Cyber Security News Weekly Round-Up (Vulnerabilities, Cyber Attacks, Threats & New Stories)

Welcome to this week’s edition of the Cyber Security News Weekly Round-Up. This issue covers the latest vulnerabilities, cyber attacks, and emerging threats that have been making headlines. Stay informed and stay secure!

Threat

ToddyCat APT Hackers Deploy Multiple Tools to Hijack Network Infrastructure 

New insights have emerged into the Advanced Persistent Threat (APT) group known as ToddyCat and its sophisticated methods of hijacking network infrastructure to steal sensitive data from governmental organizations across the Asia-Pacific region.

Meet the New Flexible Kapeka Backdoor With Destructive Attacking Capabilities

A new backdoor named “Kapeka” has been observed attacking victims in Eastern Europe since mid-2022. Kapeka is a flexible backdoor that acts as an initial-stage toolkit for the threat actors.

Hackers Offering Admin Access to 3000 Fortinet SSL-VPN Devices

Hackers are now offering administrative access to over 3000 Fortinet SSL-VPN devices. This breach poses a significant threat to the security of the numerous organizations relying on these devices for secure remote access.

Cactus Ransomware Exploiting Qlik Servers Vulnerability

The Cactus ransomware gang has been exploiting vulnerable Qlik Sense servers since November 2023 using multiple vulnerabilities, namely CVE-2023-41266 (Path Traversal), CVE-2023-41265 (HTTP Request Tunneling) and CVE-2023-48365 (Unauthenticated Remote Code Execution).

PlugX USB worm Infected Over 2.5M Devices

A new menace has emerged, affecting millions of devices worldwide. The PlugX USB worm, a sophisticated piece of malware, has been reported to have infected over 2.5 million devices, posing a significant threat to global cybersecurity. The PlugX malware, initially identified several years ago, has gained notoriety for its resilience and its ability to spread through USB drives.

Beware Of Fake MetaMask Android Apps That Steal Login Details 

Threat actors use fake Android apps primarily to steal sensitive personal information from unsuspecting users. These fake apps often mimic legitimate ones to trick users into downloading and installing them from unofficial sources.

Seedworm Hackers Exploit RMM Tools to Deliver Malware

The notorious hacking group Seedworm, also known as MuddyWater, has been found exploiting legitimate remote monitoring and management (RMM) tools to orchestrate sophisticated malware attacks. This revelation underscores a significant shift in cybercriminals’ tactics, with them leveraging trusted software to bypass traditional security measures.

Beware! Notorious Samurai Stealer Used in Targeted Attacks

A new type of malware, the “Samurai Stealer,” has been identified in a series of targeted attacks. This malicious software is reportedly designed to infiltrate systems, steal sensitive information, and evade detection with alarming sophistication.

New Qiulong Ransomware Well-Equipped To Make Waves

The Qiulong ransomware gang, a new cyber threat actor, has emerged targeting Brazilian victims, announcing its arrival by compromising Dr. Lincoln Graca Neto and Rosalvo Automoveis, two entities located in Brazil. The attackers created a website on which they posted data breaches containing summaries of the compromised targets, including mocking content directed at Dr. Lincoln Graca Neto.

Hackers Weaponized Electron Framework to Steal Data Stealthily

Hackers abuse the Electron Framework’s cross-platform desktop app capabilities, which are built on web technologies such as HTML, JavaScript, and CSS. The flexibility and widespread adoption of the Electron Framework enable the creation of malicious programs that run across operating systems.

New Wavestealer Spotted in Wild Stealing Login Credentials & Credit Card Data

A new type of malware dubbed “Wavestealer” has been identified. This malicious software reportedly steals sensitive information such as login credentials and credit card data from unsuspecting users. Wavestealer is designed to infiltrate computer systems silently and remains undetected by most conventional antivirus programs.

Malicious PyPI Package Steals Discord Credentials

A malicious package found on the Python Package Index (PyPI) has been discovered stealing Discord credentials. The package, named “DiscordSafety,” masquerades as a security tool but performs malicious activities in the background. Users are advised to verify the authenticity of packages before installation.

SIM Swap Fraud Scheme Uncovered

A sophisticated SIM swap bribery scheme has been uncovered, involving insiders at mobile service providers. This scheme allows attackers to gain control over victims’ mobile phone numbers, leading to potential financial fraud and identity theft. Awareness and preventive measures are key to combating such schemes.

Citrix UberAgent Flaw Allows Privilege Escalation

A critical vulnerability in Citrix’s monitoring tool, uberAgent, identified as CVE-2024-3902, could allow attackers to escalate their privileges within affected systems. This flaw impacts specific versions of uberAgent and has been rated with a CVSS score of 7.3. Users are urged to upgrade to uberAgent version 7.1.2 or later to mitigate this risk.

VMware ESXi Shell Service Exploit Circulates Online

A new exploit targeting the VMware ESXi Shell Service has been discovered, posing significant risks to virtual environments managed via VMware. This exploit could allow unauthorized command execution, potentially leading to data theft and system disruption. VMware has issued an urgent advisory for users to apply the latest patches.

Windows MagicDot Vulnerability Exposed

A newly discovered vulnerability in Windows, dubbed “MagicDot,” has been reported. This vulnerability can potentially allow attackers to bypass security mechanisms and execute malicious code. Details on mitigation and patches are still forthcoming. [Read more](https://gbhackers.com/windows-magicdot-vulnerability/)

APT29 Targets German Political Parties with WINELOADER Malware

APT29, a notorious Russian threat group, has been actively targeting German political entities using a sophisticated malware known as WINELOADER. The attack vector involves spear-phishing emails with malicious ZIP files. Understanding the tactics, techniques, and procedures (TTPs) used can help in defending against such targeted attacks.

Data Breach

Hackers Abuse Autodesk Drive For Hosting Weaponized PDF Files

Autodesk Drive is a data-sharing platform for organizations to share documents and files in the cloud.

It also supports 2D and 3D data files, including PDF files, and is free to use for subscribers of other Autodesk products.

Cyber Attack

MuddyWater Hackers Abusing Legitimate RMM Tool to Deliver Malware

The Iranian state-sponsored threat actor MuddyWater has been observed exploiting a legitimate remote monitoring and management (RMM) tool, Atera Agent, to conduct a sophisticated malware delivery campaign. This alarming trend has been under scrutiny since the beginning of 2024, with a notable increase in activity since October 2023, coinciding with the Hamas attack during the same period.

Hackers Exploit Google Ads to Spread IP Scanner with Concealed Backdoor

Malicious actors are distributing a new backdoor, MadMxShell, through a Google Ads campaign that impersonates an IP scanner. This Windows backdoor leverages DNS MX queries for communication with its command-and-control server. The technique involves encoding data within subdomains of DNS MX queries to send information to the attacker and receiving commands encoded within the response packets.

Hackers Employ Black Hat SEO Techniques To Deliver Malware 

Hackers use black hat SEO methods to manipulate search engine rankings and make malicious or fraudulent websites more visible. Recently, Zscaler cybersecurity researchers have seen a wave of fraudulent sites hosted on well-known web hosting services and blogging platforms that threat actors use for SEO poisoning and malware distribution. 

Volkswagen Hacked – Hackers Stole 19,000 Documents From VW Server

Volkswagen, one of the world’s leading automotive manufacturers, has fallen victim to a sophisticated hacking operation in a significant cybersecurity breach. Investigations suggest that the cyberattack originated in China, raising concerns over international cyber espionage and its implications for the global electric vehicle (EV) industry. The cyberattack on Volkswagen was first detected earlier this week, but details of the incident have only recently come to light following investigations by ZDF’s frontline journalism team and Der Spiegel.

WordPress Plugin Flaw Exposes 10k+ Websites to Cyber Attacks

A critical vulnerability in the WP Datepicker WordPress plugin was identified, affecting over 10,000 active installations. This Arbitrary Options Update vulnerability (CVE-2024-3895) has been assigned a CVSS score of 8.8, indicating a high severity level.

Russian Hackers Claim Responsibility for Cyber Attack on Indiana Water Plant 

In a recent cybersecurity incident, a group of Russian-speaking hackers claimed responsibility for a cyber attack on a wastewater treatment plant in Tipton, Indiana. The attack, which occurred on Friday evening, was part of a broader pattern of similar incidents targeting water facilities in small American towns.

Russian Hackers Launched Sabotage Attacks On 20 Critical Infrastructure

Researchers identified a cyberattack by the Sandworm group targeting critical infrastructure in Ukraine in March 2024. The attack aimed to disrupt the information and communication systems (ICS) of energy, water, and heat suppliers across ten regions. 

Megazord Ransomware Attacking Healthcare And Government Entities

Hackers primarily use ransomware for financial gain, blackmailing victims into paying to recover their encrypted files and systems. However, ransomware can also be weaponized as a destructive cyber weapon that creates confusion in critical infrastructure.

Leicester City Cyber Attack Leads to Street Light Burning All Day & Night

Residents of Leicester have been facing an unusual urban phenomenon: street lights that stay lit day and night.

This issue stems from a severe cyber attack that targeted Leicester City Council’s IT systems, leading to a series of disruptions in city services, including street lighting management.

Hackers Hijacking Antivirus Updates to Deliver GuptiMiner

A sophisticated malware campaign has been compromising the update mechanism of eScan antivirus software to distribute malicious backdoors and cryptocurrency mining software. The campaign, dubbed GuptiMiner, has been linked to a threat actor with potential connections to the notorious Kimsuky group.

FBI Director Wray Issues Warning on Chinese Cyber Attacks

At the Vanderbilt Summit on Modern Conflict and Emerging Threats, FBI Director Christopher Wray highlighted the severe and ongoing cyber threats the Chinese government poses to U.S. national and economic security. Speaking to an audience of experts from various sectors, including national security, cybersecurity, and academia, Director Wray articulated the immediate risks the Chinese government presents to the United States.

UnitedHealth Group Ransomware Attack: Hackers Stole Patients’ Data

The global American health insurance and services corporation UnitedHealth Group has announced that its health IT subsidiary Change Healthcare was the target of a malicious cyberattack. Based on its initial targeted data sampling, the company has discovered files containing personally identifiable information (PII) or protected health information (PHI), which may cover a significant proportion of the US population.

Forminator WordPress Plugin Flaw Exposes Over 50,000 Websites to Cyber Attacks 

In a recent cybersecurity revelation, over 50,000 websites using the popular WordPress plugin Forminator are at risk due to multiple critical vulnerabilities. If exploited, these flaws could allow attackers to perform a range of malicious activities, from stealing sensitive data to taking complete control of the affected websites.

TransparentTribe Hackers Weaponize Websites & Documents to Attack Indian Orgs 

The hacker group known as TransparentTribe, also referred to as APT-36, has intensified its cyber espionage activities. This group, originating from Pakistan, has been actively targeting Indian government organizations, military personnel, and defense contractors with sophisticated cyberattacks aimed at compromising security and gathering sensitive information.

Hackers Mimic Road Toll Collection Services to Steal Your Money 

The FBI’s Internet Crime Complaint Center (IC3) has warned about a sophisticated smishing scam targeting drivers across multiple states. Since early March 2024, over 2,000 complaints have been filed with the IC3, detailing fraudulent text messages that masquerade as road toll collection services notifications.

Vulnerability

Hackers Actively Exploiting WP Automatic Updates Plugin Vulnerability

Hackers often target WordPress plugins because they contain security loopholes that can be exploited to break into sites without permission. Once such a loophole is found, threat actors can insert malicious scripts through it to compromise the system, obtain secret data, and carry out any other attack that serves their requirements.

PoC Exploit Released For Critical Flowmon Vulnerability 

Progress addressed a critical vulnerability last week: an unauthenticated command injection in the Progress Flowmon product. This vulnerability was assigned CVE-2024-2189 and a severity score of 10.0 (Critical).

Chrome Critical Flaw Let Attackers Execute Arbitrary Code: Patch Now

Google announced the release of Chrome 124, which fixes four vulnerabilities, including a critical security issue that allows attackers to execute arbitrary code. Over the next few days or weeks, the Google Stable channel will be updated to 124.0.6367.78/.79 for Windows and Mac and 124.0.6367.78 for Linux. 

ArcaneDoor Exploiting Cisco Zero-Days To Attack Government Networks 

Hackers target Cisco zero-days because the widely used networking equipment that contains them allows many systems and networks to be affected in one shot. Attackers use these vulnerabilities to gain unauthorized entry, execute arbitrary code, or perform other malicious actions, putting the organizations that rely on Cisco infrastructure at great risk.

Social Engineering Paves the Way for the XZ Cyber Incident 

The XZ cyber incident is a textbook example of how sophisticated social engineering tactics can lead to significant security breaches. Over the course of two years, a carefully planned attack was executed against the popular XZ Utils open-source project.

CrushFTP Zero-Day Could Allow Attackers To Gain Complete Server Access 

CrushFTP disclosed a zero-day vulnerability (CVE-2024-4040) affecting versions below 10.7.1 and 11.1.0. The vulnerability allows remote attackers with low privileges to bypass the VFS sandbox and read arbitrary files on the underlying filesystem. It could be exploited for server-side template injection (SSTI) attacks, granting attackers complete control over the compromised CrushFTP server and allowing remote attackers to bypass authentication, read arbitrary files with root privileges, and execute code on the server.

IBM QRadar XSS Flaw Let Attackers Execute Arbitrary JavaScript Code

A significant vulnerability was detected in IBM QRadar Suite Software and Cloud Pak for Security, allowing attackers to execute arbitrary JavaScript code. Through stored cross-site scripting, an attacker can insert harmful executable scripts into the code of an otherwise trusted program or website.

GitLab High-severity Flaw Let Attackers Takeover Account – Update Now

GitLab released security patches 16.11.1, 16.10.4, and 16.9.6 for both Community and Enterprise Editions, and upgrading to these versions is strongly recommended to address vulnerabilities. Scheduled patch releases occur twice a month, while ad-hoc critical patches are released for high-severity vulnerabilities. Details of the vulnerabilities will be made public 30 days after the corresponding patch release. 

Major Security Flaw in Popular Keyboard Apps Puts Millions at Risk 

Researchers have uncovered critical security vulnerabilities in several widely used keyboard apps, including those from major tech giants Samsung, OPPO, Vivo, and Xiaomi.

These flaws could allow network eavesdroppers to intercept and decipher every keystroke a user makes, exposing sensitive personal and financial information.

Citrix UberAgent Vulnerability Allows Attackers To Escalate Privileges

Citrix’s uberAgent, a sophisticated monitoring tool used to enhance performance and security across Citrix platforms, has been identified as having a critical vulnerability. The flaw, tracked under CVE-2024-3902, could allow attackers to escalate their privileges within the system, posing a significant threat to organizations using affected software versions.

Russian Hackers Exploiting Windows Print Spooler Using GooseEgg Tool 

Hackers abuse Windows Print Spooler vulnerabilities because the service runs with elevated SYSTEM privileges, allowing privilege escalation. Exploiting it also enables remote code execution and credential theft.

48 Vulnerabilities Uncovered In AI Systems: Surge By 220%

Since the initial disclosure of 15 vulnerabilities in November 2023, a 220% increase in vulnerabilities impacting AI systems has been discovered, bringing the total to 48 vulnerabilities. The world’s first AI/ML bug bounty program, Protect AI, analyzes the whole OSS AI/ML supply chain for significant vulnerabilities. 

GPT-4 Is Capable Of Exploiting 87% Of One-Day Vulnerabilities 

Large language models (LLMs) have achieved superhuman performance on many benchmarks, leading to a surge of interest in LLM agents capable of taking action, self-reflecting, and reading documents. While these agents have shown potential in areas like software engineering and scientific discovery, their ability in cybersecurity remains largely unexplored.

WordPress Responsive Theme Flaw Let Attackers Inject Malicious HTML Scripts 

A vulnerability was identified in the WordPress theme “Responsive,” allowing attackers to inject arbitrary HTML content into websites. This flaw, tracked as CVE-2024-2848, poses a severe risk to website integrity and user safety.

Lambda Layers Code Execution Flaw Leads To Supply Chain On AI/ML Applications 

A new supply-chain vulnerability has been identified in the Lambda Layers of third-party TensorFlow-based Keras models. This vulnerability could allow threat actors to inject arbitrary code into any AI/ML application that loads such a model. Any Lambda Layers built with Keras versions before 2.13 are susceptible to this supply chain attack.

New Stories

Microsoft Releases Historical MS-DOS 4.0 Source Code to the Public 

In a significant move for tech enthusiasts and historians alike, Microsoft has made the source code for MS-DOS 4.0 publicly available. This decision marks a pivotal moment in the accessibility of historical software, allowing developers, students, and technology aficionados to explore the inner workings of one of the most influential operating systems in the history of personal computing.

KnowBe4 to Acquire Egress to Aid Email Awareness Training

KnowBe4, the leader in security awareness training and simulated phishing platforms, has announced its definitive agreement to acquire Egress, a pioneer in adaptive and integrated cloud email security. This acquisition is set to create the most extensive, AI-driven cybersecurity platform focused on managing human-related risks.

AeroNet Wireless Launches 10Gbps Internet Plan: A Landmark Moment in Puerto Rico’s Telecommunications Industry 

The telecom company AeroNet Wireless announced the launch of its new 10Gbps speed Internet plan, marking an important landmark for the telecommunications sector in Puerto Rico. “We have invested millions to expand and strengthen our network, demonstrating our commitment to launching Puerto Rico to the next level of connectivity and Internet services.

Founders of Cryptocurrency Mixing Service Arrested for Money Laundering Offenses 

Rodriguez and Hill, founders of the cryptocurrency mixing service Samourai, have been arrested for operating an unlicensed money-transmitting business and facilitating large-scale money laundering activities. The service, operational since 2015, is accused of processing over $2 billion in transactions, a substantial portion of which were derived from criminal proceeds.

AI-Based Brute-Forcing Attack Outperforming Probabilistic Model 

Web Vulnerability Assessment and Penetration Testing (Web VAPT) aims to identify vulnerabilities in web apps. Directory brute-forcing attacks are used to establish which directories are reachable, but current wordlist-based methods are ineffective.

Google Meet Now Allows Non-Google Account Users to Join Encrypted Calls 

Google has announced that external participants without Google accounts can join client-side encrypted Google Meet calls. This move marks a substantial step in balancing user accessibility with robust security measures.

Research

Proton Mail Unveils Dark Web Monitoring to Check for Credentials Leaks 

Proton Mail has introduced a new feature to enhance the safety of its users’ online identities. The new Dark Web Monitoring tool is designed to alert users about potential credential leaks, ensuring they can take immediate action to protect their accounts.

This week’s roundup highlights the importance of vigilance and timely updates in the realm of cyber security.

The landscape continues to evolve from critical vulnerabilities in widely used software to sophisticated cyber attacks and emerging threats.

Stay updated, stay secure, and ensure you’re taking proactive steps to protect your digital assets.

Visit our platform regularly for more detailed analysis and up-to-date cyber security news. Stay safe and informed!

Work done by a Team Of Security Experts from Cyber Writes (www.cyberwrites.com) - World’s First Dedicated Content-as-a-Service (CaaS) Platform for Cybersecurity. For Exclusive Cyber Security Contents, Reach at: [email protected]