The exploitation of a critical vulnerability in Citrix ShareFile, tracked as CVE-2023-24489, has seen a significant increase after the US Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities Catalog. The vulnerability allows unauthenticated attackers to upload arbitrary files and potentially achieve remote code execution. The spike in exploitation attempts occurred after CISA’s warning, with a large number of attacks coming from 72 unique IP addresses.
Threat actors are using malware-infected Windows and macOS systems to deploy a proxy application, creating a botnet of over 400,000 proxy exit nodes. The malware, known as AdLoad, may be running a pay-per-install campaign by monetizing access to infected macOS systems. The proxy application is signed and goes undetected by antivirus software, allowing it to collect information from infected systems and communicate with its command-and-control server.
Cisco has released security updates to address high-severity vulnerabilities in several enterprise applications. The most severe vulnerability affects the web management interface of Cisco Unified Communications Manager and Unified Communications Manager Session Management Edition, allowing for SQL injection attacks. Other vulnerabilities include an elevation of privilege bug in ThousandEyes Enterprise Agent and directory traversal attacks in the Duo Device Health Application. Cisco advises users to update their installations promptly to mitigate the risk of exploitation.
Google Chrome is introducing a new feature in its upcoming version that will alert users when an extension they have installed has been removed from the Chrome Web Store. The feature will notify users when an add-on has been unpublished, taken down for policy violations, or marked as malware. Additionally, Google plans to automatically upgrade all URL navigations to HTTPS, show warnings when downloading high-risk files on insecure connections, and enable HTTPS-First Mode by default in Incognito Mode for a more secure browsing experience.
The National Credit Union Administration (NCUA) has updated its cyberattack reporting rules, mandating that all federally insured credit unions report incidents within 72 hours of discovery. The new policy, effective September 1, covers incidents that impact information systems or the integrity, confidentiality, or availability of data. Credit unions must report substantial cyber incidents, including network compromise, unauthorized access to sensitive information, disruption of services, and data breaches resulting from cyberattacks on third-party service providers.
Israeli and US government agencies are planning to invest $3.85 million in projects aimed at improving the security of critical infrastructure systems. The investment will be made through the BIRD Cyber Program, a joint initiative between the Israel National Cyber Directorate, the Israel-US Binational Industrial Research and Development Foundation, and the US Department of Homeland Security Science and Technology Directorate. The projects will focus on enhancing security in the maritime sector, airports and air traffic, and industrial control systems, and on developing a comprehensive cyber protection solution for airports.
Microsoft has discovered a new version of the BlackCat ransomware that incorporates tools like Impacket and RemCom to aid in lateral movement and remote code execution. The BlackCat ransomware sample functions as a ‘toolkit’ and is constantly evolving, with the latest version being observed in attacks by a BlackCat affiliate in July 2023. Ransomware attacks continue to grow in sophistication and quantity, with threat actors adopting new tactics such as targeting managed service providers (MSPs) and resorting to triple extortion.
Several major vendors and projects, including OpenSSL, AWS, Microsoft Azure, Google Cloud, Cisco, Citrix, Dell, HP, Lenovo, NetApp, OVH, SuperMicro, VMware, Xen, and various Linux distributions, have published security advisories in response to the recently disclosed Intel CPU vulnerability named Downfall. Downfall is a side-channel attack method that allows a local attacker or malware to obtain potentially sensitive information from targeted devices, including passwords and encryption keys. The vulnerability affects Intel Core and Xeon processors released over the past decade, and firmware updates and mitigations are being released by Intel and other companies to address the issue.
A new social engineering campaign is targeting users of the Zimbra Collaboration email server to collect their login credentials. The campaign, active since April 2023, is primarily targeting small and medium businesses and governmental entities in Poland, Ecuador, Mexico, Italy, and Russia. The attackers send phishing emails with HTML attachments that contain a Zimbra login page tailored to the targeted organization, and once the credentials are entered, they are collected and sent to an actor-controlled server.
A coordinated law enforcement operation across 25 African countries has led to the arrest of 14 suspected cybercriminals. The operation, conducted in partnership with AFRIPOL, identified 20,674 cyber networks linked to financial losses of over $40 million. The operation resulted in the arrest of suspects involved in online scams, fraud, and money laundering, as well as the takedown of darknet sites and malicious infrastructure.
A financially motivated operation known as LabRat has been discovered using signature-based tools and stealthy cross-platform malware to evade detection. The campaign, focused on cryptomining and proxyjacking, exploits the CVE-2021-22205 vulnerability to achieve persistence, evade defenses, and perform lateral movement. The attackers use TryCloudflare and a compromised Solr server to obfuscate their infrastructure, while also employing the open-source tool Global Socket (GSocket) for persistent access. The LabRat operation poses a significant challenge for defense and detection due to its stealthy and evasive techniques.
Jenkins has released patches for high- and medium-severity vulnerabilities in several of its plugins. The high-severity vulnerabilities include cross-site request forgery (CSRF) and cross-site scripting (XSS) issues in the Folders, Flaky Test Handler, and Shortcut Job plugins. The patches address these vulnerabilities, but a high-severity XSS flaw in the Docker Swarm plugin remains unpatched.
LinkedIn has experienced a surge in account hacks, with users being pressured to pay a ransom to regain access or face permanent deletion. The attacks have affected users worldwide and have been monetized by hackers. LinkedIn has not yet commented publicly on the campaign, but reports indicate that the company is aware of the suspicious activity.
The Play ransomware group, known for targeting the City of Oakland, is now attacking managed service providers (MSPs) globally. The group gains access to MSP systems and uses their remote monitoring and management (RMM) tools to infiltrate the networks of their customers. Play’s targets include midsized businesses in various sectors and state, local, and tribal entities in multiple countries.
Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.