
Cyware Daily Threat Intelligence

Daily Threat Briefing Nov 27, 2023

The notorious Lazarus group is back with its latest espionage act against users of MagicLine4NX, a security authentication software. The attacks affect South Korea and organizations worldwide, with the attackers abusing a zero-day bug to gain unauthorized access to targeted organizations' networks and information. Continuing on what's bugging us, a set of three critical flaws has been discovered in the open-source file-sharing software ownCloud. These security issues could enable attackers to access sensitive information and modify files.

Meanwhile, the use of web shells continues to amplify in cyberspace. Recently, an unidentified government entity in Afghanistan faced an espionage attack that utilized a web shell named HrServ. The newly discovered web shell features sophisticated traits like custom encoding methods and in-memory execution, with variants dating back to early 2021.

Top Breaches Reported in the Last 24 Hours

Sensitive data from 600 schools exposed

IT company Appscook, which develops applications used by over 600 schools in India and Sri Lanka for education management, reportedly exposed a massive amount of sensitive data due to a misconfiguration of its systems. The exposed DigitalOcean storage bucket, left open without authentication, contained nearly a million files, including photos of minors, home addresses, birth certificates, and other personal information.

Iranian group targets water authority

The Municipal Water Authority of Aliquippa, Pennsylvania, reported a cyberattack by the Iranian-backed group CyberAv3ngers that took control of one of its booster stations. The affected station, responsible for monitoring and regulating pressure in specific townships, triggered an alarm upon the hack. The compromised system, which uses Israeli-owned Unitronics software or components, was disabled. Officials emphasized that there is no known risk to drinking water.

General Electric investigates breach

General Electric is investigating a cyberattack after a threat actor named IntelBroker claimed to have breached the company's development environment. The attacker also attempted to sell access to its "development and software pipelines." The threat actor allegedly stole both network access and data, including DARPA-related military information.

Ransomware attack cripples healthcare provider

Vanderbilt University Medical Center (VUMC) reported a breach following claims by the Meow ransomware group that it compromised one of its databases. The hospital system was added to the Meow ransomware gang's leak site on Thanksgiving. While VUMC confirmed the cyber incident, details such as the nature of the attack and the potential use of ransomware remain undisclosed. Preliminary findings suggest no harm to any personal or protected information about patients or employees.

$54 million stolen in DeFi exploit

Cryptocurrency platform KyberSwap fell victim to a cyberattack, with criminals stealing approximately $54.7 million worth of cryptocurrency. The incident, described as one of the most sophisticated in DeFi history, occurred when attackers executed complex actions to exploit swaps and withdraw users' funds into their wallets. KyberSwap has paused deposits and is negotiating with the attackers to recover the funds.

Chinese energy firm held to ransom

The Rhysida ransomware group has targeted the China Energy Engineering Corporation, a state-owned entity in China specializing in energy and infrastructure projects. The ransomware operators claim to have stolen a substantial amount of data and are auctioning it in exchange for cryptocurrency. They intend to sell this stolen data to a single buyer. A seven-day ultimatum was given to prevent the leak of stolen data.

Top Malware Reported in the Last 24 Hours

Advanced web shell ‘HrServ’ emerges

A sophisticated web shell was found being used in a suspected APT attack targeting an unspecified government entity in Afghanistan. The web shell, identified as a DLL named 'hrserv.dll', exhibited advanced features such as custom encoding methods and in-memory execution. The attack involves the use of the PAExec RAT and employs various evasion techniques, including mimicking Google services in network traffic. While the threat actor behind the web shell remains unidentified, the campaign is suspected to have been ongoing since early 2021.

Top Vulnerabilities Reported in the Last 24 Hours

ownCloud flaws could lead to data exposure

ownCloud, an open-source file-sharing software, has disclosed three critical security vulnerabilities that could potentially lead to the exposure of sensitive information and unauthorized modification of files. The vulnerabilities include issues in the graphapi app, an authentication bypass flaw affecting core versions, and a subdomain validation bypass bug in the oauth2 library. These flaws could pose serious risks, including the disclosure of credentials and configuration details, unauthorized file access, and potential subdomain-based attacks.

Privilege escalation threat in Dell systems

Dell Command Configure, a software package enabling the configuration of BIOS on Dell client systems, has been found to have a high-severity vulnerability. CVE-2023-43086 is categorized as an improper access control issue and could potentially be exploited by local malicious users during an application upgrade to modify files within the installation folder, leading to privilege escalation.

Lazarus abuses zero-day in MagicLine4NX

The NCSC and South Korea’s NIS issued a joint warning against the Lazarus hacking group leveraging a zero-day flaw in the MagicLine4NX software. MagicLine4NX is a joint certificate program used for security authentication and digital transaction signing. The zero-day exploit allowed Lazarus to conduct a series of supply-chain attacks, starting with a watering hole attack on a media outlet's website.

Top Scams Reported in the Last 24 Hours

$1 million rug pull scam uncovered

Check Point identified a new cryptocurrency scam involving rug pull tactics, resulting in nearly $1 million in losses for investors. The scam utilized counterfeit tokens, such as GROK 2.0, to attract unsuspecting buyers. It involved creating tokens, injecting funds into the token pool to create the appearance of legitimacy, and simulating trading activity. Investors were drawn in by the inflated demand, and when a critical mass was reached, the scammer withdrew the liquidity, causing significant financial losses.