WEEKLY TOP TEN: April 11, 2024, 19:04 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ stories we identified during the week, ranked by highest risk and drawing on multiple sources where available:
- Backdoor Found in Open-Source Project Liblzma
The open-source library liblzma (from XZ Utils) was discovered to contain a heavily obfuscated backdoor in the tarball release files for versions 5.6.x. It has been assigned CVE-2024-3094 with a CVSS score of 10/10. The attacker, Jia Tan, inserted the backdoor by gaining the trust of the original maintainer, Lasse Collin, through offers of help. Over a span of 2 years they gradually assumed control of the project, ultimately becoming a co-maintainer, using feature requests and issue reports filed from alternate GitHub accounts to build trust with both Lasse Collin and the community.

- New Variant of Vultur Banking Trojan
A new variant of the Vultur banking trojan has been discovered for Android. This version adds new obfuscation and detection-evasion techniques, and introduces further features such as remote control, lock-screen bypass, custom notifications, blocking of app launches, and the ability to download, upload, delete, install, and find files. The attackers rely on the Brunhilda dropper, which is spread using both SMS and a phone call.

- Google’s New Security Feature
Google announced a new Chrome feature called “Device Bound Session Credentials” that binds the browser’s session cookies to the device. The feature is intended to reduce session hijacking attacks. It is still in the prototyping phase but can be tried by enabling “enable-bound-session-credentials” in chrome://flags/.

- SurveyLama data breach
On August 2, 2024, Troy Hunt, owner of the data breach alerting service Have I Been Pwned (HIBP), added a dataset of about 4.4 million accounts leaked in a February 2024 data breach at SurveyLama. The leak included email addresses, full names, postal addresses, phone numbers, and passwords of user accounts. Fortunately, the leaked passwords are not in clear text but are protected with salted SHA-1, a hashing algorithm with known weaknesses that make it susceptible to collision attacks.

- Malvertising Campaign That Utilizes the Google Ads Tracking Feature
Researchers from AhnLab Security Intelligence Center (ASEC) have discovered a new malvertising campaign that abuses the Google Ads tracking feature to distribute the Rhadamanthys stealer. The ads are disguised as installers for Notion, Trello, Slack, and other popular groupware tools. When a user clicks the banner ad, they are directed to a copy of the real installer site hosted on an attacker-controlled server, which tricks them into downloading the Rhadamanthys stealer.

- Security Flaw in LayerSlider WordPress Plugin
A security vulnerability was discovered in the LayerSlider WordPress plugin. When exploited, it allows an attacker to exfiltrate information from the site’s database, such as password hashes. The vulnerability was assigned CVE-2024-2879, with a CVSS score of 9.8/10. A patch was released in version 7.10.1 on March 27, 2024.

- New Ransomware Gang SEXi Attacks Hosting Firm
IxMetro Powerhost, a Chilean data center and hosting provider, fell victim to a new ransomware gang, “SEXi”. The group encrypted not only the company’s VMware ESXi servers, which host virtual servers for its customers, but also the company’s backups, making recovery challenging.

- JSOutProx Attack Framework: New Version Discovered
A new version of JSOutProx, a sophisticated attack framework built on both JavaScript and .NET, was discovered by security researchers at Resecurity. This version has been targeting financial organizations in the MENA and APAC regions. In the most recent attack, on April 2, 2024, multiple banking customers were targeted through an impersonation campaign that used a fake SWIFT payment notification (for enterprise targets) or a MoneyGram template (for private customers) to confuse victims and trick them into executing the malicious code.

- Alleged Exfiltration of Government Documents
A threat actor called IntelBroker claims to have stolen classified information from the Five Eyes intelligence alliance, comprising the intelligence agencies of Australia, Canada, New Zealand, the United Kingdom, and the United States, obtained through the federal consulting firm Acuity. According to IntelBroker, the data contains identifying information for government, military, and Pentagon employees, such as full names, email addresses, office numbers, and personal cell numbers.

- New Denial of Service Attack Discovered
A new Denial of Service (DoS) attack was discovered that abuses the HTTP/2 CONTINUATION frame (type 0x9) sent without the END_HEADERS flag set. An attacker opens a new HTTP/2 stream against a target server that fails to correctly handle a HEADERS frame followed by a long run of CONTINUATION frames. This DoS attack is notable in that it does not appear in the HTTP access logs: because the header block never completes, no request is ever finished and written to the log.
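The defensive check that the CONTINUATION item above calls for, as an added example that is not part of the digest or of any named product: a connection-level guard that reassembles an HTTP/2 header block and aborts the connection when a HEADERS frame without END_HEADERS is followed by too many bytes or too many CONTINUATION frames, or by any frame other than a CONTINUATION on the same stream. It also records a connection-level audit entry, which covers the detection gap the item mentions (nothing reaches the access log). The frame-building helper, the sample byte streams and the limit values are constructed for this example; a real server would derive its limits from SETTINGS_MAX_HEADER_LIST_SIZE and its own policy.

```python
import struct
from dataclasses import dataclass, field

FRAME_HEADER_LEN = 9       # 24-bit length, 8-bit type, 8-bit flags, R bit + 31-bit stream id
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4


def build_frame(frame_type: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialise one HTTP/2 frame. Used only to construct sample input below."""
    length = struct.pack(">I", len(payload))[1:]          # 3-byte big-endian length
    return length + bytes([frame_type, flags]) + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(data: bytes):
    """Yield (type, flags, stream_id, length) for each complete frame in `data`."""
    offset = 0
    while offset + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        frame_type, flags = data[offset + 3], data[offset + 4]
        stream_id = struct.unpack(">I", data[offset + 5:offset + 9])[0] & 0x7FFFFFFF
        offset += FRAME_HEADER_LEN
        if offset + length > len(data):
            break                                          # truncated frame: keep buffering
        yield frame_type, flags, stream_id, length
        offset += length


@dataclass
class ContinuationGuard:
    """Tracks the single in-progress header block a connection may have and enforces limits."""
    max_header_block_bytes: int = 16 * 1024               # assumed limit for this example
    max_continuation_frames: int = 32                     # assumed limit for this example
    audit: list = field(default_factory=list)             # connection-level log; no request ever completes
    _open_stream: int = None
    _block_bytes: int = 0
    _continuations: int = 0

    def _reset(self):
        self._open_stream, self._block_bytes, self._continuations = None, 0, 0

    def _reject(self, reason: str, stream_id: int) -> str:
        self.audit.append(f"h2-guard: GOAWAY stream={stream_id} reason={reason} "
                          f"block_bytes={self._block_bytes} continuations={self._continuations}")
        self._reset()
        return "GOAWAY"

    def observe(self, frame_type: int, flags: int, stream_id: int, length: int) -> str:
        """Return "OK", "HEADERS_DONE" or "GOAWAY" for one frame."""
        if self._open_stream is None:
            if frame_type == TYPE_CONTINUATION:
                return self._reject("continuation-without-headers", stream_id)
            if frame_type != TYPE_HEADERS:
                return "OK"                                # other frame types are not the guard's concern
            self._block_bytes = length
            if flags & FLAG_END_HEADERS:
                self._reset()
                return "HEADERS_DONE"
            self._open_stream = stream_id                  # header block stays open
            return "OK"
        # Header block open: only CONTINUATION on the same stream is legal (RFC 9113 section 6.10).
        if frame_type != TYPE_CONTINUATION or stream_id != self._open_stream:
            return self._reject("interleaved-frame-in-header-block", stream_id)
        self._continuations += 1
        self._block_bytes += length
        if self._block_bytes > self.max_header_block_bytes:
            return self._reject("header-block-too-large", stream_id)
        if self._continuations > self.max_continuation_frames:
            return self._reject("too-many-continuation-frames", stream_id)
        if flags & FLAG_END_HEADERS:
            self._reset()
            return "HEADERS_DONE"
        return "OK"


def inspect_connection(data: bytes, guard: ContinuationGuard = None):
    """Run every frame in `data` through the guard; stop at the first GOAWAY."""
    guard = guard or ContinuationGuard()
    verdict = "OK"
    for frame_type, flags, stream_id, length in parse_frames(data):
        verdict = guard.observe(frame_type, flags, stream_id, length)
        if verdict == "GOAWAY":
            break
    return verdict, guard.audit


# Constructed sample streams; HPACK payload content is irrelevant to the guard, so filler bytes are used.
BENIGN = (build_frame(TYPE_HEADERS, FLAG_END_HEADERS, 1, b"\x82\x84")
          + build_frame(TYPE_HEADERS, 0, 3, b"\x82")
          + build_frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 3, b"\x84"))
FLOOD = build_frame(TYPE_HEADERS, 0, 5, b"\x82") + b"".join(
    build_frame(TYPE_CONTINUATION, 0, 5, b"\x00" * 1024) for _ in range(40))

if __name__ == "__main__":
    print(inspect_connection(BENIGN))
    print(inspect_connection(FLOOD))
```

The guard is deliberately stateful per connection rather than per request: the whole point of the attack is that the request never materialises, so a per-request timeout or access-log-based alert never fires. Wiring the `audit` entries into the server's connection or error log is what makes the floods visible.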