogic platform to deploy the Agent Tesla, rhajk and nasqa malware variants. The flaw is CVE-2020-14883, an improper input validation issue within the Console component of Oracle WebLogic Server, which can be exploited for remote code execution.

Ukraine’s CERT warns of new attacks by UAC-0177 and UAC-0050

Ukraine’s CERT published two separate advisories describing new campaigns orchestrated by threat actors tracked as UAC-0177 (JokerDPR) and UAC-0050. Both campaigns involve phishing emails that disseminate malware (RemcosRat in the case of UAC-0050).

BattleRoyal cluster spreads DarkGate RAT via email and fake browser updates

A threat actor tracked as ‘BattleRoyal’ has been observed using multiple attack channels, including phishing emails, fake browser updates, traffic distribution systems (TDSs), malicious VBScript, steganography, and a Windows SmartScreen vulnerability (CVE-2023-36025) to deliver the DarkGate remote access trojan.

New FalseFont backdoor targets the Defense Industrial Base sector

Microsoft said it detected a new campaign by the Iranian nation-state actor Peach Sandstorm targeting individuals working for organizations in the Defense Industrial Base (DIB) sector with a novel backdoor called ‘FalseFont.’

First observed in early November 2023, FalseFont is a custom backdoor with a wide range of functionalities that allow operators to remotely access an infected system, launch additional files, and send information to its command-and-control servers.

Chameleon Android banker can now bypass biometric authentication

Dutch mobile security firm ThreatFabric came across an updated version of the Chameleon Android banking trojan that comes with new advanced features and capabilities, including the ability to bypass biometric prompts, and the ability to display an HTML page for enabling accessibility service on devices implementing Android 13's “Restricted Settings” feature. The new variant has also expanded its target region (Australia and Poland) to include Android users in the UK and Italy.

Scammers steal $59M in crypto using MS Drainer

Scammers have stolen over $59 million in various cryptocurrencies over the past nine months using a wallet drainer service dubbed ‘MS Drainer,’ a report from blockchain security platform Scam Sniffer revealed.

The scammers took advantage of Google Ads and X (formerly Twitter) to propagate counterfeit versions of reputable crypto websites, such as Zapper, Lido, Stargate, DefiLlama, Orbiter Finance, and Radient. They also used supply chain attacks, Discord phishing, SIM-swap attacks, DNS attacks, and email phishing to push a wallet drainer, a tool that drains all assets from a specific cryptocurrency wallet.

New malware campaign employs JavaScript web injections to steal bank account credentials

Security researchers warn of a new malware campaign that employs JavaScript web injections to steal online banking account credentials. The campaign is part of a previously observed operation that has targeted over 40 financial institutions across the world.

First spotted in March 2023, the campaign has since led to at least 50,000 infected user sessions across more than 40 banks in North America, South America, Europe and Japan.

German authorities shut down the dark web marketplace Kingdom Market

German police dismantled a dark web marketplace called “Kingdom Market” that sold a wide range of illicit goods, including drugs, fake IDs and malware. According to the BKA, the platform’s server infrastructure was seized across several countries. The operation was conducted in cooperation with law enforcement authorities from the US, Switzerland, the Republic of Moldova and Ukraine. One of the platform’s administrators was reportedly arrested in the US.

US seizes the ALPHV/BlackCat darknet website, releases decryption tool

The US authorities seized websites belonging to the prolific Russian-speaking ALPHV/BlackCat ransomware group that compromised more than 1,000 victims worldwide, receiving more than $300 million in ransom payments. However, mere hours after the FBI announced the takedown, the group posted a message claiming that they “unseized” their website.

The ransomware actors shared their version of the events, saying that the FBI compromised one of their domain controllers. They also said they are removing almost all rules from their affiliate program, allowing affiliates to target critical infrastructure.

As part of the operation, the FBI developed a decryption tool for victims to restore their data. The agency revealed that it was able to gain visibility into the BlackCat ransomware group’s operations thanks to a Confidential Human Source (“CHS”), who responded to a BlackCat ad on a publicly accessible online forum and, after being interviewed by the ransomware operators, became an affiliate. The informant was given access credentials to a BlackCat affiliate panel, available at a unique Tor address.

Play ransomware has attacked nearly 300 organizations worldwide since 2022

The FBI, CISA and Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) published a joint security advisory detailing Indicators of Compromise (IoCs) and tactics, techniques, and procedures (TTPs) observed in the Play ransomware attacks.

Global police operation seizes $300M linked to online scams

Nearly 3,500 suspects were arrested and $300 million seized as a result of a six-month joint law enforcement operation supported by the South Korean government and involving police from 34 countries across the world.

Dubbed “HAECHI IV,” the operation, spanning from July to December 2023, targeted seven types of cyber scams, including voice phishing, romance scams, online sextortion, investment fraud, money laundering linked to illegal online gambling, business email compromise fraud, and e-commerce fraud.

Lapsus$ hacker sentenced to indefinite detention in hospital

Arion Kurtaj, an 18-year-old hacker associated with the Lapsus$ hacker group, has been sentenced to an indefinite hospital order, the BBC reported. Despite being diagnosed with autism, Kurtaj played a significant role in cyber-attacks on major tech companies, including Uber, Nvidia, and Rockstar Games, resulting in nearly $10 million in damages.

Due to his demonstrated skills and a perceived risk to the public, the judge decided on a lifelong stay at a secure hospital, contingent on periodic evaluations by doctors.

QakBot malware reappears with a new campaign targeting the hospitality industry

Security researchers have spotted a new phishing campaign distributing the QakBot malware, more than three months after an international law enforcement operation dismantled the notorious QakBot botnet.

The new Qakbot campaign observed by Microsoft’s threat intelligence team in December was low-volume and targeted the hospitality industry with phishing emails containing a malicious PDF document.

BidenCash market leaks 1.9M stolen credit cards

Dark web carding marketplace BidenCash is offering nearly two million payment card details for free. The database includes payment card numbers, expiration dates, and CVV (card verification value) numbers but doesn’t contain other important data, the Cybernews research team noted. In March 2023, BidenCash leaked over 2 million credit and debit cards to commemorate one year of operation.

MongoDB internal breach exposes customer info

American software company MongoDB, the developer and maintainer of the document database MongoDB, suffered a security incident that saw an unauthorized party gain access to some of its corporate systems containing customer data. The exposed information includes “customer names, phone numbers, and email addresses among other customer account metadata, including system logs for one customer.” The company said it notified the impacted client of the incident. MongoDB added that it has no evidence that any other customers’ systems were compromised.

Israel-linked hackers paralyzed gas stations across Iran

An Israeli hacker group known as Gonjeshke Darande (Predatory Sparrow) has taken responsibility for a cyberattack that caused widespread disruption at petrol stations across Iran, impacting 70% of the country’s petrol stations. The hackers said that while they were able to disrupt the operation of all petrol stations in Iran, some of the outfits were left unharmed in order to limit potential damage to emergency services.

CISA urges tech manufacturers to get rid of default passwords

CISA published guidance for tech firms on how they can eliminate default passwords, urging vendors to stop providing software and hardware with default passwords to remove risks that could be exploited by malicious actors to gain initial access to and move laterally within organizations.

New support mechanism aims to strengthen Ukraine’s cyber defenses

Ukraine and its allies, including Estonia, Canada, Denmark, France, Germany, the Netherlands, Poland, Sweden, the UK and the US, announced the launch of a new system called the Tallinn Mechanism, designed to amplify donors’ cyber support to Ukraine in the civilian domain.

With the mechanism, Ukraine’s needs will be addressed in a systematic manner and matched to the capabilities of donors, so that support from various countries forms a coherent whole and Ukraine is able to defend itself in the cybersphere.
