zCat
npub1zm7j...pnd6
zCat - Android App about Zcash, privacy and cybersecurity news aggregator
zCat 1 year ago
Cloudflare’s developer domains increasingly abused by threat actors
Cloudflare's 'pages.dev' and 'workers.dev' domains, used for deploying web pages and facilitating serverless computing, are being increasingly abused by cybercriminals for phishing and other malicious activities. According to cybersecurity firm Fortra, the abuse of these domains has risen between 100% and 250% compared to 2023. The researchers believe the use of these domains is aimed at improving the legitimacy and effectiveness of these malicious campaigns, taking advantage of Cloudflare's trusted branding, service reliability, low usage costs, and reverse proxying options that complicate detection. Cloudflare Pages is a platform designed for front-end developers to build, deploy, and host fast, scalable websites directly on Cloudflare's global Content Delivery Network (CDN).
See more: #cybersecurity #phishing #cloudflare
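As an added example (not from the zCat post or from the Fortra report it summarises), the following Python snippet shows the kind of log check a defender can run against the trend described above: it parses constructed proxy log lines, extracts each URL's host, and flags requests to hosts under `.pages.dev` or `.workers.dev` that are not on a hypothetical allowlist of projects the organisation knowingly hosts there. The log lines, client addresses and allowlist entry are all constructed for the example.

```python
"""Flag proxy-log requests to Cloudflare developer domains (pages.dev / workers.dev).

Added example; not code from the zCat post or from Fortra. Log lines and the
allowlist entry below are constructed.
"""
import re
from urllib.parse import urlsplit

# Domain suffixes the post reports as increasingly abused for phishing.
WATCHED_SUFFIXES = (".pages.dev", ".workers.dev")

# Hypothetical allowlist: projects the organisation knowingly runs on these domains.
ALLOWLIST = {"docs-internal.pages.dev"}

# Constructed sample proxy log: "<timestamp> <client-ip> <method> <url> <status>".
SAMPLE_LOG = """\
2024-12-03T09:12:44Z 10.0.0.21 GET https://docs-internal.pages.dev/handbook 200
2024-12-03T09:13:01Z 10.0.0.33 GET https://login-secure-mailbox.pages.dev/index.html 200
2024-12-03T09:13:05Z 10.0.0.33 POST https://login-secure-mailbox.pages.dev/submit 302
2024-12-03T09:14:10Z 10.0.0.45 GET https://example.com/ 200
2024-12-03T09:15:22Z 10.0.0.51 GET https://cdn-update.acme-worker.workers.dev/bundle.js 200
garbage line that does not match the format
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlsplit(url).hostname or "").lower()


def is_watched_host(host: str) -> bool:
    """True for subdomains of a watched suffix; 'pages.dev.evil.example' does not match."""
    return any(host.endswith(suffix) for suffix in WATCHED_SUFFIXES)


def find_suspicious(log_text: str, allowlist=ALLOWLIST) -> list:
    """Return one record per log line whose host is watched and not allowlisted."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        host = host_of(m["url"])
        if is_watched_host(host) and host not in allowlist:
            hits.append({"ts": m["ts"], "client": m["ip"], "method": m["method"],
                         "host": host, "url": m["url"]})
    return hits


def summarize(hits) -> dict:
    """Aggregate per host so one phishing site shows up once with its client set."""
    per_host = {}
    for h in hits:
        entry = per_host.setdefault(h["host"], {"clients": set(), "requests": 0})
        entry["clients"].add(h["client"])
        entry["requests"] += 1
    return {host: {"clients": sorted(v["clients"]), "requests": v["requests"]}
            for host, v in per_host.items()}


if __name__ == "__main__":
    for host, info in summarize(find_suspicious(SAMPLE_LOG)).items():
        print(f"{host}: {info['requests']} request(s) from {len(info['clients'])} client(s)")
```

The suffix match is anchored at the end of the hostname, so a lookalike such as `pages.dev.evil.example` is not treated as a Cloudflare domain, and the allowlist keeps the organisation's own Pages projects out of the alert stream; a POST to a flagged host (a credential submission) is the event worth escalating first.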
zCat 1 year ago
Exploit released for critical WhatsUp Gold RCE flaw, patch now
A proof-of-concept (PoC) exploit for a critical-severity remote code execution flaw in Progress WhatsUp Gold has been published, making it critical to install the latest security updates as soon as possible. The flaw is tracked as CVE-2024-8785 (CVSS v3.1 score: 9.8) and was discovered by Tenable in mid-August 2024. It exists in the NmAPI[.]exe process in WhatsUp Gold versions from 2023.1.0 and before 24.0.1. When launched, NmAPI[.]exe provides a network management API interface for WhatsUp Gold, listening for and processing incoming requests. Due to insufficient validation of incoming data, attackers could send specially crafted requests to modify or overwrite sensitive Windows registry keys that control where WhatsUp Gold configuration files are read from.
See more: #cybersecurity #rce #whatsup
zCat 1 year ago
Cisco Warns of Exploitation of Decade-Old ASA WebVPN Vulnerability
Cisco on Monday updated an advisory to warn customers of active exploitation of a decade-old security flaw impacting its Adaptive Security Appliance (ASA). The vulnerability, tracked as CVE-2014-2120 (CVSS score: 4.3), concerns a case of insufficient input validation in ASA's WebVPN login page that could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a targeted user of the appliance. "An attacker could exploit this vulnerability by convincing a user to access a malicious link," Cisco noted in an alert released in March 2014. As of December 2, 2024, the networking equipment major has revised its bulletin to note that it has become aware of "additional attempted exploitation" of the vulnerability in the wild.
See more: #cybersecurity #xss #webvpn
zCat 1 year ago
760,000 Employee Records From Several Major Firms Leaked Online
The information of more than 760,000 employees of several major organizations emerged online on Monday morning after a threat actor dumped it on a popular hacking forum. The data apparently originates from last year’s massive MOVEit hack, in which a zero-day vulnerability in Progress Software’s file transfer software was used to steal sensitive information from thousands of organizations. Roughly 2,800 organizations and close to 100 million individuals were affected by the attack, which is believed to have been carried out by the Russia-linked Cl0p ransomware gang.
#cybersecurity #databreach #moveit
zCat 1 year ago
Horns&Hooves Campaign Delivers RATs via Fake Emails and JavaScript Payloads
A newly discovered malware campaign has been found to target private users, retailers, and service businesses mainly located in Russia to deliver NetSupport RAT and BurnsRAT. The campaign, dubbed Horns&Hooves by Kaspersky, has hit more than 1,000 victims since it began around March 2023. The end goal of these attacks is to leverage the access afforded by these trojans to install stealer malware such as Rhadamanthys and Meduza. "Recent months have seen a surge in mailings with lookalike email attachments in the form of a ZIP archive containing JScript scripts," security researcher Artem Ushkov said in a Monday analysis. "The script files [are] disguised as requests and bids from potential customers or partners."
See more: #cybersecurity #malware
zCat 1 year ago
Hackers Stole $1.49 Billion in Cryptocurrency to Date in 2024
Nearly $1.49 billion in cryptocurrency losses have been registered to date in 2024, mainly due to hacking incidents, a new report from web3 bug bounty platform Immunefi shows. The total year-to-date losses have dropped compared to last year, when they surpassed $1.75 billion during the period, and were mainly driven by losses of over $359 million in May and of more than $282 million in July. In November, cryptocurrency losses surpassed $71 million, mainly due to hacks ($70,996,200), with only a small percentage lost to rug pulls ($25,300). Total losses were 79% lower compared to November 2023, when they exceeded $343 million.
See more: #cybersecurity #cryptocurrency #defi
zCat 1 year ago
BootKitty UEFI malware exploits LogoFAIL to infect Linux systems
The recently uncovered 'Bootkitty' Linux UEFI bootkit exploits the LogoFAIL flaw, tracked as CVE-2023-40238, to target computers running on vulnerable firmware. This is confirmed by firmware security firm Binarly, which discovered LogoFAIL in November 2023 and warned about its potential to be used in actual attacks.
Bootkitty and LogoFAIL connection
Bootkitty was discovered by ESET, who published a report last week, noting that it is the first UEFI bootkit specifically targeting Linux. However, at this time, it is more of an in-development UEFI malware that only works on specific Ubuntu versions, rather than a widespread threat. LogoFAIL is a set of flaws in the image-parsing code of UEFI firmware images used by various hardware vendors, exploitable by malicious images or logos planted on the EFI System Partition (ESP).
See more: #cybersecurity #linux #uefi
zCat 1 year ago
SpyLoan Android malware on Google Play installed 8 million times
A new set of 15 SpyLoan Android malware apps with over 8 million installs was discovered on Google Play, targeting primarily users from South America, Southeast Asia, and Africa. The apps were discovered by McAfee, a member of the 'App Defense Alliance,' and have now been removed from Android's official app store. However, their presence on Google Play is indicative of the threat actors' persistence, as even recent law enforcement actions against SpyLoan operators have not curbed the issue, says McAfee. The last major "SpyLoan cleanup" on Google Play was in December 2023, when over a dozen apps that had amassed 12 million downloads were removed.
See more BleepingComputer: The Hacker News: #cybersecurity #android #malware
zCat 1 year ago
Location tracking of phones is out of control. Here’s how to fight back.
Unique IDs assigned to Android and iOS devices threaten your privacy. Who knew? You likely have never heard of Babel Street or Location X, but chances are good that they know a lot about you and anyone else you know who keeps a phone nearby around the clock. Reston, Virginia-located Babel Street is the little-known firm behind Location X, a service with the capability to track the locations of hundreds of millions of phone users over sustained periods of time.
See more: #privacy #tracking #mobile
zCat 1 year ago
Zello asks users to reset passwords after security incident
Zello is warning customers to reset their passwords if their account was created before November 2nd in what appears to be another security breach. Zello is a mobile service with 140 million users that allows first responders, hospitality services, transportation, and family and friends to communicate via their mobile phones using a push-to-talk app. Over the past two weeks, numerous people have received security notices from Zello on November 15th asking them to reset their app password.
See more: #cybersecurity #zello
zCat 1 year ago
U.S. Telecom Giant T-Mobile Detects Network Intrusion Attempts from Wireline Provider
U.S. telecom service provider T-Mobile said it recently detected attempts made by bad actors to infiltrate its systems in recent weeks but noted that no sensitive data was accessed. These intrusion attempts "originated from a wireline provider's network that was connected to ours," Jeff Simon, chief security officer at T-Mobile, said in a statement. "We see no instances of prior attempts like this." The company further said its security defenses prevented the threat actors from disrupting its services or obtaining customer information. It has since confirmed that it cut off connectivity to the unnamed provider's network. It did not explicitly attribute the activity to any known threat actor or group, but noted that it has shared its findings with the U.S. government.
See more The Hacker News: Bleeping Computer: SecurityWeek: #cybersecurity
zCat 1 year ago
Tor needs 200 new WebTunnel bridges to fight censorship
The Tor Project has put out an urgent call to the privacy community asking volunteers to help deploy 200 new WebTunnel bridges by the end of the year to fight government censorship. Currently, the Tor Project operates 143 WebTunnel bridges, which help users in heavily censored regions bypass internet access restrictions and website blocks. This comes in response to increasing censorship in Russia, which Tor says currently impacts the browser's built-in censorship circumvention mechanisms, including obfs4 connections and Snowflake. The Tor Project believes that setting up more WebTunnel bridges is the best response to this censorship escalation, as analyzing new tactics and developing workarounds takes time, leaving users vulnerable and isolated from the free internet.
See more: #tor #privacy #censorship
zCat 1 year ago
Police bust pirate streaming service making €250 million per month
An international law enforcement operation has dismantled a pirate streaming service that served over 22 million users worldwide and made €250 million ($263M) per month. Italy's Postal and Cybersecurity Police Service announced the action, codenamed "Taken Down," stating they worked with Eurojust, Europol, and many other European countries, making this the largest takedown of its kind in Italy and internationally. "More than 270 Postal Police officers, in collaboration with foreign law enforcement, carried out 89 searches in 15 Italian regions and 14 additional searches in the United Kingdom, the Netherlands, Sweden, Switzerland, Romania, Croatia, and China, involving 102 individuals," reads the announcement.
See more: #pirate #streaming
zCat 1 year ago
ProjectSend Vulnerability Exploited in the Wild
Threat actors are likely exploiting ProjectSend servers unpatched against a vulnerability that was publicly disclosed roughly a year and a half ago, VulnCheck warns. An open source application written in PHP, ProjectSend is designed for file sharing, enabling users to create client groups, assign user roles, and access statistics, detailed logs, notifications, and more. The exploited issue, tracked as CVE-2024-11680 (CVSS score of 9.8), is described as an improper authentication vulnerability that could allow remote, unauthenticated attackers to modify the application’s configuration. Attackers could send crafted HTTP requests to the options[.]php endpoint to create rogue accounts, upload webshells, and potentially embed malicious JavaScript code, a NIST advisory reads.
See more: #cybersecurity #php
zCat 1 year ago
APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign
The threat actor known as APT-C-60 has been linked to a cyber attack targeting an unnamed organization in Japan that used a job application-themed lure to deliver the SpyGlace backdoor. That's according to findings from JPCERT/CC, which said the intrusion leveraged legitimate services like Google Drive, Bitbucket, and StatCounter. The attack was carried out around August 2024. "In this attack, an email purporting to be from a prospective employee was sent to the organization's recruiting contact, infecting the contact with malware," the agency said.
See more: #cybersecurity #malware
zCat 1 year ago
New NachoVPN attack uses rogue VPN servers to install malicious updates
A set of vulnerabilities dubbed "NachoVPN" allows rogue VPN servers to install malicious updates when unpatched Palo Alto and SonicWall SSL-VPN clients connect to them. AmberWolf security researchers found that threat actors can trick potential targets into connecting their SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN clients to attacker-controlled VPN servers using malicious websites or documents in social engineering or phishing attacks. Threat actors can use the rogue VPN endpoints to steal the victims' login credentials, execute arbitrary code with elevated privileges, install malicious software via updates, and launch code-signing forgery or man-in-the-middle attacks by installing malicious root certificates.
See more: Bleeping Computer: SecurityWeek: #cybersecurity
zCat 1 year ago
Firefox and Windows zero-days exploited by Russian RomCom hackers
Russian-based RomCom cybercrime group chained two zero-day vulnerabilities in recent attacks targeting Firefox and Tor Browser users across Europe and North America. The first flaw (CVE-2024-9680) is a use-after-free bug in Firefox's animation timeline feature that allows code execution in the web browser's sandbox. Mozilla patched this vulnerability on October 9, 2024, one day after ESET reported it. The second zero-day exploited in this campaign is a privilege escalation flaw (CVE-2024-49039) in the Windows Task Scheduler service, allowing attackers to execute code outside the Firefox sandbox. Microsoft addressed this security vulnerability earlier this month, on November 12. RomCom abused the two vulnerabilities as a zero-day chain exploit, which helped them gain remote code execution without requiring user interaction. Their targets only had to visit an attacker-controlled and maliciously crafted website that downloaded and executed the RomCom backdoor on their system.
See more: Bleeping Computer: The Hacker News: SecurityWeek: #cybersecurity #zeroday #firefox
zCat 1 year ago
Researchers Discover "Bootkitty" – First UEFI Bootkit Targeting Linux Kernels
Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems. Dubbed Bootkitty by its creators who go by the name BlackCat, the bootkit is assessed to be a proof-of-concept (PoC) and there is no evidence that it has been put to use in real-world attacks. Also tracked as IranuKit, it was uploaded to the VirusTotal platform on November 5, 2024. "The bootkit's main goal is to disable the kernel's signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup)," ESET researchers Martin Smolár and Peter Strýček said. The development is significant as it heralds a shift in the cyber threat landscape where UEFI bootkits are no longer confined to Windows systems alone.
See more The Hacker News: BleepingComputer: SecurityWeek: #cybersecurity #uefi #bootkit
zCat 1 year ago
Hackers abuse popular Godot game engine to infect thousands of PCs
Hackers have used new GodLoader malware exploiting the capabilities of the widely used Godot game engine to evade detection and infect over 17,000 systems in just three months. As Check Point Research found while investigating the attacks, threat actors can use this malware loader to target gamers across all major platforms, including Windows, macOS, Linux, Android, and iOS. It's also used to leverage Godot's flexibility and its GDScript scripting language capabilities to execute arbitrary code and bypass detection systems using the game engine .pck files, which package game assets, to embed harmful scripts. Once loaded, the maliciously crafted files trigger malicious code on the victims' devices, enabling attackers to steal credentials or download additional payloads, including the XMRig crypto miner. This miner malware's configuration was hosted on a private Pastebin file uploaded in May, which was visited 206,913 times throughout the campaign.
See more: #cybersecurity #godot #malware
zCat 1 year ago
IBM Patches RCE Vulnerabilities in Data Virtualization Manager, Security SOAR
IBM on Monday announced patches for multiple vulnerabilities across its products, including two high-severity remote code execution (RCE) issues in Data Virtualization Manager and Security SOAR. Tracked as CVE-2024-52899 (CVSS score of 8.5), the flaw in Data Virtualization Manager for z/OS could allow a remote, authenticated attacker to inject malicious JDBC URL parameters, which could lead to arbitrary code execution on the server. IBM has released fix packs for Data Virtualization Manager for z/OS versions 1.1 and 1.2, and has included instructions on how to download them in its advisory.
See more: #cybersecurity #ibm #rce