Cyber Security Week in Review: October 11, 2024

 


US, UK warn of Russian military hackers targeting Zimbra, TeamCity flaws

The US and UK cyber agencies have issued a joint warning about the Russia-linked APT29 hackers (aka BlueBravo, Cloaked Ursa, Cozy Bear, and Midnight Blizzard), linked to Russia's Foreign Intelligence Service (SVR), actively targeting vulnerable Zimbra and JetBrains TeamCity servers. The group is exploiting known vulnerabilities (CVE-2022-27924 and CVE-2023-42793) to compromise servers, particularly in sectors such as diplomacy, defense, technology, and finance, to gather foreign intelligence and prepare for future cyber operations. The full list of vulnerabilities exploited by the threat actor is available here.

Fortinet, Mozilla Firefox flaws exploited in the wild

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a vulnerability impacting Fortinet products to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation.

The flaw, tracked as CVE-2024-23113, is a format string vulnerability that can lead to full compromise of the system. A remote, unauthenticated attacker can send specially crafted requests to the device and execute arbitrary code on the target system. The flaw affects Fortinet’s FortiOS, FortiPAM, FortiProxy, and FortiWeb products.

Separately, Mozilla has disclosed a critical security flaw in its Firefox and Firefox Extended Support Release (ESR) products, which has also come under active exploitation. The vulnerability, tracked as CVE-2024-9680, has been described as a use-after-free bug within the Animation timeline component. Exploitation of this flaw allows attackers to execute code in the content process by manipulating animation timelines.

Additionally, CISA released a security alert warning that threat actors are using unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager (LTM) to conduct reconnaissance on target networks. These cookies allow attackers to gather information about non-internet-facing devices, potentially identifying additional network resources for exploitation. CISA has urged organizations to encrypt cookies in F5 BIG-IP devices and use the BIG-IP iHealth diagnostic utility to identify and resolve security issues.
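The recon risk CISA describes comes from the way an unencrypted BIG-IP persistence cookie encodes the selected pool member: for IPv4 members the value is the backend IP and port written as little-endian decimal integers, in F5's documented format. The following added defender-side check (not CISA's, F5's or the original article's code; the cookie values are constructed samples) decodes such cookies from a list of Set-Cookie headers so an organization can confirm that its own LTM is no longer exposing backend addresses; it only handles the plain IPv4 form, not the IPv6 or route-domain variants.

```python
import re
from ipaddress import IPv4Address

# Constructed sample Set-Cookie headers, as a defender's scanner might collect
# them from its own public-facing virtual servers (not real observed data).
SAMPLE_SET_COOKIES = [
    "BIGipServerpool_web=1677787402.36895.0000; path=/; HttpOnly",
    "BIGipServerpool_app=!kJ9x2Qz7pLm4Rt8vB3nC; path=/",  # opaque (encrypted) value
    "sessionid=abc123; path=/",                           # unrelated cookie
]

# Plaintext IPv4 form: "<ip as LE uint32>.<port as LE uint16>.0000"
PLAINTEXT_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")


def decode_persistence_cookie(value):
    """Return (ip, port) if value is a plaintext IPv4 persistence cookie, else None."""
    m = PLAINTEXT_RE.match(value)
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # Both fields are little-endian, so reverse the byte order before reading.
    ip = IPv4Address(int.from_bytes(ip_int.to_bytes(4, "little"), "big"))
    port = int.from_bytes(port_int.to_bytes(2, "little"), "big")
    return str(ip), port


def audit_set_cookie_headers(headers):
    """Flag BIGipServer* cookies whose value decodes to a backend address."""
    findings = []
    for header in headers:
        name, _, rest = header.partition("=")
        if not name.startswith("BIGipServer"):
            continue
        value = rest.split(";", 1)[0].strip()
        decoded = decode_persistence_cookie(value)
        findings.append({
            "cookie": name,
            "pool": name[len("BIGipServer"):],
            "plaintext": decoded is not None,
            "backend": decoded,
            # A private backend address means internal topology is being leaked.
            "leaks_internal": decoded is not None and IPv4Address(decoded[0]).is_private,
        })
    return findings


if __name__ == "__main__":
    for f in audit_set_cookie_headers(SAMPLE_SET_COOKIES):
        print(f)
```

A finding with `"plaintext": True` means the persistence profile should be switched to encrypted cookies, which is the mitigation CISA points to.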

Microsoft patches over 100 bugs, including two actively exploited zero-days

Microsoft rolled out its October 2024 Patch Tuesday release that contains fixes for over a hundred security vulnerabilities, including two flaws actively exploited by threat actors. Actively exploited zero-day vulnerabilities include:

CVE-2024-43572 - Microsoft Management Console (MMC) Remote Code Execution Vulnerability. This critical flaw allows attackers to use specially crafted Microsoft Saved Console (MSC) files to achieve remote code execution (RCE) on targeted systems. Microsoft has addressed the issue by blocking untrusted MSC files from being opened, preventing them from being used in RCE attacks.

CVE-2024-43573 - Windows MSHTML Platform Spoofing Vulnerability. The flaw affects the MSHTML platform, a core component previously used in Internet Explorer and Legacy Microsoft Edge. While Microsoft has yet to release detailed information about the exploit, the vulnerability involves spoofing attacks using MSHTML components, which are still present in modern Windows systems.

Also, US IT software company Ivanti has patched three actively exploited vulnerabilities affecting Cloud Services Appliance (CSA). Tracked as CVE-2024-9379, CVE-2024-9380, and CVE-2024-9381, the zero-days can be exploited to execute arbitrary SQL commands, OS commands, or compromise the affected system via a specially crafted HTTP request.

Meanwhile, Palo Alto Networks has issued a warning to its customers about critical security vulnerabilities in its PAN-OS firewalls, which are targeted by publicly available exploit code. These flaws, discovered in the company's Expedition tool used for migrating configurations from other vendors like Check Point and Cisco, could allow attackers to hijack the firewalls. By exploiting the vulnerabilities, attackers can potentially gain access to sensitive data, including user credentials, which could lead to the compromise of firewall administrator accounts.

It’s also worth noting that Qualcomm released a security advisory to warn of a potential zero-day, CVE-2024-43047. This high-severity use-after-free vulnerability affects the DSP service and may be under limited, targeted exploitation, as noted by Google's Threat Analysis Group.

Chinese hackers target OpenAI employees in phishing attack

OpenAI disclosed the disruption of a spear-phishing campaign led by a China-based group called SweetSpecter. The group attempted to target OpenAI employees through phishing emails containing attachments designed to deploy the SugarGh0st Remote Access Trojan (RAT), which could have allowed remote control of compromised systems.

In another incident, OpenAI blocked activities of CyberAv3ngers, an Iranian group linked to the Islamic Revolutionary Guard Corps (IRGC), which had used AI models for malicious activities, including researching PLC systems and creating malicious scripts. Additionally, STORM-0817, another Iranian group, was found using AI to develop Android malware with surveillance capabilities.

In a separate report, Check Point Research detailed an ongoing disinformation campaign aiming to influence the results of Moldova’s elections and nationwide referendum on European Union membership. The threat actor, known as Lying Pigeon, uses emails instead of social media to impersonate EU institutions, Moldovan ministries, and political figures. The emails spread misleading information on sensitive topics like LGBT rights, fuel prices, and immigration, exploiting concerns tied to Moldova's pro-European government.

The campaign is aimed at collecting personal data and could lead to targeted malware attacks. Lying Pigeon has also been linked to previous malicious activities across Europe, including distributing info-stealing malware.

China-linked hackers reportedly compromise US court wiretap systems

Chinese hackers reportedly accessed the networks of several US broadband providers and obtained sensitive information from systems used for court-authorized wiretapping. The attack, believed to have been orchestrated by a Chinese state-sponsored group dubbed “Salt Typhoon,” targeted major US telecom companies including Verizon Communications, AT&T, and Lumen Technologies.

The hackers reportedly gained access to network infrastructure used by Verizon, AT&T, and Lumen to cooperate with lawful US requests for communications data and also infiltrated other internet traffic.

Hackers hijack high-level accounts and sensitive data of JAXA’s execs

Threat actors behind last year’s cyberattack on the Japan Aerospace Exploration Agency (JAXA) reportedly managed to hijack the accounts of approximately five board directors, including the agency’s president, Hiroshi Yamakawa. JAXA’s internal investigation revealed that the hackers commandeered roughly 200 accounts, including those of senior officials and members of JAXA’s leadership team.

Among the compromised accounts were those of five board members, representing over half of the nine-member board at the time. These directors, including the president, had access to critical details about JAXA’s external negotiations, space exploration efforts, and national security initiatives. The hackers also gained control over accounts of senior officials involved in policy and budget affairs.

The GoldenJackal APT targets air-gapped systems in latest cyber espionage campaign

A new cyber espionage campaign linked to the advanced persistent threat (APT) group known as GoldenJackal has been targeting air-gapped systems in governmental organizations across Europe. Spanning from May 2022 to March 2024, the campaign leveraged a custom-built, modular toolset to bypass security defenses. GoldenJackal’s arsenal includes several custom implants, such as JackalControl, JackalSteal, JackalWorm, JackalPerInfo, and JackalScreenWatcher. The tools, written in C#, enable the group to monitor systems, steal data, spread malware, and remotely control infected devices. The group’s most recent toolset includes GoldenHowl, a backdoor that facilitates access to air-gapped systems, and GoldenRobo, a tool used to collect and exfiltrate files.

North Korean hackers target job seekers with BeaverTail and InvisibleFerret malware

Palo Alto Networks’ Unit 42 discovered a new version of the BeaverTail malware, targeting tech job seekers as part of the ongoing CL-STA-240 Contagious Interview campaign. Attackers use job search platforms like LinkedIn and X (formerly Twitter) to pose as employers and deliver malware. Initially reported in November 2023, the campaign has since evolved. The latest version of BeaverTail, discovered in July 2024, is compiled using the cross-platform Qt framework, enabling deployment on both macOS and Windows. Additionally, updates to the InvisibleFerret backdoor grant attackers increased control over infected devices.

Over 100 orgs breached in BabyLockerKZ ransomware attacks

An updated variant of the MedusaLocker ransomware, dubbed ‘BabyLockerKZ,’ has been observed in ransomware attacks targeting over 100 organizations monthly. The attacks have been linked by the Cisco Talos threat intelligence team to a suspected initial access broker (IAB) or ransomware cartel affiliate operating under the moniker ‘PaidMemes.’

Talos researchers detected several differences between the original ransomware, which first emerged in 2022, and the updated variant, including the presence of extra public and private key sets stored in the system registry, and changes to the autorun key.

Mamba 2FA PaaS platform targets Microsoft 365 accounts in advanced AiTM attacks

A newly discovered phishing-as-a-service (PhaaS) platform called ‘Mamba 2FA’ is targeting Microsoft 365 accounts, particularly through Adversary-in-the-Middle (AiTM) techniques. At $250 per month, the platform offers threat actors well-crafted phishing pages and mechanisms to bypass multi-factor authentication (MFA).

Mamba 2FA is designed to capture authentication tokens through an AiTM setup, bypassing MFA protections that many organizations rely on to secure their accounts. With this setup, attackers can intercept and steal one-time passcodes and authentication cookies, allowing them to take over accounts without needing the victim's second authentication factor.

EU introduces new sanctions framework to counter Russia’s destabilizing actions

The European Council has introduced a new sanctions framework designed to combat Russia's escalating hybrid warfare tactics against EU member states. The framework allows the EU to target individuals and entities that engage in activities sanctioned by the Russian government.

The expanded framework allows the EU to address a wide array of hybrid threats, including interference in electoral processes, attacks on democratic institutions, sabotage of critical infrastructure, and cyber operations. It also covers the dissemination of coordinated disinformation campaigns and foreign information manipulation, along with the instrumentalization of migrants in a bid to destabilize the region.

Ukraine establishing military CERT to counter Russian cyberattacks

Ukraine's Ministry of Defense has established an Incident Response Center to strengthen its cyber defense capabilities amid growing threats from cyberattacks, particularly those originating from Russia. The new unit is dedicated to defending the country's military and communication networks. The military personnel working at the Incident Response Center will provide round-the-clock monitoring and respond to cyber incidents. The unit's mission includes mitigating the consequences of cyberattacks, strengthening the defense of the Ministry’s information and communication systems, and implementing advanced cybersecurity incident management tools.

In related news, two hackers from the Russia-linked Armageddon group have been sentenced in absentia to 15 years in prison by a Ukrainian court. The hackers, former employees of Ukraine's Security Service (SBU) in Crimea who defected to Russia's FSB in 2014, carried out over 5,000 cyberattacks targeting Ukrainian government institutions, including the Ministry of Foreign Affairs and the Ministry of Economic Development. Their goal was to access electronic document systems and servers containing sensitive government data. They were convicted of state treason and unauthorized interference with computer systems.

In the meantime, Ukraine's cyber police have arrested a 28-year-old man for operating a VPN service that allowed users in Ukraine to access the Russian internet, known as Runet (which includes various Russian websites on the ".ru" and ".su" top-level domains). Following the Russian invasion, the Ukrainian government restricted access from Ukraine to the Russian portion of the internet.

According to the police, the unauthorized VPN enabled users, particularly in occupied territories and pro-Russian individuals, to bypass Ukrainian restrictions. The individual faces charges under Article 361 of Ukraine's Criminal Code, which could lead to a prison sentence of up to 15 years. The service reportedly provided access to over 48 million Runet IP addresses, handling more than 100 gigabytes of traffic daily.

A participant in an international hacker group is set to stand trial in Ukraine

Ukrainian cyber police identified and located one of the group's most active members, a 49-year-old man from Kyiv. A coordinated international operation involving Europol and law enforcement from several countries led to over 80 searches, resulting in the seizure of computers containing evidence of crimes, bank cards, SIM cards, and nearly 4 million hryvnias. Authorities also discovered cryptocurrency assets worth over 24 million hryvnias, nine luxury vehicles, and 24 plots of land totaling almost 12 hectares.

The group targeted industrial enterprises in France, Germany, the US, Norway, the Netherlands, and Canada, using LockerGoga, MegaCortex, HIVE and Dharma ransomware. They stole information, encrypted computers, and demanded ransom in cryptocurrency.

In November 2023, the National Police of Ukraine charged the hacker with unauthorized interference in information systems, creating malicious software for illegal use, and extortion. In September 2024, the pre-trial investigation concluded, and the indictment was sent to court. The accused faces up to twelve years in prison with asset confiscation.

Raccoon MaaS operator pleads guilty in the US

Mark Sokolovsky, a 28-year-old Ukrainian national, has pleaded guilty in the United States to multiple charges related to his involvement in the notorious Raccoon Infostealer malware operation. Sokolovsky faces charges including computer hacking, fraud, identity theft, and money laundering. Sokolovsky was arrested in the Netherlands in March 2022, following an international law enforcement operation that simultaneously dismantled the infrastructure supporting Raccoon Infostealer. In February 2024, he was extradited to the US to face trial.

A joint police op dismantles Bohemia/Cannabia dark web marketplaces

A joint law enforcement operation has taken down the Bohemia and Cannabia Dark Web marketplaces, known as the largest and longest-running platforms for illegal goods, including drugs, counterfeit IDs, and cybercrime services. Authorities arrested two alleged administrators, one in the Netherlands and the other in Ireland. The marketplaces ceased operations at the end of 2023 due to technical issues, prompting the administrators to execute an 'exit scam' and distribute the remaining funds between themselves.

The US charges 18 entities and individuals with cryptocurrency fraud

The US authorities have charged three cryptocurrency companies—Gotbit, ZM Quant, and CLS Global—along with 15 individuals, with widespread fraud and market manipulation. Gotbit's CEO, Alexey Andryunin, has been arrested in Portugal.

The crackdown resulted in four arrests, five individuals agreeing to plead guilty, and the seizure of over $25 million in cryptocurrency. The defendants allegedly engaged in sham trades to artificially inflate the trading volume of various tokens. As part of the investigation, the FBI created a cryptocurrency company, NexFundAI, and its own token. The agency closely monitored the trading of a token associated with this company.

Internet Archive hit with a data breach exposing 31M records

The Internet Archive, the world’s most famous digital library, suffered a series of cyberattacks in October 2024, temporarily disabling its site, including the Wayback Machine, and exposing the data of 31 million users. On October 8, founder Brewster Kahle confirmed that the site was hit by a DDoS attack, which was resolved hours later. On October 9, the hacktivist group BlackMeta claimed responsibility and warned of more attacks, which Kahle later confirmed. BlackMeta's social media indicated they targeted organizations linked to the US or supportive of Israel, though the Internet Archive itself is an independent non-profit.
