Cyber Security News Weekly Round-Up (Vulnerabilities, Cyber Attacks, Threats & New Stories)

Our weekly summary of cybersecurity news provides information on the most recent threats, vulnerabilities, innovations, attacks, dangers, and stories in the field.

It also discusses possible upcoming malicious tactics that can threaten the devices and make you take defensive measures just in time.

EHA

This is important as it enables us to put appropriate security measures in place on time consequently being defensive.

In addition, this continuing situational comprehension promotes a comprehensive perception that ensures proper system strengthening against ever-changing threat matrixes and risk management.

Threats

8220 Gang Exploiting Oracle WebLogic Server Flaw

A notorious cryptojacking group, ‘The 8220 Gang’ is actively leveraging a six-year-old Oracle WebLogic loophole (CVE-2017-3506) to release cryptocurrency mining viruses.

Once this vulnerable point is exploited then any person can gain unauthenticated access to remote commands and it means that someone’s sensitive data or even the whole system could get compromised.

To evade the detection from the Windows Antimalware Scan Interface, the gang has been using PowerShell and gets its payload as an obfuscated one. Further, they take advantage of the valid Linux tool “lwp-download” to write random files on compromised hosts that affect numerous services.

This group of individuals has changed their techniques and tools over time consequently posing as a major threat to organizations in contemporary society.

CarnavalHeist Weaponizing Word Documents

The CarnavalHeist campaign is a cyberattack that is highly sophisticated and makes use of Microsoft Word documents to steal user credentials. Victims are sent malicious Word documents through the attack which will force them to download a malicious HTML file as soon as they are opened.

This then exploits a vulnerability in Microsoft Office Equation Editor permitting execution of PowerShell script. Through this, the attackers can steal login credentials.

The campaign mainly targets the financial sector organizations. To avoid detection, attackers adopt social engineering and exploit techniques.

Ransomware Group Creation Touched Yearly All-Time High

The report shows that the number of ransomware attacks has increased significantly as ransomware creation is at its peak. The pandemic-induced increase in remote work has contributed to this surge. Attacks have gone up by 148%.

Additionally, in 2023, the average demand for ransom rose to $1.54 million from $0.88 million in 2022.

Moreover, companies experience an average of 22 days of downtime after a ransomware attack while the ransomware attacks cost has risen by 13% over the past five years and it stands at an average price of $1.85 million per incident.

Malicious npm Package Delivers Sophisticated RAT

According to the report, there is an increasing danger of malicious npm packages that aim at developers. The malicious packages stole SSH keys from developer computers by uploading them to GitHub repositories.

They were taken down from npm in January, and an alarming rise of malicious packages on open-source package managers has been identified between 2020 and 2023, a considerable share of which is hosted using GitHub.

Hackers Using Packers To Hide Malware

Packers are commonly utilized by hackers to bundle legitimate content with malicious code, these packers are also legitimate tools.

Among other things, the report shows that phishing campaigns often employ ZIP and SFX archives while UPX enables code extraction and encryption into memory for malware.

The significance of recognizing which packer has been employed within packed malware and extracting the contents using relevant utilities is also stressed by it.

Phishing-As-A-Service V3B Toolkit

A new phishing tool called the V3B phishing kit was developed to target bank customers in the EU.

It comprises of a scenario-based credentials interception system and mirrors online banking authorization pages.

The kit is highly configurable, works with multiple countries and banks, has advanced anti-bot measures, and enables real-time interaction with victims.

Moreover, it contains a live chat system that helps fraudsters to initiate one-time password (OTP) requests and make people enter their codes unknowingly.

Prices range between $130 and $450 per month paid in cryptocurrency with regular updates that help it evade detection as new abilities emerge.

UNC1151 Hackers Weaponizing Excel Documents

The report highlights a recent information campaign by a threat actor group, “UNC1151,” targeting Ukraine, Lithuania, Latvia, and Poland with disinformation. 

This campaign involves weaponizing Excel documents to attack Windows machines. The attackers use malicious XLS files to compromise systems, which can lead to data breaches and other security issues. 

This tactic is particularly dangerous as it can evade traditional security measures and remain undetected for extended periods. 

The report highlights the importance of staying informed about emerging threats and vulnerabilities to ensure timely safeguarding measures and preventive actions.

Package from PyPI Contains Wiper Components

Over 300 downloads have been made of a dangerous Python package labeled “xFileSyncerx” at the Python Package Index (PyPI).

This was a data wiping package that was detected by ReversingLabs researchers.

The person behind the sophisticated multi-step attack campaign that uses a CoinMiner executable to affect Linux devices’ performance is identified as the author of this package, “sastra.”

To escape detection, this malware disguises its malicious payload on different remote URLs and then gradually releases it in several steps.

Sticky Werewolf Weaponizing LNK Files

Weaponized LNK files have been discovered to be used by hackers for malware deployment, where the infection chain begins with a benign-looking LNK file that has a malicious command hidden in it while pretending to be an image file.

This is followed by the HTA file being downloaded and executed using PowerShell from a remote server, inside of which there is an embedded executable file pretending to be a genuine system program.

Moreover, when these shortcuts are opened by users they are usually made to execute some PowerShell code as the study of the evil LNK files’ content revealed.

Hackers Exploiting MS-SQL Servers

Unauthorized access and control of Windows systems by hackers is due to the exploitation of flaws in Microsoft SQL (MS-SQL) servers.

This way, they may try to brute force an SQL admin access using the weak credentials after scanning for MS-SQL servers with port 1433 open.

Once they gain access, threat actors can execute malicious commands, install malware like ransomware and RATs, and potentially command whole networks.

Suspicious activities are capable of being detected early with a strong endpoint detection and response (EDR) solution that uses behavior-based monitoring.

Mitigation includes but is not limited to applying strong credentials, keeping servers patched, as well as restricting external connections to MS-SQL instances by administrators.

Fake Google Chrome Update

One new malware dissemination program makes use of the deceptive Google Chrome Update pop-ups. Malicious code is injected into the websites and asks users to upgrade their browsers to trigger the attack.

Clicking on these links will redirect them to harmful URLs that download malware like remote access trojan or infostealer.

The attack reached 341 websites, consequently users are advised not to update from pop-ups or error messages.

Vulnerability

Zyxel NAS Devices Vulnerability

Zyxel has recently released patches for its end-of-vulnerability support NAS326 and NAS542 devices. The said vulnerabilities are command injection and remote code execution flaws, and improper privilege management.

Users should apply these patches as soon as possible to save their systems from possible attacks.

CVE IDs CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974 have already been assigned to the vulnerabilities with CVSS scores of 9.8.

NAS326 V5.21(AAZF.16)C0 and older firmware versions for NAS542 V5.21(ABAG.13)C0 are available for patching purposes now.

Microsoft Details AI Jailbreaks

The report, “Jailbreaks in large language models: the case of GPT-3” talks about jailbreaks in Large Language Models (LLMs) that seek to disturb the security alignment of such models and make them perform ill-intentioned tasks.

Microsoft recently invented an innovative multi-turn jailbreak technique known as Crescendo which evades the safety regulations using harmless inputs.

Crescendo can be fully automated by a software tool named Crescendomation, which has made it possible to jailbreak several open-source AI chatbots.

Implementing a series of defense mechanisms such as input filters, system meta-prompt, and Azure AI Content Safety could help reduce some of these attacks.

Hackers Exploiting Amazon, Google & IBM Cloud Services

Hackers are now using cloud storage applications such as Amazon Aws, Google Cloud, and IBM Cloud to prefer phishing attacks through text messages. 

These attacks entail creating and sharing expected links that lead users to genuine-looking sites where they can be taken to the phishing sites to be used to rip off their identity and banking details. 

According to the surprising results exposed in this particular investigation, the attackers make use of the cloud storage services to host phishing domains and utilize such methods as HTML meta refresh in an effort to bring the users automatically to the corresponding fraudulent domains. 

The advantage of this type of attack is the fact that when performed, they take advantage of cloud platform domains and as such it easily penetrate firewalls.

Critical Flaw In SkyBridge Routers

SkyBridge or SkyBridge BASIC series products have a critical vulnerability, which allows command injection without authentication.

CVE-2024-32850 is the name given to this particular vulnerability and it enables an attacker to execute arbitrary commands with full administrative privileges.

This vulnerability affects SkyBridge MB-A100/110 up to Ver 4.2.2 and SkyBridge BASIC MB-A130 up to Ver 1.5.5

To prevent exploitation by threat actors users should upgrade their firmware versions to the latest ones (SkyBridge MB-A100/110 Ver 4.2.3 or later and SkyBridge BASIC MB-A130 Ver 1.5.7 or later).

macOS Root Access Vulnerability

As far as Mac OS is concerned, a critical bug, CVE-2024-27822 has been identified which provides unauthorized access to a root.

The exploit arises from a vulnerability within the macOS kernel which fails to properly validate certain user inputs which gives an attacker the ability to escalate privileges from a standard user to the root level.

A proof-of-concept (PoC) exploit code was published in order to stress how easy it is for this issue to be misused and consequently immediate action should be taken about it. This means that multiple versions of macOS are affected by this loophole and it should consequently be addressed quickly.

Even so, experts have called for precautionary measures among Mac users like upgrading to fixed versions in order to avoid its risks being exploited.

Checkpoint 0-Day Flaw

Checkpoint’s security software has a critical zero-day vulnerability that hackers are currently exploiting, using CVE-2024-24919.

The flaw in question enables attackers to remotely run arbitrary code and take over the whole compromised system.

However, malicious actors discovered the problem before Checkpoint could even issue a patch.

In order to reduce this problem organizations should use patching measures, keep an eye on their network traffic, and update security policies, as well as educate employees on how to identify phishing emails among other common attack vectors.

Microsoft Azure Vulnerability

For instance, a very significant vulnerability has been found to exist in Microsoft Azure which enables an attacker to bypass the firewall rules by making forged requests from trusted services.

Various Azure services have been affected by this problem. Those affected include Application Insights, DevOps, Machine Learning, and many others.

Tenable Research has classified this as a Security Feature Bypass issue with a severity rating of High due to its impact on data integrity and confidentiality.

Microsoft has acknowledged the issue and is addressing it through centralized documentation updates. Users of affected services should implement additional authentication and authorization measures to mitigate the risk.

Tripwire Enterprise Flaw

The report aims to underline Tripwire Enterprise’s vulnerability as a security configuration management solution.

The bug which is known as CVE-2022-26243 permits trespassing, authentication bypass, and entry into the system without proper references. The Tripwire Enterprise 12.5.0 and its earlier versions are susceptible to this flaw.

A fix for this problem has been issued by Tripwire, and all users are asked to update their system software to the most recent version for security purposes.

Cisco Webex Meetings Meeting Flaw

Webex Meetings of Cisco was disclosed to be having a significant security vulnerability that could let any unauthorized person gain entry to the meeting information and metadata.

The issue which was discovered in early May 2024 affected some customers hosted in the Frankfurt data center of Cisco.

The flaw was identified during targeted security research operations and allowed for an illicit entry into private meeting details, consequently possibly compromising the confidentiality and integrity of such meetings among others.

By May 28, 2024, these bugs had been fixed globally by Cisco. Affected customers have been alerted about this development, they also confirmed that no more unauthorized attempts at accessing the meeting data have taken place since its resolution.

Cisco has continued to monitor any unauthorized activity while conducting ongoing investigations aimed at protecting the platform’s security.

Apache HugeGraph RCE flaw

This exploitation of the vulnerability bypasses protection mechanisms by using the SecurityManager’s lack of reflection filtering. It does this by renaming the current thread and then employing ProcessBuilder class to run commands.

The flaw in question permits an attacker to take control over the entire server, which is quite alarming for those organizations that are running on affected versions of HugeGraph.

The patch has critical changes that enhance security and clients are advised to upgrade to Version 1.3.0 or later as a measure to reduce risk levels.

Critical PHP Remote Code Execution Flaw

A critical remote code execution (RCE) vulnerability has been discovered in PHP for Windows, affecting all versions since 5.x. 

The vulnerability, tracked as CVE-2024-4577, allows unauthenticated attackers to bypass previous protections and execute arbitrary code on remote PHP servers. 

The flaw arises from an oversight in handling character encoding conversions on Windows, particularly in CGI mode. 

To mitigate the vulnerability, users should upgrade to newer PHP versions or apply suggested mitigations, such as applying mod_rewrite rules to block attacks.

Data Breach

Massive Ticketmaster, Santander Data Breaches 

The alleged cybercrime has been claimed to be behind a massive data leakage of Ticketmaster and Santander Bank, which may potentially influence over 590 million accounts.

The event, related to the compromise of a Snowflake employee’s compromised credentials has raised serious concerns about the security of cloud storage services.

It is said that the breach exposed personal details for 560 million Ticketmaster users and 30 million Santander Bank customers, such as full names, email addresses, phone numbers, and hashed credit card numbers.

ShinyHunters, a group of hackers has taken responsibility for this breach and attempted to sell it on the dark web for $500,000.

According to Hudson Rock cybersecurity firm, it all started from one stolen password belonging to an employee at Snowflake company.

TikTok Zero-Day Vulnerability

High-profile accounts, including celebrities such as Paris Hilton, CNN, and Sony which are major Media organizations, were taken over by hackers after they exploited a zero-day vulnerability in TikTok’s direct messaging (DM) feature.

They managed to get into the accounts by simply sending a malicious message through the app’s DMs without requiring any downloads or link clicks.

The incident was first reported on June 4, 2024, since then TikTok has been taking steps to stop this from happening again. Security concerns have stopped the company from giving out an exact number of compromised accounts or describing the vulnerability in detail.

Linux Kernel Privilege Escalation Vulnerability

CVE-2023-32233 is a vital Linux kernel flaw enabling unprivileged local users to boost their rights to the root, consequently giving them full control over a host.

This bug results from Netfilter nf_tables that allows for invalid updates of the configuration and this leads to memory corruption and use-after-free bugs. A piece of code that demonstrates this has been developed by security researchers who plan to publish it online.

The vulnerability affects various Linux kernel versions, including the latest stable release 6.3.1, requiring exploitation at the local level. However, the patch has already been submitted in order to fix this security problem.

Telerik Report Server Flaw

A critical authentication bypass vulnerability (CVE-2024-4358) has been discovered in the Progress Telerik Report Server which was found to be affecting the versions 2024 Q1 (10.0.24.305) and earlier. 

This vulnerability allows unauthenticated attackers to access restricted functionality and create admin accounts without checks. 

The flaw achieved the CVSS score of 9.8 and is considered critical. To mitigate this vulnerability, users are advised to update to version 2024 Q2 (10.1.24.514) or later or implement a URL Rewrite mitigation technique.

New York Times Internal Data and Source Code Leaked

An anonymous hacker claimed that it had obtained 240GB of proprietary information and source code of The New York Times and placed the files on 4chan. 

It also comprises over 5,000 repositories consisting of text documents, source code for games like Wordle, promotional emails, and advertising campaign reports. 

This is despite the fact that the hacker stated that fewer than 30 of such repositories actually use encryption. The leak also brings into question safety breaches in the newspaper, especially in their online platform and privacy on the internet. 

The New York Times has stated that it has identified the stolen data to have come from its GitHub repositories that were attacked in January 2024, it also ascertained that the company’s own systems were not infiltrated by the hackers.

Other News

Kali Linux 2024.2 Released

Several updates and new tools are featured in the release of Kali Linux 2024.2. Future package compatibility for 32-bit platforms has also been included in this version, which features improvements to GNOME 46 and Xfce, along with eighteen new tools.

Some of the new tools are coercer, autorecon, dploot, getsploit among others. Additionally, Kali NetHunter has been updated to include support for Android 14 as well as new modules.

Besides this, there have been some improvements concerning the Kali on ARM Single Board Computer (SBC) devices including the Gateworks Newport kernel updated to 5.15 and the Raspberry Pi 5 kernel updated to 6.1.77 in this release too.

Parrot Security OS 6.1 Released

Parrot OS 6. 1 is a real progress in comparison with the previous versions as it has many improvements and added features for its users. The core updates consist of a base on Debian 12, Linux Kernel v6, and X. Org Server version 1. 20. 5, and DM targets and modules, advanced kernel, and drivers with the Wi-Fi proposed solution. 

The look of the ecosystem has become polished, and such features are experiments in enabling users to containerize things not supported by the system. 

It also optimizes the new performance, corrects the drivers plus supports the current Raspberry Pi devices.

Databricks Is Acquiring Tabular

When acquiring Tabular, a data management startup, by Databricks, we precisely see the return of the founders of Apache Iceberg and Delta Lake. 

This acquisition is to help the businesses upgrade the lakehouse structure and the data exchange compatibility while retaining the corporate data ownership and consequently, escaping the proprietary vendors’ control. 

Overall, Tabular’s founders themselves are known to support open-source formats, whereas CDI’s acquisition will combine two main creators of Apache Iceberg and Delta Lake, which will work for the development of data compatibility. 

The move is considered to be a milestone to reach data reflexivity of the lakehouse architecture as a revolutionary concept of the digital age that has boosted enterprise productivity by providing equal data access to everybody.

NSA Warns iPhone & Android Users to Restart Devices Once Every Week

For better protection of mobile devices, the National Security Agency (NSA) has advised both iPhone and Android users to reboot their systems at least once in a week.

This approach helps to interfere with the functioning of malware and any other illicit software that may have found its way into the system.

In addition to regular reboots, good practices like keeping software applications as well as operating system up-to-date, using strong passwords, and enabling multiple authentications should be followed according to NSA.

At present, cyber threats on mobile phones have become increasingly sophisticated so such advice is necessary.

TotalRecall: A New Tool

It talks about a new feature in Windows 11 called Recall, it captures screenshots of what users are doing every five seconds and saves them on the device.

It is aimed at enabling users to search for previous content using natural language. However, there is a TotalRecall tool that exploits the security loophole in the feature consequently allowing hackers to steal sensitive information like passwords as well as credit card numbers from an unencrypted SQLite database.

This poses serious privacy and security issues more so given that data remains saved locally rather than being sent to cloud servers.

Work done by a Team Of Security Experts from Cyber Writes (www.cyberwrites.com) - World’s First Dedicated Content-as-a-Service (CaaS) Platform for Cybersecurity. For Exclusive Cyber Security Contents, Reach at: [email protected]