FlagThis

The US Department of Justice, with the FBI, conducted a multi-month operation to remove the PlugX malware from over 4,200 infected computers in the United States. PlugX is a remote access trojan (RAT) widely used by threat actors associated with the People’s Republic of China. This action targeted the command and control infrastructure used by these actors to compromise systems, disrupting their ability to maintain persistent access and conduct further malicious activities on affected networks. The operation underscores the US government’s proactive efforts in combating state-sponsored cyber espionage activities, aiming to neutralize threats before they can be further leveraged for malicious purposes.

North Korea’s Lazarus APT group is actively targeting software developers, especially those working in Web3 and cryptocurrency, through fake job postings on platforms like LinkedIn. The attackers lure developers into downloading malicious Git repositories that compromise their systems, which can then lead to supply chain attacks affecting downstream projects and enterprises. This campaign, known as Operation 99, showcases the evolving tactics of state-sponsored threat actors using social engineering to infiltrate software development ecosystems.

A zero-day vulnerability in Fortinet firewalls is being actively exploited by attackers. The flaw allows attackers to compromise systems with exposed interfaces. There is a mass exploitation campaign against Fortinet firewalls that peaked in December 2024. Fortinet has released a patch (CVE-2024-55591). It is suspected that the attackers may have been exploiting a zero-day vulnerability before the patch was released. Organizations using Fortinet firewalls are strongly advised to apply the patch as soon as possible.

A severe vulnerability in the W3 Total Cache plugin for WordPress has been identified, impacting over one million websites. This flaw enables attackers to gain unauthorized access to sensitive data, including metadata on cloud-based apps. The vulnerability, allowing subscriber-level access, poses a substantial risk to WordPress sites using the plugin, potentially exposing user data and compromising site security.

Hackers are utilizing the FastHTTP library in Go to perform high-speed brute-force password attacks against Microsoft 365 accounts globally. The attacks are characterized by generating a large volume of HTTP requests, focusing on Azure Active Directory endpoints. This technique demonstrates how high-performance libraries can be exploited to conduct rapid credential-based attacks.

A sophisticated botnet is exploiting misconfigured DNS records on approximately 13,000 MikroTik routers to bypass email protection systems and deliver malware through spam campaigns. This botnet operation leverages a simple DNS misconfiguration to send malicious emails that appear to come from legitimate domains, distributing trojan malware and other malicious content.

The Russian threat actor Star Blizzard has shifted its tactics, now targeting WhatsApp accounts via spear-phishing. The campaign involves messages that prompt victims to join a WhatsApp group, where their credentials can be harvested. This marks a departure from their previous methods, likely to evade detection. The primary targets are individuals involved in government, diplomacy, defense, and international relations, indicating an espionage-focused campaign. The use of social engineering via WhatsApp is a notable shift for this APT group.

A critical command injection vulnerability, CVE-2024-50603, in the Aviatrix Network Controller allows unauthenticated remote attackers to execute arbitrary code. This vulnerability, with a CVSS score of 10.0, stems from improper input handling within the Aviatrix Controller’s API. Exploitation could lead to full system compromise, data theft, and network breaches. There are hundreds of publicly exposed Aviatrix Controllers accessible via the Shodan search engine.

A newly discovered vulnerability, CVE-2024-7344, in the UEFI Secure Boot mechanism allows attackers to bypass Secure Boot protections and execute unsigned code during the boot process. This flaw, located in a signed UEFI application, enables the deployment of malicious UEFI bootkits, potentially impacting a wide range of UEFI-based systems. This highlights the need to fix and patch UEFI bootloaders urgently.

Multiple vulnerabilities have been discovered in rsync, a widely used file transfer program. Six vulnerabilities have been identified, including a critical remote code execution (RCE) vulnerability (CVE-2024-12084) that allows attackers with anonymous read access to an rsync server to execute arbitrary code on the machine. Other vulnerabilities include information leaks and symlink issues. Users are advised to upgrade to rsync version 3.4.0, released on January 14th, to patch these issues and ensure system security. This highlights the importance of timely patching and update process for critical network utilities.

The Russia-linked APT group UAC-0063 is conducting a cyber espionage campaign targeting Kazakhstan and other Central Asian countries to gather economic and political intelligence. They are using spear-phishing tactics with weaponized Microsoft Office documents to deploy the HATVIBE malware and CHERRYSPY. The group has connections to APT28 and Russian GRU cyber activities.

A confusion between two similar NPM commands, ‘npm add user’ and ‘npm adduser,’ has led to a significant number of developers inadvertently installing a benign ‘user’ package. This typo, exploited by the similarities in commands, highlights a potential supply chain risk. The package, currently benign, could be updated with malicious code, exposing developers who have made this common error.

A new ransomware campaign is exploiting Amazon Web Services’ (AWS) Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt S3 buckets. The attackers use encryption keys unknown to the victims and demand ransoms for the decryption keys. This attack abuses a legitimate AWS feature, creating a very difficult situation for its victims who cannot recover their data without the decryption key. The ransomware crew has been dubbed ‘Codefinger’.

Multiple critical vulnerabilities have been discovered in SimpleHelp remote support software. These flaws include unauthorized file access, privilege escalation, and remote code execution. These vulnerabilities are trivial to exploit, making them a serious risk for both SimpleHelp servers and the client machines that the software is used to manage. Patches are available, and users are advised to upgrade immediately.

A recent cyberattack on PowerSchool has resulted in the compromise of all historical student and teacher data. The breach has affected multiple US school districts, exposing highly sensitive personal information. The impacted data includes all student and teacher records stored within PowerSchool’s systems. This breach represents a significant risk to the privacy and security of student and teacher information.

Microsoft has analyzed CVE-2024-44243, a macOS vulnerability that allows attackers to bypass System Integrity Protection (SIP) by loading malicious kernel extensions. This can lead to the installation of rootkits, creation of persistent malware, and circumvention of Transparency, Consent, and Control (TCC) mechanisms, enabling further unauthorized operations on affected systems. The discovery of this vulnerability underscores the importance of robust security measures across all platforms and the potential impacts of vulnerabilities in kernel extensions. This research also highlights that Microsoft is actively involved in securing non-windows platforms.