Cyber Security News Weekly Round-Up (Vulnerabilities, Cyber Attacks, Threats & New Stories)

This weekly cybersecurity news recap keeps you informed about the latest threats, exposures, mitigation techniques, and emerging malicious tactics that could compromise systems. 

Staying updated lets you implement preventive measures proactively rather than reactively.


Consistent cybersecurity awareness builds a comprehensive knowledge base to protect networks from an evolving risk landscape.

Threats

Fake PuTTY Client

Linux administrators are warned about a fake PuTTY client that delivers the “Rhadamanthys” stealer and is distributed through malvertising. The attackers use the trojanized PuTTY to take over machines, create backdoors and extend their control.

These malicious ads appear to come from trusted sources such as the PuTTY project and infect victims’ computers with malware loaders that stay undetected and launch further malicious software. The campaign runs through a series of redirects, checking for proxies and the victim’s IP address, before the final malware injection.

The complexity of the delivery scheme shows how stealthy the distribution tactics employed by these threat actors are.

BlueDucky

BlueDucky is a new tool that automates exploitation of a critical Bluetooth pairing vulnerability, allowing code execution without user interaction on unpatched devices.

It was created by Opabinia and is available on GitHub. BlueDucky makes the process easy: it scans for nearby Bluetooth devices, selects the target and executes a Rubber Ducky script without any manual steps.

The tool is a milestone in exploiting Bluetooth vulnerabilities and underlines the need to fix well-known security issues such as CVE-2023-45866 to fend off automated attacks.

Chinese Govt Hackers

Seven Chinese citizens have been accused by the US Justice Department in a hacking and wire fraud conspiracy. They were connected to APT31, a Chinese Ministry of State Security hacking group.

This is the group that has carried out worldwide cyberattacks on journalists, politicians, and corporations with the aim of stifling critics of China’s government, compromising official institutions and corporate espionage.

These hackers employed highly advanced methods such as zero-day exploits to hijack email systems, steal intellectual property and potentially tamper with American elections. Political dissidents, media professionals, public officials, technology manufacturers and political parties are among those affected.

Hackers Delivering Mispadu Malware via Weaponized PDFs

The Mispadu banking trojan is being delivered by hackers using weaponized PDF files, and its attacks have spread from Latin America to Europe, focusing on credential theft through phishing emails and malicious URLs.

Mexico remains one of the main targets, where thousands of credentials have been stolen since April 2023. The infection chain has multiple stages: the malware arrives as either an MSI or HTA file that deploys a first-stage VBScript running in memory to avoid detection.

Mispadu’s final payload steals passwords from web browsers and email clients, targeting over 200 different services for credential theft, and uploads the stolen data to a command and control server.

New Tools & Tactics of Agent Tesla

Agent Tesla, a Remote Access Trojan (RAT), has gained further notoriety with new tools and tactics that make it a significant threat in the cyber security landscape.

The malware operators have introduced more advanced techniques aimed at improving evasion and strengthening persistence on infected devices.

These improvements include obfuscated polymorphic loaders delivered through phishing emails that fetch payloads via proxies to silently load Agent Tesla into memory.

This new version of Agent Tesla is centred on memory-resident information stealing, keystroke logging, credential theft, and SMTP exfiltration, reflecting a complex and changing threat landscape.

New ‘HelloFire’ Ransomware

The report warns of a new ransomware threat called ‘HelloFire’ that pretends to be a lawful penetration test. It lacks the usual hallmarks of ransomware and instead poses as a pentester in order to fool victims.

It encrypts files with the “.afire” extension using Curve25519, which is also used by the Babuk malware. The ransom note and the technical analysis hint at a potential Russian origin, with “hello” appearing in both English and Russian.

Organizations and individuals are urged to remain alert and strengthen their cyber security measures to guard against such sophisticated hidden threats.

StrelaStealer Malware Hacked 100+ Organizations

StrelaStealer malware has affected more than 100 companies in the U.S. and EU through DLL payloads launched from spam attachments. The malware, first discovered in 2022, exfiltrates email login credentials to threat actors.

Recent campaigns have adopted sophisticated obfuscation techniques and file format switching to bypass detection. The malware can still be detected by the “strela” string found in the DLL payload; the campaigns mainly target high-tech industries.

Russian Hackers Attacking Political Parties

The report looks into political parties and organizations that Russian hackers have targeted in their bid to influence the 2020 US elections. 

Among other things, it exposes foreign entities spreading false information to undermine confidence in electoral processes. The Russian government carried out an influence campaign against President Biden, supported ex-President Trump, and fanned the flames of social and political discord in America.

The report highlights Russia’s emphasis on manipulating public opinion, gathering information for decision-making, and conducting cyber operations, without continuously probing election systems.

170K+ Python Developers GitHub Accounts Hacked

A complex supply chain attack compromised more than 170,000 Python developers’ GitHub accounts. The attackers used fake Python infrastructure to distribute malware and breach the security of many developers and companies.

Tactics such as account takeover through stolen cookies were used to target particular high-reputation GitHub accounts.

The consequences of this breach are far-reaching and include major victims such as the Top.gg GitHub organization, underscoring the urgent need for alertness and heightened cybersecurity against changing cyber threats.

Chinese Hackers Attacking Southeast Asian Nations

Chinese APT groups are actively conducting cyber-espionage campaigns against the healthcare and government sectors. The identified threat actors include China-linked groups such as APT31 and APT40, known for phishing and for exploiting vulnerabilities in Microsoft Office.

Governments are their main targets but they also steal trade secrets and engage in espionage. The attacks go on to involve things like implanting backdoors, using malware frameworks as well as focusing on specific industries or individuals from selective locations.

Hackers Actively Exploiting Ray AI Framework Flaw

CVE-2023-48022 is a critical vulnerability in the Ray AI framework that hackers have been actively exploiting for the last seven months, enabling them to compromise numerous servers across different sectors.

The flaw lets threat actors seize computing power and exfiltrate sensitive information, compromising companies that use Ray. Although four vulnerabilities were patched in Ray version 2.8.1, CVE-2023-48022 remains disputed and unpatched, leading to an attack campaign named “ShadowRay.”

The compromised clusters were used for crypto-mining, which emphasizes the need for organizations to quickly investigate their Ray environments for exposure and suspicious activity.

Cyber Attack

Sanctions on APT 31 Chinese Hackers

A Chinese hacker group called APT31 has been sanctioned by the United States and the United Kingdom because of its cyber-attacks. These sanctions come after a series of alleged cyber-spying activities that targeted millions of people including legislators, voters, and critics of the Chinese government.

The hackers are linked to the Chinese Ministry of State Security, which is blamed for advanced phishing campaigns that compromised email systems and networks with the intention of silencing dissidents, stealing business information through tracking systems, and monitoring high-ranking politicians.

TA450 Hackers Use Embedded Links in PDF Attachments

In a worrying trend, TA450, an Iran-linked actor known for novel phishing methods, is now embedding malicious links in PDF attachments sent to employees of global corporations based in Israel.

This approach adds complexity to its attacks and endangers organizations as well as individuals. By enticing employees into clicking the embedded links, TA450 can penetrate victims’ systems, which may result in information theft or espionage, among other harmful outcomes.

Hackers Exploiting SQL Injection Flaws

This report from CISA and the FBI brings to the forefront the real problems posed by SQL injection vulnerabilities in software, which hackers use to compromise servers. Product vendors continue to release software with this defect despite having known about it for a long time, exposing many organizations to potential attacks.

The joint Secure by Design Alert urges technology manufacturers to review their code diligently in order to systematically eliminate SQL injection vulnerabilities. It also stresses that all applications must use parameterized queries, so that untrusted input is never executed as arbitrary SQL crafted by threat actors.

Cisco Warns of Password Spraying Attacks

Cisco has warned of password-spraying attacks targeting VPN services such as Remote Access VPN (RAVPN). In this kind of attack, hackers gain access to numerous accounts by trying one password across many different accounts.

Threat actors employ this technique against both Cisco products and third-party VPN concentrators, leveraging weaknesses in the VPN service to break into networks and steal sensitive information.

The technique evades account lockout mechanisms, is easy to execute and carries minimal risk for the attacker, and so presents an imminent threat to enterprises that depend on VPNs for remote access.
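An added example, not from Cisco’s advisory or the report: a detection rule for the spraying pattern described above, run over a constructed VPN authentication log. The log format, field names, IP addresses and thresholds are assumptions; the signature it looks for is one source failing against many distinct accounts with only a few attempts each, which is exactly the shape that stays under per-account lockout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of VPN authentication events (not from a real Cisco
# device or any real log): one source sprays a single password across
# several accounts, a second source hammers one account, a third is a
# normal user who mistypes once.
SAMPLE_LOG = """\
2024-03-27T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-03-27T10:01:12Z src=203.0.113.5 user=bob result=FAIL
2024-03-27T10:02:20Z src=203.0.113.5 user=carol result=FAIL
2024-03-27T10:03:33Z src=203.0.113.5 user=dave result=FAIL
2024-03-27T10:04:41Z src=203.0.113.5 user=erin result=FAIL
2024-03-27T10:05:50Z src=203.0.113.5 user=frank result=OK
2024-03-27T10:00:05Z src=198.51.100.9 user=bob result=FAIL
2024-03-27T10:00:06Z src=198.51.100.9 user=bob result=FAIL
2024-03-27T10:00:07Z src=198.51.100.9 user=bob result=FAIL
2024-03-27T10:00:08Z src=198.51.100.9 user=bob result=FAIL
2024-03-27T10:00:09Z src=198.51.100.9 user=bob result=FAIL
2024-03-27T10:00:10Z src=198.51.100.9 user=bob result=FAIL
2024-03-27T10:07:00Z src=192.0.2.10 user=alice result=FAIL
2024-03-27T10:07:30Z src=192.0.2.10 user=alice result=OK
garbage line that the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_log(text):
    """Parse lines into (timestamp, src, user, result); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["result"]))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Flag sources whose failures inside one `window` touch at least `min_users`
    accounts with at most `max_per_user` failures each. Returns
    {src: {"sprayed": [accounts tried], "hits": [accounts that then logged in OK]}}."""
    fails, oks = defaultdict(list), defaultdict(set)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            oks[src].add(user)
    flagged = {}
    for src, attempts in fails.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # advance the window start until attempts[start:end+1] fits in `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[src] = {"sprayed": sorted(per_user), "hits": sorted(oks[src])}
                break
    return flagged

if __name__ == "__main__":
    print(detect_spray(parse_log(SAMPLE_LOG)))
```

The single-account brute force from 198.51.100.9 is deliberately not flagged by this rule; that pattern is what per-account lockout already catches.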

CISA & FBI Warn That Hackers Use SQL Injection Vulnerabilities

Even though SQL injection vulnerabilities have been documented for over twenty years, the report reveals that these threats persist, putting many organizations at risk through their commercial software products.

Malicious actors can compromise database confidentiality, integrity, and availability by using SQL injection flaws to execute arbitrary queries. The report points to parameterized queries with prepared statements as an effective way of preventing SQL injection attacks.

It also discusses the continuing problem of vulnerability fatigue that security teams face when triaging these many vulnerabilities.
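The recommendation in both SQL injection stories above (the Secure by Design Alert and the CISA/FBI report), shown as an added example that is not part of the report or the alert: a lookup built by string concatenation beside the same lookup with a bound parameter, run against a constructed in-memory SQLite table. The table, the sample usernames and the `run_both` helper are assumptions.

```python
import sqlite3

# Constructed in-memory user table with sample rows (not from any real system).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"),
         ("o'brien", "obrien@example.com")],
    )
    return conn

def find_email_vulnerable(conn, username):
    # The defect: user input is spliced into the SQL text, so the database
    # parses whatever the caller typed as part of the query.
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def find_email_parameterized(conn, username):
    # The fix: a placeholder is bound by the driver, so the input is always
    # treated as a value and never as SQL syntax.
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

def run_both(username):
    """Run the same lookup through both functions; returns (vulnerable, safe).
    A database error from the vulnerable path is returned as a string."""
    conn = build_db()
    try:
        vulnerable = find_email_vulnerable(conn, username)
    except sqlite3.Error as exc:
        vulnerable = f"error: {exc}"
    safe = find_email_parameterized(conn, username)
    conn.close()
    return vulnerable, safe

if __name__ == "__main__":
    # A normal name, a legitimate name containing a quote, and a classic
    # tautology: only the parameterized path gives the right answer for all three.
    for name in ("alice", "o'brien", "' OR '1'='1"):
        print(repr(name), run_both(name))
```

The quoted legitimate name is the case worth noticing: the concatenated query breaks on ordinary input even before any attacker is involved, while the bound parameter handles it correctly.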

EagleSpy Android RAT 3.0 Steals 2FA Google Authenticator Code

The report discusses EagleSpy Android RAT 3.0, a highly sophisticated malware targeting Android devices. It poses a huge threat to users by bypassing security tools, including those in banking apps, and its operators claim it can steal 2FA Google Authenticator codes.

The advanced features of EagleSpy Android RAT 3.0 highlight the dynamic nature of the threats facing Android users. Staying informed and building preventive security controls is necessary to minimize the risk from such malware.

New Tycoon 2FA Phishing Kit

The Tycoon 2FA phishing kit is a complex Adversary-in-The-Middle (AiTM) platform that targets Microsoft 365 and Gmail users by evading Two-Factor Authentication (2FA). It was discovered in August 2023 and is actively used by threat actors. It is currently one of the most prevalent AiTM kits, with over 1,100 domains linked to it.

The kit operates in several stages: impersonating legitimate login pages, capturing session cookies, and bypassing MFA. Recent upgrades have made it stealthier, hindering detection and analysis while improving its evasion of security measures and its 2FA bypass.

17,000+ Microsoft Exchange Servers Vulnerable

This report covers exposed Microsoft Exchange servers that are at risk of being hacked. The most important security concerns it takes into account are remote code execution vulnerabilities such as CVE-2020-0688, CVE-2021-26855, CVE-2021-27065, CVE-2022-41082, CVE-2023-21529, CVE-2023-36745, CVE-2023-36439 and CVE-2024-21410.

Insights on these vulnerabilities are given based on daily scans to highlight the need to immediately address these kinds of risks in order to prevent potential exploitation of Exchange servers.

Google Revealed Kernel Address Sanitizer

Google has introduced the Kernel Address Sanitizer (KASan) to enhance the security of Android firmware and beyond. KASan helped identify and fix over 40 memory safety bugs by proactively detecting memory corruption.

Given the platform’s wide adoption, its fragmentation, and delayed software updates, the tool is indispensable in raising the security level of Android devices.

Weaponized Air Force Invitation PDF

The report highlights a cyberespionage operation called “Operation FlightNight” that targeted Indian government entities and energy companies. The state-sponsored attackers used a modified version of HackBrowserData to steal sensitive information and exfiltrated it through Slack channels.

The attackers disguised the malicious code as Indian Air Force invitations sent by email. Data breaches occurred within government agencies and private energy firms, with financial documents and employee information compromised and exfiltrated via Slack channels.

Research

ZENHAMMER

Researchers at ETH Zurich demonstrated the ZenHammer attack on systems with AMD Zen 2 and Zen 3 CPUs. The attack shows that DDR4 and even DDR5 memory can still be subjected to bit flips, further complicating the task of fixing DRAM.

The researchers also describe mitigation measures that go a long way toward safeguarding against attacks like ZenHammer.

Beware Of Free Android VPN Apps

Free Android VPN apps on the Google Play Store can secretly turn devices into proxy nodes, which has raised concern among cyber security experts about the safety of such apps.

The Satori Threat Intelligence team detected the use of a Golang library named PROXYLIB in the Oko VPN application, first discovered in May 2023.

Further analysis found 28 other related apps, which were removed from the Play Store. The threat continues to evolve, with the actors requiring developers to embed their malicious SDKs, which grows the proxy network.

Although Google Play Protect now automatically protects against these attacks, especially those involving PROXYLIB, the case highlights how cautious one should be when downloading free VPN applications.

Vulnerabilities

Firefox Zero-Days Exploited

Mozilla swiftly addressed two critical zero-day vulnerabilities exploited in the Firefox web browser during the Pwn2Own Vancouver 2024 hacking competition. Manfred Paul successfully demonstrated these vulnerabilities, earning $100,000 and 10 Master of Pwn points. 

The vulnerabilities, CVE-2024-29943 and CVE-2024-29944, allowed for out-of-bounds access and privileged JavaScript execution, respectively. 

Mozilla released Firefox 124.0.1 and Firefox ESR 115.9.1 to patch these security flaws just one day after they were reported, ensuring protection against potential remote code execution attacks on unpatched browsers.

Critical OpenVPN Flaw

OpenVPN released version 2.6.10 with bug fixes and improvements for the Windows Platform, addressing four vulnerabilities. One critical flaw (CVE-2024-27459) allowed privilege escalation through a stack overflow attack. 

Other vulnerabilities included disallowed access, loading of plugins, and an integer overflow. Discovered by Microsoft security researcher Vladimir Tokarev, these vulnerabilities were fixed in the latest version to prevent exploitation by threat actors.

Agenda Ransomware

One of the greatest problems posed by ransomware is its increasing attacks on VMware ESXi servers, a case in point being the ESXiArgs ransomware campaign that has infected thousands of servers across Europe, Canada, and the United States.

The report highlights exploitation of a two-year-old vulnerability affecting earlier versions of VMware ESXi, resulting in the encryption of configuration files and potentially rendering virtual machines useless.

The ESXiArgs campaign succeeded because of the high number of vulnerable targets, particularly the large share of unpatched servers. The report also mentions that CISA released a decryption script to help mitigate damage from ESXiArgs ransomware.

TeamViewer macOS Client Vulnerability

Versions of TeamViewer Client for macOS before 15.52 were prone to a vulnerability that allowed attackers to gain root access by manipulating symbolic links. This vulnerability is a critical security threat that could let an attacker disable services or even raise their privileges in a given environment.

It has been rated at the highest level of severity, with a CVSS 3.0 Base Score of 7.1, showing how dangerous this bug is for system security. To mitigate the risk, users are urged to update TeamViewer Client for macOS to version 15.52 or later.

Microsoft Edge Flaw

Microsoft Edge was recently found to contain a significant vulnerability that lets attackers install harmful extensions without the user’s consent. Designated CVE-2024-26246, this flaw affects the Chromium-based version of Edge and enables potential security breaches such as data theft and unauthorized access.

Microsoft asks customers to update their browsers to the latest version to reduce these risks. The incident shows that browser security matters, especially in an evolving cyber threat landscape, and highlights the need for constant vigilance and proper cybersecurity measures against malicious exploits.

Chrome Zero-Days Exploited

Google recently patched seven vulnerabilities in Chrome, including two zero-day exploits from Pwn2Own 2024. The zero-days, a Type Confusion in WebAssembly (CVE-2024-2887) and a Use after free in WebCodecs (CVE-2024-2886), were fixed in Chrome Stable channel versions 123.0.6312.86/.87 for Windows and Mac, and 123.0.6312.86 for Linux. 

Manfred Paul won the competition by exploiting the Type Confusion flaw and received a $42,500 award. Other vulnerabilities addressed include a critical use after free in ANGLE (CVE-2024-2883) and a high severity Use after free in Dawn (CVE-2024-2885). Users are advised to update their browsers promptly to protect against these vulnerabilities.

NVIDIA ChatRTX For Windows App Vulnerability

On 26 March 2024, a security update was released that patched two flaws (CVE-2024-0082 and CVE-2024-0083) in the NVIDIA ChatRTX for Windows software. These vulnerabilities could let attackers run malicious code, manipulate data, or escalate privileges.

The vulnerabilities stem from inadequate input validation and privilege management, posing a high risk with a severity rating of 8.2. Users are strongly encouraged to upgrade ChatRTX to the patched version to address these threats.

Microsoft Releases Out-Of-Band Update

Microsoft released an out-of-band update, KB5037422, to resolve a critical memory leak in the Local Security Authority Subsystem Service (LSASS) on Windows Server 2022. The leak appeared after installing the March 2024 security updates and affected both on-premises and cloud-based Active Directory Domain Controllers during Kerberos authentication requests.

As a result, high memory usage caused LSASS crashes and unexpected domain controller restarts. The update fixes the LSASS memory leak and improves the servicing stack for future Windows updates, restoring system stability and security.

GitLab Security Flaw

The proxyjacking campaign called LABRAT, mentioned in this report, appears to have exploited vulnerable GitLab servers using cross-platform malware and kernel rootkits designed to avoid detection. The flaw, improper validation of image files, lets attackers remotely control the targeted devices.

The campaign is advanced enough to use obfuscation techniques and legitimate processes to hide its activity, making it hard to know whether one is under attack. The operation demonstrates a high level of stealth and evasion, and users are urged to secure their GitLab instances.

Other Stories

Metasploit Framework 6.4 Released

Metasploit Framework 6.4 was recently released with notable advancements and new capabilities. This version brings major improvements to Kerberos authentication support, including new techniques such as diamond and sapphire tickets alongside golden and silver.

A new module for dumping Kerberos tickets from compromised hosts extends the toolkit for exploiting Unconstrained Delegation. The release also concentrated on DNS configuration enhancements and new session types, reaffirming its position as a cutting-edge tool for penetration testers and cyber security professionals.

Wireshark 4.2.4 Released

Wireshark 4.2.4 was just released with a focus on improving network protocol analysis tools meant for troubleshooting, analysis, and training purposes. This update includes important bug fixes that address issues like T.38 Dissector Crash and disputed CVEs.

No new features have been added, but the release comes with much improved protocol support, ensuring compatibility with new communication standards across networks. The software is available for download from the official website.

Work done by a Team Of Security Experts from Cyber Writes (www.cyberwrites.com) - World’s First Dedicated Content-as-a-Service (CaaS) Platform for Cybersecurity. For Exclusive Cyber Security Contents, Reach at: [email protected]