Ngioweb Botnet Fuels NSOCKS Residential Proxy Network Exploiting IoT Devices

A threat actor is monetizing vulnerable Internet-of-Things (IoT) devices by infecting them with malware and listing them as residential proxies within minutes after exploitation, Trend Micro reports.

Tracked as Water Barghest, the adversary has compromised over 20,000 IoT devices to date, renting them to threat actors looking to anonymize their activities.

Active for at least five years, Water Barghest has remained under the radar by extensively relying on automation, erasing log files to cover its tracks, and only accepting cryptocurrency payments.

The threat actor acquires IoT device vulnerabilities (including zero-days), uses publicly available online scanners to identify vulnerable devices, and then attempts to exploit them from a set of data center IP addresses. Compromised devices are quickly monetized on specialized marketplaces.

See more
Security Week:
https://www.securityweek.com/threat-actor-turns-thousands-of-iot-devices-into-residential-proxies/

The Hackers News: https://thehackernews.com/2024/11/ngioweb-botnet-fuels-nsocks-residential.html

#cybersecurity #malware #ngioweb 

 China-Backed Hackers Leverage SIGTRAN, GSM Protocols to Infiltrate Telecom Networks

A new China-linked cyber espionage group has been attributed as behind a series of targeted cyber attacks targeting telecommunications entities in South Asia and Africa since at least 2020 with the goal of enabling intelligence collection.

Cybersecurity company CrowdStrike is tracking the adversary under the name Liminal Panda, describing it as possessing deep knowledge about telecommunications networks, the protocols that undergird telecommunications, and the various interconnections between providers.

The threat actor's malware portfolio includes bespoke tools that facilitate clandestine access, command-and-control (C2), and data exfiltration.

See more
The Hackers News: https://thehackernews.com/2024/11/china-backed-hackers-leverage-sigtran.html

Infosecurity magazine:
https://www.infosecurity-magazine.com/news/tmobile-breached-chinese/

#cybersecurity #c2 #hack #SaltTyphoon 

 NodeStealer Malware Targets Facebook Ad Accounts, Harvesting Credit Card Data

Threat hunters are warning about an updated version of the Python-based NodeStealer that's now equipped to extract more information from victims' Facebook Ads Manager accounts and harvest credit card data stored in web browsers.

"They collect budget details of Facebook Ads Manager accounts of their victims, which might be a gateway for Facebook malvertisement," Netskope Threat Labs researcher Jan Michael Alcantara said in a report shared with The Hacker News.

"New techniques used by NodeStealer include using Windows Restart Manager to unlock browser database files, adding junk code, and using a batch script to dynamically generate and execute the Python script."

See more: https://thehackernews.com/2024/11/nodestealer-malware-targets-facebook-ad.html

#cybersecurity #nodestealer #malware 

 Brave on iOS adds new "Shred" button to wipe site-specific data

Brave Browser 1.71 for iOS introduces a new privacy-focused feature called "Shred," which allows users to easily delete site-specific mobile browsing data.

Many sites use first-party cookies for paywall systems and usage limits, which technically enables user tracking across sessions and makes this data susceptible to sharing with third parties.

Brave's new Shred feature works on a per-site basis, meaning that it can wipe data from a single website without affecting others.

See more: https://www.bleepingcomputer.com/news/security/brave-on-ios-adds-new-shred-button-to-wipe-site-specific-data/

#cubersecurity #privacy #brave 

 Google's AI-Powered OSS-Fuzz Tool Finds 26 Vulnerabilities in Open-Source Projects

Google has revealed that its AI-powered fuzzing tool, OSS-Fuzz, has been used to help identify 26 vulnerabilities in various open-source code repositories, including a medium-severity flaw in the OpenSSL cryptographic library.

"These particular vulnerabilities represent a milestone for automated vulnerability finding: each was found with AI, using AI-generated and enhanced fuzz targets," Google's open-source security team said in a blog post shared with The Hacker News.

The OpenSSL vulnerability in question is CVE-2024-9143 (CVSS score: 4.3), an out-of-bounds memory write bug that can result in an application crash or remote code execution. The issue has been addressed in OpenSSL versions 3.3.3, 3.2.4, 3.1.8, 3.0.16, 1.1.1zb, and 1.0.2zl.

See more: https://thehackernews.com/2024/11/googles-ai-powered-oss-fuzz-tool-finds.html

#cybersecurity #fuzzing #ai 

 New Ghost Tap attack abuses NFC mobile payments to steal money

Cybercriminals have devised a novel method to cash out from stolen credit card details linked to mobile payment systems such as Apple Pay and Google Pay, dubbed 'Ghost Tap,' which relays NFC card data to money mules worldwide.

The tactic builds upon the methods previously deployed by mobile malware like NGate, documented by ESET in August, which involved relaying Near Field Communication (NFC) signals from payment cards.

Ghost Tap is more obfuscated and more challenging to detect, does not require the card or the victim's device, doesn't need continual victim interchange, and involves money mules on multiple remote locations interacting with Point of Sale (PoS) terminals.

See more:
BleepingComputer:
https://www.bleepingcomputer.com/news/security/new-ghost-tap-attack-abuses-nfc-mobile-payments-to-steal-money/

The Hacker News:
https://thehackernews.com/2024/11/ghost-tap-hackers-exploiting-nfcgate-to.html

#cybersecurity #ghosttap #malware 

 New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems

Cybersecurity researchers have shed light on a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus.

"Helldown deploys Windows ransomware derived from the LockBit 3.0 code," Sekoia said in a report shared with The Hacker News. "Given the recent development of ransomware targeting ESX, it appears that the group could be evolving its current operations to target virtualized infrastructures via VMware."

Helldown was first publicly documented by Halcyon in mid-August 2024, describing it as an "aggressive ransomware group" that infiltrates target networks by exploiting security vulnerabilities. Some of the prominent sectors targeted by the cybercrime group include IT services, telecommunications, manufacturing, and healthcare.

Like other ransomware crews, Helldown is known for leveraging data leak sites to pressure victims into paying ransoms by threatening to publish stolen data, a tactic known as double extortion. It's estimated to have attacked at least 31 companies within a span of three months.

The new 'Helldown' ransomware operation is believed to target vulnerabilities in Zyxel firewalls to breach corporate networks, allowing them to steal data and encrypt devices.

The Hacker News:
https://thehackernews.com/2024/11/new-helldown-ransomware-expands-attacks.html

BleepingComputer:
https://www.bleepingcomputer.com/news/security/helldown-ransomware-exploits-zyxel-vpn-flaw-to-breach-networks/

Infosecurity magazine:
https://www.infosecurity-magazine.com/news/helldown-ransomware-target-vmware/

#cybersecurity #helldown #ransomware 

 Known platforms were used to promote scammy or pirate content, see more:

Amazon and Audible flooded with 'forex trading' and warez listings: https://www.bleepingcomputer.com/news/security/amazon-and-audible-flooded-with-forex-trading-and-warez-listings/

Spotify abused to promote pirated software and game cheats: https://www.bleepingcomputer.com/news/security/spotify-abused-to-promote-pirated-software-and-game-cheats/

#cybersecurity #warez  

 The latest reported data breaches 👀

US space tech giant Maxar discloses employee data breach: https://www.bleepingcomputer.com/news/security/us-space-tech-giant-maxar-discloses-employee-data-breach/

Ford Investigating Potential Breach After Hackers Claim Data Theft: https://www.securityweek.com/ford-investigating-potential-breach-after-hackers-claim-data-theft/

Fintech giant Finastra investigates data breach after SFTP hack: https://www.bleepingcomputer.com/news/security/fintech-giant-finastra-investigates-data-breach-after-sftp-hack/

Cyberattack at French hospital exposes health data of 750,000 patients: https://www.bleepingcomputer.com/news/security/cyberattack-at-french-hospital-exposes-health-data-of-750-000-patients/

#cybersecurity #databreach 

 Hackers Hijack Unsecured Jupyter Notebooks to Stream Illegal Sports Broadcasts

Misconfigured data science environments have been targeted by threat actors for sports stream ripping, according to cloud security firm Aqua Security.

Honeypots operated by the company showed that cybercriminals are targeting misconfigured JupyterLab and Jupyter Notebook applications, which are web-based development environments for notebooks, code, and data.

Aqua Security believes that Jupyter solutions are typically used for data science by individuals who may lack awareness of common misconfigurations that can leave servers vulnerable to hackers. 

Shodan shows roughly 15,000 internet-exposed Jupyter servers and approximately 1% of them — including ones belonging to individuals and companies — allow remote code execution. 

See more
Security Week: https://www.securityweek.com/vulnerable-jupyter-servers-targeted-for-sports-piracy/

The Hackers News:
https://thehackernews.com/2024/11/hackers-hijack-unsecured-jupyter.html

Infosecurity magazine:
https://www.infosecurity-magazine.com/news/hijack-jupyter-servers-sport/

#cybersecurity #jupyternotebook 

 Oracle warns of Agile PLM file disclosure flaw exploited in attacks

Oracle has fixed an unauthenticated file disclosure flaw in Oracle Agile Product Lifecycle Management (PLM) tracked as CVE-2024-21287 (CVSS score: 7.5), which was actively exploited as a zero-day to download files.

Oracle Agile PLM is a software platform that enables businesses to manage product data, processes, and collaboration across global teams.

Yesterday, Oracle urged Agile PLM customers to install the latest version to fix the CVE-2024-21287 flaw.

"This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in file disclosure," warned Oracle.

See more:
BleepingComputer: https://www.bleepingcomputer.com/news/security/oracle-warns-of-agile-plm-file-disclosure-flaw-exploited-in-attacks/

The Hacker News:
https://thehackernews.com/2024/11/oracle-warns-of-agile-plm-vulnerability.html

SecurityWeek:
https://www.securityweek.com/oracle-patches-exploited-agile-plm-zero-day/

#cybersecurity #oracle #zeroday 

 Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities

Apple released emergency security updates to fix two zero-day vulnerabilities that were exploited in attacks on Intel-based Mac systems.

"Apple is aware of a report that this issue may have been exploited," the company said in an advisory issued on Tuesday.

The two bugs were found in the macOS Sequoia JavaScriptCore (CVE-2024-44308) and WebKit (CVE-2024-44309) components of macOS.

The JavaScriptCore CVE-2024-44308 flaw allows attackers to achieve remote code execution through maliciously crafted web content. The other flaw, CVE-2024-44309, allows cross-site scripting (CSS) attacks.

See more:
The Hacker News:
https://thehackernews.com/2024/11/apple-releases-urgent-updates-to-patch.html

BleepingComputer:
https://www.bleepingcomputer.com/news/security/apple-fixes-two-zero-days-used-in-attacks-on-intel-based-macs/

SecurityWeek:
https://www.securityweek.com/apple-confirms-zero-day-attacks-hitting-intel-based-macs/

Infosecurity magazine:
https://www.infosecurity-magazine.com/news/apple-security-update/

#cybersecurity #apple #zeroday 

 Ubuntu Linux impacted by decade-old 'needrestart' flaw that gives root

Five local privilege escalation (LPE) vulnerabilities have been discovered in the needrestart utility used by Ubuntu Linux, which was introduced over 10 years ago in version 21.04. It could allow a local attacker to gain root privileges without requiring user interaction.

The flaws were discovered by Qualys and are tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003. They were introduced in needrestart version 0.8, released in April 2014, and fixed only yesterday, in version 3.8.

Needrestart is a utility commonly used on Linux, including on Ubuntu Server, to identify services that require a restart after package updates, ensuring that those services run the most up-to-date versions of shared libraries.

See more
BleepingComputer: https://www.bleepingcomputer.com/news/security/ubuntu-linux-impacted-by-decade-old-needrestart-flaw-that-gives-root/

Infosecurity magazine:
https://www.infosecurity-magazine.com/news/5-privilege-escalation-flaws/

The Hacker News:
https://thehackernews.com/2024/11/decades-old-security-vulnerabilities.html


#cybersecurity #ubuntu

 

 New Stealthy BabbleLoader Malware Spotted Delivering WhiteSnake and Meduza Stealers

Cybersecurity researchers have shed light on a new stealthy malware loader called BabbleLoader that has been observed in the wild delivering information stealer families such as WhiteSnake and Meduza.

BabbleLoader is an "extremely evasive loader, packed with defensive mechanisms, that is designed to bypass antivirus and sandbox environments to deliver stealers into memory," Intezer security researcher Ryan Robinson said in a report published Sunday.

Evidence shows that the loader is being used in several campaigns targeting both English and Russian-speaking individuals, primarily singling out users looking for generic cracked software as well as business professionals in finance and administration by passing it off as accounting software.

See more: https://thehackernews.com/2024/11/new-stealthy-babbleloader-malware.html

#cybersecurity #malware 

 Critical RCE bug in VMware vCenter Server now exploited in attacks

Broadcom warned today that attackers are now exploiting two VMware vCenter Server vulnerabilities, one of which is a critical remote code execution flaw.

TZL security researchers reported the RCE vulnerability (CVE-2024-38812) during China's 2024 Matrix Cup hacking contest. It is caused by a heap overflow weakness in the vCenter's DCE/RPC protocol implementation and affects products containing vCenter, including VMware vSphere and VMware Cloud Foundation.

The other vCenter Server flaw now exploited in the wild (reported by the same researchers) is a privilege escalation flaw tracked as CVE-2024-38813 that enables attackers to escalate privileges to root with a specially crafted network packet.

See more
BleepingComputer: https://www.bleepingcomputer.com/news/security/critical-rce-bug-in-vmware-vcenter-server-now-exploited-in-attacks/

Security Week:
https://www.securityweek.com/vmware-discloses-exploitation-of-hard-to-fix-vcenter-server-flaw/

#cybersecurity #rce #exploit 

 Swiss Cyber Agency Warns of QR Code Malware in Mail Scam

A new malware campaign targeting Swiss residents through fake postal letters has been uncovered by the country’s National Cyber Security Centre (NCSC).

The scam involves fraudulent correspondence disguised as official communication from MeteoSwiss, the Federal Office of Meteorology and Climatology, urging recipients to scan a QR code and download a malicious weather app for Android devices.

The fake app, called “Severe Weather Warning App,” mimics the legitimate Alertswiss app but is labeled “AlertSwiss” with a slightly altered logo. Unlike the authentic app, which is available on the Google Play Store, the fraudulent version is hosted on an unverified third-party website.

Once installed, the app deploys a Coper Trojan variant to steal sensitive data, including banking credentials, and intercepts two-factor authentication (2FA) codes.

See more: https://www.infosecurity-magazine.com/news/swiss-cyberagency-qr-code-mail-scam/

#cybersecurity #malware 

 Ransomware Attack on Oklahoma Medical Center Impacts 133,000

Great Plains Regional Medical Center in Oklahoma is notifying over 133,000 individuals that their personal information was compromised in a ransomware attack.

The public, not-for-profit healthcare system discovered the attack on September 8, 2024, when ransomware was deployed, but the attackers had access to its systems for at least three days prior.

According to the medical center, the attackers accessed and encrypted certain files between September 5 and September 8, and exfiltrated information from its systems.

See more: https://www.securityweek.com/ransomware-attack-on-oklahoma-medical-center-impacts-133000/

#cybersecurity #databreach 

 AnnieMac Data Breach Impacts 171,000 People

New Jersey-based mortgage loan provider AnnieMac Home Mortgage (American Neighborhood Mortgage Acceptance Company) is informing many individuals of a recent data breach.

In notification letters to impacted individuals, AnnieMac revealed that it detected suspicious activity on some systems on August 23, 2024.

An investigation showed that hackers had access to its systems between August 21 and August 23, and they viewed and/or copied files containing personal information. The compromised information includes names and Social Security numbers.

See more: https://www.securityweek.com/anniemac-data-breach-impacts-171000-people/

#cybersecurity #databreach 

 Fortinet VPN Zero-Day Exploited in Malware Attacks Remains Unpatched: Report

The recently detailed DeepData malware framework was caught exploiting a zero-day vulnerability in the Fortinet VPN client for Windows to steal credentials, cybersecurity firm Volexity reports.

DeepData is a surveillance framework that relies on multiple plugins to target sensitive information stored in browsers, communication applications, and password managers, and which can record audio using the system’s microphone.

According to BlackBerry, both DeepData and the LightSpy iOS malware have been used by China-lined advanced persistent threat (APT) actor APT41 to spy on journalists, politicians, and political activists in Southeast Asia.

On Friday, Volexity revealed that DeepData was seen targeting Fortinet’s Windows VPN client to extract usernames, passwords, and other information from the process’ memory, by exploiting a zero-day vulnerability.

See more: https://www.securityweek.com/fortinet-vpn-zero-day-exploited-in-malware-attacks-remains-unpatched-report/

#cybersecurity #malware #zeroday

nostr:nevent1qqs97rpez3s0sjds4et5twsr344sqtazj8hn7hce4l9xfmaa0nfylasppemhxue69uhkummn9ekx7mp0qgspdlfx7qq9fanp28rt67f9ahh5zkrpqwh3n4z9lylkda0zfv6yy7srqsqqqqqpg3m0h0 

 Gmail's New Shielded Email Feature Lets Users Create Aliases for Email Privacy

Google appears to be readying a new feature called Shielded Email that allows users to create email aliases when signing up for online services and better combat spam.

The feature was first reported by Android Authority last week following a teardown of the latest version of Google Play Services for Android.

The idea is to create unique, single-use email addresses that forward the messages to the associated primary account, thereby preventing the need for providing the real email address when filling out forms or registering for new services online.

See more: https://thehackernews.com/2024/11/shielded-email-googles-latest-tool-for.html

#cybersecurity #privacy #gmail 

 Palo Alto Networks patches two firewall zero-days used in attacks

Palo Alto Networks has finally released security updates for two actively exploited zero-day vulnerabilities in its Next-Generation Firewalls (NGFW).

The first flaw, tracked as CVE-2024-0012, is an authentication bypass found in the PAN-OS management web interface that remote attackers can exploit to gain administrator privileges without requiring authentication or user interaction.

The second one (CVE-2024-9474) is a PAN-OS privilege escalation security flaw that allows malicious PAN-OS administrators to perform actions on the firewall with root privileges.

While CVE-2024-9474 was disclosed today, the company first warned customers on November 8 to restrict access to their next-generation firewalls because of a potential RCE flaw tagged last Friday as CVE-2024-0012.

See more
Bleeping Computer: https://www.bleepingcomputer.com/news/security/palo-alto-networks-patches-two-firewall-zero-days-used-in-attacks/

Security Week:
https://www.securityweek.com/palo-alto-networks-releases-iocs-for-new-firewall-zero-day/  

 Fake Discount Sites Exploit Black Friday to Hijack Shopper Information

A new phishing campaign is targeting e-commerce shoppers in Europe and the United States with bogus pages that mimic legitimate brands with the goal of stealing their personal information ahead of the Black Friday shopping season.

"The campaign leveraged the heightened online shopping activity in November, the peak season for Black Friday discounts. The threat actor used fake discounted products as phishing lures to deceive victims into providing their Cardholder Data (CHD) and Sensitive Authentication Data (SAD) and Personally Identifiable Information (PII)," EclecticIQ said.

The activity, first observed in early October 2024, has been attributed with high confidence to a Chinese financially motivated threat actor codenamed SilkSpecter. Some of the impersonated brands include IKEA, L.L.Bean, North Face, and Wayfare.

See more: https://thehackernews.com/2024/11/fake-discount-sites-exploit-black.html

#cybersecurity #phishing 

 Phishing emails increasingly use SVG attachments to evade detection

Threat actors increasingly use Scalable Vector Graphics (SVG) attachments to display phishing forms or deploy malware while evading detection.

Most images on the web are JPG or PNG files, which are made of grids of tiny squares called pixels. Each pixel has a specific color value, and together, these pixels form the entire image.

SVG, or Scalable Vector Graphics, displays images differently, as instead of using pixels, the images are created through lines, shapes, and text described in textual mathematical formulas in the code.

See more: https://www.bleepingcomputer.com/news/security/phishing-emails-increasingly-use-svg-attachments-to-evade-detection/

#cybersecurity #phishing #svg 

 T-Mobile confirms it was hacked in recent wave of telecom breaches

T-Mobile confirms it was hacked in the wave of recently reported telecom breaches conducted by Chinese threat actors to gain access to private communications, call records, and law enforcement information requests.

"T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information," T-Mobile told the Wall Street Journal, which first reported about the breach.

T-Mobile shared a similar statement with BleepingComputer, stating it has found no evidence of any customer data being accessed or exfiltrated.

See more
Bleeping Computer: https://www.bleepingcomputer.com/news/security/t-mobile-confirms-it-was-hacked-in-recent-wave-of-telecom-breaches/

Security Week:
https://www.securityweek.com/t-mobile-also-targeted-in-chinese-telecom-hacking-campaign/

#cybersecurity #hack 

 GitHub projects targeted with malicious commits to frame researcher

GitHub projects have been targeted with malicious commits and pull requests, in an attempt to inject backdoors into these projects.

Most recently, the GitHub repository of Exo Labs, an AI and machine learning startup, was targeted in the attack, which has left many wondering about the attacker's true intentions.
 https://www.bleepingcomputer.com/news/security/github-projects-targeted-with-malicious-commits-to-frame-researcher/

#cybersecurity #backdoors #malware 

 Sentry just gave $750k to open source projects

"Sentry started out as an Open Source side project in 2008. Today we are a Fair Source company with 100,000+ organizations on our SaaS and $100M+ ARR, but we have not forgotten our roots nor the hundreds of Open Source maintainers whose work we depend on for our success. Every year we share our success with the community, and 2024 is no different. This year, our budget is $750,000, up 50% from last year.

The big news this year is that, together with dozens of other companies, we launched the Open Source Pledge. It’s great that Sentry pays maintainers, but we can’t solve the Open Source sustainability crisis by ourselves. The good news is that we’re not alone. Through the Pledge, many other companies are also stepping up to the plate, paying maintainers at least $2,000 per year per dev on staff and blogging about it annually to drive awareness and accountability."

See more: https://blog.sentry.io/we-just-gave-750-000-dollars-to-open-source-maintainers/

#opensource  

 Botnet exploits GeoVision zero-day to install Mirai malware

A malware botnet is exploiting a zero-day vulnerability in end-of-life GeoVision devices to compromise and recruit them for likely DDoS or cryptomining attacks.

The flaw is tracked as CVE-2024-11120 and was discovered by Piort Kijewski of The Shadowserver Foundation. It is a critical severity (CVSS v3.1 score: 9.8) OS command injection problem, allowing unauthenticated attackers to execute arbitrary system commands on the device.

"Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device," warns Taiwan's CERT.

"Moreover, this vulnerability has already been exploited by attackers, and we have received related reports."

See more: https://www.bleepingcomputer.com/news/security/botnet-exploits-geovision-zero-day-to-install-mirai-malware/

#cybersecurity #malware #zeroday 

 These 8 Apps on Google Play Store Contain Android/FakeApp Trojan

Russian cybersecurity firm Dr. Web has exposed several Android apps on the Google Play Store that contain a sophisticated trojan, Android[.]FakeApp[.]1669 (also known as Android/FakeApp).

These apps, which claim to provide practical functions like financial tools, planners, and recipe books; contain a hidden payload that redirects users to unwanted websites, compromising their data. What’s worse, more than 2 million users have downloaded these infected apps from Google Play, unaware of the threat.

Malware on the official Google Play Store is nothing new. In fact, reports from last month indicate a rise in malicious apps on both the Apple App Store and Google Play Store.

See more: https://hackread.com/google-play-store-apps-android-fakeapp-trojan/

#cybersecurity #android #malware 

 Summary of noteworthy news from the last week by SecurityWeek!

TSA proposes new cyber rules for pipelines and railroads, Google adds scam call detection to Android, SIM swappers arrested in US, and more...

See more: https://www.securityweek.com/in-other-news-tsa-wants-new-cyber-rules-scam-call-detection-in-android-sim-swappers-arrested/

#cybersecurity #news 

 Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations

Cybersecurity researchers have shed light on a new remote access trojan and information stealer used by Iranian state-sponsored actors to conduct reconnaissance of compromised endpoints and execute malicious commands.

Cybersecurity company Check Point has codenamed the malware WezRat, stating it has been detected in the wild since at least September 1, 2023, based on artifacts uploaded to the VirusTotal platform.

"WezRat can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files," it said in a technical report. "Some functions are performed by separate modules retrieved from the command and control (C&C) server in the form of DLL files, making the backdoor's main component less suspicious."

WezRat is assessed to be the work of Cotton Sandstorm, an Iranian hacking group that's better known under the cover names Emennet Pasargad and, more recently, Aria Sepehr Ayandehsazan (ASA).

See more: https://thehackernews.com/2024/11/iranian-hackers-deploy-wezrat-malware.html

#cybersecurity #malware #trojan 

 NSO Group used another WhatsApp zero-day after being sued, court docs say

Israeli surveillance firm NSO Group reportedly used multiple zero-day exploits, including an unknown one named "Erised," that leveraged WhatsApp vulnerabilities to deploy Pegasus spyware in zero-click attacks, even after getting sued.

Pegasus is NSO Group's spyware platform (marketed as surveillance software for governments worldwide), with multiple software components that provide customers with extensive surveillance capabilities over victims' compromised devices. For instance, NSO customers could monitor the victims' activity and extract information using the Pegasus agent installed on the victims' mobile phones.

See more: https://www.bleepingcomputer.com/news/security/nso-group-used-another-whatsapp-zero-day-after-being-sued-court-docs-say/

#cybersecurity #spyware #privacy 

 Researchers Warn of Privilege Escalation Risks in Google's Vertex AI ML Platform

Cybersecurity researchers have disclosed two security flaws in Google's Vertex machine learning (ML) platform that, if successfully exploited, could allow malicious actors to escalate privileges and exfiltrate models from the cloud.

"By exploiting custom job permissions, we were able to escalate our privileges and gain unauthorized access to all data services in the project," Palo Alto Networks Unit 42 researchers Ofir Balassiano and Ofir Shaty said in an analysis published earlier this week.

"Deploying a poisoned model in Vertex AI led to the exfiltration of all other fine-tuned models, posing a serious proprietary and sensitive data exfiltration attack risk."

Vertex AI is Google's ML platform for training and deploying custom ML models and artificial intelligence (AI) applications at scale. It was first introduced in May 2021.

See more: https://thehackernews.com/2024/11/researchers-warn-of-privilege.html

#cybersecurity #vertexai 

 Fraud network uses 4,700 fake shopping sites to steal credit cards

A financially motivated Chinese threat actor dubbed "SilkSpecter" is using thousands of fake online stores to steal the payment card details of online shoppers in the U.S. and Europe.

The fraud campaign started in October 2024, offering steep discounts for the upcoming Black Friday shopping period that usually sees elevated shopping activity.

EclecticIQ threat researcher Arda Buyukkaya, who discovered the campaign, told BleepingComputer that, as of the publishing of their report, SilkSpecter operates 4,695 fraudulent domains.

These sites impersonate well-known brands such as the North Face, Lidl, Bath & Body Works, L.L. Bean, Wayfair, Makita, IKEA, and Gardena.

See more: https://www.bleepingcomputer.com/news/security/fraud-network-uses-4-700-fake-shopping-sites-to-steal-credit-cards/

#cybersecurity #phishing 

 watchTowr Finds New Zero-Day Vulnerability in Fortinet Products

Attack surface management provider watchTowr claims to have found a new zero-day vulnerability in cybersecurity provider Fortinet’s products.

This flaw would allow a managed FortiGate device to elevate privileges and seize control of the FortiManager instance.

This vulnerability, which carries a common vulnerability severity score (CVSS) of 9.8, is actively exploited in the wild, sometimes together with CVE-2024-23113.

It allows threat actors to use a compromised FortiManager device to execute arbitrary code or commands against other FortiManager devices. 

See more: https://www.infosecurity-magazine.com/news/watchtowr-new-vulnerability/

#cybersecurity #fortinet 

 ChatGPT allows access to underlying sandbox OS, “playbook” data

OpenAI's ChatGPT platform provides a great degree of access to the LLM's sandbox, allowing you to upload programs and files, execute commands, and browse the sandbox's file structure.

The ChatGPT sandbox is an isolated environment that allows users to interact with the it securely while being walled off from other users and the host servers.

It does this by restricting access to sensitive files and folders, blocking access to the internet, and attempting to restrict commands that can be used to exploit flaws or potentially break out of the sandbox.

Marco Figueroa of Mozilla's 0-day investigative network, 0DIN, discovered that it's possible to get extensive access to the sandbox, including the ability to upload and execute Python scripts and download the LLM's playbook. 

See more: https://www.bleepingcomputer.com/news/artificial-intelligence/chatgpt-allows-access-to-underlying-sandbox-os-playbook-data/

#cybersecurity #chatgpt 

 Critical Plugin Flaw Exposed 4 Million WordPress Websites to Takeover

A critical-severity vulnerability in the Really Simple Security plugin for WordPress potentially exposed four million websites to complete takeover, WordPress security firm Defiant warns.

Tracked as CVE-2024-10924 (CVSS score of 9.8), the issue is described as an authentication bypass that allows an unauthenticated attacker to log in as any user, including an administrator.

According to Defiant, the security defect exists because of an improper user check error handling in the plugin’s two-factor REST API action. Specifically, the bug is triggered if two-factor authentication (2FA) is enabled.

See more: https://www.securityweek.com/critical-plugin-flaw-exposed-4-million-wordpress-websites-to-takeover/

#cybersecurity #wordpress 

 Vietnamese Hacker Group Deploys New PXA Stealer Targeting Europe and Asia

A Vietnamese-speaking threat actor has been linked to an information-stealing campaign targeting government and education entities in Europe and Asia with a new Python-based malware called PXA Stealer.

The malware "targets victims' sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software," Cisco Talos researchers Joey Chen, Alex Karkins, and Chetan Raghuprasad said.

"PXA Stealer has the capability to decrypt the victim's browser master password and uses it to steal the stored credentials of various online accounts"

See more: https://thehackernews.com/2024/11/vietnamese-hacker-group-deploys-new-pxa.html

#cybersecurity #malware 

 Palo Alto Networks warns of critical RCE zero-day exploited in attacks

Palo Alto Networks is warning that a critical zero-day vulnerability on Next-Generation Firewalls (NGFW) management interfaces, currently tracked as 'PAN-SA-2024-0015,' is actively being exploited in attacks.

The flaw was originally disclosed on November 8, 2024, with Palo Alto Networks warning customers to restrict access to their next-generation firewalls because of a "potential" remote code execution (RCE) vulnerability impacting them.

No signs of exploitation were detected at that time, but now, one week later, the situation has changed.

See more: https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-critical-rce-zero-day-exploited-in-attacks/

#cybersecurity #rce #zeroday

nostr:nevent1qqsft2dh06hte2n8zqw4ncjs3vkpukq5f7y3dr63yx0lx34mk52tmuspz4mhxue69uhkummnw3ezummcw3ezuer9wchsygqkl5n0qqz57es4r34a0yj7mm6ptpss8tce63zlj0mx7h3ykdzz0gpsgqqqqqqs3y406q 

 Known Brand, Government Domains Hijacked via Sitting Ducks Attacks

Tens of thousands of domains, including those of well-known brands, non-profits, and government entities, have been hijacked over the past five years because DNS providers failed to properly verify domain ownership, cybersecurity firm Infoblox reports.

The issue was initially disclosed in late July, when Eclypsium and Infoblox said that roughly 35,000 domains had been hijacked since 2018 by abusing the weakness as part of so-called Sitting Ducks attacks.

However, that was just the tip of the iceberg, Infoblox says in a new report. Further investigation into this configuration-oriented attack vector has revealed that at least 800,000 domains could be hijacked, and that 70,000 have already fallen victim to attackers.

Sitting Ducks poses a threat to both businesses and their users, Infoblox warns. The attacks cause reputational damage and financial losses, and could lead to malware infections, credential theft, and fraud.
 https://www.securityweek.com/known-brand-government-domains-hijacked-via-sitting-ducks-attacks/

#cybersecurity #dns 

 New Glove infostealer malware bypasses Chrome’s cookie encryption

A newly identified information stealer can bypass the App-Bound Encryption mechanism in Chromium-based browsers, cybersecurity software provider Gen Digital reports.

Written in .NET and dubbed Glove Stealer, the malware targets multiple browsers and extensions to exfiltrate sensitive information such as cookies and credentials, along with data from cryptocurrency wallets, authenticators, password managers, email clients, and other applications.

What makes Glove Stealer stand out from the crowd, however, is its ability to bypass Application-Bound (App-Bound) Encryption, the cookie protection mechanism that was introduced in Chrome 127 to prevent their theft.

See more:
Bleeping Computer https://www.bleepingcomputer.com/news/security/new-glove-infostealer-malware-bypasses-google-chromes-cookie-encryption/

Security Week: https://www.securityweek.com/glove-stealer-malware-bypasses-chromes-app-bound-encryption/

#cybersecurity #malware 

 High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables

Cybersecurity researchers have disclosed a high-severity security flaw in the PostgreSQL open-source database system that could allow unprivileged users to alter environment variables, and potentially lead to code execution or information disclosure.

The vulnerability, tracked as CVE-2024-10979, carries a CVSS score of 8.8.

Environment variables are user-defined values that can allow a program to dynamically fetch various kinds of information, such as access keys and software installation paths, during runtime without having to hard-code them. In certain operating systems, they are initialized during the startup phase.

See more
The Hackers News: https://thehackernews.com/2024/11/high-severity-flaw-in-postgresql-allows.html

Hackread:
https://hackread.com/postgresql-vulnerability-puts-databases-at-risk/

#cybersecurity #postgres 

 CISA Flags Two Actively Exploited Palo Alto Flaws; New RCE Attack Confirmed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday warned that two more flaws impacting the Palo Alto Networks Expedition software have come under active exploitation in the wild.

To that end, it has added the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to apply the necessary updates by December 5, 2024.

The security flaws:
- CVE-2024-9463 (CVSS score: 9.9) - Palo Alto Networks Expedition OS Command Injection Vulnerability
- CVE-2024-9465 (CVSS score: 9.3) - Palo Alto Networks Expedition SQL Injection Vulnerability

See more
The Hackers News https://thehackernews.com/2024/11/cisa-flags-critical-palo-alto-network.html

Bleeping Computer: https://www.bleepingcomputer.com/news/security/cisa-warns-of-more-palo-alto-networks-bugs-exploited-in-attacks/

#cybersecurity #injection 

 Low-Code, High Risk: Millions of Records Exposed via Misconfigured Microsoft Power Pages

Researchers have discovered multiple misconfigured implementations of Microsoft Power Pages, and suspect the problem may be widespread.

The problem is purely a configuration issue, and not a Microsoft issue. In fact, the MS product displays numerous banner warnings when it notes potential configuration concerns. What Microsoft cannot do is ensure that its users respond to the warnings. 

Since the problems are not down to Microsoft code, but the users’ use of that code, AppOmni has not reported its findings directly to Microsoft because there is nothing for Microsoft to fix. The firm has however, reported its findings to all the affected companies it has discovered – and all the discovered misconfigurations have now been fixed.

See more: https://www.securityweek.com/low-code-high-risk-millions-of-records-exposed-via-misconfigured-microsoft-power-pages/

#cybersecurity 

 The true (and surprising) cost of forgotten passwords

Password resets are expensive because their hidden costs can quickly add up.

When an employee forgets their password, there are some obvious expenses — for example, the time your help desk employee needs to verify the user’s identity and implement the reset.

Research from Forrester estimates the average password reset cost is $70, including direct (IT staff time) and indirect costs (lost productivity). That means if you handle IT for a mid-sized organization with 1,000 employees, and each employee only needs a password reset two times a year, you could be spending $140,000 annually on password resets.


See more: https://www.bleepingcomputer.com/news/security/the-true-and-surprising-cost-of-forgotten-passwords/

#cybersecurity #passwords 

 Hamas-Affiliated WIRTE Employs SameCoin Wiper in Disruptive Attacks Against Israel

A threat actor affiliated with Hamas has expanded its malicious cyber operations beyond espionage to carry out disruptive attacks that exclusively target Israeli entities.

The activity, linked to a group called WIRTE, has also targeted the Palestinian Authority, Jordan, Iraq, Saudi Arabia, and Egypt, Check Point said in an analysis.

APT (advanced persistent threat) Wirte is doing double duty, adding all manner of supplemental malware to gain access, eavesdrop, and wipe data, depending on the target.

See more
The Hackers News https://thehackernews.com/2024/11/hamas-affiliated-wirte-employs-samecoin.html

Dark Reading
https://www.darkreading.com/threat-intelligence/hamas-hackers-spy-mideast-govts-disrupt-israel

#cybersecurity 

 Leaked info of 122 million linked to B2B data aggregator breach

The business contact information for 122 million people circulating since February 2024 is now confirmed to have been stolen from a B2B demand generation platform.

The data comes from DemandScience (formerly Pure Incubation), a B2B demand generation company that aggregates data.

Data aggregation is the process of collecting, compiling, and organizing data from public sources to create a comprehensive dataset valuable for digital marketers and advertisers in creating rich "profiles" used to generate leads or marketing information.

In the case of DemandScience, the firm collected business data from public sources and third parties, including full names, physical addresses, email addresses, telephone numbers, job titles and functions, and social media links.

See more: https://www.bleepingcomputer.com/news/security/leaked-info-of-122-million-linked-to-b2b-data-aggregator-breach/

#cybersecurity #databreach 

 New Google Pixel AI feature analyzes phone conversations for scams

Google is adding a new AI-powered scam protection feature that monitors phone call conversations on Google Pixel devices to detect patterns that warn when the caller may be a scammer.

Although all processing happens on the device, Google has opted to keep the feature off by default, allowing users to activate it through the Phone app settings or even during a particular call.

Google has also added a new real-time protection feature to Google Play Protect that detects when unsafe apps are found on Google Play.

The scanning and detection process is handled locally on the device through Android's Private Computer Core to protect users' privacy.

See more: https://www.bleepingcomputer.com/news/google/new-google-pixel-ai-feature-analyzes-phone-conversations-for-scams/

#cybersecurity #android 

 Microsoft patches Windows zero-day exploited in attacks on Ukraine

Suspected Russian hackers were caught exploiting a recently patched Windows vulnerability as a zero-day in ongoing attacks targeting Ukrainian entities.

The security flaw (CVE-2024-43451) is an NTLM Hash Disclosure spoofing vulnerability reported by ClearSky security researchers, which can be exploited to steal the logged-in user's NTLMv2 hash by forcing connections to a remote attacker-controlled server.

"Minimal interaction with a malicious file by a user such as selecting (single-click), inspecting (right-click), or performing an action other than opening or executing could trigger this vulnerability.

See more: https://www.bleepingcomputer.com/news/security/microsoft-patches-windows-zero-day-exploited-in-attacks-on-ukraine/

#cybersecurity #patches #zeroday 

 Hive0145 Targets Europe with Advanced Strela Stealer Campaigns

Ongoing campaigns by cybercriminal group Hive0145 have launched a series of attacks across Europe, deploying the sophisticated Strela Stealer malware to steal sensitive email credentials.

IBM X-Force researchers reported in a new advisory today that this wave primarily targets Spain, Germany and Ukraine, and employs stolen, authentic invoices in phishing emails to deceive recipients and boost infection success.

See more: 
https://www.infosecurity-magazine.com/news/hive0145-targets-eu-strela-stealer/
 

 Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims

Romanian cybersecurity company Bitdefender has released a free decryptor to help victims recover data encrypted using the ShrinkLocker ransomware.

The decryptor is the result of a comprehensive analysis of ShrinkLocker's inner workings, allowing the researchers to discover a "specific window of opportunity for data recovery immediately after the removal of protectors from BitLocker-encrypted disks."

ShrinkLocker was first documented in May 2024 by Kaspersky, which found the malware's use of Microsoft's native BitLocker utility for encrypting files as part of extortion attacks targeting Mexico, Indonesia, and Jordan.

See more
The Hackers News: https://thehackernews.com/2024/11/free-decryptor-released-for-bitlocker.html

Bleeping Computer:
https://www.bleepingcomputer.com/news/security/new-shrinklocker-ransomware-decryptor-recovers-bitlocker-password/

Hackread:
https://hackread.com/bitdefender-shrinklocker-ransomware-decryptor-tool/

#cybersecurity #ransomware 

 Free Decryptor Released for BitLocker-Based ShrinkLocker Ransomware Victims

Intel and AMD have published November 2024 Patch Tuesday security advisories to inform customers about vulnerabilities found recently in their products.  

Intel has released 44 new advisories for over 80 vulnerabilities, including more than 20 high-severity issues.

AMD published eight new advisories on Tuesday. Four of them cover incorrect default permissions vulnerabilities discovered by a researcher who uses the online moniker ‘Pwni’ in HIP SD, Cloud Manageability Service (ACMS), Ryzen Master Monitoring SDK and Ryzen Master Utility, and Provisioning Console.

See more: https://thehackernews.com/2024/11/free-decryptor-released-for-bitlocker.html

#cybersecurity #patches 

 Ivanti Patches 50 Vulnerabilities Across Several Products

IT software company Ivanti on Tuesday announced patches for close to 50 vulnerabilities, including eight critical-severity bugs in Connect Secure, Policy Secure, and Endpoint Manager.

The critical issues, tracked as CVE-2024-38655, CVE-2024-38656, CVE-2024-39710 to CVE-2024-39712, and CVE-2024-11005 to CVE-2024-11007, are described as argument and command injection flaws that could allow authenticated attackers with administrator privileges to achieve remote code execution (RCE).

See more: https://www.securityweek.com/ivanti-patches-50-vulnerabilities-across-several-products/

#cybersecurity 

 High-Severity Vulnerabilities Patched in Zoom and Chrome 

Zoom and Chrome security updates released on Tuesday patch over a dozen vulnerabilities affecting users across desktop platforms.

Zoom announced fixes for six security defects, including two high-severity issues that could allow remote attackers to escalate privileges or leak sensitive information.

Google announced the promotion of Chrome 131 to the stable channel with patches for 12 vulnerabilities, including eight reported by external researchers.

The most severe of the externally reported flaws is a high-severity inappropriate implementation bug in Blink, tracked as CVE-2024-11110, which was reported last month.

See more: https://www.securityweek.com/high-severity-vulnerabilities-patched-in-zoom-chrome/

#cybersecurity #patches 

 Chinese Hackers Target Tibetan Websites in Malware Attack, Cybersecurity Group Says

A hacking group that is believed to be Chinese state-sponsored has compromised two websites with ties to the Tibetan community in an attack meant to install malware on users’ computers, according to findings released Wednesday by a private cybersecurity firm.

The hack of the Tibet Post and Gyudmed Tantric University websites appears geared toward obtaining access to the computers of people visiting to obtain information on them and their activities, according to the analysis by the Insikt Group, the threat research division of the Massachusetts-based cybersecurity consultancy Recorded Future.

See more: https://www.securityweek.com/chinese-hackers-target-tibetan-websites-in-malware-attack-cybersecurity-group-says/

#cybersecurity #malware 

 Signal introduces convenient "call links" for private group chats

The Signal messenger application has announced a set of new features aimed at making private group chats more convenient and easier for people to join.

The highlight feature announced is "call links," which allow users to create and share links with other Signal users without needing to create a group chat.

The links can be created from the new "calls" tab in the Signal app and then shared with contacts with a single tap/click.

Users can control who joins the secure group chats by requiring admin approval when a new join request is created, so the host can approve or decline them.

See more: https://www.bleepingcomputer.com/news/software/signal-introduces-convenient-call-links-for-private-group-chats/

#privacy #signal 

 TA455’s Iranian Dream Job Campaign Targets Aerospace with Malware

A complex phishing campaign attributed to the Iranian-linked threat actor TA455, has been observed using sophisticated techniques to impersonate job recruiters on LinkedIn and other platforms.

ClearSky Cyber Security released the report today, which outlines TA455’s methods, targets and infrastructure.

The campaign, active since at least September 2023, begins with a spear phishing approach in which TA455 lures individuals with fake job offers. Using LinkedIn to gain trust, the attackers prompt victims to download a ZIP file titled “SignedConnection.zip,” which was flagged as malicious by five antivirus engines.

This ZIP file contains an EXE file designed to load malware into the victim’s system through DLL side-loading, where a malicious DLL file called “secur32[.]dll” is loaded instead of a legitimate one, allowing the attacker to run undetected code within a trusted process.

See more
Infosecurity magazine: https://www.infosecurity-magazine.com/news/ta455s-iranian-dream-job-campaign/

The Hackers News:
https://thehackernews.com/2024/11/iranian-hackers-use-dream-job-lures-to.html

#cybersecurity #phishing #malware 

 D-Link won’t fix critical bug in 60,000 exposed EoL modems

Tens of thousands of exposed D-Link routers that have reached their end-of-life are vulnerable to a critical security issue that allows an unauthenticated remote attacker to change any user's password and take complete control of the device.

The vulnerability was discovered in the D-Link DSL6740C modem by security researcher Chaio-Lin Yu (Steven Meow), who reported it to Taiwan’s computer and response center (TWCERTCC).

It is worth noting that the device was not available in the U.S. and reached end-of-service (EoS) phase at the beginning of the year.

See more: https://www.bleepingcomputer.com/news/security/d-link-wont-fix-critical-bug-in-60-000-exposed-eol-modems/

#cybersecurity #dlink

nostr:nevent1qqsdepw3x9z978x4smw0ell7l574h4qcdd6u4ape287kkmtcavn67zspzpmhxue69uhkummnw3ezumt0d5hsygqkl5n0qqz57es4r34a0yj7mm6ptpss8tce63zlj0mx7h3ykdzz0gpsgqqqqqqs7x8rk2 

 Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws

Today is Microsoft's November 2024 Patch Tuesday, which includes security updates for 91 flaws, including four zero-days, two of which are actively exploited.

This Patch Tuesday fixed four critical vulnerabilities, which include two remote code execution and two elevation of privileges flaws.

See more
Bleeping Computer: https://www.bleepingcomputer.com/news/microsoft/microsoft-november-2024-patch-tuesday-fixes-4-zero-days-91-flaws/

SecurityWeek:
https://www.securityweek.com/microsoft-confirms-zero-day-exploitation-of-task-scheduler-flaw/

The Hackers News:
https://thehackernews.com/2024/11/microsoft-fixes-90-new-vulnerabilities.html

#cybersecurity #zeroday 

 SAP Patches High-Severity Vulnerability in Web Dispatcher

Enterprise software maker SAP on Tuesday announced the release of eight new and two updated security notes as part of its November 2024 security updates.

Marked as ‘high priority’, the second most severe rating in SAP’s playbook, the most important of these notes resolves a high-severity vulnerability in Web Dispatcher, the appliance that distributes incoming requests to the adequate SAP instances.

In its advisory, SAP describes the security defect, which is tracked as CVE-2024-47590 (CVSS score of 8.8), as a cross-site scripting (XSS) bug.

According to enterprise security firm Onapsis, the flaw can be exploited by unauthenticated attackers by creating a malicious page to execute content in the victim’s browser. The vulnerability can be exploited for both XSS and server-side request forgery (SSRF) attacks, leading to remote code execution on the server

See more: https://www.securityweek.com/sap-patches-high-severity-vulnerability-in-web-dispatcher/

#cybersecurity #sap #patches 

 Volt Typhoon rebuilds malware botnet following FBI disruption

The Chinese state-sponsored hacking group Volt Typhoon has begun to rebuild its "KV-Botnet" malware botnet after it was disrupted by law enforcement in January, according to researchers from SecurityScorecard.

Volt Typhoon is a Chinese state-sponsored cyberespionage threat group that is believed to have infiltrated critical U.S. infrastructure, among other networks worldwide, since at least five years ago.

Their primary strategy involves hacking SOHO routers and networking devices, such as Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras, to install custom malware that establishes covert communication and proxy channels and maintain persistent access to targeted networks.

In January 2024, the U.S. authorities announced the disruption of Volt Typhoon's botnet, which involved wiping malware from infected routers.

See more: https://www.bleepingcomputer.com/news/security/volt-typhoon-rebuilds-malware-botnet-following-fbi-disruption/

#cybersecurity #malware 

 New GitLoker-Linked GoIssue Tool Targets GitHub Users for Phishing

SlashNext researchers have discovered a new, sophisticated phishing tool GoIssue targeting GitHub developers. Learn about its capabilities, the impact in case of successful attacks, and how to protect yourself from this growing threat.

Cybersecurity researchers at SlashNext have identified a new threat called GoIssue. This advanced tool, possibly linked to the GitLoker extortion campaign, enables attackers to carry out large-scale phishing attacks aimed at GitHub users.

According to SlashNext’s investigation, shared with Hackread[.]com ahead of publishing on Tuesday, GoIssue can also harvest email addresses from public GitHub profiles.

See more: https://hackread.com/gitloker-goissue-tool-targets-github-phishing-users/

#cybersecurity #phishing 

 New Citrix Zero-Day Vulnerability Allows Remote Code Execution

A new zero-day vulnerability in Citrix’s Session Recording Manager can be exploited to enable unauthenticated remote code execution (RCE) against Citrix Virtual Apps and Desktops, according to watchTowr.

The attack surface management provider investigated the architecture behind Citrix’s Session Recording Manager, a feature that provides a record of user activity to help with audits, detecting unusual behavior and troubleshooting problems.

See more: https://www.infosecurity-magazine.com/news/new-citrix-zeroday-vulnerability/

#cybersecurity #citrix #zeroday #rce 

 North Korean Hackers Target macOS Using Flutter-Embedded Malware

Threat actors with ties to the Democratic People's Republic of Korea (DPRK aka North Korea) have been found embedding malware within Flutter applications, marking the first time this tactic has been adopted by the adversary to infect Apple macOS devices.

Jamf Threat Labs, which made the discovery based on artifacts uploaded to the VirusTotal platform earlier this month, said the Flutter-built applications are part of a broader activity that includes malware written in Golang and Python.

It's currently not known how these samples are distributed to victims, and if it has been used against any targets, or if the attackers are switching to a new delivery method. That said, North Korean threat actors are known to engage in extensive social engineering efforts targeting employees of cryptocurrency and decentralized finance businesses.

See more: https://thehackernews.com/2024/11/north-korean-hackers-target-macos-using.html

#cybersecurity #malware #flutter 

 iPhones now auto-restart to block access to encrypted data after long idle times

Apple has added a new security feature with the iOS 18.1 update released last month to ensure that iPhones automatically reboot after long idle periods to re-encrypt data and make it harder to extract.

While the company has yet to officially confirm this new "inactivity reboot" feature, law enforcement officers were the first to discover it after observing suspects' iPhones restarting while in police custody, as first reported by 404 Media.

This switches the idle devices from an After First Unlock (AFU) state to a Before First Unlock (BFU) state, where the devices are more challenging to break using forensic phone unlocking tools.

See more: https://www.bleepingcomputer.com/news/security/iphones-now-auto-restart-to-block-access-to-encrypted-data-after-long-idle-times/

#cybersecurity #ios 

 Microsoft Visio Files Used in Sophisticated Phishing Attacks

"A surge in two-step phishing attacks leveraging Microsoft Visio files has been identified by security researchers, marking a sophisticated evolution in phishing tactics.

Discovered by Perception Point, the new attacks use Visio’s .vsdx format, a file type commonly employed for business diagrams, to disguise malicious URLs and bypass traditional security scans.

Microsoft Visio, often used for flowcharts and network diagrams, has now become a tool of deception in phishing campaigns. Attackers exploit the platform by embedding URLs within Visio files. The tactic takes advantage of users’ trust in Microsoft tools and creates a covert way to bypass security systems.

Unlike common attachments like PDFs or Word documents, Visio files are rarely flagged as threats, making them an ideal vehicle for delivering phishing links."

See more: https://www.infosecurity-magazine.com/news/microsoft-visio-files-phishing/

#cybersecurity #phishing 

 Facebook Asks Supreme Court to Dismiss Cambridge Analytica Lawsuit

The US Supreme Court will soon decide whether to allow a longstanding shareholder lawsuit against Meta's Facebook to proceed or to dismiss it as lawyers for the social media giant have asked.

The lawsuit involves a 2015 incident in which UK-based consultancy Cambridge Analytica obtained Facebook user data from a third-party firm and used it to create granular profiles for targeting users during political campaigns, on behalf of the Trump campaign. News of the data misuse surfaced in 2018 and provoked considerable concern in the US and elsewhere over privacy violations, data protection, and the role of social media in influencing politics.

See more: https://www.darkreading.com/application-security/facebook-supreme-court-dismiss-cambridge-analytica-lawsuit

#meta #lawsuit 

 HIBP notifies 57 million people of Hot Topic data breach

Have I Been Pwned warns that an alleged data breach exposed the personal information of 56,904,909 accounts for Hot Topic, Box Lunch, and Torrid customers.

Hot Topic is an American retail chain specializing in counterculture-related clothing, accessories, and licensed music merchandise. The company operates over 640 stores across the United States and Canada, primarily located in shopping malls, and has a vast customer base.

According to HIBP, the exposed details include full names, email addresses, dates of birth, phone numbers, physical addresses, purchase history, and partial credit card data for Hot Topic, Box Lunch, and Torrid customers.

See more: https://www.bleepingcomputer.com/news/security/hibp-notifies-57-million-people-of-hot-topic-data-breach/

#cybersecurity #databreach 

 Amazon confirms employee data breach after vendor hack

Amazon confirmed a data breach involving employee information after data allegedly stolen during the May 2023 MOVEit attacks was leaked on a hacking forum.

The threat actor behind this data leak, known as Nam3L3ss, published over 2.8 million lines of Amazon employee data, including names, contact information, building locations, email addresses, and more.

Amazon spokesperson Adam Montgomery confirmed Nam3L3ss' claims, adding that this data was stolen from systems belonging to a third-party service provider

See more: https://www.bleepingcomputer.com/news/security/amazon-confirms-employee-data-breach-after-vendor-hack/

#cybersecurity #databreach 

 FBI Warns US Organizations of Fake Emergency Data Requests Made by Cybercriminals

The FBI has issued an alert to warn US-based companies and law enforcement agencies that threat actors are sending fake emergency data requests with the goal of harvesting personally identifiable information (PII).

An emergency data request enables law enforcement agencies to obtain information from online service providers in emergency situations, when there is no time to get a subpoena.

Emergency data requests have been abused by Lapsus$ and other threat actors, but the FBI has observed a spike in cybercrime forum posts related to the process of emergency data requests.

See more: https://www.securityweek.com/fbi-warns-us-organizations-of-fake-emergency-data-requests-made-by-cybercriminals/

#cybersecurity #privacy 

 Microsoft says recent Windows 11 updates break SSH connections

Microsoft has confirmed that last month's Windows security updates are breaking SSH connections on some Windows 11 22H2 and 23H2 systems.

This newly acknowledged issue affects enterprise, IOT, and education customers, but the company says that only a "limited number" of devices are impacted.

Microsoft is also investigating whether consumer customers using Windows 11 Home or Pro editions are affected.

See more: https://www.bleepingcomputer.com/news/microsoft/microsoft-says-recent-windows-11-updates-break-ssh-connections/

#cybersecurity #windows #ssh 

 Scammers target UK senior citizens with Winter Fuel Payment texts

As the winter season kicks in, scammers are not missing the chance to target senior British residents with bogus "winter heating allowance" and "cost of living support" scam texts.

The scam campaign is opportunistic given the UK government's recent controversial stance on cutting winter fuel payments from approximately 10 million pensioners across Britain.

See more: https://www.bleepingcomputer.com/news/security/scammers-target-uk-senior-citizens-with-winter-fuel-payment-texts/

#cybersecurity #scam 

 Ymir: new stealthy ransomware in the wild

"In a recent incident response case, we discovered a new and notable ransomware family in active use by the attackers, which we named “Ymir”. The artifact has interesting features for evading detection, including a large set of operations performed in memory with the help of the malloc, memmove and memcmp function calls.

In the case we analyzed, the attacker was able to gain access to the system via PowerShell remote control commands. After that, they installed multiple tools for malicious actions, such as Process Hacker and Advanced IP Scanner. Eventually, after reducing system security, the adversary ran Ymir to achieve their goals.

In this post, we provide a detailed analysis of the Ymir ransomware, as well the tactics, techniques and procedures (TTPs) employed by the attackers."

See more: https://securelist.com/new-ymir-ransomware-found-in-colombia/114493/

#cybersecurity #ransomware 

 Debt Relief Firm Forth Discloses Data Breach Impacting 1.5 Million People

Debt relief solutions provider Forth (Set Forth) is notifying 1.5 million individuals that their personal information was compromised in a May 2024 data breach.

See more: https://www.securityweek.com/debt-relief-firm-forth-discloses-data-breach-impacting-1-5-million-people/

#cybersecurity #databreach 

 Security Flaws in Popular ML Toolkits Enable Server Hijacks, Privilege Escalation

Cybersecurity researchers have uncovered nearly two dozen security flaws spanning 15 different machine learning (ML) related open-source projects.

These comprise vulnerabilities discovered both on the server- and client-side, software supply chain security firm JFrog said in an analysis published last week.

The server-side weaknesses "allow attackers to hijack important servers in the organization such as ML model registries, ML databases and ML pipelines," it said.

The vulnerabilities, discovered in Weave, ZenML, Deep Lake, Vanna.AI, and Mage AI, have been broken down into broader sub-categories that allow for remotely hijacking model registries, ML database frameworks, and taking over ML Pipelines.

See more: https://thehackernews.com/2024/11/security-flaws-in-popular-ml-toolkits.html

#cybersecurity #machinelearning 

 Hackers now use ZIP file concatenation to evade detection

Hackers are targeting Windows machines using the ZIP file concatenation technique to deliver malicious payloads in compressed archives without security solutions detecting them.

The technique exploits the different methods ZIP parsers and archive managers handle concatenated ZIP files.

This new trend was spotted by Perception Point, who discovered a a concatentated ZIP archive hiding a trojan while analyzing a phishing attack that lured users with a fake shipping notice.

The researchers found that the attachment was disguised as a RAR archive and the malware leveraged the AutoIt scripting language to automate malicious tasks.

See more: https://www.bleepingcomputer.com/news/security/hackers-now-use-zip-file-concatenation-to-evade-detection/

#cybersecurity #malware #windows 

 5 Most Common Malware Techniques in 2024

Tactics, techniques, and procedures (TTPs) form the foundation of modern defense strategies. Unlike indicators of compromise (IOCs), TTPs are more stable, making them a reliable way to identify specific cyber threats. 

Here are some of the most commonly used techniques, according to ANY.RUN's Q3 2024 report on malware trends, complete with real-world examples.

1. Disabling of Windows Event Logging (T1562.002), e.g. XWorm Disables Remote Access Service Logs

2. PowerShell Exploitation (T1059.001), e.g. BlanGrabber Uses PowerShell to Disable Detection

3. Abuse of Windows Command Shell (T1059.003), e.g. Lumma Employs CMD in Payload Execution

4. Modification of Registry Run Keys (T1547.001), e.g. Remcos Gains Persistence via RUN Key

5. Time Based Evasion (T1497.003), e.g. DCRAT Delays Execution During Attack

See more: https://thehackernews.com/2024/11/5-most-common-malware-techniques-in-2024.html

#cybersecurity #malware 

 Summary of noteworthy news from the last week by SecurityWeek!

China’s Volt Typhoon hacked Singtel, GuLoader targets European industrial organizations, and US agency warns employees about phone use.

See more https://www.securityweek.com/in-other-news-china-hacked-singtel-guloader-attacks-on-industrial-firms-phone-use-warning-in-us-agency/

#cybersecurity #news 

 Bitcoin Fog Founder Sentenced to 12 Years for Cryptocurrency Money Laundering

The 36-year-old founder of the Bitcoin Fog cryptocurrency mixer has been sentenced to 12 years and six months in prison for facilitating money laundering activities between 2011 and 2021.

Roman Sterlingov, a dual Russian-Swedish national, pleaded guilty to charges of money laundering and operating an unlicensed money-transmitting business earlier this March.

The U.S. Department of Justice (DoJ) described Bitcoin Fog as the darknet's longest-running cryptocurrency mixer, allowing cybercriminals to conceal the source of their cryptocurrency proceeds.

See more: https://thehackernews.com/2024/11/bitcoin-fog-founder-sentenced-to-12.html

#privacy #bitcoin 

 Critical Veeam RCE bug now used in Frag ransomware attacks

After being used in Akira and Fog ransomware attacks, a critical Veeam Backup & Replication (VBR) security flaw was also recently exploited to deploy Frag ransomware.

Code White security researcher Florian Hauser found that the vulnerability (tracked as CVE-2024-40711) is caused by a deserialization of untrusted data weakness that unauthenticated threat actors can exploit to gain remote code execution (RCE) on Veeam VBR servers.

watchTowr Labs, which published a technical analysis on CVE-2024-40711 on September 9, delayed releasing a proof-of-concept exploit until September 15 to give admins enough time to apply security updates issued by Veeam on September 4.

Veeam says over 550,000 customers worldwide use its products, including roughly 74% of all companies in the Global 2,000 list.

See more: https://www.bleepingcomputer.com/news/security/critical-veeam-rce-bug-now-used-in-frag-ransomware-attacks/

#cybersecurity #ransomware 

 D-Link won’t fix critical flaw affecting 60,000 older NAS devices

More than 60,000 D-Link network-attached storage devices that have reached end-of-life are vulnerable to a command injection vulnerability with a publicly available exploit.

The flaw, tracked as CVE-2024-10914, has a critical 9.2 severity score and is present in the ‘cgi_user_add’ command where the name parameter is insufficiently sanitized.

An unauthenticated attacker could exploit it to inject arbitrary shell commands by sending specially crafted HTTP GET requests to the devices.

See more: https://www.bleepingcomputer.com/news/security/d-link-wont-fix-critical-flaw-affecting-60-000-older-nas-devices/

#cybersecurity #injection 

 US Gov Agency Urges Employees to Limit Phone Use After China ‘Salt Typhoon’ Hack

The US government’s Consumer Financial Protection Bureau (CFPB) is directing employees to minimize the use of cellphones for work-related activities, following an intrusion into major telco systems attributed to Chinese government hackers.

According to a Wall Street Journal report, the agency sent an email to all employees and contractors with a simple directive: “Do NOT conduct CFPB work using mobile voice calls or text messages.”

The warning comes on the heels of a series of hacks into US telcos and broadband providers blamed on Salt Typhoon, a Chinese government-backed cyberespionage hacking operation. The group has reportedly broken into companies like Verizon, AT&T and Lumen Technologies and has used that access to surveil politicians and critical communications systems

See more: https://www.securityweek.com/us-gov-agency-urges-employees-to-limit-phone-use-after-china-salt-typhoon-hack/

#cybersecurity #hack #china 

 The US government wants developers to stop using C and C++

"The report on Product Security Bad Practices warns software manufacturers about developing "new product lines for use in service of critical infrastructure or [national critical functions] NCFs in a memory-unsafe language (eg, C or C++) where there are readily available alternative memory-safe languages that could be used is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety."

In short, don't use C or C++. Yeah, that's going to happen."

See more:
https://www.theregister.com/2024/11/08/the_us_government_wants_developers/

#cybersecurity 

 Tor Project released a blog post: "Defending the Tor network: Mitigating IP spoofing against Tor"

"At the end of October, Tor directory authorities, relay operators, and even the Tor Project sysadmin team received multiple abuse complaints from their providers about port scanning. These complaints were traced back to a coordinated IP spoofing attack, where an attacker spoofed non-exit relays and other Tor-related IPs to trigger abuse reports aimed at disrupting the Tor Project and the Tor network.

Thanks to a joint effort from the Tor community, InterSecLab, and the support of Andrew Morris and the team at GreyNoise, the origin of these spoofed packets was identified and shut down on November 7th, 2024."

See more:
https://blog.torproject.org/defending-tor-mitigating-IP-spoofing/

#tor #spoofing #privacy

nostr:nevent1qqsqm3yjuknu9pqlq9fwgmmuvlypv47xucl0hf0f35mqxzgr982wvhgppemhxue69uhkummn9ekx7mp0qgspdlfx7qq9fanp28rt67f9ahh5zkrpqwh3n4z9lylkda0zfv6yy7srqsqqqqqpz2hear 

 "Someone is attacking nostr:nprofile1qqszr7k0w6gclv3usnqmey68uzs6h2yt7dpw2dyeqt0sh8ehaxl8xyqpz4mhxue69uhhyetvv9ujumt0wd68ytnsw43qz9thwden5te0v35hgar09ec82c30wfjkccte89v5nr right now and has been for a few weeks. 

The attacker is spoofing the IPs of Tor Exit and Directory nodes, and blasting TCP SYN packets indiscriminately  on 22/TCP- spurring a large amount of abuse complaints to hosting providers, which are then temp blocking/banning Tor infrastructure which isn't actually doing anything wrong."

See more in the original Twitter post:
https://x.com/Andrew___Morris/status/1854289771197329517

#tor #privacy 

 North Korean Hackers Target Crypto Firms with Hidden Risk Malware on macOS

A threat actor with ties to the Democratic People's Republic of Korea (DPRK) has been observed targeting cryptocurrency-related businesses with a multi-stage malware capable of infecting Apple macOS devices.

Cybersecurity company SentinelOne, which dubbed the campaign Hidden Risk, attributed it with high confidence to BlueNoroff, which has been previously linked to malware families such as RustBucket, KANDYKORN, ObjCShellz, RustDoor (aka Thiefbucket), and TodoSwift.

The activity "uses emails propagating fake news about cryptocurrency trends to infect targets via a malicious application disguised as a PDF file," researchers Raffaele Sabato, Phil Stokes, and Tom Hegel said in a report shared with The Hacker News.

"The campaign likely began as early as July 2024 and uses email and PDF lures with fake news headlines or stories about crypto-related topics."

See more: https://thehackernews.com/2024/11/north-korean-hackers-target-crypto.html

#cybersecurity #crypto