"CISA Issues Emergency Directive Requiring Federal Agencies to Mitigate Ivanti Connect Secure and Policy Secure Vulnerabilities"

The Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 24-01 in response to the widespread and active exploitation of vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure appliances. Ivanti recently released information about two vulnerabilities, tracked as CVE-2023-46805 and CVE-2024-21887, which enable an attacker to move laterally across a target network, exfiltrate data, and gain persistent system access.

Submitted by Gregory Rigby on

"Google: Russia's ColdRiver APT Unleashes Custom 'Spica' Malware"

The Russia-backed Advanced Persistent Threat (APT) group ColdRiver, also known as Blue Charlie, Callisto, Star Blizzard, or UNC4057, has unleashed custom malware called Spica. According to Google's Threat Analysis Group (TAG), Spica is the first custom malware developed and used by ColdRiver. ColdRiver typically targets Non-Governmental Organizations (NGOs), former intelligence and military officers, and NATO governments for cyber espionage.

Submitted by Gregory Rigby on

"VMware Confirms Critical vCenter Flaw Now Exploited in Attacks"

VMware has confirmed the active exploitation of a critical vCenter Server Remote Code Execution (RCE) vulnerability that was patched in October 2023. The vCenter Server management platform, used in VMware vSphere environments, helps administrators manage ESX and ESXi servers as well as Virtual Machines (VMs). The vulnerability, discovered by Trend Micro, stems from an out-of-bounds write flaw in vCenter's DCE/RPC protocol implementation.

Submitted by Gregory Rigby on

"US Gov Publishes Cybersecurity Guidance for Water and Wastewater Utilities"

The US government recently published new guidance aimed at helping organizations in the water and wastewater (WWS) sector improve their cyber resilience and incident response capabilities. Released in response to an increased interest by financially and politically motivated threat actors in the United States WWS sector, the guide outlines how water utility owners and operators can interact with federal partners to prepare for, mitigate, and respond to incidents.

Submitted by Adam Ekwall on

"Protect AI Finds Vulnerabilities in Open-Source AI and Machine Learning Tools"

Protect AI has released a new report highlighting vulnerabilities recently discovered in open-source Artificial Intelligence (AI) and Machine Learning (ML) tools by its bug bounty program. The first vulnerability posed a significant risk of server takeover and the loss of sensitive data. The MLflow tool, used for storing and tracking models, was discovered to contain a critical flaw in its code that could trick users into connecting to a malicious remote data source, thus allowing attackers to run commands on a victim's system.

Submitted by Gregory Rigby on

"New Docker Malware Steals CPU for Crypto and Drives Fake Website Traffic"

A novel campaign is targeting vulnerable Docker services, with threat actors deploying both the XMRig cryptocurrency miner and the 9Hits Viewer software as part of a multi-pronged monetization strategy. According to the cloud security company Cado, this is the first documented case of malware using the 9Hits application as a payload. The development further demonstrates that adversaries are constantly looking for new ways to profit from compromised hosts. This article continues to discuss findings regarding the novel campaign targeting vulnerable Docker services.

Submitted by Gregory Rigby on

"Poorly Secured PostgreSQL, MySQL Servers Targeted by Ransomware Bot"

Border0 researchers warn that users who expose poorly secured PostgreSQL and MySQL servers online risk having their databases wiped by a ransomware bot. The attackers request a small sum to return and not publish the data. However, those who pay will not recover their data because the bot takes a small portion of it before wiping it all. This article continues to discuss how the ransomware bot operates.

Submitted by Gregory Rigby on

"'Chaes' Infostealer Code Contains Hidden Threat Hunter Love Notes"

An analysis of Chaes version 4.1 reveals hidden ASCII art and a message to cybersecurity researchers, thanking them for their interest in the malware. The current Chaes campaign uses a Portuguese-language email regarding an important legal matter. If the user clicks the malicious link in the email, they are taken to a spoofed TotalAV website, where they are asked to enter their password to download a document. This article continues to discuss findings from the analysis of Chaes 4.1.

Submitted by Gregory Rigby on

"Have I Been Pwned Adds 71 Million Emails From Naz.API Stolen Account List"

Have I Been Pwned has added about 71 million email addresses associated with stolen accounts listed in the Naz.API data set to its data breach notification service. The Naz.API data set contains 1 billion credentials gathered from credential stuffing lists and data stolen by information-stealing malware. Credential stuffing lists are collections of username and password pairs stolen from past data breaches. They are used to compromise accounts on other websites.

Submitted by Gregory Rigby on

"Energy Department to Invest $30 Million in Clean Energy Cybersecurity Solutions"

The US Department of Energy (DoE) recently announced plans to invest $30 million in projects aimed at securing the clean energy infrastructure against cyber threats. Meant to support the research, development, and demonstration (RD&D) of innovative cybersecurity tools, the federal funding is provided as part of the Biden-Harris administration's efforts to improve the country's energy and national security.

Submitted by Adam Ekwall on