The AVRecon botnet has been using compromised small office/home office (SOHO) routers to fuel an illegal proxy service. The botnet, which has been active since at least May 2021, has infiltrated over 41,000 nodes across 20 countries. It has been used to create residential proxy services for malicious activities such as password spraying, web-traffic proxying, and ad fraud.
Threat actors are using fake websites and trojanized software installers to distribute the Fruity trojan, which in turn installs remote access tools such as Remcos RAT. The trojanized installers bundle the software the victim wants together with the trojan itself. The initial access vector is unclear, but it could involve phishing, drive-by downloads, or malicious ads.
Multiple security vulnerabilities have been discovered in the Ninja Forms plugin for WordPress, affecting versions 3.6.25 and below. These vulnerabilities, tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, could allow threat actors to escalate privileges and steal sensitive data. They comprise a reflected cross-site scripting (XSS) vulnerability, exploitable by unauthenticated users, and broken access control issues, exploitable by bad actors holding the Subscriber and Contributor roles. Users are advised to update to version 3.6.26 to mitigate these risks.
A new Android malware strain called CherryBlos is using optical character recognition (OCR) techniques to collect sensitive data stored in pictures. The malware is distributed through fake posts on social media platforms and can steal cryptocurrency wallet credentials and act as a clipper to replace wallet addresses. CherryBlos also utilizes OCR to recognize mnemonic phrases from images and photos on the device, which are then uploaded to a remote server.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has uncovered a novel and persistent backdoor named “SUBMARINE” used by threat actors in attacks targeting Barracuda Email Security Gateway (ESG) appliances. The backdoor, part of the UNC4841 cyber espionage campaign, exploits a critical flaw in the ESG devices and grants attackers root privileges, providing execution, persistence, command-and-control, and cleanup capabilities. The sophisticated nature of the attack and the threat actor’s ability to alter malware quickly make it a severe threat with potential for lateral movement, and demand heightened vigilance from cybersecurity professionals.
Ivanti has disclosed a security flaw in Endpoint Manager Mobile (EPMM) that is being actively exploited by malicious actors. The vulnerability, tracked as CVE-2023-35081, allows an authenticated administrator to perform arbitrary file writes to the EPMM server, potentially enabling the execution of OS commands. This vulnerability can be used in conjunction with CVE-2023-35078, which is a critical remote unauthenticated API access vulnerability that allows attackers to obtain sensitive information and bypass authentication.
NATO is investigating claims made by hacktivist group SiegedSec that they have stolen NATO documents containing information from 31 nations. The group leaked unclassified documents and personal records, including names, email addresses, and home addresses. NATO officials have stated that their classified networks are not affected and there is no impact on NATO operations.
The use of digital twins, AI assistants that mimic and learn from users, opens up new opportunities for cyber attackers to exploit individuals. Large language models (LLMs) can be used to write convincing phishing emails and vishing calls, but the real concern lies in the ability of AI to manipulate individuals by mimicking their preferences and thoughts. Defending against LLM compromise is difficult, and there is no way to know if a digital twin has been compromised, making them a trusted but opaque threat.
Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.