hacking news

VIEH Daily Threat Analysis, 29 | November 2024

Hackers are rewriting the rules of game development with malicious intent. By embedding the GodLoader malware into assets of the popular Godot game engine, attackers have compromised over 17,000 systems globally. Disguised within GitHub repositories, the malware steals credentials, installs crypto miners, and targets developers and gamers alike.

WhatsApp’s trust is being turned against its users. The PixPirate malware, which began in Brazil, now spans countries like India, Italy, and Mexico. Spreading through social engineering on YouTube and malicious WhatsApp messages, it manipulates contacts, creates spam groups, and exploits its victims’ trust in the messaging platform.

Unpatched software remains an open door for cybercriminals. A critical authentication bypass flaw in ProjectSend is enabling attackers to upload webshells and remotely access servers. Despite the availability of a patch since May 2023, most instances remain vulnerable, highlighting the importance of timely updates.

Top Malware Reported in the Last 24 Hours

Hackers abuse Godot to deploy GodLoader
Hackers utilized the GodLoader malware, taking advantage of the popular Godot game engine to infect over 17,000 systems across multiple platforms. By exploiting the engine’s flexibility and GDScript capabilities, they embedded harmful scripts in game asset files to execute malicious code. The malware enables theft of credentials and the download of additional payloads, including a crypto miner. The attackers utilized the Stargazers Ghost Network to distribute the malware through seemingly legitimate GitHub repositories, targeting developers and gamers.

APT-C-60 targets Japan with SpyGlace
South Korea-linked cyber-espionage group APT-C-60 conducted a cyberattack on an organization in Japan using a job application theme to deliver the SpyGlace backdoor. The attack employed legitimate services like Google Drive, Bitbucket, and StatCounter. A phishing email disguised as a job application was sent to the organization’s recruiting contact, which led to malware infection. The attack involved an RCE vulnerability in WPS Office, which initiated the infection chain through a file hosted on Google Drive. SpyGlace allowed the attackers to steal files and execute commands by connecting to a C2 server.

PixPirate resurfaces, spreads via WhatsApp
The PixPirate malware, originally targeting financial services in Brazil, has evolved to spread through WhatsApp and now affects countries like India, Italy, and Mexico. It uses social engineering tactics on YouTube to trick users into installing it and then spreads through malicious WhatsApp messages. The malware hides itself on devices and exploits WhatsApp’s trust-based system to send and delete messages, manipulate contacts, and create spam groups.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft re-releases Exchange updates
Microsoft re-released the November 2024 security updates for Exchange Server after initially pulling them due to email delivery issues caused by custom mail flow rules. The re-released update, called Nov 2024 SUv2, resolves the mail delivery problems and provides more granular control over email headers. Admins are advised to install the re-released update and run the Exchange Health Checker script after installation. The update also adds detection and warnings for a high-severity Exchange Server vulnerability (CVE-2024-49040).

ProjectSend flaw under exploit
Threat actors are actively exploiting a critical authentication bypass flaw (CVE-2024-11680) in ProjectSend, allowing them to upload webshells and gain remote access to servers. Despite a patch being available since May 16, 2023, the majority of ProjectSend instances (99%) remain vulnerable. Public exploits released in September 2024 have led to an increase in exploitation, with attackers altering system settings, enabling user registrations, and deploying webshells. It’s crucial for users to upgrade to ProjectSend version r1750 to mitigate the widespread attacks.

Top Scams Reported in the Last 24 Hours

“You’re Fired!” Beware of this new scam
A new phishing campaign deceives people into thinking they have lost their jobs. It starts with an email that looks like a legal notice of termination. Cloudflare observed this attack targeting 14 customers, indicating a single actor behind it. One email subject, “Action Required: Tribunal Proceedings Against You,” threatens legal action and prompts users to click a link to download malware. This attack mainly targets Windows users, downloading harmful software, including a banking trojan named Ponteiro that steals credentials.

Credit: Check Point, The Hacker News, Security Intelligence, BleepingComputer, The Register, Cyware


VIEH Daily threat analysis | 28 October 2024

Threat actors are refining their methods, transforming even the most familiar apps and games into dangerous tools of deception. The latest version of Qilin ransomware now boasts stronger encryption, advanced evasion techniques, and the power to block data recovery efforts. Meanwhile, WrnRAT is hiding in plain sight, masquerading as popular gambling games, giving attackers full control over infected systems to steal data and disrupt processes. In other news, the White House released a memo to advance safe AI development for national security interests. Read on for more.

01 Halcyon researchers discovered a new version of the Qilin ransomware, named Qilin.B, with enhanced encryption, improved evasion tactics, and the ability to disrupt data recovery methods.

02 The WrnRAT malware is being distributed disguised as gambling games like Badugi, Go-Stop, and Texas Hold’em. The malware controls infected systems to steal information, capture user screens, and terminate processes.

03 Aqua Security discovered a critical vulnerability in the AWS Cloud Development Kit that could result in a full account takeover. The exploit involves creating a bucket with a predictable name, a technique known as ‘S3 bucket namesquatting’ or ‘bucket sniping’.

04 The White House released a National Security Memorandum (NSM) focused on advancing safe, secure, and trustworthy AI development for US national security interests. It includes steps to track and counter adversaries’ development and use of AI.

05 Siemens issued a security advisory for its InterMesh wireless alarm reporting system, highlighting multiple vulnerabilities, including CVE-2024-47901, CVE-2024-47902, CVE-2024-47903, and CVE-2024-47904.

06 The U.K. government introduced a new Data Use and Access Bill, aiming to reform the country’s data privacy regime and potentially boost the economy by £10 billion over the next decade.

07 NVIDIA released a security bulletin concerning vulnerabilities in its GPU Display Driver for Windows and Linux that attackers could exploit for code execution, privilege escalation, and DoS attacks.

08 CISA added a high-severity deserialization vulnerability in Microsoft SharePoint, tracked as CVE-2024-38094, to its Known Exploited Vulnerabilities (KEV) Catalog.

09 Rome-based cybersecurity awareness training platform Cyber Guru raised $25 million in Series B funding led by Riverside Acceleration Capital, with participation from Educapital, Adara Ventures, and P101 Ventures.

10 Managed cybersecurity service provider RKON Technologies announced its acquisition of Bridge Security Advisors, a solution provider focused on cloud security, governance, risk and compliance (GRC), and identity and access management.

Post Credit: Halcyon, AhnLab, Aqua Security, The Record, Siemens, custhelp, Dark Reading, EU-Startups, CRN, Cyware


VIEH Daily threat analysis | 14 August 2024

In a disconcerting twist of events, CERT-UA has sounded the alarm on a phishing campaign that unleashed the ANONVNC malware and compromised over 100 government computers. The ransomware landscape is growing ever more treacherous with the emergence of DeathGrip, a newly minted RaaS that lures aspiring cybercriminals with sophisticated ransomware capabilities. A troubling set of security vulnerabilities in Google’s Quick Share has come to light, exposing users to the QuickShell attack chain that could enable hackers to take complete control of devices and do more harm.

Top Malware Reported in the Last 24 Hours

Phishing campaign targets Ukraine
CERT-UA warned of a new phishing campaign impersonating the Security Service of Ukraine to distribute malware called ANONVNC, which allows for unauthorized access to infected computers. More than 100 computers, including those belonging to government bodies, have been infected since July 2024. The agency also noted an increase in campaigns distributing the PicassoLoader malware to deploy Cobalt Strike Beacon, attributed to a threat actor tracked as UAC-0057.

DeathGrip: New RaaS emerges
A new Ransomware-as-a-Service (RaaS) called DeathGrip has appeared in the ransomware landscape. It is being promoted on underground forums and offers aspiring threat actors sophisticated ransomware tools. The emergence of DeathGrip ransomware highlights the evolving threat landscape, emphasizing the importance of robust cybersecurity measures to safeguard against ransomware attacks.

The scream of Banshee Stealer
A new cyber threat called Banshee Stealer targets macOS systems, posing a significant risk to users. This malicious software can extract sensitive information like passwords from Keychain, system data, and browser details. It also targets cryptocurrency wallets and plugins, making it a comprehensive tool for cybercriminals.

Top Vulnerabilities Reported in the Last 24 Hours

Google patches critical flaw
Security researchers discovered critical vulnerabilities in Google’s Quick Share, leading to remote code execution and the potential for attackers to gain full system control. The vulnerabilities could have allowed attackers to force file downloads, hijack Wi-Fi connections, and ultimately gain full system control through a series of exploits known as the QuickShell attack chain. Google has acknowledged the severity of the issue and deployed fixes for the reported vulnerabilities.

Patch this FreeBSD bug!
The FreeBSD Project has released urgent security updates to fix a high-severity flaw in OpenSSH (CVE-2024-7589), which could allow remote attackers to execute arbitrary code with elevated privileges. The flaw stems from a race condition in the privileged sshd context, caused by calling functions that are not async-signal-safe. Users are urged to upgrade to a supported FreeBSD stable version and restart sshd to mitigate the issue.

Top Scams Reported in the Last 24 Hours

BEC scam targets Orion SA
Orion SA, a Luxembourg-based chemicals and manufacturing company, disclosed in a filing with the U.S. SEC that it fell victim to a criminal wire fraud scheme, potentially losing around $60 million. The incident, believed to be a BEC scheme, involved fraudulent wire transfers to accounts controlled by unknown parties. Orion is working with law enforcement to recover the funds and has not found evidence of further fraudulent activity or unauthorized access to its systems.

Post Credit: The Hacker News, Broadcom, Cybersecurity News, SafeBreach, Security Affairs, The Register, Cyware


VIEH Daily threat Analysis | 10 August 2024

The cyber espionage group Earth Baku has significantly broadened its operational reach, moving from the Indo-Pacific into Europe, the Middle East, and Africa. The threat group has been deploying advanced tools like the Godzilla webshell, StealthVector, StealthReacher, and a new backdoor. Kimsuky makes the headlines again as it has been found targeting university professors with phishing emails. The goal is to capture login credentials and redirect victims to decoy PDF documents hosted on Google Drive. Meanwhile, Cisco has issued a critical warning concerning five remote code execution vulnerabilities in the web-based management interface of its now end-of-life Small Business SPA 300 and SPA 500 series IP phones.

Top Malware Reported in the Last 24 Hours

Earth Baku expands operations
Earth Baku, linked to APT41, has expanded its operations from the Indo-Pacific to Europe, the Middle East, and Africa. Countries like Italy, Germany, the UAE, and Qatar are targeted, with suspected activity in Georgia and Romania. The attackers use IIS servers as entry points, deploying advanced tools like the Godzilla webshell, StealthVector, StealthReacher, and SneakCross. The latest backdoor, SneakCross, utilizes Google services for command-and-control. Post-exploitation, Earth Baku uses tools like iox, Rakshasa, Tailscale, and MEGAcmd for persistence and data exfiltration.

Google Authenticator phishing site
Cyble discovered a phishing website posing as Google Safety Centre, distributing two types of malware: Latrodectus and ACR Stealer. ACR Stealer uses a Dead Drop Resolver to hide its command-and-control server details within legitimate platforms, while Latrodectus shows signs of continuous development. The phishing site tricks users into downloading a file disguised as Google Authenticator, which installs the malicious software.

Kimsuky targets university professors
The North Korean APT group Kimsuky has been found phishing university professors, staff, and researchers. The group uses DMARC exploitation to conceal its social engineering and employs a webshell called Green Dinosaur to facilitate its attacks. Green Dinosaur allows remote operators to upload, download, and delete files, enabling the creation of phishing websites disguised as legitimate university portals. These phishing pages target specific universities like Dongduk, Korea, and Yonsei, capturing credentials and redirecting victims to decoy PDFs hosted on Google Drive.

Top Vulnerabilities Reported in the Last 24 Hours

Sonos smart speakers bug allows eavesdropping
NCC Group disclosed vulnerabilities in Sonos smart speakers, including a flaw that could allow attackers to eavesdrop on users. One of the vulnerabilities, CVE-2023-50809, could be exploited by attackers in Wi-Fi range for remote code execution. Sonos has released patches for the issue, which was caused by a wireless driver failing to validate information during a WPA2 four-way handshake. Additionally, NCC researchers found flaws in the Sonos Era-100 secure boot implementation, allowing for persistent code execution with elevated privileges.

Cisco warns of RCE 0-days
Cisco has issued a warning about five critical remote code execution vulnerabilities in the web-based management interface of the Small Business SPA 300 and SPA 500 series IP phones, which have reached their end of life. The vulnerabilities allow attackers to execute arbitrary commands and cause denial of service. Cisco has not provided fixes or mitigation tips, so users are urged to transition to newer and supported models. The flaws are tracked as CVE-2024-20450, CVE-2024-20452, CVE-2024-20454, CVE-2024-20451, and CVE-2024-20453.

Post Credit: Trend Micro, Cyble, cyberressilience, SecurityWeek, BleepingComputer, Cyware


VIEH Daily threat Analysis | 08 August 2024

In the shadowy world of cyber espionage, a new player has emerged: GoGra, a Go-based backdoor that stealthily infiltrated a South Asian media organization. The malware wielded the Microsoft Graph API as its weapon of choice for command-and-control operations. Mozilla and Google have fortified their defenses, releasing critical browser updates to patch vulnerabilities that could otherwise serve as gateways for malicious exploits. While Chrome received patches for six bugs, Firefox got patches for 14. Researchers uncovered a vulnerability in Microsoft 365 which could leave users dangerously exposed to phishing attacks. This flaw allows hackers to invisibly cloak the ‘First Contact Safety Tip’ in Outlook, which alerts users to emails from unknown senders, by manipulating CSS in HTML emails.

Top Malware Reported in the Last 24 Hours

New GoGra targets media organization
A new Go-based backdoor called GoGra targeted a South Asian media organization, using the Microsoft Graph API for command-and-control. The backdoor executes commands via cmd.exe and sends the encrypted results back through the same Outlook account. It is linked to a nation-state hacking group known as Harvester. Once inside, GoGra is designed to read messages from an Outlook user account, indicating a focus on cyber espionage.

Chameleon masquerades as CRM app
The Chameleon Android banking trojan has been targeting users in Canada by posing as a CRM app. The campaign expanded its victimology footprint to Canada and Europe, mirroring previous attacks in Australia, Italy, Poland, and the U.K. The trojan uses CRM-related themes to target customers in the hospitality sector and B2C employees. It bypasses Google’s Restricted Settings to deploy its payload, which can conduct on-device fraud and transfer funds illegally. By masquerading as a CRM tool, Chameleon aims to access corporate banking and poses a significant risk to organizations.

New ransomware strain spotted
A new ransomware strain called Zola was discovered and found to be a rebranding of the existing Proton family. The attackers used common hacking tools like Mimikatz and ProcessHacker to escalate privileges, gain access rights, and hinder recovery efforts. The Zola ransomware payload was around 1MB in size and created a mutex to prevent concurrent execution. It also checked for administrative rights and had a kill switch to terminate the process if a Persian keyboard layout was detected.

Top Vulnerabilities Reported in the Last 24 Hours

Chrome and Firefox released updates
Mozilla and Google released updates for their web browsers to fix multiple vulnerabilities. Google’s Chrome version 127.0.6533.99 addresses six vulnerabilities, including a critical out-of-bounds memory access issue. Mozilla’s Firefox version 129 patches 14 vulnerabilities, with 11 rated as high severity. The patched vulnerabilities in both web browsers could be exploited for various malicious activities, such as spoofing, arbitrary code execution, and obtaining sensitive information.

Microsoft 365 bug found
Researchers found a way to bypass a key anti-phishing feature in Microsoft 365, increasing the risk of users falling for malicious emails. The flaw allows attackers to hide the ‘First Contact Safety Tip’ in Outlook, which alerts users about emails from unfamiliar senders. By manipulating the CSS in HTML emails, hackers can make the safety message invisible to recipients. In addition, they can also spoof security icons in encrypted emails to appear more legitimate.

Kibana bug patch released
Kibana has a security flaw (CVE-2024-37287) allowing arbitrary code execution via prototype pollution. This affects self-managed Kibana installations on a host OS, Kibana Docker instances, Elastic Cloud, Elastic Cloud Enterprise, and Elastic Cloud on Kubernetes. In Kibana Docker instances the impact is contained within the container and can be prevented by seccomp-bpf. Affected versions include Kibana 8.x prior to 8.14.2 and Kibana 7.x prior to 7.17.23.

Post Credit: Symantec Enterprise, ThreatFabric, Acronis, SecurityWeek, BleepingComputer, Elastic, Cyware
