zCat
npub1zm7j...pnd6
zCat - Android App about Zcash, privacy and cybersecurity news aggregator
zCat 1 year ago
Critical Vulnerability Discovered in SailPoint IdentityIQ SailPoint this week warned that a critical-severity vulnerability in the identity and access management (IAM) platform IdentityIQ could allow attackers to access restricted files. SailPoint’s IdentityIQ IAM platform provides full lifecycle and compliance management capabilities covering provisioning, access requests, certifications, and segregation of duties. The critical issue, tracked as CVE-2024-10905, has a CVSS score of 10/10 and is described as an improper access control flaw. The bug is, essentially, a directory traversal flaw that affects all IdentityIQ versions up to patch levels 8.4p2, 8.3p5, and 8.2p8. See more: #cybersecurity #identityiq
zCat 1 year ago
U.S. org suffered four-month intrusion by Chinese hackers A large U.S. organization with significant presence in China has been reportedly breached by China-based threat actors who persisted on its networks from April to August 2024. According to Symantec’s threat researchers, the operation appeared to focus on intelligence gathering, involving multiple compromised machines and targeting Exchange Servers, likely for email and data exfiltration. The researchers did not explicitly name the breached U.S. organization but mentioned that the same entity was targeted by the China-based ‘Daggerfly’ threat group in 2023. See more BleepingComputer: The Hacker News: #cybersecurity #cyberattack #breach
zCat 1 year ago
I-O Data Confirms Zero-Day Attacks on Routers, Full Patches Pending Japanese device maker I-O Data this week confirmed zero-day exploitation of critical flaws in multiple routers and warned that full patches won’t be available for a few weeks. According to a warning from incident responders at JPCERT/CC, the most serious flaw opens the door for a remote attacker to disable the router’s firewall, execute commands, or alter configurations. “The developer states that attacks exploiting these vulnerabilities have been observed,” according to the JPCERT/CC alert. A separate bulletin from I-O Data documents three separate defects — CVE-2024-45841, CVE-2024-47133 and CVE-2024-52564 — and warns of additional information disclosure and command execution risks. See more: #cybersecurity #zeroday #iodata
zCat 1 year ago
Europol Shuts Down Manson Market Fraud Marketplace, Seizes 50 Servers Europol on Thursday announced the shutdown of a clearnet marketplace called Manson Market that facilitated online fraud on a large scale. The operation, led by German authorities, has resulted in the seizure of more than 50 servers associated with the service and the arrest of two suspects. More than 200 terabytes of digital evidence have been collected. In addition, over 80 data storage devices, cell phones, computers, as well as cash and crypto assets worth more than €63,000 ($66,500) have been confiscated. Manson Market ("manson-market[.]pw") is believed to have launched in 2022 as a way to peddle sensitive information that was illegally obtained from victims as part of phishing and vishing (voice phishing) schemes. See more: The Hacker News: BleepingComputer: #cybercrime #mansonmarket
zCat 1 year ago
Mitel MiCollab zero-day flaw gets proof-of-concept exploit Researchers have uncovered an arbitrary file read zero-day in the Mitel MiCollab collaboration platform, allowing attackers to access files on a server's filesystem. Mitel MiCollab is an enterprise collaboration platform that consolidates various communication tools into a single application, offering voice and video calling, messaging, presence information, audio conferencing, mobility support, and team collaboration functionalities. It's utilized by various organizations, including large corporations, small to medium-sized enterprises, and companies operating on a remote or hybrid workforce model. The latest vulnerability in the product was discovered by researchers at watchTowr, who reported it to the vendor in August; it remains unfixed after 90 days of disclosure and waiting for a patch. See more: BleepingComputer: The Hacker News: #cybersecurity #micollab #zeroday
zCat 1 year ago
Security Risks Persist in Open Source Ecosystem Significant security risks continue to be prevalent in open source software practices, a new report by the Linux Foundation, OpenSSF and Harvard University has found. The CENSUS III project was based on 12 million observations of free and open source software (FOSS) libraries used in production apps at over 10,000 companies. It highlighted a number of concerning cybersecurity practices relating to open source software, which is widely used across all industries. The project aims to provide a clearer picture of the structural issues that threaten the FOSS ecosystem.
- Ongoing Reliance on Outdated Python 2 Language
- Lack of Standardized Naming for Software Components
- Open Source Security Dependent on Handful of Contributors
- Heavy Reliance on Individual Developer Accounts
- Legacy Software Remains Prevalent
See more: #opensource #cybersecurity
zCat 1 year ago
Pegasus Spyware Infections Proliferate Across iOS, Android Devices Researchers have discovered seven new Pegasus spyware infections targeting journalists, government officials, and corporate executives that started several years ago and span both iPhone and Android devices, demonstrating that the range of the notorious spyware may be even greater than once thought. Researchers from iVerify discovered multiple devices compromised by Israeli company NSO Group's spyware via attacks initiated between 2021 and 2023 that affect Apple iPhone iOS versions 14, 15, and 16.6, as well as Android, they revealed in a blog post published on Dec. 4. The infections were discovered in May during a threat-hunting scan of 3,500 devices from iVerify users who opted in to the checks. Specifically, the investigation uncovered multiple Pegasus variants in five unique malware types across iOS and Android. The researchers detected forensic artifacts in diagnostic data, shutdown logs, and crash logs found on the devices. See more: #cybersecurity #pegasus #spyware
zCat 1 year ago
Europol Dismantles Criminal Messaging Service MATRIX in Major Global Takedown Europol on Tuesday announced the takedown of an invite-only encrypted messaging service called MATRIX that's created by criminals for criminal purposes. The joint operation, conducted by French and Dutch authorities under the moniker Passionflower, comes in the aftermath of an investigation that was launched in 2021 after the messaging service was discovered on the phone of a criminal convicted for the murder of the Dutch journalist Peter R. de Vries. This allowed authorities to intercept messages being sent via the service for a period of three months, amassing a total of more than 2.3 million messages in 33 languages. The messages, Europol said, are associated with serious crimes such as international drug trafficking, arms trafficking, and money laundering. It's worth noting at this stage that MATRIX is different from the open-source, decentralized messaging app of the same name ("matrix[.]org"). Also known by other names such as Mactrix, Totalsec, X-quantum, and Q-safe, it had at least 8,000 user accounts globally, who paid anywhere between $1,360 and $1,700 in cryptocurrency for a Google Pixel phone and a six-month subscription to the service installed on it. See more: #cybersecurity #matrix
zCat 1 year ago
How to Plan a New (and Improved!) Password Policy for Real-World Security Challenges Many organizations struggle with password policies that look strong on paper but fail in practice because they're too rigid to follow, too vague to enforce, or disconnected from real security needs. Password policy must be strict enough to protect your systems, flexible enough for daily work, and precise enough to be enforced consistently. Let's explore five strategies for building a password policy that works in the real world.
1. Build compliant password practices
2. Review your existing password obligations
3. Create a policy based on real data
4. Put some muscle in your password policy
5. Create password standards that stick
See more: #cybersecurity #password #passwordpolicy
zCat 1 year ago
Russian hackers hijack Pakistani hackers' servers for their own attacks The notorious Russian cyber-espionage group Turla is hacking other hackers, hijacking the Pakistani threat actor Storm-0156's infrastructure to launch their own covert attacks on already compromised networks. Using this tactic, Turla (aka "Secret Blizzard") accessed networks Storm-0156 had previously breached, like in Afghan and Indian government organizations, and deployed their malware tools. According to a report from Lumen's Black Lotus Labs, which tracked this campaign since January 2023 with the help of Microsoft's Threat Intelligence Team, the Turla operation has been underway since December 2022. Turla (aka Secret Blizzard) is a Russian state-sponsored hacking group linked to Center 16 of Russia's Federal Security Service (FSB), the unit responsible for the interception, decoding, and collection of data from foreign targets. See more: #cybersecurity #turla #espionage
zCat 1 year ago
New DroidBot Android malware targets 77 banking, crypto apps A new Android banking malware named 'DroidBot' attempts to steal credentials for over 77 cryptocurrency exchanges and banking apps in the UK, Italy, France, Spain, and Portugal. According to Cleafy researchers who discovered the new Android malware, DroidBot has been active since June 2024 and operates as a malware-as-a-service (MaaS) platform, selling the tool for $3,000/month. At least 17 affiliate groups have been identified using malware builders to customize their payloads for specific targets. DroidBot's developers, who appear to be Turkish, provide affiliates with all the tools required to conduct attacks. This includes the malware builder, command and control (C2) servers, and a central administration panel from which they can control their operations, retrieve stolen data, and issue commands. See more: #cybersecurity #android #malware
zCat 1 year ago
Android’s December 2024 Security Update Patches 14 Vulnerabilities Google on Tuesday announced patches for 14 high-severity vulnerabilities as part of Android’s December 2024 security update, including a remote code execution flaw in the System component. The first part of the update, which arrives on devices as the 2024-12-01 security patch level, resolves six security defects in the Framework and System components, five of which could allow attackers to elevate privileges. According to Google’s advisory, however, the sixth of these bugs, which is tracked as CVE-2024-43767 and impacts System, is the most severe issue, as it could lead to remote code execution (RCE) with no additional execution privileges needed. Fixes for these defects were included in updated Android 12, 12L, 13, 14, and 15 versions and the source code for these patches has been released to the Android Open Source Project (AOSP) repository. See more: #cybersecurity #android
zCat 1 year ago
CISA Warns of Zyxel Firewall Vulnerability Exploited in Attacks The US cybersecurity agency CISA on Tuesday warned that a path traversal vulnerability in multiple Zyxel firewall appliances has been exploited in the wild. The issue, tracked as CVE-2024-11667 (CVSS score of 7.5), is a high-severity flaw affecting the web management interface of Zyxel ATP, USG FLEX, and USG20(W)-VPN series devices. Successful exploitation of the security defect could allow an attacker to download or upload files using crafted URLs, a NIST advisory reads. “An attacker may gain unauthorized access to the system, steal credentials, and create backdoor VPN connections by exploiting the vulnerability,” Qualys warned on Tuesday. See more: #cybersecurity #zyxel #exploit
zCat 1 year ago
Researchers Uncover Backdoor in Solana's Popular Web3[.]js npm Library Cybersecurity researchers are alerting to a software supply chain attack targeting the popular @solana/web3[.]js npm library that involved pushing two malicious versions capable of harvesting users' private keys with an aim to drain their cryptocurrency wallets. The attack has been detected in versions 1.95.6 and 1.95.7. Both these versions are no longer available for download from the npm registry. The package is widely used, attracting over 400,000 weekly downloads. "These compromised versions contain injected malicious code that is designed to steal private keys from unsuspecting developers and users, potentially enabling attackers to drain cryptocurrency wallets," Socket said in a report. @solana/web3[.]js is an npm package that can be used to interact with the Solana JavaScript software development kit (SDK) for building Node[.]js and web apps. See more: The Hacker News: SecurityWeek: BleepingComputer: #cybersecurity #solana #malware #c2
zCat 1 year ago
Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access A critical security vulnerability has been disclosed in SailPoint's IdentityIQ identity and access management (IAM) software that allows unauthorized access to content stored within the application directory. The flaw, tracked as CVE-2024-10905, has a CVSS score of 10.0, indicating maximum severity. It affects IdentityIQ versions 8.2, 8.3, 8.4, and other previous versions. IdentityIQ "allows HTTP access to static content in the IdentityIQ application directory that should be protected," according to a description of the flaw on NIST's National Vulnerability Database (NVD). See more: #cybersecurity #identityq
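The path-traversal and protected-content items in this feed (Zyxel's web management interface, Mitel MiCollab's arbitrary file read, and both SailPoint IdentityIQ posts) come down to the same two server-side checks on a static-file handler. The resolver below is an added illustration written for this page; it is not code from SailPoint, Zyxel, Mitel or any of the reporters, and it says nothing about how those products actually fail. It decodes the URL once, canonicalises the joined path, confirms the real target is still under the document root, and then denies protected subtrees that live inside the root. The docroot, the `WEB-INF`/`META-INF`/`config` denylist and the request paths are all constructed for the example.

```python
"""Hardened static-file path resolution (added illustration; not the code of
any vendor named in the feed). Two checks: containment under the docroot,
then a denylist of protected subtrees that sit inside the docroot."""
from pathlib import Path
from urllib.parse import unquote
import tempfile

# Subtrees that must never be served over HTTP even though they live inside
# the docroot. Constructed denylist for the example.
PROTECTED_PREFIXES = frozenset({"WEB-INF", "META-INF", "config"})


class AccessDenied(Exception):
    def __init__(self, reason: str, request_path: str) -> None:
        super().__init__(f"{reason}: {request_path!r}")
        self.reason = reason


def resolve_static_path(docroot: str, request_path: str) -> Path:
    """Map a URL path onto a file under docroot, or raise AccessDenied.

    The URL is percent-decoded exactly once (the filesystem never decodes
    again, so '..%2f' either becomes a real '../' here or stays a literal
    filename), leading slashes are stripped so an absolute path cannot
    escape the join, and the joined path is canonicalised (symlinks and
    '..' collapsed) before the containment check, so the decision is made
    on the real target rather than on the string the client sent.
    """
    root = Path(docroot).resolve()
    decoded = unquote(request_path)
    if "\x00" in decoded:  # null bytes truncate names in C-based stacks
        raise AccessDenied("null_byte", request_path)
    relative = decoded.lstrip("/")
    candidate = (root / relative).resolve()
    try:
        rel = candidate.relative_to(root)
    except ValueError:
        raise AccessDenied("outside_root", request_path) from None
    if rel.parts and rel.parts[0] in PROTECTED_PREFIXES:
        raise AccessDenied("protected", request_path)
    return candidate


def classify(docroot: str, request_path: str) -> str:
    """'allow' or the denial reason; handy for tests and access logs."""
    try:
        resolve_static_path(docroot, request_path)
        return "allow"
    except AccessDenied as exc:
        return exc.reason


def run_demo() -> dict:
    """Exercise the resolver against a constructed docroot holding one public
    file and one protected directory; returns {request_path: decision}."""
    root = tempfile.mkdtemp(prefix="docroot-")
    (Path(root) / "WEB-INF").mkdir()
    (Path(root) / "index.html").write_text("<html></html>")
    requests = [
        "/index.html",                 # public file inside the root
        "/../../etc/passwd",           # literal '..' traversal
        "/..%2f..%2fetc/passwd",       # percent-encoded separators
        "/WEB-INF/web.xml",            # protected subtree, direct
        "/static/../WEB-INF/web.xml",  # protected subtree reached via '..'
        "/index.html%00.png",          # embedded null byte
    ]
    return {r: classify(root, r) for r in requests}


if __name__ == "__main__":
    for request, decision in run_demo().items():
        print(f"{decision:>12}  {request}")
```

The order of the checks matters: canonicalise first, then test containment on the resolved path, then apply the denylist to the path relative to the root. Applying a denylist to the raw request string would miss `/static/../WEB-INF/web.xml`, which is why the last case in the demo is there.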
zCat 1 year ago
With Threats to Encryption Looming, Signal’s Meredith Whittaker Says ‘We’re Not Changing’ At WIRED’s The Big Interview event, the president of the Signal Foundation talked about secure communications as critical infrastructure and the need for a new funding paradigm for tech. The secure messaging app Signal is famous for knowing as little about its users as possible. The app isn’t hoarding metadata, tracking you, or showing you ads—in other words, it’s not monetizing user data. Instead, the Signal Foundation is a nonprofit. Its president, Meredith Whittaker, sees a massive shift underway and an “invitation for action” as the monoliths of Big Tech lose popularity and the old economics of Silicon Valley become brittle. See more: #signal #privacy
zCat 1 year ago
Veeam warns of critical RCE bug in Service Provider Console Veeam released security updates today to address two Service Provider Console (VSPC) vulnerabilities, including a critical remote code execution (RCE) discovered during internal testing. VSPC, described by the company as a remote-managed BaaS (Backend as a Service) and DRaaS (Disaster Recovery as a Service) platform, is used by service providers to monitor the health and security of customer backups, as well as manage their Veeam-protected virtual, Microsoft 365, and public cloud workloads. The first security flaw fixed today (tracked as CVE-2024-42448 and rated with a 9.9/10 severity score) enables attackers to execute arbitrary code on unpatched servers from the VSPC management agent machine. Veeam also patched a high-severity vulnerability (CVE-2024-42449) that can let attackers steal the NTLM hash of the VSPC server service account and use the gained access to delete files on the VSPC server. See more: BleepingComputer: The Hacker News: #cybersecurity #rce #veeam
zCat 1 year ago
Hackers Use Corrupted ZIPs and Office Docs to Evade Antivirus and Email Defenses: Cybersecurity researchers have called attention to a novel phishing campaign that leverages corrupted Microsoft Office documents and ZIP archives as a way to bypass email defenses. "The ongoing attack evades #antivirus software, prevents uploads to sandboxes, and bypasses Outlook's spam filters, allowing the malicious emails to reach your inbox," ANY[.]RUN said in a series of posts on X. The malicious activity entails sending emails containing ZIP archives or Office attachments that are intentionally corrupted in such a way that they cannot be scanned by security tools. These messages aim to trick users into opening the attachments with false promises of employee benefits and bonuses. In other words, the corrupted state of the files means that they are not flagged as suspicious or malicious by email filters and antivirus software. However, the attack still works because it takes advantage of the built-in recovery mechanisms of programs like Word, Outlook, and WinRAR to relaunch such damaged files in recovery mode. See more: #cybersecurity #malware
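The post above describes a gap in scanner logic rather than a parser bug: an attachment that fails to parse is treated as "nothing to inspect" and passed through, while Word and WinRAR will happily rebuild it. The example below is added here for illustration and is not ANY.RUN's tooling or anyone else's; it shows the defensive policy a mail gateway wants (quarantine anything that carries a ZIP signature but will not parse) and, for the analyst, recovers the entry names from the local file headers in the same way a recovery-mode open does, so a damaged attachment that still contains `word/document.xml` can be recognised as a broken Office document. The sample archive, its contents and the way it is corrupted (cutting it just before the central directory) are constructed for the example.

```python
"""Classify intentionally corrupted ZIP/Office attachments (added example;
not the tooling of any company named in the feed). Office documents are
ZIPs, so the same logic covers .docx/.xlsx as plain .zip files."""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
CENTRAL_HEADER_SIG = b"PK\x01\x02"
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"   # 30-byte fixed part of a local file header


def classify_attachment(data: bytes) -> str:
    """'clean' if the archive parses and every entry passes its CRC,
    'corrupt_zip' if it looks like a ZIP but cannot be parsed or fails a CRC
    (quarantine, never pass-through), 'not_zip' for everything else."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:
                return "corrupt_zip"
        return "clean"
    except zipfile.BadZipFile:
        return "corrupt_zip" if data.startswith(LOCAL_HEADER_SIG) else "not_zip"


def salvage_entry_names(data: bytes) -> list:
    """Walk the local file headers directly, ignoring the central directory
    (which is what a damaged archive is usually missing), and return the
    entry names a recovery-mode open would still find."""
    names = []
    pos = data.find(LOCAL_HEADER_SIG)
    while pos != -1 and pos + 30 <= len(data):
        (_, _, flags, _, _, _, _, csize, _, fnlen, extralen) = struct.unpack_from(
            LOCAL_HEADER_FMT, data, pos
        )
        names.append(data[pos + 30 : pos + 30 + fnlen].decode("utf-8", "replace"))
        if flags & 0x08:
            # Sizes live in a trailing data descriptor; just scan forward.
            pos = data.find(LOCAL_HEADER_SIG, pos + 4)
        else:
            pos = data.find(LOCAL_HEADER_SIG, pos + 30 + fnlen + extralen + csize)
    return names


def build_sample_docx() -> bytes:
    """Constructed stand-in for a .docx: a ZIP with the two entries every
    Word file carries (the XML bodies are placeholders)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def corrupt_archive(data: bytes) -> bytes:
    """Cut the archive just before its central directory, leaving the local
    entries intact: strict parsers reject it, recovery modes rebuild it."""
    cut = data.find(CENTRAL_HEADER_SIG)
    return data[:cut] if cut != -1 else data


if __name__ == "__main__":
    good = build_sample_docx()
    bad = corrupt_archive(good)
    print("intact   :", classify_attachment(good), salvage_entry_names(good))
    print("damaged  :", classify_attachment(bad), salvage_entry_names(bad))
    print("plaintext:", classify_attachment(b"not an archive"))
```

The point of `classify_attachment` is that the parse failure itself is the verdict: a gateway that returns "unscannable, allow" for the damaged case is the behaviour the campaign relies on. `salvage_entry_names` exists so the quarantined item can still be triaged without a full recovery-mode open.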
zCat 1 year ago
New EU Regulation Establishes European ‘Cybersecurity Shield’ The Council of the European Union on Monday announced the adoption of two new laws meant to improve the overall cybersecurity across the EU. The two new laws in the cybersecurity package establish a cybersecurity shield that calls for member states to cooperate in detecting and responding to cyberattacks, and amend the EU’s Cybersecurity Act (CSA) of 2019 to ensure adequate security standards for managed security services. The first legislative act (PDF) establishes a European Cybersecurity Alert System, a pan-European network of cyberhubs that creates “coordinated detection and situational awareness capabilities, reinforcing the Union’s threat detection and information-sharing capabilities”. See more: #cybersecurity #eu
zCat 1 year ago
Cloudflare’s developer domains increasingly abused by threat actors Cloudflare's 'pages.dev' and 'workers.dev' domains, used for deploying web pages and facilitating serverless computing, are being increasingly abused by cybercriminals for phishing and other malicious activities. According to cybersecurity firm Fortra, the abuse of these domains has risen between 100% and 250% compared to 2023. The researchers believe the use of these domains is aimed at improving the legitimacy and effectiveness of these malicious campaigns, taking advantage of Cloudflare's trusted branding, service reliability, low usage costs, and reverse proxying options that complicate detection. Cloudflare Pages is a platform designed for front-end developers to build, deploy, and host fast, scalable websites directly on Cloudflare's global Content Delivery Network (CDN). See more: #cybersecurity #phishing #cloudflare