23 August 2024

Cyber Security Week in Review: August 23, 2024


Hardcoded credential issue found in SolarWinds Web Help Desk

SolarWinds has released patches to address a critical security flaw in its Web Help Desk (WHD) software, which could allow remote, unauthenticated users to gain unauthorized access and modify data. The vulnerability, tracked as CVE-2024-28987, involves hardcoded credentials that can be exploited to access internal functionality. Users are urged to update to version 12.8.3 Hotfix 2 to mitigate the risk. This comes after SolarWinds addressed another severe vulnerability (CVE-2024-28986) in the same software, which could enable arbitrary code execution.

CISA warns of actively exploited security flaws in Dahua cameras

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two authentication bypass vulnerabilities affecting various Dahua products to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerabilities, identified as CVE-2021-33044 and CVE-2021-33045, affect Dahua firmware on IP cameras, indoor monitors, intercom stations, and DVRs. CVE-2021-33044 can be exploited by specifying a NetKeyboard type argument during authentication, while CVE-2021-33045 is triggered by specifying a loopback device. Both vulnerabilities allow attackers to bypass authentication and impact Dahua firmware versions released before June 2021 and mid-2020, respectively.

Google fixes Chrome zero-day exploited in the wild

Google rolled out Chrome version 128.0.6613.84/.85 for Windows and macOS users, and 128.0.6613.84 for Linux users, addressing a high-severity zero-day vulnerability that has been actively exploited in the wild. The vulnerability, tracked as CVE-2024-7971, is caused by a type confusion flaw in Chrome's V8 JavaScript engine. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.

CISA warns of actively exploited Jenkins RCE bug

CISA has added a high-risk vulnerability affecting Jenkins, a widely-used open-source automation server, to its Known Exploited Vulnerabilities Catalog (KEV).

The flaw, tracked as CVE-2024-23897, is an arbitrary file read issue that exists because the application did not disable a feature of its CLI command parser (args4j) that replaces an "@" character followed by a file path in an argument with the file's contents. A remote attacker with Overall/Read permission can read arbitrary files on the Jenkins controller file system; attackers without that permission can still read the first few lines of a file. Reading secrets such as the controller's cryptographic key files can be chained into remote code execution.

Jenkins developers released patches in January 2024 (Jenkins 2.442 and LTS 2.426.3), which disable the command parser feature. Shortly after, multiple proof-of-concept (PoC) exploits emerged online, and exploitation attempts were reported just one day later.

Chinese Velvet Ant APT uses a zero-day to deploy malware on Cisco Nexus switches

Cybersecurity company Sygnia shared additional details on the attack by the China-linked Velvet Ant actor, which exploited a then-unknown flaw in Cisco switches (CVE-2024-20399, since patched) to seize control of the appliances and evade detection. The flaw is an OS command injection issue in the NX-OS CLI: because arguments passed to certain configuration commands are not validated properly, a local attacker with valid administrator credentials can execute arbitrary commands as root on the underlying operating system of an affected device.

Velvet Ant used the bug to deploy custom malware that evaded the switches' standard security tooling, giving the actor extensive control over the device, data exfiltration and persistent access. Sygnia's new report describes how the actor compromised the Cisco switch appliances and used them as a stealthy foothold for further attacks.

New MoonPeak RAT linked to North Korean cyber espionage group

A new remote access trojan (RAT) named MoonPeak is being used in a malicious campaign attributed to a North Korean state-sponsored threat group. The campaign, discovered and analyzed by Cisco Talos, is linked to an activity cluster tracked as UAT-5394, which shows tactical overlaps with the well-known North Korean cyber espionage group Kimsuky. MoonPeak, which is still under active development, is a variant of the open-source XenoRAT malware. Cisco Talos' investigation found that MoonPeak retains many XenoRAT features but has been modified in ways that suggest the threat actors are evolving the code independently of the original open-source project.

North Korean hackers BlueNoroff add new macOS malware TodoSwift to their arsenal

A new strain of macOS malware believed to be the work of the North Korean state-backed APT group BlueNoroff has been discovered. Dubbed 'TodoSwift' by Kandji researchers, the malware first surfaced when a signed file named TodoTasks was uploaded to VirusTotal on July 24, 2024. TodoSwift shares several behavioral patterns with other known North Korea-linked malware, particularly the BlueNoroff-associated KANDYKORN and RustBucket.

Recently patched Windows zero-day exploited by North Korea’s Lazarus hackers

The North Korean state-sponsored hacking outfit Lazarus Group has been observed exploiting a zero-day vulnerability in Microsoft Windows that Microsoft fixed as part of this month's Patch Tuesday release. The flaw, tracked as CVE-2024-38193, is a privilege escalation bug in the Windows Ancillary Function Driver for WinSock (AFD.sys), which a local attacker can exploit to run code with SYSTEM privileges.

According to researchers at Gen Digital, the Lazarus Group, known for its sophisticated cyber espionage campaigns, began exploiting the flaw as early as June 2024. The researchers found the group abusing the AFD.sys driver to reach highly sensitive parts of the system, bypassing standard security restrictions.

Hackers exploit PHP vulnerability to deploy Msupedge backdoor

Threat actors have deployed a previously undocumented backdoor dubbed 'Msupedge' in an attack on an unnamed university in Taiwan, according to new findings from the Symantec Threat Hunter Team. The most likely initial access vector was CVE-2024-4577, a recently patched argument injection flaw in PHP-CGI on Windows: a specially crafted HTTP request can pass command-line options to the PHP interpreter, leading to remote code execution. Fixes shipped in PHP 8.3.8, 8.2.20 and 8.1.29.
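The mechanism behind CVE-2024-4577 is that, in certain Windows locales, the Best-Fit character mapping turns a soft hyphen (0xAD) in the query string into a real hyphen before php-cgi parses its command line, so a request such as `?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input` hands `-d` options to the interpreter. The following Python is an added example, not part of Symantec's report or the PHP project: a log-line scanner that decodes request targets and flags php-cgi option injection by that pattern. The sample request lines, the directive watch-list and the function names are constructed for the illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines ("METHOD target HTTP/x"), not real traffic.
SAMPLE_REQUESTS = [
    "GET /index.php?page=about HTTP/1.1",
    "POST /test.hello?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1",
    "GET /php-cgi/php-cgi.exe?%ADd+cgi.force_redirect%3d0+%ADd+cgi.redirect_status_env%3d0 HTTP/1.1",
    "GET /index.php?q=%AD HTTP/1.1",
]

# php.ini directives that are typically set via -d when abusing php-cgi
# (constructed watch-list; extend to taste).
WATCHED_DIRECTIVES = {
    "allow_url_include",
    "auto_prepend_file",
    "cgi.force_redirect",
    "cgi.redirect_status_env",
    "disable_functions",
}

# A '-d' switch introduced by a real hyphen, a raw 0xAD byte, or its UTF-8
# form 0xC2 0xAD, followed by a directive name and '='.
SWITCH_RE = re.compile(rb"(?:\xc2\xad|\xad|-)\s*d\s*([A-Za-z_.]+)\s*=")


def decode_query(request_line):
    """Percent-decode the query string of a request line once, treating '+'
    as a space the way CGI does; returns b'' when there is no query."""
    parts = request_line.split(" ")
    if len(parts) < 2 or "?" not in parts[1]:
        return b""
    query = parts[1].split("?", 1)[1]
    return unquote_to_bytes(query).replace(b"+", b" ")


def scan_request_line(request_line):
    """Return the watched directives injected via -d, and whether the soft
    hyphen (the CVE-2024-4577 vector) was used to smuggle the switch."""
    query = decode_query(request_line)
    directives = [m.group(1).decode("ascii") for m in SWITCH_RE.finditer(query)]
    return {
        "request": request_line,
        "soft_hyphen": b"\xad" in query,
        "directives": [d for d in directives if d in WATCHED_DIRECTIVES],
    }


def scan_requests(lines):
    """Keep only the findings that carry at least one injected directive."""
    return [f for f in map(scan_request_line, lines) if f["directives"]]


if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding["request"])
        print("  directives:", ", ".join(finding["directives"]),
              "| soft hyphen:", finding["soft_hyphen"])
```

Because the regex also accepts a plain hyphen, the same rule catches the older CVE-2012-1823 style of `?-d allow_url_include=1` injection. The scanner decodes only once; a double-encoded query would need a recursive decode. Detection is a backstop here: the fix is the PHP update (or not exposing php-cgi at all).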

Msupedge is a backdoor embedded within a dynamic link library (DLL) that allows attackers to maintain persistent access to the compromised systems. The backdoor uses DNS tunneling for communication with the C&C server.
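Msupedge's use of DNS tunneling is a reminder that resolver logs are worth mining. The following Python is an added example, not taken from the Symantec report: a simple scorer that flags query names whose longest subdomain label is both long and high-entropy, the shape encoded data takes when it is smuggled through DNS. The sample query names, thresholds and function names are constructed for the illustration; a production rule would add per-domain query volume and an allow-list for CDN naming patterns that legitimately look random.

```python
import math
from collections import Counter

# Constructed sample of query names as they would appear in resolver logs.
SAMPLE_QUERIES = [
    "www.example.com",
    "mail.google.com",
    "a3f9c2e1b7d04e6f8a1c5d9e2b3f7a0c.updates.example-cdn.net",
    "4k2n9x7q1w8e5r3t6y0u2i4o6p8a1s3d5f7g9h.c2.example.org",
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0.c2.example.org",
    "cdn.static.example.com",
]


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_subdomain_label(name, base_labels=2):
    """Longest label left of the registrable domain. The registrable domain
    is assumed to be the last `base_labels` labels; a public-suffix list
    would handle cases such as example.co.uk properly."""
    labels = name.lower().rstrip(".").split(".")
    sub = labels[:-base_labels] if len(labels) > base_labels else []
    return max(sub, key=len, default="")


def score_query(name):
    """Length and entropy of the most payload-like label of a query name."""
    label = longest_subdomain_label(name)
    return {
        "name": name,
        "label_len": len(label),
        "entropy": round(shannon_entropy(label), 2),
    }


def is_tunnel_candidate(score, min_len=24, min_entropy=3.5):
    """Long AND high-entropy: hex (at most 4 bits/char) and base32/base64
    payloads clear both bars, ordinary host names rarely do."""
    return score["label_len"] >= min_len and score["entropy"] >= min_entropy


def flag_tunnel_candidates(names):
    """Names from `names` that look like encoded payload carried in DNS."""
    return [s["name"] for s in map(score_query, names) if is_tunnel_candidate(s)]


if __name__ == "__main__":
    for name in SAMPLE_QUERIES:
        s = score_query(name)
        mark = "TUNNEL?" if is_tunnel_candidate(s) else "ok"
        print(f"{mark:8} len={s['label_len']:3} H={s['entropy']:.2f}  {name}")
```

Entropy alone is not enough (a 6-character label can score high), and length alone is not enough (long but repetitive CDN labels score low), which is why both thresholds are required. Unique-subdomain counts per base domain over a time window are the natural next signal to add.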

UAC-0020 hackers exploit POW theme to deliver spyware, CERT-UA says

Ukraine's Government Computer Emergency Response Team (CERT-UA) has detected a series of cyberattacks that exploit the sensitive topic of prisoners of war (POWs) captured during Ukraine's incursion into Russia's Kursk region. The attacks are carried out through emails containing photographs purportedly showing POWs and a link to download an archive file. The campaign has been attributed to the UAC-0020 group, also known as Vermin, which is linked to security agencies in Ukraine's Luhansk region, occupied by Russia since 2014.

US intelligence agencies blame Iran for cyberattacks on Trump and Harris campaigns

The US ODNI, FBI, and CISA have released a joint statement confirming that Iran is responsible for a series of cyberattacks targeting the presidential campaigns of former President Donald Trump and Vice President Kamala Harris.

Following an extensive investigation, intelligence officials concluded that Iran has intensified its cyber operations, aiming to exploit societal tensions and undermine confidence in the US democratic process. The agencies highlighted that Iran has a longstanding interest in influencing US elections, particularly through cyber operations designed to access sensitive information and sway public opinion.

Researchers uncover new FIN7 infrastructure

Cybersecurity researchers have uncovered new infrastructure linked to a financially motivated threat group known as FIN7, indicating that the group is continuing its operations despite previous attempts to disrupt its activities. The findings, which were detailed in a report by Team Cymru, reveal two distinct clusters of potential FIN7 activity associated with IP addresses in Russia and Estonia.

OpenAI blocks ChatGPT accounts used for Iranian influence operations

OpenAI said it has removed a network of ChatGPT accounts used by an Iranian threat actor for influence operations. The company has linked the accounts to a group tracked as Storm-2035, first identified in April 2024.

A novel phishing campaign targeting Android and iOS users

A new phishing campaign is targeting mobile banking users in the Czech Republic, exploiting Progressive Web Applications (PWAs) to steal banking credentials. The attack, uncovered by Slovak cybersecurity firm ESET, has already targeted clients of banks in Czechia, Hungary and Georgia. The phishing campaign employs a variety of delivery mechanisms, including automated voice calls, SMS messages, and malvertising on social media platforms like Facebook and Instagram. Once a user is tricked, they are prompted to install a malicious PWA or WebAPK, depending on their device’s operating system.

Styx Stealer developer's OPSEC blunder sheds light on malware ops

A suspected developer behind the recently emerged malware known as Styx Stealer has made a significant operational security (OPSEC) mistake, leading to the exposure of critical data, including information about clients and earnings. This slip-up was noticed by researchers at the Israel-based cybersecurity firm Check Point, which has been closely analyzing the malware.

New Cthulhu Stealer malware harvests data from macOS systems

Cybersecurity researchers have discovered a new macOS-targeted malware called Cthulhu Stealer, designed to harvest a wide range of user data. Available under a malware-as-a-service (MaaS) model for $500 per month since late 2023, Cthulhu Stealer can target both x86_64 and Arm architectures.

Qilin ransomware steals credentials stored in Google Chrome

The Sophos X-Ops team released a report detailing a recent cyberattack where threat actors behind a Qilin ransomware attack stole credentials stored in Google Chrome browsers on a few compromised endpoints. The attackers gained access to the target network through compromised VPN credentials that lacked multi-factor authentication (MFA). After infiltrating the network, they waited 18 days before initiating post-exploitation activities.

Hackers linked to a $14M Holograph crypto heist arrested in Italy

Two individuals suspected of orchestrating a $14 million cryptocurrency heist from blockchain tech firm Holograph have been apprehended in Italy.

Holograph, a Cayman Islands-based cryptocurrency exchange and Web3 platform, suffered a cyberattack on June 13, 2024, when malicious actors exploited a flaw in the platform's smart contract. The vulnerability allowed the hackers to mint 1 billion HLG, Holograph's proprietary token, and withdraw the amount across nine transactions. At the time of the heist, the stolen tokens were valued at $14 million.

A member of the Karakurt cybercrime group charged with data theft and extortion

The US has charged Russian national Deniss Zolotarjovs believed to be a member of the Karakurt cybercrime group with extortion, fraud, and money laundering. Operating under the alias ‘Sforza_cesarini,’ Zolotarjovs was linked to six extortion cases through cryptocurrency transactions, IP addresses, and internal gang chats. Arrested in Georgia in December 2023, he was extradited to the United States to face charges, becoming the first Karakurt member to be prosecuted. The Karakurt group has been previously linked by cybersecurity researchers to the Conti ransomware gang.

A hacker who faked his death to avoid paying child support receives prison sentence

Jesse Kipf, 39, was sentenced to 81 months in a US prison for computer fraud and aggravated identity theft. He accessed the Hawaii Death Registry System in January 2023, using a physician's credentials, to falsely register his own death, partly to evade child support obligations. Kipf also infiltrated other state death registries, private business networks, and governmental systems using stolen credentials, selling access to these networks on the dark web. He caused over $195,000 in damages. After serving 85% of his sentence, Kipf will be under US Probation Office supervision for three years.

A Russian man who laundered money for the Lazarus hackers arrested in Argentina

The Argentine Federal Police (PFA) have arrested a 29-year-old Russian national in Buenos Aires on charges of money laundering linked to the North Korean Lazarus Group's cryptocurrency heists. The suspect, identified as V.B., allegedly processed $100 million from Lazarus, including funds from the 2022 Harmony Horizon hack.

The authorities discovered a money laundering operation in V.B.'s apartment, where large sums were exchanged and transferred via cryptocurrency. Investigations revealed that V.B. purchased over 1.3 million USDT using Russian rubles and conducted over 2,400 transfers via Binance Pay, totaling 4.5 million USDT. Additionally, $15 million was seized from a related location. The operation also involved exchanging currencies through a Telegram bot.
