U.S. Telecom Giant T-Mobile Detects Network Intrusion Attempts from Wireline Provider

U.S. telecom service provider T-Mobile said it detected attempts by bad actors to infiltrate its systems in recent weeks, but noted that no sensitive data was accessed. These intrusion attempts "originated from a wireline provider's network that was connected to ours," Jeff Simon, chief security officer at T-Mobile, said in a statement. "We see no instances of prior attempts like this." The company further said its security defenses prevented the threat actors from disrupting its services or obtaining customer information, and confirmed that it has since cut off connectivity to the unnamed provider's network. It did not explicitly attribute the activity to any known threat actor or group, but noted that it has shared its findings with the U.S. government.

See more: The Hacker News, Bleeping Computer, SecurityWeek
#cybersecurity
Tor needs 200 new WebTunnel bridges to fight censorship

The Tor Project has put out an urgent call to the privacy community asking volunteers to help deploy 200 new WebTunnel bridges by the end of the year to fight government censorship. Currently, the Tor Project operates 143 WebTunnel bridges, which help users in heavily censored regions bypass internet access restrictions and website blocks. This comes in response to increasing censorship in Russia, which Tor says currently impacts the browser's built-in censorship circumvention mechanisms, including obfs4 connections and Snowflake. The Tor Project believes that setting up more WebTunnel bridges is the best response to this censorship escalation, as analyzing new tactics and developing workarounds takes time, leaving users vulnerable and isolated from the free internet.

#tor #privacy #censorship
Police bust pirate streaming service making €250 million per month

An international law enforcement operation has dismantled a pirate streaming service that served over 22 million users worldwide and made €250 million ($263M) per month. Italy's Postal and Cybersecurity Police Service announced the action, codenamed "Taken Down," stating they worked with Eurojust, Europol, and many other European countries, making this the largest takedown of its kind in Italy and internationally. "More than 270 Postal Police officers, in collaboration with foreign law enforcement, carried out 89 searches in 15 Italian regions and 14 additional searches in the United Kingdom, the Netherlands, Sweden, Switzerland, Romania, Croatia, and China, involving 102 individuals," reads the announcement.

#pirate #streaming
ProjectSend Vulnerability Exploited in the Wild

Threat actors are likely exploiting ProjectSend servers unpatched against a vulnerability that was publicly disclosed roughly a year and a half ago, VulnCheck warns. An open source application written in PHP, ProjectSend is designed for file sharing, enabling users to create client groups, assign user roles, and access statistics, detailed logs, notifications, and more. The exploited issue, tracked as CVE-2024-11680 (CVSS score of 9.8), is described as an improper authentication vulnerability that could allow remote, unauthenticated attackers to modify the application's configuration. Attackers could send crafted HTTP requests to the options[.]php endpoint to create rogue accounts, upload webshells, and potentially embed malicious JavaScript code, a NIST advisory reads.

#cybersecurity #php
APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign

The threat actor known as APT-C-60 has been linked to a cyber attack targeting an unnamed organization in Japan that used a job application-themed lure to deliver the SpyGlace backdoor. That's according to findings from JPCERT/CC, which said the intrusion leveraged legitimate services like Google Drive, Bitbucket, and StatCounter. The attack was carried out around August 2024. "In this attack, an email purporting to be from a prospective employee was sent to the organization's recruiting contact, infecting the contact with malware," the agency said.

#cybersecurity #malware
New NachoVPN attack uses rogue VPN servers to install malicious updates

A set of vulnerabilities dubbed "NachoVPN" allows rogue VPN servers to install malicious updates when unpatched Palo Alto and SonicWall SSL-VPN clients connect to them. AmberWolf security researchers found that threat actors can trick potential targets into connecting their SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN clients to attacker-controlled VPN servers using malicious websites or documents in social engineering or phishing attacks. Threat actors can use the rogue VPN endpoints to steal the victims' login credentials, execute arbitrary code with elevated privileges, install malicious software via updates, and launch code-signing forgery or man-in-the-middle attacks by installing malicious root certificates.

See more: Bleeping Computer, SecurityWeek
#cybersecurity
Firefox and Windows zero-days exploited by Russian RomCom hackers

The Russia-based RomCom cybercrime group chained two zero-day vulnerabilities in recent attacks targeting Firefox and Tor Browser users across Europe and North America. The first flaw (CVE-2024-9680) is a use-after-free bug in Firefox's animation timeline feature that allows code execution inside the web browser's sandbox. Mozilla patched this vulnerability on October 9, 2024, one day after ESET reported it. The second zero-day exploited in this campaign is a privilege escalation flaw (CVE-2024-49039) in the Windows Task Scheduler service, allowing attackers to execute code outside the Firefox sandbox. Microsoft addressed this security vulnerability earlier this month, on November 12. RomCom abused the two vulnerabilities as a zero-day exploit chain, which gave them remote code execution without requiring user interaction: their targets only had to visit an attacker-controlled, maliciously crafted website that downloaded and executed the RomCom backdoor on their system.

See more: Bleeping Computer, The Hacker News, SecurityWeek
#cybersecurity #zeroday #firefox
Researchers Discover "Bootkitty" – First UEFI Bootkit Targeting Linux Kernels

Cybersecurity researchers have shed light on what has been described as the first Unified Extensible Firmware Interface (UEFI) bootkit designed for Linux systems. Dubbed Bootkitty by its creators, who go by the name BlackCat, the bootkit is assessed to be a proof-of-concept (PoC), and there is no evidence that it has been put to use in real-world attacks. Also tracked as IranuKit, it was uploaded to the VirusTotal platform on November 5, 2024. "The bootkit's main goal is to disable the kernel's signature verification feature and to preload two as yet unknown ELF binaries via the Linux init process (which is the first process executed by the Linux kernel during system startup)," ESET researchers Martin Smolár and Peter Strýček said. The development is significant as it heralds a shift in the cyber threat landscape where UEFI bootkits are no longer confined to Windows systems alone.

See more: The Hacker News, BleepingComputer, SecurityWeek
#cybersecurity #uefi #bootkit
Hackers abuse popular Godot game engine to infect thousands of PCs

Hackers have used new GodLoader malware that exploits the capabilities of the widely used Godot game engine to evade detection and infect over 17,000 systems in just three months. As Check Point Research found while investigating the attacks, threat actors can use this malware loader to target gamers across all major platforms, including Windows, macOS, Linux, Android, and iOS. The loader also leverages Godot's flexibility and its GDScript scripting language to execute arbitrary code and bypass detection systems, using the engine's .pck files, which package game assets, to embed harmful scripts. Once loaded, the maliciously crafted files trigger malicious code on the victims' devices, enabling attackers to steal credentials or download additional payloads, including the XMRig crypto miner. This miner malware's configuration was hosted on a private Pastebin file uploaded in May, which was visited 206,913 times throughout the campaign.

#cybersecurity #godot #malware
IBM Patches RCE Vulnerabilities in Data Virtualization Manager, Security SOAR

IBM on Monday announced patches for multiple vulnerabilities across its products, including two high-severity remote code execution (RCE) issues in Data Virtualization Manager and Security SOAR. Tracked as CVE-2024-52899 (CVSS score of 8.5), the flaw in Data Virtualization Manager for z/OS could allow a remote, authenticated attacker to inject malicious JDBC URL parameters, which could lead to arbitrary code execution on the server. IBM has released fix packs for Data Virtualization Manager for z/OS versions 1.1 and 1.2, and has included instructions on how to download them in its advisory.

#cybersecurity #ibm #rce