29 December 2023

Cyber Security Week In Review: December 29, 2023


Chinese hackers are exploiting new Barracuda ESG zero-day to deploy malware

China-linked state-sponsored hackers have been observed exploiting a zero-day vulnerability in Barracuda’s Email Security Gateway (ESG) appliances to deploy new variants of Seaspy and Saltwater malware.

Tracked as CVE-2023-7102, the issue is related to improper input validation (CVE-2023-7101) within the third-party Perl library called ‘Spreadsheet::ParseExcel’ used to parse Excel files. A remote attacker can send a specially crafted email with a malicious file inside and execute arbitrary code on the device. The flaw impacts ESG versions 5.1.3 - 9.2.1.001.

The attacks have been attributed to a Chinese cyberespionage group tracked as UNC4841 known for targeting Barracuda ESG devices in the past. The latest campaign is said to have been aimed at government, IT and high-tech organizations in the US and the Asia-Pacific and Japan (APJ) region.

Hackers are actively targeting Apache OFBiz RCE flaw

The Shadowserver Foundation warned that it has observed “quite a few scans” that leverage public PoCs in attempts to exploit CVE-2023-49070, a pre-authentication Remote Code Execution (RCE) flaw in the Apache OFBiz (Open For Business) business application suite. The flaw exists due to the presence of an unmaintained XML-RPC interface and can be abused by a remote attacker to compromise the affected system. It was addressed in OFBiz version 18.12.10, released on December 5, 2023.

SonicWall researchers published a technical report on CVE-2023-51467, an authentication bypass vulnerability in Apache OFBiz that can be leveraged to achieve Server-Side Request Forgery (SSRF). The flaw was discovered while analyzing the patch for CVE-2023-49070, which had not addressed the root issue, leaving the authentication bypass possible.

Malicious actors are increasingly targeting Atlassian bugs

Researchers at threat intelligence company Grey Noise detected a spike in exploit attempts targeting multiple known vulnerabilities in Atlassian software. The list of exploited vulnerabilities is available here.

Russian military hackers APT 28 attack Ukraine and Poland with Masepie malware

Ukraine's Computer Emergency Response Team (CERT-UA) shared Indicators of Compromise associated with a new phishing campaign targeting Ukraine and Poland orchestrated by the Russian government hacking team known as APT28 (Fancy Bear). The campaign involved phishing emails that delivered a new Python malware downloader called Masepie along with several malicious tools, including a set of PowerShell scripts named 'Steelhook' designed to steal data from Chrome-based web browsers, a C# backdoor called ‘Oceanmap,’ as well as Impacket and Smbexec (both tools for network reconnaissance and lateral movement).

North Korean Kimsuky deploys AppleSeed, Meterpreter, and TinyNuke to take over infected servers

South Korea-based cybersecurity company AhnLab released a report examining the latest series of attacks by the North Korean threat actor Kimsuky, involving a variety of malware, including backdoors and tools such as AppleSeed, Meterpreter, and TinyNuke, to commandeer compromised servers.

Of note, the South Korean authorities imposed sanctions this week on eight North Korean individuals, including Ri Chang-ho, the head of the Reconnaissance General Bureau, believed to be behind North Korea's major cyberattacks, orchestrated by such hacking groups as Kimsuky, Lazarus and Andariel.

Also, AhnLab said it detected a significant surge in cyberattacks targeting poorly managed Linux SSH servers to deploy malware, including DDoS bots and coin miners.

Iran-linked cyberattack halts Albania's parliament

The Albanian Parliament’s work was disrupted due to a cyberattack where intruders attempted to breach the government servers and wipe all data. According to the government’s statement, the attackers have not been able to gain access to the data.

Reports from local media indicate that a cellphone provider and an airline were also targeted by cyberattacks allegedly carried out by an Iran-based hacker group known as Homeland Justice.

Malicious campaign targets users with fake VPN extensions

Researchers from ReasonLabs uncovered a large-scale malware campaign targeting users through a trojan installer hidden in thousands of torrent files. The installer, often disguised as popular video games such as Grand Theft Auto (GTA) and Assassin's Creed, forcibly installs malicious web extensions for Google Chrome and Edge.

The malicious installers identified by ReasonLabs primarily deliver one of three different harmful web extensions for Google Chrome and Edge, all posing as Virtual Private Networks (VPNs). Google has since removed the malicious extensions from the Chrome Web Store, but by that time the offending extensions (netPlus, netSave, and netWin) had together accumulated nearly 1.5 million installs.

Suspected LockBit ransomware attack disrupts operations at three German hospitals

Three hospitals in Germany were hit with ransomware attacks on December 24 that caused service disruptions and forced the facilities to shut down their entire IT systems. The three impacted hospitals are Franziskus Hospital in Bielefeld, Sankt Vinzenz Hospital in Rheda-Wiedenbrück, and Mathilden Hospital in Herford. Initial checks suggest that the LockBit ransomware group was behind the attack.

In other news, Australia's largest car dealership, Eagers Automotive, suffered a cyberattack that impacted the company’s IT infrastructure, leading to widespread operational disruptions at numerous locations in Australia and New Zealand. The company is investigating the incident to determine its scope and impact.

Europe’s largest parking app operator discloses a data breach

Europe’s largest parking application operator, EasyPark Group, which owns the RingGo and ParkMobile brands, disclosed a security incident in which customer data, including partial credit card numbers, was stolen. The breach was detected on December 10, 2023, the company said, adding that it resulted in the theft of non-sensitive data but did not impact its services. The stolen information included customer names, phone numbers, addresses, email addresses and parts of credit card numbers. Parking data, however, was not compromised in the incident.

Cybercrims leak massive volumes of personal data on the dark web

On Christmas Eve, multiple threat actors released substantial data dumps on the dark web tagged “Free Leaksmas,” containing compromised data from data breaches and hacks from a variety of companies and government agencies, including Peru’s leading telecom provider Movistar, Swedish fintech company Klarna, and Swiss technology company ESSEMTEC. More details are available in Resecurity’s report.

International police op identified 443 e-shops infected with credit card stealers

Europol, ENISA and law enforcement authorities from 17 countries identified hundreds of online merchants infected with credit card skimmers as part of an effort aimed at combating the rising threat of digital skimming attacks. The authorities notified 443 online merchants about the compromise of their customers' credit card and payment card data. During the operation, 23 families of JS-sniffers were detected and identified, including ATMZOW, health_check, FirstKiss, FakeGA, AngryBeaver, Inter, and R3nin.

Admin of Kingdom Market charged in the US

The US authorities indicted a 30-year-old Slovakian man, Alan Bill, on charges related to running Kingdom Market, a darknet market that facilitated the sale of drugs, stolen personal information, and various illegal goods. If convicted, Bill could face a very long time in prison and substantial fines.

New Xamalicious Android backdoor with potent capabilities discovered

McAfee's Mobile Research Team discovered a novel Android backdoor that has compromised more than 327,000 Android devices. Dubbed “Xamalicious,” the backdoor comes with potent capabilities that could facilitate device takeovers and further malicious actions.

Microsoft disables the MSIX app installer protocol abused by cybercriminals

Microsoft announced it is disabling the ms-appinstaller protocol handler by default due to its abuse by multiple threat actors, including financially motivated groups like Storm-0569, Storm-1113, Sangria Tempest, and Storm-1674, to distribute malware.

Multiple cybercriminals are also selling a malware kit as a service that abuses the MSIX file format and ms-appinstaller protocol handler. Signed malicious MSIX application packages are being distributed through malicious advertisements for legitimate popular software. Microsoft said threat actors have been abusing the app installer since mid-November 2023.
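For administrators who want to confirm that the ms-appinstaller protocol handler is off on managed Windows hosts rather than relying on the default change alone, the following PowerShell script is an added example (it is not from the article or from Microsoft). It assumes the Group Policy setting is backed by the registry value EnableMSAppInstallerProtocol under HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller, with 0 meaning the handler is disabled; check that path against current Microsoft documentation before deploying.

```powershell
# Added example: audit and enforce the policy that disables the ms-appinstaller
# protocol handler. Assumed policy location (verify against Microsoft docs):
#   HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller
#   DWORD EnableMSAppInstallerProtocol, 0 = disabled, 1 = enabled
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppInstaller'
$valueName  = 'EnableMSAppInstallerProtocol'

function Get-MsAppInstallerProtocolState {
    # Returns NotConfigured, Disabled or Enabled depending on the policy value.
    $item = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ([int]$item.$valueName -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-MsAppInstallerProtocol {
    # Creates the policy key if missing and sets the value to 0 (requires elevation).
    if (-not (Test-Path $policyPath)) {
        New-Item -Path $policyPath -Force | Out-Null
    }
    New-ItemProperty -Path $policyPath -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null
}

$state = Get-MsAppInstallerProtocolState
Write-Host "ms-appinstaller protocol policy: $state"

if ($state -ne 'Disabled') {
    Disable-MsAppInstallerProtocol
    Write-Host "Policy enforced; new state: $(Get-MsAppInstallerProtocolState)"
}
```

Run it from an elevated session; a NotConfigured result means the host is relying on whatever default the installed App Installer version ships with, which is exactly the state you want to replace with an explicit, auditable policy.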

NASA issues first space cybersecurity best practices guide

NASA released the first version of its Space Security Best Practices Guide to bolster mission cybersecurity efforts for both public sector and private sector space activities. The guide is designed to provide security guidance for missions, programs, or projects of any size.
