Threat and Vulnerability Roundup

This week’s Threat and Vulnerability Roundup from Cyber Writes brings you the most recent cybersecurity news. 

The most recent attack methods, critical flaws, and exploits have all been emphasized. To keep your devices safe, we additionally provide you with the most recent software updates.

These findings make it easier to locate, analyze, and decide how to fix existing vulnerabilities in your systems. Stay safe by following our daily updates.


Akira Ransomware

In recent developments, reports have surfaced regarding the Akira ransomware threat actors targeting Cisco VPNs lacking multi-factor authentication (MFA). 

This vulnerability, tracked as CVE-2023-20269, can potentially allow unauthorized access to VPN connections, raising concerns about the security of remote access environments.

Cisco acknowledges these reports and the observed instances where organizations without MFA on their VPNs have been vulnerable to infiltration.

This vulnerability could severely affect organizations relying on Cisco ASA and FTD software for remote access solutions.

Weaponized Telegram App

Cybersecurity researchers at Securelist recently found several Telegram mods on Google Play in various languages (traditional Chinese, simplified Chinese, and Uighur), each claiming to be the fastest app thanks to a global network of data centers.

Telegram mods pose risks despite Google Play's review process: threat actors get their own modified builds onto the store and sell them. Researchers analyzed one such mod, which appears identical to the original Telegram upon launch.

Loda Malware Attack

Threat actors have been actively employing Loda, a remote access trojan (RAT) written in AutoIT, an easy-to-learn scripting language for automating tasks on Windows computers.

In addition to keylogging, capturing images, and stealing passwords and other sensitive information, the malware can deliver a variety of further harmful payloads.

The Kasablanka group, an advanced persistent threat (APT) from Morocco that has frequently released new versions of the malware, appears to have been Loda's original developer.

Massive Ransomware Attack on Sri Lanka

The Information and Communication Technology Agency (ICTA) has officially confirmed a severe data loss incident that has had a far-reaching impact on all government offices using the “” email domain.

The Information and Communication Technology Agency is the lead agency in Sri Lanka for implementing information and communications technology initiatives by the Government of Sri Lanka.

Approximately 5,000 email addresses fell victim to this ransomware attack, according to ICTA’s report.

OriginBotnet Attack

A recent cyberattack effort was discovered that used a malicious Word document delivered via phishing emails, causing victims to download a loader that launched a succession of malware payloads. 

OriginBotnet, RedLine Clipper, and Agent Tesla were among the payloads used. OriginBotnet is used for keylogging and password recovery, RedLine Clipper for cryptocurrency theft, and Agent Tesla for sensitive information gathering.

OriginBotnet is capable of a variety of tasks, including gathering private information, connecting to its C2 server, and downloading extra files to carry out keylogging or password recovery operations on infected Windows machines.

ANY.RUN Interactive Malware Sandbox Tool

The versatility of malware sandboxes extends beyond behavioral analysis, making them a valuable asset in many contexts. The list of use cases grows even larger when you add a layer of interactivity provided by tools like the ANY.RUN service. 

However, numerous organizations have yet to grasp the full range of benefits these solutions offer. As a result, they fail to integrate them into their security posture effectively, which leads to inefficiencies. Let’s explore the most common scenarios where the capabilities of sandboxes can come in handy.

A malware sandbox is a service that lets you upload a file or link to a virtualized environment isolated from your computer for closer analysis of any malicious behavior. 

APT36 Using Customized Malware

APT36 is a highly sophisticated APT (Advanced Persistent Threat) group that is known for conducting targeted espionage in South Asia and is strongly linked to Pakistan.

Zscaler analysts dubbed the Windows backdoor used by APT36 ‘ElizaRAT,’ because of unique strings in observed C2 commands.

ElizaRAT, delivered as .NET binaries in password-protected Google Drive archives, deploys as a Control Panel applet, launching CplApplet() and Main() functions that lead to malicious operations in MainAsync().

UNC3944 SMS Phishing Attacks

A financially driven threat group, UNC3944 has frequently employed phone-based social engineering and SMS phishing attacks to gain credentials and escalate access to target organizations.

The hacking group has been observed to target a wide range of businesses, including hospitality, retail, media and entertainment, financial services, and telecommunication and business process outsourcer (BPO) firms.

Hive0117 Group Attack

Hive0117 group has launched a new phishing campaign, which targets individuals working for significant industries in the energy, banking, transportation, and software security sectors with headquarters in Russia, Kazakhstan, Latvia, and Estonia.

This group is known for disseminating the fileless malware known as DarkWatchman, which has keylogging, information-gathering, and secondary payload deployment capabilities.

The emails are sent to people’s work email accounts, and use an electronic summons for conscription in the Russian Armed Forces as their phishing lure.

Gamaredon Infrastructure Uncovered

Gamaredon, also known as Primitive Bear, Actinium, or Shuckworm, is a Russian Advanced Persistent Threat (APT) group active since at least 2013.

It is a very aggressive threat group that runs prolonged, heavily disguised attacks.

The gang distributes malware disguised in MS Word documents via spear phishing and social engineering attacks.

Sponsor Malware

Ballistic Bobcat is an Iran-aligned APT group that cybersecurity researchers at ESET have tracked for about two years.

Security experts uncovered Sponsor, a new backdoor deployed by the Ballistic Bobcat APT group, while examining an interesting sample found on an Israeli victim's system in May 2022.

The Sponsor backdoor relies on innocuous-looking configuration files and a modular design to evade scans, a tactic Ballistic Bobcat has used for over two years alongside open-source tools on compromised systems.

Windows Arbitrary File Deletion

Threat actors were using Windows arbitrary file deletion to perform denial-of-service attacks on systems affected by this vulnerability. However, recent reports indicate that Windows arbitrary file deletion can also be used for a full compromise.

The attack depends on combining the CVE-2023-27470 arbitrary file deletion vulnerability with a Time-of-Check to Time-of-Use (TOCTOU) race condition, which enables the deletion of files on a Windows system and subsequently yields an elevated Command Prompt.

Weaponized Free Download Manager

In recent years, Linux systems have gained prominence as a target among diverse threat actors, with more than 260,000 unique samples emerging in H1 2023.

On Linux, threat actors can run multiple campaigns without being detected for years and maintain long-term persistence on the compromised systems.

Cybersecurity researchers at Kaspersky Lab recently detected that threat actors are weaponizing Free Download Manager for Linux to steal system data and passwords.

Hackers Attack Facebook Business Users

A new and highly concerning cyber threat has emerged, as a botnet known as “MrTonyScam” has been orchestrating an extensive Messenger phishing campaign on Facebook. 

Recently, this campaign has flooded the platform with malicious messages, posing a significant risk to business accounts. 

The threat actors behind this operation, originating from a Vietnamese-based group, are using deceptive tactics to target millions of businesses with disturbingly high success rates.

Microsoft Teams as a Tool for Attacking Corporations

According to recent reports, a threat actor known as Storm-0324 has been using email-based initial infection vectors to attack organizations.

However, as of July 2023, the threat actor has been found to be using Microsoft Teams to send phishing lures. Once the threat actor gains access, they hand it off to other threat actors, who continue to exploit the systems for sensitive information.

3AM Ransomware Attack

Ransomware is a universal threat to enterprises, targeting anyone handling sensitive data when profit potential is high.

A new ransomware named 3AM has surfaced and is used in a limited manner. Symantec’s Threat Hunter Team witnessed it in a single attack, replacing LockBit when blocked.

3AM is a previously unexplored ransomware written in Rust that stops services, encrypts files, and tries to delete VSS (Volume Shadow Copy) copies. Beyond this, its connections to cybercrime groups remain uncertain.

Memory Corruption Flaw

Multiple memory corruption vulnerabilities have been discovered in the ncurses library, which various programs use on multiple operating systems, including Portable Operating System Interface (POSIX) systems, Linux, macOS, and FreeBSD.

Threat actors can chain these vulnerabilities with environment variable poisoning attacks to gain escalated privileges and run code in the context of the target program or perform other malicious actions.


Proton Mail Vulnerabilities

A group of researchers unearthed critical code vulnerabilities in Proton Mail, a renowned privacy-focused webmail service, that could have jeopardized its security.

These vulnerabilities posed a significant risk to the privacy and confidentiality of Proton Mail users, highlighting the importance of robust code security in safeguarding sensitive communications.

Chrome Security Update

Google has upgraded the Stable and Extended stable channels to 116.0.5845.187 for Mac and Linux and 116.0.5845.187/.188 for Windows as part of a security update for Chrome. 

This release comes with one “Critical” security patch. The upgrade will roll out over the following days and weeks.

SAP Security Vulnerabilities

SAP has released its September security patches in which 13 vulnerabilities were related to Information Disclosure, Code Injection, Memory Corruption, and much more. The severity for these vulnerabilities ranges between 2.7 (Low) and 10.0 (Critical).

These vulnerabilities existed in multiple SAP products like SAP Business Client, Business Intelligence Platform, SAP NetWeaver, SAP CommonCryptoLib, SAP PowerDesigner, SAP BusinessObjects Suite, SAP S/4HANA, SAPUI5, SAP Quotation Management, and S4CORE.

Adobe PDF Creator Zero-day Vulnerability

Adobe has published a security update for Adobe Acrobat PDF and Reader for Windows and macOS as part of its regular Patch Tuesday updates.

This patch fixes a ‘Critical’ vulnerability, which might allow an attacker to run malicious code on unprotected PCs.

“Adobe is aware that CVE-2023-26369 has been exploited in the wild in limited attacks targeting Adobe Acrobat and Reader”, Adobe said in its security advisory. Successful exploitation could lead to arbitrary code execution.

Kubernetes Command Injection Flaw

As per recent reports, Kubernetes has been discovered with a remote code execution vulnerability, which could allow a threat actor to execute code on the affected Windows endpoints inside a Kubernetes Cluster with SYSTEM privileges.

To exploit this vulnerability, the threat actor must have “apply” privileges on Kubernetes, which is needed to interact with the Kubernetes API.

Exploitation takes place via a malicious YAML file on the cluster. This vulnerability has a CVE ID of CVE-2023-3676 and a CVSS score of 8.8 (High).

GitHub Vulnerability

Researchers uncovered a novel GitHub vulnerability that might let an attacker exploit a race condition between GitHub's repository creation and username renaming operations.

A repojacking attack may be carried out using this method. Successful exploitation would affect the open-source community by allowing the hijacking of over 4,000 code packages in languages such as Go, PHP, and Swift, as well as GitHub Actions workflows.

Mozilla Zero-Day Vulnerability

In a race against the clock to protect user security, major browser vendors, including Google and Mozilla, have rushed to release critical updates in response to a critical vulnerability discovered in the WebP Codec.

This newly discovered vulnerability with the identifier CVE-2023-4863 has sent shockwaves throughout the cybersecurity community due to its exploitability.

Notepad++ v8.5.7 Released

Notepad++ v8.5.7 has been released with several bug fixes and new features. It also adds integrity and authenticity validation, a security enhancement, and fixes a memory leak while reading Utf8-16 files.

Multiple vulnerabilities in Notepad++ relating to Heap buffer read overflow, Heap buffer write overflow, and global buffer read overflow were previously reported. However, the new version of Notepad++ claims to have patched these vulnerabilities.

Cisco IOS Verification Flaw

An arbitrary code execution flaw has been discovered in the image verification checks of Cisco IOS XR Software, which allows an authenticated, local attacker to execute arbitrary code on the underlying operating system.

Cisco Internetwork Operating System (IOS) is a network operating system used in large-scale enterprise environments for high-performance, reliable routing. It is a proprietary operating system that runs on Cisco Systems routers and switches.

Trellix DLP Vulnerability

A privilege escalation vulnerability has been identified in Trellix DLP Endpoint for Windows, which may be exploited to delete any file or folder the user is not authorized to delete.

Trellix DLP Endpoint protects against all potential leak channels, including portable storage devices, the cloud, email, instant messaging, web, printing, clipboard, screen capture, file-sharing applications, and more.

This ‘medium’ severity vulnerability is tracked as CVE-2023-4814 with a CVSS base score of 7.1. Trellix, a cybersecurity firm, recently addressed the privilege escalation issue.

Windows 11 Themes Vulnerability

An arbitrary code execution vulnerability has been found in Windows 11. It results from a combination of factors: a Time-of-Check Time-of-Use (TOCTOU) race condition, a malicious DLL, cab files, and the absence of Mark-of-the-Web validation.

A threat actor can exploit this vulnerability using a .theme file, the format Windows 11 supports for changing the appearance of the OS. The Microsoft Security Response Center (MSRC) has been alerted to this vulnerability.

8 XSS Vulnerabilities

Azure HDInsight has been identified with multiple cross-site scripting (XSS) vulnerabilities, covering both stored XSS and reflected XSS. The severity of these vulnerabilities ranges between 4.5 (Medium) and 4.6 (Medium).

These vulnerabilities affected multiple products, including Azure Apache Oozie, Apache Ambari, Jupyter Notebooks, Apache Hadoop, and Apache Hive 2. Microsoft fixed them in its 8 August security update.

Research Papers

Detecting Malicious HTTP Traffic that Hides Under the Real Traffic

Malware generates malicious network behavior and often hides it in HTTP traffic to avoid detection, so detecting malicious traffic is one of the critical problems that malware poses for cyber security.

However, current methods primarily rely on hand-crafted features and outdated data, and therefore generalize poorly.

HTTP traffic carries much of this behavior, with adversaries mimicking innocent user behavior and hiding malicious data within standard fields.

Data Breach

MGM Systems Hack

In a recent development, MGM Resorts, a prominent hotel and casino giant, has confirmed the presence of a cybersecurity issue responsible for an ongoing system outage that has affected its properties in Las Vegas.

In a statement on social media, the company stated, “MGM Resorts recently identified a cybersecurity issue affecting some of the company’s systems.”

Airbus Cyber Attack

According to recent reports, a threat actor has compromised the confidential information of 3,200 Airbus vendors. The exposed data includes sensitive details such as names, phone numbers, and email addresses.

In addition, the perpetrator behind the recent attack announced their intention to target Lockheed Martin and Raytheon in upcoming attacks. The actor, known as “USDoD,” had previously sold the database of the FBI’s InfraGard information-sharing program in December 2022.

Hackers Claim MGM Resorts Were Compromised in 10 Minutes

In a recent cyber incident, the ALPHV/BlackCat ransomware group has claimed responsibility for causing disruptions at MGM Resorts. 

Their method involved gaining an employee’s trust via a phone call, which reportedly took only 10 minutes to execute.

The ALPHV ransomware group detailed their approach, stating, “All ALPHV ransomware group did to compromise MGM Resorts was hopped on LinkedIn, find an employee, then call the Help Desk.”

Caesars Entertainment Hacked

Caesars Entertainment Inc. has reportedly paid a substantial sum to hackers who infiltrated the company’s systems and threatened to release sensitive data. 

This breach follows closely on the heels of another cyberattack on MGM Resorts International.

Caesars Entertainment has not officially commented on the situation, but after Bloomberg News initially reported the cyberattack, the company disclosed it in a regulatory filing. 

This revelation had a minimal impact on the company’s stock, with shares remaining relatively unchanged.


Massive DDoS Attacks at 633.7 Gbps

DDoS attacks evolve with changing technology and attacker motivations, and recent cases have involved significant damages and legal consequences.

Recently, Akamai's Prolexic DDoS defense platform stopped the largest DDoS attack yet seen against a major U.S. financial institution's platform, peaking at 633.7 Gbps and 55.1 Mpps. Security analysts at Akamai reported that the attack lasted less than 2 minutes.

Keep informed about the latest Cyber Security News by following us on Google News, LinkedIn, Twitter, and Facebook.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.