Cyware Daily Threat Intelligence

Daily Threat Briefing • June 10, 2024
In the ever-changing theater of cyber warfare, new threats emerge with alarming creativity. A crafty new variant of the Agent Tesla RAT is targeting Spanish-speaking individuals with phishing emails. The lure documents exploit MS Office vulnerabilities, and the malware steals sensitive information and evades detection, making it a stealthy menace.
Meanwhile, researchers have identified over 1,000 malicious extensions in the VSCode Marketplace, downloaded millions of times, and, as a proof of concept, planted a typosquatted copy of a popular theme that collected system information from users at high-profile organizations.
On another front, researchers uncovered 15 high- and critical-severity vulnerabilities in AutomationDirect's PLCs, which could be exploited for remote code execution or DoS attacks, threatening production in industrial environments.
Agent Tesla targets Spanish speakers
A new Agent Tesla RAT variant is targeting Spanish-speaking individuals through phishing emails posing as SWIFT transfer notifications from financial institutions. The attached documents exploit MS Office vulnerabilities to start the infection chain. The malware steals sensitive information from a wide range of applications, exfiltrates it over FTP, and loads a fileless module through malicious JavaScript code, which leaves little on disk and makes it difficult to detect.
Fake KMSpico activator deploys Vidar stealer
Researchers observed Vidar Stealer being delivered through a fake KMSPico activator tool. The installer bundled Java dependencies and ran a malicious AutoIt script that disabled Windows Defender before dropping the stealer. The malware used Telegram for C2 communication.
Malicious VSCode extensions affect millions
Researchers identified over 1,000 extensions in the VSCode Marketplace, with millions of downloads between them, that contain known malicious code, along with thousands more exhibiting suspicious behavior such as hardcoded IP addresses or execution of unknown files. To demonstrate the risk, the researchers typosquatted the popular "Dracula Official" theme; their look-alike extension collected system information from users who installed it, including users at high-profile organizations. Although Microsoft was notified, many of the flagged extensions remain available on the Marketplace.
Critical RCE bug in PHP
A critical security flaw in PHP, tracked as CVE-2024-4577, has been discovered, allowing attackers to perform remote code execution on PHP servers running on Windows. The vulnerability bypasses protections added for an earlier argument-injection bug and affects all PHP versions on Windows, including end-of-life branches that will not receive a fix. A fix has been released in PHP versions 8.3.8, 8.2.20, and 8.1.29. Exploitation attempts have already been detected, so users should apply the latest patches quickly.
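As an added example, not code from the briefing or from the PHP project, the following triage helper checks Windows PHP hosts against the fixed releases named above. The hostnames and `php -v` banners in the inventory are constructed; the assumption that branches newer than 8.3 post-date the fix and that branches older than 8.1 never received one is the author's, not the advisory's.

```php
<?php
// Added example (not from the Cyware briefing or the PHP project): triage helper
// that checks a Windows PHP build against the fixed releases named in the
// advisory for CVE-2024-4577 (8.3.8, 8.2.20, 8.1.29). Assumption: a branch older
// than 8.1 is end-of-life and received no fix, so it is reported as vulnerable;
// a branch newer than 8.3 was released after the fix and is reported as fixed.

const CVE_2024_4577_FIXED = [
    '8.1' => '8.1.29',
    '8.2' => '8.2.20',
    '8.3' => '8.3.8',
];

/**
 * Pull "major.minor.patch" out of a `php -v` banner or a bare version string.
 * Returns null when no version is present.
 */
function extractPhpVersion(string $text): ?string
{
    if (preg_match('/\bPHP\s+(\d+\.\d+\.\d+)/', $text, $m)) {
        return $m[1];
    }
    if (preg_match('/^\s*(\d+\.\d+\.\d+)\s*$/', $text, $m)) {
        return $m[1];
    }
    return null;
}

/**
 * True when $version already contains the CVE-2024-4577 fix.
 */
function isFixedForCve20244577(string $version): bool
{
    $parts  = explode('.', $version);
    $branch = $parts[0] . '.' . $parts[1];

    if (isset(CVE_2024_4577_FIXED[$branch])) {
        return version_compare($version, CVE_2024_4577_FIXED[$branch], '>=');
    }
    // No entry for this branch: fixed only if it post-dates 8.3 (8.4.0 or later).
    return version_compare($version, '8.4.0', '>=');
}

/**
 * Classify an inventory of [hostname => `php -v` output] as 'fixed',
 * 'vulnerable' or 'unknown'. Only Windows hosts are relevant to this CVE,
 * so the inventory is assumed to contain Windows servers.
 */
function triageCve20244577(array $inventory): array
{
    $result = [];
    foreach ($inventory as $host => $banner) {
        $version = extractPhpVersion($banner);
        if ($version === null) {
            $result[$host] = 'unknown';
        } else {
            $result[$host] = isFixedForCve20244577($version) ? 'fixed' : 'vulnerable';
        }
    }
    return $result;
}

// Constructed sample inventory: hostnames and banners are made up for the example.
$inventory = [
    'win-web-01' => 'PHP 8.3.8 (cli) (built: Jun  4 2024 14:01:22) (ZTS Visual C++ 2019 x64)',
    'win-web-02' => 'PHP 8.2.19 (cli) (built: May  7 2024 11:09:35) (ZTS Visual C++ 2019 x64)',
    'win-web-03' => 'PHP 8.1.29 (cli) (built: Jun  4 2024 13:52:10) (ZTS Visual C++ 2019 x64)',
    'win-legacy' => 'PHP 7.4.33 (cli) (built: Nov  2 2022 10:09:21) ( ZTS Visual C++ 2017 x64 )',
    'win-misc'   => 'php: command not found',
];

foreach (triageCve20244577($inventory) as $host => $status) {
    printf("%-12s %s\n", $host, $status);
}
```

Run it with `php triage.php` after pasting the real `php -v` output for each host into the inventory. A host whose banner cannot be parsed is reported as unknown rather than silently treated as fixed, so it still shows up for manual follow-up.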
SolarWinds patches high-severity vulnerability
SolarWinds has released patches for high-severity vulnerabilities in Serv-U and the SolarWinds Platform, including a bug reported by a penetration tester working with NATO. The latest update, version 2024.2, fixes three new security defects as well as multiple bugs in third-party components. The vulnerabilities affect SolarWinds Platform 2024.1 SR 1 and earlier versions. One of them, CVE-2024-28996, is an SWQL injection flaw that lets a user run queries against the SolarWinds database for network information. The update also fixes a medium-severity flaw in Angular and several high- and medium-severity issues in OpenSSL, some of which were disclosed seven years ago.
Security bugs in WZone plugin
The WooCommerce Amazon Affiliates (WZone) plugin has multiple serious security vulnerabilities: an authenticated arbitrary option update flaw and two SQL injection vulnerabilities. They affect every version tested, up to and including 14.0.10, and may also affect 14.0.20 and later. These flaws could lead to privilege escalation, data breaches, and manipulation of the WordPress database. Because no patched version exists, site administrators using the WZone plugin are advised to deactivate and delete it immediately.
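The two bug classes described above, as an added illustration that is not the WZone plugin's code and is not taken from the advisory: the shape of an authenticated arbitrary option update handler and of a string-concatenated query in a WordPress plugin, each beside a hardened version. The hook names, option names, the `asin` lookup and the table name are hypothetical; the WordPress API calls (`update_option`, `check_ajax_referer`, `$wpdb->prepare` and friends) are real.

```php
<?php
// Added illustration (not the WZone plugin's actual code). All wzone_demo_* names,
// option names and the products table are hypothetical.

// --- Arbitrary option update -------------------------------------------------
// VULNERABLE: any logged-in user who can reach admin-ajax.php (wp_ajax_* hooks
// only require authentication, not a role) chooses both the option name and its
// value. Setting default_role=administrator and users_can_register=1 turns
// ordinary self-registration into an administrator account.
add_action('wp_ajax_wzone_demo_save_setting', 'wzone_demo_save_setting_vulnerable');
function wzone_demo_save_setting_vulnerable() {
    $name  = isset($_POST['option']) ? $_POST['option'] : '';
    $value = isset($_POST['value'])  ? $_POST['value']  : '';
    update_option($name, $value);   // no capability check, no nonce, no allowlist
    wp_send_json_success();
}

// HARDENED: capability check, nonce, an allowlist of plugin-owned option names,
// and a sanitizer chosen per option rather than per request.
const WZONE_DEMO_ALLOWED_OPTIONS = [
    'wzone_demo_api_region' => 'sanitize_text_field',
    'wzone_demo_cache_ttl'  => 'absint',
];

add_action('wp_ajax_wzone_demo_save_setting_safe', 'wzone_demo_save_setting_hardened');
function wzone_demo_save_setting_hardened() {
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('wzone_demo_settings', 'nonce');

    $name = isset($_POST['option']) ? sanitize_key($_POST['option']) : '';
    if (!array_key_exists($name, WZONE_DEMO_ALLOWED_OPTIONS)) {
        wp_send_json_error('unknown option', 400);
    }
    $sanitize = WZONE_DEMO_ALLOWED_OPTIONS[$name];
    $value    = $sanitize(wp_unslash($_POST['value'] ?? ''));

    update_option($name, $value);   // only plugin-owned options, only sanitized values
    wp_send_json_success();
}

// --- SQL injection -----------------------------------------------------------
// VULNERABLE: a user-controlled product identifier is concatenated into the
// query, so a value such as  x' OR '1'='1  changes the statement.
function wzone_demo_get_product_vulnerable($asin) {
    global $wpdb;
    return $wpdb->get_row(
        "SELECT * FROM {$wpdb->prefix}wzone_demo_products WHERE asin = '$asin'"
    );
}

// HARDENED: the value is bound through a %s placeholder via $wpdb->prepare(),
// so it can never be interpreted as SQL.
function wzone_demo_get_product_hardened($asin) {
    global $wpdb;
    return $wpdb->get_row($wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}wzone_demo_products WHERE asin = %s",
        $asin
    ));
}
```

When auditing a plugin for the first class, grep for `update_option(` and check whether the option name comes from the request and whether the handler checks `current_user_can()` and a nonce; for the second, look for `$wpdb->query`, `get_row`, `get_results` or `get_var` calls whose SQL string interpolates a variable without passing through `$wpdb->prepare()`.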
Multiple vulnerabilities in AutomationDirect PLCs
Cisco Talos discovered 15 high- and critical-severity vulnerabilities in PLCs made by AutomationDirect, affecting its Productivity series. These vulnerabilities could be exploited for remote code execution or DoS attacks, potentially disrupting production in industrial environments. While the PLCs are typically not directly connected to the internet, roughly 50 potentially exposed devices have still been identified. The vulnerabilities could allow attackers to execute arbitrary code, manipulate logic, shut down devices, or extract information.