Midnight Blizzard Escalates Spear-Phishing Attacks On Over 100 Organizations

Russian hackers, known as Midnight Blizzard, launch targeted spear-phishing on U.S. officials, exploiting RDP files to gain access to data.

Security | TechRepublic

Cyble Sensors Detect New Attacks on LightSpeed, GutenKit WordPress Plugins

Cyble detects attacks on WordPress plugins, IoT, VNC

Overview

Cyble’s weekly sensor intelligence report for clients detailed new attacks on popular WordPress plugins, while IoT exploits continue to occur at very high rates.

Two 9.8-severity vulnerabilities in LiteSpeed Cache and GutenKit are under attack, as WordPress and other CMS and publishing systems remain attractive targets for threat actors.

Vulnerabilities in IoT devices and embedded systems continue to be targeted at alarming rates. In addition to older exploits, this week Cyble Vulnerability Intelligence researchers highlighted an older RDP vulnerability that may still be present in some OT networks. Given the difficulty of patching these systems, vulnerabilities may persist and require additional mitigations.

Vulnerabilities in PHP, Linux systems, and Java and Python frameworks also remain under attack.

Here are some of the details of the Oct. 23-29 sensor intelligence report sent to Cyble clients, which also looked at scam and brute-force campaigns. VNC (Virtual Network Computing) was a prominent target for brute-force attacks this week.

CVE-2024-44000: LiteSpeed Cache Broken Authentication

CVE-2024-44000 is an Insufficiently Protected Credentials vulnerability in LiteSpeed Cache that allows Authentication Bypass and could potentially lead to account takeover. The issue affects versions of the WordPress site performance and optimization plugin before 6.5.0.1.

An unauthenticated visitor could gain authenticated access as any logged-in user – potentially including an Administrator-level account. Patchstack notes that the vulnerability can only be exploited under one of the following conditions:

  • The debug log feature of the LiteSpeed Cache plugin is currently active.
  • The debug log feature was activated once before, is no longer active, and the /wp-content/debug.log file has not been purged or removed.

Despite those requirements, Cyble sensors are detecting active attacks against this WordPress plugin vulnerability.

CVE-2024-9234: GutenKit Arbitrary File Uploads

The GutenKit Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor plugin for WordPress is vulnerable to CVE-2024-9234 in all versions up to, and including, 2.1.0. Arbitrary file uploads are possible due to a missing capability check on the install_and_activate_plugin_from_external() function (the install-active-plugin REST API endpoint). The vulnerability makes it possible for unauthenticated attackers to install and activate arbitrary plugins, or to abuse the same functionality to upload arbitrary files disguised as plugins.

As malicious WordPress plugins are becoming an increasingly common threat, admins are advised to take security measures seriously.

IoT Device and Embedded Systems Attacks Remain High

IoT device attacks first detailed two weeks ago continue at a very high rate, as Cyble honeypot sensors in the past week detected 361,000 attacks on CVE-2020-11899, a medium-severity Out-of-bounds Read vulnerability in the Treck TCP/IP stack before 6.0.1.66, in attempts to gain administrator privileges.

Also of concern for OT environments are attacks on four vulnerabilities in the Wind River VxWorks real-time operating system (RTOS) for embedded systems in versions before VxWorks 7 SR620: CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263. Cyble sensors routinely detect 3,000 to 4,000 attacks a week on these vulnerabilities, which can be present in a number of older Siemens devices.

New to the report this week are several hundred attacks on CVE-2019-0708, a 9.8-severity remote code execution vulnerability in Remote Desktop Services found in several older Siemens devices.

Linux, Java, and Other Attacks Persist

A number of other recent exploits observed by Cyble remain active:

Attacks against Linux systems and QNAP and Cisco devices detailed in our Oct. 7 report remain active.

Previously reported vulnerabilities in PHP, GeoServer, and Python and Spring Java frameworks also remain under active attack by threat actors.

Phishing Scams Detected by Cyble

Cyble sensors detect thousands of phishing scams a week, and this week identified 385 new phishing email addresses. Below is a table listing the email subject lines and deceptive email addresses used in four prominent scam campaigns.

| E-mail Subject | Scammer's Email ID | Scam Type | Description |
|---|---|---|---|
| VERIFICATION AND APPROVAL OF YOUR PAYMENT FILE | infohh@aol.com | Claim Scam | Fake refund against claims |
| Online Lottery Draw Reference Claim Code | annitajjoseph@gmail.com | Lottery/Prize Scam | Fake prize winnings to extort money or information |
| RE: Great News | cyndycornwell@gmail.com | Investment Scam | Unrealistic investment offers to steal funds or data |
| Re: Consignment Box | don.nkru3@gmail.com | Shipping Scam | Unclaimed shipment trick to demand fees or details |

Brute-Force Attacks Target VNC

Of the thousands of brute-force attacks detected by Cyble sensors in the most recent reporting period, Virtual Network Computing (VNC, port 5900) servers were among the top targets of threat actors. Here are the top 5 attacker countries and ports targeted:

  • Attacks originating from the United States were aimed at ports 5900 (30%), 22 (28%), 445 (25%), 3389 (14%) and 80 (3%).
  • Attacks originating from Russia targeted ports 5900 (88%), 1433 (7%), 3306 (3%), 22 (2%) and 445 (1%).
  • The Netherlands, Greece, and Bulgaria primarily targeted ports 3389, 1433, 5900, and 443.

Security analysts are advised to add blocks on their security systems for the most attacked ports (typically 22, 3389, 443, 445, 5900, 1433, 1080, and 3306).

Recommendations and Mitigations

Cyble researchers recommend the following security controls:

  • Blocking target hashes, URLs, and email info on security systems (Cyble clients received a separate IoC list).
  • Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
  • Continuously check for attackers’ ASNs and IPs.
  • Block brute-force attack IPs and the targeted ports listed.
  • Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.
  • For servers, set up strong passwords that are difficult to guess.

Conclusion

With active threats against multiple critical systems highlighted, companies need to remain vigilant and responsive. WordPress and VNC installations and IoT devices were some of the bigger attack targets this week and are worth additional attention by security teams. The high volume of brute-force attacks and phishing campaigns demonstrates the general vulnerability crisis faced by organizations.

To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive, layered security approach is key to protecting against exploitation and data breaches.

The post Cyble Sensors Detect New Attacks on LightSpeed, GutenKit WordPress Plugins appeared first on Cyble.

Blog – Cyble

Shopping scam sprawled across thousands of websites, bilked ‘tens of millions of dollars’

The crooks hacked legitimate shopping websites and redirected people to fake online shops that sold, but never shipped, hard-to-find items.

The Record from Recorded Future News

New Xiū gǒu Phishing Kit Hits UK, US, Japan, Australia Across Key Sectors

Cybersecurity researchers uncovered the “Xiū gǒu” phishing kit targeting users in the UK, US, Spain, Australia, and Japan.…

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News

NVIDIA shader out-of-bounds and eleven LevelOne router vulnerabilities

Cisco Talos’ Vulnerability Research team recently discovered five Nvidia out-of-bounds access vulnerabilities in shader processing, as well as eleven LevelOne router vulnerabilities spanning a range of possible exploits.

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org. Our latest Vulnerability Advisories are always posted on Talos Intelligence’s website.

NVIDIA Graphics remote out-of-bounds execution vulnerabilities

Discovered by Piotr Bania.

NVIDIA Graphics drivers are the software for an NVIDIA GPU installed in a PC. They handle communication between the operating system and the GPU device, and in most cases the hardware cannot function properly without them.

Talos discovered multiple out-of-bounds read vulnerabilities in NVIDIA shader processing that could be triggered remotely in virtualized environments via a web browser, potentially leading to disclosure of sensitive information and further memory corruption. Researchers used RemoteFX; although Microsoft recently deprecated it, some older machines may still use this software.

Advisories related to these vulnerabilities:
TALOS-2024-1955 (CVE-2024-0121)
TALOS-2024-2012 (CVE-2024-0117)
TALOS-2024-2013 (CVE-2024-0118)
TALOS-2024-2014 (CVE-2024-0120)
TALOS-2024-2015 (CVE-2024-0119)

LevelOne wireless SOHO router vulnerabilities

Discovered by Patrick DeSantis and Francesco Benvenuto.

Eleven vulnerabilities of different types were discovered in the LevelOne WBR-6012 SOHO router.

The LevelOne WBR-6012 is a low-cost wireless SOHO router, marketed as an easy-to-configure and operate internet gateway for homes and small offices.

Talos discovered these vulnerabilities in the R0.30e6 version of the router:

TALOS-2024-1979 (CVE-2024-28875, CVE-2024-31151): Hard-coded credentials exist in the web service, allowing attackers to gain unauthorized access during the first 30 seconds after boot. Combined with other vulnerabilities that force a reboot, this time restriction on exploitation can be greatly reduced. An undocumented user account with hard-coded credentials also exists.

TALOS-2024-1981 (CVE-2024-24777): A cross-site request forgery vulnerability exists in the web application, and a specially crafted HTTP request can lead to unauthorized access. An attacker can stage a malicious web page to trigger this vulnerability.

TALOS-2024-1982 (CVE-2024-31152): An improper resource allocation vulnerability exists within the web application. A series of HTTP requests can cause a reboot, which could lead to network service interruptions and access to a backdoor account.

TALOS-2024-1983 (CVE-2024-32946): A cleartext transmission vulnerability exists, and sensitive information is transmitted via FTP and HTTP services, exposing it to network sniffing attacks.

TALOS-2024-1984 (CVE-2024-33699): A weak authentication vulnerability exists in the web application firmware, which allows attackers to change the administrator password to gain higher privileges without knowing the current administrator password.

TALOS-2024-1985 (CVE-2024-33603): An information disclosure in the web application allows unauthenticated users to access an undocumented verbose system log page and obtain sensitive data, such as memory addresses and IP addresses for login attempts. This flaw could lead to session hijacking due to the device’s reliance on IP addresses for authentication.

TALOS-2024-1986 (CVE-2024-33626): A web application information disclosure vulnerability can reveal sensitive information, such as the Wi-Fi WPS PIN, through a hidden page accessible by an HTTP request. Disclosure of this information could enable attackers to connect to the device’s Wi-Fi network.

TALOS-2024-1996 (CVE-2024-23309): An authentication bypass vulnerability results from the web application’s reliance on client IP addresses for authentication. Attackers can spoof an IP address to gain unauthorized access without a session token.

TALOS-2024-1997 (CVE-2024-28052): A buffer overflow vulnerability can be caused by specially crafted HTTP POST requests with URIs containing 1,454 or more characters, not starting with “upn” or “upg”.

TALOS-2024-1998 (CVE-2024-33700): An improper input validation within the FTP functionality can enable attackers to cause denial of service through a series of malformed FTP commands.

TALOS-2024-2001 (CVE-2024-33623): A denial-of-service vulnerability, triggered by multiple types of specially crafted HTTP POST requests, will cause the router to crash.

Cisco Talos Blog

Backdoor in coding test on GitHub | Kaspersky official blog

Software developers tend to be advanced computer users at the very least, so you could assume they’d be more likely to spot and thwart a cyberattack. However, experience shows that no one is fully immune to social engineering — all it takes is the right approach. For IT professionals, such an approach might involve the offer of a well-paid job at a high-profile company. Chasing a dream job can make even seasoned developers lower their guard and act like kids downloading pirated games. And the real target (or rather, victim) of the attack might be their current employer.

Recently, a new scheme has emerged in which hackers infect developers’ computers with a backdoored script disguised as a coding test. This isn’t an isolated incident, but just the latest iteration of a well-established tactic. Hackers have been using fake job offers to target IT specialists for years — and in some cases with staggering success.

You might think that the consequences should remain the particular individual’s problem. However, in today’s world, it’s highly likely that the developer uses the same computer for both their main work and the coding test for the new role. As a result, not only personal but also corporate data may be at risk.

Fake job posting, crypto game, and a $540 million heist

One of the most notorious cases of fake job ads used for malicious purposes was witnessed in 2022. Hackers managed to contact (likely through LinkedIn) a senior engineer at Sky Mavis, the company behind the crypto game Axie Infinity, and offer him a high-paying position.

Enticed by the offer, the employee diligently went through several stages of the interview set up by the hackers. Naturally, it all culminated in a “job offer”, sent as a PDF file.

The document was infected. When the Sky Mavis employee downloaded and opened it, spyware infiltrated the company’s network. After scanning the company’s infrastructure, the hackers managed to obtain the private keys of five validators on Axie Infinity’s internal blockchain — Ronin. With these keys they gained complete control over the cryptocurrency assets stored in the company’s wallets.

This resulted in one of the largest crypto heists of the century. The hackers managed to steal 173,600 ETH and 25,500,000 USDC, which was worth approximately $540 million at the time of the heist.

More fake job postings, more malware

In 2023, several large-scale campaigns were uncovered in which fake job offers were used to infect developers, media employees, and even cybersecurity specialists (!) with spyware.

One attack scenario goes like this: someone posing as a recruiter from a major tech company contacts the target through LinkedIn. After some back-and-forth, the target receives an “exciting job opportunity”.

However, to land the job, they must demonstrate their coding skills by completing a test. The test arrives in executables within ISO files downloaded from a provided link. Running these executables infects the victim’s computer with the NickelLoader malware, which then installs one of two backdoors: either miniBlindingCan or LightlessCan.

In another scenario, attackers posing as recruiters initiate contact with the victim on LinkedIn, but then smoothly transition the conversation to WhatsApp. Eventually they send a Microsoft Word file with the job description. As you might guess, this file contains a malicious macro that installs the PlankWalk backdoor on the victim’s computer.

Yet another variation of the attack targeting Linux users featured a malicious archive titled “HSBC job offer.pdf.zip”. Inside the archive was an executable file disguised as a PDF document. Interestingly, in this case, to mask the file’s true extension, the attackers used an exotic symbol: the so-called one dot leader (U+2024). This symbol looks like a regular period to the human eye but is read as a completely different character by the computer.

Once opened, this executable displays a fake PDF job description while, in the background, launching the OdicLoader malware, which installs the SimplexTea backdoor on the victim’s computer.

Fake coding test with a Trojan on GitHub

A recently discovered variation of the fake job attack starts similarly. Attackers contact an employee of the target company pretending to be recruiters seeking developers.

When it comes to the interview, the victim is asked to complete a coding test. However, unlike the previous variations, instead of sending the file directly, the criminals direct the developer to a GitHub repository where it is stored. The file itself is a ZIP archive containing a seemingly innocuous Node.js project.

However, one component of this project contains an unusually long string, specially formatted to be overlooked when scrolling quickly. This string holds the hidden danger: heavily obfuscated code that forms the first stage of the attack.

When the victim runs the malicious project, this code downloads, unpacks, and executes the code for the next stage. This next stage is a Python file without an extension and with a leading dot in its filename, which signals to the OS that the file is hidden. This script launches the next step in the attack — another Python script containing the backdoor code.

Thus, the victim’s computer ends up with malware that can maintain continuous communication with the command-and-control server, execute file system commands to locate and steal sensitive information, download additional malware, steal clipboard data, log keystrokes, and send the collected data to the attackers.

As with the other variations of this scheme, the hackers count on the victim using their work computer to complete the “interview” and run the “test”. This allows the hackers to access the infrastructure of the target company. Their subsequent actions can vary, as history shows: from trojanizing software developed by the victim’s company to direct theft of funds from the organization’s accounts, as seen in the Sky Mavis case mentioned at the beginning of this article.
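A defender-side triage script, added here as an example and not taken from the Kaspersky post, that checks a downloaded "coding test" project for the tricks described in this section and in the earlier HSBC example: a filename whose apparent extension is faked with a Unicode look-alike for "." (such as U+2024 ONE DOT LEADER), a hidden dotfile with no extension, and a single abnormally long source line where obfuscated loader code is typically parked. The look-alike set, the 500-character threshold, the dotfile allowlist and the sample tree are assumptions; nothing in the tree is executed.

```python
"""Static triage of an untrusted project tree; constructed sample at the bottom."""
import os
import tempfile
import unicodedata

# Assumed set of code points that render like '.' but are not U+002E.
DOT_LOOKALIKES = {"\u2024", "\u2025", "\u2026", "\uff0e", "\u00b7"}
# Assumed allowlist of common dotfiles that legitimately carry no extension.
KNOWN_DOTFILES = {".gitignore", ".env", ".npmrc", ".nvmrc", ".babelrc", ".editorconfig"}
LONG_LINE_THRESHOLD = 500  # assumed: hand-written source lines are far shorter


def suspicious_name(name):
    """Return a reason if the filename uses a dot look-alike or is an unknown
    hidden dotfile without an extension; otherwise return None."""
    for ch in name:
        if ch in DOT_LOOKALIKES:
            return f"dot look-alike {unicodedata.name(ch)} (U+{ord(ch):04X}) in name"
    if name.startswith(".") and "." not in name[1:] and name not in KNOWN_DOTFILES:
        return "hidden dotfile without extension"
    return None


def long_lines(path, threshold=LONG_LINE_THRESHOLD):
    """Return (line_number, length) for every line longer than threshold."""
    hits = []
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        for num, line in enumerate(fh, 1):
            length = len(line.rstrip("\n"))
            if length > threshold:
                hits.append((num, length))
    return hits


def triage(root, skip_dirs=("node_modules", ".git")):
    """Walk the tree and return sorted (relative_path, finding) pairs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            reason = suspicious_name(name)
            if reason:
                findings.append((rel, reason))
            for num, length in long_lines(full):
                findings.append((rel, f"line {num} is {length} chars long"))
    return sorted(findings)


def build_sample_project():
    """Constructed sample: a benign Node.js project plus three harmless decoys."""
    root = tempfile.mkdtemp(prefix="codingtest_")
    files = {
        "package.json": '{"name": "demo", "main": "index.js"}\n',
        "index.js": "const cfg = require('./config');\nconsole.log(cfg);\n",
        "config.js": "module.exports = {};\n//" + "A" * 600 + "\n",  # long filler line
        "HSBC job offer\u2024pdf": "placeholder, not an executable\n",  # U+2024 trick
        ".next_stage": "# constructed stand-in for a hidden next-stage file\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for path, finding in triage(build_sample_project()):
        print(f"{path}: {finding}")
```

Treat hits as prompts for manual review rather than verdicts; the threshold and allowlist will need tuning per project.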

How to protect yourself

As we noted above, there’s currently no bulletproof defense against social engineering. Virtually anyone can be vulnerable if the attacker finds the right approach. However, you can make the task significantly more challenging for attackers:

Kaspersky official blog

How To Create a Complete GitHub Backup

The issue of GitHub data protection is increasingly discussed among developers on platforms like Reddit, X, and HackerNews.…

Hackread – Latest Cybersecurity, Tech, Crypto & Hacking News

Sophos Used Custom Implants to Surveil Chinese Hackers Targeting Firewall Zero-Days

British EDR vendor Sophos details a years-long “cat-and-mouse” tussle with sophisticated Chinese government-backed hackers.

The post Sophos Used Custom Implants to Surveil Chinese Hackers Targeting Firewall Zero-Days appeared first on SecurityWeek.

SecurityWeek

China Says Seabed Sentinels Are Spying, After Trump Taps

On the heels of a Chinese APT eavesdropping on phone calls made by Trump and Harris campaign staffers, Beijing says foreign nations have mounted an extensive seafaring espionage effort.

darkreading

Noma arrives to provide security from data storage to deployment for enterprise AI solutions

Noma’s platform is designed to safeguard every stage of AI model development and operation, incorporating security tools.

Security News | VentureBeat