WEEKLY TOP TEN: September 9, 2024, 16:00 GMT

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The following top 10 stories were selected from the 40+ stories we gathered during the week as the most significant, ranked by highest risk and drawing on multiple sources where available:

- Command Injection Vulnerability Discovered in Zyxel Routers
A new command injection vulnerability has been discovered, and subsequently patched, in Zyxel routers and access points. Using a specially crafted cookie, attackers can exploit it to run commands on the underlying operating system, which could lead to a full device takeover. The root cause is improper input handling.

- New Android Trojan Poses as Banking Applications
Google's Threat Analysis Group (TAG) discovered that the Russian-sponsored threat group APT29 (also known as Midnight Blizzard) conducted a series of attacks between November 2023 and July 2024. Their initial targets were multiple Mongolian government websites, compromised to mount a watering-hole attack: a malicious iframe exploited CVE-2023-41993 to steal iOS WebKit cookies. Later, they used one of the compromised sites to exploit CVE-2024-5274 and CVE-2024-4671 and steal sensitive information from Google Chrome on Android devices.

- Cicada Ransomware is a Possible Rebrand of the Infamous BlackCat/ALPHV Group
A new ransomware group, Cicada3301 (named after the famous internet puzzles), was discovered in June and is now speculated to be a rebrand of the infamous BlackCat ransomware group. Researchers have found similarities between the two malware strains in several tactics, such as their method of deleting shadow volume copies.

- Rage Stealer Rebranded to Angry Stealer
Rage Stealer is, as the name implies, an infostealer; it has now been rebranded as Angry Stealer and uses Telegram bots as a new exfiltration method. The infected device connects to the bot and sends all collected data to a private Telegram channel under the attacker's control. This evades typical exfiltration defenses by blending the traffic in with legitimate messaging.

- Eucleak Vulnerability Leaves YubiKeys Open to Cloning
Yubico's YubiKeys are popular MFA devices that allow second-factor codes to be stored on a separate hardware device. This matters for high-security applications, as a bad actor would need physical access to the key to breach an MFA-enabled account.
Recently, a vulnerability was discovered in the microcontroller used in the YubiKey 5 series that allows attackers to extract the cryptographic key that normally prevents these devices from being cloned. However, physical access to the device is still necessary to perform this attack.

- Revival Hijack Supply Chain Attack Used to Create Malicious PyPI Packages
PyPI is the Python Package Index, a repository of libraries that Python developers can use in their code. Researchers have discovered a new supply chain attack that can be used to publish malicious PyPI packages under the names of legitimate ones. It is possible because a package name is released when the project is removed and can then be re-registered by someone else; unlike typosquatting, developers do not need to make a spelling mistake for their machines to be infected.

- MacroPack Framework Used to Distribute Malware
MacroPack is a pentesting framework that generates a multitude of Windows-specific attack tools, such as malicious macro documents and Visual Basic scripts. This tool has now been observed being used by bad actors in the wild. The observed campaign uses malicious Office documents created with MacroPack to spread malware such as Havoc C2 and the PhantomCore RAT.

- DrayTek Vulnerability Added to CISA's KEV List
Two vulnerabilities in DrayTek VigorConnect, a remote management tool for DrayTek network equipment, have been added to the KEV, CISA's list of vulnerabilities known to be exploited by threat actors in the wild. Both were discovered and patched in 2021; their appearance on the KEV list indicates that they are still being exploited by bad actors. Any system administrators running DrayTek VigorConnect should ensure that all instances are up to date.

- China-Based APT Earth Lusca Utilizes New Multiplatform Malware
The Chinese threat actor group Earth Lusca has been observed using a new backdoor dubbed KTLVDoor to target governmental organizations. The backdoor is multiplatform, allowing a single payload to infect any device type. The payload masquerades as legitimate system utilities such as SSH and even EDR agents.

- LiteSpeed Cache WordPress Plugin Leaves Six Million Sites Vulnerable
LiteSpeed Cache is a plugin used on over six million WordPress sites to improve loading times and other performance metrics. A newly discovered vulnerability in the plugin can lead to unauthenticated account takeover. This is the third impactful vulnerability discovered in LiteSpeed Cache this year.
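The Zyxel item above describes the classic shape of a command injection: a value the client controls (here a cookie) is spliced into an operating-system command without validation. The following Python snippet is an added illustration written for this digest, not code from Zyxel or from the advisory; the cookie names, the session-store path and the token format are assumptions. It shows the vulnerable pattern next to the hardened one: a strict allowlist on the value plus an argument list instead of a shell string, so the value can never be interpreted as shell syntax.

```python
import re
import shlex

# Constructed sample Cookie headers; illustrative, not captured from any device.
BENIGN_COOKIE = "theme=dark; session=a1b2c3d4e5f6"
HOSTILE_COOKIE = "theme=dark; session=a1b2c3d4e5f6$(id)"

# Allowlist for a session token (assumed format): only characters a token can legitimately contain.
SESSION_TOKEN = re.compile(r"^[A-Za-z0-9]{8,64}$")
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n]")


def parse_cookie(header: str) -> dict:
    """Split a Cookie header into name/value pairs; values are kept verbatim."""
    pairs = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            name, value = part.split("=", 1)
            pairs[name.strip()] = value
    return pairs


def vulnerable_command(header: str) -> str:
    """The vulnerable pattern: the raw cookie value is spliced into a command string
    that would be handed to a shell. Any shell metacharacter in the value (';', '$(...)',
    '|') changes what the shell executes. The string is only built here, never run."""
    session = parse_cookie(header).get("session", "")
    return f"cat /var/run/sessions/{session}"


def has_shell_metachars(command: str) -> bool:
    """Cheap check a code reviewer or unit test can run on a built command string."""
    return SHELL_METACHARS.search(command) is not None


def hardened_argv(header: str) -> list:
    """The hardened form: validate the value against a strict allowlist first, then build
    an argument list for subprocess.run(argv) with no shell involved, so the value cannot
    be interpreted as shell syntax or escape the session directory."""
    session = parse_cookie(header).get("session", "")
    if not SESSION_TOKEN.fullmatch(session):
        raise ValueError("rejected session cookie: invalid characters or length")
    return ["cat", f"/var/run/sessions/{session}"]


if __name__ == "__main__":
    cmd = vulnerable_command(HOSTILE_COOKIE)
    print("vulnerable:", cmd, "-> shell metacharacters present:", has_shell_metachars(cmd))
    print("hardened  :", shlex.join(hardened_argv(BENIGN_COOKIE)))
    try:
        hardened_argv(HOSTILE_COOKIE)
    except ValueError as exc:
        print("hardened  :", exc)
```

The allowlist is the part that matters: rejecting the value before it reaches any command (and never using `shell=True` with untrusted input) is the fix, whereas trying to escape individual metacharacters is the approach that keeps producing bypasses.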
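Two of the items above name behaviours a SOC can look for directly: the Cicada3301/BlackCat item mentions shadow volume copy deletion, and the Angry Stealer item describes exfiltration through the Telegram Bot API. The Python below is an added example for this digest, not detection content from any of the cited researchers; the Sysmon-style event fields, the proxy log layout, the process names and the approved-client list are all constructed, and the bot token in the URL is a placeholder. It runs both detections over the embedded sample data.

```python
import re

# Constructed process-creation events (Sysmon-style fields), not real telemetry.
PROCESS_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Users\bob\AppData\Local\Temp\upd.exe"},
    {"host": "ws-02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "ws-03", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Windows\System32\cmd.exe"},
]

# Constructed proxy log: "<timestamp> <host> <process> <method> <url> <status>".
# The bot token in the URL is a placeholder, not a real token.
PROXY_LOG = """\
2024-09-06T10:01:02Z ws-01 chrome.exe CONNECT api.telegram.org:443 200
2024-09-06T10:01:05Z ws-01 svchost_update.exe POST https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/sendDocument 200
2024-09-06T10:02:11Z ws-02 corp-alerts.exe POST https://api.telegram.org/bot000000000:PLACEHOLDER_TOKEN/sendMessage 200
2024-09-06T10:03:40Z ws-04 outlook.exe GET https://outlook.office.com/mail/ 200
"""

# Processes the organisation has approved to use the Telegram Bot API (assumed allowlist).
APPROVED_BOT_CLIENTS = {"corp-alerts.exe"}

# Command lines that remove Volume Shadow Copies, the tactic the Cicada3301 item highlights.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)
# Telegram Bot API calls carry the bot token in the path: /bot<token>/<method>.
BOT_API = re.compile(r"https?://api\.telegram\.org/bot[^/\s]+/", re.IGNORECASE)


def detect_shadow_deletion(events):
    """Return (host, cmdline) for every process event that deletes shadow copies.
    Merely listing shadows is not flagged; only deletion is."""
    hits = []
    for ev in events:
        if SHADOW_DELETE.search(ev["cmdline"]):
            hits.append((ev["host"], ev["cmdline"]))
    return hits


def detect_bot_api_exfil(log_text, approved=APPROVED_BOT_CLIENTS):
    """Return (host, process, url) for Bot API requests from unapproved processes.
    A bare CONNECT to api.telegram.org (a browser opening Telegram Web, say) carries
    no bot path and is not flagged, which keeps ordinary messaging out of the alerts."""
    approved_lower = {p.lower() for p in approved}
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip malformed lines rather than crash on them
        _ts, host, process, _method, url, _status = fields
        if BOT_API.search(url) and process.lower() not in approved_lower:
            hits.append((host, process, url))
    return hits


if __name__ == "__main__":
    for host, cmd in detect_shadow_deletion(PROCESS_EVENTS):
        print(f"[shadow-copy deletion] {host}: {cmd}")
    for host, proc, url in detect_bot_api_exfil(PROXY_LOG):
        print(f"[telegram bot-api exfil] {host}: {proc} -> {url}")
```

The Bot API rule deliberately keys on the `/bot<token>/` path rather than on the hostname alone: blocking or alerting on every connection to api.telegram.org would drown the analyst in legitimate client traffic, which is exactly the cover the stealer relies on, while a Bot API call from a process nobody approved is rare enough to be worth a ticket.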
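For the revival hijack item, the defender-side control is to pin not just versions but artifact hashes, so a package re-registered under a familiar name fails verification even though its name and version look right (pip does this natively with `--require-hashes`). The Python below is an added example for this digest, not code from PyPI, pip or the researchers; the package names and the wheel contents are constructed stand-ins, and the hash for the "trusted" artifact is computed from those bytes at runtime so the script runs offline.

```python
import hashlib
import re

# Constructed package artifacts (stand-ins for downloaded wheels); not real packages.
TRUSTED_WHEEL = b"PK\x03\x04 examplepkg-1.2.0 trusted build contents"
REVIVED_WHEEL = b"PK\x03\x04 examplepkg-1.2.0 re-registered by someone else"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# A requirements file in pip's --hash syntax: one entry pinned to the trusted artifact's
# digest (generated here from the constructed bytes) and one pinned by version only.
REQUIREMENTS = f"""\
examplepkg==1.2.0 \\
    --hash=sha256:{sha256_hex(TRUSTED_WHEEL)}
otherpkg==0.9.1
"""

HASH_OPT = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")
NAME_VER = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s\\]+)")


def parse_requirements(text: str) -> dict:
    """Map package name -> set of pinned sha256 digests (empty set if unpinned).
    Joins pip's backslash line continuations before parsing."""
    joined = text.replace("\\\n", " ")
    pins = {}
    for line in joined.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = NAME_VER.match(line)
        if not m:
            continue
        pins[m.group(1).lower()] = {h.lower() for h in HASH_OPT.findall(line)}
    return pins


def verify_artifacts(requirements_text: str, artifacts: dict) -> dict:
    """For each downloaded artifact (name -> bytes) return 'ok', 'mismatch' or 'unpinned'.
    A package revived under the same name ships different bytes, so the pinned digest
    no longer matches even though name and version are identical."""
    pins = parse_requirements(requirements_text)
    result = {}
    for name, data in artifacts.items():
        expected = pins.get(name.lower(), set())
        if not expected:
            result[name] = "unpinned"
        elif sha256_hex(data) in expected:
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    return result


if __name__ == "__main__":
    print(verify_artifacts(REQUIREMENTS, {"examplepkg": TRUSTED_WHEEL, "otherpkg": b"any bytes"}))
    print(verify_artifacts(REQUIREMENTS, {"examplepkg": REVIVED_WHEEL}))
```

The "unpinned" status is reported on purpose: a requirements file where only some entries carry hashes gives a false sense of coverage, and the unpinned entries are exactly the ones a revived name can slip through.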
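The MacroPack item concerns malicious Office documents carrying VBA macros. In the OOXML container formats (.docx/.docm and friends) a macro project is stored as a `vbaProject.bin` part and declared in `[Content_Types].xml`, both of which a mail gateway or file-upload handler can inspect without opening the file in Office. The Python below is an added example for this digest, not code from the MacroPack project or from the researchers; it builds two minimal constructed containers in memory (one clean, one with a stub VBA part) and classifies them.

```python
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def build_office_doc(with_macro: bool) -> bytes:
    """Build a minimal OOXML container in memory. Constructed sample mimicking the
    parts a Word file carries; not a real document."""
    overrides = [
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    ]
    if with_macro:
        overrides.append(
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # OLE compound-file signature plus padding stands in for a real VBA project.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
    return buf.getvalue()


def inspect_office_doc(data: bytes) -> dict:
    """Report whether the bytes are a zip container, whether a vbaProject.bin part is
    present anywhere in it, and whether [Content_Types].xml declares a VBA part."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"is_ooxml": False, "has_vba_part": False, "declares_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
        declares_vba = False
        if "[Content_Types].xml" in names:
            declares_vba = VBA_CONTENT_TYPE in z.read("[Content_Types].xml").decode("utf-8", "replace")
    return {"is_ooxml": True, "has_vba_part": has_vba_part, "declares_vba": declares_vba}


def classify(filename: str, data: bytes) -> str:
    """Gateway policy: 'clean', 'macro', 'macro-extension-mismatch' (a macro-free
    extension that nevertheless carries a VBA part) or 'not-ooxml' (legacy .doc and
    other formats need a different parser, so they are reported rather than passed)."""
    info = inspect_office_doc(data)
    if not info["is_ooxml"]:
        return "not-ooxml"
    if not (info["has_vba_part"] or info["declares_vba"]):
        return "clean"
    if filename.lower().endswith(MACRO_FREE_EXTENSIONS):
        return "macro-extension-mismatch"
    return "macro"


if __name__ == "__main__":
    for name, blob in [("quote.docx", build_office_doc(False)),
                       ("quote.docm", build_office_doc(True)),
                       ("quote.docx", build_office_doc(True)),
                       ("quote.doc", b"not a zip container")]:
        print(f"{name}: {classify(name, blob)}")
```

The check looks at both the part name and the declared content type because either one alone can be absent or renamed; the "not-ooxml" result is returned explicitly so that legacy binary formats are not silently treated as clean.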