08-Oct-24: In Security News Today

Zero-Day Alert: Three Critical Ivanti CSA Vulnerabilities Actively Exploited

Ivanti has disclosed active exploitation of three critical vulnerabilities (CVE-2024-9379, CVE-2024-9380, CVE-2024-9381) in its Cloud Service Appliance (CSA), which allow authenticated attackers to execute arbitrary SQL commands, bypass restrictions, or obtain remote code execution. These flaws are being exploited alongside a previously patched path traversal vulnerability (CVE-2024-8963), enabling remote unauthorized access to restricted functions. Ivanti urges immediate patching and system reviews for potential compromise, particularly for customers running outdated versions (4.6 or earlier) of CSA.

Gamers Tricked Into Downloading Lua-Based Malware Via Fake Cheating Script Engines

Cybercriminals are exploiting the popularity of Lua-based game cheating script engines to distribute malware, targeting users searching for cheats through fake websites. This Lua-based malware uses obfuscated scripts to avoid detection, establishes persistence, and communicates with a command-and-control server to deliver additional payloads like RedLine Stealer. The malware campaign, spreading across multiple regions, highlights the growing trend of infostealers and crypto-miners distributed through compromised GitHub repositories and social platforms.

American Water Hit By Cyber-Attack, Billing Systems Disrupted

American Water, the largest water utility in the US, has suffered a cyber-attack, disrupting its billing systems but not affecting water and wastewater operations. The company quickly isolated systems and is investigating the breach with law enforcement, though details on the type of attack remain undisclosed. The incident highlights growing cybersecurity concerns in critical infrastructure, with experts emphasizing the need for better funding and protection of identity management systems against increasingly sophisticated threats.

European Govt Air-Gapped Systems Breached Using Custom Malware

The APT group GoldenJackal successfully breached air-gapped government systems in Europe, using custom malware spread via USB drives to steal sensitive data like encryption keys, emails, and documents. They employed two toolsets, with the older attacks involving malware called GoldenDealer, which infiltrated air-gapped systems via infected USB drives, installing backdoors and file stealers to exfiltrate data when the drive reconnected to internet-accessible machines. In 2022, GoldenJackal developed a more sophisticated Go-based toolset, allowing attackers to task machines with different espionage roles and exfiltrate targeted data, demonstrating their adaptability in covert cyber-espionage.

Microsoft, DOJ Dismantle Russian Hacker Group Star Blizzard

Microsoft and the US Department of Justice dismantled over 100 domains linked to the Russian state-sponsored hacker group Star Blizzard, known for targeting NGOs, journalists, and government agencies through phishing campaigns and custom backdoors. The takedown aims to delay the group’s operations, particularly ahead of the upcoming US presidential election, a key target for foreign interference. Despite this success, cybersecurity experts warn that nation-state groups like Star Blizzard will likely continue to evolve their tactics, emphasizing the need for proactive threat hunting and enhanced security measures.

North Korea’s APT37 Targets Cambodia With Khmer, ‘VeilShell’ Backdoor

APT37, a North Korean state-sponsored group, has launched a new cyber campaign targeting Cambodian organizations using a backdoor called “VeilShell.” This attack relies on phishing emails with malicious shortcut (.LNK) files disguised as PDF or Excel documents to establish persistence on compromised systems, using a PowerShell-based RAT for long-term access. APT37 employs advanced evasion techniques such as AppDomainManager injection and long sleep timers between attack stages, ensuring stealth and making the campaign harder to detect and mitigate.

Scammer Rings Costing Victims Millions Busted By International Efforts

International cooperation led by Interpol has successfully dismantled two major criminal organizations involved in phishing and romance scams that cost victims millions of dollars. The initiative, known as ‘The Contender 2.0,’ targets cybercrime in West Africa, leveraging intelligence sharing with private cybersecurity firms like Group IB to identify and apprehend perpetrators. Key arrests were made in Côte d’Ivoire and Nigeria, with ongoing investigations aiming to recover stolen funds and uncover additional victims of these sophisticated scams.

31 New Ransomware Groups Join The Ecosystem In 12 Months

Secureworks’ 2024 State of the Threat Report highlights a 30% increase in active ransomware groups, with 31 new players joining the ecosystem over the past year, despite law enforcement efforts. Established groups like LockBit, PLAY, and RansomHub continue to dominate, but the ecosystem is increasingly fragmented, adding complexity for defenders. The report also flags the growing threat of AI-driven attacks and Adversary-in-the-Middle (AiTM) campaigns, while state-sponsored cyber activities from Russia, China, Iran, and North Korea remain a significant concern.

Cyberattack Group ‘Awaken Likho’ Targets Russian Government With Advanced Tools

Awaken Likho, also known as Core Werewolf and PseudoGamaredon, is a cyberattack group actively targeting Russian government agencies and industrial sectors using sophisticated tools, particularly since June 2024. Their latest tactics involve leveraging the legitimate MeshCentral platform for remote access, replacing the previously used UltraVNC module, and employing spear-phishing techniques with malicious executables disguised as legitimate document files to compromise systems. The group has demonstrated adaptability in their attack methods, including the use of self-extracting archives to facilitate covert installations, thereby enhancing their persistence and control over compromised hosts.

MoneyGram Says Personal Information Stolen In Recent Cyberattack

MoneyGram announced a data breach resulting from a cyberattack that occurred from September 20 to 22, 2024, during which hackers accessed and exfiltrated personal information from customer systems. The breach led to a temporary worldwide outage of their money transfer services, impacting various types of sensitive data, including national ID numbers, bank account details, and copies of government-issued IDs. In response, MoneyGram has implemented containment measures, restored services, and is offering affected customers two years of free identity monitoring and credit monitoring for U.S. clients.

Adobe Patches Critical Bugs In Commerce And Magento Products

Adobe has released urgent patches addressing 25 vulnerabilities across its Adobe Commerce and Magento Open Source products, which pose significant risks including code execution and privilege escalation. Two of these vulnerabilities have a critical CVSS score of 9.8, underscoring the urgency for businesses to update impacted versions, specifically Adobe Commerce 2.4.7-p2 and earlier, and Magento Open Source 2.4.7-p2 and earlier. Additionally, Adobe addressed critical flaws in other products, including Adobe Dimension and Adobe Animate, although no active exploitation of these vulnerabilities has been reported at this time.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.