11-Aug-23: In Security News Today

XWorm and Remcos RAT Exploit PDF Files to Infect Critical Infrastructure

A phishing campaign targeting victims in Europe and North America is using a malicious PDF file to deliver a Rust-based injector called Freeze[.]rs, which then loads a variety of malware infections. The campaign culminates in the installation of XWorm malware, which establishes communication with a command-and-control server and can carry out functions such as loading ransomware and acting as a persistent backdoor. The campaign also involves the use of SYK Crypter to distribute the Remcos remote access Trojan (RAT), which is capable of controlling and monitoring Windows devices.

Dell Credentials Bug Opens VMware Environments to Takeover

A bug in Dell Compellent storage array service allows attackers to take over enterprise VMware environments. The bug involves hardcoded credentials stored in the Dell software’s config files, which can be easily decoded to obtain administrator access to VMware vCenter. The vulnerability affects all organizations running Dell storage integrated with VMware environments, and a patch is expected to be released in the fall.

China-based APT Group UNC4841 Deploys ‘Whirlpool’ Backdoor on Barracuda ESG Appliances

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a backdoor called ‘Whirlpool’ that China-based APT group UNC4841 has been using in a cyber espionage campaign targeting Barracuda’s Email Security Gateway (ESG) appliances. The campaign, which has been ongoing since at least October 2022, has affected organizations in 16 countries across various industries. Whirlpool is a C-based utility that establishes a TLS reverse shell to the attacker’s command-and-control server, making it difficult to detect due to encrypted traffic.

AdLoad Malware Still Infecting Mac Systems with Proxy Application Payload

AdLoad malware, which has been infecting Mac systems since 2017, is still present and delivering a previously unreported payload. AT&T Alien Labs has observed at least 150 samples of AdLoad in the wild over the past year, indicating ongoing infections. The most common component dropped by AdLoad recently is a proxy application that turns infected Mac systems into a residential proxy botnet, potentially indicating that thousands of systems have been hijacked.

APT31’s Advanced Backdoors and Data Exfiltration Tactics

Chinese threat actor APT31 has been linked to advanced backdoors capable of exfiltrating sensitive information to Dropbox. The malware is part of a collection of over 15 implants used in attacks on industrial organizations in Eastern Europe. APT31’s tactics include a three-stage malware stack, the use of command-and-control inside the corporate perimeter, and the abuse of popular cloud-based data storage services.

New SystemBC Malware Variant Targets Southern African Power Company

A power generation company in southern Africa has been targeted by a cyber attack using a new variant of the SystemBC malware called DroxiDat. The attack, which occurred in late March 2023, involved the use of DroxiDat to profile the system and proxy network traffic using the SOCKS5 protocol. The identity of the threat actors behind the attack is currently unknown, but evidence suggests the involvement of Russian ransomware groups.

16 New CODESYS SDK Flaws Expose OT Environments to Remote Attacks

A set of 16 high-severity security flaws have been disclosed in the CODESYS V3 software development kit (SDK) that could result in remote code execution and denial-of-service attacks in operational technology (OT) environments. The vulnerabilities, which affect all versions of CODESYS V3 prior to version, could be exploited to backdoor OT devices, interfere with programmable logic controllers (PLCs), and potentially lead to information theft. While successful exploitation requires user authentication and knowledge of the proprietary protocol, the impact of these flaws could result in shutdowns and malicious tampering of critical automation processes.

CISA Adds Microsoft .NET Vulnerability to KEV Catalog Due to Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched security flaw in Microsoft’s .NET and Visual Studio products to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2023-38180, is a high-severity denial-of-service (DoS) vulnerability that affects .NET and Visual Studio. Microsoft has released patches for the vulnerability and has acknowledged the existence of a proof-of-concept (PoC) exploit code.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.