WEEKLY TOP TEN | February 12, 2024, 15:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we judged most significant over the course of the week, ranked by highest risk and corroborated with multiple sources where available:
- Linux Bootloader Vulnerability Impacts All Distributions
Nearly all distributions use Linux Shim as a component of the secure boot process. Analysts uncovered a spate of new vulnerabilities in this software, including a bug rated 9.8/10 on the CVSS scale and tracked as CVE-2023-40547, which gives an attacker remote code execution via a specially crafted HTTP request.
- Vulnerability in TeamCity Leads to Complete Server Takeover
JetBrains TeamCity is a popular CI/CD (continuous integration and deployment) service that streamlines the development and deployment of applications. JetBrains has identified and patched a new vulnerability (CVE-2024-23917, CVSS score 9.8). This bug is an authentication bypass with the possibility of remote code execution, leading to a complete takeover of the server by threat actors.
- XLoader Android Malware Executes Automatically After Install
XLoader is an Android malware tied to the Roaming Mantis threat actor group. A recent update to this malware family allows it to install and execute without end-user interaction. The initial infection is attempted through a shortened link sent in an SMS message, which provides a download for the APK file, typically posing as a new version of Google Chrome.
- Windows BitLocker Encryption Broken Using a Raspberry Pi Pico
The Raspberry Pi Pico is the smaller and less powerful version of the popular credit-card-sized Raspberry Pi computers, mainly meant for embedded devices and robotics. YouTuber and security professional StackSmashing has recently published his research on breaking BitLocker encryption on Windows devices, a protection meant to prevent data theft if a laptop or other device is physically stolen. The attack lets the small board read the encryption key while it is exchanged between the CPU and the TPM, where it is sent in plain text, allowing the device to be decrypted.
- AnyDesk Production Servers Breached
AnyDesk is a popular remote administration or access tool. The developers of this tool have recently released information about a breach on their production servers. The attackers were able to steal source code and private keys. This may lead to new zero-day exploits being discovered or trojanized versions being distributed.
- Developers of Raspberry Robin Malware are Buying New Exploits to Enhance Infection Rate
The developers of Raspberry Robin, an initial-access malware, have been observed purchasing exploit code for several vulnerabilities to increase infection rates and speed of attacks. These exploits have been added to Raspberry Robin sometimes weeks before public exploit code becomes available on GitHub, which also adds to the difficulty of creating detection rules for defenders.
- Ov3r_Stealer Malware Distributed via Facebook
Ov3r_Stealer is an info-stealer malware; recently, it has been observed being distributed via Facebook job ads. Once downloaded, the malware is installed by a PowerShell script masquerading as a Windows control panel. Once a device is infected, the malware exfiltrates stolen data, such as account credentials and browser cookies, via a Telegram bot.
- Critical Vulnerability Discovered in Cisco Expressway Gateway Devices
Cisco Expressway gateway devices are used for communications with devices outside an organization’s firewall, specifically chat and video conferencing. A new vulnerability discovered in these devices allows unauthenticated Cross-Site Request Forgery (CSRF) via the SOAP API, resulting in denial of service.
- Coyote Banking Trojan Impacts Several Brazilian Banks
Coyote is a new banking trojan that leverages the Squirrel installer and the Nim programming language to run on as many systems as possible, regardless of the operating system and installed software. This malware has been seen infecting devices across 61 Brazilian-based banks.
- North Korean-Backed APT Kimsuky Releases New Trojans
The APT labeled Kimsuky is a North Korean-affiliated cybercrime group. It has released new info-stealer and trojan malware targeting South Korean organizations, attempting to steal all information on system drives and network shares. This malware is written in Golang, a language that has become notorious for its widespread use in malware development.