Apache OFBiz RCE flaw is being exploited in the wild
The US Cybersecurity & Infrastructure Security Agency (CISA) has added two security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. One of the flaws is a path traversal vulnerability in Apache OFBiz, an open-source ERP system widely used across various industries. Tracked as CVE-2024-32113, the flaw affects OFBiz versions prior to 18.12.13 and could allow attackers to remotely execute arbitrary commands on vulnerable servers. The second vulnerability, CVE-2024-36971, is a recently patched Android kernel zero-day.
Cisco warns of multiple high-risk flaws in end-of-life IP phones
Cisco has issued a warning about multiple critical remote code execution zero-day vulnerabilities in the web-based management interface of the end-of-life Small Business SPA 300 and SPA 500 series IP phones. The flaws, tracked as CVE-2024-20450, CVE-2024-20451, CVE-2024-20452, CVE-2024-20453, and CVE-2024-20454, do not have available fixes or mitigation strategies. Users are advised to upgrade to newer, actively supported models as soon as possible.
In a separate advisory, CISA said that threat actors are abusing the legacy Cisco Smart Install (SMI) feature to get their hands on sensitive data.
Exploitation attempts against a critical flaw in Progress Software WhatsUp Gold observed
The Shadowserver Foundation said it has observed exploitation attempts against a critical vulnerability affecting the Progress Software WhatsUp Gold IT infrastructure monitoring software. Tracked as CVE-2024-4885, the flaw is a path traversal issue that could lead to remote code execution.
In other news, the US Securities and Exchange Commission (SEC) has decided not to bring charges against Progress Software regarding the MOVEit software supply chain attack, which exposed the data of millions since 2023. In an August 6 Form 8-K filing, Progress Software announced that the SEC had concluded its investigation into the company's handling of the MOVEit Transfer zero-day vulnerabilities exploited in 2023.
18-year-old vulnerability in Firefox and Chrome exploited by hackers
Oligo researchers have identified a new security issue called "0.0.0.0 Day," which affects all major web browsers. This flaw allows malicious websites to exploit the IP address 0.0.0.0, potentially breaching local networks. The vulnerability arises from inconsistent security implementations across browsers and a lack of industry standardization. As a result, attackers can use 0.0.0.0 to target local services, including those for development, operating systems, and internal networks, posing a significant risk to cybersecurity.
A bug in 1Password could allow hackers to obtain account unlock key
AgileBits, the developer of 1Password, has acknowledged a security vulnerability, CVE-2024-42219, in its macOS version. The flaw could allow an attacker to bypass inter-process communication protections, enabling them to exfiltrate password vault items and potentially obtain the account unlock key. The vulnerability affects all versions of 1Password 8 for Mac prior to 8.10.36. To exploit the flaw, an attacker would need to convince a user to run malicious software, which could then impersonate a 1Password browser extension, leveraging the vulnerability to access sensitive data.
Windows Downgrade attack exposes fully patched systems to old flaws
SafeBreach security researcher Alon Leviev exposed two security vulnerabilities that could be exploited to perform downgrade attacks on fully updated Windows systems. The technique effectively “unpatches” systems, reintroducing previously fixed vulnerabilities and rendering the notion of a “fully patched” Windows machine virtually meaningless. The vulnerabilities, tracked as CVE-2024-38202 and CVE-2024-21302, affect Windows 10, Windows 11, and Windows Server platforms.
CrowdStrike publishes final root cause analysis of Falcon Sensor outages
Texas-based cybersecurity company CrowdStrike published the final root cause analysis of a failure that led to a widespread IT outage affecting millions of Microsoft Windows hosts. The crash occurred on July 19, 2024, when two additional IPC Template Instances were deployed. As the company explained, one of the instances included a non-wildcard matching criterion for the 21st input parameter. The adjustment required the sensor to evaluate the 21st input parameter, something no earlier channel file version had asked it to do.
The Content Validator assessed the new Template Instances but assumed the IPC Template Type would receive 21 inputs. However, when the updated Channel File 291 was sent to the sensors, it led to an out-of-bounds read issue within the Content Interpreter. As sensors processed IPC notifications from the operating system, they attempted to access the 21st input value, despite only expecting 20 values. This mismatch caused the system to read beyond the input data array's bounds, triggering widespread crashes.
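The two-layer failure described above, a validator that trusted a wrong declared arity and an interpreter that never checked a criterion's parameter index against the number of inputs it actually received, is easy to reproduce in miniature. The following C program is an added illustration written for this digest; it is not CrowdStrike's code and does not reflect the Falcon sensor's real data structures. The input count of 20, the wildcard encoding, and the `criterion`, `match_checked`, `validate_instances` and `demo_*` names are all assumptions made for the example.

```c
#include <stdio.h>
#include <stddef.h>

/* Assumed sizes for this illustration: the sensor actually receives 20 input
 * values per IPC notification, while the new template instance referred to
 * the 21st (0-based index 20). The value 0 is used here as the "wildcard". */
#define IPC_INPUT_COUNT 20
#define IPC_WILDCARD    0u

/* One matching criterion from a template instance: compare input number
 * `param_index` (0-based) with `value`, or match anything if `value` is wildcard. */
struct criterion {
    size_t       param_index;
    unsigned int value;
};

/* Interpreter in the shape that fails: it trusts param_index and never checks it
 * against the number of inputs it was actually handed. With 20 inputs and
 * param_index == 20 this reads one element past the end of `inputs`.
 * Kept only for comparison; main() below never calls it with a bad index. */
int match_unchecked(const unsigned int *inputs, const struct criterion *c)
{
    if (c->value == IPC_WILDCARD)
        return 1;
    return inputs[c->param_index] == c->value;  /* no bounds check */
}

/* Hardened interpreter: the input count travels with the data and every
 * criterion is checked against it before the array is touched. Returns 1 for
 * match, 0 for no match, -1 for a criterion that refers to a missing input. */
int match_checked(const unsigned int *inputs, size_t input_count,
                  const struct criterion *c)
{
    if (c->param_index >= input_count)
        return -1;
    if (c->value == IPC_WILDCARD)
        return 1;
    return inputs[c->param_index] == c->value;
}

/* Validator run before content ships: every criterion must fit within the arity
 * declared for the template type. If the declared arity is wrong (21 instead of
 * 20, as in the RCA), the validator accepts content the sensor cannot safely
 * evaluate, which is why the runtime check above is still needed. */
int validate_instances(const struct criterion *cs, size_t n, size_t declared_inputs)
{
    for (size_t i = 0; i < n; i++)
        if (cs[i].param_index >= declared_inputs)
            return 0;
    return 1;
}

/* Constructed sample data: 20 inputs, input 19 (the 20th) holds the value 7. */
static const unsigned int *sample_inputs(void)
{
    static unsigned int inputs[IPC_INPUT_COUNT];
    inputs[19] = 7;
    return inputs;
}

/* Evaluate the criterion "input[param_index] == 7" with the hardened interpreter. */
int demo_checked(size_t param_index)
{
    struct criterion c = { param_index, 7 };
    return match_checked(sample_inputs(), IPC_INPUT_COUNT, &c);
}

/* Validate a single criterion on input `param_index` against a declared arity. */
int demo_validate(size_t param_index, size_t declared_inputs)
{
    struct criterion c = { param_index, 7 };
    return validate_instances(&c, 1, declared_inputs);
}

int main(void)
{
    printf("21st input, validator told 21 inputs: %d (accepted)\n", demo_validate(20, 21));
    printf("21st input, validator told 20 inputs: %d (rejected)\n", demo_validate(20, 20));
    printf("20th input at runtime: %d (match)\n", demo_checked(19));
    printf("21st input at runtime: %d (rejected, never read)\n", demo_checked(20));
    return 0;
}
```

The point of the example is that the pre-deployment validator and the runtime interpreter must agree on the same arity, and that the interpreter must enforce the bound itself from the count it is actually given rather than from a declaration that may be wrong.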
Iranian hackers are targeting US officials before election
Iran-linked hackers attempted to breach the account of a high-ranking official involved in a US presidential campaign in June, according to Microsoft. The attempt followed a successful breach of a county-level US official’s account. The incidents are part of increasing efforts by Iranian groups to influence the upcoming US presidential election.
Microsoft’s report details four campaigns by the Iranian threat actors. One group has been operating covert news sites targeting opposing voter groups in the US, using AI to plagiarize content. Another group has been preparing for more extreme influence operations, possibly involving intimidation or incitement of violence. A third group, linked to the IRGC, sent a spear-phishing email to a campaign official, while a fourth group compromised a government employee's account in a swing state, focusing on strategic intelligence collection.
In other news, the US State Department has announced a reward of up to $10 million for information leading to the identification or location of members of the Iranian hacker group known as “CyberAv3ngers.” The group, which is believed to have ties to the Iranian Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC), has been involved in a series of cyberattacks targeting Israeli technology and critical infrastructure across the globe.
North Korean hackers using npm for initial access
A North Korea-linked threat actor known as Moonstone Sleet has been observed pushing malicious npm packages to the JavaScript package registry. Datadog Security Labs, the security research arm of cloud monitoring company Datadog, uncovered two malicious npm packages, "harthat-api" and "harthat-hash," published on July 7, 2024. These packages, removed shortly after being published, did not attract any downloads.
On the same note, a recent report from cybersecurity firm Resilience has linked the North Korea-affiliated threat actor known as Kimsuky to a new wave of cyberattacks targeting university staff, researchers, and professors. These attacks, primarily carried out through phishing campaigns, aim to infiltrate university networks for espionage purposes.
Additionally, South Korea's National Intelligence Service, the Prosecutors' Office, the National Police Agency, the Defense Security Command, and the Cyber Operations Command issued a joint cybersecurity advisory to warn about the increasing cyber threats posed by North Korean hacking groups targeting the country's construction and machinery sectors.
StormBamboo APT compromises ISP to abuse insecure software update mechanisms
The China-linked threat actor Evasive Panda, also known as StormBamboo, compromised an unnamed internet service provider (ISP) to push malicious software updates to target companies in mid-2023. Volexity discovered that StormBamboo was altering DNS query responses for specific domains associated with automatic software update mechanisms. The tactic targeted software with insecure update processes, such as those using HTTP without proper digital signature validation of installers. When these applications attempted to retrieve updates, they instead downloaded and installed malware, including MACMA and POCOSTICK.
Threat actors ramp up attacks on orgs in the US, Europe and Asia with new backdoors
Symantec’s Threat Hunter Team released a report detailing new backdoors used by threat actors in attacks against organizations in the US, Europe and Asia.
Chinese cyber spies target Taiwanese research institute with ShadowPad and Cobalt Strike
A new cyber espionage campaign by the China-linked state-sponsored threat actor tracked as APT41 has been observed targeting an unnamed Taiwanese government-affiliated research institute with the ShadowPad malware and the Cobalt Strike tool.
The breach, according to Cisco Talos, likely began as early as July 2023, with the attackers exploiting an outdated and vulnerable version of the Microsoft Office IME binary as a loader to deliver the customized second-stage loader, which subsequently launched the ShadowPad payload. In addition, APT41 developed a tailored loader to inject a proof-of-concept for the CVE-2018-0824 remote code execution vulnerability directly into memory to achieve local privilege escalation.
British nuclear submarine software reportedly developed by Russian and Belarusian engineers
A recent investigation has uncovered that software essential to the operation of Britain's nuclear submarines was developed by engineers based in Russia and Belarus. The software, intended to be created by British IT staff with appropriate security clearances, was instead partially outsourced to developers in Siberia, Russia, and Minsk, Belarus.
A new phishing campaign uses Google Drawings and WhatsApp shortened links to bypass security
Cybersecurity researchers have identified a new phishing campaign that cleverly uses Google Drawings and WhatsApp-generated shortened links to bypass security measures and lure victims. The attackers exploit well-known platforms like Google and WhatsApp to host the malicious content, making it appear legitimate. They then direct users to a fake Amazon website designed to steal sensitive information from unsuspecting victims.
Admin of the WWH Club underground forum arrested in the US
US authorities have arrested Pavel Kublitsky, a Russian citizen, for allegedly running a dark web forum called WWH Club, which taught users how to steal money from credit cards and bank accounts. Another administrator, Alexander Khodyrev from Kazakhstan, is also involved. The forum had 170,000 users and sold guides on various cybercrimes, including DDoS attacks and database leaks.
An undercover FBI agent exposed the operation by purchasing one of these courses for $1,000. Two years ago, Kublitsky and Khodyrev sought asylum in the US, despite claiming to be unemployed, but were living in luxury in Miami. Kublitsky was also reportedly linked to the MMM-2011 financial pyramid scheme led by Sergey Mavrodi.
US, Germany seize Cryptonator domain, the platform's founder indicted
A coordinated international effort seized the domain of online crypto wallet Cryptonator. The platform was taken down for its failure to implement appropriate anti-money laundering controls and its role in facilitating illicit activities. Cryptonator, an online cryptocurrency wallet launched in 2014, allowed users to perform direct transactions and instant exchanges between different cryptocurrencies within one personal account.
The US authorities have also filed a criminal complaint against Russian national Roman Pikulev, accusing him of founding and operating Cryptonator. The DoJ alleges that Cryptonator was an unlicensed money service business (MSB) that processed over $235 million in illicit funds.
Police recover over $40 million from international email scam
Singapore authorities have recovered over $40 million defrauded in a business email compromise (BEC) scam.
The US charges a man involved in North Korean remote IT worker fraud schemes
Matthew Isaac Knoot, 38, from Nashville, Tennessee, has been charged for his role in aiding North Korea's illicit weapons program, including weapons of mass destruction (WMD). Knoot allegedly helped North Korean IT workers obtain remote jobs with American and British companies by using a stolen identity to pose as a US citizen. He hosted company laptops at his residence, installed unauthorized software to facilitate access, and conspired to launder payments to accounts linked to North Korean and Chinese actors. Knoot ran this "laptop farm" from July 2022 to August 2023. If convicted, he faces up to 20 years in prison.