Cyware Daily Threat Intelligence

Daily Threat Briefing • Aug 24, 2023
Uncovering a months-long malvertising campaign, which originally began in March, security researchers warn of the distribution of the DarkGate malware. The malware deployment technique—via malicious ads and SEO poisoning—highlights the threat actor’s advanced skills. In another headline, a researcher group stumbled upon a new exploit abusing a security hole in Openfire servers, allowing attackers to execute arbitrary commands and access server data through a webshell. What’s concerning is that the activity has been ongoing for the past two months.
Continuing on vulnerability threats, three vulnerabilities were reported in the NVIDIA graphics driver leading to memory corruption. Web browsers using WebGL and WebAssembly could also be exploited through the flaws. Patch ASAP!
Millions exposed by French employment agency
France's national employment agency, Pôle emploi, has suffered a cyberattack potentially affecting the personal information of up to 10 million individuals. Security experts have linked the breach to the Cl0p ransomware gang's MOVEit campaign that has impacted numerous organizations and individuals globally. The attack is believed to have exposed the data of both current and former registrants, including names, employment statuses, and Social Security numbers.
U.S. university probes alumni data breach
The University of Minnesota may have exposed the Social Security numbers of seven million alumni, though this is not officially confirmed. A dark web repository unveiled details of the breach dating back to 1989, spanning five presidential tenures. However, a cybersecurity expert mentioned that he has not been able to locate student SSNs or any associated information on typical clandestine marketplaces.
Attack on U.K. local authority
U.K. local authority St Helens Borough Council has issued a warning to citizens about potential follow-on scams following a recently discovered ransomware attack. While it is maintaining services through its website, some internal systems have been affected. There are concerns that citizens' personal information has been compromised. The council advises residents to remain cautious online and to be wary of any communications purporting to come from the council.
Millions of dollars stolen from crypto platforms
Two DeFi platforms, Exactly and Harbor, fell victim to cyberattacks resulting in the theft of millions of dollars' worth of cryptocurrency. Exactly Protocol confirmed an ongoing security investigation and paused operations after reportedly suffering a loss of around $7.3 million worth of ETH. Harbor Protocol also revealed experiencing a breach, admitting funds were drained without specifying the exact amount stolen.
Malware evolves to remain among top threats
EclecticIQ analysts have detected the resurgence of the RedLine Stealer malware, focusing on financial data theft and reconnaissance functions. Security experts analyzed a RedLine stealer spam campaign between April and August. The new campaigns exhibit core information gathering techniques, registry manipulation for persistence, WMI utilization, and file deletion to mask attacks. Furthermore, recent iterations target specific browsers, log keystrokes, and access crypto wallets like Coinomi.
DarkGate’s new delivery tactics
A malvertising campaign unveiled an updated version of the DarkGate malware. This iteration employs a distinct MSI installer containing an obfuscated AutoIT script to conceal its payload. DarkGate's web delivery methods have evolved, focusing on malicious ads and search engine poisoning. The new version boasts evasion features and limited availability, attracting the attention of cybersecurity researchers and threat actors alike.
Lazarus Group deploys QuiteRAT
Cisco Talos has uncovered a recent campaign by the Lazarus Group, targeting internet backbone infrastructure and healthcare organizations in Europe and the U.S. The group exploited a ManageEngine ServiceDesk vulnerability, CVE-2022-47966, to deliver QuiteRAT, an evolved version of MagicRAT. While smaller in size than MagicRAT, QuiteRAT shares similar capabilities, including arbitrary command execution. Unlike MagicRAT, QuiteRAT does not have a persistence capability.
New Wi-Fi scanning malware
A new strain of malware called Whiffy Recon is being delivered by the SmokeLoader malware. The malware strain focuses on Wi-Fi scanning and geolocation tracking. It triangulates the infected system's position by scanning nearby Wi-Fi access points and using Google's geolocation API. The purpose of this operation remains unclear, raising questions about the motivations behind tracking the physical location of infected devices.
Thousands of Openfire servers vulnerable
VulnCheck researchers have uncovered over 3,000 Openfire servers susceptible to the CVE-2023-32315 bug, which is being actively exploited via a new exploit. The open-source chat server was found to be at risk from an unauthenticated path traversal flaw in its admin console. This vulnerability grants unauthorized access to restricted admin console pages, even allowing for the creation of new admin accounts. The flaw has been exploited for over two months.
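For defenders reviewing Openfire admin-console access logs for the pattern described above, the following is an added example (not code from VulnCheck, the Openfire project, or this briefing). It decodes each request path repeatedly so that plain, percent-encoded and double-encoded traversal sequences are all seen as `..`, normalizes the path, and flags requests that traverse into an admin page or that successfully submit an account-creation form. The log lines, the `/admin/create-user.jsp` page name and the `SENSITIVE_PAGES` set are constructed placeholders for illustration, not the exact routes involved in the real exploit.

```python
import re
import posixpath
from urllib.parse import unquote

# Constructed sample access-log entries for a chat-server admin console
# (not real traffic; the paths are placeholders, not the real exploit route).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Aug/2023:10:01:02 +0000] "GET /login.jsp HTTP/1.1" 200 1532
10.0.0.9 - - [24/Aug/2023:10:01:10 +0000] "GET /public/../../admin/create-user.jsp HTTP/1.1" 200 2201
10.0.0.9 - - [24/Aug/2023:10:01:12 +0000] "GET /public/%2e%2e/%2e%2e/admin/create-user.jsp HTTP/1.1" 200 2201
10.0.0.9 - - [24/Aug/2023:10:01:20 +0000] "POST /admin/create-user.jsp?username=svc-backup&isadmin=on HTTP/1.1" 302 0
10.0.0.7 - - [24/Aug/2023:10:02:00 +0000] "GET /index.jsp HTTP/1.1" 200 900
"""

# Common log format: client ip, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical admin-console pages that should only be reached by an
# authenticated administrator (an assumption made for this example).
SENSITIVE_PAGES = {
    "/admin/create-user.jsp",
    "/admin/user-edit.jsp",
    "/admin/plugin-admin.jsp",
}
ACCOUNT_CREATION_PAGE = "/admin/create-user.jsp"


def decode_path(target: str) -> str:
    """Drop the query string and percent-decode up to three times so that
    double-encoded traversal (%252e%252e) still shows up as '..'."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Treat backslashes as separators so '..\' is not missed.
    return path.replace("\\", "/")


def parse_line(line: str):
    """Parse one log line into a record, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("target")
    path = decode_path(raw)
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "raw_target": raw,
        "path": path,
        "normalized": posixpath.normpath(path),  # resolves '..' segments
        "status": int(m.group("status")),
        "has_traversal": "../" in path,          # checked after decoding
    }


def find_suspicious(log_text: str):
    """Return (ip, finding_kind, raw_target) tuples for two signals:
    traversal sequences that resolve to a sensitive admin page, and a
    non-error response to an account-creation submission."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        page = rec["normalized"]
        if rec["has_traversal"] and page in SENSITIVE_PAGES:
            findings.append((rec["ip"], "traversal_to_admin_page", rec["raw_target"]))
        elif rec["method"] == "POST" and page == ACCOUNT_CREATION_PAGE and rec["status"] < 400:
            findings.append((rec["ip"], "admin_account_creation", rec["raw_target"]))
    return findings


if __name__ == "__main__":
    for ip, kind, target in find_suspicious(SAMPLE_LOG):
        print(f"{ip} {kind} {target}")
```

Decoding before normalizing is the important step: a rule that only searches the raw request line for `../` misses the encoded variants, and a rule that only looks at the final page name misses the fact that an unauthenticated client reached it through a traversal. Correlating both findings from the same source address, as the sample log does, is a stronger signal than either alone.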
Critical bugs discovered in NVIDIA D3D10 Driver
Cisco Talos researchers have unveiled three critical vulnerabilities in NVIDIA's D3D10 driver used for its graphics cards. These vulnerabilities stem from memory corruption when a specially crafted shader packer is delivered by an attacker. The flaws could enable memory corruption within the driver, potentially allowing for a guest-to-host escape in virtualization environments like VMware, QEMU, and VirtualBox.
New financial scam via Telegram bot
A financially motivated cybercrime operation named Telekopye has emerged, using a malicious Telegram bot to facilitate phishing scams. The toolkit automates the creation of phishing web pages and sends the URLs to potential victims, referred to as Mammoths. The operation, attributed to a group known as Neanderthals, seems to originate from Russia due to the use of Russian SMS templates and the targeting of popular online marketplaces in the country.