5 July 2024

Cyber Security Week in Review: July 5, 2024


High-severity OpenSSH flaw discovered, mass exploitation unlikely

Cybersecurity researchers have warned about a high-severity OpenSSH vulnerability, named “regreSSHion,” that can allow unauthenticated attackers to execute remote code. Tracked as CVE-2024-6387, the vulnerability can potentially lead to complete system takeover, allowing malware and backdoors to be deployed. The flaw, a regression of a previously patched 2006 issue, was inadvertently reintroduced in 2020 and recently patched in OpenSSH version 9.8p1.

Qualys identified over 14 million potentially vulnerable internet-exposed OpenSSH instances using Shodan and Censys, of which about 700,000 appear to be actually vulnerable. However, Palo Alto Networks said it has not been able to reproduce remote code execution in its tests and suggested that mass exploitation is unlikely. Although there have been attempts to exploit CVE-2024-6387, no confirmed in-the-wild attacks have been reported so far.
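Because the fix is tied to a release number, the first triage step most defenders take is to compare the version each host advertises in its SSH banner with the affected range. The script below is an added example, not code from the article or from Qualys; it takes the patched release (9.8p1) from the article and the affected range (8.5p1 up to 9.8p1, plus anything older than the 2006 fix in 4.4p1) from the Qualys advisory. The hostnames and banners are constructed samples, and `grab_banner` is a helper for reading the banner from hosts you administer.

```python
"""Banner-based triage for CVE-2024-6387 ("regreSSHion").

Added example, not from the original article. Classifies OpenSSH version
banners against the affected range published by Qualys: 8.5p1 up to but not
including 9.8p1, plus anything older than 4.4p1 (the original 2006 fix).
The inventory below is a constructed sample.
"""
import re
import socket

BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)")

FIXED = (9, 8)         # 9.8p1 is the first patched release (per the article)
REGRESSED = (8, 5)     # regression introduced with 8.5p1 (per Qualys advisory)
ORIGINAL_FIX = (4, 4)  # 4.4p1 fixed the original 2006 bug, CVE-2006-5051


def classify_banner(banner: str) -> str:
    """Return 'affected', 'not-affected' or 'unknown' for one SSH banner.

    'affected' means the upstream version falls in the known-bad range;
    distributions often backport the fix without bumping the version, so
    treat this as a triage signal, not a verdict.
    """
    m = BANNER_RE.search(banner)
    if not m:
        return "unknown"  # not OpenSSH (e.g. dropbear) or no version string
    version = (int(m.group(1)), int(m.group(2)))
    if version < ORIGINAL_FIX:
        return "affected"
    if REGRESSED <= version < FIXED:
        return "affected"
    return "not-affected"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by classification so patch work can be prioritised."""
    groups: dict[str, list[str]] = {"affected": [], "not-affected": [], "unknown": []}
    for host, banner in inventory.items():
        groups[classify_banner(banner)].append(host)
    return groups


def grab_banner(host: str, port: int = 22, timeout: float = 3.0) -> str:
    """Read the server identification line from a host you administer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", errors="replace").strip()


# Constructed sample inventory: hostnames and banners are made up.
SAMPLE_INVENTORY = {
    "bastion.example.test": "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.4",
    "legacy.example.test": "SSH-2.0-OpenSSH_4.3",
    "build.example.test": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "patched.example.test": "SSH-2.0-OpenSSH_9.8p1",
    "appliance.example.test": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

The comparison deliberately uses only the major and minor numbers, because 9.8p1 and 8.5p1 are the first portable builds of their respective releases. Banner matching produces false positives where a distribution backports the fix without changing the upstream version (Debian and Ubuntu did this), so an "affected" result should be confirmed against the package changelog before anyone raises an incident.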

Juniper Networks releases out-of-band security updates to fix critical router flaw

US-based networking products maker Juniper Networks has issued out-of-band security updates to address a critical vulnerability in some of its routers that could lead to an authentication bypass. The flaw, identified as CVE-2024-2973, exists due to missing authentication checks when a device runs with a redundant peer. A remote, unauthenticated attacker can bypass authentication and take full control of the affected device. According to Juniper, the vulnerability affects only routers or conductors running in high-availability redundant configurations.

Chinese Velvet Ant APT caught exploiting Cisco zero-day to breach Nexus devices

A China-linked threat actor has been exploiting a zero-day vulnerability in Cisco Nexus devices as part of its cyberespionage campaign, cybersecurity firm Sygnia reported. The zero-day (CVE-2024-20399) is an OS command injection issue caused by improper input validation that allows a local user to execute arbitrary commands as root on the underlying operating system of an affected device. The flaw has been exploited by a Chinese threat actor known as Velvet Ant to execute commands on compromised Nexus devices and deploy previously unreported malware that allowed the attackers to connect remotely to the breached device, upload additional files, and execute code.

Threat actors are exploiting Microsoft MSHTML flaw to deploy MerkSpy spyware

Unknown threat actors have been exploiting a now-patched security flaw in Microsoft MSHTML (CVE-2021-40444) to deliver a surveillance tool called MerkSpy. The campaign primarily targets users in Canada, India, Poland, and the US. MerkSpy is designed to monitor user activities, capture sensitive information, and establish persistence on compromised systems.

The attack begins with exploiting a vulnerability in the MSHTML component used by Internet Explorer, initiating the download of "olerender.html," which contains JavaScript and embedded shellcode. The shellcode decodes the content to execute an injector that loads MerkSpy into memory and integrates it with active system processes.

Polyfill supply chain attack affects over 380K hosts

A recently disclosed supply chain attack on the widely used Polyfill[.]io JavaScript library has impacted over 380,000 hosts, according to new findings from Censys. The attack became possible in February 2024, when Chinese company Funnull acquired the previously legitimate Polyfill[.]io domain and GitHub account.

The majority of impacted hosts have been observed in Germany, particularly within the Hetzner network (AS24940). Major companies such as Hulu, Mercedes-Benz, Pearson, and Warner Bros. are also affected, with many of their hosts still linking to the compromised polyfill endpoint.

Censys said it also observed 182 affected hosts displaying a “.gov” domain.
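A site is "affected" in the Censys sense simply by embedding a script or preload tag that points at the compromised domain, so the corresponding defensive check is to scan your own pages for such references. The scanner below is an added example, not code from the article or from Censys; it uses only the Python standard library, and the HTML it scans is a constructed sample.

```python
"""Scan HTML for references to the compromised polyfill.io domain.

Added example, not from the original article or from Censys. Uses only the
standard library; the HTML below is a constructed sample.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain named in the article; subdomains such as cdn.polyfill.io are covered.
COMPROMISED_DOMAINS = {"polyfill.io"}


def is_compromised_host(url: str) -> bool:
    """True if the URL's host is polyfill.io or a subdomain of it."""
    host = urlparse(url).hostname  # handles https://, http:// and //-relative URLs
    if not host:
        return False  # relative path such as /static/app.js
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in COMPROMISED_DOMAINS)


class PolyfillScanner(HTMLParser):
    """Collect <script> and <link> tags whose src/href points at polyfill.io."""

    def __init__(self):
        super().__init__()
        self.findings: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "link"):
            return
        for name, value in attrs:
            if name in ("src", "href") and value and is_compromised_host(value):
                self.findings.append((tag, value))


def find_polyfill_refs(html: str) -> list[tuple[str, str]]:
    """Return (tag, url) pairs for every reference to the compromised domain."""
    scanner = PolyfillScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: three real hits, two decoys that must not match.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<link rel="preload" as="script" href="https://cdn.polyfill.io/v2/polyfill.js">
<script src="https://notpolyfill.io/x.js"></script>
<script src="/static/polyfill.io.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for tag, url in find_polyfill_refs(SAMPLE_HTML):
        print(f"<{tag}> references {url}")
```

Matching on the parsed hostname rather than on the substring "polyfill.io" matters: the two decoy tags in the sample (a look-alike domain and a local file whose name contains the string) would otherwise produce false positives, while the protocol-relative `//polyfill.io/...` form would be missed by a naive `https://` prefix match. Any hit should be removed or replaced with a self-hosted copy of the polyfills the page actually needs.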

TeamViewer hack linked to Russia’s Midnight Blizzard APT

Remote access software company TeamViewer has attributed the recent security breach to a Russian state-sponsored threat actor tracked as Midnight Blizzard aka APT29, believed to be associated with the Russian Foreign Intelligence Service (SVR). The company said that “credentials of a standard employee account” within its corporate IT environment were involved in the attack, although TeamViewer didn’t specify how exactly the hackers managed to breach the employee’s account and infiltrate the system.

The intruders leveraged the compromised employee account to copy employee directory data (names, corporate contact information, and encrypted employee passwords) from the company's internal corporate IT environment. In its latest update, published on July 4, the company said it had concluded the investigation, which showed that the incident was contained to its internal corporate IT environment. Neither TeamViewer's separate product environment, its connectivity platform, nor customer data was impacted.

Twilio confirms Authy data breach exposing users' data

Cloud communications provider Twilio has disclosed a security breach involving its two-factor authentication service, Authy. Unidentified threat actors exploited an unauthenticated endpoint within Authy to gain access to sensitive data associated with user accounts, including cell phone numbers. The provider added that it has no evidence that the intruders obtained access to Twilio’s systems or other sensitive data. However, the company recommends that all Authy users update to the latest Android and iOS apps for the latest security updates.

Roll20 discloses a data breach

Roll20, a popular online platform for tabletop role-playing games (RPGs), disclosed that its systems had been breached. The breach, occurring on June 29, allowed an intruder to access the company's administrative website and view user accounts. The exposed data included users' personally identifiable information (PII), such as first and last names, email addresses, last known IP addresses, and the last four digits of credit cards for users with stored payment methods. The company said that passwords, protected by a salt and bcrypt hash, and full payment information were not compromised.

Transparent Tribe expands social engineering campaign with malware-laced Android apps

A Pakistan-linked cyber espionage group known as Transparent Tribe has been observed unleashing malware-laced Android apps as part of a sophisticated social engineering campaign, with malicious APKs targeting a broader range of individuals, including mobile gamers, weapons enthusiasts, and TikTok users.

The latest campaign, dubbed CapraTube, follows a similar operation observed in September 2023. During that campaign, the group used weaponized Android apps disguised as legitimate applications like YouTube to distribute CapraRAT, a modified version of AndroRAT spyware capable of capturing a wide range of sensitive data.

Unlike its predecessors, the current campaign's app, named Crazy Games, appears non-malicious as it lacks several critical CapraRAT permissions such as sending SMS, making calls, accessing contacts, or recording audio and video.

North Korean Kimsuky deploys Translatext Chrome extension to target South Korea

Zscaler ThreatLabz has uncovered new activity from the notorious North Korean-backed advanced persistent threat (APT) group tracked as Kimsuky. The latest findings reveal that Kimsuky has developed a new Google Chrome extension named “Translatext” to further their espionage efforts, specifically targeting the South Korean academic sector. The extension is designed to steal a wide range of sensitive information, including email addresses, usernames, passwords, cookies, and browser screenshots. It can bypass security measures of several major email service providers, such as Gmail, Kakao, and Naver, which are widely used in South Korea.

Info-stealer logs can help identify visitors of child abuse websites

Cybersecurity firm Recorded Future said it has identified thousands of credentials linked to child sexual abuse material (CSAM) websites within info-stealer logs sold on the dark web.

The researchers were able to trace users of such sites through credentials harvested by info-stealer malware. Typically designed to steal login details for banking services, info-stealer malware also captures credentials for other accounts, including those on .onion websites known for trafficking CSAM. Despite the Tor network's anonymity measures, these logs provide a link between anonymous CSAM website users and their accounts on clear web platforms like Facebook, where real names and personal details are often used.

The research team identified 3,324 unique credentials used to access known CSAM websites. This data provided statistics on individual sources and users, including usernames, IP addresses, and system information.

Unfurling Hemlock threat actor deploys up to 10 malware files simultaneously

A financially motivated Eastern European threat actor dubbed “Unfurling Hemlock” has been deploying up to 10 unique malware files simultaneously on systems belonging to individuals in the US, Germany, Russia, and multiple other countries.

According to researchers at OutPost24, the attackers have been using compressed Microsoft Cabinet (CAB) files nested within other compressed CAB files—sometimes as many as seven levels deep—to distribute a variety of information stealers and malware loaders on victim systems. The malware deployed by Unfurling Hemlock includes notorious information stealers such as Mystic Stealer, Rise Pro, and Redline, along with loaders like SmokeLoader and Amadey.

Ethereum mailing list breach exposes thousands of users to crypto theft

A threat actor compromised Ethereum's mailing list provider and sent phishing emails to over 35,000 addresses. The email went to 35,794 addresses in total, combining the attacker's own email list with 3,759 addresses exported from Ethereum's blog mailing list. The phishing email lured recipients to a malicious website hosting a crypto drainer, which emptied wallets if users initiated and signed a transaction.

New ransomware actor Volcano Demon phones execs to negotiate payment

Halcyon researchers discovered a new ransomware operation, dubbed Volcano Demon, which deploys the ransomware called LukaLocker. The malware encrypts victim files with the .nba extension, with both Windows and Linux versions detected on victim networks.

In the observed attacks, Volcano Demon successfully locked both Windows workstations and servers by utilizing common administrative credentials harvested from the network. Prior to encryption, data was exfiltrated to command-and-control (C2) services for double extortion.

Interestingly, Volcano Demon does not have a leak site but instead uses phone calls to leadership and IT executives to extort and negotiate payment. These calls are made from unidentified numbers and can be threatening in tone and expectations.

Indian IT firm hit with supply chain attack delivering info-stealers

Indian software company Conceptworld has had its website compromised in a supply chain attack that distributed info-stealing malware through trojanized versions of the company's apps Notezilla, RecentX, and Copywhiz. The investigation revealed that the suspicious behavior originated from the installation of Notezilla, a desktop sticky notes application. Further analysis of the installation packages for Notezilla, RecentX, and Copywhiz confirmed that all three installers had been trojanized to execute information-stealing malware named dllFake.

South Korean ERP vendor's update systems hijacked to deploy Xctdoor backdoor

A threat actor has compromised an update server of an unnamed South Korean ERP vendor to distribute malware instead of legitimate updates, a recent report from AhnLab's Security Intelligence Center (ASEC) revealed. While the researchers didn’t attribute the attacks to a particular threat actor, they said that the attack techniques bore similarities to TTPs employed by the Andariel group, a subsidiary of the North Korea-linked Lazarus Group.

In an incident that took place in May 2024, the attackers inserted a routine to execute a DLL from a specific path using the Regsvr32.exe process, rather than inserting a downloader routine as seen in previous attacks. The identified DLL, now classified as “Xctdoor,” is capable of stealing system information and executing commands from the attackers.

Russia is reportedly using Kaliningrad to disrupt EU satellites

Russia has reportedly been using Kaliningrad, its strategic exclave bordering Poland and Lithuania, as a base to disrupt European Union satellite systems. For several months, European satellite companies have reported being targeted by Russian radio frequency interference, leading to broadcast interruptions and, in at least two instances, violent programming overriding content on children's channels. Initially, complaints from several NATO members identified the sources of disruption as mainland Russia and occupied Crimea. However, the latest findings of the ITU's Radio Regulations Board (RRB) indicate that recent interference originated from locations including Kaliningrad and Moscow.

Global police op shuts down Cobalt Strike servers used by cybercriminals

A coordinated law enforcement effort has resulted in the disruption of nearly 600 servers linked to the misuse of the penetration testing tool Cobalt Strike by cybercriminals. The action, dubbed ‘Operation Morpheus’ and led by the UK's National Crime Agency (NCA), took place between June 24 and 28 and targeted unlicensed versions of Cobalt Strike. Law enforcement identified and flagged known IP addresses and domain names associated with criminal activity for online service providers to disable. This led to the identification of 690 IP addresses across 27 countries, of which 593 had been successfully taken down by the end of the week.

In a separate report, Europol has raised concerns that home routing, a service allowing international travelers to route their communications through their home network, is significantly hindering law enforcement's ability to gather vital evidence. Criminals are exploiting this practice to evade detection, creating an “uneven equilibrium” that impedes police duties.

Once home routing is deployed, intercepting communications from suspects using foreign SIM cards becomes impossible, Europol said. This issue arises both when a foreign national uses their own SIM card in another country and when local citizens or residents use a foreign SIM card in their own country. The only exception is when a domestic service provider, which can receive domestic interception orders, has a cooperation agreement with the foreign service provider that disables the privacy-enhancing technologies (PET) used in home routing.

Ransomware gang that encrypted Indonesian data center apologizes, promises to release decryption keys

A ransomware group that previously attacked a national Indonesian data center, causing major disruptions to public services and holding the country's government to an $8 million ransom, has issued an apology. The attack, which occurred last month, disrupted over 230 government agencies and services. The hackers have now promised to release the decryption keys and requested a public expression of gratitude from the government.
