Researchers have discovered that hackers can manipulate the Windows Container Isolation Framework to bypass endpoint security solutions. By leveraging the Windows Container Isolation FS minifilter driver, attackers can obfuscate file system operations and confuse security products. However, this attack requires administrative permissions and cannot be used to overwrite files on the host system.
A cyberespionage group known as Earth Estries has been targeting government-related organizations and technology companies globally. While the group’s origin has not been directly attributed, there are similarities in tactics with the China-linked APT group FamousSparrow. Earth Estries compromises admin accounts, deploys backdoors, and exfiltrates valuable data, using tools such as HemiGate and Zingdoor backdoors and the TrillClient information stealer. The group’s command and control infrastructure relies on the Fastly CDN service and they utilize PowerShell downgrade attacks and abuse public services for command and data exchange.
Cybercriminals are increasingly targeting Airbnb accounts on the Dark Web, with thousands of accounts being sold for as low as one dollar. These cybercriminals are using phishing, stealer malware, and stolen cookies to gain unauthorized access to accounts, allowing them to book properties or perform other unauthorized actions without raising any alerts. The researchers found a bustling market for Airbnb-related offerings on cybercrime stores, including automated programs to test Airbnb accounts and vacation services at discounted rates.
Law enforcement agencies from multiple countries have taken down the infrastructure behind the Qakbot malware, which has infected over 700,000 computers worldwide. The operation, code-named ‘Duck Hunt,’ involved redirecting Qakbot traffic to controlled servers that instructed infected computers to download an uninstaller file, effectively removing the malware and preventing the installation of additional malware. While the takedown is a significant effort, experts warn that similar disruptions in the past have not had a long-term impact, and the operators behind Qakbot may reconstitute the botnet in the future.
Rackspace, a cloud hosting services company, is dealing with over $10 million in remediation costs and legal fees following a ransomware attack by the Play ransomware gang. The attack, which exploited a vulnerability in the Microsoft Exchange server, disrupted email service for thousands of Rackspace’s small-to-midsize business customers. The company expects some of the costs to be reimbursed by cyber-insurance companies and has not disclosed whether it paid the initial ransom request.
Researchers have discovered malicious Android apps for Signal and Telegram that distribute the BadBazaar spyware. The campaign, attributed to a China-linked actor called GREF, has been active since July 2020 and July 2022, targeting users primarily in Germany, Poland, and the U.S. The spyware collects sensitive user data and can secretly link the victim’s smartphone to the attacker’s device, allowing them to spy on Signal communications without the victim’s knowledge.
A set of 16 high-severity security flaws have been disclosed in the CODESYS V3 software development kit (SDK) that could result in remote code execution and denial-of-service attacks in operational technology (OT) environments. The vulnerabilities, known as CoDe16, affect all versions of CODESYS V3 prior to version 184.108.40.206 and could lead to shutdowns and malicious tampering of critical automation processes. Exploiting the flaws requires user authentication and knowledge of the proprietary protocol of CODESYS V3, but the impact could be serious, including information theft and backdooring of OT devices.
Threat actors have started exploiting four recently patched vulnerabilities in the J-Web component of Juniper Networks’ Junos OS after proof-of-concept (PoC) exploit code was published online. The vulnerabilities, rated as medium-severity, allow for remote code execution and file uploads without authentication. The attacks began on the same day the PoC exploit code was published, and cybersecurity experts warn that large-scale exploitation is likely due to the simplicity of the exploits and the privileged position of Junos devices in a network.
An unknown threat actor has been using malicious npm packages to target developers and steal source code and configuration files. The actor has been linked to malicious activity since 2021 and has continuously published malicious packages. The packages are designed to execute post-installation and capture system metadata, source code, and secrets, which are then transmitted to a predefined FTP server. The campaign appears to be focused on the cryptocurrency sector.
VMware has released software updates to address two critical vulnerabilities in Aria Operations for Networks that could allow remote attackers to bypass authentication and execute remote code. The most severe vulnerability (CVE-2023-34039) allows an attacker to bypass SSH authentication and gain access to the Aria Operations for Networks CLI. The second vulnerability (CVE-2023-20890) enables an adversary with administrative access to write files to arbitrary locations and achieve remote code execution. Users are advised to update to version 6.11.0 to mitigate these vulnerabilities.
Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.