The US cybersecurity agency CISA recently warned that a fresh critical-severity vulnerability in SolarWinds Web Help Desk has been exploited in attacks.  The bug is tracked as CVE-2024-28986 (CVSS score of 9.8) and is described as a Java deserialization remote code execution (RCE) issue that could allow attackers to run commands on the host machine.  This week, SolarWinds announced a hotfix addressing the vulnerability and noted that authentication is required for successful exploitation without mentioning its in-the-wild exploitation.

Researchers have discovered a sophisticated information stealer campaign that distributes "DanaBot" and "StealC" malware by impersonating legitimate brands. Russian-speaking cybercriminals, collectively codenamed "Tusk," are behind several sub-campaigns that exploit different platforms' reputation to trick users into downloading malware via fake websites and social media accounts. All of the sub-campaigns use Dropbox to host the initial downloader, which delivers additional malware samples to the victim's machine.

Palo Alto Networks found a threat actor extorting organizations after compromising their cloud environments using accidentally exposed environment variables. The researchers warn that the large-scale extortion campaign has targeted 110,000 domains using exposed .env files with sensitive data on unsecured web applications and misconfigured servers. These files enable organizations to define configuration variables for their web applications, often including hard-coded access keys for cloud services, Software-as-a-Service (SaaS) Application Programming Interface (API) keys, and more.

According to Radware, Distributed Denial-of-Service (DDoS) attacks increased by 265 percent in the first half of 2024 compared to the same period in 2023. From H2 2023 to H1 2024, application-layer Domain Name System (DNS) DDoS activity tripled, while locked network-layer DDoS attacks increased by 16 percent. The researchers cited rising global geopolitical tensions as a significant driver of this trend, with hacktivist groups claiming between 1,000 and 1,200 DDoS attacks monthly in the first half of 2024. This article continues to discuss key findings from Radware's DDoS threat review.

Cybercriminals are advertising a new macOS malware that they claim is capable of stealing a wide range of data from compromised systems.  The malware is called Banshee Stealer and is believed to have been developed by Russian threat actors.  The malware is advertised on cybercrime forums for $3,000 per month.  Researchers at Elastic Security Labs analyzed the new macOS malware.

Independent researcher Matt Burch presented findings on "financial" or "enterprise" ATMs used in banks and other large institutions at the DEF CON hacking conference. Burch highlighted six flaws in ATM-maker Diebold Nixdorf's widely used security solution, Vynamic Security Suite (VSS). The vulnerabilities, which the company says are now patched, could have enabled attackers to bypass an unpatched ATM's hard drive encryption and gain complete control of the machine.

Security experts urge Windows system administrators to patch a pre-auth Remote Code Execution (RCE) vulnerability in the Windows TCP/IP stack, warning that zero-click exploitation is highly likely. Not many technical details have been released on the vulnerability, tracked as CVE-2024-38063. However, Microsoft's documentation suggests that a worm-like attack is possible on the latest versions of its flagship operating system. According to Microsoft, an unauthenticated attacker could repeatedly send IPv6 packets, including specially crafted packets, to a Windows machine, allowing RCE.

Selections by dgoff

​Pub Crawl summarizes sets of publications that have been peer-reviewed and presented at Science of Security (SoS) conferences or referenced in current work. The topics are chosen for their usefulness for current researchers. Select the topic name to view the corresponding list of publications. Submissions and suggestions are welcome.

A new attack vector in GitHub Actions artifacts, called "ArtiPACKED," could be used to take over repositories and access organizations' cloud environments. According to Yaron Avita, a researcher at Palo Alto Networks' Unit 42, misconfigurations, together with security vulnerabilities, can result in artifacts leaking tokens, both of third-party cloud services and GitHub tokens. Malicious actors with access to these artifacts could compromise the services to which these secrets grant access. This article continues to discuss findings regarding the GitHub vulnerability ArtiPACKED.

Researchers at FortiGuard Labs have uncovered a sophisticated "ValleyRAT" malware campaign targeting Windows users in China. The threat actors behind the campaign seek to take over compromised machines. ValleyRAT primarily targets e-commerce, finance, sales, and management companies. The campaign involves the use of heavy shellcode to directly execute its components in memory, reducing its footprint. This article continues to discuss key findings regarding the new ValleyRAT campaign.