zCat
npub1zm7j...pnd6
zCat - Android App about Zcash, privacy and cybersecurity news aggregator
zCat 1 year ago
APT-K-47 Uses Hajj-Themed Lures to Deliver Advanced Asyncshell Malware

The threat actor known as Mysterious Elephant has been observed using an advanced version of malware called Asyncshell. The attack campaign is said to have used Hajj-themed lures to trick victims into executing a malicious payload under the guise of a Microsoft Compiled HTML Help (CHM) file, the Knownsec 404 team said in an analysis published today. Mysterious Elephant, which is also known as APT-K-47, is a threat actor of South Asian origin that has been active since at least 2022, primarily targeting Pakistani entities. The group's tactics and tooling have been found to share similarities with those of other threat actors operating in the regions, such as SideWinder, Confucius, and Bitter.

See more:

#cybersecurity #malware #asyncshell
zCat 1 year ago
Chinese hackers target Linux with new WolfsBane malware

A new Linux backdoor called 'WolfsBane' has been discovered, believed to be a port of Windows malware used by the Chinese 'Gelsemium' hacking group. ESET security researchers who analyzed WolfsBane report that WolfsBane is a complete malware tool featuring a dropper, launcher, and backdoor, while it also uses a modified open-source rootkit to evade detection. The researchers also discovered 'FireWood,' another Linux malware that appears linked to the 'Project Wood' Windows malware. However, FireWood is more likely a shared tool used by multiple Chinese APT groups rather than an exclusive/private tool created by Gelsemium.

See more
BleepingComputer: https://www.bleepingcomputer.com/news/security/chinese-gelsemium-hackers-use-new-wolfsbane-linux-malware/
Infosecurity magazine:

#cybersecurity #malware #linux
zCat 1 year ago
Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia

Threat actors with ties to Russia have been linked to a cyber espionage campaign aimed at organizations in Central Asia, East Asia, and Europe. Recorded Future's Insikt Group, which has assigned the activity cluster the name TAG-110, said it overlaps with a threat group tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0063, which, in turn, overlaps with APT28. The hacking crew has been active since at least 2021. "Using custom malware tools HATVIBE and CHERRYSPY, TAG-110 primarily attacks government entities, human rights groups, and educational institutions," the cybersecurity company said in a Thursday report. "HATVIBE functions as a loader to deploy CHERRYSPY, a Python backdoor used for data exfiltration and espionage."

See more:

#cybersecurity #malware
zCat 1 year ago
Google Exposes GLASSBRIDGE: A Pro-China Influence Network of Fake News Sites

Government agencies and non-governmental organizations in the United States have become the target of a nascent China state threat actor known as Storm-2077. The adversary, believed to be active since at least January 2024, has also conducted cyber attacks against the Defense Industrial Base (DIB), aviation, telecommunications, and financial and legal services across the world, Microsoft said. The activity cluster, the company added, overlaps with a threat group that Recorded Future's Insikt Group is tracking as TAG-100. This comes as Google's Threat Intelligence Group (TAG) sheds light on a pro-China influence operation (IO) called GLASSBRIDGE that employs a network of inauthentic news sites and newswire services to amplify narratives that are aligned with the country's views and political agenda globally.

See more:

#cybersecurity #malware #fakenews
zCat 1 year ago
Ngioweb Botnet Fuels NSOCKS Residential Proxy Network Exploiting IoT Devices

A threat actor is monetizing vulnerable Internet-of-Things (IoT) devices by infecting them with malware and listing them as residential proxies within minutes after exploitation, Trend Micro reports. Tracked as Water Barghest, the adversary has compromised over 20,000 IoT devices to date, renting them to threat actors looking to anonymize their activities. Active for at least five years, Water Barghest has remained under the radar by extensively relying on automation, erasing log files to cover its tracks, and only accepting cryptocurrency payments. The threat actor acquires IoT device vulnerabilities (including zero-days), uses publicly available online scanners to identify vulnerable devices, and then attempts to exploit them from a set of data center IP addresses. Compromised devices are quickly monetized on specialized marketplaces.

See more
Security Week:
The Hacker News:

#cybersecurity #malware #ngioweb
zCat 1 year ago
China-Backed Hackers Leverage SIGTRAN, GSM Protocols to Infiltrate Telecom Networks

A new China-linked cyber espionage group has been attributed as behind a series of targeted cyber attacks targeting telecommunications entities in South Asia and Africa since at least 2020 with the goal of enabling intelligence collection. Cybersecurity company CrowdStrike is tracking the adversary under the name Liminal Panda, describing it as possessing deep knowledge about telecommunications networks, the protocols that undergird telecommunications, and the various interconnections between providers. The threat actor's malware portfolio includes bespoke tools that facilitate clandestine access, command-and-control (C2), and data exfiltration.

See more
The Hacker News:
Infosecurity magazine:

#cybersecurity #c2 #hack #SaltTyphoon
zCat 1 year ago
NodeStealer Malware Targets Facebook Ad Accounts, Harvesting Credit Card Data

Threat hunters are warning about an updated version of the Python-based NodeStealer that's now equipped to extract more information from victims' Facebook Ads Manager accounts and harvest credit card data stored in web browsers. "They collect budget details of Facebook Ads Manager accounts of their victims, which might be a gateway for Facebook malvertisement," Netskope Threat Labs researcher Jan Michael Alcantara said in a report shared with The Hacker News. "New techniques used by NodeStealer include using Windows Restart Manager to unlock browser database files, adding junk code, and using a batch script to dynamically generate and execute the Python script."

See more:

#cybersecurity #nodestealer #malware
zCat 1 year ago
Brave on iOS adds new "Shred" button to wipe site-specific data

Brave Browser 1.71 for iOS introduces a new privacy-focused feature called "Shred," which allows users to easily delete site-specific mobile browsing data. Many sites use first-party cookies for paywall systems and usage limits, which technically enables user tracking across sessions and makes this data susceptible to sharing with third parties. Brave's new Shred feature works on a per-site basis, meaning that it can wipe data from a single website without affecting others.

See more:

#cybersecurity #privacy #brave
zCat 1 year ago
Google's AI-Powered OSS-Fuzz Tool Finds 26 Vulnerabilities in Open-Source Projects

Google has revealed that its AI-powered fuzzing tool, OSS-Fuzz, has been used to help identify 26 vulnerabilities in various open-source code repositories, including a medium-severity flaw in the OpenSSL cryptographic library. "These particular vulnerabilities represent a milestone for automated vulnerability finding: each was found with AI, using AI-generated and enhanced fuzz targets," Google's open-source security team said in a blog post shared with The Hacker News. The OpenSSL vulnerability in question is CVE-2024-9143 (CVSS score: 4.3), an out-of-bounds memory write bug that can result in an application crash or remote code execution. The issue has been addressed in OpenSSL versions 3.3.3, 3.2.4, 3.1.8, 3.0.16, 1.1.1zb, and 1.0.2zl.

See more:

#cybersecurity #fuzzing #ai
zCat 1 year ago
New Ghost Tap attack abuses NFC mobile payments to steal money

Cybercriminals have devised a novel method to cash out from stolen credit card details linked to mobile payment systems such as Apple Pay and Google Pay, dubbed 'Ghost Tap,' which relays NFC card data to money mules worldwide. The tactic builds upon the methods previously deployed by mobile malware like NGate, documented by ESET in August, which involved relaying Near Field Communication (NFC) signals from payment cards. Ghost Tap is more obfuscated and more challenging to detect, does not require the card or the victim's device, doesn't need continual victim interchange, and involves money mules in multiple remote locations interacting with Point of Sale (PoS) terminals.

See more:
BleepingComputer:
The Hacker News:

#cybersecurity #ghosttap #malware
zCat 1 year ago
New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems

Cybersecurity researchers have shed light on a Linux variant of a relatively new ransomware strain called Helldown, suggesting that the threat actors are broadening their attack focus. "Helldown deploys Windows ransomware derived from the LockBit 3.0 code," Sekoia said in a report shared with The Hacker News. "Given the recent development of ransomware targeting ESX, it appears that the group could be evolving its current operations to target virtualized infrastructures via VMware." Helldown was first publicly documented by Halcyon in mid-August 2024, describing it as an "aggressive ransomware group" that infiltrates target networks by exploiting security vulnerabilities. Some of the prominent sectors targeted by the cybercrime group include IT services, telecommunications, manufacturing, and healthcare. Like other ransomware crews, Helldown is known for leveraging data leak sites to pressure victims into paying ransoms by threatening to publish stolen data, a tactic known as double extortion. It's estimated to have attacked at least 31 companies within a span of three months. The new 'Helldown' ransomware operation is believed to target vulnerabilities in Zyxel firewalls to breach corporate networks, allowing them to steal data and encrypt devices.

The Hacker News:
BleepingComputer: https://www.bleepingcomputer.com/news/security/helldown-ransomware-exploits-zyxel-vpn-flaw-to-breach-networks/
Infosecurity magazine:

#cybersecurity #helldown #ransomware
Hackers Hijack Unsecured Jupyter Notebooks to Stream Illegal Sports Broadcasts

Misconfigured data science environments have been targeted by threat actors for sports stream ripping, according to cloud security firm Aqua Security. Honeypots operated by the company showed that cybercriminals are targeting misconfigured JupyterLab and Jupyter Notebook applications, which are web-based development environments for notebooks, code, and data. Aqua Security believes that Jupyter solutions are typically used for data science by individuals who may lack awareness of common misconfigurations that can leave servers vulnerable to hackers. Shodan shows roughly 15,000 internet-exposed Jupyter servers and approximately 1% of them — including ones belonging to individuals and companies — allow remote code execution.

See more
Security Week:
The Hacker News:
Infosecurity magazine:

#cybersecurity #jupyternotebook
zCat 1 year ago
Oracle warns of Agile PLM file disclosure flaw exploited in attacks

Oracle has fixed an unauthenticated file disclosure flaw in Oracle Agile Product Lifecycle Management (PLM) tracked as CVE-2024-21287 (CVSS score: 7.5), which was actively exploited as a zero-day to download files. Oracle Agile PLM is a software platform that enables businesses to manage product data, processes, and collaboration across global teams. Yesterday, Oracle urged Agile PLM customers to install the latest version to fix the CVE-2024-21287 flaw. "This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in file disclosure," warned Oracle.

See more:
BleepingComputer:
The Hacker News:
SecurityWeek:

#cybersecurity #oracle #zeroday
zCat 1 year ago
Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities

Apple released emergency security updates to fix two zero-day vulnerabilities that were exploited in attacks on Intel-based Mac systems. "Apple is aware of a report that this issue may have been exploited," the company said in an advisory issued on Tuesday. The two bugs were found in the macOS Sequoia JavaScriptCore (CVE-2024-44308) and WebKit (CVE-2024-44309) components of macOS. The JavaScriptCore CVE-2024-44308 flaw allows attackers to achieve remote code execution through maliciously crafted web content. The other flaw, CVE-2024-44309, allows cross-site scripting (CSS) attacks.

See more:
The Hacker News:
BleepingComputer:
SecurityWeek:
Infosecurity magazine:

#cybersecurity #apple #zeroday
zCat 1 year ago
Ubuntu Linux impacted by decade-old 'needrestart' flaw that gives root

Five local privilege escalation (LPE) vulnerabilities have been discovered in the needrestart utility used by Ubuntu Linux, which was introduced over 10 years ago in version 21.04. It could allow a local attacker to gain root privileges without requiring user interaction. The flaws were discovered by Qualys and are tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003. They were introduced in needrestart version 0.8, released in April 2014, and fixed only yesterday, in version 3.8. Needrestart is a utility commonly used on Linux, including on Ubuntu Server, to identify services that require a restart after package updates, ensuring that those services run the most up-to-date versions of shared libraries.

See more
BleepingComputer:
Infosecurity magazine:
The Hacker News:

#cybersecurity #ubuntu
zCat 1 year ago
New Stealthy BabbleLoader Malware Spotted Delivering WhiteSnake and Meduza Stealers

Cybersecurity researchers have shed light on a new stealthy malware loader called BabbleLoader that has been observed in the wild delivering information stealer families such as WhiteSnake and Meduza. BabbleLoader is an "extremely evasive loader, packed with defensive mechanisms, that is designed to bypass antivirus and sandbox environments to deliver stealers into memory," Intezer security researcher Ryan Robinson said in a report published Sunday. Evidence shows that the loader is being used in several campaigns targeting both English and Russian-speaking individuals, primarily singling out users looking for generic cracked software as well as business professionals in finance and administration by passing it off as accounting software.

See more:

#cybersecurity #malware
zCat 1 year ago
Critical RCE bug in VMware vCenter Server now exploited in attacks

Broadcom warned today that attackers are now exploiting two VMware vCenter Server vulnerabilities, one of which is a critical remote code execution flaw. TZL security researchers reported the RCE vulnerability (CVE-2024-38812) during China's 2024 Matrix Cup hacking contest. It is caused by a heap overflow weakness in the vCenter's DCE/RPC protocol implementation and affects products containing vCenter, including VMware vSphere and VMware Cloud Foundation. The other vCenter Server flaw now exploited in the wild (reported by the same researchers) is a privilege escalation flaw tracked as CVE-2024-38813 that enables attackers to escalate privileges to root with a specially crafted network packet.

See more
BleepingComputer:
Security Week:

#cybersecurity #rce #exploit
zCat 1 year ago
Swiss Cyber Agency Warns of QR Code Malware in Mail Scam

A new malware campaign targeting Swiss residents through fake postal letters has been uncovered by the country's National Cyber Security Centre (NCSC). The scam involves fraudulent correspondence disguised as official communication from MeteoSwiss, the Federal Office of Meteorology and Climatology, urging recipients to scan a QR code and download a malicious weather app for Android devices. The fake app, called "Severe Weather Warning App," mimics the legitimate Alertswiss app but is labeled "AlertSwiss" with a slightly altered logo. Unlike the authentic app, which is available on the Google Play Store, the fraudulent version is hosted on an unverified third-party website. Once installed, the app deploys a Coper Trojan variant to steal sensitive data, including banking credentials, and intercepts two-factor authentication (2FA) codes.

See more:

#cybersecurity #malware