Security News
- CISA Plan Aligns Cybersecurity Across Federal Agencies (www.darkreading.com)
The FOCAL plan outlines baselines to synchronize cybersecurity priorities and policies across, as well as within, agencies.
- Global infostealer malware operation targets crypto users, gamers
> The threat actors use a variety of distribution channels, including malvertising, spearphishing, and brand impersonation in online gaming, cryptocurrency, and software, to spread 50 malware payloads, including AMOS, Stealc, and Rhadamanthys.
> Victims are lured into downloading malicious software by interacting with what they are tricked into believing are legitimate job opportunities or project collaborations.
> On Windows, HijackLoader is used for delivering Stealc, a general-purpose lightweight info-stealer designed to collect data from browsers and crypto wallet apps, or Rhadamanthys, a more specialized stealer that targets a broad range of applications and data types.
> When the target uses macOS, Marko Polo deploys Atomic ('AMOS'). This stealer launched in mid-2023, rented to cybercriminals for $1,000/month, allowing them to snatch various data stored in web browsers.
- 1.3 million Android-based TV boxes backdoored; researchers still don’t know how (arstechnica.com)
Infection corrals devices running AOSP-based firmware into a botnet.
cross-posted from: https://programming.dev/post/19431239
> Researchers still don’t know the cause of a recently discovered malware infection affecting almost 1.3 million streaming devices running an open source version of Android in almost 200 countries.
- Transport for London staff faces systems disruptions after cyberattack
> Transport for London, the city's public transportation agency, revealed today that its staff has limited access to systems and email due to measures implemented in response to a Sunday cyberattack.
- North Korean Threat Actors Deploy COVERTCATCH Malware via LinkedIn Job Scams (thehackernews.com)
North Korean hackers target developers via LinkedIn job scams, spreading malware to infiltrate Web3 and crypto firms.
> "After an initial chat conversation, the attacker sent a ZIP file that contained COVERTCATCH malware disguised as a Python coding challenge," researchers Robert Wallace, Blas Kojusner, and Joseph Dobson said.
> The malware functions as a launchpad to compromise the target's macOS system by downloading a second-stage payload that establishes persistence via Launch Agents and Launch Daemons.
- Malvertising Campaign Phishes Lowe's Employees (www.darkreading.com)
Retail employees are being duped into divulging their credentials by typosquatting malvertisements.
- Apache fixes critical OFBiz remote code execution vulnerability
Tracked as CVE-2024-45195 and discovered by Rapid7 security researchers, this remote code execution flaw is caused by a forced browsing weakness that exposes restricted paths to unauthenticated direct request attacks.
- VMWare releases Fusion vulnerability with 8.8 rating (cyberscoop.com)
The company issued a patch for the high-severity bug that allows arbitrary code execution.
- Hackers Use Fake GlobalProtect VPN Software in New WikiLoader Malware Attack (thehackernews.com)
Hackers are spoofing GlobalProtect VPN software using SEO poisoning to deliver WikiLoader malware in a new cyberattack.
> The malvertising activity, observed in June 2024, is a departure from previously observed tactics wherein the malware has been propagated via traditional phishing emails, Unit 42 researchers Mark Lim and Tom Marsden said.
Definitions:
Malvertising - Internet advertising whose real intention is to deliver malware to the PC when the ad is clicked.
- FTC: Over $110 million lost to Bitcoin ATM scams in 2023
> The U.S. Federal Trade Commission (FTC) has reported a massive increase in losses to Bitcoin ATM scams, nearly ten times the amount from 2020 and reaching over $110 million in 2023.
> Bitcoin ATMs are typically located in convenience stores, gas stations, and other busy areas, but instead of dispensing cash like the traditional ATMs they resemble, they allow you to buy and sell cryptocurrency.
- New Flaws in Microsoft macOS Apps Could Allow Hackers to Gain Unrestricted Access (thehackernews.com)
Eight vulnerabilities in Microsoft macOS apps allow attackers to bypass permissions, gaining unauthorized access to sensitive data.
- New Rust-Based Ransomware Cicada3301 Targets Windows and Linux Systems (thehackernews.com)
Cicada3301 ransomware targets SMBs, shares code with BlackCat, exploits vulnerabilities in Windows, Linux, and ESXi systems.
> Written in Rust and capable of targeting both Windows and Linux/ESXi hosts, Cicada3301 first emerged in June 2024, inviting potential affiliates to join their ransomware-as-a-service (RaaS) platform via an advertisement on the RAMP underground forum.
- D-Link says it is not fixing four RCE flaws in DIR-846W routers
> Though D-Link acknowledged the security problems and their severity, it noted that they fall under its standard end-of-life/end-of-support policies, meaning there will be no security updates to address them.
- Docker-OSX image used for security research hit by Apple DMCA takedown
> The popular Docker-OSX project has been removed from Docker Hub after Apple filed a DMCA (Digital Millennium Copyright Act) takedown request, alleging that it violated its copyright.
- Researchers find SQL injection to bypass airport TSA security checks
> Researchers Ian Carroll and Sam Curry discovered the vulnerability in FlyCASS, a third-party web-based service that some airlines use to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS). KCM is a Transportation Security Administration (TSA) initiative that allows pilots and flight attendants to skip security screening, and CASS enables authorized pilots to use jumpseats in cockpits when traveling.
Definitions:
SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution.
- North Korean hackers exploit Chrome zero-day to deploy rootkit
> North Korean hackers have exploited a recently patched Google Chrome zero-day (CVE-2024-7971) to deploy the FudModule rootkit after gaining SYSTEM privileges using a Windows Kernel exploit.
> Citrine Sleet targets financial institutions, focusing on cryptocurrency organizations and associated individuals, and has been previously linked to Bureau 121 of North Korea's Reconnaissance General Bureau.
- Commercial Spyware Vendors Have a Copycat in Top Russian APT (www.darkreading.com)
Russia's Midnight Blizzard infected Mongolian government websites to try to compromise the devices of visitors, using watering-hole tactics.
> In the watering-hole attacks, threat actors infected two websites, cabinet.gov[.]mn and mfa.gov[.]mn, which belong to Mongolia's Cabinet and Ministry of Foreign Affairs. They then injected code to exploit known flaws in iOS and Chrome on Android, with the ultimate goal of hijacking website visitors' devices.
Definitions:
Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected.
Whereas zero-days are a class of vulnerability that is unknown to a software developer or hardware manufacturer, an N-day is a flaw that is already publicly known but may or may not have a security patch available.
- FBI: RansomHub ransomware breached 210 victims since February
This relatively new ransomware-as-a-service (RaaS) operation extorts victims in exchange for not leaking stolen files and sells the documents to the highest bidder if negotiations fail. The ransomware group focuses on data-theft-based extortion rather than encrypting victims' files, although they were also identified as potential buyers of Knight ransomware source code.
Since the start of the year, RansomHub has claimed responsibility for breaching American not-for-profit credit union Patelco, the Rite Aid drugstore chain, the Christie's auction house, and U.S. telecom provider Frontier Communications. Frontier Communications later warned over 750,000 customers their personal information was exposed in a data breach.
- CISA Launches New Portal to Improve Cyber Reporting
Today, the Cybersecurity and Infrastructure Security Agency (CISA) announced that its cyber incident reporting form has moved to the new CISA Services Portal as part of its ongoing effort to improve cyber incident reporting.
- Attackers Have Been Leveraging Microsoft Zero-Day for 18 Months (www.darkreading.com)
Likely two separate threat actors are using the just-patched CVE-2024-38112 in targeted, concurrent infostealer campaigns.
- ShinyHunters claims Santander breach, selling data for 30M customers (www.bleepingcomputer.com)
A threat actor known as ShinyHunters is claiming to be selling a massive trove of Santander Bank data, including information for 30 million customers, employees, and bank account data, two weeks after the bank reported a data breach.
- International Malware Takedown Seized 100+ Servers (www.techrepublic.com)
‘Operation Endgame’ is an ongoing law enforcement effort to disrupt botnets, malware droppers and malware-as-a-service.
- Europol identifies 8 cybercriminals tied to malware loader botnets (www.bleepingcomputer.com)
Europol and German law enforcement have revealed the identities of eight cybercriminals linked to the various malware droppers and loaders disrupted as part of the Operation Endgame law enforcement operation.
- CISA warns of actively exploited Linux privilege elevation flaw (www.bleepingcomputer.com)
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added two vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog, including a Linux kernel privilege elevation flaw.
- Cyber cops plead for info on elusive Emotet mastermind (www.theregister.com)
Follows arrests and takedowns of recent days
- US senator claims UnitedHealth's CEO, board appointed 'unqualified' CISO (www.theregister.com)
Similar cases have resulted in serious sanctions, and they were on a far smaller scale
- Cops Swarm Global Cybercrime Botnet Infrastructure in 2 Massive Ops (www.darkreading.com)
Europol undertook dropper malware botnet takedown while US law enforcement dismantled a sprawling cybercrime botnet for hire.
- Chinese national cuffed on charges of running 'likely the world's largest botnet ever' (www.theregister.com)
DoJ says 911 S5 crew earned $100M from 19 million PCs pwned by fake VPNs
- US govt sanctions cybercrime gang behind massive 911 S5 botnet (www.bleepingcomputer.com)
The U.S. Treasury Department has sanctioned a cybercrime network comprising three Chinese nationals and three Thailand-based companies linked to a massive botnet controlling a residential proxy service known as "911 S5."
- BreachForums returns just weeks after FBI-led takedown (www.theregister.com)
Website whack-a-mole getting worse
- SingCERT Warns Critical Vulnerabilities Found in Multiple WordPress Plugins (thecyberexpress.com)
SingCERT has issued an urgent alert on multiple WordPress plugin vulnerabilities, citing risks such as arbitrary file uploads and SQL injection.
- Amazon Secures pcTattletale Spyware AWS Infrastructure After Hack Reveals 17TB of Data (thecyberexpress.com)
The pcTattletale spyware website was locked down by Amazon following a hack and defacement operation exposing over 17 TB of data.
- Russian Hackers Use Legit Remote Monitoring Software to Spy on Ukraine and Allies (thecyberexpress.com)
Russian hackers were found using legitimate remote monitoring and management software to spy on Ukraine and its allies.
- Pakistan’s Islamabad’s Safe City Authority Online System Down After Hack (thecyberexpress.com)
Islamabad's Safe City Authority, an initiative Pakistan launched with backing from a Chinese government loan, has been hacked, leading to the shutdown of its online system.
- Russian Cyber Army Claims Alleged Cyberattack on Bulgarian Ports Infrastructure Company (thecyberexpress.com)
The notorious Russian Cyber Army hacker group claims responsibility for a cyberattack on the Bulgarian Ports Infrastructure Company, targeting the company's critical infrastructure.
- Hacker defaces spyware app’s site, dumps database and source code (www.bleepingcomputer.com)
A hacker has defaced the website of the pcTattletale spyware application, found on the booking systems of several Wyndham hotels in the United States, and leaked over a dozen archives containing database and source code data.