Cyware Daily Threat Intelligence

Daily Threat Briefing • November 17, 2023
Exploitation of routers could lead to various threats, including malware deployment, espionage, and service disruption. Recently, security experts uncovered multiple vulnerabilities in industrial routers, which pose significant risks ranging from cross-site scripting and denial of service to remote code execution and unauthorized access.
Furthermore, a high-severity OS command injection bug in the FortiSIEM report server allows unauthenticated command execution through crafted API requests. It’s reportedly a variant of a security issue addressed by Fortinet last month, affecting FortiSIEM releases from 4.7 through 5.4. In a separate report, threat actors have been discovered using manipulated search results and fake Google ads, built with Google's Dynamic Search Ads, to distribute malware disguised as legitimate WinSCP software downloads, primarily targeting users in the U.S.
TBs of sensitive data exposed
Cybernews discovered an unprotected database at Vietnam Post Corporation, a government-owned postal service in Vietnam, containing 1.2TB of data. The database—related to cybersecurity tools like XDR and SIEM—included 226 million logged events and employee names with emails. It was left accessible for nearly 3 months.
MeridianLink confirms cyberattack
MeridianLink, a financial software firm, confirmed a cyberattack after being targeted by the AlphV/BlackCat ransomware group. The group reportedly filed a complaint about the incident with the SEC and pressured the company to begin ransom negotiations. AlphV's attempt to leverage the incident for a ransom included sending a photo of an SEC complaint form.
Black Basta attack strikes tech firm
Maytec.de, a subsidiary of Maytec GmbH specializing in technological solutions and industrial components, has reportedly been targeted by the Black Basta ransomware gang. The company's name has appeared on the group's leak site. The group appears to have stolen sensitive data while causing operational disruption.
Telecom monitoring centre attacked
The National Telecommunication Monitoring Centre (NTMC) in Bangladesh unintentionally exposed a vast array of data, including names, professions, blood groups, phone numbers, vehicle registrations, passport details, and fingerprint photos, through an unsecured database. Unknown criminals may have targeted the exposed database and wiped the data from the system after stealing it.
8Base expands operations
Cisco Talos observed an increase in activity by the 8Base ransomware group, known for employing a variant of the Phobos ransomware. The group primarily distributes Phobos variants through the SmokeLoader backdoor trojan, embedding the ransomware component within encrypted payloads. Talos researchers conducted an in-depth analysis of Phobos' configuration, revealing capabilities such as a user access control (UAC) bypass technique and victim infection reporting to an external URL.
Manipulating Google Ads to distribute malware
Threat actors are utilizing manipulated search results and fake Google ads to deceive users seeking legitimate software, such as WinSCP, into downloading malware. The campaign tracked as SEO#LURKER leverages Google's Dynamic Search Ads (DSAs) to automatically generate malicious ads that redirect victims to compromised websites. The complex multi-stage attack aims to trick users into downloading malware from a fake WinSCP website. The geoblocking used on the malware-hosting site suggests that U.S. users are among the victims.
CISA adds actively exploited flaws to catalog
CISA added three actively exploited vulnerabilities to its KEV catalog. The flaws include a Microsoft Windows Mark-of-the-Web (MotW) Security Feature Bypass (CVE-2023-36584), a Sophos Web Appliance Command Injection (CVE-2023-1671), and an Oracle Fusion Middleware Unspecified Vulnerability (CVE-2023-2551). CVE-2023-36584 was used by a pro-Russian APT group targeting supporters of Ukraine's NATO admission. CISA urged federal agencies to apply fixes by December 7, 2023.
Zero-day exploits target Zimbra Collaboration tool
A zero-day flaw (CVE-2023-37580) in Zimbra Collaboration email software was exploited by four threat groups in real-world attacks to steal email data, user credentials, and authentication tokens. According to Google TAG, the vulnerability is a reflected cross-site scripting (XSS) flaw affecting Zimbra versions prior to 8.8.15 Patch 41. Multiple campaigns targeting government organizations in Greece, Moldova, Tunisia, Vietnam, and Pakistan were detected.
Critical vulnerability in FortiSIEM
Fortinet warned customers about a critical OS command injection vulnerability (CVE-2023-36553) in the FortiSIEM report server. A remote, unauthenticated attacker can abuse the flaw (assigned a severity score of 9.3 by Fortinet and 9.8 by NIST) through specially crafted API requests. It is identified as a variant of another critical vulnerability (CVE-2023-34992) fixed in early October. Organizations are urged to upgrade to FortiSIEM versions 6.4.3, 6.5.2, 6.6.4, 6.7.6, 7.0.1, or 7.1.0 or later to mitigate the risk.
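The fixed-version list above is per release branch, so "or later" has to be read within each branch (6.7.5 is unpatched even though it is newer than 6.5.2). The following is an added triage helper, not Fortinet's code, that applies that branch rule to a constructed inventory; the assumption that branches newer than 7.1 (e.g. 7.2) ship after the fix is this example's, not the briefing's.

```python
"""Check whether an installed FortiSIEM build carries the fix for CVE-2023-36553.

Added example, not Fortinet's code. Fixed builds are those listed in the
briefing (6.4.3, 6.5.2, 6.6.4, 6.7.6, 7.0.1, 7.1.0 "or later"); a build is
treated as fixed if its major.minor branch has a listed fix and its patch
number is at or above it. Branches with no listed fix (4.7 through 5.4, 6.3
and older) are treated as needing an upgrade to a fixed branch.
"""
from __future__ import annotations

# Minimum fixed build per major.minor branch, taken from the briefing.
FIXED_BUILDS = {
    (6, 4): (6, 4, 3),
    (6, 5): (6, 5, 2),
    (6, 6): (6, 6, 4),
    (6, 7): (6, 7, 6),
    (7, 0): (7, 0, 1),
    (7, 1): (7, 1, 0),
}

def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR[.PATCH]' into a tuple; a missing patch counts as 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised FortiSIEM version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]

def is_fixed(version: str) -> bool:
    """True if this build is at or above the listed fix for its own branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_BUILDS:
        return (major, minor, patch) >= FIXED_BUILDS[branch]
    # Assumption: branches newer than the highest listed fix were cut after it.
    return branch > max(FIXED_BUILDS)

def triage(inventory: dict[str, str]) -> list[str]:
    """Return hostnames whose FortiSIEM build still needs the upgrade."""
    return [host for host, ver in inventory.items() if not is_fixed(ver)]

# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "siem-prod-01": "6.7.5",
    "siem-prod-02": "6.7.6",
    "siem-lab": "5.4.0",
    "siem-new": "7.1.0",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> upgrade required")
```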
Researchers uncover 21 flaws in industrial routers
Researchers have identified 21 vulnerabilities, including one with a "Critical" severity rating, in a widely used brand of industrial routers commonly found in critical sectors such as medical and manufacturing. These OT and IoT routers are crucial for bridging internal networks with the wider Internet, often relying on 3G and 4G cellular networks. The vulnerabilities include flaws in internal components, hardcoded credentials, SSL certificate issues, and more.
Hundreds of cloned websites found
Swedish digital rights organization Qurium uncovered approximately 250 cloned websites allegedly directing users to China-linked gambling sites. Created in September 2021, the clones impersonate various organizations, including private businesses, universities, and public libraries. They include a website accused of breaching anti-money-laundering requirements, according to the UK Gambling Commission. The cloned sites were registered through Gname[.]com Pte. Ltd, a registrar known for registering domains resembling other brands for gambling purposes.