Palo Alto Networks confirms active exploitation of PAN-OS RCE flaw
Cybersecurity giant Palo Alto Networks has confirmed that it has observed exploitation attempts against a remote command execution vulnerability affecting its PAN-OS product. The company said that the flaw, which has yet to receive a CVE identifier, has been exploited “against a limited number of firewall management interfaces which are exposed to the Internet.” The vendor recommends that users ensure access to their management interface is configured correctly in accordance with recommended best practices. In particular, it is advised that access to the management interface is allowed only from trusted internal IPs and not from the internet.
Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) has flagged two Palo Alto Networks Expedition flaws, CVE-2024-9463 (command injection) and CVE-2024-9465 (SQL injection), as actively exploited.
Unpatched flaws in EoL D-Link devices exploited in the wild
Just days after Taiwanese networking hardware and telecoms equipment vendor D-Link confirmed that it has no intention to address a critical command injection vulnerability (CVE-2024-10914) affecting legacy D-Link DNS-320, DNS-320LW, DNS-325, and DNS-340L NAS devices, reports emerged that the flaw is being exploited in the wild. According to data from the Shadowserver threat monitoring service, exploitation attempts against CVE-2024-10914 have been going on since November 12, 2024. The organization said that around 1,100 vulnerable D-Link devices are exposed on the internet.
Microsoft patches two actively exploited zero-day flaws
Microsoft’s Patch Tuesday for November 2024 addresses over 90 vulnerabilities across the company’s software products, including two actively exploited zero-day flaws. One of the zero-days, CVE-2024-43451, is a spoofing vulnerability that targets the NTLM (NT LAN Manager) authentication protocol. This flaw enables attackers to extract NTLM hashes from remote users with only minimal interaction. The vulnerability was weaponized by a suspected Russia-linked threat actor in a SparkRAT cyber campaign targeting Ukraine.
The second actively exploited vulnerability, CVE-2024-49039, is an elevation of privilege flaw within Windows Task Scheduler. Attackers exploiting this vulnerability can elevate their privileges from a low-level AppContainer environment to Medium Integrity, gaining unauthorized access to resources and RPC (Remote Procedure Call) functions normally restricted to higher privilege accounts.
Zero-days top the list of most exploited vulnerabilities in 2023
In 2023, ten of the fifteen most exploited vulnerabilities were initially zero-days, according to a new report from CISA and its counterparts in Five Eyes countries. Among the notable zero-day flaws were those impacting Barracuda’s Email Security Gateway (ESG) appliances, exploited by suspected Chinese hackers, which led the company to advise customers to replace compromised devices. Other vulnerabilities included the MOVEit zero-day, which fueled a widespread data breach, and CitrixBleed, a flaw that affected Citrix’s network perimeter devices and has been exploited in LockBit ransomware attacks.
Veeam issues urgent patch for Backup Enterprise Manager flaw
Veeam has issued patches to address a high-severity RCE vulnerability in its Backup Enterprise Manager, tracked as CVE-2024-40715. The flaw can be exploited through a man-in-the-middle (MiTM) attack, allowing attackers to bypass authentication and gain unauthorized access to sensitive data, potentially enabling further malicious activity.
Veeam has released a hotfix for Backup Enterprise Manager version 12.2.0.334, as well as updated installation images for Veeam Backup & Replication and Veeam Data Platform, which include the necessary patch.
Of note, a critical RCE vulnerability in Veeam backup servers (CVE-2024-40711) has been observed in attacks deploying the new Frag ransomware.
Remcos RAT phishing attack abuses MS Excel bug
Researchers have uncovered a sophisticated phishing campaign deploying a fileless variant of the Remcos Remote Access Trojan (RAT), a commercial malware exploited by threat actors to control victims' computers and siphon sensitive information. The attack, discovered by Fortinet's FortiGuard Labs, starts with a phishing email masquerading as a purchase order, tricking recipients into opening a Microsoft Excel attachment. The attachment exploits CVE-2017-0199, a known remote code execution vulnerability in Microsoft Office, to trigger the infection process.
US authorities confirm Chinese hackers stole data from multiple telecom firms
The US has accused China-linked hackers of extensive cyber-espionage targeting multiple American telecom companies. According to a joint statement by the FBI and CISA, the attackers accessed customer call records and communications, focusing on individuals involved in government or political activities. They also intercepted surveillance data meant for US law enforcement, including information obtained through court-ordered requests.
In the meantime, Chinese state-sponsored hacking group Volt Typhoon (the same threat actor believed to be behind the telecoms providers’ hack) is reportedly rebuilding its notorious “KV-Botnet” malware network, following a disruption by US law enforcement earlier this year. Security researchers have observed the threat actor rebuilding the botnet, once again focusing on US infrastructure and targets across the globe.
Another Chinese cyber-espionage group, APT41 (aka Double Dragon, Barium, Brass Typhoon, Bronze Atlas, Wicked Panda, and Winnti), which has been linked to LightSpy iOS malware, has been observed expanding its toolset with a Windows-based surveillance framework.
According to a report by security firm Sekoia, China’s Ministry of State Security (MSS) has become the primary actor in state-sponsored cyber operations, overtaking the previously dominant People’s Liberation Army (PLA) since 2021. The shift follows PLA reforms in 2015, which led to a decline in PLA-linked cyber activity and a rise in operations attributed to MSS-backed groups like APT10, APT31, APT40, APT41, Mustang Panda, and Lucky Mouse.
The MSS and the Ministry of Public Security (MPS) enjoy significant autonomy, often outsourcing offensive cyber capabilities to private firms and exploiting vulnerabilities collected from researchers and companies.
Pro-Russia hackers escalate cyberattacks on South Korea amid tensions over Russo-Ukraine war
Pro-Russia hacker groups have intensified cyberattacks on South Korean organizations after Seoul's recent decision to send observers to Ukraine in response to North Korea's deployment of troops to support Russia. South Korean officials reported a notable uptick in Russia-linked cyberattacks, mainly targeting civilian and government websites. According to the statement, some organizations experienced temporary delays and disconnections on their websites, but no severe damage has been reported.
Hive0145 targets Europe with a new Strela Stealer campaign
The cybercriminal group Hive0145, believed to be a financially motivated initial access broker (IAB), has intensified its operations across Europe, targeting Spain, Germany, and Ukraine. Using Strela Stealer malware, the group aims to steal sensitive email credentials by exploiting authentic but stolen invoices in phishing campaigns. Active since late 2022, Hive0145 specializes in credential theft, particularly from Microsoft Outlook and Mozilla Thunderbird accounts.
Iranian hackers target aerospace industry via ‘dream job’ campaign
A new report from ClearSky researchers examines a new espionage campaign targeting the aerospace industry, attributed to Iranian threat group TA455, a likely subgroup of Charming Kitten. The hackers impersonated recruiters on LinkedIn and used fake recruiting websites to distribute malicious documents embedded with SnailResin malware, enabling the SlugResin backdoor.
Vietnamese cybercrime group is targeting govt and education entities in Europe and Asia
A new information-stealing campaign has been uncovered, targeting government and education entities in Europe and Asia. The operation involves a Python-based tool named PXA Stealer, capable of extracting sensitive information such as online account credentials, VPN and FTP client data, financial details, browser cookies, and gaming-related information. Notably, PXA Stealer can decrypt browser master passwords to access stored credentials. The campaign employs advanced obfuscation techniques in its batch scripts to evade detection. The attackers have been linked to a Telegram channel used for selling stolen credentials and hacking tools. While this channel is associated with the CoralRaider adversary, it remains unclear whether the campaign is directly tied to CoralRaider or another Vietnamese-speaking cybercrime group.
Sitting Ducks DNS attack puts over 1M registered domains at risk
A recent report by Infoblox Threat Intel reveals that over 1 million domains are potentially vulnerable to the "Sitting Ducks" attack, a cyber threat exploiting DNS misconfigurations. Active since 2018, this attack enables threat actors to hijack domains and use them for malicious purposes, including malware distribution and phishing campaigns.
Separately, EclecticIQ researchers have warned of a widespread fraud campaign linked to the SilkSpecter financially motivated Chinese threat actor, targeting online shoppers in the US and Europe. Since October 2024, the group has operated thousands of fake online stores, luring victims with steep discounts ahead of the Black Friday shopping season. The fraudulent websites are designed to harvest payment card details, exploiting the surge in online shopping during this period.
IP spoofing attack targets Tor network, triggers relay shutdowns
Tor relay operators have been targeted in a large-scale IP spoofing attack aimed at disrupting the Tor network. The attack, which began on October 20, spoofed non-exit relays and other Tor-related IPs to trigger automated abuse reports resulting in the shutdown of some relays. The threat actor behind the attack reportedly deployed spoofed SYN packets, making it appear as though Tor IP addresses were responsible for port scanning. By using this tactic, the attackers aimed to manipulate the appearance of network activity to trigger abuse reports from automated systems, which were then sent to internet service providers (ISPs) and data centers. Those impacted included hosting providers like OVH and Hetzner, with some Tor relays temporarily taken offline as a result.
Free decryptor released for BitLocker-based ShrinkLocker ransomware victims
Romanian cybersecurity company Bitdefender has released a free decryptor to assist organizations hit by the ShrinkLocker ransomware. The new tool allows victims to recover files encrypted by ShrinkLocker, which utilizes Microsoft’s BitLocker for encryption instead of custom encryption methods.
US indicts two hackers behind Snowflake breach
The US authorities have indicted Alexander Connor Moucka and John Binns for their involvement in major corporate breaches. Alexander “Connor” Moucka, aka Judische and Waifu, who is suspected of conducting a series of hacks tied to a high-profile breach of the data management platform Snowflake earlier this year, was arrested in Canada on October 30, 2024. His alleged accomplice, John Erin Binns (aka Irdev, IntelSecrets, V0rtex, and SubVirt), was apprehended in Turkey earlier this year.
Bitcoin Fog founder gets over 12 years for large-scale money laundering
Roman Sterlingov, a dual Russian-Swedish national and the founder of the longest-running cryptocurrency “mixer” service on the darknet, was sentenced to 12 years and six months in prison on charges related to a massive cryptocurrency money laundering operation. According to court documents, Bitcoin Fog processed over 1.2 million bitcoin transactions valued at approximately $400 million at the time they occurred.
In other news, Ilya Lichtenstein, 35, has been sentenced to five years in a US prison for laundering proceeds from the 2016 Bitfinex cryptocurrency hack, one of the largest crypto thefts in history involving nearly 120,000 bitcoin. Lichtenstein, who used advanced hacking techniques to breach Bitfinex’s systems, fraudulently transferred the funds and covered his tracks by deleting logs and credentials. He and his wife, Heather Morgan—who also used the alias “Razzlekhan” as a hip-hop artist—were arrested in February 2022. Morgan is set to be sentenced on November 18.
In a separate case, Robert Purbeck aka “Lifelock” and “Studmaster” was sentenced to 10 years in prison for hacking 19 computer servers across the US, stealing the personal data of 132,000 individuals. He attempted to extort an orthodontist by demanding Bitcoin in exchange for not exposing stolen patient records.
The US Justice Department has unsealed charges against two Nigerian nationals, Matthew Akande, 35, and Kehinde Oyetunji, 33, for allegedly hacking into multiple tax preparation companies. The scheme involved using the Warzone RAT malware to compromise five tax firms in Massachusetts, potentially stealing millions. Oyetunji pleaded guilty to hacking and fraud charges in late 2022 but awaits sentencing. Akande, recently arrested in the UK, faces extradition to the US.
Additionally, three Indiana residents have been arrested for their involvement in a SIM swapping scheme. Authorities allege the trio used fraudulent IDs to perform SIM swaps, gaining access to victims' two-factor authentication codes. This enabled them to steal money, data, and, in some cases, extort victims to regain access to their accounts.