"Adobe Commerce Flaw Exploited to Compromise Thousands of Sites"
Sansec reports that multiple threat actors compromised over 4,000 online stores by exploiting a critical Adobe Commerce vulnerability named "CosmicSting." The vulnerability is an improper restriction of XML external entity (XXE) references. Adobe released a hotfix for the bug in July, warning of its exploitation in limited attacks, and the US Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) list.

Submitted by Gregory Rigby on

"Pig Butchering Trading Apps Found on Google Play, App Store"
Security researchers at Group-IB have discovered fake trading apps on Google Play and Apple's App Store that lure victims into "pig butchering" scams. After being reported, the apps were removed from the official Android and iOS stores, having accumulated several thousand downloads. Pig butchering is a scam in which a victim is led to believe they are earning high investment returns on a fake trading platform that displays fabricated information.

Submitted by Adam Ekwall on

"Litespeed Cache Plugin Flaw Allows XSS Attack, Update Now"
Security researchers at Patchstack discovered a new vulnerability in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated attackers to inject malicious code into websites. The flaw impacts the plugin’s CSS queue generation process and affects over six million active installations. The vulnerability, tracked as CVE-2024-47374, is an unauthenticated stored XSS issue that could lead to privilege escalation or data theft. The researchers noted that it exploits the plugin’s “Vary Group” functionality, which controls cache variations based on user roles.

Submitted by Adam Ekwall on

"Court Data Exposed by Vulnerabilities in Software Used by US Government: Researcher"

Cybersecurity researcher Jason Parker found that several e-filing and record management systems used by government organizations in the US were impacted by serious vulnerabilities, which exposed court records and other types of information. They were found in products used in Georgia, Florida, Ohio, Arizona, South Carolina, and other states. This article continues to discuss the vulnerabilities discovered in several e-filing and record management systems.

"Share of Women in UK Cyber Roles Now Just 17%"
According to security researchers at Socura, cybersecurity is now the fastest-growing IT role in the UK, but the share of women in such positions has fallen dramatically since 2021. The researchers claimed the number of security professionals has more than doubled, from 28,500 in Jan-Dec 2021 to 65,000 in March 2024. An increase of 128% makes it the fastest-growing of any IT-related profession over that period, followed by IT support (42%), IT trainers (33%), and IT business analysts, architects, and systems designers (33%).

Submitted by Adam Ekwall on

"CeranaKeeper Emerges as New Threat to Thai Government Networks"
Security researchers at ESET have recently identified a new China-aligned threat group named CeranaKeeper, which is targeting governmental institutions in Thailand. This group has been active since early 2022 and leverages an evolving toolset to exfiltrate sensitive data by abusing legitimate cloud services such as Dropbox, OneDrive, and GitHub. While some of CeranaKeeper's tools were previously attributed to the Mustang Panda group, the researchers' new analysis revealed technical differences, suggesting these are distinct entities.

Submitted by Adam Ekwall on

"Crypto-Doubling Scams Surge Following Presidential Debate"
Security researchers at Netcraft have warned of a new wave of investment scams attempting to cash in on public awareness of the presidential debate last month. The researchers found 24 such domains related to the debate, including 14 phishing sites using the word “debate” in their domain. Many of the websites exploit the image of Republican presidential nominee Donald Trump, tech entrepreneur and billionaire Elon Musk, or a blend of both. The researchers noted that criminals likely use these personas to add legitimacy to their crypto investment theme.

Submitted by Adam Ekwall on

CfP: 31st IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS 2025)
RTAS is a top-tier conference with a focus on systems with timing requirements. RTAS’25 welcomes papers describing applications, case studies, methodologies, tools, algorithms or operating systems, middleware or hardware innovations that contribute to the state of the art in the design, implementation, validation, verification, and evolution of systems with timing requirements.

Submitted by Amy Karns on

"Millions of Vehicles Could Be Hacked and Tracked Thanks to a Simple Website Bug"
Independent security researchers found a flaw in a web portal operated by the carmaker Kia that allowed them to track millions of cars, unlock doors, and start engines. The flaw discovered in the web portal enabled them to reassign control of most modern Kia vehicles' Internet-connected features, from the car owner's smartphone to their own phone or computer.

Submitted by Gregory Rigby on