Nov 04, 2024The Hacker NewsWeekly Recap / Cybersecurity

This week was a total digital dumpster fire! Hackers were like, “Let’s cause some chaos!” and went after everything from our browsers to those fancy cameras that zoom and spin. (You know, the ones they use in spy movies? 🕵️‍♀️)

We’re talking password-stealing bots, sneaky extensions that spy on you, and even cloud-hacking ninjas! 🥷 It’s enough to make you want to chuck your phone in the ocean. (But don’t do that, you need it to read this newsletter!)

The good news? We’ve got the inside scoop on all the latest drama. Think of this newsletter as your cheat sheet for surviving the digital apocalypse. We’ll break down the biggest threats and give you the knowledge to outsmart those pesky hackers. Let’s go!

⚡ Threat of the Week

North Korean Hackers Deploy Play Ransomware: In what’s a sign of blurring boundaries between nation-state groups and cybercrime actors, it has emerged that the North Korean state-sponsored hacking crew called Andariel likely collaborated with the Play ransomware actors in a digital extortion attack that took place in September 2024. The initial compromise occurred in May 2024. The incident overlaps with an intrusion set that involved targeting three different organizations in the U.S. in August 2024 as part of a likely financially motivated attack.

Upgrade Your Cybersecurity Skills with SANS at CDI 2024 + Get a $1,950 Bonus!

Unlock top-tier cybersecurity training at SANS CDI 2024, December 13-18 in Washington, DC. With over 40 expert-led courses, you’ll gain practical skills and a $1,950 bonus, including extended lab access and a GIAC certification attempt when you train in-person! Offer ends November 11.

Boost Your Skills Now!

🔔 Top News

• Chinese Threat Actor Uses Quad7 Botnet for Password Spraying: A Chinese threat actor tracked by Microsoft as Storm-0940 is leveraging a botnet called Quad7 (aka CovertNetwork-1658) to orchestrate highly evasive password spray attacks. The attacks pave the way for the theft of credentials from multiple Microsoft customers, which are then used for infiltrating networks and conducting post-exploitation activities.
• Opera Fixed Bug That Could Have Exposed Sensitive Data: A fresh browser attack named CrossBarking has been disclosed in the Opera web browser that compromises private application programming interfaces (APIs) to allow unauthorized access to sensitive data. The attack works by using a malicious browser extension to run malicious code in the context of sites with access to those private APIs. These sites include Opera’s own sub-domains as well as third-party domains such as Instagram, VK, and Yandex.
• Evasive Panda Uses New Tool for Exfiltrating Cloud Data: The China-linked threat actor known as Evasive Panda infected a government entity and a religious organization in Taiwan with a new post-compromise toolset codenamed CloudScout that allows for stealing data from Google Drive, Gmail, and Outlook. The activity was detected between May 2022 and February 2023.
• Operation Magnus Disrupts RedLine and MetaStealer: A coordinated law enforcement operation led by the Dutch National Police led to the disruption of infrastructure associated with RedLine and MetaStealer malware. The effort led to the shut down of three servers in the Netherlands and the confiscation of two domains. In tandem, one unnamed individual has been arrested and a Russian named Maxim Rudometov has been charged for acting as one of RedLine Stealer’s developers and administrators.
• Windows Downgrade Allows for Kernel-Level Code Execution: New research has found that a tool that could be used to rollback an up-to-date Windows software to an older version could also be weaponized to revert a patch for a Driver Signature Enforcement (DSE) bypass and load unsigned kernel drivers, leading to arbitrary code execution at a privileged level. Microsoft said it’s developing a security update to mitigate this threat.

‎️‍🔥 Trending CVEs

CVE-2024-50550, CVE-2024-7474, CVE-2024-7475, CVE-2024-5982, CVE-2024-10386, CVE-2023-6943, CVE-2023-2060, CVE-2024-45274, CVE-2024-45275, CVE-2024-51774

📰 Around the Cyber World

• Security Flaws in PTZ Cameras: Threat actors are attempting to exploit two zero-day vulnerabilities in pan-tilt-zoom (PTZ) live streaming cameras used in industrial, healthcare, business conferences, government, religious places, and courtroom settings. Affected cameras use VHD PTZ camera firmware < 6.3.40, which is found in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on Hisilicon Hi3516A V600 SoC V60, V61, and V63. The vulnerabilities, tracked as CVE-2024-8956 and CVE-2024-8957, enable threat actors to crack passwords and execute arbitrary operating system commands, leading to device takeover. “An attacker could potentially seize full control of the camera, view and/or manipulate the video feeds, and gain unauthorized access to sensitive information,” GreyNoise said. “Devices could also be potentially enlisted into a botnet and used for denial-of-service attacks.” PTZOptics has issued firmware updates addressing these flaws.
• Multiple Vulnerabilities in OpenText NetIQ iManager: Nearly a dozen flaws have been disclosed in OpenText NetIQ iManager, an enterprise directory management tool, some of which could be chained together by an attacker to achieve pre-authentication remote code execution, or allow an adversary with valid credentials to escalate their privileges within the platform and ultimately achieve post-authenticated code execution. The shortcomings were addressed in version 3.2.6.0300 released in April 2024.
• Phish ‘n’ Ships Uses Fake Shops to Steal Credit Card Info: A “sprawling” fraud scheme dubbed Phish ‘n’ Ships has been found to drive traffic to a network of fake web shops by infecting legitimate websites with a malicious payload that’s responsible for creating bogus product listings and serving these pages in search engine results. Users who click on these phony product links are redirected to a rogue website under the attacker’s control, where they are asked to enter their credit card information to complete the purchase. The activity, ongoing since 2019, is said to have infected more than 1,000 websites and built 121 fake web stores in order to deceive consumers. “The threat actors used multiple well-known vulnerabilities to infect a wide variety of websites and stage fake product listings that rose to the top of search results,” HUMAN said. “The checkout process then runs through a different web store, which integrates with one of four payment processors to complete the checkout. And though the consumer’s money will move to the threat actor, the item will never arrive.” Phish ‘n’ Ships has some elements in common with BogusBazaar, another criminal e-commerce network that came to light earlier this year.
• Funnull Behind Scam Campaigns and Gambling Sites: Funnull, the Chinese company that acquired Polyfill[.]io JavaScript library earlier this year, has been linked to investment scams, fake trading apps, and suspect gambling networks. The malicious infrastructure cluster has been codenamed Triad Nexus. In July, the company was caught inserting malware into polyfill.js that redirected users to gambling websites. “Prior to the polyfill[.]io supply chain campaign, ACB Group – the parent company that owns Funnull’s CDN – had a public webpage at ‘acb[.]bet,’ which is currently offline,” Silent Push said. “ACB Group claims to own Funnull[.]io and several other sports and betting brands.”
• Security Flaws Fixed in AC charging controllers: Cybersecurity researchers have discovered multiple security shortcomings in the firmware of Phoenix Contact CHARX SEC-3100 AC charging controllers that could allow a remote unauthenticated attacker to reset the user-app account’s password to the default value, upload arbitrary script files, escalate privileges, and execute arbitrary code in the context of root. The

🔥 Resources, Guides & Insights

🎥 Expert Webinar

Learn LUCR-3’s Identity Exploitation Tactics and How to Stop Them — Join our exclusive webinar with Ian Ahl to uncover LUCR-3’s advanced identity-based attack tactics targeting cloud and SaaS environments.

Learn practical strategies to detect and prevent breaches, and protect your organization from these sophisticated threats. Don’t miss out—register now and strengthen your defenses.

🔧 Cybersecurity Tools

• SAIF Risk Assessment — Google introduces the SAIF Risk Assessment, an essential tool for cybersecurity professionals to enhance AI security practices. With tailored checklists for risks such as Data Poisoning and Prompt Injection, this tool translates complex frameworks into actionable insights and generates instant reports on vulnerabilities in your AI systems, helping you address issues like Model Source Tampering.
• CVEMap — A new user-friendly tool for navigating the complex world of Common Vulnerabilities and Exposures (CVE). This command-line interface (CLI) tool simplifies the process of exploring various vulnerability databases, allowing you to easily access and manage information about security vulnerabilities.

🔒 Tip of the Week

Essential Mobile Security Practices You Need — To ensure robust mobile security, prioritize using open-source apps that have been vetted by cybersecurity experts to mitigate hidden threats. Utilize network monitoring tools such as NetGuard or AFWall+ to create custom firewall rules that restrict which apps can access the internet, ensuring only trusted ones are connected. Audit app permissions with advanced permission manager tools that reveal both background and foreground access levels. Set up a DNS resolver like NextDNS or Quad9 to block malicious sites and phishing attempts before they reach your device. For secure browsing, use privacy-centric browsers like Firefox Focus or Brave, which block trackers and ads by default. Monitor device activity logs with tools like Syslog Viewer to identify unauthorized processes or potential data exfiltration. Employ secure app sandboxes, such as Island or Shelter, to isolate apps that require risky permissions. Opt for apps that have undergone independent security audits and use VPNs configured with WireGuard for low-latency, encrypted network connections. Regularly update your firmware to patch vulnerabilities and consider using a mobile OS with security-hardening features, such as GrapheneOS or LineageOS, to limit your attack surface and guard against common exploits.

Conclusion

And that’s a wrap on this week’s cyber-adventures! Crazy, right? But here’s a mind-blowing fact: Did you know that every 39 seconds, there’s a new cyberattack somewhere in the world? Stay sharp out there! And if you want to become a true cyber-ninja, check out our website for the latest hacker news. See you next week! 👋