10 May 2024

Cyber Security Week in Review: May 10, 2024


Google patches a Chrome zero-day

Google has rolled out a security update for the Chrome browser to fix a zero-day vulnerability exploited in the wild. Tracked as CVE-2024-4671, the flaw is a use-after-free issue within the Visuals component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system. The internet giant addressed the bug with the release of Chrome versions 124.0.6367.201/.202 for Mac/Windows and 124.0.6367.201 for Linux.

In other news, F5 has fixed two high-severity SQL injection vulnerabilities (CVE-2024-26026, CVE-2024-21793) in BIG-IP Next Central Manager that allow a remote attacker to execute arbitrary SQL commands or perform a Man-in-the-Middle (MitM) attack.

Citrix has updated its advisory about a security issue affecting the PuTTY SSH client bundled with XenCenter for Citrix Hypervisor 8.2 CU1 LTSR. The vulnerability, tracked as CVE-2024-31497, could potentially enable attackers to pilfer the private SSH key of a XenCenter administrator. The flaw impacts various versions of XenCenter that utilize PuTTY for SSH connections to guest virtual machines when users click the “Open SSH Console” button. Citrix advises affected customers who do not wish to use the “Open SSH Console” functionality to remove the PuTTY component completely. Those who wish to maintain the existing usage of PuTTY should replace the version installed on their XenCenter system with an updated version (with a version number of at least 0.81).

New Mirai botnet exploits Ivanti Pulse Secure bugs

Two critical security vulnerabilities, CVE-2023-46805 and CVE-2024-21887, affecting Ivanti Connect Secure (ICS) products are being actively exploited by cyber attackers to deploy the Mirai payload. According to Juniper Threat Labs, the attack involves exploiting CVE-2023-46805 to gain access to the vulnerable endpoint “/api/v1/license/key-status/”, which is susceptible to command injection. Once access is gained, attackers inject the Mirai botnet payload, facilitating further malicious activities.

Nearly 49M Dell customer records up for sale on the dark web

US PC giant Dell Technologies has reportedly been hit with a massive data breach, with approximately 49 million customer records stolen and put up for sale on the dark web. In a notification sent to affected customers, Dell said that a portal containing customer purchase information was breached. While the stolen data includes customers' names, addresses, and details regarding their Dell equipment, sensitive information such as payment details appears to be unaffected.

Marriott admits its systems were not encrypted before 2018 data breach

Hospitality giant Marriott International has admitted that its systems were not encrypted before the 2018 data breach. Marriott acknowledged that it utilized the Secure Hash Algorithm 1 (SHA-1), which does not qualify as encryption, instead of the Advanced Encryption Standard 128 (AES-128) it had previously claimed to use.

LockBit ransomware leader unmasked, charged and sanctioned in the US, UK, and Australia

In a coordinated effort, US, UK and Australian authorities and Europol have revealed indictments and sanctions against the administrator of the notorious LockBit ransomware operation. For the first time, the identity of the Russian threat actor behind the aliases ‘LockBitSupp’ and ‘putincrab’ has been disclosed, identified as Dmitry Yuryevich Khoroshev. According to the indictment, Khoroshev allegedly was the mastermind behind the LockBit ransomware group, acting as both developer and administrator from its inception in September 2019 until May 2024.

Russian operator behind BTC-e crypto exchange pleads guilty to money laundering

Alexander Vinnik, a Russian national, pleaded guilty to conspiracy to commit money laundering related to his involvement in operating the cryptocurrency exchange BTC-e from 2011 to 2017. Court documents reveal that Vinnik, 44, was one of the key operators of BTC-e, which once stood as one of the world’s largest virtual currency exchanges. During its operation, BTC-e processed over $9 billion in transactions and served more than one million users globally, including a significant number of customers within the United States. BTC-e was linked to the hack of the now-defunct crypto exchange Mt. Gox after it was used to launder some 300,000 bitcoins obtained through the breach. BTC-e was shut down in July 2017, at the same time Vinnik was first arrested.

In related news, law enforcement agencies from Austria, Cyprus, and Czechia dismantled an online cryptocurrency scam, leading to the arrest of six Austrians believed to be the masterminds. The scammers presented themselves as the founders of a legitimate online trading company that purportedly launched a new cryptocurrency. They conducted an initial coin offering (ICO) for 10 million tokens, offering investors rights to the new currency. Investors paid in established cryptocurrencies like Bitcoin or Ethereum. To bolster credibility, the fraudsters claimed that they had developed proprietary software and a unique algorithm for token sales. After conducting six house searches, authorities confiscated more than 500,000 euros in cryptocurrencies and 250,000 euros in fiat currency. Numerous bank accounts linked to the scam were also frozen.

Massive BogusBazaar fraud ring steals credit cards from thousands of victims

A sophisticated criminal syndicate, dubbed BogusBazaar, has been uncovered that operates a network of over 75,000 fake e-commerce websites, defrauding unsuspecting online shoppers to the tune of millions of dollars. According to analysts at SRLabs, BogusBazaar has defrauded more than 850,000 victims, mainly from Western Europe and the US. The operation leverages two primary methods: credit card harvesting and fake selling. To lure victims, the fraudsters offer seemingly attractive deals on shoes and apparel from reputed brands at low prices.

Russian military spies APT28 exploited Outlook 0day to attack Czechia and Germany

Czechia, Germany and allies have accused Russia of orchestrating cyberattacks against democratic institutions and political parties across Europe and other countries. Germany said that the 2023 breach of the Social Democratic Party was conducted by APT28 (aka Fancy Bear, Strontium, and Forest Blizzard), a hacker collective linked to Russia’s General Staff Main Intelligence Directorate (GRU). Officials said that the intruders exploited a then zero-day vulnerability (CVE-2023-23397) in Microsoft’s Outlook email software. According to German officials, APT28 was behind widespread attacks on German companies in the fields of logistics, armaments, aerospace, IT services, and foundations and associations.

Following the revelation, Poland's national cybersecurity agency, CERT Polska, published details about a recent cyber espionage campaign by the Kremlin-backed hacker group APT28 (aka Fancy Bear) targeting Polish government institutions.

Russia-linked CopyCop network uses AI to push fake political news

Recorded Future's Insikt Group has uncovered CopyCop, an influence network operating through fake media outlets in the US, UK, and France. Suspected to be orchestrated from Russia and potentially linked to the Russian government, CopyCop employs generative AI to plagiarize and manipulate content from credible sources. The content includes material critical of Western policies and supportive of Russian perspectives on international issues like the Russo-Ukrainian war and the Israel-Hamas tensions.

UK MoD faces data breach, armed forces' personal information compromised

The UK’s Ministry of Defence (MoD) has fallen victim to a cyberattack targeting its payroll system, compromising the personal data of serving UK military personnel. The breach is suspected to be the work of Chinese hackers and has reportedly affected an undisclosed number of current and former members of the Royal Navy, Army, and Royal Air Force. The compromised data includes names, bank details, and, in some cases, personal addresses.

Suspected Chinese hackers behind ArcaneDoor campaign targeting network devices

A recent cyber espionage campaign dubbed ArcaneDoor, targeting perimeter network devices, may have ties to threat actors linked to China, new findings from attack surface management firm Censys suggest. This theory is based on the fact that four out of five online hosts identified as a part of the attackers’ infrastructure are located in China and have presented SSL certificates associated with Tencent and ChinaNet autonomous systems (AS).

MITRE hackers deployed Rootrot web shell for initial access

The MITRE Corporation has published additional technical details on the April 2024 cyber intrusion, where a suspected state-sponsored threat actor gained access to the organization’s Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping.

According to the organization, the earliest signs of the intrusion date back to December 31, 2023, when the adversary deployed a web shell named “Rootrot” on an external-facing Ivanti appliance, thereby gaining initial access to NERVE. The Rootrot web shell has been attributed to a China-nexus cluster tracked as UNC5221. Rootrot is a web shell written in Perl and embedded into a legitimate Connect Secure .ttc file located at /data/runtime/tmp/tt/setcookie.thtml.ttc; it was planted by exploiting the Ivanti Connect Secure zero-day flaws (CVE-2023-46805 and CVE-2024-21887).

New HijackLoader variant comes with updated evasion techniques

Security researchers have spotted a new variant of the HijackLoader malware loader first identified in 2023. The updated version of HijackLoader implements several features aimed at bolstering its stealthiness and prolonging its undetected presence on infected systems. Among the notable additions are modules designed to bypass Windows Defender Antivirus, circumvent User Account Control (UAC), evade inline API hooking commonly used by security software, and utilize process hollowing techniques.

New TunnelVision attack leaks VPN traffic via rogue DHCP servers

A new attack technique named ‘TunnelVision’ can “decloak” Virtual Private Network (VPN) traffic by bypassing VPN encapsulation. The attack abuses the Dynamic Host Configuration Protocol (DHCP), specifically DHCP option 121, which allows a DHCP server to push classless static routes to a client. Because such routes are more specific than the VPN's default route, a rogue DHCP server on the local network can steer selected traffic out of the tunnel and through an attacker-controlled gateway, while the VPN client still reports it as connected.
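To make the mechanism concrete from the defender's side, here is an added example (not from the original article) that decodes the RFC 3442 compact encoding used by DHCP option 121 and flags any pushed route that would divert traffic away from a VPN tunnel. The option payload, VPN server address and LAN prefix are constructed sample values.

```python
"""Decode DHCP option 121 (RFC 3442 classless static routes) and flag routes
that would pull traffic off a VPN tunnel (TunnelVision-style).
Added example; the option bytes below are constructed, not captured."""
import ipaddress
from typing import List, Tuple

Route = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]

# Constructed option 121 payload with four routes:
#   10.0.0.0/24 via 10.0.0.1      (local LAN, normal)
#   203.0.113.10/32 via 10.0.0.1  (host route to the assumed VPN server, normal)
#   0.0.0.0/0 via 10.0.0.1        (default route, normal)
#   198.51.100.0/24 via 10.0.0.1  (rogue: more specific than the tunnel's routes)
SAMPLE_OPTION_121 = bytes.fromhex(
    "18 0a0000 0a000001"
    "20 cb00710a 0a000001"
    "00 0a000001"
    "18 c63364 0a000001"
)


def parse_option_121(data: bytes) -> List[Route]:
    """Each entry is <prefix length><significant destination octets><router>.
    Only ceil(prefix/8) destination octets are on the wire (RFC 3442)."""
    routes: List[Route] = []
    i = 0
    while i < len(data):
        plen = data[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n = (plen + 7) // 8
        dest = data[i + 1:i + 1 + n].ljust(4, b"\x00")   # restore omitted octets
        router = data[i + 1 + n:i + 5 + n]
        if len(dest) != 4 or len(router) != 4:
            raise ValueError("truncated route entry")
        # strict=False: a rogue server may set host bits; keep parsing anyway
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False),
                       ipaddress.IPv4Address(router)))
        i += 5 + n
    return routes


def leaked_routes(routes: List[Route], vpn_server: str, local_net: str) -> List[Route]:
    """Routes that beat the tunnel's default route and are neither the local LAN
    nor the host route the VPN client itself needs to reach its server."""
    vpn = ipaddress.IPv4Address(vpn_server)
    lan = ipaddress.IPv4Network(local_net)
    return [
        (net, gw) for net, gw in routes
        if net.prefixlen > 0                       # /0 does not override the tunnel
        and not net.subnet_of(lan)
        and not (net.prefixlen == 32 and vpn in net)
    ]
```

Feeding the parser with the option 121 bytes from a DHCP lease (e.g. from a packet capture) and comparing against the expected LAN prefix gives a cheap endpoint check for rogue route injection.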

New Pathfinder attack

Researchers from multiple academic institutions and Google have identified two new attack methods, collectively named ‘Pathfinder’, aimed at high-performance Intel CPUs. These methods could potentially be used to execute a key recovery attack against the Advanced Encryption Standard (AES) algorithm. Pathfinder exploits vulnerabilities in the branch predictor, allowing attackers to manipulate it and carry out two main types of attacks: reconstructing program control flow history and launching high-resolution Spectre attacks.

LLMjacking attack utilizes stolen cloud credentials to target LLM

In a novel attack technique dubbed “LLMjacking,” hackers use stolen cloud credentials to target large language model (LLM) services hosted in the cloud. In the observed campaign, the attackers exploited a vulnerability in the Laravel Framework (CVE-2021-3129) to breach systems. Once inside, they acquired Amazon Web Services (AWS) credentials, granting them access to the LLM services.
