WEEKLY TOP TEN | January 22, 2024, 15:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant during the course of the week, ranking by highest risk and using multiple sources when available:
- Three Zero-Day Vulnerabilities in Chrome Exploited in the Wild
Google has just released a patch for a group of three vulnerabilities, one of which is being exploited in the wild. The particular vulnerability that is being exploited is known as CVE-2024-0519, and it corresponds to an out-of-bounds memory access vulnerability that exists in the JavaScript Engine that Chrome utilizes. The other two vulnerabilities patched in this update are similar bugs in the V8 JS engine. - Finnish Organizations Targeted by Akira Ransomware
The Finnish NCSC-FI (National Cybersecurity Center) has warned that Akira ransomware attacks have been on the rise within Finland. These ransomware deployments target weak corporate VPN connections with known vulnerabilities or improper implementation, especially on CISCO devices. Akira has been noted for wiping NAS (network attached storage) and tape backups, leaving defenders with no way to restore from backup. - Balada Injector Compromises Thousands of WordPress Sites
The Balada Injector is a long-running malware campaign targeting WordPress sites. Recently, a vulnerability in the Popup Builder plugin has been the target of these infections. This vulnerability, CVE-2023-6000, is an XSS (cross-site scripting) bug, which is the number three vulnerability in the OWASP top-ten. - Critical Confluence Vulnerability Allows for Unauthenticated RCE
Atlassian has published an advisory on a new critical vulnerability impacting all Confluence deployments. This vulnerability, CVE-2023-22527, has the maximum CVSS score of 10/10 and allows for unauthenticated remote code execution via template injection. While this vulnerability did impact Confluence deployments hosted on Atlassian servers, they have been patched via routine maintenance. Administrators should immediately patch on-premises instances. - Key Member of the Shiny Hunters Cybercrime Group Arrested
Shiny Hunters is a prolific cybercrime gang that has stolen amounts estimated to be nearly six million dollars from over sixty organizations. The US Department of Justice has released information regarding the arrest and conviction of a French citizen by the name of Sebastien Raoult. According to the DOJ, Sebastien was a key member of the Shiny Hunters group, and he has been ordered to pay over five million dollars in restitution and complete a prison sentence of three years. - X Account of Security Firm Mandiant Hacked in Brute Force Campaign
A brute-force campaign led to the compromise of Mandiant’s X (previously Twitter) account, a security company that Google owns. Attackers took control of the account and changed the account name, profile picture, and banner to promote a cryptocurrency scam. It has been stated that the MFA was not enabled on the account. - Medusa Ransomware Begins to Use Double-Extorsion Tactics
Medusa Ransomware was first discovered in February 2023 and has compromised several organizations since then. Recently, this group has begun to leverage double-extortion tactics, meaning that along with the standard deployment of ransomware, the group downloads sensitive data that is held on threat of release unless the ransom is paid. These threat actors primarily target internet-facing applications and servers to gain a foothold in victim networks. - Androxghost Botnet Targets Cloud and Microsoft Credentials
In a joint press release, the FBI and CISA issued warnings concerning the Androxghost botnet. The malware collects credentials from cloud services and other such accounts for use in its expanding botnet. According to Fortigaurd, this botnet controls over forty thousand devices as of 2022. Malware is delivered via several targeted vulnerabilities impacting PHP and Apache web servers. - Dump of 71 Million Credentials Discovered by Researchers
The creator of Have I Been Pwned (Troy Hunt), a service that stores known data breaches and allows users to check if their information is present, has discovered a massive data breach floating around on popular darknet markets. This breach contains seventy-one million unique credentials from a plethora of different social media, online shopping, and gaming sites. - PixieFail UEFI Vulnerability Opens Up Millions of Computers to Attacks
A new set of vulnerabilities in UEFI, the pre-operating system boot process, have been discovered. These vulnerabilities lie in the TCP/IP implementation of UEFI and have been dubbed PixieFail. All modern computers leverage UEFI for boot, making the scope of this vulnerability massive. The vulnerabilities discovered have several different outcomes, including remote code execution, denial of service, and information leakage.
