30 August 2024

Cyber Security Week in Review: August 30, 2024


Google patches a Chrome zero-day flaw

Google has updated the security advisory it released last week to warn of active exploitation of CVE-2024-7965, an incorrect implementation issue in V8 in Google Chrome that a remote attacker could use to compromise a system. The vendor said that in-the-wild exploitation of CVE-2024-7965 was reported after the initial release on August 21, 2024, which addressed a Chrome type confusion zero-day flaw (CVE-2024-7971) along with a slew of other security issues.

SonicWall fixes a bug in its firewalls

SonicWall has released security updates to fix a vulnerability (CVE-2024-40766) in its firewalls that could allow unauthorized access if exploited. The flaw, caused by improper access control, affects SonicWall Firewall Gen 5, Gen 6, and certain Gen 7 devices running older versions of SonicOS. The issue has been resolved in the following versions: SOHO (Gen 5) at 5.9.2.14-13o, and Gen 6 at 6.5.2.8-2n and 6.5.4.15.116n. Although there is currently no evidence that the vulnerability has been exploited in the wild, users are advised to update their systems as soon as possible.

CISA warns of a high-severity Apache OFBiz vulnerability exploited in the wild

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in the Apache OFBiz open-source ERP system to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, identified as CVE-2024-38856, is an Improper Authorization issue caused by missing permission checks on specific endpoints. This flaw allows remote attackers to send specially crafted requests and execute arbitrary code.

Fortra patches a high-risk FileCatalyst Workflow bug

Fortra has resolved a high-risk vulnerability in FileCatalyst Workflow, identified as CVE-2024-6633, which could allow a remote attacker to gain administrative access. The flaw stems from the use of a static password to connect to an HSQL database. According to Fortra's advisory, the default credentials for the HSQL database were published in a vendor knowledge base article. If exploited, this vulnerability could compromise the confidentiality, integrity, or availability of the software.

An unpatched AVTECH IP camera flaw exploited to spread Mirai botnet

A critical vulnerability (CVE-2024-7029) in AVTECH IP cameras has been exploited by hackers to incorporate these devices into a botnet. The flaw, a command injection vulnerability in the brightness function, allows for remote code execution (RCE). Once exploited, the vulnerability enables attackers to inject and execute commands, spreading a Mirai variant with references to the COVID-19 virus, which has been active since at least 2020.

Russian hackers caught using commercial spyware to compromise victims

Russian state-sponsored hacking group APT29 has used exploits similar to those of commercial spyware vendors NSO Group and Intellexa in a series of sophisticated attacks. According to Google's Threat Analysis Group (TAG), APT29 targeted Mongolian government websites through watering hole attacks from November 2023 to July 2024. The hackers exploited vulnerabilities in Apple’s Safari (CVE-2023-41993) and Google Chrome (CVE-2024-5274 and CVE-2024-4671) on Android, using these to steal user account cookies and compromise devices. This marks the first known instance of a state-backed group using commercial spyware techniques in such a campaign.

In a separate report, Google-owned Mandiant detailed a counterintelligence operation by Iran-linked state-sponsored actors (possibly APT42) aimed at collecting data on Iranians and domestic threats who may be collaborating with intelligence and security agencies abroad, particularly in Israel.

Critical Atlassian Confluence bug exploited for crypto mining

Threat actors are exploiting a recently patched critical vulnerability in Atlassian Confluence Data Center and Confluence Server (CVE-2023-22527) to engage in illicit cryptocurrency mining. Their methods include deploying shell scripts and XMRig miners, targeting SSH endpoints, killing competing mining processes, and maintaining persistence through cron jobs.

China-linked Volt Typhoon hackers exploit Versa zero-day to breach ISPs and MSPs

The Chinese state-backed hacking group Volt Typhoon has been observed targeting a zero-day vulnerability in Versa Director, a critical management platform used by Internet Service Providers (ISPs) and Managed Service Providers (MSPs). The vulnerability, tracked as CVE-2024-39717, allowed the threat actors to deploy a custom web shell, enabling them to steal credentials and breach corporate networks.

The attacks have targeted at least four US-based victims and one non-US victim, all within the ISP, MSP, and IT sectors. The initial access was gained through exposed Versa management ports intended for high-availability (HA) pairing of Director nodes. Once inside, the attackers deployed the VersaMem web shell to maintain persistence and further infiltrate the networks.

South Korean cyber espionage group exploits zero-day in WPS Office to install SpyGlace backdoor

A South Korea-aligned cyberespionage group known as APT-C-60 has been actively exploiting a zero-day vulnerability in the Windows version of WPS Office to install the SpyGlace backdoor on systems in East Asia. The vulnerability, tracked as CVE-2024-7262, has been exploited since at least February 2024. It affects WPS Office versions from 12.2.0.13110 (released in August 2023) to 12.1.0.16412 (released in March 2024). Kingsoft issued a patch for this flaw in March 2024 but did so without notifying customers.

Iranian hackers target Biden and Trump administration staffers

Social media giant Meta Platforms said it has uncovered a cyber espionage campaign by an Iran-linked threat actor targeting the WhatsApp accounts of officials in both the Biden and Trump administrations. The group, identified as APT42, is believed to have also targeted the Democratic and Republican presidential campaigns in the past. The company said it has blocked a small number of accounts; however, it found no evidence that the targeted WhatsApp accounts were compromised.

A separate report from Microsoft details a new custom multi-stage backdoor dubbed ‘Tickler’ attributed to an Iranian state-sponsored threat actor known as Peach Sandstorm (also referred to as APT33, Elfin, Holmium, Magnallium, and Refined Kitten). The malware was used in cyberattacks targeting organizations in the United States and the United Arab Emirates.

A Vietnamese non-profit targeted in an APT32 cyberespionage campaign

A non-profit organization supporting Vietnamese human rights has been targeted by a multi-year cyber campaign, active for at least four years, attributed to the APT32 group (also known as OceanLotus), a Vietnam-aligned hacking group. Analysis of the campaign revealed that four hosts were compromised, with the attackers adding scheduled tasks and Windows Registry keys to deploy Cobalt Strike Beacons and loaders that execute embedded DLL payloads. These attacks facilitate the theft of Google Chrome cookies across all user profiles on the affected systems.

Threat Actors target the Middle East using fake Palo Alto GlobalProtect VPN tool

Threat actors are reportedly targeting users in the Middle East with sophisticated malware disguised as the Palo Alto GlobalProtect Tool. The malware follows a two-stage infection process and utilizes advanced command-and-control (C2) infrastructure. It is delivered through a setup.exe file and employs the Interactsh project for beaconing, communicating with specific hostnames to report infection progress and gather victim data. The malware is capable of executing remote PowerShell commands, downloading and exfiltrating files, encrypting communications, and bypassing sandbox defenses.

Hackers are targeting Chinese-speaking users with Cobalt Strike payloads

A sophisticated campaign, codenamed SLOW#TEMPEST, is targeting Chinese-speaking users. The operation involves phishing emails that deliver malicious ZIP files. When these files are extracted, they trigger an infection chain that installs Cobalt Strike payloads on Windows systems. The attack employs the post-exploitation toolkit to compromise and control the targeted systems.

Iranian hacker groups collaborate with ransomware actors to target the US

A joint advisory from US government agencies (the FBI, CISA, and DC3) has warned that the Iranian-linked hacking group Fox Kitten has been collaborating with various ransomware gangs to target US organizations from 2017 to August 2024. The campaign has affected a range of sectors, including schools, local governments, financial institutions, and healthcare facilities.

The group’s activities often involve breaching networks to facilitate ransomware attacks by other actors. In addition to ransomware, Fox Kitten is also involved in espionage activities supporting the Iranian government, such as stealing sensitive data from organizations in Israel and Azerbaijan.

Threat actors use AppDomainManager Injection to deploy CobaltStrike beacons

A new wave of cyber attacks utilizing a rare technique known as AppDomainManager Injection has been observed by the threat research team of Japanese telecom giant NTT since July 2024. AppDomainManager Injection was first publicly discussed in 2017, followed by some proof-of-concept (PoC) code and explanatory blogs. The technique leverages the .NET Framework's version redirection and the AppDomainManager class to inject malicious code, which is executed when the targeted application loads.
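A defender-side check for the technique described above, added here as an example that is not part of the original article or of NTT's report: it parses .NET application configuration files for the `<appDomainManagerAssembly>` and `<appDomainManagerType>` elements under `<runtime>`, which are the settings that redirect an application's AppDomainManager to another assembly. The allowlist, the sample configs and the assembly name "Loader" are constructed for the demo.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Hypothetical allowlist of managers an organisation knowingly ships (empty: report all).
KNOWN_MANAGERS = set()

def inspect_config(xml_text):
    """Return the AppDomainManager settings in one .NET config (dict), or None.
    Only <runtime> matters; a <startup>/<supportedRuntime> block alone is normal."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None  # unparseable file: out of scope for this check
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    assembly = asm.get("value", "").strip() if asm is not None else ""
    # Display names read "Simple, Version=..., Culture=..., PublicKeyToken=..."
    simple_name = assembly.split(",")[0].strip()
    return {
        "assembly": assembly,
        "type": typ.get("value", "").strip() if typ is not None else "",
        "allowlisted": simple_name in KNOWN_MANAGERS,
    }

def scan_directory(root):
    """Report every *.config under root (a Path) that names a non-allowlisted manager."""
    hits = []
    for path in Path(root).rglob("*.config"):
        found = inspect_config(path.read_text(encoding="utf-8", errors="replace"))
        if found and not found["allowlisted"]:
            hits.append((str(path), found))
    return hits

# Constructed sample configs for the demo (not taken from any real sample).
BENIGN_CONFIG = """<configuration>
  <startup><supportedRuntime version="v4.0"/></startup>
</configuration>"""
SUSPICIOUS_CONFIG = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Loader, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="Loader.Manager"/>
  </runtime>
</configuration>"""

if __name__ == "__main__": print(inspect_config(BENIGN_CONFIG), inspect_config(SUSPICIOUS_CONFIG))
```

Point `scan_directory` at an application's install folder to list every config that redirects the AppDomainManager; the same settings can also be supplied through environment variables, which this file-based check does not cover.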

NGate Android malware steals NFC data from victims’ payment cards

Researchers at ESET have uncovered a sophisticated crimeware campaign targeting customers of three major Czech banks. The malicious operation, which began in November 2023, employs a novel Android malware named “NGate,” designed to relay near field communication (NFC) data from victims' payment cards to attackers, enabling unauthorized ATM withdrawals.

US offers $2.5M reward for information on hacker linked to Angler exploit kit

The United States Department of State has announced a reward of up to $2.5 million for information leading to the arrest and conviction of Volodymyr Kadariya, a 38-year-old dual national of Belarus and Ukraine, who is accused of playing a central role in a major international hacking operation. The operation involved the creation and distribution of several notorious ransomware strains, including Reveton and Ransom Cartel, as well as the distribution of the Angler Exploit Kit, a tool used in "malvertising" campaigns.

IT engineer arrested for trying to extort $750,000 from his employer

Daniel Rhyne, a 57-year-old IT engineer from Kansas City, Missouri, has been charged with extortion, intentional damage to a protected computer, and wire fraud following an attempted data extortion scheme against his former employer, a US-based industrial company.

Rhyne allegedly sent an extortion email on November 25, 2023, threatening to shut down the company's servers and delete backups unless a ransom of 20 Bitcoin (about $750,000) was paid. The investigation revealed that Rhyne gained unauthorized access to the company’s network and manipulated its systems to execute his threats. He was arrested on August 27, 2024, and released after an initial court appearance. The charges carry significant potential penalties, including up to 20 years in prison and fines totaling $750,000.
