Cyber Security News Weekly Round-Up Vulnerabilities & Threats
The weekly news summary keeps you up to date with what’s happening in cybersecurity, including developments, vulnerabilities, breaches, threats, and defensive strategies.
Knowing about new cyber risks and attack vectors helps you put up safeguards and preventive measures as soon as possible to protect your systems.
Remaining constantly aware gives you a holistic view of the fast-changing world of cyber security so that you can protect your assets from an environment filled with dynamic threats effectively.
Cyber Attack
Russian Hackers Exploit Outlook Flaw
APT28 or Fancy Bear, Russian state-sponsored hackers have taken advantage of a critical flaw in Microsoft Outlook to steal email accounts at scale.
This group, which is associated with Russia’s military intelligence agency GRU, has attacked government agencies, energy facilities, transportation systems, and other important institutions in the US, Europe, and the Middle East.
The vulnerability exploited, “CVE-2023-23397,” is an ‘extremely critical’ elevation of privilege bug within Windows Outlook.
Although Microsoft issued a patch for it back in March 2023 already, but, still these threat actors continue using this and other bugs to carry out advanced cyber espionage actions across various countries.
According to Microsoft Exchange’s infrastructure knowledge displayed by them, it seems that they know how exactly it works internally so that such precise assaults are possible against particular victims.
ArcaneDoor Hackers Exploited Cisco Firewall Zero-Days
A state-sponsored threat actor called “UAT4356” has been identified as the group behind the ArcaneDoor campaign that exploited Cisco Firewall zero-days and targeted government perimeter network devices worldwide, according to an analysis of the report on ArcaneDoor hackers and their link to China.
Cisco Firewalls were chosen for attack due to their presence and potential flaws which could allow unauthorized access or cyber-attacks, said the campaign known as “ArcaneDoor.”
Hackers set up their infrastructure sometime in late 2023 but it wasn’t until early January 2024 that any noticeable activity was recorded, this is according to findings made public by Censys. The researchers from Censys came across strong evidence connecting those responsible with Beijing such as employing Trojan Panel – a Chinese scheme designed for masking malware-like activities.
Hackers Attacking GitLab Password Reset Vulnerability
A widely utilized open-source cloud-based Git repository platform, GitLab, is at the center of attention after CISA declared a critical alert related to a flaw. The vulnerability identified as CVE-2023-7028 allows hackers to skip password reset protocols which helps attackers in getting unauthorized access to private projects and confidential information.
This is especially dangerous for many companies around the world that employ GitLab in their software development, continuous integration, and continuous deployment pipelines.
In view of this weakness, the agency has declared immediate action such as patching up any vulnerable systems with updates from official sources while monitoring them closely among other recommended mitigations against potential attacks exploiting this vulnerability according to another report published by CISA, who also said we should use some methods like enhanced monitoring which may include logging and analysis tools.
Hackers Infiltrated 9-days Within UnitedHealth Network
A significant ransomware attack was carried out on UnitedHealth Group, a major healthcare provider, by a cybercriminal group going by the name ALPHV or BlackCat. The network of Change Healthcare, an important part of the UnitedHealth network, was breached by these attackers during a 9-day time frame before they launched their ransomware.
This permitted them to slip through undetected by the defenses laid out in the computer system and prepare for their assault, as a result, this software virus encoded the files across systems which caused severe disruptions in many areas such as functions of Change Healthcare.
In order to prevent the further spread of malware from data centers run by Change Healthcare, UnitedHealth Group had to act fast and cut off connection with them immediately after noticing what had happened.
Though only affecting Change Healthcare directly, this attack greatly impacted different aspects of UnitedHealth Group’s activities. While working together with the FBI to look into this matter and improve its cyber security measures.
Millions of Docker Hub Repositories Found Pushing Malware
Almost one-fifth of the repositories in Docker Hub have been used to distribute malware and phishing scams.
JFrog’s security research team made this discovery after finding that there were more than 3 million malicious repositories active on the platform — with some operating for over three years.
Upon learning of these findings, the team quickly alerted Docker’s security team who then removed 3.2 million potentially harmful repositories from their system. This serves as a reminder that we need better monitoring systems throughout our software ecosystem if we want it to stay safe.
0-Day Vulnerability in Zyxel VPN Device
Threat actors say they have found a zero-day bug in Zyxel VPN devices, which might enable them to hack private networks. The flaw is described as critical because it puts at risk every major sector such as government, finance, and health.
The Chinese company has not yet acknowledged this issue, however, it did ask people to keep an eye on their networks and follow approved measures of security.
Zyxel still needs to make any comment regarding what steps will be taken next concerning this huge security threat that might affect many organizations across various industries.
Mal.Metrica Malware Hijacks 17,000+ WordPress Sites
In 2024, over 17,000 websites were infected by a major malware campaign known as Mal.Metrica targets WordPress sites by inserting harmful scripts into vulnerable plugins that look like legitimate services. This malware uses Yandex.Metrica to do this and takes advantage of well-known plugins such as tagDiv Composer, Popup Builder, WP Go Maps, or Beautiful Cookie Consent Banner among others.
To boost click-through rates on scams the attackers employ fake CAPTCHA-like prompts which redirect users towards malicious domains.
Researchers have identified those responsible for Mal.Metrica and point out that if these security holes had been fixed earlier there would not have been so many infections spread around.
Hackers Exploit Microsoft Graph API
Through the use of Microsoft cloud services, hackers have been able to exploit the Microsoft Graph API for command-and-control communications.
Security analysts have found a new malicious software called BirdyClient which uses Microsoft OneDrive to carry out malicious activities on an organization in Ukraine.
This new threat displays a worrying tendency among threat actors who are now using legitimate cloud services as a cover for their activities by making it difficult to detect the malware since it can appear like any other valid program.
Vulnerability
A directory traversal vulnerability (CVE-2024-23334) is shown in the report to affect versions previous than 3.9.2 of aiohttp, which permits attackers from remote locations to access sensitive files due to insufficient validation.
There are more than 43,000 publicly accessible instances that are affected by this weakness and it has become a popular target for exploitation. Scanning activities designed at vulnerable systems have started being carried out by groups like ShadowSyndicate who were first in line to exploit this vulnerability.
The potential implications include data breach, intellectual property theft as well as financial loss hence there is an immediate need for patching up systems with Aiohttp 3.9.2 or later version in order to mitigate this risk.
Android Bug Leaks DNS Traffic
The report points out an important Android bug that causes DNS traffic to leak while switching VPN servers, which in turn can disclose a user’s online activity to threat actors.
Different versions of Android are affected by the vulnerability, even the newest Android 14, and it was first published on Reddit and verified by Mullvad VPN.
DNS leaks happen in certain situations like when there is no DNS server specified in a running VPN or during reconfigurations of VPN apps. To plug this hole until the problem is marketed with upstream at Android OS level, Mullvad VPN plans to employ a temporary fix which involves setting up a fake DNS server.
Path Traversal Vulnerability
The account shows that a path-crossing vulnerability has been reported in Xiaomi’s File Manager and WPS Office, among other widely used Android apps. Each of these applications has been installed more than 500 million times, the misuse of this flaw allows hackers to rewrite files by initiating random code execution and stealing tokens.
Microsoft and Google have advised developers on how to avoid the occurrence of such flaws. They stress the need for carefulness when dealing with file names, avoidance of some methods without caution as well as updating apps only from trusted sources.
Various apps were found vulnerable by Microsoft who took part in fixing them while working together with Google to come up with recommendations that will complain up security measures surrounding them.
Postman API Testing Platform Flaw
More than 4,000 active credentials were exposed and multiple SaaS and cloud providers were affected after a critical vulnerability was found in Postman by Truffle Security Co.
The bug resulted in the exposure of sensitive URIs and live secrets from major firms like GitHub, GCP, and AWS. The seriousness of this situation lies in the fact that it may allow unauthorized access as well as lead to data breaches.
Workspace settings need to be checked by users who should also scan for exposed secrets with TruffleHog’s Postman secret scanner.
Judge0 Security Flaw
Judge0, an open-source service for secure sandboxed code execution, has a critical security flaw. Attackers can execute arbitrary code on the host machine with root access due to this vulnerability (known as CVE-2024-29021, CVE-2024-28185, and CVE-2024-28189).
As a consequence of unauthorized entry into sensitive data or causing disturbances in service provision and promoting other types of attacks across networks, this discovery made by Tanto Security demands rapid reactions from cyber defense experts who advise immediate fixes need to be deployed on all instances running Judge0 to ensure its safety.
Cisco IP Phone Vulnerability
There are some vulnerabilities in the IP Phone firmware of Cisco, and these affect many models in the series of Cisco IP Phones. They might allow attackers who are not authenticated or those who are remote to launch denial of service (DoS) attacks, access without permission, and view sensitive information.
To fix such vulnerabilities, Cisco has issued software updates which it says do not have any practical solutions for now. Some of the vulnerabilities include the web-based management interface and XML service problems which should be updated as soon as possible on affected devices.
Cyber News
AI-Based Webshell Detection Model
There has been a boom in AI-powered webshell detection techniques, with researchers exploring various approaches such as attention mechanisms, word embeddings, abstract syntax tree analysis, opcode vectorization, pattern matching, and session modeling from weblogs.
These AI and deep learning models have been shown to outperform traditional static and rule-based methods in detecting webshells with diverse forms, obfuscation techniques, and stealthy features.
However, the report notes that these methods are still limited by their inflexible filtering rules and reliance on specific programming languages.
It emphasizes the need for further improvements in feature engineering and the design of new model architectures to keep up with the evolving webshell threats.
CISA & FBI Urges Developers to Eliminate Directory Traversal Flaws
In their joint alert, CISA and the FBI are calling on developers to fix directory traversal vulnerabilities that have been used in some recent cyber-attacks. Healthcare and education were among the critical sectors affected by such disruptions as “CVE-2024-1708” and “CVE-2024-20345.”
The warning stresses transparency about security testing practices, while also noting ongoing difficulties in protecting software from cyber threats. According to CISA’s Known Exploited Vulnerabilities catalog, there are 55 different varieties of this vulnerability alone.
Russian Hackers Attacking Critical National Infrastructure
The UK’s critical national infrastructure is being targeted again by Russian-backed gangs in a new wave of cyber threats, according to the National Cyber Security Centre (NCSC). These groups have grown and changed greatly since one and a half years ago when they started demonstrating strong ideological affinity with Russia’s geopolitical interests following its invasion of Ukraine.
In contrast with traditional state-run cyber espionage units, these organizations have some independence which makes it hard to predict what they will do next or how far their actions could reach. They seem to be driven mainly by ideology rather than money.
Organizations should improve their cybersecurity immediately if they want protection against potential disruptions warned NCSC which particularly highlighted critical sectors such as energy or transport.
Massive Social Engineering Attack From North Korean Hackers
North Korean hackers, also known as the cyber team Kimsuky, are responsible for a large social engineering attack that the US government has warned about.
The Department of State released this advisory together with the FBI and NSA where they outlined some of the sophisticated methods employed by this group such as targeting think tanks among other organizations including academic institutions or media personnel.
Moreover, it also highlighted the need for being watchful, due to which they are working together more closely as well as taking proactive measures towards protecting networks from spear-phishing campaigns while rolling up their security systems.
Utilize Azure Logs To Identify Threats
The report discusses how Microsoft suggests using Azure Logs to improve threat-hunting abilities by stressing the need for being proactive in monitoring to detect security threats before they become major problems.
It points out that Azure has strong logging and monitoring tools, which include strategies, methods and log analysis techniques advised by security professionals working at Microsoft. The report uses a hypothetical attack scenario as an example to show why it is important to closely watch what is happening in Azure logs so that we could catch such sophisticated attacks like ‘Pass the Cookie’ assault.
Also, it underlines the importance of investigating attackers’ activities within the Azure environment through log analysis methods in order not only to prevent further attacks but also strengthen cloud security altogether.
Threats
New macOS Adload Malware
A new variation of the Adload virus has been found that can get around macOS’ built-in antivirus detection. Although Apple recently improved its XProtect malware signature list to better guard against Adload, this new variant has already neutralized those efforts.
According to the report, the hackers have made some small changes — like swapping out a string in the code — to hide from being caught. This poses a major risk for Mac security since this version of Adload evades Apple’s integrated antivirus protection even with their most recent updates.
Threat Actors Selling RDP Access
Underground hacker forums are selling Remote Desktop Protocol (RDP) access, putting cyber security communities on red alert.
This worrying new development means that people’s and businesses’ online safety could be in serious danger. If an unauthorized person were to use this, they might be able to get hold of important data or even take control of vital systems.
Typically the sale includes a username, password, and IP address for an already compromised or vulnerable system found either through phishing attacks, credential stuffing, or by exploiting vulnerabilities within RDP itself among other methods.
MailCleaner Vulnerabilities
There were critical vulnerabilities in MailCleaner before 2023.03.14 that let attackers take over the device remotely with administrator interaction with attacker links or sites, malicious emails, and SOAP endpoint exploitation.
This vulnerability affects the confidentiality and integrity of the whole system as well as all processed emails. If authenticated attackers gain administrative rights they may execute arbitrary commands or manipulate files on the system which can be dangerous especially when deployed in clusters.
Remote attackers can gain root access through a crafted email by exploiting an OS command injection flaw in the email cleaning cronjob of MailCleaner that is considered critical.
Dropbox Sign Hacked
A massive security compromise hit Dropbox Sign, a product of Dropbox. In this incident, attackers gained access that was not permitted to consumer information sensitive in nature including names as well as email addresses among other personal details. On April 24th the violation was discovered, however, API keys were compromised together with MFA and hashed passwords.
As a result, they acted quickly by resetting all passwords but also logging out users who were connected through various devices while at the same time rotating API keys alongside OAuth tokens so that safety could be improved more effectively.
The damage caused affected many individuals which forced them into taking instant measures towards securing their systems from further unauthorized entry into user data records maintained by Dropbox.
New Android Trojan
The report shows that the researchers at XLab, a cyber security firm, have discovered a new strain of Android malware called “Wpeeper.” It is an advanced backdoor Trojan horse that gets into Android systems through repackaged apps on third-party platforms such as UPtodown and avoids antivirus software detection.
Wpeeper uses hacked WordPress sites to distribute itself as relay servers so it can hide its full functionality better while increasing the number of installations.
Being multi-staged and having command-and-control infrastructure designed to be hard to find makes this one dangerous piece of software, consequently the importance of user collaboration with security personnel who should involve themselves in dealing with emerging threats like Wpeeper.
GoldDigger Malware
The GoldFamily trojan, also known as GoldDigger Malware, has been revised to use AI-generated deep fake photos. It does this so that it can trick people into giving up control over their bank accounts.
This malware is designed for Android and iOS devices primarily but not exclusively, it steals facial recognition data along with personal identification documents. With these stolen items in hand, it can gain entry anywhere that requires authentication or sensitive information on various platforms.
Infoblox’s DNS Early Detection Program works by spotting early which domains are related to the suspicious activities of GoldFamily consequently preventing cyber-attacks at their onset through blocking them on time. The transformation undergone by this software signifies how much deeper cybersecurity needs to go when combating against deepfake verification attacks.
VNC Is The Hacker’s New Remote Desktop Tool
The report highlights VNC as a prevalent tool for cyber attacks due to its base port structure, making it challenging to secure with firewalls.
Attackers exploit weak credentials and software vulnerabilities, with a significant portion of attacks originating from China. VNC, a platform-independent remote desktop tool, has been the most targeted application, leveraging a critical vulnerability in RealVNC.
Remote desktop software poses security challenges for IT teams, with VNC being a prime target due to its widespread use and vulnerabilities.
Russian Hackers Attacking Small-Scale Infrastructure Sectors
Russian hackers are actively targeting small-scale operational technology systems in critical sectors like Water and Wastewater Systems, Dams, Energy, and Food and Agriculture across North America and Europe.
These cyberattacks pose significant threats to public safety and health, emphasizing the importance of robust cybersecurity measures to defend against unauthorized access and disruptions in essential infrastructure.
USB Malware Attacks
The Honeywell 2024 GARD USB Threat Report shows that there has been a notable rise in the use of malware on industrial USB devices, with detections increasing by 33% from last year.
This type of malicious software can cause severe damage to operational technology (OT) systems, as 26% of them can create problems such as loss of control or data visibility.
The report underscores how important it is to have strong safeguards against cyber-attacks via USBs in place for critical infrastructure, mainly focusing on industrial control systems and internet-of-things (IoT) devices.
New Android Malware Mimic As Social Media Apps
To steal sensitive user data, Android malware is imitating well-known social media apps more and more. A typical method of these harmful applications is to pretend to be real ones so that users unknowingly give permissions and install them.
When it gets installed, the virus can view private information, track what the user does, or even do things on the device without authorization. To prevent this kind of risk, individuals have to download applications only from trusted app stores, check permissions carefully, and employ anti-malware software.
It is important to stay watchful and follow safety measures in order not to fall for such advanced attacks of Android malware.
Darkgate Malware
The DarkGate malware is a Remote Access Trojan (RAT) developed using Borland Delphi and marketed as a Malware-as-a-Service (MaaS) offering on a Russian-language cybercrime forum since at least 2018.
It has a wide range of capabilities, including process injection, file download and execution, data theft, shell command execution, and keylogging. Researchers have observed a concerning increase in the spread of DarkGate over the past three months, with a significant global presence.
One of the key findings is that the DarkGate malware can evade detection by Microsoft Defender SmartScreen, which prompted Microsoft to release a patch to address the underlying vulnerability.
The DarkGate malware’s sophisticated infection chain, leveraging vulnerabilities in Microsoft Defender SmartScreen and the AutoHotkey utility, highlights the evolving tactics employed by threat actors.
New Research
Pathfinder
By exploiting the conditional branch predictor, Pathfinder steals modern chips’ sensitive data. This flaw allows hackers to control branch mispredictions with precision and disclose private information such as encryption keys.
The attack works by seizing the Path History Register (PHR), which keeps track of the last 194 taken branches’ addresses and orders. Consequently, this opens up an unheard-of ability for attackers to see how victim programs are controlled, enabling complex Spectre-style attacks.
In the researchers’ analysis that will be presented at the ACM ASPLOS Conference in 2024, the scientists leaked secret images through it and extracted encryption keys thereby pointing out its significant security consequences. Intel along with AMD has been informed about these findings which they are now looking into fixing.
Safari Flaw
The EU iPhone users could be subject to unauthorized tracking due to a serious security flaw in Apple’s Safari browser. It has been found that this loophole is related to iOS 17.4’s new feature which allows installing applications from different marketplaces through Safari.
Researchers found out that they can track people on various sites by the misuse of a fresh URI scheme named marketplace-kit.Apple lacks some protections against such abuses present in Brave and other browsers consequently posing threats to privacy and security.
Concerns about privacy and security have been raised because of this misimplementation of marketplace kits by Apple when compared with those used by Brave or any other browser which also led them to discover vulnerabilities. Reliable advice would be not to install apps from third-party stores until the problem is fixed.
Empty S3 Bucket Led to a Massive AWS Bill
The report highlights an incident where an AWS customer faced a substantial $1,300 bill due to an empty S3 bucket misconfiguration caused by a popular open-source tool. Despite creating the bucket for testing, unauthorized backups led to a surge in requests, resulting in unexpected costs.
The customer’s experience underscores the importance of proper tool configuration and S3 bucket naming conventions to prevent security risks and unexpected charges.
Gemini 1.5 Pro
Gemini 1.5 Pro is an advanced AI tool introduced by Google for automated malware analysis, capable of processing up to 1 million tokens. This tool revolutionizes malware analysis by providing a comprehensive understanding of complex malware samples, even identifying zero-day threats undetected by traditional antivirus software.
By analyzing the entire code at once, Gemini 1.5 Pro gains a deep understanding of malware behavior, enabling accurate and thorough analysis. It significantly expands the scope of automated analysis, offering a groundbreaking approach to detecting malicious intent in previously unseen threats.
