Russian hackers hijack Pakistani hackers' servers for their own attacks

The notorious Russian cyber-espionage group Turla is hacking other hackers, hijacking the Pakistani threat actor Storm-0156's infrastructure to launch its own covert attacks on already compromised networks. Using this tactic, Turla (aka "Secret Blizzard") accessed networks Storm-0156 had previously breached, such as Afghan and Indian government organizations, and deployed its own malware tools there. According to a report from Lumen's Black Lotus Labs, which has tracked this campaign since January 2023 with the help of Microsoft's Threat Intelligence Team, the Turla operation has been underway since December 2022. Turla is a Russian state-sponsored hacking group linked to Center 16 of Russia's Federal Security Service (FSB), the unit responsible for the interception, decoding, and collection of data from foreign targets.
New DroidBot Android malware targets 77 banking, crypto apps

A new Android banking malware named 'DroidBot' attempts to steal credentials for over 77 cryptocurrency exchanges and banking apps in the UK, Italy, France, Spain, and Portugal. According to Cleafy researchers who discovered the new Android malware, DroidBot has been active since June 2024 and operates as a malware-as-a-service (MaaS) platform, selling the tool for $3,000/month. At least 17 affiliate groups have been identified using malware builders to customize their payloads for specific targets. DroidBot's developers, who appear to be Turkish, provide affiliates with all the tools required to conduct attacks. This includes the malware builder, command and control (C2) servers, and a central administration panel from which they can control their operations, retrieve stolen data, and issue commands.
Android's December 2024 Security Update Patches 14 Vulnerabilities

Google on Tuesday announced patches for 14 high-severity vulnerabilities as part of Android's December 2024 security update, including a remote code execution flaw in the System component. The first part of the update, which arrives on devices as the 2024-12-01 security patch level, resolves six security defects in the Framework and System components, five of which could allow attackers to elevate privileges. According to Google's advisory, however, the sixth of these bugs, which is tracked as CVE-2024-43767 and impacts System, is the most severe issue, as it could lead to remote code execution (RCE) with no additional execution privileges needed. Fixes for these defects were included in updated Android 12, 12L, 13, 14, and 15 versions, and the source code for these patches has been released to the Android Open Source Project (AOSP) repository.
CISA Warns of Zyxel Firewall Vulnerability Exploited in Attacks

The US cybersecurity agency CISA on Tuesday warned that a path traversal vulnerability in multiple Zyxel firewall appliances has been exploited in the wild. The issue, tracked as CVE-2024-11667 (CVSS score of 7.5), is a high-severity flaw affecting the web management interface of Zyxel ATP, USG FLEX, and USG20(W)-VPN series devices. Successful exploitation of the security defect could allow an attacker to download or upload files using crafted URLs, a NIST advisory reads. "An attacker may gain unauthorized access to the system, steal credentials, and create backdoor VPN connections by exploiting the vulnerability," Qualys warned on Tuesday.
Researchers Uncover Backdoor in Solana's Popular Web3[.]js npm Library

Cybersecurity researchers are alerting to a software supply chain attack targeting the popular @solana/web3[.]js npm library that involved pushing two malicious versions capable of harvesting users' private keys with an aim to drain their cryptocurrency wallets. The attack has been detected in versions 1.95.6 and 1.95.7. Both these versions are no longer available for download from the npm registry. The package is widely used, attracting over 400,000 weekly downloads. "These compromised versions contain injected malicious code that is designed to steal private keys from unsuspecting developers and users, potentially enabling attackers to drain cryptocurrency wallets," Socket said in a report. @solana/web3[.]js is an npm package that can be used to interact with the Solana JavaScript software development kit (SDK) for building Node[.]js and web apps.

See more: The Hacker News, SecurityWeek, BleepingComputer.
Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access

A critical security vulnerability has been disclosed in SailPoint's IdentityIQ identity and access management (IAM) software that allows unauthorized access to content stored within the application directory. The flaw, tracked as CVE-2024-10905, has a CVSS score of 10.0, indicating maximum severity. It affects IdentityIQ versions 8.2, 8.3, 8.4, and other previous versions. IdentityIQ "allows HTTP access to static content in the IdentityIQ application directory that should be protected," according to a description of the flaw on NIST's National Vulnerability Database (NVD).
With Threats to Encryption Looming, Signal's Meredith Whittaker Says 'We're Not Changing'

At WIRED's The Big Interview event, the president of the Signal Foundation talked about secure communications as critical infrastructure and the need for a new funding paradigm for tech. The secure messaging app Signal is famous for knowing as little about its users as possible. The app isn't hoarding metadata, tracking you, or showing you ads; in other words, it's not monetizing user data. Instead, the Signal Foundation is a nonprofit. Its president, Meredith Whittaker, sees a massive shift underway and an "invitation for action" as the monoliths of Big Tech lose popularity and the old economics of Silicon Valley become brittle.
Veeam warns of critical RCE bug in Service Provider Console

Veeam released security updates today to address two Service Provider Console (VSPC) vulnerabilities, including a critical remote code execution (RCE) flaw discovered during internal testing. VSPC, described by the company as a remote-managed BaaS (Backend as a Service) and DRaaS (Disaster Recovery as a Service) platform, is used by service providers to monitor the health and security of customer backups, as well as to manage their Veeam-protected virtual, Microsoft 365, and public cloud workloads. The first security flaw fixed today (tracked as CVE-2024-42448 and rated with a 9.9/10 severity score) enables attackers to execute arbitrary code on unpatched servers from the VSPC management agent machine. Veeam also patched a high-severity vulnerability (CVE-2024-42449) that can let attackers steal the NTLM hash of the VSPC server service account and use the gained access to delete files on the VSPC server.

See more: BleepingComputer, The Hacker News.
Hackers Use Corrupted ZIPs and Office Docs to Evade Antivirus and Email Defenses

Cybersecurity researchers have called attention to a novel phishing campaign that leverages corrupted Microsoft Office documents and ZIP archives as a way to bypass email defenses. "The ongoing attack evades antivirus software, prevents uploads to sandboxes, and bypasses Outlook's spam filters, allowing the malicious emails to reach your inbox," ANY[.]RUN said in a series of posts on X. The malicious activity entails sending emails containing ZIP archives or Office attachments that are intentionally corrupted in such a way that they cannot be scanned by security tools. These messages aim to trick users into opening the attachments with false promises of employee benefits and bonuses. In other words, the corrupted state of the files means that they are not flagged as suspicious or malicious by email filters and antivirus software. However, the attack still works because it takes advantage of the built-in recovery mechanisms of programs like Word, Outlook, and WinRAR to open such damaged files in recovery mode.
New EU Regulation Establishes European 'Cybersecurity Shield'

The Council of the European Union on Monday announced the adoption of two new laws meant to improve overall cybersecurity across the EU. The two new laws in the cybersecurity package establish a cybersecurity shield that calls for member states to cooperate in detecting and responding to cyberattacks, and amend the EU's Cybersecurity Act (CSA) of 2019 to ensure adequate security standards for managed security services. The first legislative act establishes a European Cybersecurity Alert System, a pan-European network of cyberhubs that creates "coordinated detection and situational awareness capabilities, reinforcing the Union's threat detection and information-sharing capabilities".