Cyber Security News Weekly Round-Up (Vulnerabilities, Cyber Attacks, Threats & New Stories)

The weekly cybersecurity news summary highlights the recent threats, vulnerabilities, innovations, and emerging attack vectors. 

It provides convenient insights into the malicious tactics being used against devices, which enables proactive defense measures to be put in place. 

This ongoing awareness facilitates a comprehensive understanding of the threat landscape that is evolving at a rapid pace. 

This in turn enables the timely implementation of appropriate security measures and robust protection against constantly emerging threats.

Threats

Hackers Created Fake 250 npm Packages

Around 250 malicious npm packages mimic popular AWS, Microsoft, and other open-source projects. Created by a Russian hacker, these packages contain reverse shell and remote code execution capabilities.

The malicious packages appeared in the npm registry shortly after the corresponding official versions were published.

This incident spotlights the ongoing supply chain security issues within the npm ecosystem, and blurs the line between cybercrime and cybersecurity research, as the hacker is selling the malicious packages.

The PyPI registry has also been targeted again, with packages aimed at AI and LLM developers and at organizations dependent on Microsoft technology.

This case demonstrates how important careful package management is, and how important it is to have lawful channels through which ethical security research can be reported.

TRANSLATEXT

“TRANSLATEXT” was a malicious Chrome extension deployed by the North Korean hacking group Kimsuky.

Disguised as a translation tool, the extension allowed the group to exfiltrate sensitive information such as email addresses, passwords, and screenshots from South Korean individuals, particularly in the education sector.

To avoid detection, the group used techniques such as the dead drop resolver, hosting its instructions on legitimate services, to collect data from users while pointing them to genuine services.

This operation exemplifies Kimsuky’s evolving cyber tactics and is a reminder that software from unknown sources should be downloaded only with caution.

Beware of Weaponized Notezilla, RecentX, & Copywhiz Windows Tools

Rapid7 recently found that the popular Windows productivity tools Notezilla, RecentX, and Copywhiz have been tampered with to deliver malware.

The malicious installers are obtained from the Conceptworld website; they are unsigned and their file sizes differ from those of the genuine versions.

The embedded malware is capable of stealing browser credentials, cryptocurrency wallet information, logging clipboard contents and keystrokes as well as downloading additional payloads.

Once a system is infected, the malware persists via a scheduled task that runs the main payload every three hours. Rapid7 suggests checking the integrity of installer files, looking out for indicators of compromise and re-imaging affected systems to minimize exposure.

This incident highlights the importance of being careful when downloading software and how threat actors continue to change their methods by using trusted programs for bad purposes.

HappyDoor Malware

Threat actors are actively using “HappyDoor” in email attacks; specifically, the Kimsuky group is responsible for this attack, which has been ongoing since 2012.

HappyDoor acts as both a backdoor and an information stealer. The malware goes through three stages: installation, initiation and running.

To achieve this purpose, it uses RSA encryption, HTTP communication with C&C servers, screen capture, keylogging, and file exfiltration to steal sensitive data.

It stores encoded files in registry locations and uses specific packet formats for communication. It has been regularly updated over time, with recent versions patched monthly.

To prevent infection, users have been advised by researchers to be cautious of email attachments and keep up with software updates.

Hackers Leveraging CHM Files

Hackers have been exploiting CHM (Compiled HTML) files to deliver malware and gain unauthorized access to victims’ computers.

The CHM files embed malicious code or scripts, and because most Windows systems trust the format, they execute with little security scrutiny. 

To deliver the harmful file together with a hidden executable, the hackers use password-protected ZIP archives containing CHM files. 

They rely on trusted file formats to slip past defenses. The PHANTOM#SPIKE campaign focuses on Pakistan-related targets and may be politically motivated. 

As the report suggests, avoiding unsolicited downloads, verifying file extensions and enabling strong endpoint logging are important to prevent such attacks.
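The endpoint logging the report recommends is only useful with detection logic on top of it. The following is an added example, not part of the article or the report it summarizes: it runs two simple rules over constructed process-creation records (a simplified CSV format, not a real Sysmon export). The first flags hh.exe, the Windows HTML Help viewer that opens .chm files, spawning a command interpreter or script host; the second flags a CHM being opened from an archive-extraction temp path, matching the ZIP-plus-CHM delivery described above. Column names, paths and the list of suspicious child processes are assumptions for the example.

```python
"""Detection logic for CHM-based delivery over constructed process-creation logs.
Added example: log format and sample rows are constructed, not vendor output."""
import csv
from io import StringIO

# Constructed sample log: timestamp, parent_image, image, command_line
SAMPLE_LOG = """timestamp,parent_image,image,command_line
2024-06-25T09:00:01,C:\\Windows\\explorer.exe,C:\\Windows\\hh.exe,"hh.exe C:\\Users\\u\\Downloads\\manual.chm"
2024-06-25T09:00:02,C:\\Windows\\hh.exe,C:\\Windows\\System32\\cmd.exe,"cmd.exe /c stage.bat"
2024-06-25T09:05:10,C:\\Windows\\explorer.exe,C:\\Windows\\hh.exe,"hh.exe C:\\Users\\u\\AppData\\Local\\Temp\\Rar$DIa1234\\invoice.chm"
2024-06-25T09:10:00,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\notepad.exe,"notepad.exe notes.txt"
"""

# Child processes a help viewer has no legitimate reason to launch (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}
# Path fragments typical of archive tools extracting into a temp folder.
ARCHIVE_TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "rar$")


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_chm_abuse(log_text):
    """Return a list of (rule, timestamp, command_line) alerts for the log text."""
    alerts = []
    for row in csv.DictReader(StringIO(log_text)):
        parent = basename(row["parent_image"])
        image = basename(row["image"])
        cmd = row["command_line"]
        cmd_lower = cmd.lower()
        # Rule 1: the CHM viewer spawning an interpreter means embedded script ran.
        if parent == "hh.exe" and image in SUSPICIOUS_CHILDREN:
            alerts.append(("hh.exe spawned interpreter", row["timestamp"], cmd))
        # Rule 2: a CHM opened straight out of an archive temp directory.
        if image == "hh.exe" and ".chm" in cmd_lower and any(
                m in cmd_lower for m in ARCHIVE_TEMP_MARKERS):
            alerts.append(("CHM opened from archive temp path", row["timestamp"], cmd))
    return alerts


if __name__ == "__main__":
    for rule, ts, cmd in detect_chm_abuse(SAMPLE_LOG):
        print(f"{ts} [{rule}] {cmd}")
```

The first sample row, a CHM opened from the Downloads folder with no child process, deliberately produces no alert: the rules key on behaviour (viewer spawning an interpreter, archive-to-CHM chain) rather than on the file type alone, which keeps legitimate help files from flooding the queue.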

Hackers Using k4spreader Tool

The Water Sigbin group, also known as “8220,” a Chinese hacking group that was first detected in June 2024, has developed another malware named K4spreader.

It comes with a modified UPX packer and drops other malware such as the PwnRig cryptominer and the Tsunami DDoS botnet.

This multivariant tool has persistence, self-update, and download capabilities, but is likely still in development.

Its command and control servers are linked to high levels of activity by the same “8220” mining gang across different attack vectors. 

The malware uses several techniques for persistence, such as modifying startup files, creating system services, and similar mechanisms. 

It also hides the malicious payloads within its own data and can disable antivirus protection or kill suspicious processes.

Cyber Attack

TeamViewer Hacked

TeamViewer recently announced that attackers had compromised its internal corporate IT environment. 

The company’s security team detected an “irregularity” and initiated incident response procedures, bringing in external professionals to investigate and remediate the breach. 

Although TeamViewer has said there is no evidence of impact on customer data or its product, the investigation is still ongoing. 

The attribution of this attack to an Advanced Persistent Threat (APT) group shows that even major technology providers are grappling with cybersecurity issues. 

TeamViewer users should watch for updates from the company about possible impacts or required actions.

Rabbit R1’s Code Vulnerability Exposes Users Data

A security flaw has been revealed in Rabbit’s R1 AI assistant by Rabbitude, a group of developers and researchers.

The vulnerability stems from hardcoded API keys in the company’s code base, meaning that an unauthorized person could gain access to sensitive user data such as personal information, communication logs, and device settings.

Rabbit has acknowledged the issue and confirmed it is investigating, but has been criticized for a slow and ineffective response.

The breach comes at a challenging time for Rabbit. Already facing criticism over the R1’s poor performance, another vulnerability may further erode public trust in the company and its products.
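Hardcoded API keys are the kind of defect a pre-commit or CI scan catches before a code base ships. The following is an added example, not code from Rabbit or from the researchers who reported the issue: it scans source text for quoted literals assigned to credential-like names and keeps only those whose per-character Shannon entropy looks like a generated key. The sample source is constructed, the name patterns are generic, and the entropy threshold is a tuning assumption.

```python
"""Scan source text for hardcoded credentials.
Added example: sample source is constructed; threshold and patterns are assumptions."""
import math
import re

# Constructed sample: two hardcoded secrets, one environment lookup, one benign constant.
SAMPLE_SOURCE = '''
API_KEY = "sk_live_9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c"
eleven_token = 'a3f9c2e1d4b7a6c5e8f1d2c3b4a5f6e7'
db_password = os.environ["DB_PASSWORD"]
LOG_LEVEL = "debug"
'''

# A quoted literal assigned (or mapped, JSON/YAML style) to a credential-like name.
ASSIGNMENT_RE = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*(?:key|token|secret|password|passwd|pwd)[A-Za-z0-9_]*)
        ["']?\s*[:=]\s*["'](?P<value>[^"']{8,})["']""",
    re.IGNORECASE | re.VERBOSE,
)
MIN_ENTROPY_BITS = 3.0  # assumption: generated keys score well above this per character


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def mask(value):
    """Keep only the first and last four characters so reports do not leak the key."""
    return value[:4] + "..." + value[-4:]


def find_hardcoded_secrets(source):
    """Return (line_no, name, masked_value) for each likely hardcoded secret."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = ASSIGNMENT_RE.search(line)
        if not m:
            continue
        value = m.group("value")
        # Low-entropy literals such as "changeme" are a different rule's problem.
        if shannon_entropy(value) < MIN_ENTROPY_BITS:
            continue
        findings.append((line_no, m.group("name"), mask(value)))
    return findings


if __name__ == "__main__":
    for line_no, name, masked in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {line_no}: {name} = {masked}")
```

The `os.environ["DB_PASSWORD"]` line is the pattern the scanner should encourage: the name is credential-like, but the value is looked up at runtime rather than baked into the repository, so it is not reported.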

Polyfill JS Library Injected Malware

The February 2023 compromise of Polyfill.js, a JavaScript library used by over one hundred thousand sites, was carried out by a Chinese company that had acquired the cdn.polyfill.io domain and GitHub account.

Researchers found that malware targeting mobile devices was being loaded from this domain; it redirected users to a fake Google Analytics domain with anti-reverse-engineering protections, and from there to gambling websites.

As a result, Polyfill’s original author now advises against using it, while Fastly and Cloudflare offer safe alternatives.

This supply chain attack shows why third-party code loaded into users’ browsers must be monitored for such tampering, and the word “tiaozhuan” could hint at its origin or its creators’ background.
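One concrete form of the monitoring called for above is an inventory of every third-party script a page loads and whether it is pinned with Subresource Integrity. The following is an added example, not code from Polyfill, Fastly or Cloudflare: it parses constructed HTML and reports third-party `<script src>` tags that carry no `integrity` attribute. The first-party host list and the sample markup (including the placeholder hash) are assumptions; the cdn.polyfill.io URL is the one the incident concerned.

```python
"""Audit an HTML document for third-party scripts without Subresource Integrity.
Added example: sample HTML and first-party host list are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one first-party script, one pinned third-party script,
# one unpinned third-party script served from a domain the site does not control.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-vendor.test/lib.min.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js"></script>
</head><body></body></html>
"""

FIRST_PARTY_HOSTS = {"www.example.test", "example.test"}  # assumed site hosts


class ScriptCollector(HTMLParser):
    """Collects (src, integrity) pairs from every <script> tag with a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        if "src" in attr:
            self.scripts.append((attr["src"], attr.get("integrity")))


def audit_scripts(html, first_party_hosts=FIRST_PARTY_HOSTS):
    """Return third-party script URLs that carry no integrity attribute.

    Relative URLs and URLs on our own hosts are treated as first-party and
    skipped; they are covered by the site's own deployment controls. Anything
    else without a non-empty integrity attribute is reported.
    """
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, integrity in parser.scripts:
        host = urlparse(src).netloc.lower()  # handles https://, http:// and // forms
        if not host or host in first_party_hosts:
            continue
        if not integrity:
            findings.append(src)
    return findings


if __name__ == "__main__":
    for url in audit_scripts(SAMPLE_HTML):
        print("third-party script without SRI:", url)
```

A service like the original polyfill.io, which tailored its response to each browser's User-Agent, cannot be pinned with SRI at all, because the hash would differ per client. That is precisely why such scripts should top the review list: the site is trusting whoever controls the domain on every page load.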

ANY.RUN Cyber Attack

In late May 2024, ANY.RUN, a leading cybersecurity company, suffered a sophisticated phishing attack. The incident began when an employee fell for a phishing email and entered their login details on a fake web page, giving the attacker initial access on May 27th.

The intruder kept accessing the employee’s mailbox over the next 23 days and even installed software that could later be used to exfiltrate sensitive data.

On June 18th, the attacker launched large phishing campaigns through the compromised account. The company promptly disabled the account, reset the affected credentials and removed active sessions.

The company has confirmed that there was an intrusion into its system, but that no data or system integrity was harmed.

CISA’s CSAT Tool Hacked

CISA’s CSAT, the Chemical Security Assessment Tool operated by the Cybersecurity and Infrastructure Security Agency, was hacked between January 23 and 26, 2024.

This attack could have exposed critical information like Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, and Personnel Surety Program submissions.

CISA found no evidence of data exfiltration but took prompt action against the unauthorized access.

CISA notified CFATS program participants and encouraged facilities to improve their digital and physical security mechanisms including changing CSAT account passwords.

To support stakeholders, CISA has organized webinars and asked facilities to contact affected persons or provide their contact details for notification purposes.

Chinese Hacker Groups Using Off-The-Shelf Tools

The report explains how suspected Chinese APT groups, especially ChamelGang, have used ransomware as the final stage of an attack to gain financially, cause disruption, or hide their tracks.

In 2022, ChamelGang attacked a leading Indian healthcare institution and the Brazilian Presidency with its CatB malware. Government and government-associated infrastructure in Brazil and other countries also suffered attacks by ChamelGang.

Another intrusion cluster associated with possible Chinese and North Korean APT groups targeted various industries in Canada, South America, and Eastern Europe, while focusing mostly on American manufacturing.

Cybercrime is merging with espionage tactics, which calls for joint efforts between law enforcement and intelligence agencies to tackle these challenges effectively.

Vulnerability

Juniper Session Smart Router Flaw

Juniper Networks has announced a critical vulnerability (CVE-2024-2973) that affects its Session Smart Router (SSR) and Session Smart Conductor products, enabling network-based attackers to bypass authentication and take over the whole device in high-availability redundant configurations.

The flaw threatens the security of SSRs and Conductors deployed in redundant peer setups.

To fix the bug, Juniper Networks has released new software versions and recommends that all High-Availability clusters be upgraded to SSR-6.1.9 or SSR-6.2.5 as soon as possible.

The fix is non-disruptive for production traffic, apart from a short period during which web-based management and the APIs will be unavailable.

All affected users are advised by Juniper Networks to upgrade their systems promptly to mitigate the risk associated with this flaw.

Microsoft Unveils New AI Jailbreak

Microsoft researchers recently found a new jailbreak method called “Skeleton Key” that can bypass the ethical and safety guardrails built into various generative AI models.

An attacker can use this method to make a model violate its policies, produce biased output, or follow malicious instructions, undermining responsible AI systems.

Microsoft has shared these findings with the industry and developed countermeasures such as Prompt Shields for Azure AI-managed models.

It is a clear indication that AI system developers must consider such threats and put strong security measures in place, such as input filtering, system message validation, output filtering, and abuse monitoring.

Apple AirPods Bluetooth Vulnerability

A major Bluetooth vulnerability tracked as CVE-2024-27867 has led to the release of important firmware updates by Apple for its AirPods and Beats headphones.

Security researcher Jonas Drebler discovered the issue, which if exploited allows attackers within Bluetooth range to spoof connection requests and eventually gain unauthorized access to the earphones. 

This could lead to privacy breaches or unauthorized collection of information.

To update their headphones, users need the latest firmware version, which is automatically downloaded when they connect them to an iPhone, iPad, or Mac computer. Users can navigate to Bluetooth settings on their devices in order to check the firmware version.

WordPress XSS and Path Traversal Flaws

WordPress released an urgent security update, version 6.5.5, because of several dangerous vulnerabilities that could put the millions of websites it powers at risk.

The update addresses three main security issues: a Cross-Site Scripting (XSS) vulnerability in the HTML API, an XSS vulnerability in the Template Part block, and a Path Traversal issue on Windows-hosted sites.

All WordPress site administrators are urged to keep their installations up to date, so that they do not fall victim to attacks leading to data loss and unauthorized access.

Version 6.5.5 is a short-cycle release ahead of the next major version, WordPress 6.6, which is expected on July 16th, 2024 with numerous improvements and new features.

Windows Bluetooth Service RCE Vulnerability

Windows Bluetooth service had a Remote Code Execution (RCE) vulnerability in March 2023.

An unauthorized threat actor on the same network as the victim could exploit this vulnerability to run arbitrary code on the target system.

The vulnerability resulted from a buffer overflow in the Bluetooth Low Energy (BLE) advertising data parsing functions.

Microsoft has issued patches for this vulnerability; users of affected Windows versions are advised to update their systems to avoid falling prey to attackers.

New MOVEit Auth Bypass Vulnerability

Progress Software’s file transfer programs MOVEit Transfer and MOVEit Cloud are facing an authentication bypass vulnerability (CVE-2024-58060). 

There is also a critical authentication bypass vulnerability (CVE-2024-5806) within the SFTP module. 

This flaw allows attackers to gain unauthorized access to important data without proper credentials. After the vendor confirmed the bug, exploit code was quickly made public, resulting in a significant increase in attack attempts against vulnerable MOVEit instances. 

Due to its extensive use for exchanging crucial corporate information, experts worry that this loophole may lead to massive attacks like those experienced during last year’s Cl0p ransomware onslaught which leveraged a zero-day SQL injection vulnerability in MOVEit Transfer.

Progress Software has released updates for impacted versions and urges all users to apply them immediately as protection against this severe security hole. 

Fortra Filecatalyst SQL Injection Vulnerability

A severe SQL injection vulnerability, CVE-2024-5276, has been discovered in earlier versions of Fortra FileCatalyst Workflow, specifically 5.1.6 Build 135. Its severity is reflected in its CVSS v3.1 score of 9.8.

An attacker could use it to modify application data, create administrative users, and delete or alter data within the application’s database.

A proof-of-concept (PoC) exploit is now available, underscoring why users urgently need to update to the latest version of FileCatalyst Workflow to minimize their risk.

Until Fortra releases an official patch for this vulnerability, users should stay tuned for any updates issued via the vendor’s advisories.
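The FileCatalyst advisory gives no code, but the defect class it names is worth seeing in miniature. The following is an added example unrelated to Fortra’s code base: a login lookup built by string concatenation beside its parameterized form, run against an in-memory SQLite database with constructed rows. It shows why the first version lets a crafted username bypass the password check entirely while the second compares the same input as plain data.

```python
"""SQL injection: concatenated query beside its parameterized replacement.
Added example; schema, rows and inputs are constructed for illustration."""
import sqlite3


def make_db():
    """Constructed users table with one ordinary user and one administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 0)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret-constructed', 1)")
    return conn


def login_vulnerable(conn, username, password):
    """Interpolates untrusted input into SQL text: the injection-prone pattern."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Binds input as parameters, so the driver only ever treats it as data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both variants on the same crafted input and return the outcomes."""
    conn = make_db()
    # Textbook crafted username: closes the string and comments out the rest.
    crafted = "admin' --"
    return {
        "vulnerable": login_vulnerable(conn, crafted, "wrong-password"),
        "parameterized": login_parameterized(conn, crafted, "wrong-password"),
        "legit": login_parameterized(conn, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for variant, result in demo().items():
        print(f"{variant}: {result}")
```

The parameterized call returns nothing for the crafted input because SQLite looks for a user literally named `admin' --`, which does not exist. Escaping or filtering quotes in the concatenated version is the wrong fix; binding parameters removes the ambiguity between code and data altogether.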

1-Click Exploit In Kakaotalk’s Android App

The KakaoTalk Android app, used by over 100 million people, has a critical vulnerability that allows hackers to leak the user’s access token and take over the account.

The vulnerability is a one-click exploit triggered by a malicious deep link that redirects the user to a DOM XSS vulnerability on a KakaoTalk subdomain.

This lets the attacker steal the user’s access tokens, leading to a complete account takeover including reading chat messages. The bug is tracked as CVE-2023-51219, and a proof of concept has been released on GitHub.

Ollama AI Platform Flaw

Wiz Research analysts found a critical Remote Code Execution vulnerability, dubbed “Probllama” and tracked as CVE-2024-37032, in the popular open-source Ollama AI infrastructure platform.

This vulnerability was used by malicious actors to remotely execute code by exploiting missing input validation on the /api/pull endpoint, which allowed malicious files from private registries to be written via path traversal.

It is especially dangerous for Docker installations running with root privileges, where it allows arbitrary file overwrites and remote code execution.

Ollama has already fixed the problem, but many internet-facing Ollama instances were still running insecure versions, underscoring that users should update their software as soon as possible.

This incident highlights the need for strong safety precautions in fast-evolving AI technologies.
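Both the WordPress path traversal on Windows hosts reported above and the Ollama /api/pull issue belong to the same class: a path component under attacker influence reaching the filesystem without being confined to a base directory. The following is an added example, not WordPress’s or Ollama’s code, showing the general check that closes the class: decode, treat backslashes as separators (as Windows does, modelled explicitly rather than left to the host OS), reject absolute and drive-letter paths, then normalize and verify the result stays inside the base. The base directory and inputs are constructed.

```python
"""Confine an untrusted path component to a base directory.
Added example; base directory and test inputs are constructed."""
import posixpath
from urllib.parse import unquote

BASE_DIR = "/srv/app/uploads"  # constructed base directory


def safe_join(base, untrusted):
    """Return base/untrusted normalized, or None if it would escape base.

    1. Percent-decode repeatedly so '%252e%252e' cannot smuggle a '..'.
    2. Reject NUL bytes, which truncate paths in many native APIs.
    3. Treat backslash as a separator, since Windows does.
    4. Reject absolute paths and drive-letter paths outright.
    5. Normalize and confirm the candidate is still under base.
    """
    p = untrusted
    for _ in range(3):  # bounded: a few rounds cover realistic double-encoding
        decoded = unquote(p)
        if decoded == p:
            break
        p = decoded
    if "\0" in p:
        return None
    p = p.replace("\\", "/")
    if p.startswith("/") or (len(p) >= 2 and p[1] == ":"):
        return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, p))
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for sample in ("photos/cat.png", "../../etc/passwd",
                   "..\\..\\Windows\\win.ini", "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{sample!r} -> {safe_join(BASE_DIR, sample)}")
```

The prefix check compares against `base_norm + "/"` rather than `base_norm` alone; otherwise a sibling directory such as `/srv/app/uploads-old` would pass. Using `posixpath` explicitly makes the behaviour identical on every platform, which matters when the server runs on Windows but the validation logic was only ever tested on Linux.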

Data Breach

VMware ESXi Vulnerability

VMware has disclosed three critical vulnerabilities in the ESXi hypervisor which allow attackers to bypass authentication mechanisms.

CVE-2024-37085, CVE-2024-37086, and CVE-2024-37087 are the CVE IDs given to these bugs and they pose significant risks to organizations deploying VMware ESXi.

Successful exploitation would give an attacker full administrative access to the ESXi host without proper authentication, leading to unauthorized control over virtual machines, data breaches, and potential service disruption.

VMware has provided patches, which administrators should apply immediately; until they do, the risk remains high.

BSNL Data Breach

A massive data leak has occurred at Bharat Sanchar Nigam Limited (BSNL), India’s state-owned telecom provider, in which 278GB of sensitive information like IMSI numbers, SIM card details, and security keys were exposed. 

The breach was perpetrated by “kiberphant0m” and may leave millions of subscribers vulnerable to identity theft, financial fraud, and SIM card cloning. The stolen data is up for sale on the dark web for $5,000, which says a great deal about its value to highly skilled attackers targeting both BSNL itself and connected network systems. 

This is the second such incident at BSNL in the last six months, raising further concern about its users’ safety and about national protection against cyber threats. 

Experts are urging BSNL to urgently investigate, contain this breach, and strengthen its capacity to protect users as well as critical infrastructure.

Other news

$10 Million Reward For Russian Hacker

The U.S. Department of Justice has announced a reward worth $10 million for any information leading to the capture of Amin Timovich Stigal, aged 22, who is charged with conspiracy to hack into and destroy computer systems and their data. 

Stigal and fellow GRU members allegedly deployed WhisperGate malware against Ukrainian government systems in January 2022, aiming to destroy them together with their data ahead of the Russian invasion. 

The indictment also alleges that in August 2022 the same conspirators hacked into the transportation infrastructure of a Central European country supporting Ukraine and probed computers owned by a Maryland-based federal government agency. 

1 Million Geisinger Patients’ Personal Data Stolen

A data breach at Geisinger Health System affected the personal details of more than one million patients, occurring through a former employee of Nuance Communications Inc.

The former employee accessed the data within two days of being fired; it may have included names, dates of birth, addresses, medical record numbers, and phone numbers.

Police were involved, leading to the arrest and charging of the ex-employee. Geisinger Health System is contacting affected patients, asking them to review their details and to use a dedicated support line for enquiries.

Google Announced Chrome Enterprise Core Features

Google has presented new developments for Chrome Enterprise Core, previously known as Chrome Browser Cloud Management, to help IT and security teams improve control over the browser environment and its security.

These improvements are centered on broadening policy management capabilities in the mobile sphere, adding JSON custom configurations, and permitting IT to have more flexible controls.

Google has also unveiled security insights, crash reporting, and an inactive browser deletion policy to boost visibility and data hygiene.

With these upgrades in place, companies can navigate their way through the intricate 21st century workspaces where the browser functions as both a productivity suite and a security platform.

Microsoft Announced AI Tool Copilot

Microsoft has released Copilot, an AI-based tool integrated into the Defender XDR portal, for general availability, aiming to change the way businesses acquire and use Microsoft threat intelligence.

Users can ask Copilot questions about Microsoft Defender Threat Intelligence (MDTI) and Threat Analytics content in natural language and receive timely responses on indicators of compromise (IoCs), intel articles, intel profiles, and guidance.

The embedded experience includes a blank prompt bar and a guided experience with three pre-populated prompts, enabling different security personas to defend against threats at machine speed and scale.

As a research assistant, Copilot pulls in relevant intelligence, contextualizes and summarizes it, helping customers evaluate artifacts, correlate security information, assess vulnerabilities, and understand the scope of an attack.

The launch of Copilot for Security threat intelligence in Defender XDR marks a significant step forward in Microsoft’s commitment to providing cutting-edge cybersecurity solutions that will enable organizations to stay proactive within the changing threat landscape while effectively safeguarding their vital assets.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.