WEEKLY TOP TEN: November 11, 2024, 16:00 GMT
- Veeam Backup Exploit Used by Frag Ransomware
Popular backup product Veeam has long been a target of ransomware groups. A deserialization vulnerability that can lead to remote code execution was discovered in September of this year, increasing the number of attacks targeting Veeam instances. Most recently, this exploit has been used by the Frag ransomware group.
- Hacked Police Emails Used to Send Fake Subpoenas and Steal Data
The FBI has warned that there has been an increase in cybercriminals using compromised police emails to send fake legal requests and subpoenas, fooling victims into sending sensitive information to the threat actors, which can be used for further crime or sold on hacker forums.
- Remcos RAT Variant Distributed in Malicious Excel Documents
GreyNoise researchers discovered an exploit attempt in April 2024 after their AI-powered threat detection tool spotted unusual activity in their honeypot network that did not match any known threats. This attack is not attributed to two CVE entries, CVE-2024-8956 and CVE-2024-8957; the former exploits the weak authentication problem in the camera's lighttpd web server, allowing unauthorized access to the CGI API. CVE-2024-8957 is caused by improper input sanitization in the ntp.addr field, allowing an attacker remote code execution.
- North Korean Hackers Use macOS Malware to Steal Crypto
North Korean threat actors such as the Lazarus group are infamous for stealing cryptocurrency, which funds the DPRK government. Recently a campaign targeting cryptocurrency-centric companies has been observed using customized macOS malware meant to steal large amounts of crypto.
- Palo Alto PAN-OS May be Vulnerable to RCE
Palo Alto has issued a warning to their customers, recommending that they verify that there has been no unauthorized access to their PAN-OS devices. They state that there is an unconfirmed possibility that the management interface is vulnerable to an RCE vulnerability. Management interfaces should not be externally facing, as exposure increases the possibility of compromise.
- Bitcoin Fog Founder Sentenced to 12 Years in Prison
Bitcoin Fog is a cryptocurrency mixer, a tool used to launder stolen crypto by mixing dirty coins with clean ones in a complex series of transactions, making it much more difficult for authorities to trace. The founder of Bitcoin Fog, a dual Russian and Swedish citizen, pleaded guilty to the US DoJ's charges of money laundering and was sentenced to 12 years in prison.
- FakeBat Loader Returns after Months of Inactivity
FakeBat is a popular loader malware, used to download and execute other malicious payloads such as ransomware, trojans or infostealers. After months with little to no activity, a new campaign has been discovered that spreads via malicious Google ads posing as the popular note-taking app Notion.
- Vulnerability in D-Link NAS Devices Will Not be Patched
A critical command injection vulnerability has been discovered in D-Link NAS devices, which have reached end-of-life. Due to the EOL status of these devices, D-Link has asserted that they will not patch this vulnerability, leaving over sixty thousand devices permanently vulnerable.
- iPhones Seized by Law Enforcement are Mysteriously Rebooting
Researchers from ACROS Security discovered a security flaw that allows attackers to capture NTLM authentication hashes from users and that affects all versions of Windows clients from Windows 7 to the current Windows 11 version. They discovered this vulnerability while writing a patch for a related vulnerability, tracked as CVE-2024-38030, intended for older Windows systems. This newly discovered vulnerability is the third flaw found related to Windows themes spoofing, another being CVE-2024-21320.
- Scattered Spider and BlackCat/ALPHV Return from the Shadows
Both BlackCat/ALPHV and Scattered Spider are notorious cybercrime groups: ALPHV was responsible for the massive breach of Change Healthcare, which took down medical systems across the United States, and Scattered Spider gained notoriety for their attack on Caesars Entertainment and MGM Resorts. Both groups went into a sort of stasis following their large attacks and have now resurfaced within the past few months.
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ original ones we determined to be most significant over the course of the week, ranked by highest risk and using multiple sources when available: