
Cyware Daily Threat Intelligence


Daily Threat Briefing April 18, 2023

Several critical sandbox escape disclosures have surfaced in the past two weeks, each allowing attackers to execute malicious code beyond the limits of the sandboxed environment. Most recently, a security researcher published a PoC exploit for a bug that enables code execution on the host from inside the VM2 JavaScript sandbox. Meanwhile, Android users in Poland and Australia face ‘Chameleon,’ an Android malware that mimics banking and crypto wallet apps. Since the beginning of 2023 it has been seen disguised behind the icons of other software, such as ChatGPT, Google Chrome, and Bitcoin, to infect Android users.

Also, beware of fake Chrome updates. In this campaign, threat actors push bogus Google Chrome updates to visitors of already infected sites, which can be news websites, adult portals, or other vulnerable websites.

Top Breaches Reported in the Last 24 Hours

Hundred Finance suffers $7 million hack

Multi-chain lending protocol Hundred Finance disclosed on Twitter that it lost $7.4 million in a security breach on the Optimism layer-2 scaling network. According to blockchain security firm Peckshield, the protocol's lending pools were drained by a hacker who inflated the exchange rate of hWBTC by donating 200 WBTC to the market.
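To make the exchange-rate mechanism concrete, here is an added example (written for this briefing, not Hundred Finance's code) of a generic Compound-style lending market: the exchange rate is the underlying held by the market divided by the tokens outstanding, so a donation that adds cash without minting inflates it, and once total supply is dust the effect is extreme. The walkthrough is the textbook empty-market pattern with constructed numbers, not a reconstruction of the actual transaction; the `Market`, `GuardedMarket` and helper names are all assumed for illustration.

```python
# Added example for this briefing: a generic model of a Compound-style lending
# market (hToken/cToken). It is not Hundred Finance's code, and the walkthrough
# is the textbook empty-market pattern with constructed numbers, not a
# reconstruction of the actual transaction.
from dataclasses import dataclass

MANTISSA = 10**18        # fixed-point scale Compound forks use for exchange rates
WBTC = 10**8             # WBTC has 8 decimals, so 1 WBTC = 10**8 base units


@dataclass
class Market:
    cash: int = 0                    # underlying held by the market contract
    borrows: int = 0
    reserves: int = 0
    total_supply: int = 0            # hTokens outstanding (also 8 decimals)
    initial_rate: int = 2 * 10**16   # 0.02 underlying per hToken, scaled

    def exchange_rate(self) -> int:
        """Underlying per hToken, scaled by MANTISSA.

        The denominator is the weak spot: once total_supply is dust, any cash
        that arrives without minting (a donation) makes the rate explode.
        """
        if self.total_supply == 0:
            return self.initial_rate
        return (self.cash + self.borrows - self.reserves) * MANTISSA // self.total_supply

    def mint(self, amount: int) -> int:
        tokens = amount * MANTISSA // self.exchange_rate()
        self.cash += amount
        self.total_supply += tokens
        return tokens

    def redeem_tokens(self, tokens: int) -> int:
        amount = tokens * self.exchange_rate() // MANTISSA
        self.total_supply -= tokens
        self.cash -= amount
        return amount

    def redeem_underlying(self, amount: int) -> int:
        # Integer division truncates exactly as in Solidity: if `amount` is
        # below one hToken's worth, zero tokens are burned for real cash.
        tokens = amount * MANTISSA // self.exchange_rate()
        self.total_supply -= tokens
        self.cash -= amount
        return tokens

    def donate(self, amount: int) -> None:
        # A plain ERC-20 transfer to the market: cash rises, nothing is minted.
        self.cash += amount


def collateral_value(tokens: int, m: Market) -> int:
    """Underlying value a comptroller would credit for `tokens` hTokens."""
    return tokens * m.exchange_rate() // MANTISSA


def empty_market_walkthrough(m=None) -> dict:
    m = m or Market()
    minted = m.mint(1 * WBTC)            # first depositor into an empty market
    m.redeem_tokens(minted - 2)          # leave 2 dust hTokens as the whole supply
    rate_before = m.exchange_rate()
    m.donate(200 * WBTC)                 # the donation named in the briefing
    rate_after = m.exchange_rate()
    credited = collateral_value(2, m)    # 2 dust tokens now back ~200 WBTC
    burned = m.redeem_underlying(100 * WBTC)  # pull half the donation back out
    return {
        "rate_before": rate_before,
        "rate_after": rate_after,
        "credited": credited,
        "burned": burned,                # 0: truncation burned nothing
        "credited_after": collateral_value(2, m),
    }


class GuardedMarket(Market):
    """Same market with the two guards that make the walkthrough fail.

    MIN_SUPPLY mirrors the 'locked initial liquidity' idea: supply can never
    shrink to dust. Rejecting zero-token redeems closes the rounding leak.
    """
    MIN_SUPPLY = 1 * 10**8   # never let fewer than 1.0 hToken remain

    def redeem_tokens(self, tokens: int) -> int:
        if self.total_supply - tokens < self.MIN_SUPPLY:
            raise ValueError("redeem would leave dust supply")
        return super().redeem_tokens(tokens)

    def redeem_underlying(self, amount: int) -> int:
        if amount * MANTISSA // self.exchange_rate() == 0:
            raise ValueError("amount rounds to zero hTokens")
        return super().redeem_underlying(amount)


def guarded_walkthrough() -> str:
    try:
        empty_market_walkthrough(GuardedMarket())
    except ValueError as err:
        return str(err)
    return "no guard fired"
```

In the unguarded run the two dust tokens are credited with about 200 WBTC of collateral after the donation, and redeeming 100 WBTC of underlying burns zero tokens, so the credited collateral only halves while the attacker's cash comes back. A comptroller that allowed a borrow against that collateral in between is where a pool gets drained. The guarded variant refuses the very first step, which is the check to look for in any fork that lets a market be emptied and refilled.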

Attack on U.S. network infrastructure giant

The notorious Vice Society ransomware group leaked data it allegedly stole from North Carolina-based network infrastructure provider CommScope. According to the group, the trove contains sensitive employee data, such as employee passports, as well as invoices, bank documents, and company files. A spokesperson for the firm stated that customer information was not affected.

U.K. firm discloses breach

Photo editing software provider Affinity revealed that a forum administrator's account was compromised in a cyberattack and that the attacker may have accessed personal data such as usernames, reputation, join dates, post counts, email addresses, IP addresses, and more. Serif, the owner of Affinity, said user passwords were not exposed.

Capita data up for sale

Data stolen from IT outsourcing giant Capita has reportedly been put up for sale by the Black Basta extortion group. The leak includes over 100 records with bank account information, addresses, passport photos, and other data. While the firm has yet to confirm the hack, the criminals say the leaked data is merely a sample of what they stole from Capita.

Top Malware Reported in the Last 24 Hours

Fake Chrome update spreads malware

Researcher Rintaro Koike has discovered a malicious campaign pushing fake Google Chrome browser updates to potential victims via compromised websites. Active since November 2022, the campaign has now expanded to target Korean, Spanish, and Japanese speakers. News websites, online stores, and adult portals are among the common sources of infection.

'Chameleon' threatens Android users

Chameleon has surfaced as a new threat against Android users in Australia and Poland. It steals credentials, cookies, and even OTPs, which lets attackers bypass 2FA protection on the device. The campaign, active since the start of the year, imitates the CoinSpot cryptocurrency exchange, the IKO bank, and an Australian government agency. It is being propagated through Discord attachments, Bitbucket hosting services, and compromised websites.

QBot hijacks business emails

A new QBot campaign hijacks business email threads and sends itself out as a reply to an existing conversation to deliver the malware. Attackers begin with an email carrying a PDF attachment styled as a Microsoft Office 365 or Microsoft Azure alert that urges the user to open the attached file. The campaign targets emails written in several languages, including English, Italian, German, and French.

Top Vulnerabilities Reported in the Last 24 Hours

A PoC exploit for the VM2 sandbox

Security researcher SeungHyun Lee shared details of a sandbox escape PoC exploit that allows attackers to execute malicious code on a host running the VM2 sandbox. The researcher found two bugs, tracked as CVE-2023-29199 and CVE-2023-30547. It is, however, unclear whether these are entirely new flaws or the result of incomplete patches for the original CVE-2023-29017, reported by another researcher, Seongil Wi, two weeks ago.
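The practical follow-up for anyone shipping VM2 is to find every copy of it in the dependency tree, including the nested copies a plugin can vendor under its own node_modules, and compare each against the release that carries the fixes. The script below is an added example for this briefing, not vm2's or the researcher's code. The briefing does not state fixed versions; the `3.9.17` floor is my assumption, to be verified against the vm2 advisories for the three CVEs, and the sample lockfile is constructed.

```javascript
// Added example for this briefing, not vm2's or the researcher's code: walk an
// npm lockfile and flag every copy of a package below a minimum fixed version.
// ASSUMPTION to verify against the vm2 advisories: 3.9.17 is the first release
// with CVE-2023-29017, CVE-2023-29199 and CVE-2023-30547 all addressed.
const VM2_MIN_FIXED = "3.9.17";

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1. Pre-release tags are ignored, which is the conservative
// choice here: "3.9.17-beta" is treated as 3.9.17, never as older than it.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Yields {path, name, version} for every installed package, including nested
// copies that a dependency brings in under its own node_modules.
function* walkLock(lock) {
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "") continue; // the root project itself
      yield { path, name: path.split("node_modules/").pop(), version: entry.version };
    }
    return;
  }
  if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" trees
    const rec = function* (deps, prefix) {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        yield { path, name, version: entry.version };
        if (entry.dependencies) yield* rec(entry.dependencies, `${path}/`);
      }
    };
    yield* rec(lock.dependencies, "");
  }
}

function findVulnerable(lock, name, minFixed) {
  const hits = [];
  for (const pkg of walkLock(lock)) {
    if (pkg.name === name && pkg.version && compareSemver(pkg.version, minFixed) < 0) {
      hits.push({ path: pkg.path, version: pkg.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the app pins a fixed vm2, but a plugin still
// vendors an older copy under its own node_modules.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { vm2: "^3.9.17", "some-plugin": "1.0.0" } },
    "node_modules/vm2": { version: "3.9.17" },
    "node_modules/some-plugin": { version: "1.0.0", dependencies: { vm2: "3.9.14" } },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.9.14" },
  },
};

function checkSample() {
  return findVulnerable(SAMPLE_LOCK, "vm2", VM2_MIN_FIXED);
}
```

Against a real project, pass `JSON.parse` of the `package-lock.json` contents to `findVulnerable`; a non-empty result means a vulnerable copy is installed even if the top-level pin looks fine. A version check is only a stopgap, though: VM2's own maintainers describe it as a best-effort sandbox, and the rapid succession of escapes here is a reminder to treat it as defence in depth rather than a trust boundary for untrusted code.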

Top Scams Reported in the Last 24 Hours

Tax scams hit Australian users

Cofense PDC has identified a phishing email campaign in which threat actors impersonate the Australian Taxation Office (ATO) and the myGov website to steal user credentials. The scammers create a sense of urgency by asking recipients to verify their account because of unusual activity. A typosquatted domain is the main tell of this phishing scam.
