7 July 2023

Cyber Security Week in Review: July 7, 2023

A new Truebot variant targets orgs in the US and Canada

The US cybersecurity agency CISA and partners have issued a warning about a new variant of the Truebot malware that exploits a known vulnerability in the Netwrix Auditor application to compromise organizations in the US and Canada.

Tracked as CVE-2022-31199, the flaw is an untrusted-data deserialization issue in the protocol used by the Netwrix Auditor User Activity Video Recording component, and it allows remote code execution.

The Truebot botnet has been used by malicious cyber groups such as the Clop ransomware operation to collect and exfiltrate information from their victims.

The authorities say the number of attacks using the new Truebot variant has spiked since May 31, 2023. Cyber threat actors have been observed leveraging both phishing campaigns with malicious redirect hyperlinks and CVE-2022-31199 to deliver the new Truebot malware variants.

Google rolls out July security updates for Android

Google has released security updates for its Android operating system, addressing over 40 vulnerabilities, including three bugs believed to be under active exploitation.

The exploited vulnerabilities (CVE-2023-26083, CVE-2021-29256, and CVE-2023-2136) affect Android's Skia and Arm Mali components.

Hundreds of SolarView solar panel stations are at risk of getting hacked

Hundreds of solar panels were found to be exposed to cyberattacks due to a command injection flaw (CVE-2022-29303) present in Contec's SolarView products. SolarView products facilitate active monitoring of solar farms and have been installed in around 30,000 locations to date.

Since March 2023, the flaw has been targeted by a new variant of the Mirai botnet. According to data from the vulnerability scanning service VulnCheck, more than 600 SolarView systems are exposed to the internet, and fewer than one-third of them are patched against CVE-2022-29303.

Over 300,000 FortiGate firewalls remain vulnerable to a critical RCE flaw

More than 300,000 FortiGate firewalls remain unpatched against a critical remote code execution flaw (CVE-2023-27997), almost a month after Fortinet released security updates to fix the issue.

According to cybersecurity firm Bishop Fox, out of nearly 490,000 Fortinet SSL-VPN interfaces exposed on the internet, about 69% are still vulnerable.

Suspected OPERA1ER kingpin detained in Côte d’Ivoire

Interpol announced the arrest of a suspected key member of the OPERA1ER cybercrime ring believed to have stolen millions of dollars from organizations in the financial sector over the past four years.

The suspect, who was not named, was arrested in Côte d’Ivoire in early June as part of an international law enforcement operation called “Operation Nervone.”

Neo_Net cybercrime actor targets users of prominent banks globally

A cybercrime threat actor known as Neo_Net stole hundreds of thousands of euros and compromised the personal information of thousands of victims in an Android mobile malware campaign targeting financial institutions globally. The smishing campaign ran from June 2021 to April 2023 and focused on Spanish and Chilean banks, including major banks such as Santander, BBVA and CaixaBank. Other major targets included Deutsche Bank, Crédit Agricole and ING.

Poly Network hit with a major hack

The DeFi platform Poly Network has suffered a major hack that affected over 57 assets on 10 blockchains, including Ethereum, Binance’s BNB Chain, Metis, Polygon and more.

The attackers minted millions of tokens after exploiting a smart contract mechanism in the bridge tool of Poly Network. The bug allowed the hacker to “craft a malicious parameter containing a fake validator signature and block header” and bypass the verification process. The attacker then issued tokens from Poly Network’s Ethereum pool to their address on other chains, such as Metis, BNB Chain, and Polygon.

A cybercriminal group busted in Ukraine

The Security Service of Ukraine announced the arrests of 12 members of a cybercriminal gang that used malware to steal funds from the bank accounts of Ukrainians.

According to the authorities, the hackers used custom malware to gain access to depositors’ accounts at one of the banks in Kyiv. The group worked with several bank employees who helped them look for potential victims and obtain the personal information of residents who had opened deposit accounts with the bank.

The cybercrooks then sent a phishing email to their victims to obtain their login credentials and gain access to their bank accounts. The stolen money was transferred to accounts controlled by the criminals.

Free decryptor released for the Akira ransomware

Czech cybersecurity firm Avast released a free decryptor for the Akira ransomware to help victims recover their data without paying a ransom.

Chinese hackers are targeting embassies in Europe in new SmugX campaign

A Chinese threat actor has been targeting Foreign Affairs ministries and embassies in Europe since at least December 2022 using a variant of the PlugX implant.

Dubbed “SmugX,” the campaign leverages a technique called HTML Smuggling, in which attackers hide malicious payloads inside HTML documents so that the file is reassembled by the browser on the victim’s machine. According to the Check Point researchers who spotted the attacks, this campaign overlaps with previous attacks by the Chinese state-sponsored groups RedDelta and Mustang Panda.
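Because the payload in an HTML smuggling lure is assembled client-side, a mail gateway or proxy only sees an HTML file with a large inline base64 blob and a handful of JavaScript calls that turn it into a download. The scanner below is an added example for the SmugX item above, not Check Point's tooling and not code from the article; the indicator list, the 512-character base64 threshold, the scoring weights and the two HTML samples are all constructed assumptions meant for tuning against your own traffic.

```python
"""Heuristic scanner for HTML smuggling indicators (added example; assumed thresholds)."""
import base64
import re

# JavaScript APIs that are typically combined to reassemble and drop a file
# purely client-side. Each is benign on its own; the combination with a large
# inline base64 blob is what makes a page suspicious. (assumed indicator set)
INDICATORS = {
    "blob_ctor": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "atob": re.compile(r"\batob\s*\(", re.I),
    "ms_save": re.compile(r"msSaveOrOpenBlob\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]", re.I),
    "auto_click": re.compile(r"\.click\s*\(\s*\)", re.I),
}

# Base64 runs at least this long are treated as embedded-payload candidates.
# (assumed threshold: short data: URIs for icons stay below it)
MIN_B64_LEN = 512
B64_RUN = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_B64_LEN)

# Magic bytes of container/executable formats commonly delivered this way.
# (assumed list)
SUSPICIOUS_MAGIC = (b"PK\x03\x04", b"MZ")


def find_embedded_payloads(html: str):
    """Return (encoded_length, first_bytes) for every long base64 run that decodes."""
    found = []
    for match in B64_RUN.finditer(html):
        core = match.group(0).rstrip("=")
        try:
            raw = base64.b64decode(core + "=" * (-len(core) % 4))
        except ValueError:  # binascii.Error subclasses ValueError
            continue
        found.append((len(core), raw[:4]))
    return found


def score_html(html: str) -> dict:
    """Score one HTML document; a score of 5 or more is flagged. (assumed weights)"""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    payloads = find_embedded_payloads(html)
    magic_hit = any(head.startswith(SUSPICIOUS_MAGIC) for _, head in payloads)
    score = sum(hits.values()) + (2 if payloads else 0) + (2 if magic_hit else 0)
    return {
        "indicators": hits,
        "payloads": len(payloads),
        "suspicious_magic": magic_hit,
        "score": score,
        "verdict": "suspicious" if score >= 5 else "benign",
    }


# Constructed sample inputs (not real SmugX lures). The "archive" is a fake
# zip header followed by zero bytes, just enough to exercise the magic check.
_FAKE_ARCHIVE_B64 = base64.b64encode(b"PK\x03\x04" + b"\x00" * 600).decode()

SUSPICIOUS_HTML = """<html><body><script>
var bin = atob("__PAYLOAD__");
var blob = new Blob([bin], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'document.zip';
a.click();
</script></body></html>""".replace("__PAYLOAD__", _FAKE_ARCHIVE_B64)

BENIGN_HTML = """<html><body>
<img src="data:image/png;base64,iVBORw0KGgo=" alt="logo">
<button id="go">Next</button>
<script>document.getElementById('go').addEventListener('click', function () {
  location.href = '/next';
});</script>
</body></html>"""


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(label, score_html(doc))
```

Run it over attachments or proxied HTML responses and route anything scoring at or above the threshold to sandbox detonation rather than blocking outright: the same API combination is used by legitimate client-side file exporters, so the score is a triage signal, not a verdict on its own.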

Iran’s Charming Kitten targets nuclear security experts using Mac, Windows malware

Cybersecurity firm Proofpoint detailed a recent campaign by an Iran-linked threat actor known as TA453 (also tracked as Charming Kitten, APT42, Mint Sandstorm and Yellow Garuda) targeting nuclear security experts.

The researchers noted that in May 2023 the threat actor began deploying LNK infection chains instead of Microsoft Word documents with macros.
