WEEKLY TOP TEN: December 30, 2024, 16:00 GMT
Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top ten stories were selected from the 40+ original ones as the most significant of the week, ranked by highest risk and drawing on multiple sources where available:

- Honey’s Deal-Hunting Browser Extension Is Accused of Ripping off Customers and YouTubers
Popular browser extension Honey, which was acquired by PayPal for 4 billion dollars, has been accused of malicious behavior. YouTuber MegaLag discovered that the extension injects its own affiliate codes into browser cookies, overwriting existing ones, a technique commonly used by malware to steal revenue. The massive acquisition price for a free browser extension raises questions about its true business model. MegaLag has already hinted at a part two, and a look at the extension’s source code raises additional red flags. This highlights the overall risk of the browser extension ecosystem: high ratings or millions of downloads do not indicate a safe extension.

- Cybersecurity Firm’s Chrome Extension Hijacked to Steal Users’ Data
Continuing with browser extensions, Cyberhaven, a cybersecurity firm, had its extension hijacked. Attackers compromised the Google account that published the extension and pushed a malicious version to the store. The malicious version’s capabilities include data exfiltration, cookie stealing, and persistence mechanisms. Four other browser extensions unrelated to Cyberhaven were hijacked in the same way. Users of these extensions are urged to rotate all passwords and invalidate their existing session cookies.

- Apache Warns of Critical Flaws in MINA, HugeGraph, Traffic Control
Apache has released security updates for three of its products: MINA, HugeGraph-Server, and Traffic Control. The MINA flaw received a severity score of 10, the highest possible. The vulnerability lies in the IoBuffer#getObject() method and is patched in versions 2.0.27, 2.1.10, and 2.2.4. Once patched, users also need to configure additional settings to secure their environment. HugeGraph-Server had an authentication bypass vulnerability (CVE-2024-43441) that was fixed in version 1.5.0. Due to insufficient input sanitization, Traffic Control suffered from SQL injection (CVE-2024-45387), fixed in version 8.0.2.

- New ‘OtterCookie’ Malware Used to Backdoor Devs in Fake Job Offers
A report from the Japanese security firm NTT reveals that North Korean threat actors are using a new malware, OtterCookie. The malware campaign, Contagious Interview, targets software developers. The malware is delivered by a loader that fetches JSON data and executes its cookie property as JavaScript code. Initial access is obtained when developers download malicious npm packages or clone code repositories hosted on GitHub or Bitbucket. OtterCookie can exfiltrate clipboard data, conduct reconnaissance, and steal information.

- Windows 11 Installation Media Bug Causes Security Update Failures
US authorities have unsealed charges against a dual Russian-Israeli national for his work on the infamous LockBit ransomware. The individual, Rostislav Panev, was arrested in Israel in August and is pending extradition to the US, where he will face trial on charges related to creating and distributing ransomware.

- New Botnet Exploits Vulnerabilities in NVRs, TP-Link Routers
Mirai botnet activity has been observed exploiting a remote code execution vulnerability affecting DigiEver DS-2105 Pro NVRs. The flaw was reported last year at the DefCamp security conference, and researchers from Akamai noticed that the Mirai attack pattern closely matches what was shown in that presentation. Akamai also states that the botnet uses XOR and ChaCha20 encryption, an evolution of its tactics, techniques, and procedures.

- Premium WPLMS WordPress Plugins Address Seven Critical Flaws
Security researchers at Patchstack have found 18 vulnerabilities in the premium WordPress theme WPLMS. These vulnerabilities include remote code execution, privilege escalation, arbitrary file upload, and SQL injection. Significantly, most of them carry a CVSS score of 8 or higher. Patchstack has worked with the theme developers to fix these issues, and users of WPLMS should be on version 1.9.9.5.3 or later.

- European Space Agency’s Official Store Hacked to Steal Payment Cards
Malicious JavaScript code was found in the official ESA (European Space Agency) online store, which has since suspended its storefront. Security researchers found that the attackers were exfiltrating payment information through a fake Stripe payment page. The fake page reused code from Stripe’s SDK, making it look fully authentic and leaving ordinary end users with no way of knowing the page was compromised.

- White House Links Ninth Telecom Breach to Chinese Hackers
White House officials have confirmed that the Chinese APT Salt Typhoon has breached a ninth U.S. telecommunications company. We reported on this campaign earlier in December; the new breach shows the APT is continuing its operation. Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technologies, made a statement criticizing the security posture of private-sector telecommunications companies.
While the White House has not named the most recently affected companies, Verizon and AT&T are known to be among them. CISA continues to urge government officials to use end-to-end encrypted applications for sensitive information.

- Adobe Warns of Critical ColdFusion Bug With PoC Exploit Code
Adobe has released an emergency patch for a critical vulnerability affecting ColdFusion 2021 and 2023. The vulnerability (CVE-2024-53961) is a path traversal flaw that allows attackers to read arbitrary files on vulnerable servers. Adobe issued the out-of-band security update because a proof of concept already exists. Administrators are urged to update within 72 hours.