Cyware Daily Threat Intelligence

Daily Threat Briefing • January 10, 2024
Qakbot’s replacement may have arrived. Security researchers spotted cybercriminals increasingly propagating Pikabot loader malware after Qakbot’s takedown last year. Like Qakbot, Pikabot attempts initial access via spam emails.
Following active scanning of a critical bug in Apache RocketMQ services by cyber adversaries, fresh attacks have been discovered targeting Apache Hadoop and Flink applications. Google's January 2024 Android update is here: it addresses 58 security vulnerabilities, including 10 high-severity flaws in the Framework and System components. Microsoft’s Patch Tuesday update resolves 48 security issues.
Paraguay military issues warning
The Paraguay Military issued an alert on Black Hunt ransomware attacks after Tigo Business, the enterprise-focused division of Paraguay's largest mobile carrier, suffered a cyberattack impacting cloud and hosting services. Reports suggest that the Black Hunt ransomware was behind the attack, encrypting over 330 servers and compromising backups. The operation typically targets South American companies.
SEC Twitter account compromised
The SEC confirmed that its X account was compromised, leading to a false tweet about approving Bitcoin ETFs. The tweet, later deleted, caused a spike in Bitcoin's price before the SEC clarified that it had not granted any approval. SEC Chairman Gary Gensler emphasized caution in crypto investments. The social media platform reported that the account was hijacked due to unauthorized access to a phone number associated with the SEC's account, suggesting a possible SIM-swap attack.
U.S. DOT breached
The U.S. Department of Transportation (DOT) is reported to have suffered a major data breach, with a threat actor named IntelBroker claiming the attack. The breach allegedly compromised a database containing 5.8 million flight logs from the year 2015. The exposed data may include critical aviation details that could have severe implications for national security and air travel safety. The motive behind the attack remains unclear so far.
Massive data leak hits Brazil
A significant data leak has been reported in Brazil, exposing the personal information of over 223 million citizens. The leaked data, stored in a publicly accessible Elasticsearch instance on a cloud server, included full names, dates of birth, sex, and Cadastro de Pessoas Físicas (CPF) numbers - an 11-digit identifier for individual taxpayers in Brazil. Although the source of the leak remains unidentified, the sheer volume of records suggests that the entire Brazilian population may be affected.
Pikabot distribution via phishing
Threat group Water Curupira, known for its Cobalt Strike backdoors, recently transitioned to using Pikabot malware in phishing campaigns. Pikabot witnessed a surge in activity in Q4 2023, potentially serving as a replacement for Qakbot after its takedown. Water Curupira's phishing tactics involve using loader and core module components within Pikabot to gain unauthorized remote access. The malware is delivered through spam emails with password-protected ZIP or PDF attachments.
CISA adds actively exploited flaws to KEV
CISA added six actively exploited security vulnerabilities to its KEV catalog. Notable among them is CVE-2023-27524, a high-severity flaw in Apache Superset that allows unauthenticated attackers to achieve remote code execution, potentially compromising data and harvesting credentials. The agency also highlighted vulnerabilities in Adobe ColdFusion, Apple products, D-Link devices, and the Joomla! CMS. FCEB agencies are urged to apply fixes by January 29 to mitigate the risks posed by these flaws.
Critical flaws in Bosch wrenches
Researchers at Nozomi Networks discovered multiple vulnerabilities in Bosch Rexroth NXA015S-36V-B pneumatic torque wrenches, commonly used in safety-critical tightening tasks on automotive production lines. Although not yet exploited, the flaws could allow ransomware attacks on the device, leading to production stoppages and financial loss. The vulnerabilities also enable unauthorized access to tightening programs, potentially causing safety issues through sub-optimal or excessive tightening.
Information disclosure and RCE bug in Cacti
A blind SQL injection vulnerability (CVE-2023-51448) has been discovered in the SNMP Notification Receivers feature of the widely used Cacti network monitoring framework. It could lead to information disclosure and RCE attacks. The flaw allows an authenticated attacker with specific permissions to trigger the bug with a crafted HTTP GET request. There is currently no evidence of exploitation in the wild; users are advised to upgrade to Cacti version 1.2.26.
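The Cacti item above describes a blind SQL injection reached through a GET parameter: the response reveals only whether a query matched, and that single bit is the leak. The following added example (not Cacti's code; the table name, rows and parameter names are constructed for illustration) puts a vulnerable lookup beside the parameterized, type-checked version that defenders would expect in the fix, using Python's built-in sqlite3 so it runs offline.

```python
"""Blind SQL injection in a request-parameter lookup, vulnerable vs. hardened.

Added example. The schema and rows are constructed; nothing here is taken
from Cacti's source.
"""
import sqlite3


def make_db():
    """Build an in-memory table standing in for a notification-receiver list."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notification_receivers (id INTEGER PRIMARY KEY, hostname TEXT)"
    )
    conn.executemany(
        "INSERT INTO notification_receivers VALUES (?, ?)",
        [(1, "receiver-a.example.internal"), (2, "receiver-b.example.internal")],
    )
    return conn


def receiver_exists_vulnerable(conn, raw_id):
    """Interpolates the raw GET parameter into the SQL text.

    The caller only learns True/False, which is exactly the 'blind' channel:
    any expression appended to the parameter changes the answer, so the
    database can be queried one bit at a time.
    """
    sql = f"SELECT 1 FROM notification_receivers WHERE id = {raw_id}"
    return conn.execute(sql).fetchone() is not None


def parse_receiver_id(raw_id):
    """Accept only a plain decimal integer; anything else is rejected up front."""
    if not isinstance(raw_id, str) or not raw_id.isdigit():
        raise ValueError("receiver id must be a decimal integer")
    return int(raw_id)


def receiver_exists_hardened(conn, raw_id):
    """Validates the type, then binds the value; the SQL text never changes."""
    receiver_id = parse_receiver_id(raw_id)
    sql = "SELECT 1 FROM notification_receivers WHERE id = ?"
    return conn.execute(sql, (receiver_id,)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # Honest request for a non-existent receiver: both versions say False.
    print(receiver_exists_vulnerable(db, "99"), receiver_exists_hardened(db, "99"))
    # A tautology appended to the parameter flips the vulnerable answer to True;
    # the hardened version refuses the input before any SQL runs.
    print(receiver_exists_vulnerable(db, "99 OR 1=1"))
    try:
        receiver_exists_hardened(db, "99 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The design point is that binding alone is not the whole fix: rejecting anything that is not a decimal integer before the query is built removes the injection surface entirely and gives the application a clean place to log the malformed request.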
New attack against Apache Hadoop and Flink apps
Researchers at Aqua Nautilus have identified a new attack targeting Apache Hadoop and Flink applications. The attack exploits misconfigurations, particularly in the ResourceManager of Hadoop YARN, that allow unauthenticated remote attackers to execute arbitrary code. The attack is simple: it drops and executes a binary named ‘dca’, which then downloads two rootkits and a Monero cryptominer. The attackers use packers and rootkits to conceal the malware.
Google issues Android security update
Google released the January 2024 Android security update, addressing multiple security vulnerabilities in the Framework, System, and various components from Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm. The update includes two patch levels: the 2024-01-01 level addresses ten high-severity issues in the Framework and System components, while the 2024-01-05 level resolves 48 vulnerabilities, including three critical ones in Qualcomm components. The update covers Pixel devices and Wear OS.
Microsoft fixes 48 flaws
Microsoft addressed a total of 48 security vulnerabilities on the first Patch Tuesday of 2024. Of these, two are rated ‘Critical’ and 46 ‘Important.’ The two critical flaws are a Windows Kerberos security feature bypass vulnerability (CVE-2024-20674) with a CVSS score of 9.0 and a Windows Hyper-V remote code execution vulnerability (CVE-2024-20700) with a CVSS score of 7.5. While there was no evidence of active exploitation at the time of release, Microsoft recommends that users apply the patches.