CyberSecurity Newsletter December 2nd, 2024
In this week’s news: ransomware gangs seek cybersecurity services to find and close holes in their attack tools; a background-check database is exposed online; a Windows Server 2012 zero-day gets a free unofficial patch; a Russian national is arrested in connection with LockBit and Hive; Bologna FC falls to ransomware; researchers discover malicious code circulating in the wild that hijacks the earliest stage of the Linux boot process; and a Russian script kiddie, using little more than publicly available malware tools and exploits targeting weak credentials and configurations, has assembled a distributed denial-of-service (DDoS) botnet capable of disruption on a global scale.
Cybercriminals are also advertising for individuals capable of creating dark AI models and penetration-testing products — that is, ransomware — to reduce the chance of defenders finding ways to circumvent the scheme. In advertisements on Telegram chats and forums — such as the Russian Anonymous Marketplace, or RAMP — ransomware affiliate groups and initial access providers are seeking cybersecurity professionals to help find and close holes in their malware and other attack tools:
https://www.darkreading.com/threat-intelligence/ransomware-gangs-seek-pen-testers-boost-professionalism
A publicly exposed database has left the sensitive information of hundreds of thousands of individuals vulnerable to potential misuse. Not protected by passwords or encryption, the database contained 644,869 PDF files, totaling 713.1 GB, exposing a treasure trove of personal information. The data, mostly labeled as “background checks,” included a wide range of personally identifiable information (PII) such as full names, home addresses, phone numbers, email addresses, employment details, family connections, social media accounts, and criminal history:
https://gbhackers.com/sensitive-records-exposed/
Free unofficial security patches have been released through the 0patch platform to address a zero-day vulnerability introduced over two years ago in the Windows Mark of the Web (MotW) security mechanism. Windows automatically adds Mark of the Web (MotW) flags to all documents and executables downloaded from untrusted sources. These MotW labels inform the Windows operating system, Microsoft Office, web browsers, and other applications that the file should be treated cautiously:
https://www.bleepingcomputer.com/news/security/new-windows-server-2012-zero-day-gets-free-unofficial-patches/
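As an added example (not from the linked article or from 0patch), the script below parses the Zone.Identifier alternate data stream that Windows writes as the Mark of the Web, so a defender can check which security zone a file was downloaded from; the sample stream content is constructed.

```python
"""Parse a Windows Mark-of-the-Web (MotW) Zone.Identifier stream.

Windows stores the MotW as an NTFS alternate data stream named
``Zone.Identifier`` with INI-style content; ``ZoneId`` is the URLMON
security zone the file came from.
"""
import configparser
from typing import Optional

# URLMON security zone identifiers written into Zone.Identifier.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

def parse_zone_identifier(stream_text: str) -> dict:
    """Return ZoneId, zone name, recorded URLs and an untrusted flag."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(stream_text)
    if not parser.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section: not a Zone.Identifier stream")
    section = parser["ZoneTransfer"]
    zone_id = int(section.get("ZoneId", "0"))
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        # Browser downloads usually record where the file came from.
        "referrer_url": section.get("ReferrerUrl"),
        "host_url": section.get("HostUrl"),
        # Zones 3 and 4 are the ones Office Protected View and SmartScreen
        # treat as untrusted.
        "untrusted": zone_id >= 3,
    }

def read_motw(path: str) -> Optional[dict]:
    """Read a file's Zone.Identifier stream on Windows; None if no MotW."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None

# Constructed sample stream, in the form Windows writes for a browser download.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://downloads.example.test/\r\n"
    "HostUrl=https://downloads.example.test/report.docx\r\n"
)

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
```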
A Russian cybercriminal wanted in the U.S. in connection with LockBit and Hive ransomware operations has been arrested by law enforcement authorities in the country:
https://thehackernews.com/2024/11/wanted-russian-cybercriminal-linked-to.html
Italian professional football club Bologna FC is allegedly a recent victim of the RansomHub cybercrime gang, according to the group's dark web postings. The ransomware crims responsible for attacks on organizations including Planned Parenthood and Christie's – the same crew thought to have picked up LockBit's top talent post-disruption – posted an extensive collection of data it claims came from Bologna's systems:
https://www.theregister.com/2024/11/30/bologna_fc_ransomhub/
UNC2465, a financially motivated threat actor, leverages the SMOKEDHAM backdoor to gain initial access to target networks. The backdoor is often delivered via phishing emails, trojanized software, or supply chain attacks, enabling persistence and lateral movement. Once in the network, UNC2465 utilizes tools like Advanced IP Scanner and BloodHound for reconnaissance, RDP for lateral movement, and Mimikatz for credential harvesting:
https://gbhackers.com/smokedham-backdoor-exploit/
Researchers have discovered malicious code circulating in the wild that hijacks the earliest stage boot process of Linux devices by exploiting a year-old firmware vulnerability when it remains unpatched on affected models. The critical vulnerability is one of a constellation of exploitable flaws discovered last year and given the name LogoFAIL:
https://arstechnica.com/security/2024/11/code-found-online-exploits-logofail-to-install-bootkitty-linux-backdoor/
UK's National Health Service (NHS) systems appear to be under attack, with a ransomware gang threatening to leak stolen data it says is from one of England's top children's hospitals. The attack on Liverpool's Alder Hey Children's Hospital and Liverpool Heart and Chest Hospital NHS Foundation Trust is apparently unconnected to an ongoing cyber "incident" at the Wirral University Teaching Hospital NHS Trust that is causing severe disruption at hospitals nearby:
https://www.theregister.com/2024/11/29/inc_ransom_alder_hey_childrens_hospital/
A Russian script kiddie using little more than publicly available malware tools and exploits targeting weak credentials and configurations has assembled a distributed denial-of-service (DDoS) botnet capable of disruption on a global scale. In assembling the botnet, the attacker has targeted not just vulnerable Internet-of-Things (IoT) devices, as is the common practice these days, but also enterprise development and production servers, significantly increasing its potential for widespread disruption:
https://www.darkreading.com/cyberattacks-data-breaches/russian-script-kiddie-assembles-massive-ddos-botnet
An insufficient input validation flaw, one of 11 patched in an update this week, could allow for arbitrary code execution and is under active attack. Google has patched the fifth actively exploited zero-day vulnerability discovered in Chrome this year as one in a series of fixes included in a stable channel update released Wednesday:
https://threatpost.com/google-patches-chromes-fifth-zero-day-of-the-year/180432/
Threat actors are using public exploits for a critical authentication bypass flaw in ProjectSend to upload webshells and gain remote access to servers. The flaw, tracked as CVE-2024-11680, is a critical authentication bug impacting ProjectSend versions before r1720, allowing attackers to send specially crafted HTTP requests to 'options.php' to change the application's configuration:
https://www.bleepingcomputer.com/news/security/hackers-exploit-projectsend-flaw-to-backdoor-exposed-servers/
Social Design Agency (SDA), a Russian outfit the US government recently accused of operating a malign influence campaign dubbed "Doppelgänger," is running another similar campaign concurrently, targeting audiences in the US, Ukraine, and Europe. The primary objective of the SDA's "Operation Undercut" campaign, much like Doppelgänger, is to erode support for Ukraine in its war with Russia. However, the campaign also extends its interference to other areas, including the ongoing Middle East conflict, internal EU politics, and matters related to the 2024 US presidential election:
https://www.darkreading.com/cybersecurity-operations/operation-undercut-russia-malign-influence-campaigns
Cybersecurity researchers are warning about malicious email campaigns leveraging a phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA with an aim to steal Microsoft 365 account credentials. "This campaign employs an AitM [adversary-in-the-middle] attack, allowing attackers to intercept user credentials and session cookies, which means that even users with multi-factor authentication (MFA) enabled can still be vulnerable":
https://thehackernews.com/2024/11/phishing-as-service-rockstar-2fa.html
Cybersecurity researchers have discovered a software supply chain attack that has remained active for over a year on the npm package registry by starting off as an innocuous library and later adding malicious code to steal sensitive data and mine cryptocurrency on infected systems. The package, named @0xengine/xmlrpc, was originally published on October 2, 2023 as a JavaScript-based XML-RPC server and client for Node.js. It has been downloaded 1,790 times to date and remains available for download from the repository:
https://thehackernews.com/2024/11/xmlrpc-npm-library-turns-malicious.html
Open-source enterprise network and application monitoring provider Zabbix is warning customers of a new critical vulnerability that could lead to full system compromise. Tracked as CVE-2024-42327, the SQL injection bug scored a near-perfect 9.9 when assessed using the Common Vulnerability Scoring System (CVSSv3) and can be exploited by users with API access:
https://www.theregister.com/2024/11/29/zabbix_urges_upgrades_after_critical/
A recent firmware pushed to QNAP network attached storage (NAS) devices left a number of owners unable to access their storage systems. The company has pulled back the firmware and issued a fixed version, but the company's response has left some users feeling less confident in the boxes into which they put all their digital stuff:
https://arstechnica.com/gadgets/2024/11/qnap-firmware-update-leaves-nas-owners-locked-out-of-their-boxes/
Hackers have used new GodLoader malware exploiting the capabilities of the widely used Godot game engine to evade detection and infect over 17,000 systems in just three months. As Check Point Research found while investigating the attacks, threat actors can use this malware loader to target gamers across all major platforms, including Windows, macOS, Linux, Android, and iOS:
https://www.bleepingcomputer.com/news/security/new-godloader-malware-infects-thousands-of-gamers-using-godot-scripts/
A sophisticated phishing scam has surfaced in Japan, targeting corporate internet banking users. This attack, which has rapidly gained attention nationwide, involves fraudsters impersonating bank representatives to deceive victims into providing sensitive banking information. The attack begins with a phone call from individuals pretending to be bank officials. These imposters inform unsuspecting victims that their Internet banking certificates have expired, a claim designed to create a sense of urgency and panic:
https://gbhackers.com/new-phishing-attack/
Attackers are targeting Magento e-commerce websites with a new card-skimming malware that can dynamically lift payment details from checkout pages of online transactions. The attack, discovered by a researcher from Web security firm Sucuri, comes as online retailers and shoppers are priming for this week's historically busy Black Friday online shopping day:
https://www.darkreading.com/application-security/sneaky-skimmer-malware-magento-sites-black-friday
A 59-year-old U.S. citizen who immigrated from the People's Republic of China (PRC) has been sentenced to four years in prison for conspiring to act as a spy for the country and sharing sensitive information about his employer with China's principal civilian intelligence agency. Ping Li, 59, of Wesley Chapel, Florida, is said to have served as a cooperative contact for the Ministry of State Security (MSS) as early as August 2012, working at their behest to obtain information that's of interest to the Chinese government. Li was employed at telecom giant Verizon and later at information technology service company Infosys:
https://thehackernews.com/2024/11/us-citizen-sentenced-for-spying-on.html
Zyxel has announced awareness of active exploitation attempts by threat actors targeting their firewall products. This follows a detailed report by cybersecurity firm Sekoia highlighting vulnerabilities previously disclosed in Zyxel’s systems:
https://gbhackers.com/zyxel-firewall-vulnerability/
Nearly two dozen security vulnerabilities have been disclosed in Advantech EKI industrial-grade wireless access point devices, some of which could be weaponized to bypass authentication and execute code with elevated privileges. "These vulnerabilities pose significant risks, allowing unauthenticated remote code execution with root privileges, thereby fully compromising the confidentiality, integrity, and availability of the affected devices," cybersecurity company Nozomi Networks said in a Wednesday analysis:
https://thehackernews.com/2024/11/over-two-dozen-flaws-identified-in.html
Russian law enforcement has arrested and indicted notorious ransomware affiliate Mikhail Pavlovich Matveev (also known as Wazawaka, Uhodiransomwar, m1x, and Boriselcin) for developing malware and his involvement in several hacking groups. While the prosecutor's office has yet to release any details on the individual's identity (described as a "programmer" in court documents), the individual is Matveev, according to an anonymous source of the Russian state-owned news agency RIA Novosti:
https://www.bleepingcomputer.com/news/security/russia-arrests-cybercriminal-wazawaka-for-ties-with-ransomware-gangs/
Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition. Note: Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition are at risk due to this issue:
https://github.com/zetraxz/CVE-2024-5910