25 August 2023

Cyber Security Week in Review: August 25, 2023

A WinRAR zero-day exploited since April in attacks targeting traders

A financially-motivated threat actor has been exploiting a zero-day vulnerability in WinRAR (CVE-2023-38831) since April of this year to trick traders into installing malware that would allow them to steal money from broker accounts.

The bug was described as an input validation issue that allows a remote attacker to compromise the affected system using a malicious archive. The archive contains a benign-looking decoy file with an extension such as .jpg or .txt alongside a folder of the same name holding an executable script; when the victim opens the decoy in WinRAR, the script is executed instead.

The threat actor has been using the vulnerability to execute code on victims' machines that installs malware from families including DarkMe, GuLoader and Remcos RAT. The malicious archives were spotted on specialized online forums covering trading, investment and cryptocurrency topics.
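The trick described above leaves a recognizable footprint inside the archive: a file and a folder that share an exact name (in the observed samples the name ends in a trailing space), with a script or executable inside the folder. The following heuristic scanner, written here as an added example and not code from the original article or from WinRAR or the researchers who reported the bug, parses a ZIP archive's entry list and flags those two conditions. The sample archives are constructed in memory; the entry names and the extension lists are illustrative assumptions, not indicators taken from a real campaign.

```python
"""Heuristic check for ZIP archives shaped like CVE-2023-38831 lures.

Two signals are checked purely from the archive's central directory:
  1. an entry whose name ends in whitespace (e.g. "chart.jpg "), which is
     what makes the decoy and its folder look identical to the user;
  2. a file and a directory with exactly the same name, where the directory
     holds at least one script/executable.
No archive contents are extracted or executed.
"""
import io
import posixpath
import zipfile

# Assumed lists for this example; tune to your environment.
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js", ".scr", ".com", ".lnk"}


def _ext(name: str) -> str:
    """Extension of a path component, ignoring trailing whitespace and case."""
    return posixpath.splitext(name.rstrip())[1].lower()


def analyze_archive(zip_bytes: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()

    files = [n for n in names if not n.endswith("/")]

    # Collect every directory name, including ones only implied by file paths
    # (many archivers omit explicit directory entries).
    dirs: set[str] = set()
    for n in names:
        path = n.rstrip("/") if n.endswith("/") else posixpath.dirname(n)
        while path:
            dirs.add(path)
            path = posixpath.dirname(path)

    findings: list[str] = []

    # Signal 1: trailing whitespace in an entry name.
    for n in names:
        base = posixpath.basename(n.rstrip("/"))
        if base != base.rstrip():
            findings.append(f"trailing whitespace in entry name: {n!r}")

    # Signal 2: a file whose exact name is also a directory, with executable payloads inside.
    for decoy in files:
        if decoy not in dirs:
            continue
        payloads = [p for p in files
                    if posixpath.dirname(p) == decoy and _ext(p) in EXECUTABLE_EXTS]
        if payloads:
            findings.append(
                f"file {decoy!r} has a same-named folder containing executable(s): {payloads}")
        else:
            findings.append(f"file {decoy!r} has a same-named folder (no executable payload found)")

    return findings


def build_sample_archive(malicious: bool) -> bytes:
    """Constructed test data: a lure-shaped archive or a harmless one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        if malicious:
            # Decoy "image" and a folder of the same name (note the trailing spaces).
            zf.writestr("trading_chart.jpg ", b"\xff\xd8\xff\xe0 decoy jpeg bytes")
            zf.writestr("trading_chart.jpg /trading_chart.jpg .cmd",
                        b"@echo off\r\nrem constructed placeholder, no real payload\r\n")
        else:
            zf.writestr("trading_chart.jpg", b"\xff\xd8\xff\xe0 decoy jpeg bytes")
            zf.writestr("notes/readme.txt", b"benign text")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("lure", True), ("benign", False)):
        result = analyze_archive(build_sample_archive(flag))
        print(label, "->", result or "no findings")
```

The check is deliberately conservative: a trailing-space name on its own is only a hint, while the file-plus-same-named-folder pattern with a script inside is the shape a defender would quarantine and inspect. It reads the central directory only, so it can run on mail-gateway or web-proxy attachments without extracting anything.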

Hackers are still exploiting patched Barracuda ESG zero-day, FBI warns

Fixes for a Barracuda Email Security Gateway (ESG) remote command injection vulnerability (CVE-2023-2868) are “ineffective,” and patched appliances are still at risk of being compromised by Chinese hackers, the US Federal Bureau of Investigation has warned, recommending that users immediately isolate and replace all affected appliances.

Last month, CISA released technical details and Indicators of Compromise related to three different malware families deployed by hackers on compromised Barracuda Email Security Gateway (ESG) appliances.

Ivanti releases an emergency update to address critical zero-day exploited by hackers

The IT software company has rolled out urgent patches to fix a zero-day vulnerability affecting the Ivanti Sentry (formerly MobileIron Sentry) product.

The vulnerability, tracked as CVE-2023-38035, is an improper authentication issue that could be exploited by a remote hacker to bypass the authentication process and execute arbitrary code on the system. Ivanti Sentry versions 9.18 and prior are said to be impacted.

Thousands of Openfire servers are vulnerable to hacking

More than 3,000 Openfire cross-platform real-time collaboration servers are unpatched against the CVE-2023-32315 flaw, VulnCheck found. The vulnerability is a path traversal issue that allows unauthenticated attackers to access restricted pages in the admin console. The researchers said that CVE-2023-32315 has been exploited in the wild for more than two months.

Cuba ransomware using Veeam exploit in attacks against critical infrastructure, IT firms

The Cuba ransomware operation has been observed targeting critical infrastructure organizations in the US and IT firms in Latin America using an exploit for a Veeam vulnerability to steal credentials from configuration files.

Tracked as CVE-2023-27532, the flaw in question is a missing authentication issue in Veeam.Backup.Service.exe. It allows an unauthenticated attacker to connect remotely to the affected service listening on port 9401/TCP, obtain encrypted credentials stored in the configuration database, and use them to access the backup infrastructure hosts.

A ransomware attack paralyzes Danish hoster CloudNordic, wipes all servers

Denmark-based hosting service provider CloudNordic suffered a devastating ransomware attack, which paralyzed the company’s infrastructure, including websites and email systems, as well as its customers’ systems.

The CloudNordic team explained that the attackers managed to gain access to the company’s internal systems via a compromised machine previously infected with malware. From there, the intruders accessed central administration systems and backup systems. Through the backup system, they got access to all data stored by the company, the replication backup system, and the secondary backup system.

New Whiffy Recon malware scans for nearby Wi-Fi access points

Researchers at Secureworks published a technical analysis of a new piece of malware dubbed Whiffy Recon that triangulates the infected system's position by feeding data on nearby Wi-Fi access points to Google's geolocation API. Whiffy Recon is being delivered via the Smoke Loader malware downloader. It targets Windows systems and is designed to perform a Wi-Fi scan every 60 seconds.

New Chinese Carderbee APT hits Hong Kong orgs in a supply chain attack

A previously undocumented Chinese threat actor called “Carderbee” has been linked to a supply chain attack targeting organizations in Hong Kong and other regions in Asia. In the observed campaign the group deployed the Korplug backdoor (also known as PlugX) on victim systems via a legitimate Chinese security product named Cobra DocGuard.

Lazarus Group exploited a now-patched Zoho bug to infect victims with the QuiteRAT malware

The North Korean state-sponsored threat actor Lazarus Group has been targeting healthcare entities in Europe and the United States using a now-patched vulnerability (CVE-2022-47966) affecting Zoho ManageEngine ServiceDesk to deploy QuiteRAT and CollectionRAT malware. QuiteRAT is a fairly simple remote access trojan (RAT), which belongs to the previously disclosed MagicRAT family.

CollectionRAT has standard RAT capabilities, including the ability to run arbitrary commands on an infected system. The implant appears to be connected to Jupiter/EarlyRAT, another malware family attributed to Andariel, a subgroup within the Lazarus Group umbrella of threat actors.

N. Korean Kimsuky hackers targeted a joint US-S.Korea military exercise

The North Korean government-sponsored hacking unit Kimsuky has targeted a joint US-South Korea military exercise. The hackers have compromised the email accounts of South Korean contractors working at the South Korea-US combined exercise war simulation center, the authorities said, noting that classified information has not been compromised in the incident.

Chinese cyber spies target organizations in Taiwan

A China-linked state-backed cyberespionage group known as Flax Typhoon is hacking into organizations in Taiwan with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks.

The goal of the operation is to not only perform espionage on targeted Taiwanese entities but “maintain access to organizations across a broad range of industries for as long as possible,” Microsoft said.

Flax Typhoon has been active since mid-2021 and has targeted government agencies and education, critical manufacturing, and information technology organizations in Taiwan. Some victims have also been observed elsewhere in Southeast Asia, as well as in North America and Africa. Flax Typhoon focuses on persistence, lateral movement, and credential access.

Chinese-made 'spy chip' found in Korean state-run weather agency system

A Chinese-made 'spy chip' containing malicious code that could be used to steal technical data and eavesdrop has been found by the National Intelligence Service at a state-run weather agency. The authorities are now investigating whether China intentionally planted it to steal weather observation-related data and technology. According to media reports, only 19 of 43 South Korean government agencies have a 24-hour system to monitor for hacking and eavesdropping.

Russian 'Telekopye' Telegram bot helps unskilled scammers conduct phishing attacks

ESET released a report on a Russian phishing toolkit dubbed “Telekopye” designed as a Telegram bot that can write emails and SMS messages, as well as generate prefabricated phishing pages. Telekopye is designed to target online marketplaces mainly (but not exclusively) those popular in Russia.

Founders of Tornado Cash crypto mixer used by Lazarus hackers charged in the US

The US authorities charged two founders of Tornado Cash cryptocurrency mixer with money laundering, sanctions violations and operating an illegal business. According to the indictment, Roman Storm, 34, of Auburn, Washington, and Roman Semenov, 49, of Russia created, operated, and promoted the Tornado Cash cryptocurrency mixing service used by cyber crooks to launder criminal proceeds. Both men could face up to 45 years in prison if convicted.

‘Africa Cyber Surge II’ disrupts thousands of cybercriminal networks

A four-month crime-fighting operation involving police agencies from 25 African countries has led to the arrest of 14 suspected cybercriminals. The police have also identified more than 20,000 cyber networks linked to financial losses of more than $40 million.

Dubbed “Africa Cyber Surge II”, the Interpol-coordinated operation was launched in April 2023 and focused on identifying cybercriminals and compromised infrastructure.

Tesla confirms “insider wrongdoing” was the cause of the May data breach

Tesla’s massive data breach impacted the personal information of over 75,000 people and was a result of “insider wrongdoing,” the company revealed. In a notice to staff, Tesla said that it was informed of the breach on May 10. A further investigation revealed “that two former Tesla employees misappropriated the information in violation of Tesla’s IT security and data protection policies and shared it with the media outlet.”

The impacted data included names and certain contact information such as address, phone number, and/or email address of current and former employees.

Lapsus$ teen hackers convicted in the UK

A London jury convicted two British teenagers of a series of computer crimes, blackmail and fraud undertaken while the pair had been key members of the hacking collective Lapsus$. Victims included multibillion-dollar and multinational companies Nvidia, Uber and Rockstar Games.

SpaceColon tool used to deploy Scarab ransomware

ESET researchers uncovered a malicious toolset named SpaceColon that has been used to deploy the Scarab ransomware to victims across the globe. The toolset consists of three main components: a downloader, an installer and a backdoor used to deploy Scarab. Its operators are believed to gain access to victim organizations through vulnerable web servers or by brute-forcing RDP credentials.

ESET tracks the threat actor behind this campaign as CosmicBeetle. The researchers suspect that the developer behind SpaceColon is Turkish-speaking based on the presence of numerous Turkish strings in several builds of the toolkit.
