29 November 2024

Cyber Security Week in Review: November 29, 2024


A critical bug in ProjectSend file-sharing software exploited in the wild

A critical security vulnerability affecting ProjectSend, an open-source file-sharing platform, is reportedly being actively exploited. The flaw, tracked as CVE-2024-11680, allows attackers to execute arbitrary PHP code on unpatched servers. The vulnerability was initially discovered by Synacktiv in January 2023 and described as an improper authorization check in ProjectSend version r1605, released in October 2022. VulnCheck has observed exploitation attempts by unknown threat actors targeting public-facing ProjectSend servers since September 2024. The attackers have leveraged exploit code released by Project Discovery and Rapid7 to compromise vulnerable systems. As part of the exploitation, the attackers enable the user registration feature to gain elevated privileges for further malicious activity.

Hackers exploit Firefox and Windows zero-days to deliver RomCom backdoor

A Russia-linked threat actor has been exploiting two recently patched zero-days affecting Mozilla products to deliver the RomCom backdoor. Previously, the group was caught abusing another zero-day flaw (CVE-2023-36884) impacting Microsoft Word. In the most recent campaign, the RomCom threat actor used CVE-2024-9680, a use-after-free flaw in Mozilla Firefox, Thunderbird, and the Tor Browser, allowing malicious actors to execute code within the browser's restricted context. When chained with another previously unknown Windows vulnerability (CVE-2024-49039), attackers can escape that sandbox and execute arbitrary code in the context of the logged-in user without requiring any user interaction.

An RCE bug in Array Networks SSL VPN products is being exploited in the wild

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a high-risk vulnerability in Array Networks SSL VPN products to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2023-28461, allows remote arbitrary code execution due to missing authentication mechanisms. Recent analysis by Trend Micro has revealed that the vulnerability has been exploited by a threat actor group known as Earth Kasha. The group has targeted advanced technology organizations and government agencies in Japan, Taiwan, and India. CVE-2023-28461 is being combined with other vulnerabilities, such as Proself's flaw CVE-2023-45727 and Fortinet's FortiOS/FortiProxy vulnerability CVE-2023-27997, for initial access.

Russian hackers exploit Wi-Fi networks abroad without leaving Russia

Russian hackers affiliated with the country’s military intelligence agency (GRU) have developed a sophisticated method to breach Wi-Fi networks in foreign countries while operating remotely from Russia. The technique involves compromising nearby devices connected to vulnerable Wi-Fi networks and using them to infiltrate target systems.

China-linked Earth Estries APT deploys new Ghostspider backdoor in Southeast Asia attacks

A China-linked state-sponsored threat actor known as Earth Estries has been targeting telecommunications companies in Southeast Asia with a novel backdoor called Ghostspider. The backdoor is capable of establishing secure communications with attacker-controlled servers via a custom protocol protected by Transport Layer Security (TLS). This allows it to fetch and execute additional modules for extended functionality, enabling Earth Estries to maintain persistence and conduct long-term espionage. Initial access is achieved by leveraging N-day vulnerabilities in widely used software such as Ivanti Connect Secure (CVE-2023-46805, CVE-2024-21887), Fortinet FortiClient EMS (CVE-2023-48788), Sophos Firewall (CVE-2022-3236), and Microsoft Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, collectively known as ProxyLogon).

APT-C-60 group attacks Japan with SpyGlace backdoor

The South Korea-aligned threat actor known as APT-C-60 has been linked to a targeted attack on an unnamed organization in Japan. The attack, which occurred around August 2024, employed a convincing job application-themed lure to deliver the SpyGlace backdoor. APT-C-60 leveraged well-known legitimate services such as Google Drive, Bitbucket, and StatCounter to obfuscate its malicious activities.

CyberVolk hacktivists target nations opposing Russian interests with ransomware attacks

A hacktivist group with suspected roots in India, known as CyberVolk, has been deploying ransomware attacks against state and public entities in nations perceived as opposing Russian interests. The group has been active since at least March 2024, exploiting global geopolitical tensions to justify its campaigns. CyberVolk recently claimed responsibility for cyberattacks on critical infrastructure and scientific institutions in Japan, France, and the United Kingdom.

Bootkitty UEFI bootkit targets Linux systems

ESET researchers have discovered what they describe as the first known Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems. The bootkit's purpose is to disable the kernel's signature verification feature, a mechanism that ensures the integrity and authenticity of the Linux kernel and is critical for maintaining a secure boot process.

Bootkitty operates by exploiting vulnerabilities in the Linux boot process. Despite being signed with a self-signed certificate, it cannot run on systems with UEFI Secure Boot enabled unless attackers manually install their certificates. However, it can boot the Linux kernel by patching integrity verification functions in memory before the GRUB bootloader executes.

Hackers exploit Avast anti-rootkit driver to evade detection and disable security

Cybercriminals have launched a sophisticated campaign using a "bring-your-own-vulnerable-driver" (BYOVD) tactic, in which a vulnerable Avast Anti-Rootkit driver is used to disable security defenses on targeted systems. The malware, identified as a variant of an AV Killer, loads the vulnerable driver to gain kernel-level access to the operating system. Kernel access allows it to tamper with critical system components and disable security software.

Glassbridge influence operation spreads pro-China propaganda

Google’s Threat Intelligence Group (GTIG) has dismantled an extensive network of fake news websites operated by entities tied to pro-China influence campaigns. Dubbed Glassbridge, the network spanned hundreds of domains and presented itself as a consortium of independent news outlets, but its content heavily echoed narratives favorable to the political interests of the People’s Republic of China (PRC).

T-Mobile detects intrusion attempts, no sensitive data compromised

US telecom giant T-Mobile has disclosed that it recently detected and blocked attempts by threat actors to infiltrate its systems. The company said that no sensitive information was accessed during the incidents.

Malicious actors are abusing popular Godot game engine to deploy malware

Check Point Research has uncovered a malware loader dubbed GodLoader that abuses the Godot game engine to execute malicious code. Threat actors used maliciously crafted GDScript code to bypass antivirus systems and have infected over 17,000 devices since June 2024. Victims were tricked into believing they were downloading software cracks and inadvertently ran the malware instead.

According to the Godot security team, the Godot Engine itself is not vulnerable. The team said that the engine is neither uniquely suited nor particularly at risk for such misuse, as any programming language can be leveraged for malicious purposes.

Supply chain attack targets popular npm package LottieFiles

Researchers from ReversingLabs detected a supply chain attack involving the widely used npm package @lottiefiles/lottie-player. The company identified three malicious versions of the package—2.0.5, 2.0.6, and 2.0.7—designed to steal crypto wallet assets. According to ReversingLabs, the attack was executed using an unauthorized access token from a privileged developer account.

In other news, cybersecurity researchers at Checkmarx have uncovered a year-long software supply chain attack in the npm package registry. The attack involved a package named @0xengine/xmlrpc, which initially appeared as a legitimate JavaScript-based XML-RPC server and client for Node.js. The package, first published on October 2, 2023, has been downloaded 1,790 times and remains accessible.

The malicious activity began with the release of version 1.3.4 on October 3, 2023. This update introduced code designed to exfiltrate sensitive data, including SSH keys, bash history, system metadata, and environment variables. The stolen data was sent every 12 hours via cloud services like Dropbox and file.io. Additionally, the package included functionality to mine cryptocurrency on compromised systems.
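The two npm incidents above (the three malicious @lottiefiles/lottie-player releases and the @0xengine/xmlrpc package that turned malicious at 1.3.4) lend themselves to a lockfile audit. The following is an added example, not code from the original post or from ReversingLabs or Checkmarx: it walks a parsed package-lock.json in either the lockfileVersion 1 nested layout or the v2/v3 flat "packages" layout and reports installs of the named releases. The lottie-player versions and the 1.3.4 starting point come from the roundup; treating every later xmlrpc release as suspect, and the sample lockfile, are assumptions made here.

```javascript
const MALICIOUS = [
  // Exact lottie-player releases the roundup names as wallet stealers.
  { name: "@lottiefiles/lottie-player", match: (v) => ["2.0.5", "2.0.6", "2.0.7"].includes(v) },
  // Exfiltration code landed in 1.3.4 and the package was never cleaned up;
  // treating every later release as suspect is an assumption made here.
  { name: "@0xengine/xmlrpc", match: (v) => compareSemver(v, "1.3.4") >= 0 },
];

// Minimal x.y.z comparison; prerelease/build tags are ignored.
function compareSemver(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  return 0;
}

// Returns [{ name, version, where }] for every flagged install in a parsed
// package-lock.json (lockfileVersion 1 nested tree, or 2/3 flat "packages").
function auditLockfile(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const rule = MALICIOUS.find((r) => r.name === name);
    if (rule && version && rule.match(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project entry
      // "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar"
      const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
      check(name, meta.version, path);
    }
  } else {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        check(name, meta.version, prefix + name);
        walk(meta.dependencies, prefix + name + " > ");
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample (not a real project): one pinned malicious lottie-player
// release plus a nested xmlrpc install that predates 1.3.4 and is not flagged.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "0.1.0" },
  "node_modules/@lottiefiles/lottie-player": { version: "2.0.6" },
  "node_modules/some-lib/node_modules/@0xengine/xmlrpc": { version: "1.3.3" },
} };
console.log(auditLockfile(SAMPLE_LOCK)); // one hit: lottie-player 2.0.6
```

In a real repository, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json"))` and fail the CI job when the returned array is non-empty.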

Banshee Stealer source code leaks online

The source code for the macOS malware Banshee Stealer was leaked online, leading to the shutdown of its operation. The malware is designed to steal sensitive data from macOS devices, including OS passwords, system information, browser data, and cryptocurrency wallets such as Exodus, Ledger, and more.

Banshee Stealer gained attention in August 2024 when it was advertised on cybercrime forums for $3,000 per month. Believed to be developed by Russian threat actors, the malware targeted both personal and financial data. The motivation and identity of the leaker remain unknown.

Global cybercrime crackdown nets thousands of arrests and dismantles illicit networks

Law enforcement agencies worldwide conducted a series of operations aimed at combating cybercrime.

Operation Serengeti, led by Interpol and Afripol, spanned 19 African nations from September to October 2024. Authorities arrested 1,006 suspects and dismantled over 134,000 malicious infrastructures. The operation uncovered over 35,000 victims and estimated global financial losses of $193 million. It targeted cybercrimes including ransomware, business email compromise (BEC), and online scams.

Simultaneously, the five-month Operation HAECHI V (July-November 2024) brought together law enforcement agencies from 40 countries to combat voice phishing, romance scams, sextortion, investment fraud, illegal gambling, and e-commerce fraud. Authorities seized over $400 million in assets and arrested 5,500 suspects. In South Korea and Beijing, a voice phishing syndicate responsible for $1.1 billion in losses was dismantled, with 27 members arrested and 19 indicted.

In Europe, Europol coordinated a crackdown on illegal streaming networks, leading to 11 arrests in Croatia and operations against 102 suspects. These networks pirated films, TV channels, and sports broadcasts, serving 22 million users and earning illegal profits of €250 million monthly. Copyright holders suffered economic damages of €10 billion.
