Multiple reports indicate that the state of Rhode Island experienced a significant cyberattack that has compromised the personal data of hundreds of thousands of residents. The data breach targeted the state’s online portal for social services, possibly exposing Social Security numbers and bank account details. Attackers have demanded a ransom, and the affected systems have been shut down, creating a potential crisis in public services.
The Winnti hacking group is using a new PHP backdoor called ‘Glutton’. This backdoor is being used in attacks targeting organizations in both China and the United States. Winnti is also targeting other cybercriminals, indicating a shift in its focus and tactics. The use of the Glutton backdoor is a concerning development, as it demonstrates the group’s ability to adapt and create new tools for its operations.
Over 300,000 Prometheus monitoring servers and exporters are exposed to various attacks, including information disclosure, denial-of-service (DoS), and potential remote code execution. These vulnerabilities stem from improper authentication and insecure configurations, allowing attackers to steal sensitive information such as credentials and API keys. The widespread exposure highlights the need for better security practices in Prometheus deployments and the critical nature of securing monitoring infrastructure.
Multiple critical vulnerabilities have been discovered in Apache Struts2 and Tomcat, including a path traversal vulnerability in Struts2 (CVE-2024-53677) that can lead to remote code execution, and two vulnerabilities in Apache Tomcat (CVE-2024-50379 and CVE-2024-54677) that can cause remote code execution and denial of service, respectively. These vulnerabilities stem from issues such as time-of-check to time-of-use (TOCTOU) race conditions during JSP compilation in Tomcat and the ability to upload files into restricted directories in Struts2, allowing attackers to potentially compromise affected systems. Users are urged to apply the available patches immediately.
The Pumakit Linux rootkit employs advanced stealth techniques to evade detection. It uses a staged deployment, activating only under specific conditions, such as secure boot checks. The rootkit embeds necessary files as ELF binaries within the dropper, enhancing its ability to persist and remain undetected. This sophisticated malware poses a severe risk to Linux systems, indicating a high level of development and a need for enhanced endpoint security solutions.
The SmokeLoader malware has been observed in a new campaign targeting Taiwanese companies across various sectors, including manufacturing, healthcare, and IT. Unlike previous campaigns where SmokeLoader acted as a downloader for other malware, this campaign directly executes the attack by downloading and executing malicious plugins from its C2 server. This approach enhances its capability and evasiveness. The malware utilizes social engineering techniques, such as personalized emails with generic content, to enhance its success rate.
DroidBot, a novel Android RAT, targets 77 banks, cryptocurrency exchanges, and national organizations. It combines VNC and overlay attacks with keylogging and UI monitoring. Campaigns have been detected in Europe and may be spreading to Latin America, highlighting the threat of advanced Android malware targeting financial institutions. DroidBot’s sophistication and wide reach make it a significant concern.
This cluster involves incidents related to the takedown of various criminal communication platforms. The MATRIX encrypted messaging service, used by criminals for illegal activities, was dismantled in an international operation involving French and Dutch authorities, supported by Eurojust and Europol. The criminals were monitored for months before the operation was conducted. This demonstrates the continued efforts to disrupt and counteract criminal activity online through international cooperation.
A critical vulnerability (CVE-2024-51378, CVSS score 10.0) affecting CyberPanel, an open-source web hosting control panel, has been actively exploited by attackers. In addition, multiple vulnerabilities impacting Zyxel firewalls (CVE-2024-11667), ProjectSend (CVE-2024-11680), and North Grid Proself (CVE-2023-45727) have also been added to CISA’s Known Exploited Vulnerabilities catalog due to active exploitation. These flaws enable various attacks, including authentication bypass, remote code execution, and data exfiltration, emphasizing the need for swift patching and proactive security measures across organizations using these products.
The Russian state-sponsored group Secret Blizzard has been found to have hijacked the infrastructure of other hacking groups for its operations, with a recent campaign targeting the Pakistan-based espionage cluster Storm-0156 (also known as SideCopy, Transparent Tribe, or APT36). Secret Blizzard’s actions involved installing backdoors, collecting intelligence, and compromising target devices in regions like South Asia and Ukraine. This sophisticated espionage operation highlights the increasing complexity of cyber threats and the ability of nation-state actors to leverage the resources of other groups for their malicious activities.
This cluster discusses the arrest of Mikhail Pavlovich Matveev, aka Wazawaka, a notorious ransomware programmer, in Russia. He is known for developing malware and having ties to various hacking groups. This arrest is significant due to his involvement in ransomware attacks. The severity of his crimes and the potential impact of his arrest on the ransomware ecosystem are still emerging.
A new cybersecurity advisory details tactics, techniques, and procedures (TTPs) used by the BianLian ransomware group, which is suspected of targeting critical infrastructure. BianLian’s methods include data exfiltration and extortion. The advisory underscores the growing threat of ransomware attacks targeting critical infrastructure and highlights the need for proactive security measures to mitigate the impact of such incidents.
Over 2,000 Palo Alto Networks devices were compromised in a large-scale attack exploiting vulnerabilities CVE-2024-0012 and CVE-2024-9474. Attackers bypassed authentication, escalated privileges, and deployed malware. The US and India were particularly impacted.
A Chinese commercial vessel, Yi Peng 3, is suspected of intentionally dragging its anchor across the Baltic seabed, severing two critical undersea telecommunications cables between Lithuania, Sweden, Finland, and Germany. Western officials believe that Russia likely orchestrated the incident as an act of sabotage against EU maritime infrastructure. The incident disrupted communications and raised concerns about the vulnerability of undersea cables. The Chinese ship’s actions, involving extended anchor dragging while its transponder was disabled, point to deliberate actions.
The BADBOX malware campaign has compromised over 30,000 Android devices in Germany, including digital photo frames, media players and possibly smartphones. The malware is pre-installed on the devices, exploiting outdated Android versions. The German Federal Office for Information Security (BSI) has taken action to disrupt the communications between infected devices and command-and-control servers. This campaign highlights the risks associated with insecure supply chains and pre-installed malware on IoT devices, and emphasizes the need for rigorous security checks and device updates to prevent similar incidents.
Romania’s election systems faced over 85,000 cyberattacks before and during the presidential election. Login credentials for election-related websites were stolen and posted on a Russian hacker forum, suggesting potential Russian involvement aimed at disrupting the democratic process. The attacks employed various techniques including SQL injection and XSS. Although there’s no definitive proof of direct Russian meddling, the scale and timing of the attacks raise serious concerns.
The Cybersecurity and Infrastructure Security Agency (CISA) issued alerts about multiple vulnerabilities being actively exploited in the wild, affecting popular software and hardware products such as Zyxel firewalls, CyberPanel, North Grid, and ProjectSend. These vulnerabilities pose significant security risks, allowing attackers to gain unauthorized access and control of affected systems. Organizations are strongly urged to apply the necessary security updates or mitigations immediately to prevent exploitation. The vulnerabilities include CVE-2024-51378 (CyberPanel), which has a CVSS score of 10.0. Specific details on each vulnerability and remediation steps can be found in the respective security advisories issued by CISA and the affected vendors.