An academic researcher has devised a new method of exfiltrating data from air-gapped systems using radio signals from memory buses.
September 9, 2024 By Ionut Arghire

An academic researcher has devised a new attack technique that relies on radio signals from memory buses to exfiltrate data from air-gapped systems.

According to Mordechai Guri from Ben-Gurion University of the Negev in Israel, malware can be used to encode sensitive data that can be captured from a distance using software-defined radio (SDR) hardware and an off-the-shelf antenna.

The attack, named RAMBO (PDF), allows attackers to exfiltrate encoded files, encryption keys, images, keystrokes, and biometric information at a rate of 1,000 bits per second. Tests were conducted over distances of up to 7 meters (23 feet).

>>Full Article<<
September 9, 2024 By Bill Toulas

Payment gateway provider Slim CD has disclosed a data breach that compromised credit card and personal data belonging to almost 1.7 million individuals.

In the notification sent to impacted clients, the company says that hackers had access to its network for nearly a year, between August 2023 and June 2024.

Slim CD is a provider of payment processing solutions that enables businesses to access electronic and card payments via web-based terminals, mobile, or desktop apps.

The firm first detected suspicious activity on its systems this year on June 15. During the investigation, the company discovered that hackers had gained access to its network since August 17, 2023. “The investigation identified unauthorized system access between August 17, 2023, and June 15, 2024,” reads the notification to impacted individuals.

>>Full Article<<
The 'security issue' was caused by a 9.8-rated Magento flaw Adobe patched back in June
September 6, 2024 By Jessica Lyons

Bad news for anyone who purchased a Cisco hoodie earlier this month: Suspected Russia-based attackers injected data-stealing JavaScript into the networking giant's online store selling Cisco-branded merch.

Cisco has since fixed the issue caused by a flaw in Adobe's Magento platform, which could have allowed crooks to steal shoppers' credit card details and other sensitive information at checkout.

"A Cisco-branded merchandise website that's hosted and administered by a third-party supplier was temporarily taken offline while a security issue was addressed," a Cisco spokesperson told The Register.

>>Full Article<<
September 6, 2024 By Jonathan Greig

Sensitive information belonging to nearly one million Wisconsin residents was breached during the cybercriminal campaign last year that targeted the popular MOVEit file transfer service.

The Centers for Medicare & Medicaid Services (CMS), the federal agency that manages the Medicare program, and the Wisconsin Physicians Service Insurance Corporation (WPS) said on Friday that they have begun notifying people whose personal information leaked after hackers exploited a vulnerability in the MOVEit software.

According to the release, 946,801 people are being sent notices explaining that their names, Social Security numbers, birthdays, addresses, Medicare account numbers, health insurance information and more were leaked.

CMS said it will send victims new Medicare cards in the coming weeks. After getting the new card, those affected were asked to destroy their old ones and inform their providers that they have a new Medicare number.

>>Full Articl
Optical Character Recognition converts passwords shown in images to machine-readable text.
Dan Goodin - 9/6/2024

Researchers have discovered more than 280 malicious apps for Android that use optical character recognition to steal cryptocurrency wallet credentials from infected devices.

The apps masquerade as official ones from banks, government services, TV streaming services, and utilities. In fact, they scour infected phones for text messages, contacts, and all stored images and surreptitiously send them to remote servers controlled by the app developers. The apps are available from malicious sites and are distributed in phishing messages sent to targets. There’s no indication that any of the apps were available through Google Play.

A high level of sophistication

The most notable thing about the newly discovered malware campaign is that the threat actors behind it are employing optical character recognition software in an attempt to extract cryptocurrency wallet credentials that are show
September 6, 2024 By Bill Toulas

A new Android malware named SpyAgent uses optical character recognition (OCR) technology to steal cryptocurrency wallet recovery phrases from screenshots stored on the mobile device.

A cryptocurrency recovery phrase, or seed phrase, is a series of 12-24 words that acts as a backup key for a cryptocurrency wallet. These phrases are used to restore access to your cryptocurrency wallet and all of its funds in the event you lose a device, data is corrupted, or you wish to transfer your wallet to a new device.

These secret phrases are highly sought after by threat actors, as if they can gain access to it, they can use it to restore your wallet on their own devices and steal all of the funds stored within it.

As recovery phrases are 12-24 words, they are hard to remember, so cryptocurrency wallets tell people to save or print the words and store them in a safe place. To make it easier, some people take a screenshot of the recovery phrase and save it as an image
September 6, 2024 By Jeffrey Burt

Hackers are abusing a legitimate tool used by organizations’ red teams to deliver malicious payloads, including a new variant of the remote access trojan (RAT) PhantomCore, which was created by a Ukrainian hacktivist group called Head Mare to run cyberespionage campaigns against government offices and businesses in Russia.

Red teams use the MacroPack payload generator framework in simulated cyberattacks to test the security of their organizations’ IT systems. However, threat actors also are using it for their nefarious operations, according to a researcher with Cisco’s Talos threat intelligence unit.

MacroPack was developed by French developer Emeric Nasi.

Talos detected several Microsoft Office documents that were uploaded to VirusTotal by multiple bad actors between May and July that were created by a version of MacroPack. The latest documents were uploaded from different sources from the United States, China, Russia, and Pakistan, among other countrie
Researchers and the TSA have different views on the impact of vulnerabilities in an airport security application that could allegedly allow the bypass of certain airport security systems.
September 6, 2024 By Eduard Kovacs

The cybersecurity agency CISA has issued a response following the disclosure of a controversial vulnerability in an application related to airport security systems.

In late August, researchers Ian Carroll and Sam Curry disclosed the details of an SQL injection vulnerability that could allegedly allow threat actors to bypass certain airport security systems. The security hole was discovered in FlyCASS, a third-party service for airlines participating in the Cockpit Access Security System (CASS) and Known Crewmember (KCM) programs.

>>Full Article<<
September 6, 2024 By Pierluigi Paganini

Recently fixed access control SonicOS vulnerability, tracked as CVE-2024-40766, is potentially exploited in attacks in the wild, SonicWall warns.

SonicWall warns that a recently fixed access control flaw, tracked as CVE-2024-40766 (CVSS v3 score: 9.3), in SonicOS is now potentially exploited in attacks.

“An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash.” reads SonicWall’s advisory.

“This issue affects SonicWall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions. This vulnerability is potentially being exploited in the wild. Please apply the patch as soon as possible for affected products. The latest patch builds are available for download on mysonicwall.com”

“This vulnerability is potentially being exploited in the wild. Please
September 6, 2024 By Sergiu Gatlan

American car rental giant Avis notified customers that unknown attackers breached one of its business applications last month and stole some of their personal information.

According to data breach notification letters sent to impacted customers on Wednesday and filed with California's Office of the Attorney General, the company took action to stop the unauthorized access, launched an investigation with the help of external cybersecurity experts, and reported the incident to relevant authorities after learning of the breach on August 5.

This investigation revealed that the attacker had access to its business application from August 3 until August 6, when the company evicted the malicious actor from its systems and blocked its access. On August 14, it also found that the attacker stole some customers' personal information, including their names and other undisclosed sensitive data.

>>Full Article<<
'Potential issue' in infrastructure of network monitoring tool results in lengthy, ongoing downtime
Thu 5 Sep 2024 // 16:35 UTC

Today's the day. Maybe. Kaseya's Traverse platform is scheduled to finally be up and running again after a lengthy period of "maintenance."

Traverse abruptly went down on August 23, and despite the company hoping to have things operational within a week, it has remained down for many customers. Kaseya has also been tight-lipped regarding what has happened, saying: "Our internal teams are making necessary updates to Traverse. These teams are working around the clock to complete these updates."

Users are understandably concerned about the lengthy outage, with some claiming to have received some distinctly ominous emails from the company, including the text: "We have nothing to indicate that your data has been compromised."

The Register asked Kaseya what was going on and was told by a spokesperson: "The Kaseya team identified a potential issue in a portion of our T
September 5, 2024 By Sergiu Gatlan

Apache has fixed a critical security vulnerability in its open-source OFBiz (Open For Business) software, which could allow attackers to execute arbitrary code on vulnerable Linux and Windows servers.

OFBiz is a suite of customer relationship management (CRM) and enterprise resource planning (ERP) business applications that can also be used as a Java-based web framework for developing web applications.

Tracked as CVE-2024-45195 and discovered by Rapid7 security researchers, this remote code execution flaw is caused by a forced browsing weakness that exposes restricted paths to unauthenticated direct request attacks.

"An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server," security researcher Ryan Emmons explained on Thursday in a report containing proof-of-concept exploit code.

The Apache security team patched the vulnerability in version 18.12.16 by adding autho
September 5, 2024 By Efosa Udinmwen

A new critical cybersecurity threat has been discovered by CYFIRMA Research, involving a severe remote code execution (RCE) vulnerability identified as CVE-2024-30078.

This flaw affects the Wi-Fi drivers in multiple versions of Microsoft Windows, posing a potential risk to over 1.6 billion active devices worldwide.

The vulnerability could allow malicious actors within the Wi-Fi range to execute unauthorized code on affected systems.

How the exploit works

CVE-2024-30078 affects multiple versions of the Microsoft Windows operating system, including Windows 10, Windows 11, and several versions of Windows Server. The flaw resides in the Dot11Translate80211ToEthernetNdisPacket() function within the native Wi-Fi driver (nwifi.sys).

The exploitation of CVE-2024-30078 has been reported in the wild in the United States, China, and parts of Europe. It poses significant risks to industries heavily reliant on Wi-Fi an