5 January 2024

Cyber Security Week In Review: January 5, 2024

Multiple malware families exploit OAuth2 weakness for session hijacking

CloudSEK's threat research team released a report describing an undocumented Google OAuth endpoint named “MultiLogin” that multiple info-stealing malware families abuse to hijack user sessions and get continuous access to Google services even after a password reset.

The exploit came to light after a threat actor named PRISMA published it on their Telegram channel in October 2023. It has since been adopted by various malware-as-a-service (MaaS) stealer families, such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.

Nearly 11 million instances are vulnerable to Terrapin SSH attacks

Almost 11 million internet-exposed SSH servers are vulnerable to the recently disclosed Terrapin attack (CVE-2023-48795) that breaks the integrity of SSH's secure channel, Shadowserver found.

The majority of vulnerable systems were identified in the United States (3.3 million), followed by China (1.3 million), Germany (1 million), Russia (700,000), Singapore (390,000), and Japan (380,000).

Ivanti fixes a high-severity bug in Endpoint Manager

IT and cybersecurity software solutions and services provider Ivanti has addressed an SQL-injection vulnerability (CVE-2023-39336) in its Endpoint Manager (EPM) product that could allow a remote attacker to take control of machines running EPM or to execute arbitrary code if the server is configured to use SQL Express. Users are advised to update their systems as soon as possible.

CISA warns of actively exploited flaws in Chrome and Excel parsing library

The US Cybersecurity and Infrastructure Security Agency has updated its Known Exploited Vulnerabilities catalog with two security vulnerabilities: CVE-2023-7024, a remote code execution bug in Google Chrome, and CVE-2023-7101, a flaw in Spreadsheet::ParseExcel, an open-source Perl library for reading data from Excel files. The latter was exploited by Chinese hackers as part of a recent attack campaign on Barracuda ESG appliances.

Orange Spain suffers major internet outage due to hacker breach

Orange Spain, the Spanish unit of French telecoms provider Orange, suffered an internet outage after a hacker compromised the company’s RIPE account, leading to the misconfiguration of the Border Gateway Protocol (BGP) routing and Resource Public Key Infrastructure (RPKI) settings. This caused the IP addresses to be improperly announced on the internet. Orange Spain said no customer information was compromised in the incident.
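The incident above turned on BGP and RPKI settings held in an RIR account. As an added example (written for this summary, not taken from the report or from Orange or RIPE), the function below applies the route origin validation rule from RFC 6811 that RPKI-aware routers use to classify a BGP announcement against published ROAs. The prefixes and AS numbers are constructed from the documentation ranges and the ROA list is hypothetical; the example does not describe how the Orange Spain routes were actually altered, only why the ROA entries in an RIR portal are security-sensitive: a ROA naming the wrong origin AS, or a maxLength shorter than the announced prefix, makes an otherwise legitimate announcement "invalid" and liable to be dropped.

```python
import ipaddress

# A ROA is (prefix, maxLength, origin ASN); constructed sample data.
Roa = tuple[str, int, int]

SAMPLE_ROAS: list[Roa] = [
    ("192.0.2.0/24", 24, 64496),      # hypothetical: correct origin, no sub-prefixes allowed
    ("2001:db8::/32", 48, 64496),     # hypothetical: allows announcements down to /48
]


def rov_state(announced_prefix: str, origin_asn: int, roas: list[Roa]) -> str:
    """RFC 6811 route origin validation.

    'valid'     - at least one covering ROA matches the origin AS and the
                  announced prefix length does not exceed that ROA's maxLength
    'invalid'   - one or more ROAs cover the prefix but none matches
    'not-found' - no ROA covers the prefix at all (RPKI says nothing)
    """
    pfx = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa_prefix, max_len, roa_asn in roas:
        roa = ipaddress.ip_network(roa_prefix, strict=False)
        if roa.version != pfx.version or not pfx.subnet_of(roa):
            continue  # this ROA does not cover the announcement
        covered = True
        if pfx.prefixlen <= max_len and roa_asn == origin_asn:
            return "valid"
    return "invalid" if covered else "not-found"


def classify_table(announcements: list[tuple[str, int]], roas: list[Roa]) -> dict[str, str]:
    """Validate a batch of (prefix, origin ASN) announcements, keyed by prefix."""
    return {p: rov_state(p, asn, roas) for p, asn in announcements}


if __name__ == "__main__":
    # Constructed announcements: the legitimate one, a wrong-origin one,
    # a too-specific one, and one outside any ROA.
    demo = [
        ("192.0.2.0/24", 64496),
        ("192.0.2.0/24", 64497),
        ("192.0.2.0/25", 64496),
        ("198.51.100.0/24", 64496),
    ]
    for prefix, state in classify_table(demo, SAMPLE_ROAS).items():
        print(f"{prefix:18} {state}")
```

A router policy that drops "invalid" routes protects against hijacks from unauthorised origins, but it also means that whoever can edit the ROAs for a prefix can make the owner's own announcements invalid, so access to the RIR account that publishes them deserves the same controls as the routers themselves.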

Russian hackers infiltrated Kyivstar networks since at least May 2023

Russian military hackers have been lurking in the network of Kyivstar, one of Ukraine’s three biggest telecom operators, since at least May 2023, according to Illia Vitiuk, head of the Security Service of Ukraine's (SBU) cybersecurity department. He revealed that the attack, which has been linked to the Sandworm hacking group, wiped “almost everything,” including thousands of virtual servers and PCs.

Russia hacked residential cameras in Ukraine to spy on air defense and critical infrastructure

The Security Service of Ukraine (SSU) took down two residential cameras hacked by the Russian intelligence services to spy on Ukraine's air defense systems and critical infrastructure. The data from these cameras, which were strategically placed to broadcast the operations of Ukraine's air defense systems and the locations of critical infrastructure, was used by Russia to support its January 2 missile attack on Ukraine and its capital, Kyiv. The missile attack killed at least five people and injured as many as 130.

UAC-0050 threat actor employs advanced evasion techniques in attacks on Ukraine

The notorious hacker group UAC-0050 has upgraded its tactics to enhance secrecy and efficacy. The threat actor has long been associated with cyber operations targeting government agencies in Ukraine, primarily utilizing the remote access tool called Remcos. The latest findings from Uptycs indicate that the group has adopted a sophisticated communication technique, referred to as the “pipe method,” to covertly transfer malicious data and avoid detection.

Over $80 million in crypto stolen from Orbit Chain project

South Korean cross-chain bridge project Orbit Chain was robbed of more than $80 million worth of cryptocurrency, including Ether, Dai, Tether, and USD Coin, following a series of drain attacks involving multiple asset types. There are currently no indications as to who may be behind the hack.

Free decryptor released for Black Basta ransomware

Security researchers released a free tool that restores data encrypted by the Black Basta ransomware. The tool exploits a weakness in the ransomware's use of its encryption algorithm: the ChaCha keystream used to XOR each 64-byte chunk of the target file was not advanced properly, so the same 64 keystream bytes were XORed onto every block that was encrypted.
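As an added illustration of why that flaw is fatal (this is example code written for this summary, not the researchers' decryptor and not Black Basta's code), the snippet below models a stream cipher whose 64-byte keystream block never advances. A constructed byte pattern stands in for the ChaCha output, and the plaintext is made up. Two consequences follow directly: XORing any two ciphertext blocks cancels the keystream and leaks the XOR of the plaintexts, and 64 bytes of known plaintext at any chunk-aligned offset (this example assumes a run of zero bytes, as many file formats contain) reveal the single keystream block that decrypts the entire file.

```python
BLOCK = 64


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_stuck_keystream(data: bytes, ks_block: bytes) -> bytes:
    """Models the defect described on the page: the same 64-byte keystream
    block is applied to every 64-byte chunk instead of advancing the stream.
    Because XOR is its own inverse, this function also decrypts."""
    assert len(ks_block) == BLOCK
    out = bytearray()
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        out += xor(chunk, ks_block[:len(chunk)])
    return bytes(out)


def ciphertext_xor_leak(ciphertext: bytes, i: int, j: int) -> bytes:
    """C_i XOR C_j == P_i XOR P_j when both blocks share one keystream block."""
    return xor(ciphertext[i * BLOCK:(i + 1) * BLOCK],
               ciphertext[j * BLOCK:(j + 1) * BLOCK])


def recover_keystream_block(ciphertext: bytes, known_plaintext: bytes, offset: int) -> bytes:
    """With 64 known plaintext bytes at a chunk-aligned offset, the keystream
    block falls out directly: KS = C XOR P."""
    assert offset % BLOCK == 0 and len(known_plaintext) == BLOCK
    return xor(ciphertext[offset:offset + BLOCK], known_plaintext)


def recover_file(ciphertext: bytes, known_plaintext: bytes, offset: int) -> bytes:
    """Recover the whole file from one known 64-byte block: the recovered
    keystream block decrypts every chunk, since every chunk used it."""
    ks = recover_keystream_block(ciphertext, known_plaintext, offset)
    return encrypt_stuck_keystream(ciphertext, ks)


def demo() -> tuple[bool, bool, bool]:
    # Constructed stand-in for a ChaCha keystream block (NOT real ChaCha output).
    ks_block = bytes((i * 37 + 11) & 0xFF for i in range(BLOCK))
    # Constructed plaintext: a header, a 64-byte run of zeros, then more content.
    plaintext = (b"CONSTRUCTED FILE HEADER ".ljust(BLOCK, b"#")
                 + bytes(BLOCK)
                 + b"trailing file content that should be recoverable too")
    ciphertext = encrypt_stuck_keystream(plaintext, ks_block)

    leak_matches = ciphertext_xor_leak(ciphertext, 0, 1) == xor(plaintext[:BLOCK],
                                                               plaintext[BLOCK:2 * BLOCK])
    recovered_ks = recover_keystream_block(ciphertext, bytes(BLOCK), BLOCK)
    recovered_file = recover_file(ciphertext, bytes(BLOCK), BLOCK)
    return leak_matches, recovered_ks == ks_block, recovered_file == plaintext


if __name__ == "__main__":
    print(demo())  # all three checks succeed
```

The same reasoning is why a correctly advancing stream cipher produces a different keystream block for every counter value: reuse of even one block across positions turns the cipher into a repeating-key XOR, which is recoverable from a single known block or, with enough text, from the leaked plaintext XORs alone.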

Zeppelin ransomware source code offered for sale for $500 on hacking forum

A threat actor has been offering for sale the source code and a cracked version of the Zeppelin ransomware builder for just $500. Zeppelin is a derivative of the Delphi-based Vega/VegaLocker malware family that was active between 2019 and 2022.

The seller said that they did not develop the malware but simply managed to crack a builder version for it, as reported by BleepingComputer.

Hackers hit Australian state's court recording database

Threat actors accessed the court recordings database in Australia's Victoria state and disrupted the audio-visual in-court technology network, impacting recordings and transcription services. Recordings of some hearings in courts between 1 November and 21 December 2023 may have been impacted, Court Services Victoria (CSV) said, adding that no other court systems or records, including employee or financial data, were accessed.

Malicious actors exploit innovative technique to bypass Windows security

Researchers with Security Joes published a detailed technical analysis of a sophisticated technique employed by threat actors to compromise the security of Windows operating systems. This new method leverages executables commonly found in the trusted WinSxS folder, exploiting them via the classic DLL Search Order Hijacking technique. The novel exploit exposes a vulnerability in the way Windows handles dynamic link library (DLL) loading, allowing threat actors to execute malicious code within the Windows environment.

LastPass enforces a 12-character minimum master password

LastPass has implemented stricter password measures, mandating that all customers use a master password with a minimum of 12 characters. This requirement, initiated in April 2023 for new customers and existing ones resetting their passwords, will be universally enforced starting January 2024. Customers are required to log in to confirm their compliance with the new policy. Those already using a 12-character or longer master password are unaffected, while others must create or update their master passwords accordingly.
