This weekly cyber security newsletter is a brief summary of the most recent threats, vulnerabilities, and innovations in the digital security space.
This weekly drill encourages a deeper comprehension of quickly changing malicious tactics and the threat environment, and facilitates timely adjustments to security protocols.
Ultimately, this helps organizations and individuals maintain stronger system protection against the constantly shifting array of cyber threats.
Threats
Hackers Weaponizing ScreenConnect Remote Access
eSentire’s Threat Response Unit (TRU) reports that hackers have been using the ScreenConnect remote access client to install the AsyncRAT trojan on victims.
The trick is to use hacked sites to offer a fake version of ScreenConnect, from which AsyncRAT is downloaded and then used by the attacker to take control of the infected computer systems.
To avoid detection, this infection chain applies complex delaying tactics and conditional script execution techniques.
Mitigations recommended by eSentire’s TRU include Endpoint Detection and Response (EDR), Phishing and Security Awareness Training (PSAT), and strong password management practices.
International hacking groups such as Team ARXU have been on a spree of breaking into school and bank servers to obtain individuals’ personal information and bank details, which they then sell on the dark web.
Schools are targeted because school networks are not well secured, while banks hold large amounts of financial information.
This group has conducted DDoS attacks, data breaches, and website defacements in India, Bangladesh, Israel, the Philippines, and America, among other places.
Their motives appear to be a mix of hacktivism and financial gain, as seen through hashtags like FreePalestine, along with possible cooperation with other hacktivists.
Organizations should adopt a multi-tiered defense approach, including hardened website security, strong access control mechanisms, data encryption, and proactive measures against emerging threats such as Team ARXU.
Neptune Stealer is open-source malware, recently detected by cyber security analysts, that is distributed on GitHub.
The primary function of Neptune Stealer is to steal sensitive details like passwords, private information, and financial data from the infected computers. In addition, due to its open-source nature, it can be modified by attackers to make it undetectable by security software.
To guard against Neptune Stealer or similar threats, experts advise checking the origin of any code before installing it, utilizing reputable security programs, regularly updating systems as well as activating multi-factor authentication.
Volcano Demon Ransomware Group
Shortly after emerging, Volcano Demon started targeting companies’ Windows workstations and servers. Their main objective is to hijack administrative passwords on the victim’s network and encrypt all files with the .nba extension.
They demand money from executives through phone calls made from untraceable numbers, without operating any leak site. The ransomware, LukaLocker, is compiled as an x64 PE binary written in C++ and evades detection through API obfuscation.
LukaLocker was also found on the victim’s network in a Linux version. Volcano Demon used stolen admin credentials to lock systems and exfiltrate data for double extortion purposes.
Anatsa banking malware has been found being distributed by a malicious QR code reader app on Google Play. The app has already had thousands of downloads and has consequently exposed many users’ financial data.
Keyloggers, remote access, and overlay attacks are among the capabilities of Anatsa that make it a serious danger to individuals’ bank security.
Google has taken the corrupted app down from its online store and is trying to boost its application scanning system. However, this event illustrates how difficult it can be to secure mobile platforms as well as the significance of user consciousness in downloading apps even from official stores.
Researchers have discovered a new type of malware that uses the InnoSetup installer to bypass security measures and infect systems. Cracked versions of Microsoft Office are the main distribution channel for this Trojan, which targets people who download pirated software.
The malware can also run arbitrary code, which may lead to further compromise and information theft. This shows the importance of purchasing genuine software and avoiding pirated copies, which frequently contain malicious code.
Additionally, users need to be extremely careful when downloading software from untrusted sources and should always keep their operating systems up to date with the latest available security patches.
The FakeBat malware has been impersonating notable apps such as AnyDesk, Zoom, Teams, and Chrome to infect users and steal confidential information.
This malware is offered as Loader-as-a-Service on the dark web marketplace and it spreads using drive-by-download techniques, malvertising, or through social engineering.
The authors of FakeBat have incorporated MSIX format builds and digital signatures into the latest versions in order to evade detection by security systems.
Since then, malware distribution has become a more complex process that includes malvertising, software impersonation, and targeted campaigns.
FakeBat’s C2 infrastructure comprises numerous servers with varying communication patterns between them, obfuscation methods adopted within the code, and filtering of traffic based on user attributes.
HappyDoor Executed Via regsvr32 File
The report delves into the use of the HappyDoor backdoor and the regsvr32.exe tool by the Kimsuky APT group to avoid detection. The group has been found targeting South Korean government agencies and think tanks.
The HappyDoor backdoor is designed to communicate with the attacker’s C&C server. Here, regsvr32.exe, a legitimate Windows utility, has been misused to execute the malicious payload and evade security controls.
The report describes how the malware works in technical terms and the strategies Kimsuky uses to infiltrate target systems while avoiding detection by security products.
Hackers Using Polyglot Files In the Wild
Hackers have found a new way to evade security measures and deliver malware through the use of polyglot files which can be interpreted as multiple file types.
Malicious code can be embedded in these files and executes once the file is opened or processed by an application with a security hole. Security experts have come across a new tool known as PolyConv, which creates polyglot files that can go undetected by antivirus solutions.
By creating polyglot files that masquerade as different file types, this tool enables attackers to bypass firewalls and antivirus applications. This makes it hard for security solutions to identify or remove malicious content, since it appears disguised as another document format such as a PDF, JPEG image, or zip archive.
This report explains how attackers can bypass security controls using PolyConv and discusses the various ways it can be used to create several kinds of documents.
CapraRAT Mimics As Popular Android Apps
CapraRAT is a new Android malware that mimics real Android applications in order to carry out attacks. It avoids detection through a number of methods, including obfuscation, dynamic code loading, and encrypted payloads.
CapraRAT can perform several malicious activities, such as stealing user data, sending premium SMS messages, and downloading additional malware.
CapraRAT is primarily spread via third-party app stores and infected websites. Security experts have identified multiple versions of CapraRAT, implying that it is actively developed and maintained by its authors.
To safeguard their devices from this threat, users are advised to download apps only from official app stores and avoid suspicious links or downloads.
Vulnerability
PoC Exploit Released for HTTP File Server RCE Flaw
A critical vulnerability, CVE-2024-39943, which allows attackers to execute code remotely has been identified in HTTP File Server (HFS) software versions prior to 0.52.10 on Linux, UNIX, and macOS systems.
The vulnerability arises from the use of execSync instead of spawnSync from the Node.js child_process module, through which remote authenticated users with upload permissions can execute OS commands.
A proof-of-concept (PoC) exploit has been posted online showing how an attacker can compromise a vulnerable system using this vulnerability.
Users of HFS are strongly recommended to upgrade to version 0.52.10 or later, which fixes this issue by replacing the execSync call with spawnSync from the child_process module.
To counter any possible exploitation attempts targeting the above flaws, administrators must ensure they have installed up-to-date versions of HFS on their systems.
Hackers Using ProxyLogon & ProxyShell
In multiple regions, including Afghanistan, Georgia, Argentina, and Laos, hackers are using the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange servers to break into sensitive government communications.
Attackers can impersonate users to execute commands and access mailboxes as a result of these bugs that were revealed in 2021.
A DigitalOcean server was found harboring thousands of files targeting government offices, an indication of highly organized threat actors directing their operations at the government sector.
The exposure also highlights that malicious actors are still actively exploiting vulnerabilities that have been known for some time.
Flaws in Splunk Enterprise https://cybersecuritynews.com/multiple-flaws-splunk-enterprise/
Splunk has released critical security updates to address multiple vulnerabilities in Splunk Enterprise versions 9.0.x, 9.1.x, and 9.2.x that could allow remote code execution and denial-of-service attacks.
The flaws, discovered by internal and external researchers, include an authenticated RCE through serialized session payloads (CVE-2024-36984), a low-privileged RCE via external lookup (CVE-2024-36985), command injection using external lookups (CVE-2024-36983), and a null pointer dereference crash (CVE-2024-36982).
Several cross-site scripting (XSS) vulnerabilities were also patched. Splunk strongly recommends upgrading to the latest patched versions 9.0.10, 9.1.5, or 9.2.2 to mitigate the risks. The company noted that Splunk Cloud Platform instances are being patched and monitored.
Multiple critical vulnerabilities in the CocoaPods dependency manager expose iOS and macOS apps to supply chain attacks.
Attackers can take control of thousands of unclaimed pods and inject malicious code into numerous well-known apps, potentially infecting almost all Apple devices.
The flaws allow exploiting the “Claim the Pods” process, executing arbitrary code on the Trunk server, and hijacking session verification.
As of October 2023, CocoaPods has patched the bugs, but enterprises need to be aware of this attack vector and continue learning about package and dependency management techniques used by developers.
Researchers from the University of California have discovered a previously unknown high-precision Branch Target Injection (BTI) attack called “Indirector” that exploits weaknesses in the Indirect Branch Predictor (IBP) and the Branch Target Buffer (BTB) of recent Intel CPUs, including the Raptor Lake and Alder Lake generations.
The attack, which targets the IBP’s structure and prediction mechanisms, can bypass existing defenses and compromise CPU security. Two types of high-precision injection attacks are possible: the IBP Injection Attack and the BTB Injection Attack.
To mitigate the risks, the researchers recommend aggressive use of the Indirect Branch Predictor Barrier (IBPB) and more complex tags in future IBP designs for finer-grained isolation across security domains.
Intel has been informed of these findings and will present the full details of the Indirector attack at the upcoming USENIX Security Symposium in August 2024.
This report covers the risks discovered in Gogs, a well-known open-source Git hosting platform. Two highly exposed vulnerabilities would enable an attacker to break into the system and steal sensitive source code.
The first vulnerability is a path traversal bug that can be used to read any file, while the second is a remote code execution flaw that lets an attacker run their own malicious code on the server.
Proofs-of-concept (PoCs) are provided for both vulnerabilities, and users are recommended to upgrade to the latest version of Gogs to eliminate these threats.
In addition, it stresses keeping software updated and maintaining proper security measures against potential threats.
regreSSHion – OpenSSH RCE Vulnerability
A remote code execution (RCE) vulnerability has been found in the very popular open-source regression testing framework called Regresshion.
This vulnerability could enable an attacker to run arbitrary code on the Regresshion server, which would expose the entire system to compromise.
The report contains information on how to exploit this vulnerability and includes proof-of-concept code. It also notes that the latest version of Regresshion fixes the security issue and advises all users to upgrade their installations immediately.
Through this report, users of Regresshion are cautioned to keep their software up to date in order to address security vulnerabilities.
Cyber Attack
TeamViewer Discloses Investigation Update
TeamViewer has recently disclosed an investigation into unauthorized access to its systems.
The company stated that it has taken immediate action to secure its systems and is working closely with law enforcement agencies to investigate the incident.
TeamViewer has assured its customers that there is no evidence of any data breach or compromise of customer data. The company has emphasized its commitment to maintaining the highest standards of security and privacy for its users.
TeamViewer has also advised its customers to remain vigilant and report any suspicious activity related to their accounts.
New SnailLoad Side-Channel Attack
A new side-channel attack called SnailLoad has been discovered by researchers from Graz University of Technology. This technique exploits network latency to infer users’ actions without requiring JavaScript, code execution, or user interaction.
The method lets an attacker find out which videos were watched or websites visited on the victim’s machine merely by measuring latency changes from an attacker-controlled server, with an accuracy of 62.8% for the top 100 websites and up to 98% for YouTube videos.
SnailLoad is unlike previously used methods as it works without any active involvement from any internet server and requires almost no network traffic.
By extending such side-channel attacks to remote, non-PITM scenarios, this technique opens up fresh security concerns. In video fingerprinting experiments over different internet connections, SnailLoad was between 37% and 98% accurate, while website fingerprinting was evaluated at 62.8%.
Kematian Stealer is sophisticated PowerShell malware that stealthily steals and exfiltrates sensitive data.
It starts with a 64-bit portable executable loader written in C++ that decompresses and decrypts a batch file to launch the next phase of the attack.
The malware achieves persistence through the Windows Task Scheduler and gathers system details such as IP address, hostname, system model, UUID, MAC addresses, and network statistics.
The gathered data is formatted, compressed by the malware into a zip archive, and exfiltrated with curl.exe via a webhook to a Discord channel.
Kematian Stealer shows how sophisticated modern malware has become, posing a serious threat to both individual users and organizations.
Malicious PDF Files That Mimic Microsoft 2FA Security Update
Cybersecurity researchers have discovered a new phishing campaign targeting Microsoft users, in which the threat actors disguise malicious PDF files as Two-Factor Authentication (2FA) warnings.
The link inside the PDF redirects the recipient to a fraudulent Microsoft login page where they are asked to enter their credentials. Once captured, these credentials let the attackers gain unauthorized access to the victim’s Microsoft account.
Experts recommend that recipients of unsolicited emails requesting sensitive information exercise caution and verify that the source is trustworthy before clicking any attached links or opening documents.
The popular HTTP File Server (HFS) software has a serious remote code execution vulnerability, CVE-2024-23692, that is being actively exploited by hackers.
The flaw allows attackers to compromise vulnerable computers by running arbitrary malicious commands remotely and planting malware.
Coin miners, Remote Access Trojans (RATs), and backdoors are known to be installed via this exploit, including by LemonDuck and other China-based groups.
The malware is used for cryptocurrency mining, information stealing, and establishing backdoors. HFS users should update their software first and then set up effective security controls to reduce the risk this flaw poses.
Other News
International Operation Takes Down 593 Malicious Cobalt Strike Servers
Europol coordinated police forces from all over the world, as well as the UK’s National Crime Agency (NCA), and successfully dismantled 593 malicious servers hosting unauthorized versions of the Cobalt Strike tool which is often abused by cybercriminals.
Titled “Operation Morpheus,” this week-long action targeted 690 instances of malicious Cobalt Strike software across 129 ISPs in 27 different countries.
To disrupt activities of threat actors who use Cobalt Strike in their attacks, this operation used a combination of real-time threat intelligence sharing, and network scanning, involving ISPs as well as direct server takedowns.
However, experts warn that it might be only temporary progress since threat actors are known for being very resilient and adaptable.
Proton Launches a Free Encrypted Document Editor
Proton, a privacy-oriented tech company, has now released a new end-to-end encrypted document editor known as ‘Docs’ to compete with the Google Docs and Microsoft 365 giants.
The service provides features for real-time collaboration such as comments, photos, and secure file storage where all contents and metadata are encrypted for user privacy.
This step by Proton was informed by increasing concerns about the data collection practices of Big Tech and the potential misuse of personal information.
Docs is integrated into Proton Drive as its new editor and forms part of a bigger ecosystem of email, cloud storage, and calendar services, offering users a complete privacy-focused alternative to Big Tech solutions.
Proton underscores that its document editor is protected by strict Swiss data protection laws making it especially attractive to professionals in industries where data privacy is essential.
The report discusses the evolution of DDoS attacks, with Mirai-like botnets setting new records in 2023 and 2024. Attack frequency and intensity increased notably, with 1+ Tbps attacks becoming almost daily by 2024.
Cybersecurity researchers at OVHcloud spotted record-breaking DDoS attacks of 840 Mpps and asserted that peaks of ~2.5 Tbps were also observed.
The new trend in DDoS is employing hacked network core devices, mostly MikroTik Cloud Core Routers (CCR), which can generate up to 12 Mpps each.
The analysis revealed that over 99,000 CCR devices were exposed online, and if only 1% were used in a hypothetical botnet, it could theoretically generate up to 2.28 Gpps.
Cloudflare Details 1.1.1.1 Service Outage
Cloudflare, a major content delivery network (CDN) and web security provider, experienced a widespread outage on July 2, 2019, that affected many websites and online services around the world.
Cloudflare’s network experienced a significant increase in CPU utilization due to a bug that was introduced during a regular network change.
As a result, several websites were inaccessible or slow to load for about half an hour. Cloudflare’s engineers promptly identified and fixed the problem, restoring normal service.
The firm stressed that no customer information had been lost and that it would conduct a thorough investigation to avoid similar events in the future.