Cyware Daily Threat Intelligence


Daily Threat Briefing January 11, 2024

A new Mirai-based botnet has emerged in the cyber landscape, which threat actors have been using in cryptocurrency mining campaigns since at least early 2023. Dubbed NoaBot, the botnet has targeted SSH servers globally, with high concentrations in China. Separately, a malvertising campaign observed this month targeted Mac users through Google search ads, delivering Atomic Stealer. The updated version of Atomic Stealer collects passwords, crypto wallets, and cookies.

The vulnerability chapter for today discusses a high-severity bug in the free version of the AI Engine plugin for WordPress, two critical zero-days in Ivanti VPN, and a critical bug in Cisco Unity Connection. Moreover, CISA has issued a warning urging organizations to patch the Ivanti flaws.

Top Breaches Reported in the Last 24 Hours

HMG Healthcare discloses data breach

Healthcare organization HMG Healthcare disclosed a security incident that occurred in August 2023. The breach involved hackers gaining unauthorized access to a server and stealing unencrypted files. The compromised information possibly includes names, contact details, dates of birth, health information, medical treatment details, SSNs, and employee records. The organization did not disclose the number of individuals impacted.

'dawnofdevil' leaks data of four million users

A hacker operating under the alias 'dawnofdevil' leaked a database associated with Hathway, a prominent Indian ISP and cable television service operator. The breach involved exploiting a security vulnerability in Hathway's Laravel framework application. The leaked data, initially claimed to cover over 41 million users, was later analyzed and found to contain around four million impacted accounts, including personal details and KYC data.

Top Malware Reported in the Last 24 Hours

Balada Injector abuses WordPress plugin

A Balada Injector campaign, which began in December 2023, was found exploiting a stored XSS vulnerability in the Popup Builder plugin for WordPress, affecting over 6,200 sites. The attack used a recently registered domain, specialcraftbox[.]com, to inject malicious scripts into the Popup Builder's 'Custom JS or CSS' section. The attackers also attempt to plant a backdoor and execute a series of actions that lead to malicious redirects and push notification scams.

Atomic Stealer updated with payload encryption

A malvertising campaign was observed distributing Atomic Stealer via Google search ads. The malware has been updated with payload encryption to evade detection. The threat actors lure victims by impersonating Slack and redirecting them to a decoy website with a payload for both Windows (FakeBat) and Mac (Atomic Stealer). The update includes a feature to steal browser cookies in addition to passwords.

New Mirai-based botnet mines crypto

A new Mirai-based botnet, NoaBot, has been spotted in a cryptomining campaign targeting SSH servers since the beginning of 2023. The botnet uses a wormable self-spreader with an SSH key backdoor to download and execute additional binaries or spread itself to new victims. NoaBot is compiled with uClibc rather than the usual Mirai toolchain, which changes how antivirus engines detect and classify the malware. It incorporates obfuscation tactics and ultimately deploys a modified version of the XMRig coinminer.

Top Vulnerabilities Reported in the Last 24 Hours

Cisco flaw allows root access

Cisco has addressed a critical security flaw in Unity Connection, a virtualized messaging and voicemail solution. The vulnerability (CVE-2024-20272) exists in the web-based management interface, allowing unauthenticated attackers to gain root privileges on vulnerable devices remotely. Attackers could exploit this flaw by uploading arbitrary files, leading to executing arbitrary commands on the underlying operating system. Additionally, Cisco patched 10 medium-severity vulnerabilities.

Zero-day flaws exploited in Ivanti VPN

Ivanti revealed that two zero-day vulnerabilities discovered in its Connect Secure VPN are being exploited in the wild, probably by the Chinese nation-state threat actor UTA0178. The first is an authentication bypass vulnerability (CVE-2023-46805), while the second is a command injection vulnerability (CVE-2024-21887); chained together, they enable unauthenticated RCE attacks. Ivanti said it is aware of fewer than 10 impacted customers and has shared mitigation measures, with patches expected to be released soon.

Critical flaw in AI Engine plugin

A critical vulnerability has been discovered in the free version of the AI Engine plugin for WordPress, impacting over 50,000 active installations. The vulnerability is an unauthenticated arbitrary file upload flaw in the plugin's rest_upload function within the files.php module, allowing any unauthenticated user to upload arbitrary files, which can potentially lead to RCE. Users are strongly advised to update to at least version 1.9.99 to mitigate the vulnerability.

Top Scams Reported in the Last 24 Hours

Scammers exploit Jeffrey Epstein news

Cybercriminals are using Jeffrey Epstein's life story and the recently released court documents as lures in phishing emails. They are impersonating Epstein's investment manager and personal financial advisor. The scam aims to defraud individuals through a classic advance fee scheme, with scammers likely to request personal information and payments in exchange for the promised funds.

Year-end employee phishing lures

Threat actors have been leveraging year-end tasks and responsibilities, such as open enrollment, 401k updates, salary adjustments, and employee satisfaction surveys, as lures in phishing campaigns. Because employees expect these tasks and they carry an emotional charge, attackers send phishing emails that attempt to trick recipients into divulging sensitive details.
