CyberSecurity Newsletter 27th January 2025
In this week's news: PayPal settles for $2M, a threat actor infects script kiddies, the FBI warns of a North Korean IT worker scheme, ransomware actors target ESXi, a security flaw is disclosed in Meta's Llama, fake Reddit and WeTransfer pages are being used to spread Lumma Stealer malware, and a Subaru Starlink flaw exposed vehicles and customer accounts.
New York State has announced a $2,000,000 settlement with PayPal over charges it failed to comply with the state's cybersecurity regulations, leading to a 2022 data breach. The Department of Financial Services (DFS) action says that threat actors took advantage of security gaps in PayPal's systems to conduct credential stuffing attacks that provided access to sensitive customer information.
https://www.bleepingcomputer.com/news/security/paypal-to-pay-2-million-settlement-over-2022-data-breach/
A threat actor targeted low-skilled hackers, known as "script kiddies," with a fake malware builder that secretly infected them with a backdoor to steal data and take over computers. Security researchers at CloudSEK report that the malware infected 18,459 devices globally, most located in Russia, the United States, India, Ukraine, and Turkey. "A trojanized version of the XWorm RAT builder has been weaponized and propagated," reads the CloudSEK report.
https://www.bleepingcomputer.com/news/security/hacker-infects-18-000-script-kiddies-with-fake-malware-builder/
A North Korean threat group has been using a technique called RID hijacking that tricks Windows into treating a low-privileged account as one with administrator permissions. The hackers used a custom malicious file and an open-source tool for the hijacking attack. Both utilities can perform the attack, but researchers at South Korean cybersecurity company AhnLab say that there are differences between them.
https://www.bleepingcomputer.com/news/security/hackers-use-windows-rid-hijacking-to-create-hidden-admin-account/
The FBI has warned that North Korean IT worker schemes are stealing data to extort their victims as part of efforts to generate revenue for the Democratic People's Republic of Korea (DPRK). The US intelligence agency confirmed it has observed North Korean IT workers engaging in this tactic over recent months. This involves exfiltrating stolen proprietary data and code from their former employers. This information is then held “hostage” until the ransom demand is met.
https://www.infosecurity-magazine.com/news/north-korea-it-workers-data/
UnitedHealth has revealed that 190 million Americans had their personal and healthcare data stolen in the Change Healthcare ransomware attack, nearly doubling the previously disclosed figure. In October, UnitedHealth reported to the US Department of Health and Human Services Office for Civil Rights that the attack affected 100 million people. However, as first reported by TechCrunch, UnitedHealth confirmed on Friday that the figure has nearly doubled to 190 million.
https://www.bleepingcomputer.com/news/security/unitedhealth-now-says-190-million-impacted-by-2024-data-breach/
Ransomware actors targeting ESXi bare-metal hypervisors are leveraging SSH tunneling to persist on the system while remaining undetected. VMware ESXi appliances play a critical role in virtualized environments, as a single physical server can run many of an organization's virtual machines. They are largely unmonitored and have been a target for hackers looking to access corporate networks, where they can steal data and encrypt files, crippling an entire business by rendering all virtual machines inaccessible.
https://www.bleepingcomputer.com/news/security/ransomware-gang-uses-ssh-tunnels-for-stealthy-vmware-esxi-access/
A high-severity security flaw has been disclosed in Meta's Llama large language model (LLM) framework that, if successfully exploited, could allow an attacker to execute arbitrary code on the llama-stack inference server. The vulnerability, tracked as CVE-2024-50050, has been assigned a CVSS score of 6.3 out of 10.0. Supply chain security firm Snyk, on the other hand, has assigned it a critical severity rating of 9.3.
https://thehackernews.com/2025/01/metas-llama-framework-flaw-exposes-ai.html
Cisco has released security updates to address a ClamAV denial-of-service (DoS) vulnerability tracked as CVE-2025-20128. Cisco PSIRT warns that proof-of-concept (PoC) exploit code for this flaw is available. The vulnerability resides in the Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV; an unauthenticated, remote attacker could exploit it to cause a denial-of-service condition on a vulnerable device. ClamAV (Clam AntiVirus) is an open-source antivirus engine designed to detect malware, viruses, and other malicious threats. It is widely used for email scanning, file scanning, and web security, particularly on Linux-based systems.
https://securityaffairs.com/173446/uncategorized/cisco-fixed-clamav-dos-flaw.html
UK telecommunications company TalkTalk is investigating a third-party supplier data breach after a threat actor began selling alleged customer data on a hacking forum. "As part of our regular security monitoring, given our ongoing focus on protecting customers' personal data, we were made aware of unexpected access to, and misuse of, one of our third-party supplier's systems, however, no billing or financial information was stored on this system," TalkTalk told BleepingComputer.
https://www.bleepingcomputer.com/news/security/talktalk-investigates-breach-after-data-for-sale-on-hacking-forum/
Nearly 1,000 fake Reddit and WeTransfer pages are being used to spread Lumma Stealer malware, a Sekoia.io researcher reported this week. The Sekoia lead cybercrime analyst, who goes by crep1x, posted screenshots of the spoofed Reddit and WeTransfer pages on X Monday, and also shared a full list of the phishing domains.
https://www.scworld.com/news/reddit-wetransfer-pages-spoofed-in-lumma-stealer-campaign
The U.S. government is warning of a new exploit against multiple flaws in cloud applications. The Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are chaining a number of CVE-listed vulnerabilities into a single exploit script. The flaws in question are present in Ivanti appliances version 4.6 and earlier. The threat actors take advantage of the appliances' end-of-life status to gather account details and harvest credentials.
https://www.scworld.com/news/attacks-on-ivanti-appliances-demonstrate-danger-of-chained-exploits
Microsoft has reminded Windows administrators that driver synchronization in Windows Server Update Services (WSUS) will be deprecated on April 18, 90 days from now. The company first announced the deprecation in June 2024, when it also encouraged customers to adopt its newer cloud-based driver services.
https://www.bleepingcomputer.com/news/microsoft/microsoft-to-deprecate-wsus-driver-synchronization-in-90-days/
Cisco has released a patch for a critical vulnerability found in its Cisco Meeting Management feature that could allow a remote, authenticated attacker to elevate themselves to administrator privileges on an affected device.
https://www.darkreading.com/vulnerabilities-threats/cisco-critical-meeting-management-bug-urgent-patch
US prosecutors charged five, including North Koreans, for tricking firms into hiring fake IT workers, sending $866K+ to fund weapons programs. Stay alert, and report fraud.
https://hackread.com/us-charges-north-korean-it-worker-hiring-scam/
A Subaru Starlink flaw exposed vehicles and customer accounts in the US, Canada, and Japan to remote attacks.
https://securityaffairs.com/173434/security/subaru-starlink-vulnerability-remote-attacks.html
Crooks stole at least $69 million from Singapore-based cryptocurrency platform Phemex in an alleged cyberattack.
https://securityaffairs.com/173478/digital-id/cryptocurrency-platform-phemex-cyber-heist.html
Threat hunters have detailed an ongoing campaign that leverages a malware loader called MintsLoader to distribute secondary payloads such as the StealC information stealer and a legitimate open-source network computing platform called BOINC.
https://thehackernews.com/2025/01/mintsloader-delivers-stealc-malware-and.html