2K+ PAN devices compromised in an ongoing attack
Over 2,000 Palo Alto Networks devices have been compromised in an active campaign exploiting two critical vulnerabilities: CVE-2024-0012 (authentication bypass) and CVE-2024-9474 (privilege escalation). The flaws are being used by attackers to alter configurations, execute arbitrary code, and deploy malware, such as PHP-based web shells. The attack, dubbed "Operation Lunar Peek," has mainly impacted devices in the US (554 infections) and India (461), with smaller numbers in Thailand, Mexico, and other countries.
Additionally, the US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Progress Kemp LoadMaster to its Known Exploited Vulnerabilities (KEV) catalog, indicating its active exploitation in the wild. CVE-2024-1212 is an OS command injection flaw that allows unauthenticated, remote attackers to execute arbitrary system commands via the LoadMaster management interface. Though Progress Software issued a patch back in February 2024, recent reports indicate attackers are actively targeting unpatched systems.
In parallel, Broadcom has disclosed active exploitation of two VMware vCenter Server vulnerabilities. One of the flaws (CVE-2024-38812) is a heap-overflow vulnerability in vCenter's implementation of the DCERPC protocol, enabling remote code execution for attackers with network access. The other vulnerability (CVE-2024-38813) is a privilege escalation issue allowing attackers with network access to escalate their privileges to root.
Apple has rolled out security updates for iOS, iPadOS, macOS, visionOS, and Safari to patch two zero-day vulnerabilities that are reportedly being actively exploited in the wild. These flaws, tracked as CVE-2024-44308 and CVE-2024-44309, affect the WebKit framework. CVE-2024-44308 resides in JavaScriptCore and allows arbitrary code execution when processing malicious web content. Apple has addressed the issue with improved input validation checks. The second flaw (CVE-2024-44309) is a cookie management issue in WebKit that could enable cross-site scripting (XSS) attacks when handling malicious web content. Apple implemented enhanced state management to resolve the issue.
Oracle has patched a critical remote execution flaw in its Agile Product Lifecycle Management (PLM) Framework that is being actively exploited in the wild. Tracked as CVE-2024-21287, the flaw exists due to missing authorization within the Software Development Kit, Process Extension component. A remote, unauthenticated attacker can send a specially crafted HTTP request and view arbitrary files on the system.
A new malware botnet has been observed actively exploiting a zero-day vulnerability in end-of-life GeoVision devices, potentially recruiting them for Distributed Denial of Service (DDoS) attacks or cryptomining operations. The vulnerability, tracked as CVE-2024-11120, is a critical OS command injection flaw. The vulnerability exists due to improper input validation. A remote unauthenticated attacker can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Researchers at Pentera discovered a design flaw in Fortinet VPN servers' logging mechanism that could aid attackers in hiding successful login attempts during brute-force attacks. While failed attempts are logged as expected, the flaw allows attackers to prevent the logging of successful login events.
In other news, MITRE has released 2024's top 25 most dangerous software weaknesses.
D-Link urges replacement of EoL VPN routers following discovery of high-risk bug
Taiwanese networking hardware and telecoms equipment vendor D-Link has issued an urgent advisory to customers, warning them to replace several end-of-life (EoL) VPN router models after a high-risk unauthenticated, remote code execution (RCE) vulnerability was discovered. The vulnerability exists due to a boundary error. A remote unauthenticated attacker can send specially crafted requests to the device, trigger a stack-based buffer overflow and execute arbitrary code on the target system. The affected models include DSR-150, DSR-150N, DSR-250, and DSR-250N, with all hardware versions and firmware revisions from 3.13 to 3.17B901C at risk.
New Helldown ransomware group exploits Zyxel firewalls in targeted attacks
A new ransomware group named ‘Helldown’ has emerged on the threat landscape, exploiting vulnerabilities in Zyxel firewalls to infiltrate corporate systems. According to cybersecurity firms Truesec and Sekoia, the vulnerability aligns with a bug (CVE-2024-42057) publicly reported in Zyxel's forums earlier this month. First spotted in August 2024, Helldown has targeted over 30 organizations, listing their names on its dark web extortion portal.
Russian hackers target Asia and Europe with Hatvibe and Cherryspy custom malware
Threat actors associated with Russia have been linked to a cyber-espionage campaign targeting organizations in Central Asia, East Asia, and Europe. Recorded Future's Insikt Group, which dubbed the cluster TAG-110, has identified overlaps with UAC-0063, a group linked to the Russian APT28 (BlueDelta). Active since at least 2021, TAG-110 focuses on government agencies, human rights organizations, and educational institutions.
The campaign employs custom malware tools, Hatvibe and Cherryspy. Hatvibe serves as a loader for Cherryspy, a Python-based backdoor designed for espionage and data theft. Initial access is typically gained through phishing emails or exploiting vulnerabilities in web-facing services like Rejetto HTTP File Server.
In other news, Palo Alto Networks' Unit 42 released a report detailing ICS malware called FrostyGoop/Bustleberm used in an attack on a municipal energy company in Ukraine in early 2024.
Ngioweb botnet and NSOCKS proxy service disrupted following over a year’s investigation
Security firms are dismantling the Ngioweb botnet, a major supplier to the NSOCKS proxy service, responsible for over 35,000 proxies used by cybercriminals and nation-state actors. Ngioweb powers at least 80% of the proxies on NSOCKS[.]net, spanning 180 countries. The botnet leverages a ‘loader’ network to redirect infected devices to command-and-control (C2) servers, which fetch and execute Ngioweb malware.
First identified in 2017, Ngioweb has been providing residential proxies to both financially motivated groups and advanced persistent threats (APTs) since late 2022. Key actors using the service include Muddled Libra, tied to the Scattered Spider cybercrime gang, and Pawn Storm (APT28), a Russian GRU-linked group. A Chinese-affiliated group, Water Barghest, was also found exploiting the botnet.
China-linked espionage group Liminal Panda targets global telecommunications
A new China-linked cyber espionage group dubbed ‘Liminal Panda’ has been linked to a series of sophisticated cyberattacks targeting telecommunications entities in South Asia and Africa. The threat actor’s activities involve emulating Global System for Mobile Communications (GSM) protocols, allowing for command-and-control (C2) operations and enabling access to sensitive subscriber data such as call metadata, mobile subscriber information, and SMS messages.
Another China-linked threat actor, BrazenBamboo, has been observed exploiting a FortiClient zero-day vulnerability to steal VPN credentials using a modular post-exploitation framework called DEEPDATA.
A report from Trend Micro looks into a new cyber campaign by Earth Kasha involving the Lodeinfo malware, which has been targeting Japan since 2019.
Securite360’s report highlights a new malware loader used by a Chinese APT dubbed Sharp Panda.
North Korean hackers impersonate US-based IT firms
Threat actors linked to North Korea are impersonating US-based software and tech consulting firms as part of a larger scheme involving IT workers to evade sanctions and generate revenue for the regime. North Korea employs a global network of skilled IT workers, who use fake identities and credentials to secure remote jobs in areas like software development, blockchain, and cryptocurrency. These operations are often facilitated by front companies in regions such as China, Russia, Southeast Asia, and Africa, which help obscure the workers’ origins and manage payments.
Examples include China-based Yanbian Silverstar Network Technology Co. Ltd., disrupted in 2023, and Russia-based Volasys Silver Star, sanctioned in 2018 for laundering funds through online payment services and Chinese bank accounts. Payments are frequently routed via cryptocurrencies or shadow banking systems, ultimately funding North Korea’s state programs, including weapons development, while bypassing international sanctions.
Meanwhile, South Korean police have confirmed that hackers affiliated with North Korea's military intelligence agency carried out a 2019 Ethereum heist, stealing 342,000 tokens worth 58 billion won ($41.5 million at the time). The hackers laundered more than half of the stolen Ethereum through three cryptocurrency exchanges they controlled, offering it at discounted rates in exchange for bitcoin. The remainder was funneled through 51 other exchanges, according to the National Police Agency.
NSO Group exploited WhatsApp flaws to deploy Pegasus spyware after being sued by Meta
Israeli surveillance firm NSO Group reportedly continued exploiting WhatsApp vulnerabilities to deploy its Pegasus spyware, even after facing legal action from Meta. Court documents filed last week detail the company's development of multiple zero-day exploits, including a previously unknown vector named “Erised.”
240 domains linked to the ONNX phishing service have been disrupted
Microsoft has taken down 240 phishing-related websites and disrupted operations linked to "ONNX," a fraudulent service allegedly run by an Egyptian individual, Abanoub Nady, also known as "MRxC0DER." Nady created and sold DIY phishing kits under the ONNX brand name, enabling cybercriminals to carry out widespread phishing campaigns.
The US authorities dismantled PopeyeTools, a notorious online marketplace for stolen financial data and cybercrime tools. Three administrators were charged with conspiracy to commit access device fraud and related offenses. Authorities seized three domain names hosting the marketplace and confiscated $283,000 in cryptocurrency from the suspect’s account. Active since 2016, PopeyeTools facilitated the sale of sensitive information belonging to at least 227,000 individuals, generating $1.7 million in illicit revenue.
Additionally, Meta announced it has dismantled over two million accounts linked to pig butchering scams, originating from organized crime syndicates operating in Cambodia, Myanmar, Laos, the UAE, and the Philippines. These scams, often based in Southeast Asian compounds, involve criminals using social media and dating apps to establish trusted personal or romantic relationships with victims worldwide. The scammers then manipulate victims into transferring their money into fraudulent investment schemes.
Five alleged Scattered Spider members charged for phishing and crypto heists
The US Department of Justice has indicted five individuals allegedly tied to the notorious cybercrime gang Scattered Spider. The suspects, accused of orchestrating multimillion-dollar cryptocurrency thefts and high-profile cyberattacks, now face charges that could land them in prison for decades. Scattered Spider is suspected of executing high-profile attacks on MGM Resorts, Caesars Entertainment, and identity services provider Okta. Using SMS phishing and social engineering, the group allegedly launched a multi-year campaign to harvest credentials, compromise corporate systems, and siphon funds from cryptocurrency wallets.
Phobos ransomware administrator extradited to US from South Korea
Evgenii Ptitsyn, aka ‘derxan’ and ‘zimmermanx,’ a Russian national accused of running the notorious Phobos ransomware operation, has been extradited from South Korea to the United States where he faces a 13-count indictment tied to international cybercrime. Phobos ransomware has been linked to over 1,000 cyberattacks worldwide, including critical hits on US public and private entities. The attacks have reportedly extorted more than $16 million in ransom payments. According to the indictment, Ptitsyn was a key player in the scheme overseeing the sale, distribution, and operation of the ransomware.
Helix ‘mixer’ operator sentenced to three years in prison
Larry Dean Harmon, a US resident, has been sentenced to three years in prison for his role in operating Helix, a cryptocurrency “mixer” service linked to illegal activities on the darknet. Harmon is also required to forfeit more than $400 million worth of cryptocurrency, real estate, and other assets as part of his sentencing. Helix was closely integrated with Grams, a darknet search engine also run by Harmon. Together, the services formed a critical infrastructure for online drug dealers and other darknet operators seeking to launder illegal proceeds. Harmon developed an Application Programming Interface (API) to allow darknet marketplaces to incorporate Helix into their payment systems.
New Ghost Tap cash-out technique exploiting mobile payment systems
ThreatFabric researchers uncovered a sophisticated cash-out method dubbed ‘Ghost Tap,’ which is being actively employed by threat actors. The tactic exploits stolen credit card details linked to mobile payment services like Google Pay and Apple Pay, leveraging Near Field Communication (NFC) technology to execute fraudulent transactions.