Cyber Security Week in Review: January 26, 2024


Apple WebKit zero-day and other important bugs

Apple released security updates for iOS, iPadOS, macOS, tvOS and the Safari browser to address an actively exploited zero-day vulnerability. The flaw, CVE-2024-23222, is a type confusion issue in the WebKit browser engine triggered when processing maliciously crafted web content. A remote attacker who lures a victim to a malicious website could exploit it to execute arbitrary code. The flaw was addressed with improved checks.

The company did not share any details regarding the nature of the exploitation or when it occurred.

Fortra, the company behind the widely used GoAnywhere MFT (Managed File Transfer) software, warned of a critical vulnerability that could allow attackers to compromise unpatched instances. Tracked as CVE-2024-0204, the flaw is an authentication bypass caused by missing authorization checks on the InitialAccountSetup.xhtml setup page combined with a path normalization issue. An unauthenticated remote attacker can use it to reach the setup wizard on an already-configured instance, create an administrative account and gain full control of the system.

The flaw affects GoAnywhere MFT 6.x from 6.0.1 onward and 7.x up to and including 7.4.0; it was fixed in GoAnywhere MFT 7.4.1.
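Because the bug combines a missing authorization check with a path normalization problem, a filter that matches the setup page only as a plain prefix can miss requests that reach it through traversal tricks. The following log-triage script, added here as an illustration and not part of Fortra's advisory or tooling, normalizes each request path the way a servlet container does (percent-decoding, stripping `;` path parameters, collapsing `..` segments) before deciding whether it lands on InitialAccountSetup.xhtml. The log lines, the log format regex and the specific traversal encodings are constructed for the example; they illustrate the class of bypass, not the exact strings seen in the wild.

```python
"""Triage web-server access logs for requests that resolve to the GoAnywhere MFT
InitialAccountSetup.xhtml page after URL normalization (added example)."""
import posixpath
import re
from typing import Dict, Iterable, List
from urllib.parse import unquote

# The setup page named in Fortra's advisory; it should never be reachable once the
# initial admin account exists.
SETUP_PAGE = "/wizard/InitialAccountSetup.xhtml"

# Apache/Tomcat "combined" access-log shape (constructed regex for the example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines. The ";" path parameters and percent-encoded dot
# segments are illustrative normalization-bypass forms, not observed attack strings.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Jan/2024:10:01:02 +0000] "GET /goanywhere/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 200 5120
203.0.113.5 - - [22/Jan/2024:10:01:09 +0000] "POST /goanywhere/..;/wizard/InitialAccountSetup.xhtml HTTP/1.1" 302 0
198.51.100.7 - - [22/Jan/2024:10:02:00 +0000] "GET /goanywhere/auth/Login.xhtml HTTP/1.1" 200 8000
203.0.113.9 - - [22/Jan/2024:10:03:00 +0000] "GET /goanywhere/%2e%2e;/wizard/InitialAccountSetup.xhtml?x=1 HTTP/1.1" 200 5120
"""


def normalize_path(raw: str) -> str:
    """Resolve a request path the way a servlet container does before routing:
    percent-decode once, drop the query string, strip ';' path parameters from
    every segment, then collapse '.' and '..' segments."""
    path = unquote(raw).split("?", 1)[0]
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    joined = "/" + "/".join(seg for seg in segments if seg)
    return posixpath.normpath(joined)


def find_setup_page_hits(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every parsed request whose normalized path ends in the setup page.
    The comparison is case-insensitive to cover case-insensitive file systems."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        if normalize_path(m["path"]).lower().endswith(SETUP_PAGE.lower()):
            hits.append({"ip": m["ip"], "method": m["method"],
                         "status": m["status"], "raw_path": m["path"]})
    return hits


if __name__ == "__main__":
    for hit in find_setup_page_hits(SAMPLE_LOG.splitlines()):
        print(hit)
```

Any hit on a production instance that finished its initial setup long ago deserves a look at the admin user list for accounts created around the same timestamp; a POST followed by a redirect is the pattern of a completed wizard submission.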

Cisco issued patches for multiple security flaws in its products, including a high-severity vulnerability in its Unified Communications and Contact Center Solutions products that could lead to system takeover. Tracked as CVE-2024-20253, the flaw is a deserialization of untrusted data issue caused by insecure validation of user-supplied serialized data. An unauthenticated remote attacker can send a specially crafted message to a listening port of an affected device and execute arbitrary code on the target system.

The vendor also addressed a high-risk arbitrary file upload bug (CVE-2024-20272) in Cisco Unity Connection that could allow an unauthenticated attacker to upload arbitrary files and gain root privileges on the affected system.

The maintainers of the open-source continuous integration/continuous delivery (CI/CD) automation software Jenkins also patched a number of vulnerabilities, including an arbitrary file read through the built-in command-line interface (CVE-2024-23897, rated critical) that can be chained to remote code execution, and a cross-site WebSocket hijacking issue in the same CLI (CVE-2024-23898).

Critical Atlassian Confluence vulnerability is actively exploited by threat actors

Malicious actors are attempting to exploit a recently disclosed critical vulnerability affecting outdated versions of Atlassian Confluence servers, security researchers warn. Tracked as CVE-2023-22527, the flaw is a template injection issue that can lead to remote code execution. According to Atlassian, the vulnerability affects only out-of-date Confluence Data Center and Confluence Server versions 8.0.0 through 8.5.3. The issue was fixed in Confluence Data Center and Server 8.5.4 (LTS), 8.6.0 (Data Center only) and 8.7.1 (Data Center only), and later releases.

Threat monitoring service Shadowserver reported that it observed over 36,000 exploitation attempts coming from over 600 IP addresses.

Apache ActiveMQ bug abused to deploy Godzilla web shells

Threat actors are increasingly exploiting a recently patched flaw in the Apache ActiveMQ message broker to deliver the Godzilla web shell to targeted hosts. The targeted vulnerability is CVE-2023-46604, a deserialization of untrusted data within the OpenWire protocol. A remote attacker can pass specially crafted data to the application and execute arbitrary code on the target system. In the latest attack observed by Trustwave, vulnerable hosts have been targeted by JSP-based web shells hidden within the ‘admin’ folder of the ActiveMQ installation directory.

Chinese cyber spies have exploited VMware zero-day since 2021

A highly advanced China-nexus espionage group has been exploiting a critical VMware vCenter Server flaw (CVE-2023-34048) as a zero-day since 2021, Google-owned cybersecurity firm Mandiant reported. The company has attributed the observed campaign to UNC3886, a threat actor known for its previous attacks against security flaws in VMware and Fortinet appliances.

Russian hackers APT29 accessed emails of Microsoft, HP executives

Russian government hackers known as Midnight Blizzard, APT29, Cozy Bear and Nobelium compromised the email environments of Microsoft and technology manufacturer Hewlett Packard Enterprise (HPE) and extracted data from inboxes.

In the case of Microsoft, the hackers compromised corporate systems and gained access to the email accounts of company employees, including senior staff, and “exfiltrated some emails and attached documents.” According to Microsoft, the attackers initially compromised a legacy non-production test tenant account using a password spray attack, that is, trying a small number of common passwords against many accounts so that no single account trips a lockout threshold.
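The defining signature of a password spray is the inverse of a brute force: one source touches many accounts with one or two attempts each instead of hammering one account. The detector below, added here as an example and not Microsoft's own detection logic, slides a time window over failed sign-ins per source address, raises an alert when the number of distinct accounts in the window crosses a threshold, and then lists which accounts that source later signed into successfully, since those are the ones to treat as compromised first. The sign-in events, addresses, account names and thresholds are all constructed for the example.

```python
"""Detect password-spray behaviour in sign-in telemetry: one source trying many
different accounts with few attempts each (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# (timestamp, account, source_ip, outcome) -- constructed sign-in events.
Event = Tuple[datetime, str, str, str]
_T0 = datetime(2024, 1, 12, 3, 0, 0)

SAMPLE_EVENTS: List[Event] = []
# A spray: 12 accounts, one failed guess each, from one address, one minute apart,
# then a miss and a hit against a legacy test account.
for i in range(12):
    SAMPLE_EVENTS.append((_T0 + timedelta(minutes=i), f"user{i:02d}@example.com",
                          "203.0.113.10", "failure"))
SAMPLE_EVENTS.append((_T0 + timedelta(minutes=13), "legacy-test@example.com",
                      "203.0.113.10", "failure"))
SAMPLE_EVENTS.append((_T0 + timedelta(minutes=14), "legacy-test@example.com",
                      "203.0.113.10", "success"))
# A single-account brute force: many failures, but only one account (not a spray).
for i in range(15):
    SAMPLE_EVENTS.append((_T0 + timedelta(minutes=i), "alice@example.com",
                          "198.51.100.20", "failure"))
# Ordinary typos from an office address.
SAMPLE_EVENTS.append((_T0 + timedelta(minutes=5), "bob@example.com", "192.0.2.1", "failure"))
SAMPLE_EVENTS.append((_T0 + timedelta(minutes=6), "bob@example.com", "192.0.2.1", "success"))


def spray_report(events: List[Event], window: timedelta = timedelta(minutes=30),
                 min_accounts: int = 10) -> Dict[str, Dict[str, object]]:
    """Return {source_ip: {"accounts": n, "successes": [...]}} for every source that
    failed against at least `min_accounts` distinct accounts inside a sliding
    `window`. The brute-force address never trips this: it touches one account."""
    failures: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    successes: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, account, ip, outcome in events:
        (failures if outcome == "failure" else successes)[ip].append((ts, account))

    report: Dict[str, Dict[str, object]] = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        peak = 0
        first_alert: Optional[datetime] = None
        for end, (ts_end, _) in enumerate(fails):
            while ts_end - fails[start][0] > window:
                start += 1  # slide the window forward
            distinct = {acct for _, acct in fails[start:end + 1]}
            if len(distinct) >= min_accounts:
                peak = max(peak, len(distinct))
                if first_alert is None:
                    first_alert = fails[start][0]
        if peak:
            # Any success from the same source after the spray began marks the
            # account to investigate first.
            hit = sorted({acct for ts, acct in successes.get(ip, [])
                          if first_alert is not None and ts >= first_alert})
            report[ip] = {"accounts": peak, "successes": hit}
    return report


if __name__ == "__main__":
    for ip, info in spray_report(SAMPLE_EVENTS).items():
        print(ip, info)
```

Real sprays rotate source addresses and pace attempts to stay under lockout thresholds, so in production the same logic is usually keyed on an ASN, a user-agent fingerprint or a tenant-wide count of "one failure per account" events in addition to the raw IP.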

HPE said the threat actors stole information from email accounts belonging to a small number of individuals in its cybersecurity, go-to-market, business segment and other functions.

Following the intrusion, Microsoft released additional technical details on the techniques used by Midnight Blizzard, along with recommendations on how to protect, detect, and respond to similar nation-state attacks.

North Korean ScarCruft hackers target security professionals with innovative tactics

A North Korean state-backed hacker group known as ScarCruft has been observed targeting media organizations and high-profile experts specializing in North Korean affairs in a new cyberespionage campaign. In the recent campaign, the group employed a novel lure tactic involving a threat intelligence report on another well-known North Korean threat actor, Kimsuky. The infection routine observed in the latest campaign includes the use of oversized Windows Shortcut (LNK) files initiating multi-stage infection chains delivering RokRAT, a sophisticated custom malware associated with ScarCruft.

China-linked Blackwood hackers deliver the NSPX30 implant via software updates

ESET published an extensive report shedding light on a new sophisticated cyberespionage campaign orchestrated by a previously undisclosed China-aligned threat actor dubbed ‘Blackwood’. The threat actor is believed to have been operating since at least 2018, using a sophisticated implant named “NSPX30” delivered via adversary-in-the-middle (AitM) attacks hijacking update requests from legitimate software. The targets included Chinese and Japanese companies, as well as individuals located in China, Japan, and the UK.

ESET researchers identified NSPX30 being delivered through compromised updates of popular Chinese applications, including Tencent QQ, Sogou Pinyin, and WPS Office.

Pro-Ukraine hackers claim a devastating attack on a Russian scientific research center

The Russian Space Hydrometeorology Research Center, Planeta, fell victim to a cyberattack orchestrated by the BO Team group, the Ukrainian Main Intelligence Directorate (HUR) revealed. The pro-Ukrainian hacktivist group wiped 280 servers at the center's largest branch in Russia's Far East. Planeta, a crucial federal enterprise, processes satellite data for over 50 government agencies, including the Russian Defense Ministry, General Staff, and Emergency Situations Service.

The cyberattack reportedly destroyed nearly 2 petabytes (about 2 million gigabytes) of data, including meteorological and satellite information routinely used by various Russian agencies and unique research developed over the years, disrupting the operations of the Russian Defense Ministry, Emergency Situations Ministry, Roscosmos and other government entities.

Ukraine’s security service arrested a hacker who prepared cyberattacks on Ukrainian govt websites and guided Russian missiles at Kharkiv

The Security Service of Ukraine's (SSU) cyber unit apprehended a member of the Russian FSB-controlled hacking group called “People's Cyber Army,” who has orchestrated cyberattacks on Ukrainian government websites and played a role in guiding Russian missiles at the city of Kharkiv, including civilian infrastructure and a local hospital.

Additionally, the hacker was involved in espionage activities, monitoring the locations of Defense Forces in the region, with a focus on potential sites of the Armed Forces of Ukraine (AFU) air defense and artillery positions. The hacker was also following FSB directives to prepare for a series of Distributed Denial of Service (DDoS) attacks on the websites of Ukrainian state enterprises and government agencies.

Critical infrastructure companies in Ukraine targeted in cyberattacks

Several critical infrastructure companies in Ukraine, including the country's largest oil and gas company Naftogaz, the national postal service Ukrposhta, and the transportation safety agency DSBT, have reported cyberattacks on their systems. Naftogaz stated that hackers targeted its data center, while Ukrposhta experienced disruptions to its services due to an attack on the information infrastructure of its partners. The transportation agency DSBT faced disruptions in website operations and the “Shlyah” system used by drivers for cross-border activities. Ukraine's state railway, Ukrzaliznytsia, also reported cyberattacks affecting online ticket purchases for electric trains in Kyiv.

At present, it’s unclear what threat actor (or threat actors) is responsible for the attacks.

A loophole in GKE could allow an attacker with any Google account to take over a misconfigured Kubernetes cluster

Cloud security startup Orca Security found a loophole in Google Kubernetes Engine (GKE) that could allow an attacker with any Google account to take over a misconfigured Kubernetes cluster, potentially leading to serious security incidents such as cryptomining, denial of service, and sensitive data theft.

The issue stems from privileges that cluster administrators grant to the system:authenticated group, which in GKE covers every holder of a Google account, not just members of the organization. The researchers showed that an access token obtained through Google's OAuth 2.0 Playground is enough to act as a member of that group: by default it grants only discovery-level API access, but any broader role an administrator has bound to the group becomes available to anyone with a Google account. Orca identified over 250,000 publicly exposed GKE clusters, approximately 1,300 of which appeared vulnerable to this misconfiguration.
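The practical check is an RBAC audit: list every ClusterRoleBinding and RoleBinding whose subjects include system:authenticated (or system:unauthenticated) and ignore only the bindings upstream Kubernetes creates for discovery. The script below is an added example, not Orca's tooling; its input mirrors the shape of `kubectl get clusterrolebindings,rolebindings -A -o json`, and the bindings, role names and user names in it are constructed. The three default binding names it skips are the ones upstream Kubernetes ships for the broad groups.

```python
"""Audit Kubernetes RBAC bindings for privileges granted to every authenticated
principal (added example, constructed input)."""
import json
from typing import Dict, List

# Input shape matches `kubectl get clusterrolebindings,rolebindings -A -o json`.
# These bindings are constructed for the example; "dev-convenience" is the kind of
# misconfiguration the report describes.
SAMPLE_BINDINGS = json.loads("""
{
  "kind": "List",
  "items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-convenience"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ns-reader", "namespace": "staging"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "platform-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}]}
  ]
}
""")

# Groups that mean "anyone": in GKE, system:authenticated is every Google account.
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}
# Bindings upstream Kubernetes creates for the broad groups; they grant only
# discovery-level access and are expected to exist.
DEFAULT_BROAD_BINDINGS = {"system:basic-user", "system:discovery",
                          "system:public-info-viewer"}


def audit_broad_bindings(bindings: Dict) -> List[Dict[str, str]]:
    """Return one finding per non-default binding that hands a role to a broad group."""
    findings = []
    for item in bindings.get("items", []):
        meta = item.get("metadata", {})
        name = meta.get("name", "")
        ns = meta.get("namespace")
        if item.get("kind") == "ClusterRoleBinding" and name in DEFAULT_BROAD_BINDINGS:
            continue
        # "subjects" may be null in real output, hence the "or []".
        broad = [s["name"] for s in item.get("subjects") or []
                 if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS]
        if not broad:
            continue
        findings.append({
            "binding": f"{ns}/{name}" if ns else name,
            "scope": f"namespace {ns}" if ns else "cluster-wide",
            "role": f"{item['roleRef']['kind']}/{item['roleRef']['name']}",
            "group": ",".join(broad),
        })
    return findings


if __name__ == "__main__":
    for f in audit_broad_bindings(SAMPLE_BINDINGS):
        print(f)
```

Every finding should be replaced by a binding to a named user, a named Google group or a service account; a cluster-wide cluster-admin binding to system:authenticated, as in the constructed "dev-convenience" entry, is exactly the case that turns any Google account into a cluster administrator.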

TDS platform VexTrio runs massive cybercrime operation involving over 60 affiliates

Cybersecurity researchers at Infoblox published a report exposing VexTrio, a massive malicious traffic direction system (TDS) organization. VexTrio, with a shadowy network of over 60 affiliates, has been diverting traffic into its web, operating both its own TDS network and collaborating with affiliates such as ClearFake and SocGholish.

Australia imposes sanctions on a Russian hacker for the Medibank hack

Australia has imposed sanctions on a Russian hacker for his alleged involvement in a high-profile ransomware attack on the country's largest private health insurer, Medibank, that occurred in November 2022. The hacker, identified as 33-year-old Russian national Aleksandr Ermakov, is believed to be a member of the notorious Russian ransomware gang REvil.

The sanctions include travel bans and financial measures that allow the Australian government to freeze the accused's assets, including cryptocurrency wallets and ransomware payments. Providing assets to him may result in severe penalties, including up to 10 years of imprisonment.

Trickbot malware dev sentenced to over 5 years in prison

A Russian national, Vladimir Dunaev, has been sentenced to five years and four months in prison for his role in developing and deploying the malicious software Trickbot. The Trickbot malware, taken down in 2022, aimed at stealing money and facilitating ransomware and was used to carry out cyberattacks against businesses, schools and hospitals worldwide. Dunaev provided specialized services to the Trickbot operation, developing browser modifications and malicious tools for credential harvesting, data mining, and enhancing remote access. Dunaev's sentencing comes after the conviction of another Trickbot member, Alla Witte, who received a two-year and three-month prison sentence before being deported.

Former BreachForums admin sentenced to 20 years of supervised release, no jail time

Conor Brian Fitzpatrick, the owner of the notorious hacker forum BreachForums, was sentenced to 20 years of supervised release. During the first two years he will be under home detention with a GPS monitor and must undergo mental health treatment. To protect the public, he is also prohibited from accessing the internet during the first year of his release, and probation officers will install monitoring software on his computer to detect any illicit activity.

Ransomware attack on Finnish IT provider Tietoevry causes downtime for customers in Sweden

Finnish IT services and enterprise cloud hosting provider Tietoevry was hit by an Akira ransomware attack over the weekend that affected one of the company's data centers in Sweden. The attack reportedly encrypted Tietoevry's virtualization and management servers used to host websites and applications for many Swedish organizations, including the country's largest cinema chain, Filmstaden. The intrusion is also said to have affected retail chain Rusta, construction materials provider Moelven, farming supplier Granngården, several universities and colleges, and a number of government agencies and municipalities.

US securities lender EquiLend hit with a cyberattack

Fintech company EquiLend said it experienced a cyberattack resulting in unauthorized access to its systems. In response, the company has taken several systems offline and is working with external cybersecurity firms and professional advisers to investigate and restore services. The company said that the restoration process may take several days.

‘Mother of All Breaches’ exposes 26 billion records

Cybersecurity researchers discovered what they dubbed the “Mother of all Breaches” (MOAB), a supermassive database containing 26 billion records, including LinkedIn, Twitter, Weibo, Tencent, and other platforms’ user data. The MOAB is said to be a compilation of meticulously indexed data from thousands of previous leaks, breaches, and privately sold databases. While the majority of the exposed records are from past breaches, researchers warn that the MOAB likely contains previously unpublished data.
