The weekly cybersecurity newsletter is an essential intelligence briefing for the security community.
It covers new strains of malware, advanced phishing techniques, software vulnerabilities, and emerging defense strategies, among other topics.
It also reports on new regulations and industry trends, which helps readers stay ahead of these risks and threats.
Taken together, this information helps readers maintain a proactive stance, with briefs that keep them engaged as cyberspace evolves at a rapid pace.
Cyber Attack
Authorities Arrested DDoS Attack Service Provider
Authorities have arrested several people involved in a series of DDoS (Distributed Denial of Service) attacks directed at different online services.
Concerted action by law enforcement agencies has led to the custody of suspects thought to be behind major disruptions to internet services.
These attacks flooded specific sites with huge volumes of traffic, making them unreachable.
The operation illustrates the ongoing fight against cybercrime and how important cooperation between agencies is for tackling these threats. The arrests will discourage other attackers and improve the safety of online infrastructure.
Researchers have discovered a new type of malware known as a swap file skimmer. This malware monitors the browser’s swap file in order to steal payment card data, because the file can still hold sensitive information even after a user clears the cache or closes the browser.
The infection on the affected site remains undetected because the swap file skimmer operates stealthily and does not change the website’s code.
According to the report, the malware is distributed through compromised themes or plugins, which underlines the importance of keeping e-commerce platforms and their components up to date and secure.
It also means that website owners must employ strong security measures, such as regularly checking their systems for suspicious behavior, if they intend to keep customers’ data safe.
69% of API Services Were Susceptible to DoS Attacks
The “State of GraphQL Security 2024” report identified a number of serious security flaws in GraphQL APIs, finding that 69% of the APIs assessed are susceptible to Denial of Service (DoS) attacks.
An assessment of about 13,720 issues across various GraphQL services found that high-severity vulnerabilities accounted for 33%, and that many services failed to satisfy the most important security requirements.
The key flaws are unbounded resource consumption, security misconfiguration, and exposed secrets.
The report highlights the need for stronger security measures, including robust access control, input validation, rate limiting, and schema whitelisting, to mitigate these risks as GraphQL adoption is expected to grow significantly.
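The unbounded resource consumption the report lists usually comes from queries that nest selections many levels deep or that request the same expensive field under dozens of aliases in a single request. The following is an added example, not code from the report or from any GraphQL vendor, of a small pre-execution check a gateway could run: it tokenizes the query text, computes the deepest selection-set nesting and the number of field selections (aliases counted separately), and rejects requests over a limit. The limits, the query samples and the function names are all assumptions for this example; fragment spreads are counted where they appear rather than expanded.

```python
import re

# Per-request limits a gateway might enforce. The numbers are assumptions for this
# example, not figures taken from the State of GraphQL Security report.
MAX_DEPTH = 6
MAX_FIELDS = 100

# String literals and comments are matched first so they can be discarded; otherwise
# a "{" inside an argument string would be mistaken for a selection set.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|#[^\n]*|\.\.\.|[_A-Za-z][_0-9A-Za-z]*|[{}():@]')


def _strip_arguments(tokens):
    """Drop everything inside ( ... ): argument lists, input objects and variable definitions."""
    out, paren = [], 0
    for t in tokens:
        if t == "(":
            paren += 1
        elif t == ")":
            paren -= 1
        elif paren == 0:
            out.append(t)
    return out


def analyze_query(query):
    """Return (max_depth, field_count) for a GraphQL document.

    max_depth is the deepest selection-set nesting. field_count is the number of
    field selections, with every alias counted separately, because alias batching
    (the same expensive field requested under many aliases in one request) is a
    classic way to exhaust a GraphQL server. Fragment spreads are not expanded.
    """
    tokens = [t for t in _TOKEN.findall(query) if t[0] not in '"#']
    tokens = _strip_arguments(tokens)
    depth = max_depth = fields = 0
    prev = pprev = None
    for t in tokens:
        if t == "{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif t == "}":
            depth -= 1
        elif t == ":":
            fields -= 1  # the name just counted was an alias; the real field follows
        elif t not in ("...", "@") and depth > 0:
            # skip directive names (@include), fragment spreads (...Frag) and "... on Type"
            if prev not in ("@", "...") and not (prev == "on" and pprev == "..."):
                fields += 1
        pprev, prev = prev, t
    return max_depth, fields


def check_query(query, max_depth=MAX_DEPTH, max_fields=MAX_FIELDS):
    """Return None if the query is within limits, otherwise a rejection reason."""
    depth, fields = analyze_query(query)
    if depth > max_depth:
        return f"query depth {depth} exceeds limit {max_depth}"
    if fields > max_fields:
        return f"query selects {fields} fields, limit is {max_fields}"
    return None


# Constructed sample queries (not from the report).
NORMAL = """
query Profile($id: ID!) {
  user(id: $id) { name posts(first: 10) { title author { name } } }
}
"""
NESTED = "{ user { friends { friends { friends { friends { friends { friends { name } } } } } } } }"
ALIASED = "{ " + " ".join(f'q{i}: search(term: "x") {{ id }}' for i in range(120)) + " }"

if __name__ == "__main__":
    for name, q in (("normal", NORMAL), ("nested", NESTED), ("aliased", ALIASED)):
        print(name, analyze_query(q), check_query(q) or "accepted")
```

A check like this belongs in front of the resolver layer, where a rejected query costs almost nothing; it complements, rather than replaces, per-client rate limiting and resolver-level cost accounting.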
Telegram Zero-Day Vulnerability
ESET researchers have uncovered “EvilVideo,” a major zero-day vulnerability in the Telegram messaging app for Android.
The exploit lets attackers send malicious content disguised as harmless video files through Telegram channels, groups, and chats.
The vulnerability affects Telegram versions 10.14.4 and older and makes it possible for malicious apps to be installed when users try to play these disguised videos.
On July 11th, 2024, ESET informed Telegram about this problem, and a patch was made available in version 10.14.5.
Researchers urged users to promptly update their apps and also recommended handling media from unknown sources carefully.
According to recent reports, attackers are abusing Cloudflare WARP for their own ends, taking advantage of the anonymity it provides to target vulnerable internet-facing systems.
Cloudflare WARP is a free VPN that optimizes user traffic; it has been used in campaigns such as SSWW, which mainly focuses on cryptojacking exposed Docker instances.
By routing their activity through WARP, the attackers can run commands inside compromised containers while hiding their real IP addresses.
The attacks appear to originate from Cloudflare’s data center in Zagreb, Croatia, but the command-and-control servers are hosted elsewhere.
Researchers urged administrators to configure their firewalls properly and keep services such as SSH up to date to reduce the risks of this attack method.
Pentagon IT Service Provider Hacked
Leidos Holdings Inc., a major IT services provider to the US government, has suffered a significant cybersecurity breach.
The leak of internal documents has heightened concerns about the safety of sensitive public data managed by third-party vendors.
The company receives most of its revenue from contracts with the United States Government, 87% in this fiscal year.
The documents were apparently taken in the 2022 breach of Diligent Corp., on whose platform one of Leidos’ systems is based.
There have been no official reports on exactly what the leaked documents contained or their nature; however, the incident points to weaknesses in how enterprises that handle sensitive government information secure their systems.
Researchers at Check Point Technologies have found a well-developed malware distribution platform on GitHub, named the Stargazers Ghost Network and run by the Stargazer Goblin threat actor.
It has been in operation since at least June 2023 and involves more than 3,000 “ghost” accounts that make malicious repositories seem legitimate by starring and forking them.
Some of these repositories host phishing links as well as malware such as the Atlantida stealer, which targets user credentials and cryptocurrency wallets.
The network has allegedly made around $100,000 through tactics such as manipulating the platform’s community tools and automated engagement.
It also highlights the evolving risks on legitimate platforms and the need for stronger measures to curb this kind of advanced attack.
Hackers Allegedly Leaked CrowdStrike’s Threat Actor Database
USDoD, a hacktivist group, has claimed responsibility for leaking CrowdStrike’s entire threat actor database, which supposedly contains over 250 million data points, including adversary aliases, activity status, and nationalities.
The claim was posted on a cybercrime forum on July 24, 2024, along with a download link and sample data as supporting evidence.
CrowdStrike, however, says the claim should be treated with caution, since these records are widely available to various users, and it stresses its commitment to sharing threat intelligence.
If genuine, the leak could jeopardize ongoing investigations and help criminals prepare future activities by giving them insight into how to avoid detection.
Moreover, USDoD has fabricated stories in the past, which undermines its credibility in light of earlier claims that industry insiders disproved.
Hackers Abuse Microsoft Office Forms
This report focuses on two-step phishing attacks, which combine conventional phishing with additional steps to deceive victims.
Such attacks usually involve creating false websites and using social engineering tricks to persuade users to give up their sensitive data.
The report highlights the importance of awareness and education in recognizing these threats as attackers become increasingly sophisticated.
It adds that organizations should build strong defenses, such as multi-factor authentication, to counter these new forms of phishing.
The report also cautions individuals that phishing is becoming more complex and that they should remain careful about their cybersecurity practices.
Vulnerabilities
Critical Vulnerabilities Discovered In AC Charging Controller
The report covers the Pwn2Own car hacking competition, which brought out critical flaws in an AC charging controller used for electric vehicles.
These flaws could allow attackers to execute code remotely, endangering vehicle safety and security.
The contest also highlighted the need to address automotive cybersecurity, especially as more electric cars reach the road.
The report calls on manufacturers to pay more attention to security measures to avoid such hacks in the future.
Critical Flaws In Traffic Light Controller
The Intelight X-1 traffic light controller had a critical vulnerability that attackers could use to gain control over traffic signals by bypassing authentication.
An attacker who skips the login prompt can make any modification they choose, such as extending signal timing on certain days, uploading their own configuration, or putting an intersection into 4-way flash mode.
It has been assigned CVE-2024-38944 and is linked to an SNMP vulnerability through which the controller’s MIBs could be read and switched into write mode without authentication.
The researcher also hinted that the technique could be used to compromise digital signs, although this has not been verified.
Cisco has disclosed a critical flaw in its Small Business VPN routers that may let remote attackers execute arbitrary code and take control of affected devices.
The vulnerability, tracked as CVE-2023-20025, has a severity score of 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) scale. It affects Cisco RV160, RV160W, RV260, RV260P, and RV260W VPN routers running firmware versions before 1.0.03.26.
Cisco has released firmware updates to fix the vulnerability and advises users to upgrade their devices promptly to reduce the risk.
The bug highlights an important lesson for all network device owners: keep your devices updated with the latest security patches to prevent potential attacks.
The Okta Browser Plugin, used by millions of people across different browsers, has a Cross-Site Scripting (XSS) vulnerability, identified as CVE-2024-0981, with a severity rating of 7.1 (High).
The bug lets an attacker run arbitrary JavaScript code when users save new credentials.
It affects versions 6.5.0 through 6.31.0, except for Workforce Identity Cloud users who do not use Okta Personal.
Okta has released version 6.32.0 to fix the vulnerability and recommends that all users upgrade to it to minimize the associated risks.
Google Chrome 127 Released With Fix
Google’s new Chrome 127 release fixes several security vulnerabilities that could crash the browser.
Notably, the update resolves 24 security issues, with significant help from independent researchers who were paid for identifying the flaws.
Major patches include use-after-free vulnerabilities in Downloads, Loader, Dawn, and Tabs, an out-of-bounds memory access in ANGLE, and a heap buffer overflow in Layout.
Chrome users are strongly advised to upgrade to receive these important security fixes, along with stability and performance improvements, to protect against potential attacks.
A critical vulnerability in Docker Engine, CVE-2024-41110, lets an attacker bypass authentication and gain unauthorized access.
It affects various Docker Engine versions that use authorization (AuthZ) plugins and carries a CVSS score of 10, the maximum.
The vulnerability stems from a regression in the authorization plugin system that can be exploited with specially crafted API requests.
Docker has released patches and asks users to update Docker and their AuthZ plugins; those who cannot do so immediately may disable the plugins temporarily.
The incident clearly shows that container environments need regular security updates to prevent such vulnerabilities.
GitLab Patched XSS Vulnerability
GitLab, the popular web-based Git repository manager, recently patched a critical cross-site scripting (XSS) vulnerability that would have allowed attackers to execute arbitrary code on the GitLab server.
Security researcher Evan Custodio discovered the vulnerability in GitLab versions 14.9.0 to 14.9.5, and it was assigned CVE-2022-2884.
The GitLab team fixed the issue in versions 14.9.6 and 15.0.1, so users are advised to upgrade their GitLab instances to the most recent version to keep their systems secure.
Progress Telerik Report Server Flaw
This report focuses on a critical vulnerability in Progress Telerik Report Server, CVE-2023-27350, that allows remote code execution.
The root cause is improper input validation on server-side report requests.
Attackers can use the flaw to write and execute arbitrary code on affected systems, raising the possibility of sensitive information leaks.
Progress Software has addressed the problem, and users are advised to update their systems immediately.
The report is a reminder that addressing such security flaws is essential for system safety, and organizations should re-evaluate their security measures to prevent misuse.
SN_BLACKMETA, a hacktivist group, set a record by launching the largest ever recorded distributed denial of service (DDoS) attack against a Middle Eastern financial institution, an attack that lasted six days.
The attack consisted of 10 waves with an average rate of 4.5 million malicious requests per second and a peak of 14.7 million.
Radware’s Web DDoS Protection Services mitigated it effectively, blocking more than 1.25 trillion malicious requests.
The institution was targeted by SN_BLACKMETA, which is also engaged in cyber warfare in support of Palestinian rights and has condemned actions it regards as directed against Islam.
The attack illustrates the increasing sophistication and persistence of cyber threat actors, highlighting the need for strong cybersecurity measures to protect against such advanced attacks.
Threats
Patchwork Hackers Upgraded Their Arsenal with Advanced PGoShell
The Advanced Threat Intelligence Team at Knownsec 404 has uncovered a new attack vector by the Patchwork group, targeting Bhutan with an advanced Go backdoor and the Brute Ratel C4 red team tool. This APT group, active since 2014, has significantly updated its arsenal to include sophisticated tools like PGoShell and deceptive LNK files. The malware now features remote shell, screen capture, and payload execution, using RC4 encryption and base64 encoding for data obfuscation. This evolution highlights the increasing complexity of cyber threats from Patchwork.
Read more: Patchwork Hackers Upgraded Their Arsenal
Konfety Hackers Hosted 250 Apps on Google’s Play Store to Push Malicious Ads
Researchers have identified a new ad fraud scheme named Konfety, which involves over 250 decoy apps on the Google Play Store and their malicious “evil twin” counterparts. These evil twins commit ad fraud, install extensions, monitor web searches, and inject code. The scheme generates up to 10 billion fraudulent ad requests daily, leveraging malvertising campaigns and URL shortener services to spread malware. The complexity of this scheme underscores the need for heightened vigilance in app security.
Read more: Konfety Hackers Hosted 250 Apps
Google Researchers Uncover APT41’s Advanced Tools
Google’s Threat Analysis Group has revealed new insights into APT41, a prolific Chinese cyber espionage group. APT41 has been utilizing advanced tools and techniques to conduct cyber operations targeting various sectors worldwide. The group is known for its sophisticated malware and strategic use of zero-day vulnerabilities, emphasizing the persistent and evolving nature of state-sponsored cyber threats.
Read more: Google Researchers Uncover APT41’s Advanced Tools
Patchwork Hackers Employ Advanced PGoShell in Bhutan Attacks
Patchwork hackers have been found using an advanced Go-based backdoor named PGoShell in their latest attacks targeting Bhutan. This malware includes features such as remote shell, screen capture, and payload execution, and uses RC4 encryption and base64 encoding for data obfuscation. The use of Brute Ratel C4 red team tool further complicates detection and mitigation efforts, highlighting the evolving tactics of cyber adversaries.
Read more: Patchwork Hackers Advanced PGoShell
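Both Patchwork items above describe PGoShell protecting its data with RC4 encryption followed by base64 encoding. When an analyst has recovered the key from a sample, undoing that layering is routine; the block below is an added example written for this newsletter, not code from Knownsec 404 or from the malware, showing the decode path, a plausibility check for trying candidate keys, and a round trip on a constructed message. The key, the sample message and the function names are all assumptions; the report does not publish a key.

```python
import base64

# Placeholder key for the constructed sample; a real key would come from analysis
# of the sample, not from the report, which does not publish one.
SAMPLE_KEY = b"placeholder-key-not-from-report"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling plus keystream generation). The same call both
    encrypts and decrypts, since the keystream is simply XORed onto the data."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encode_blob(key: bytes, plaintext: bytes) -> str:
    """RC4 then base64, the layering the write-ups describe. Used here only to build a sample."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def decode_blob(key: bytes, blob: str) -> bytes:
    """Reverse the layering: strict base64 decode, then RC4 with the recovered key."""
    return rc4(key, base64.b64decode(blob, validate=True))


def looks_plausible(data: bytes) -> bool:
    """Cheap sanity check when trying candidate keys: the right key yields mostly
    printable text, a wrong one yields bytes that look uniformly random."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) > 0.95


def try_keys(blob: str, candidates):
    """Return the first candidate key whose output passes the plausibility check, or None."""
    for key in candidates:
        try:
            if looks_plausible(decode_blob(key, blob)):
                return key
        except ValueError:  # malformed base64 or empty key: skip this candidate
            continue
    return None


# Constructed beacon-style message, not captured traffic.
SAMPLE_PLAINTEXT = b'{"host":"lab-vm-01","task":"screenshot","status":"ok"}'
SAMPLE_BLOB = encode_blob(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("blob:", SAMPLE_BLOB)
    print("decoded:", decode_blob(SAMPLE_KEY, SAMPLE_BLOB))
    print("key found:", try_keys(SAMPLE_BLOB, [b"wrong-key", SAMPLE_KEY]))
```

Because RC4 has no integrity protection, a wrong key never raises an error; it just produces noise, which is why a plausibility check on the output is the practical way to confirm a candidate key.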
Play Ransomware Targets ESXi Servers
A new ransomware variant named Play has been targeting ESXi servers, posing significant risks to virtualized environments. This ransomware encrypts virtual machine files, demanding substantial ransoms for decryption keys. The attacks underscore the importance of robust security measures and regular backups to mitigate the impact of ransomware on critical infrastructure.
Read more: Play Ransomware Targets ESXi Servers
Beware of Braodo Stealer: A New Threat for Login Theft
The Braodo Stealer is a newly identified threat designed to steal login credentials from unsuspecting users. This malware spreads through malicious emails and compromised websites, capturing sensitive information and sending it back to the attackers. Users are advised to exercise caution and implement strong security practices to protect their login information.
Read more: Beware of Braodo Stealer
Russian Malware Cuts Off Heaters in 600 Apartments
Cybersecurity researchers at Dragos have identified a new Russian malware named FrostyGoop that targets industrial control systems (ICS). This sophisticated malware exploits Modbus TCP communications to directly impact Operational Technology (OT), marking a significant advancement in ICS-targeted cyberattacks.
Read more: Russian Malware Cuts Off Heaters
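Modbus TCP, which the FrostyGoop item above says the malware uses to affect OT directly, has no authentication, so a write command is accepted from whichever host sends it. A common defensive control is to watch the protocol on the network and alert on write function codes coming from anything other than the designated HMI or engineering workstation. The block below is an added example for this newsletter, not code from Dragos or from any product: it parses the Modbus/TCP MBAP header, flags writes from hosts outside an allowlist, and also reports malformed frames. The addresses, frames and allowlist are constructed.

```python
import struct

# MBAP header: transaction id, protocol id (0 = Modbus), length, unit id
MBAP = struct.Struct(">HHHB")

WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


def build_frame(tid, unit, func, data=b""):
    """Assemble a Modbus/TCP frame; used here only to construct sample traffic."""
    pdu = bytes([func]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu  # length covers unit id + PDU


def parse_modbus_tcp(frame):
    """Parse one Modbus/TCP frame; raises ValueError on anything malformed."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(frame)}")
    return {"transaction_id": tid, "unit_id": unit, "function": frame[7], "data": frame[8:]}


def flag_writes(packets, allowed_writers):
    """packets: iterable of (src_ip, dst_ip, payload). Returns alert tuples for write
    function codes from hosts other than the designated writers (HMI / engineering
    workstation), plus malformed frames, which also deserve a look on an OT network."""
    alerts = []
    for src, dst, payload in packets:
        try:
            msg = parse_modbus_tcp(payload)
        except ValueError as exc:
            alerts.append((src, dst, f"malformed frame: {exc}"))
            continue
        func = msg["function"]
        if func in WRITE_FUNCTIONS and src not in allowed_writers:
            detail = (f"{WRITE_FUNCTIONS[func]} (FC {func}) to unit {msg['unit_id']} "
                      f"from host not on write allowlist")
            if func == 6 and len(msg["data"]) >= 4:
                addr, value = struct.unpack(">HH", msg["data"][:4])
                detail += f", register {addr} := {value}"
            alerts.append((src, dst, detail))
    return alerts


# Constructed sample traffic: an HMI at 10.0.0.5 talking to a PLC at 10.0.0.20.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.20", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),   # HMI reads 10 holding registers
    ("10.0.0.5", "10.0.0.20", build_frame(2, 1, 6, struct.pack(">HH", 40, 55))),  # HMI writes a setpoint
    ("10.0.0.99", "10.0.0.20", build_frame(3, 1, 6, struct.pack(">HH", 40, 0))),  # unexpected host writes same register
    ("10.0.0.99", "10.0.0.20", b"\x00\x04\x00\x00\x00\x02\x01"),                   # truncated frame
]
ALLOWED_WRITERS = {"10.0.0.5"}

if __name__ == "__main__":
    for src, dst, reason in flag_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print(f"ALERT {src} -> {dst}: {reason}")
```

The allowlist is the important part: a read from an unknown host may be reconnaissance, but a write from one is a direct attempt to change process state, which is exactly the behaviour the item describes.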
Data Breach
ERP Provider Exposes 769 Million Records
A significant data breach involving ClickBalance, one of Mexico’s largest Enterprise Resource Planning (ERP) technology providers, has been uncovered by cybersecurity researcher Jeremiah Fowler. This breach exposed a staggering 769,333,246 records, totaling 395 GB of data, in a non-password-protected database. For more details, read the full story here.
Other News
Microsoft Offers New Recovery Tool for CrowdStrike Issue
Microsoft has released an updated recovery tool to assist customers affected by the recent CrowdStrike Falcon agent issue, which impacted millions of Windows devices globally. The tool provides two repair options: Recover from WinPE and Recover from Safe Mode. IT administrators can use this tool to create a bootable USB drive for system recovery. Microsoft has also deployed hundreds of engineers and collaborated with major cloud providers to support affected customers. For more details, visit the full article here.
Hacker’s Price List for Hijacking Server & WhatsApp Exposed
A shocking revelation has come to light in a lawsuit involving Israeli-Canadian businessman Ofer Baazov. Recordings obtained by the plaintiffs expose a hacker’s price list for illegal activities, including hacking phones and servers. The hacker, who cooperated with the plaintiffs, detailed his methods and pricing, such as 70,000 euros for hacking two individuals. This case highlights the dark side of litigation where illegal means are employed to gain an upper hand. Read the full story here.
Cellebrite Tool Cracks Trump’s Shooter’s Samsung Device in 40 Minutes
In a recent demonstration of its capabilities, Cellebrite’s tool successfully cracked the Samsung device of a shooter in just 40 minutes. This showcases the tool’s efficiency in accessing data from encrypted devices, which can be crucial for law enforcement investigations. For more information, check out the article here.
CrowdStrike Filed a FORM 8-K to Clarify Friday’s Update Event
CrowdStrike has filed a FORM 8-K to clarify details regarding the incident that affected millions of Windows systems worldwide. The document aims to provide transparency and address concerns about the impact and response measures taken by the company. To learn more, read the full article here.
KnowBe4 Hired Fake North Korean IT Worker, Caught While Installing Malware
In a surprising turn of events, KnowBe4 discovered that they had hired a fake North Korean IT worker who was caught installing malware. This incident underscores the importance of thorough background checks and monitoring of employees, especially in the cybersecurity sector. For the complete story, visit the article here.
CrowdStrike Details Incident Affecting Millions of Windows Systems Worldwide
CrowdStrike has provided detailed information about the incident that impacted millions of Windows systems. The company has been working closely with Microsoft and other stakeholders to address the issue and ensure such incidents do not recur. For a comprehensive overview, read the full details here.