18 August 2023

Cyber Security Week in Review: August 18, 2023


Hackers are actively exploiting critical bugs in Citrix's products

The US Cybersecurity and Infrastructure Security Agency (CISA) warned that threat actors are actively targeting an improper-access-control bug in the Citrix ShareFile collaboration and file-sharing application (CVE-2023-24489). The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

Meanwhile, nearly 2,000 Citrix NetScaler servers have been backdoored with a web shell through a recently patched vulnerability (CVE-2023-3519) as part of a large-scale hacking campaign.

CVE-2023-3519 is a code injection flaw that can lead to remote code execution. The vulnerability exists due to improper input validation when the appliance is configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or as an AAA virtual server. A remote, unauthenticated attacker can send a specially crafted request and execute arbitrary code on the target system.

Google fixes multiple vulnerabilities in Chrome

Google has patched multiple vulnerabilities in its Chrome browser, the most severe of which could allow for arbitrary code execution. The security issues of note include a use-after-free flaw in the Offline component (CVE-2023-2312), a use-after-free issue in Device Trust Connectors (CVE-2023-4349), an inappropriate implementation in Fullscreen (CVE-2023-4350), and a use-after-free bug in Network (CVE-2023-4351).

LinkedIn accounts targeted in a worldwide hacking campaign

A hacking campaign appears to be underway targeting LinkedIn account owners across the globe. Security researchers have observed a significant number of victims losing access to their accounts, some of whom were pressured to pay a ransom to regain access. In some cases, users’ accounts were permanently deleted.

A new phishing campaign targets Zimbra email servers

Researchers at ESET uncovered a large-scale phishing campaign designed to collect Zimbra account users’ credentials. The campaign has been active since at least April 2023 and is still ongoing. It has primarily targeted small and medium-sized enterprises (SMEs) and governmental entities, with the majority of victims located in Poland, Ecuador and Italy.

Researchers tricked cybercriminals into revealing their secrets

Security researchers at GoSecure got a glimpse of how hackers conduct their nefarious activities through a carefully designed trap: a network of internet-exposed Windows servers with Remote Desktop Protocol (RDP) enabled, which threat actors could remotely control once compromised.

The researchers ran the honeypot for three years, accumulating over 190 million events, including 100 hours of video footage, 470 files collected from threat actors, and more than 20,000 RDP captures. This allowed them to better understand how malicious actors install malware, mine cryptocurrencies, launch DDoS attacks using compromised servers, and conduct fraud operations.

Alleged LolekHosted bulletproof service operator charged in the US

The US Department of Justice has unsealed an indictment of Artur Karol Grabowski, a 36-year-old Polish national, for allegedly operating the bulletproof hosting service LolekHosted, which was dismantled last week by Polish authorities.

LolekHosted’s operator was charged with computer fraud conspiracy, wire fraud conspiracy, and international money laundering. He could face up to 45 years in prison if found guilty.

Info-stealing infections expose hackers from top cybercrime forums

Over 120,000 computers infected with info-stealing malware, many of which belong to malicious actors themselves, held credentials for cybercrime forums.

The vast majority of info-stealer infections were attributed to Redline, followed by Raccoon and Azorult. The top 5 countries from which hackers were infected and had at least 1 credential to a hacker forum include Tunisia (7.55%), Malaysia (6%), Belgium (5.14%), the Netherlands (4.8%), and Israel (4.43%).

Cybercriminals target victims via mobile beta-testing apps, FBI warns

Malicious actors are using a new tactic to defraud victims by embedding malicious code in mobile beta-testing apps, the US Federal Bureau of Investigation (FBI) warned. Beta apps are typically not subject to the mobile operating systems' app review processes.

The agency said it is aware of scam operations where threat actors contact victims via dating and networking apps and instruct them to download mobile beta apps, such as cryptocurrency investment apps that steal crypto assets from users.

Discord.io suspends operations for “foreseeable future” following major data breach

Discord.io, a third-party service that offered custom invite URLs for Discord servers, shut down operations for the “foreseeable future” following a major data breach that saw the personal information of nearly 760,000 members compromised.

The team behind Discord.io said they are still investigating the incident. The team believes that the cause of the breach was a vulnerability in the website’s code, which allowed the threat actors to gain access to Discord.io’s database.

File-sharing site Anonfiles shuts down due to overwhelming abuse by its users

Popular anonymous file-sharing site, Anonfiles, is ceasing operations after years of extreme abuse by its users. Anonfiles was one of the most popular file-sharing services used by hackers to share stolen data.

Now the service’s administrators have decided to close shop “after trying endlessly for two years to run a file sharing site with user anonymity we have been tired of handling the extreme volumes of people abusing it and the headaches it has created for us.” The admins of the site are now trying to find a buyer for the domain.

PowerShell Gallery susceptible to software supply chain attacks

Aqua Security’s Nautilus researchers discovered security issues in PowerShell Gallery, a widely used repository for finding, publishing, and sharing PowerShell code modules, that could be abused by threat actors to upload malicious packages via typosquatting or other supply chain attacks.

The researchers said they informed Microsoft of the design flaws almost a year ago, but the issues remain unfixed.

Hackers are increasingly abusing Google Drive, OneDrive, Notion, and GitHub to deploy malware

Recorded Future’s Insikt Group warns that malicious actors are increasingly exploiting trusted platforms like Google Drive, OneDrive, Notion, and GitHub to conceal malicious activities within normal internet traffic.

An analysis of more than 400 malware families deployed over the past two years revealed that at least 25% of them used legitimate internet services in some way as part of their infrastructure, allowing hackers to hide more easily within normal traffic and complicating detection.

New campaign turns malware-infected Windows and macOS systems into a proxy

AT&T Alien Labs researchers discovered a massive campaign that delivered proxy server apps to at least 400,000 Windows systems to turn them into a residential proxy network. The proxy is written in the Go programming language and is spread by malware both on Windows and macOS.

Chinese hackers target gambling sector in Southeast Asia

SentinelLabs researchers said they identified China-linked malware and infrastructure potentially involved in China-associated operations directed at the gambling sector within Southeast Asia. The threat actors abuse Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables vulnerable to DLL hijacking to deploy Cobalt Strike beacons.

Although some evidence indicates the involvement of the China-aligned BRONZE STARLIGHT group, the exact attribution remains unclear due to the interconnected relationships among various Chinese threat actors, the researchers said.

A cloud outage caused some of Bambu Lab's 3D printers to start printing on their own

Multiple owners of Bambu Lab's X1C or P1P 3D printers reported that their machines suddenly started print jobs in the middle of the night without any user input. Some owners reported that they woke to failed prints, while others complained that their device printed a second copy of the previous job, and in a few unfortunate cases, the machines sustained damage while trying to print two copies of an object.

Bambu Lab released an official statement acknowledging the issue. The company said the incident is still being investigated but it suspects it was caused by a cloud outage.
