Friday, June 21st, 2024

Cybersecurity Week in Review (21/06/24)

New Malware Targets Exposed Docker APIs for Cryptocurrency Mining

Cybersecurity researchers have uncovered a new malware campaign that targets publicly exposed Docker API endpoints with the aim of delivering cryptocurrency miners and other payloads.

Included among the tools deployed is a remote access tool capable of downloading and executing further malicious programs, as well as a utility that spreads the malware to other hosts over SSH.

Analysis of the campaign has uncovered tactical overlaps with a previous activity dubbed Spinning YARN, which was observed targeting misconfigured Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis services for cryptojacking purposes.
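The exposure this campaign scans for is a configuration problem, so a quick self-check is worth having. The following Python function is an added example (it is not part of the original article or of the researchers' report): it reads a Docker daemon.json and flags any TCP API listener that lacks client-certificate verification (tlsverify) or is bound to every interface. The keys it inspects (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are Docker's own; the two sample configurations are constructed for the example and the 2375/2376 ports follow Docker's plaintext/TLS convention.

```python
import json
from urllib.parse import urlsplit

# Bind addresses that mean "every interface" (None covers "tcp://:2375").
WILDCARD_HOSTS = {"0.0.0.0", "::", None}


def audit_docker_daemon(config_text: str) -> list[str]:
    """Return findings for a Docker daemon.json; an empty list means no
    exposed TCP API listener was found.

    ``hosts`` lists the daemon's listeners, ``tls`` turns on TLS for TCP
    listeners, and ``tlsverify`` additionally demands a client certificate
    signed by ``tlscacert``.  Without ``tlsverify`` a TCP listener accepts
    unauthenticated API calls, which is what cryptojacking campaigns hunt for.
    """
    cfg = json.loads(config_text)
    findings = []
    tls_on = bool(cfg.get("tls", False))
    verify_on = bool(cfg.get("tlsverify", False))

    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable over the network
        if not verify_on:
            what = ("TLS without client-certificate auth" if tls_on
                    else "plaintext, no authentication")
            findings.append(f"{host}: {what} (set tlsverify=true and tlscacert)")
        if parts.hostname in WILDCARD_HOSTS:
            findings.append(f"{host}: bound to all interfaces; bind to a "
                            "management address or firewall the port")

    if verify_on and not all(k in cfg for k in ("tlscacert", "tlscert", "tlskey")):
        findings.append("tlsverify is set but tlscacert/tlscert/tlskey are incomplete")
    return findings


# Constructed sample configurations (not taken from any real host).
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_docker_daemon(text) or ["no findings"])
```

Note that tls=true on its own only encrypts the channel; without tlsverify the daemon still executes any request it receives, so the check treats it as exposed. Even a correctly configured TLS listener is better kept off the public internet, since the API is equivalent to root on the host.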


Critical VMware Bugs Open Swaths of VMs to RCE, Data Theft

VMware sports more than 400,000 customers, including 100% of all Fortune 500 and Fortune Global 100 companies. Its technology supports more than 80% of virtualized workloads and a good chunk of business-critical applications.

Broadcom has released fixes for three vulnerabilities affecting VMware vCenter, two of which are of critical severity and allow remote code execution (RCE). vCenter is the centralized management console for VMware virtual environments: it is used to view and manage VMs, multiple ESXi hosts, and all dependent components from one place, which is also what makes it such a valuable target.

The disclosures come as virtual machines (VMs) continue to attract the notice of hackers, thanks to the rich repositories of sensitive data and applications they tend to house. Patching immediately is a good idea.


Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor

Legitimate-but-compromised websites are being used as a conduit to deliver a Windows backdoor dubbed BadSpace under the guise of fake browser updates. Details of the malware were first shared by researchers kevross33 and Gi7w0rm last month.

The chain starts with a compromised website, including sites built on WordPress, into which code is injected that checks whether the visitor has been to the site before and, based on that, decides whether to serve the fake browser-update lure. BadSpace itself performs anti-sandbox checks and establishes persistence through a scheduled task. It can harvest system information and process operator commands to take screenshots, run instructions through cmd.exe, read and write files, and delete its own scheduled task.


Critical Microsoft Outlook Zero-Click RCE Flaw Executes as Email is Opened

A critical zero-click remote code execution (RCE) vulnerability has been discovered in Microsoft Outlook.

The vulnerability, CVE-2024-30103, allows an attacker to run arbitrary code by sending a specially crafted email; the exploit fires when the recipient opens the message.

What makes it particularly alarming is its zero-click nature. Unlike conventional phishing, which needs the victim to click a link or open an attachment, this flaw requires no interaction beyond viewing the message.


Critical Trellix IPS Manager Flaw Allows Remote Code Execution

Trellix has patched a critical security vulnerability in its Intrusion Prevention System (IPS) Manager, tracked as CVE-2024-5671.

The flaw stems from insecure deserialization in certain workflows and can be exploited by unauthenticated remote attackers to execute arbitrary code, posing a severe risk to network security.

It carries a CVSSv3 score of 9.8, which corresponds to an attack that is reachable over the network, needs no privileges and no user interaction, and yields complete control of the affected system.

Because the IPS Manager administers the sensors and policy for the network it protects, a compromise could result in data theft, service disruption, and compromise of the entire network it manages.
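The bug class deserves a concrete look because it recurs across management consoles of every vendor. The following Python example is added here and is not Trellix code; Python's pickle stands in for whatever serializer the IPS Manager actually uses. It shows the pattern behind the advisory: a loader that trusts serialized bytes resolves and calls whatever function the payload names, while a hardened loader only resolves an allow-list of types. The payloads are constructed for the example, and the "exploit" calls os.getcwd() so that running it is harmless.

```python
import io
import pickle


class Gadget:
    """Constructed attacker object for the example: pickle stores it as an
    instruction to call ``func(*args)``, and the stock Unpickler obeys."""

    def __init__(self, func, args):
        self.func, self.args = func, args

    def __reduce__(self):
        return (self.func, self.args)


# Attacker-controlled bytes (constructed). eval(...) stands in for any code the
# attacker wants run; os.getcwd() is chosen so running this is harmless.
EXPLOIT_PAYLOAD = pickle.dumps(Gadget(eval, ("__import__('os').getcwd()",)))

# The kind of data the application legitimately expects to receive (constructed).
BENIGN_PAYLOAD = pickle.dumps({"policy": "block", "ports": [22, 443]})


def unsafe_loads(data: bytes):
    """Vulnerable pattern: hand untrusted bytes to the default loader.
    Any global the payload names (here builtins.eval) is resolved and called."""
    return pickle.loads(data)


# Globals a loader for this data format is allowed to resolve. Plain dicts,
# lists, strings and numbers need no global lookup at all, so for the benign
# payload this set could even be empty.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: refuses every class or function reference not on the allow-list."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo() -> dict:
    """Run both loaders against both payloads and report what happened."""
    results = {
        # True means the attacker-chosen call executed and returned its value.
        "unsafe_ran_attacker_code": isinstance(unsafe_loads(EXPLOIT_PAYLOAD), str),
        "safe_benign_value": safe_loads(BENIGN_PAYLOAD),
    }
    try:
        safe_loads(EXPLOIT_PAYLOAD)
        results["safe_blocked_exploit"] = False
    except pickle.UnpicklingError:
        results["safe_blocked_exploit"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The allow-list is the mitigation to reach for when the serializer cannot be replaced. The stronger fix is to stop deserializing untrusted input with any format that encodes class or function references at all, and to use a data-only format such as JSON with explicit validation on the trust boundary.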


Keytronic faces data breach by Black Basta ransomware group

Keytronic, a manufacturer of printed circuit board assemblies (PCBAs), has confirmed a data breach after the Black Basta ransomware group leaked 530GB of its data.

The American technology company, originally known for producing keyboards and mice, disclosed in an SEC filing that a cyberattack on May 6 disrupted its operations, limiting access to essential business applications.

In the late Friday SEC filing, Keytronic reported that the attack forced the shutdown of its domestic and Mexico operations for two weeks.


Hospitals cyber-attack impacts 800 operations

More than 800 planned operations and 700 outpatient appointments were rearranged in the first week after a cyber attack hit London hospitals, it has been revealed. The disruption was caused when hackers targeted pathology services provider Synnovis.

Two NHS trusts were affected the most – King’s College Hospital NHS Foundation Trust and Guy’s and St Thomas’ NHS Foundation Trust – NHS England said. According to NHS London, five planned C-sections were rescheduled and 18 organs were diverted for use by other trusts, while 736 hospital outpatient appointments and 125 community outpatient appointments had to be postponed.

NHS England London declared a regional incident and has been working to cover affected services by using neighbouring providers and national partners.


New Satanstealer Malware Steals Browser Cookies and Passwords

A new malware named “Satanstealer” has been identified, targeting browser cookies and passwords. The discovery was first reported by MonThreat, a prominent cybersecurity research group, via their official Twitter account.

Satanstealer typically arrives through phishing emails or malicious downloads. Once installed, it scans the browser's stored cookies and saved passwords. The session cookies are the more dangerous of the two: replaying a valid session cookie lets an attacker take over an already-authenticated session without knowing the password, and without repeating any multi-factor step the victim has already completed.

The stolen cookies and passwords are then transmitted to the attackers' servers, where they can be used for follow-on attacks or sold on the dark web.


AMD investigates breach after data for sale on hacking forum

AMD is investigating whether it suffered a cyberattack after a threat actor put allegedly stolen data up for sale on a hacking forum, claiming it contains AMD employee information, financial documents, and confidential information.

The threat actor, IntelBroker, shared screenshots of some of the supposedly stolen AMD credentials but has yet to disclose how much they are selling it for or how it was obtained.

“Today, I’m selling the data breach. Thanks for reading and enjoy!,” the threat actor says in a post on the hacking forum. The threat actor also said that the data includes an employee database that contains user IDs, first and last names, job functions, business phone numbers, email addresses, and employment status.


Alleged Scattered Spider sim-swapper arrested in Spain

A 22-year-old British national allegedly linked to the Scattered Spider hacking group, and allegedly responsible for attacks on 45 U.S. companies, has been arrested in Palma de Mallorca, Spain. He is suspected of leading a cybercrime gang that stole data and cryptocurrency from organizations and then extorted them under the threat of publishing the sensitive data.

According to investigators, the group stole $27 million worth of cryptocurrency using this scheme. The arrest followed an investigation that began with a tip from the FBI that the individual was in Spain.

After the FBI received an International Arrest Warrant (OID), the Spanish police arrested the cybercriminal on May 31, 2024, at the Palma airport, as he was about to leave for Naples, Italy.




    Copyright Smarttech247 - 2021