29 September 2023

Cyber Security Week in Review: September 29, 2023


Maker of MOVEit protocol discloses flaws in WS_FTP Server software

Progress Software, the developer behind the MOVEit Transfer file-sharing protocol exploited in a large-scale data theft campaign, has warned of multiple vulnerabilities in its WS_FTP Server software. Some of them could lead to remote code execution.

The vendor has also shared recommendations on how to remove or disable the vulnerable WS_FTP Server Ad Hoc Transfer Module if it's not being used.

Cisco warns of a zero-day in IOS and IOS XE software

Networking giant Cisco released security updates to address a zero-day vulnerability affecting its IOS and IOS XE software actively exploited in the wild.

Tracked as CVE-2023-20109, the flaw is an out-of-bounds write issue that stems from insufficient validation of attributes in the Group Domain of Interpretation (GDOI) and G-IKEv2 protocols within the Cisco Group Encrypted Transport VPN (GET VPN) feature. A remote authenticated user with administrative control of either a group member or a key server can trigger an out-of-bounds write and execute arbitrary code on the target system.

Users are recommended to apply the updates as soon as possible.

Google addresses yet another Chrome zero-day

Google has released emergency security updates to fix a Chrome zero-day vulnerability exploited by hackers. Tracked as CVE-2023-5217, the zero-day flaw is a heap-based buffer overflow issue that exists due to a boundary error when processing untrusted HTML content in the VP8 encoder of libvpx. The vulnerability can be exploited by a remote attacker to achieve code execution on the system by tricking a user into visiting a malicious web page.

New Apple zero-days weaponized in Predator attacks targeting Egyptian opposition

A leading Egyptian opposition politician was targeted with the Predator malware developed by mercenary spyware firm Cytrox using an iPhone exploit chain involving three recently disclosed zero-day vulnerabilities.

A joint investigation conducted by Citizen Lab and Google’s TAG team discovered that the malware was delivered through links sent on SMS and WhatsApp.

Zero-day exploit broker offers up to $20M for iOS, Android exploit chains

Russian exploit broker Operation Zero announced it was increasing payments for zero-days in iOS and Android platforms from $200,000 to $20 million.

Booking.com users targeted in a large-scale phishing campaign

Perception Point researchers discovered a new phishing campaign that targets users of the Booking.com platform. The four-step attack involves the threat actors breaching a hotel’s systems and gaining access to the hotel’s Booking.com account. The attackers then steal the personal data of hotel guests (names, booking dates, hotel details and partial payment methods) and use it to craft convincing phishing emails. Once lured to the phishing page, victims are prompted to re-enter their credit card or bank information.

Chinese 'BlackTech' hackers backdoor Cisco routers to breach orgs in the US, Japan

A China-linked state-sponsored hacker group has been modifying router firmware to install custom backdoors to gain access to corporate networks in the United States and Japan, a new security advisory from the US and Japanese intelligence services and law enforcement agencies warns.

The threat actor uses the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network. The advisory also provides a list of measures that organizations can implement to minimize the risk of attacks.

Hackers exploit popularity of UAVs to infect Ukraine’s military with malware

A threat actor has been observed targeting Ukraine’s military with phishing attacks that use lures themed as drone or unmanned aerial vehicles (UAVs) service manuals to infect targets with the MerlinAgent malware. The campaign, dubbed ‘STARK#VORTEX,’ has been attributed to a threat cluster tracked as UAC-0154.

At least 23 Russian hacker groups targeted Ukraine in 2023

More than two dozen Russia-linked hacker groups targeted Ukraine in 2023, with the most activity coming from the Gamaredon and Sandworm APTs as well as various “hacktivist” collectives that, in reality, are just a front for state-controlled criminals.

While the energy and media sectors remain among the major targets of the Russian hackers, in the first half of 2023 the threat actors were observed switching focus to law enforcement agencies in order to collect information on the evidence of Russian war crimes that Ukrainian law enforcement teams have obtained, the materials collected and submitted for trials and prosecution, arrest warrants for suspected agents, and similar.

There was also an increase in attacks against the private sector with the goal of monitoring the outcomes of Russia’s kinetic operations, including missile and drone attacks.

Overall, Ukraine saw a 123% rise in security incidents in the first half of 2023; however, the number of critical and high-severity incidents decreased by 81% and 46%, respectively.

Chinese Budworm APT targets governments and telecoms in the Middle East and Asia

Symantec has a report out on a recent cyberespionage campaign by a China-linked state-backed hacker group known as Budworm, LuckyMouse, Emissary Panda or APT27 targeting a Middle Eastern telecommunications organization and an Asian government.

The threat actor uses a variety of tools such as China Chopper web shell, Gh0st RAT, HyperBro, PlugX, SysUpdate, and ZXShell to exfiltrate information and maintain persistent access to sensitive systems.

Stealth Falcon cyber spies use unusual backdoor in attacks on government entities in the Middle East

Researchers at ESET shared technical details on a sophisticated, previously undocumented backdoor called ‘Deadglyph’ used in a cyberespionage attack against a government entity in the Middle East.

Red Cross-themed phishing campaigns deliver DangerAds and AtlasAgent trojans

A new threat actor named ‘AtlasCross’ has been leveraging Red Cross-themed phishing lures to deliver two previously undocumented malware strains called ‘DangerAds’ and ‘AtlasAgent,’ according to a new report from NSFOCUS Security Labs.

The researchers note that AtlasCross has a relatively limited scope of activity, primarily focusing on targeted attacks against specific hosts within a network domain.

New ZenRAT malware delivered via fake Bitwarden password manager

A new malware strain called ZenRAT has been spotted in the wild, delivered via fake installation packages of the Bitwarden password manager. ZenRAT supports several commands, including transmitting its logs, which reveal detailed system checks, geofencing, mutex creation, disk size verification and anti-virtualization measures. The researchers noted that ZenRAT is designed to be a modular, extendable implant; however, they have not yet seen other modules being used in the wild.

Hackers spoof GitHub’s Dependabot to steal passwords

Hundreds of GitHub repositories have been targeted in a new campaign involving malicious code masked as Dependabot contributions, designed to infect victims with information-stealing malware. The malicious code exfiltrates the GitHub project’s secrets and sends them to a command-and-control (C&C) server. It then modifies any existing JavaScript files in the targeted project with malware that steals passwords from submitted web forms.

Xenomorph banking trojan targets over 30 US banks

Security researchers uncovered an updated version of the Xenomorph mobile banking trojan aimed at users of cryptowallets and banks in the US. Xenomorph uses overlays to obtain Personally Identifiable Information (PII) such as usernames, passwords, credit card numbers, and much more. The command-and-control server transmits to the bot a list of URLs containing the address from which the malware can retrieve the overlays for the infected device.

Mixin Networks suffers $200M hack - the largest crypto heist in 2023 so far

Hong Kong-based decentralized peer-to-peer network Mixin Network has lost $200 million in digital assets after unknown hackers compromised the database of Mixin’s cloud provider. The crypto heist is considered to be the biggest so far this year and the 10th largest of all time.

Following the incident, the company halted its deposit and withdrawal services and launched an investigation into the incident.

In related news, crypto exchange Remitano revealed that $2.7 million has been stolen from its hot wallets following “a data breach from a third-party source” that compromised its sensitive data.

Ukraine, Germany raid homes of DoppelPaymer ransomware actors

Police in Germany and Ukraine conducted raids at the homes of a 44-year-old Ukrainian national believed to be a key member of the DoppelPaymer ransomware gang and a 45-year-old man from southern Germany suspected of his involvement in laundering the criminal proceeds.

The authorities believe that evidence seized in the recent raids may help them to track down the alleged gang’s leaders.

Ukraine’s cyberpolice dismantles scam ring that defrauded victims out of CZK 2M

Ukrainian cyberpolice, together with Czechia’s National Center for Combating Terrorism, Extremism, and Cybercrime (NCTEKK), dismantled a phishing gang that defrauded victims out of CZK 2 million. The gang operated call centers in Kyiv that targeted users of Czech e-shops. Using social engineering techniques, the fraudsters tricked victims into visiting phishing web pages designed to steal visitors’ payment details.

The criminal organization involved 40 people, including computer programmers who developed and supported various Telegram bots and phishing sites, as well as ensured the anonymity of the fraudsters on the internet. The police have arrested eight people allegedly involved in the criminal operation, including three suspected leaders of the group.

FBI warns of a trend of dual ransomware attacks

The FBI has warned about a new trend in ransomware attacks where threat actors deploy multiple strains on victims’ networks in various combinations. The agency provided a list of recommendations on how to reduce the risk of compromise by ransomware.
