Cyber Security Week in Review: April 5, 2024


Backdoor in XZ Utils can lead to SSH server compromise

Malicious code that can lead to system compromise has been uncovered in XZ Utils, a compression library widely used across Linux distributions. Tracked as CVE-2024-3094, the issue was found in versions 5.6.0 and 5.6.1 of XZ Utils. The backdoor is not present in the source code found in the Git repository but is introduced in the distributed tarballs.

Following the disclosure, the US Cybersecurity and Infrastructure Security Agency (CISA) released a security advisory regarding CVE-2024-3094, advising users to downgrade XZ Utils to an uncompromised version, such as XZ Utils 5.4.6 Stable.
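A quick defender-side check for the affected XZ Utils releases named above, written for this digest as an added example (not code from the article, CISA or the XZ project). It assumes `xz --version` prints a first line of the form "xz (XZ Utils) 5.6.1", and optionally reports whether the local sshd binary links liblzma, the library the backdoor lives in.

```shell
#!/bin/sh
# Added example: flag an installed xz/liblzma that is one of the two
# backdoored releases (CVE-2024-3094). Assumption: `xz --version` output
# starts with a line like "xz (XZ Utils) 5.6.1".

# Returns 0 (true) when the version string is one of the affected
# releases named in the advisory, 1 otherwise.
xz_version_affected() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Extracts the bare version number from `xz --version` style output.
xz_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/.*XZ Utils) \([0-9.]*\).*/\1/p'
}

# Checks the live system. Exit status: 0 ok or not installed, 2 affected.
check_xz() {
    if ! command -v xz >/dev/null 2>&1; then
        echo "xz not installed"
        return 0
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if xz_version_affected "$ver"; then
        echo "AFFECTED: xz $ver (CVE-2024-3094); downgrade to 5.4.6"
        return 2
    fi
    echo "OK: xz $ver is not in the affected set"
    return 0
}

# Informational: an sshd that (transitively) links liblzma is the
# exposure path the advisory warns about.
sshd_links_liblzma() {
    bin=$(command -v sshd 2>/dev/null) || return 1
    ldd "$bin" 2>/dev/null | grep -q liblzma
}

check_xz
if sshd_links_liblzma; then
    echo "note: sshd links liblzma, so an affected xz would expose it"
fi
```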

Google fixes two Pixel zero-days exploited by forensic companies

Google has released its April 2024 Android security patches that address multiple vulnerabilities, including two zero-day flaws affecting Pixel smartphones. One of the zero-days is CVE-2024-29745, an information disclosure flaw in the bootloader component that can allow a local application to gain access to sensitive data. The second zero-day, tracked as CVE-2024-29748, is described as an improper input validation issue that can lead to remote code execution.

According to the maintainers of GrapheneOS, the above-mentioned vulnerabilities “are being actively exploited in the wild by forensic companies.”

Ivanti addresses high-risk Connect Secure and Policy Secure flaws

Ivanti has rolled out security updates to patch a slew of vulnerabilities affecting its Connect Secure and Policy Secure products. Security updates cover four vulnerabilities, including a high-risk flaw (CVE-2024-21894) that can be abused for remote code execution. The vulnerability exists due to a boundary error within the IPSec component. A remote attacker can send specially crafted packets to the device, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

The three other bugs (CVE-2024-22052, CVE-2024-22053, CVE-2024-22023) are deemed medium risk and could be exploited by a remote attacker to trigger a denial-of-service (DoS) condition.

In related news, Mandiant released a report highlighting the exploitation of flaws impacting Ivanti appliances (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) by multiple China-linked threat actors, including UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, UNC5337, and UNC3886. The Google subsidiary said it has also identified financially motivated actors exploiting CVE-2023-46805 and CVE-2024-21887, likely to enable operations such as crypto-mining. Since the public disclosure on January 10, 2024, Mandiant has observed eight distinct clusters involved in the exploitation of one or more of these Ivanti CVEs.

HTTP/2 CONTINUATION Flood can lead to denial of service (DoS) attacks

A set of vulnerabilities in the HTTP/2 protocol dubbed “CONTINUATION Flood” has been uncovered. These vulnerabilities can be exploited to launch denial of service (DoS) attacks, capable of crashing web servers with just a single TCP connection in certain implementations. The impact of these vulnerabilities extends to disrupting server availability, ranging from crashes to significant performance degradation.

Chinese cyberespionage cluster Earth Freybug adds new Unapimon malware to its arsenal

A threat activity cluster known as Earth Freybug has been observed employing a new malware variant named Unapimon. Described as a simple yet effective C++-based malware, Unapimon comes with advanced features focused on thwarting detection mechanisms. It utilizes a technique to prevent child processes from being monitored, thus evading detection in sandbox environments. The malware achieves this by leveraging the Detours library, a Microsoft open-source tool, to unhook critical API functions.

Chinese hackers exploited Swedes' routers to launch cyberattacks

The state-backed Chinese hacker group APT31 has used routers belonging to Swedish citizens as part of cyberattacks against a range of countries, Säpo (Swedish Security Service) revealed. According to Säpo's press spokesperson Fredrik Hultgren-Friberg, APT31 conducted extensive cyberattacks during 2020 and 2021 against several countries in Europe.

Ukraine gathers evidence to prosecute hackers behind the Kyivstar attack in The Hague

The Ukrainian State Security Service (SBU) said it is building a case against the Russian hackers responsible for the December 2023 cyberattack on the nation's largest telecommunications operator, Kyivstar, in order to prosecute them at the International Criminal Court (ICC) in The Hague.

According to the SBU, the attack on Kyivstar was orchestrated by the hacker group known as Sandworm, which is identified as a state-sponsored unit within Russia's intelligence apparatus.

Illya Vitiyuk, the head of the Cybersecurity Department, said that the SBU is currently conducting a series of expert examinations to assess the extent of the damage caused by the hackers to the affected systems. Additionally, the security agency has initiated requests to obtain further information from international partners.

New Gamaredon infrastructure uncovered

Embee Research published a report detailing new server infrastructure used by the Russia-associated Gamaredon (aka Aktinium, Armageddon, UAC-0010) threat actor linked to multiple cyberattacks against Ukrainian entities.

Russia is reportedly trying to sabotage European railways

Russia has launched numerous cyberattacks aimed at European rail networks with the intent to destabilize the EU and disrupt critical infrastructure, Martin Kupka, the Czech Republic's transport minister, told the Financial Times. These attacks targeted signalling systems and the networks of České dráhy, the Czech national railway operator, raising concerns about potential accidents and service disruptions.

US cyber board blames Microsoft for the May Storm-0558 hack

The DHS Cyber Safety Review Board (CSRB) has released a report on the May 2023 breach of Microsoft by the Chinese threat actor Storm-0558, in which the hackers accessed an unspecified number of email accounts linked to around 25 organizations, including related individual consumer accounts and government agencies in Western Europe and the US. The CSRB’s report found Microsoft at fault for the intrusion, which officials said was “preventable,” adding that “Storm-0558 was able to succeed because of a cascade of security failures at Microsoft.” The board concluded that Microsoft's security culture is inadequate and requires a comprehensive overhaul.

China-linked cyber spies targeting multiple regions with an advanced Linux backdoor

Check Point’s threat analysis team published a report detailing a Linux version of a cross-platform backdoor named DinodasRAT, also known as XDealer, previously linked to Chinese threat actor LuoYu. The Linux version, tracked as Linodas, is more mature than the Windows variant, tailored with capabilities specifically aimed at Linux servers.

Hackers claim to steal US government data

A group of threat actors known as IntelBroker, Sanggiero and EnergyWeaponUser claim to have breached Acuity Inc, a US-based tech consulting firm. The hackers claim to have stolen sensitive information on United States government personnel and United States allies. Some of the data shared shows information on individuals from the Department of Justice, Federal Bureau of Investigation, Department of Homeland Security, and Department of State. The stolen information allegedly includes employees' full names, government e-mail addresses, and government phone numbers (with extensions where applicable).

Acuity has confirmed the hack but said that the affected GitHub repositories housed dated and non-sensitive information.

Law enforcement crackdown had a significant impact on the LockBit ransomware operation

In the aftermath of Operation Cronos, the LockBit ransomware group faces significant setbacks as its operations are impeded, according to a new report from Trend Micro. Recent data reveals that nearly 80% of the victim entries posted on the group's site after Operation Cronos are fake.

Hackers deliver info-stealing malware via YouTube video game cracks

Threat actors are disseminating malware through YouTube channels masquerading as sources for cracked and pirated video games. Multiple YouTube channels have been identified as being used for malware distribution, with video descriptions containing links leading to the download of malicious payloads. The malware, which includes notorious variants such as Vidar, StealC, and Lumma Stealer, is designed to steal sensitive information from users' systems.

The attacks appear to target ordinary users who lack enterprise-grade security measures on their personal computers, the company said.

Threat actors drop malware through Facebook pages impersonating AI brands

Cybercriminals have begun exploiting the popularity of generative artificial intelligence software by spreading malware through Facebook pages impersonating well-known AI brands like Midjourney, Sora AI, and ChatGPT 5. The malicious pages on Facebook are meticulously designed to trick users into downloading purportedly official desktop versions of popular AI software. The cybercriminals behind these campaigns regularly change and adapt the malicious payloads in an attempt to avoid further detection from security software. The malicious ads serve Rilide, Vidar, IceRAT, and Nova info-stealers.

A new version of JsOutProx is targeting financial institutions in APAC and MENA

Resecurity researchers discovered a new variant of the JsOutProx attack framework targeting financial services and organizations in the APAC and MENA regions. The latest campaign observed by the researchers uses fake SWIFT or MoneyGram payment notifications to trick email recipients into executing the malicious code. Most of the identified payloads were hosted on GitHub and GitLab repositories.

New Latrodectus malware is being distributed in the wild

Proofpoint spotted a new advanced malware strain named “Latrodectus,” a downloader with various sandbox-evasion functions. While similar to IcedID, Proofpoint says it is entirely new malware, likely created by the IcedID developers. Latrodectus has been observed in campaigns by the TA577 and TA578 cybercrime threat actors.

Hackers abuse Google Ads tracking feature to deliver malware

Threat actors are exploiting a tracking feature in Google Ads to deliver malicious software, researchers at AhnLab Security Intelligence Center (ASEC) have warned. The observed cases revealed that the malware is being disseminated under the guise of installers for popular groupware applications such as Notion and Slack. Once installed and executed, the malware proceeds to download malicious files and payloads from the attacker’s server, potentially compromising the security of the affected systems.

OWASP Foundation discloses data breach due to Wiki web server misconfiguration

OWASP Foundation, a US-based non-profit organization that supports the OWASP (Open Worldwide Application Security Project) infrastructure and projects, has disclosed a security incident that affected member resumes. The data breach, which occurred in late February 2024, was caused by a misconfiguration of OWASP’s old Wiki web server. The incident impacted the personally identifiable information (PII) of OWASP members from 2006 to around 2014 who provided their resumes as part of joining OWASP. The affected data includes names, email addresses, phone numbers, physical addresses and other personal information, the foundation said in a short data breach notice.

Japanese optics giant Hoya hit with a cyberattack

The world’s second-largest eyeglass and lens-maker Hoya disclosed a cybersecurity incident that affected “the systems for some production plants and the ordering system for several products.” The breach took place on March 30, 2024. The company has launched an investigation to determine the scope of the breach and whether any customer or personal data was taken during the incident.

Google to delete billions of personal records following settlement in privacy lawsuit

The US tech giant Google has agreed to remove billions of personal records collected from over 136 million individuals in the United States who used its Chrome web browser. The move is part of a settlement in response to a class-action lawsuit accusing Google of engaging in illegal surveillance practices.
