Cyber Security Week in Review: August 16, 2024

Microsoft fixes over 80 security bugs, 6 actively exploited in the wild

Microsoft released its August 2024 Patch Tuesday security updates that address more than 80 vulnerabilities in the vendor’s software, including six zero-day flaws that are being actively exploited by malicious actors. The fixed zero-days include:

  • CVE-2024-38189 - Microsoft Project Remote Code Execution Vulnerability. The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim into opening a specially crafted file and execute arbitrary code on the system.

  • CVE-2024-38178 - Microsoft Windows Scripting Engine Memory Corruption Vulnerability. The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can trick the victim into opening a specially crafted file and execute arbitrary code on the system.

  • CVE-2024-38213 (aka Copy2Pwn) - Microsoft Windows SmartScreen Security Feature Bypass Vulnerability. The vulnerability exists due to insufficient implementation of security measures. An attacker can bypass Windows Mark of the Web security feature. According to security researchers, the flaw has been exploited by threat actors behind the DarkGate operation since March 2024.

  • CVE-2024-38193 - Microsoft Windows Ancillary Function Driver for WinSock Privilege Escalation Vulnerability. The issue stems from a use-after-free error within the ancillary function driver for WinSock. A local user can trigger a use-after-free error and execute arbitrary code with elevated privileges.

  • CVE-2024-38106 - Microsoft Windows Kernel Privilege Escalation Vulnerability. The vulnerability exists due to a race condition within the Windows kernel. A local user can exploit the race and execute arbitrary code with SYSTEM privileges.

  • CVE-2024-38107 - Microsoft Windows Power Dependency Coordinator Privilege Escalation Vulnerability. The vulnerability exists due to a use-after-free error within Windows Power Dependency Coordinator. A local user can trigger a use-after-free error and execute arbitrary code with SYSTEM privileges.

A SolarWinds Web Help Desk bug exploited in the wild

The US cybersecurity agency CISA has added a vulnerability in SolarWinds Web Help Desk to its catalog of actively exploited bugs. Tracked as CVE-2024-28986, the flaw is a deserialization of untrusted data issue that could lead to remote code execution.

Ivanti fixes a slew of high-risk bugs in its products

Ivanti has rolled out security updates to patch several high-risk vulnerabilities affecting Virtual Traffic Manager (vTM), Ivanti Avalanche, and Ivanti Neurons for ITSM. The vulnerabilities can be exploited for remote code execution, theft of data, or performing a Man-in-the-Middle (MitM) attack.

In other news, Fortinet released security updates to address security vulnerabilities in GUI Console WebSockets, FortiAnalyzer and FortiManager, and FortiOS.

A large-scale extortion campaign targets cloud environments

A threat actor has been hacking and extorting companies by exploiting misconfigured cloud server infrastructure, Palo Alto Networks’ Unit 42 warns. The attacker has been conducting large-scale scans of the internet to find exposed environment variable files (.ENV), which are commonly used to store configuration data. The threat actor accessed cloud servers by extracting login credentials from these files.

The attackers set up their infrastructure within the Amazon Web Services (AWS) environments of various organizations and scanned over 230 million unique targets. The campaign targeted 110,000 domains, uncovering 90,000 unique variables in the .env files, including 7,000 related to cloud services and 1,500 linked to social media accounts. The attacker also used multiple source networks to carry out the operation.
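The item above turns on one hygiene failure: a dotenv file that holds cloud and social-media credentials sitting where a web server can serve it. The following is an added example (not code from Unit 42 or from the campaign report) of a defender-side audit: it parses dotenv text, sorts the variables into the same buckets the report counts (cloud credentials, social-media tokens, other secrets), and walks a served directory for `.env*` files that contain any of them. The key-name patterns, the sample file contents and the `webroot` argument are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Key-name patterns for cloud-provider credentials. Assumption: this list is
# illustrative, not a complete catalogue of provider variable names.
CLOUD_KEY_PATTERNS = [
    r"^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)$",
    r"^AZURE_.*(KEY|SECRET|PASSWORD)$",
    r"^GOOGLE_.*(CREDENTIALS|KEY)$",
    r"^(GCP|GCLOUD)_.*",
]
# Social-media API tokens (same caveat: illustrative subset).
SOCIAL_KEY_PATTERNS = [
    r"^(TWITTER|X|FACEBOOK|INSTAGRAM|LINKEDIN|TIKTOK)_.*(TOKEN|SECRET|KEY)$",
]
# Anything else whose name suggests a secret.
GENERIC_SECRET = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)

# dotenv line: optional "export", NAME=value, surrounding whitespace ignored.
ENV_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_env(text):
    """Parse dotenv-style text into a dict; blank lines and # comments are skipped,
    matching single or double quotes around a value are stripped."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENV_LINE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        out[key] = val
    return out


def classify_env(text):
    """Bucket the variables of one dotenv file by the kind of credential they hold.
    Variables with empty values are ignored: they carry nothing worth stealing."""
    variables = parse_env(text)
    report = {"cloud": [], "social": [], "other_secrets": [], "total": len(variables)}
    for key, val in variables.items():
        if not val:
            continue
        if any(re.match(p, key) for p in CLOUD_KEY_PATTERNS):
            report["cloud"].append(key)
        elif any(re.match(p, key) for p in SOCIAL_KEY_PATTERNS):
            report["social"].append(key)
        elif GENERIC_SECRET.search(key):
            report["other_secrets"].append(key)
    return report


def find_exposed_env_files(webroot):
    """Return (path, report) for every .env* file under a served directory
    (assumed argument) that holds at least one credential-like variable."""
    hits = []
    for path in sorted(Path(webroot).rglob(".env*")):
        if path.is_file():
            report = classify_env(path.read_text(errors="replace"))
            if report["cloud"] or report["social"] or report["other_secrets"]:
                hits.append((str(path), report))
    return hits


# Constructed sample: every value below is a placeholder, not a real credential.
SAMPLE_ENV = """\
# application settings (constructed sample)
APP_ENV=production
AWS_ACCESS_KEY_ID=AKIAEXAMPLEPLACEHOLDER
AWS_SECRET_ACCESS_KEY="EXAMPLE/secret/placeholder"
TWITTER_API_SECRET='placeholder-social-token'
DB_PASSWORD=placeholder-db-password
DB_HOST=localhost
EMPTY_TOKEN=
export MAIL_PORT=587
"""

if __name__ == "__main__":
    print(classify_env(SAMPLE_ENV))
    # To audit a real host, point it at the document root, e.g.:
    # for path, report in find_exposed_env_files("/var/www"): print(path, report)
```

The remediation the report implies is the same in every bucket: move the secrets out of the web root into an environment injected at deploy time, rotate every credential found in a reachable file, and make the web server refuse to serve dotfiles at all.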

Over 100 Ukrainian government PCs infected with malware in new UAC-0198 campaign

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign that is impersonating the Security Service of Ukraine (SSU) to infect computer systems with malware. According to the agency, the threat actor, which it tracks as UAC-0198, has managed to infect more than 100 computers in Ukrainian government agencies’ networks with the AnonVNC malware.

Russia’s FSB-linked phishing campaign targets journalists, lawyers, and diplomats

A sophisticated and prolonged phishing campaign has been targeting journalists, human rights defenders, opposition figures, and American diplomats for over 18 months, with one of the participating groups linked to Russia's Federal Security Service (FSB). The campaign is being executed by two distinct groups. One of them, known as Coldriver (also referred to as Star Blizzard or Callisto), is directly connected to the FSB. The second group, identified as Coldwastrel, displays different tactics and techniques, suggesting it is a separate threat group; it is not clear which Russian intelligence agency this second group is affiliated with.

The attack has affected more than 10 known targets, including an independent Russian investigative outlet, the legal defense organization First Department, and former US Ambassador to Ukraine, Steven Pifer. However, cybersecurity experts believe the actual number of targets could be significantly higher.

On a similar note, Meta said that Russia remains the top source of troll networks disrupted on Facebook and Instagram, with Iran following closely. Since 2017, Meta has disrupted 39 covert influence operations originating from Russia, 30 from Iran, and 11 from China.

As the US elections approach in November, Meta anticipates Russia-based operations will focus on promoting candidates opposed to US aid to Ukraine, while criticizing those who support it. These operations may blame US economic hardships on aid to Ukraine and amplify pro-Russia views on the war.

Meanwhile, the Russian propaganda network Doppelgänger is scrambling to secure its operations after European hosting companies were revealed to have unwittingly supported its infrastructure. The Bavarian State Office for the Protection of the Constitution (BayLfV) reported that following the disclosures, the network's operators quickly moved to back up systems and protect data.

The agency, which monitored Doppelgänger for weeks, confirmed its ties to Russia, noting the use of Russian IP addresses, the Cyrillic alphabet, and activity patterns aligning with Moscow and St. Petersburg time zones. The disinformation campaign has been active since May 2022, targeting multiple countries with fake profiles, websites, and news portals.

Russian or Belarusian hackers suspected in major leak of Polish athletes' data

A major data breach at the Polish Anti-Doping Agency (POLADA) has compromised the sensitive information of thousands of Polish athletes. Over 50,000 files, including medical records, doping test results, and personal details, were leaked online following a sophisticated cyberattack that officials suspect may have been orchestrated by Russia or Belarus.

The hackers behind the attack published approximately 250 GB of data on the dark web, exposing highly confidential information such as passwords, contact details, and photographs of Polish athletes. The breach was first announced on the pro-Russian Telegram channel Beregini.

South Korean authorities accuse North Korean hackers of stealing military data

South Korea's ruling People Power Party (PPP) claims that North Korea-backed hackers have stolen crucial information about the K2 “Black Panther” main battle tank and two of the country's key spy planes, the “Baekdu” and “Geumgang.”

One breach occurred when engineers from a part manufacturer for the K2 tank defected to a competing firm. These engineers reportedly took with them external storage drives containing sensitive information, including design blueprints, development reports, and details about the tank's sophisticated overpressure system. The new employer allegedly attempted to export this technology to a Middle Eastern country, raising concerns that the leak may have extended beyond South Korea's borders.

In a separate incident, North Korean hackers reportedly targeted a South Korean defense contractor responsible for producing operational and maintenance manuals for various military equipment, including the Baekdu and Geumgang spy planes.

New Actor240524 APT is targeting Azerbaijani and Israeli diplomats

NSFOCUS Security Labs (NSL) released a report detailing a recent attack campaign targeting Azerbaijan and Israel by a previously unknown threat actor tracked as Actor240524. The attackers employed spear-phishing emails to target Azerbaijani and Israeli diplomats, using newly developed Trojan programs named ABCloader and ABCsync to steal sensitive data.

China-linked Earth Baku expands activities to Europe, Middle East, and Africa

Trend Micro released an in-depth report on Earth Baku, a Chinese state-backed threat actor believed to be linked to another Chinese group, APT41. The researchers note that the group has expanded its operations from the Indo-Pacific region to Europe, the Middle East, and Africa, targeting countries including Italy, Germany, the UAE, and Qatar, with possible activities in Georgia and Romania.

The group exploits public-facing applications like IIS servers to gain entry and deploys advanced malware such as the Godzilla webshell, StealthVector, StealthReacher, and SneakCross. StealthVector and StealthReacher are customized loaders that use AES encryption and code obfuscation to deploy backdoor components stealthily. SneakCross utilizes Google services for command-and-control (C&C) and features a modular design for easier updates. Post-exploitation, Earth Baku employs tools like a customized iox tool, Rakshasa, and Tailscale to maintain persistence, using MEGAcmd for data exfiltration.

Threat actors target Chinese speakers with ValleyRAT malware

Fortinet’s threat intelligence arm FortiGuard Labs uncovered an ongoing ValleyRAT campaign aimed at Chinese-speaking users. ValleyRAT, a multi-stage malware, has historically targeted sectors like e-commerce, finance, sales, and management. It employs various techniques to monitor and control victims, deploying plugins to inflict additional harm. A notable feature of ValleyRAT is its extensive use of shellcode, allowing it to execute components directly in memory, minimizing its file presence on the victim's system.

Trump, Biden, Harris targeted in Iran phishing campaign, Google said

APT42, an Iranian government hacking group also known as Charming Kitten and Mint Sandstorm, targeted around a dozen individuals in May and June, Google said. The hackers focused on personal email accounts across multiple providers, successfully compromising at least one account belonging to a high-profile political consultant.

However, Google did not confirm a connection between these attacks and the leaked documents from the Trump campaign that were previously reported by media. The group is still attempting to hack personal email accounts linked to Biden, Trump, and Vice President Harris. APT42's tactics include embedding malicious links in emails and PDF attachments, as well as engaging with targets on encrypted messaging platforms like Signal and WhatsApp to build trust.

The Gafgyt botnet is targeting machines with weak SSH passwords

Aqua Nautilus researchers have discovered a new variant of the Gafgyt botnet, also known as Bashlite or Lizkebab. This variant targets machines with weak SSH passwords through brute-force attacks. Once a machine is compromised, the malware executes two binaries directly from memory to expand the Gafgyt IoT botnet and to exploit the system's GPU for cryptocurrency mining.
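The initial access described above, SSH password guessing, leaves a very ordinary trail in the sshd log, and the case a responder cares most about is a burst of failures from one address followed by an accepted login from the same address. The block below is an added example (not Aqua Nautilus' code or anything from the report) of that detection logic over constructed syslog-style sshd lines: it counts failures per source address inside a sliding time window, raises an alert once a threshold is reached, and escalates the alert when a later success from that address appears. The log lines, the threshold and window defaults, and the assumed log year are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog format (no year), covering three cases:
# a burst of failures followed by a success, a single mistyped password, and
# a normal key-based login.
SAMPLE_AUTH_LOG = """\
Aug 16 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Aug 16 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 51240 ssh2
Aug 16 10:00:05 host sshd[1203]: Failed password for invalid user pi from 203.0.113.7 port 51244 ssh2
Aug 16 10:00:07 host sshd[1204]: Failed password for root from 203.0.113.7 port 51250 ssh2
Aug 16 10:00:09 host sshd[1205]: Failed password for invalid user ubuntu from 203.0.113.7 port 51256 ssh2
Aug 16 10:00:11 host sshd[1206]: Failed password for root from 203.0.113.7 port 51260 ssh2
Aug 16 10:00:14 host sshd[1207]: Accepted password for root from 203.0.113.7 port 51266 ssh2
Aug 16 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Aug 16 10:05:30 host sshd[1301]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
Aug 16 10:10:00 host sshd[1400]: Accepted publickey for deploy from 192.0.2.5 port 33000 ssh2
"""

TS = r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED = re.compile(TS + r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(TS + r"Accepted (?:password|publickey) for (\S+) from (\S+) port \d+")


def parse_ts(stamp, year=2024):
    """Syslog timestamps carry no year; assume one (2024 here, constructed)."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def detect_ssh_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {source_ip: alert} for every address that produced at least
    `threshold` failed logins within any `window_seconds` span. An accepted
    login from that address at or after its first failure upgrades the alert
    to critical, because the guessing may have succeeded."""
    failures = defaultdict(list)   # ip -> [(timestamp, username)]
    successes = defaultdict(list)  # ip -> [(timestamp, username)]
    for line in lines:
        m = FAILED.match(line)
        if m:
            failures[m.group(3)].append((parse_ts(m.group(1)), m.group(2)))
            continue
        m = ACCEPTED.match(line)
        if m:
            successes[m.group(3)].append((parse_ts(m.group(1)), m.group(2)))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        times = [t for t, _ in events]
        # Sliding window: largest number of failures inside any window_seconds span.
        peak, start = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        later = [(t, u) for t, u in successes.get(ip, []) if t >= times[0]]
        alerts[ip] = {
            "failures": len(events),
            "peak_in_window": peak,
            "usernames": sorted({u for _, u in events}),
            "success_after": later[0][1] if later else None,
            "severity": "critical" if later else "high",
        }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_ssh_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(ip, alert)
```

On the sample, only 203.0.113.7 is reported, as a critical alert with six failures across four usernames and a subsequent accepted password for root; the single failure from 198.51.100.20 stays below threshold. Detection is the second line of defence here; the first is the one the report points at, disabling password authentication for SSH so there is nothing to brute-force.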

New Banshee Stealer targets browsers, crypto wallets, 100+ browser extensions on Apple macOS systems

A new macOS malware named "Banshee Stealer" has emerged on the cyber threat landscape. Developed by Russian threat actors, the malware is capable of running on both macOS x86_64 and ARM64 architectures. Banshee Stealer targets crucial system information, browser data, and cryptocurrency wallets. The malware is available on underground forums for a monthly subscription price of $3,000, which is more expensive than most Windows-based stealers. The malware is designed to target a broad range of browsers, cryptocurrency wallets, and approximately 100 browser extensions.

New EDR-killing tool EDRKillShifter linked to RansomHub ransomware op

A cybercrime group behind the RansomHub ransomware has been observed using a new tool designed to disable endpoint detection and response (EDR) software on compromised systems. The tool, named ‘EDRKillShifter’ by cybersecurity firm Sophos, functions as a loader executable, a delivery mechanism that leverages a legitimate but vulnerable driver, a method known as ‘bring your own vulnerable driver’ (BYOVD). This technique allows the attackers to exploit legitimate drivers to disable EDR software, effectively bypassing security measures on the targeted systems.

CryptoCore crypto scam drains over $5.4 million from users

A cybercrime group known as CryptoCore has orchestrated a sophisticated social media scam campaign, resulting in the theft of over $5.4 million worth of cryptocurrency assets. The group has employed a range of advanced techniques, including deepfake videos, hacked social media accounts, and professionally designed fake websites, to deceive users and drain their crypto wallets.

Massive malware campaign force-installs malicious Chrome extensions on browsers

A large-scale malware campaign has compromised over 300,000 Google Chrome and Microsoft Edge browsers, force-installing malicious extensions that hijack homepages, steal browsing history, and execute unauthorized commands on infected devices. The malware is delivered through fake websites mimicking popular download sites, such as those offering utilities like Roblox FPS Unlocker, YouTube video downloaders, VLC media player, and KeePass password manager. The fraudulent sites trick users into downloading what appears to be legitimate software, but instead, the downloads contain malware designed to install harmful extensions.

Law enforcement disrupts Radar/Dispossessor ransomware gang’s operations

The US FBI announced the takedown of the notorious “Radar/Dispossessor” ransomware group, with an international law enforcement effort dismantling the gang’s servers across the United States, the United Kingdom, and Germany.

Russian man gets 40 months in prison for selling nearly 300,000 login credentials

Georgy Kavzharadze, a 27-year-old Russian national from Moscow, has been sentenced to 40 months in prison for his involvement in selling stolen financial information on the dark web marketplace Slilpp. Operating under the alias "TeRorPP," Kavzharadze was a prolific vendor who listed over 626,100 stolen login credentials for sale and successfully sold around 297,300 of them. These credentials were later linked to approximately $1.2 million in fraudulent transactions.

Hackers behind Reveton and Ransom Cartel ransomware extradited to the US

One of the world’s most prolific Russian-speaking cybercriminals has been extradited to the United States as a result of an international law enforcement effort. The man, identified as 38-year-old Maksim Silnikau, also known by various aliases including 'J.P. Morgan,' 'xxx,' and 'lansky,' was apprehended on July 18, 2023, in Estepona, Spain, following years of investigation by the NCA, in collaboration with the United States Secret Service (USSS) and the FBI.

Silnikau, originally from Belarus, is believed to be the mastermind behind a vast cybercrime network responsible for the development and distribution of notorious ransomware strains such as Reveton and Ransom Cartel, as well as the infamous Angler Exploit Kit, a tool used to conduct sophisticated ‘malvertising’ campaigns.

Megaupload founder Kim Dotcom to be extradited to the US

Kim Dotcom, the internet entrepreneur behind the now-defunct file-sharing website Megaupload, has lost his lengthy legal battle to avoid extradition from New Zealand to the United States. New Zealand's Justice Minister Paul Goldsmith signed the extradition order this week. Dotcom faces multiple criminal charges in the US, including copyright infringement, money laundering, and racketeering. US authorities allege that Dotcom's platform caused over $500 million in losses to film studios and music producers.

Ukrainian police shut down a scam call center that defrauded Latvians of thousands of dollars

Ukrainian police have dismantled a sophisticated cryptocurrency fraud ring that targeted Latvian citizens and arrested five individuals, including the scheme's mastermind. The fraudulent operation was orchestrated by a 27-year-old resident of Kharkiv, who enlisted seven accomplices to participate in the scheme. The criminals allegedly contacted Latvians by phone, offering lucrative opportunities to invest in cryptocurrency or stocks with the promise of substantial returns. If the victims expressed interest, they were directed to a link that granted the fraudsters remote access to their computers.
