China-linked hackers exploited two zero-days in Ivanti Connect Secure VPN

A China-linked state-backed threat actor has been exploiting two previously unknown vulnerabilities in the Ivanti Connect Secure VPN product to place web shells on corporate servers.

One of the zero-day bugs (CVE-2023-46805) is an improper authentication issue in the Ivanti Connect Secure and Ivanti Policy Secure gateways that could be exploited by a remote attacker to bypass the authentication process. The other zero-day, tracked as CVE-2024-21887, is an OS command injection vulnerability that can be abused for remote arbitrary shell command execution.

The flaws affect all supported versions (9.x and 22.x) of Ivanti Connect Secure (ICS, formerly known as Pulse Connect Secure) and Ivanti Policy Secure gateways. Ivanti said it is working on security patches to address the flaws. In the meantime, the company has provided a workaround in the form of the mitigation.release.20240107.1.xml file to mitigate the risk of exploitation.

Microsoft's January 2024 Patch Tuesday fixes nearly 50 bugs

Microsoft released its first batch of security updates in 2024, addressing around 50 vulnerabilities impacting Microsoft products, including multiple remote code execution flaws.

One of the most notable flaws fixed as part of January 2024 Patch Tuesday is CVE-2024-20674, a security feature bypass issue that can allow a remote attacker to intercept a valid Kerberos authentication message from the authentication server and use it to impersonate the authentication server on the victim machine. While there’s no indication this vulnerability has been exploited in the wild, the exploitation is very likely following the public disclosure.

Besides the above-mentioned, Microsoft has fixed two bugs in the Windows Hyper-V subsystem (CVE-2024-20700 and CVE-2024-20699) that could allow to achieve remote code execution and perform a denial of service (DoS) attack, respectively.

Researchers sound alarm over the surge in exploitation of critical Apache OFBiz RCE flaw

SonicWall researchers said they have been observing thousands of daily attempts to exploit a critical vulnerability in the Apache OFBiz (Open For Business) system for nearly two weeks.

Tracked as CVE-2023-51467, the vulnerability is an authentication bypass flaw, which, if exploited, would allow a remote hacker to circumvent authentication processes, enabling them to remotely execute arbitrary code. The flaw was first disclosed in December 2023, and since then, attackers have been relentless in their efforts to exploit it.

Separately, researchers at VulnCheck created a proof-of-concept (PoC) code that exploits CVE-2023-51467 to execute payloads directly from memory.

Admins are urged to patch MS SharePoint Server vulnerability exploited by hackers

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Microsoft SharePoint Server vulnerability (CVE-2023-29357) to its Known Exploited Vulnerabilities (KEV) catalog, indicating that the flaw is being actively exploited by threat actors.

CVE-2023-29357 is described as an authentication bypass issue that could allow an attacker to gain administrator privileges.

Cisco fixes a high-severity bug in Cisco Unity Connection

Cisco released security updates designed to address a high-severity vulnerability in the Unity Connection unified messaging and voicemail solution.

Tracked as CVE-2024-20272, the vulnerability is an arbitrary file upload issue that can be exploited remotely, without authentication, to upload arbitrary files to a system, execute commands on the underlying operating system, and elevate privileges to root.

Dutch engineer planted billion-dollar Stuxnet malware at an Iran nuclear site

Dutch engineer Erik van Sabben, an operative of the Dutch General Intelligence and Security Service (AIVD), played a pivotal role in a covert operation that used the infamous Stuxnet malware to sabotage Iran’s nuclear program, the Dutch newspaper de Volkskrant revealed.

Van Sabben, who posed as an Iranian engineer, managed to infiltrate the Natanz nuclear facility, a critical site for Iran's nuclear program, and introduced the Stuxnet malware into the facility through a water pump. The meticulously planned mission, conducted in collaboration with the CIA and Mossad, reportedly cost a staggering $1 billion.

New report examines cyberattacks on energy sectors in Denmark and Ukraine

Forescout released a report analyzing cyberattacks against energy sectors in Denmark and Ukraine. In the case of Denmark, the attackers exploited remote command execution vulnerabilities (CVE-2023-28771, CVE-2023-33009 and CVE-2023-33010) in Zyxel firewalls.

In the Ukrainian incident, the Russian threat actor Sandworm orchestrated a coordinated disruptive cyberattack on one of the power plants that contributed to power outages across the country caused by the Russian missile strikes on the Ukrainian electrical grid.

The key takeaway in the report is that “critical infrastructure organizations across Europe should remain alert to attacks on unpatched network infrastructure devices.”

Turkey-linked Sea Turtle cyber spies target Dutch orgs

Researchers uncovered a series of cyberattacks in the Netherlands, believed to be orchestrated by a threat actor acting in the interests of Turkey, that have targeted telecommunication, media, ISPs, and IT-service providers, particularly those associated with Kurdish websites.

In its recent campaigns spanning 2021 to 2023, the threat actor, tracked as Sea Turtle, Teal Kurma, Marbled Dust, SILICON, and Cosmic Wolf, exploited vulnerabilities in the targets' infrastructure, utilizing supply chain and island-hopping attacks to collect intelligence and personal data of minority groups and potential political dissidents.

Chinese Volt Typhoon hackers target Cisco devices belonging to the US, UK and Australian governments

SecurityScorecard’s STRIKE team said it identified new infrastructure associated with the state-sponsored cyberespionage group known as Volt Typhoon, based in China. Approximately 30% of Cisco RV320/325 devices observed over a 37-day period may have been compromised by Volt Typhoon, leveraging well-known vulnerabilities (CVE-2019-1653, CVE-2019-1652) in Cisco routers, as well as 35 known vulnerabilities for the Dual Gigabit Wan VPN Router Firmware.

Researchers discovered evidence of a previously unspecified webshell called ‘fy.sh’ on Cisco routers and other network edge devices targeted by Volt Typhoon, revealing another web shell in addition to the well-known China Chopper. There is evidence that the hackers may have compromised devices belonging to the US, UK, and Australian governments.

UAC-0184 using IDF-themed lures in attacks targeting the Ukrainian military

CERT-UA warned of a new cyberespionage campaign targeting members of the Ukrainian Armed Forces, orchestrated by a threat actor tracked as UAC-0184. The campaign uses phishing lures linked to themes of war and military operations to deploy the RemcosRAT and ReverSessh malware.

Separately, the Ukrainian cyber defenders shared technical details and Indicators of Compromise (IOCs) related to the most recent cyberespionage campaign by a threat actor tracked as UAC-0050 that distributes RemcosRAT and QuasarRAT malware.

Ukrainian hacktivists leak the personal data of 38M clients of Russia’s largest bank

A Ukrainian hacktivist group known as KibOrg leaked the entire customer database of Russia's largest commercial bank, Alfa-Bank. The database contains full names, dates of birth, telephone numbers, account details and other sensitive data, totaling over 115 million records overall. Of these records, around 38 million are unique, the group said, noting that the database contains records dating as far back as 2004.

Pro-Ukraine hacktivists claim responsibility for a cyberattack on the Russian ISP M9com

A pro-Ukraine hacktivist group called 'Blackjack' claimed responsibility for a cyberattack on the Russian internet service provider (ISP) M9com. The group said that they not only disrupted M9com's internet services but also stole confidential data from the company. On their Telegram channel, the hackers provided a Tor URL containing three ZIP archives with images purportedly proving their access to M9com's systems, along with texts containing account credentials of employees and customers and 50GB of call data.

Screenshots revealed various destructive actions, including FTP command execution, deletion of server files, wiping of data from a backup device, removal of configuration files, and attacks on the RIPE database, billing portal, vSphere client, and Resource Public Key Infrastructure (RPKI) dashboard.

Threat actors abuse YouTube to distribute Lumma Stealer malware

Threat actors are using YouTube channels as a platform to distribute a variant of the Lumma Stealer malware. The attackers are using deceptive videos with content related to cracked software to lure unsuspecting users into downloading malicious content. These YouTube videos offer users installation guides incorporating malicious URLs often shortened using services like TinyURL and Cuttly. To circumvent web filter blacklists, the threat actors exploit open-source platforms like GitHub and MediaFire instead of deploying their malicious servers.

Atomic Stealer malware gets an update

Malwarebytes’ analyst Jérôme Segura takes a look at an updated version of a macOS information stealer called Atomic (or AMOS), indicating that the threat actors behind the malware are actively enhancing its capabilities to justify its $3000/month price tag. The new version comes with a new encryption routine to thwart detection by security software. Additionally, campaigns delivering Atomic Stealer have undergone some changes, using Google search ads impersonating Slack deploy Atomic Stealer or a malware loader called EugenLoader (aka FakeBat) depending on the operating system.

FBot hacking tool hijacks cloud, SaaS, and web services

A new report from SentinelLabs examines a recently discovered Python-based hacking tool called FBot designed to target targeting web servers, cloud services, and SaaS platforms like AWS, Office365, PayPal, Sendgrid, and Twilio.

Financially motivated hackers target MSSQL servers, deploy Mimic ransomware

The Securonix Threat Research team discovered a malicious campaign, codenamed RE#TURGENCE, which involves targeting and exploitation of Microsoft SQL (MSSQL) database servers. The modus operandi of the campaign suggests a two-fold conclusion, with the threat actors either selling unauthorized access to compromised hosts or culminating in the deployment of ransomware payloads.

New Mirai-based NoaBot botnet used for crypto mining

A new Mirai-based botnet dubbed 'NoaBot' has been discovered. It has been used by threat actors as part of a crypto mining campaign since the beginning of 2023.

The botnet’s capabilities include a wormable self-spreader and an SSH key backdoor to download and execute additional binaries or spread itself to new victims. As part of the attack, a modified version of the XMRig miner is dropped. The miner obfuscates its configuration and also uses a custom mining pool to avoid exposing the wallet address used by the miner.

Ransomware actors pose as security researchers in extortion attempts

Researchers at Arctic Wolf Labs said they observed multiple instances of ransomware cases where victim organizations were contacted post-compromise for additional extortion attempts. In two investigated cases, threat actors posed as helpful entities offering to hack into the server infrastructure of the attackers to delete exfiltrated data. This marks the first known instance of a threat actor disguising as a legitimate security researcher to delete hacked data from a separate ransomware group. For more details, read Arctic Wolf’s report.

Decryptor for Babuk Tortilla ransomware variant released

Security researchers at Cisco Talos and Avast in cooperation with Dutch police, released an updated decryptor for the Babuk ransomware family to help victims of the Tortilla variant restore encrypted files without paying a ransom. The Talos team said they obtained executable code capable of decrypting files affected by the Babuk Tortilla ransomware variant following the arrest of the hacker behind Babuk Tortilla operations. This allowed the researchers to obtain the private decryption key and incorporate it into the Avast Babuk decryptor, released in 2021.

Finland’s cyber authorities warn of Akira ransomware attacks

The Finish National Cybersecurity Center (NCSC-FI) has warned of increased Akira ransomware activity in December, targeting companies in the country and wiping backups. Of the ransomware malware cases reported in December, six out of seven involved Akira family malware, the agency said.

ShinyHunters hacker gets 3 years, ordered to pay $5M

A 22-year-old member of the infamous ShinyHunters hacking group was sentenced in the US for his role in a global cybercrime operation. Sebastien Raoult, aka Sezyo Kaizen, was apprehended in 2022 in Morocco and was extradited to the United States in January 2023, where he was charged with conspiracy to commit wire fraud and aggravated identity theft.

Raoult and his co-conspirators hacked enterprise computer networks worldwide to steal confidential information and customer records, including private and financial data. Hackers then sold stolen data on underground forums, such as RaidForums, EmpireMarket, and Exploit. Between April 2020 and July 2021, ShinyHunters posted sales of hacked data from more than 60 companies.

US charges 19 people involved in running and using xDedic dark web marketplace

The US authorities said they concluded the investigation into a dark web marketplace called ‘xDedic’ that sold stolen login credentials, access to hacked servers, and personally identifiable information (PII). As a result, 19 people involved in running and using xDedic dark web marketplace were charged and sentenced. Among the sentenced are two key figures behind the marketplace, as well as a top buyer and a top seller.

China says it cracked Apple’s AirDrop encryption

The Beijing Municipal Bureau of Justice announced that a local forensic institute has successfully cracked the encryption around Apple’s AirDrop wireless file sharing function to identify those who are using the feature.

This allows the extraction of mobile phone numbers and email addresses of AirDrop content senders from the devices of content receivers. Chinese authorities said the information helped catch people sending ”inappropriate information.”

Mandiant’s X account hack linked to $900K cryptocurrency phishing scheme

Google-owned cybersecurity firm Mandiant revealed that its X (formerly known as Twitter) account was hacked using a “brute force password attack.” The account hijacking was part of a cryptocurrency phishing campaign linked to a drainer-as-a-service (DaaS) called ‘CLINKSINK.’ The operators of the service provide the drainer scripts to affiliates in exchange for a percentage of the stolen funds, typically around 20%. Mandiant estimates the total value of assets stolen by affiliates in these recent campaigns to be at least $900,000.

Mandiant’s X account hack is just one in the long list of similar incidents affecting entities like Hyundai, Netgear, CertiK, CoinGecko, Bloomberg Crypto, and most recently, the US Securities and Exchange Commission (SEC). In the latter incident, a threat actor posted a message on the SEC’s X account announcing the approval of a long-awaited bitcoin exchange-traded fund.

X's Safety team said that the SECgov account did not have two-factor authentication enabled, and the attacker was able to gain control over a phone number tied to the account.