Russian hacker Dmitry Khoroshev unmasked as LockBit ransomware administrator

The UK’s National Crime Agency (NCA) has revealed the administrator and developer of the LockBit ransomware. He is a 31-year-old Russian citizen named Dmitry Yuryevich Khoroshev.

Europol said in a press release that authorities have more than 2,500 decryption keys and are continuing to contact victims of the LockBit ransomware to offer support.

Khoroshev, who went by the aliases LockBitSupp and putinkrab, has also been subject to an asset freeze and travel ban, with the US State Department offering a reward of up to $10 million for information leading to his arrest and/or conviction.

For all charges, Khoroshev faces a sentence of 185 years in prison. He also faces a $250,000 fine for each of the charges.

“Today’s announcement is another big nail in LockBit’s coffin and our investigation into the company continues,” said NCA CEO Graeme Biggar.

Security vulnerabilities in the popular PostgreSQL database management tool pgAdmin

The pgAdmin tool recently addressed two significant security vulnerabilities. These vulnerabilities, present up to and including version 8.5, posed a serious risk to users by potentially allowing unauthorized actions and script execution.

The vulnerabilities, tracked as CVE-2024-4215 and CVE-2024-4216, had a CVSS severity rating of 7.4.

CVE-2024-4215: Authentication Bypass Error

Attackers could exploit this vulnerability to completely bypass multi-factor authentication (MFA). Even if you have carefully implemented MFA, older versions of pgAdmin were at risk. With just a user’s login credentials, attackers could gain control of a pgAdmin instance, manipulate data, exfiltrate sensitive information, and potentially conduct other attacks.

CVE-2024-4216: Cross-Site Scripting (XSS) vulnerability

This vulnerability is located in the pgAdmin application setup API. If exploited, an attacker could inject malicious code that would execute in the victim’s browser.

Both vulnerabilities have been resolved with the release of version 8.6 of pgAdmin. Users of pgAdmin are strongly advised to update to the latest version.

Security vulnerability found in popular Yoast SEO plugin

A security vulnerability identified as CVE-2024-4041, with a score of 6.1, has been discovered in Yoast SEO, the most popular search engine optimization plugin for WordPress.

The XSS (Cross-Site Scripting) issue stems from insufficient input sanitization and output escaping mechanisms within the plugin, particularly in the way URLs are handled. The vulnerability is localized in the add_premium_link() function of the WPSEO_Admin_Bar_Menu class, which adds a promotional link to the WordPress admin panel.

This vulnerability allows unauthenticated attackers to inject arbitrary web scripts into a site. A malicious script could potentially allow an attacker to create new admin users, inject backdoors, or redirect visitors to malicious websites.

All versions of Yoast SEO up to version 22.5 are vulnerable.

A DHCP vulnerability called “TunnelVision” allows attackers to bypass the VPN and redirect traffic

A new technique called “TunnelVision” exploits a design flaw in DHCP that lets attackers manipulate a host’s routing table so that traffic meant for the VPN tunnel bypasses it entirely and is redirected to the attacker’s own network.

“VPN users who expect VPNs to protect them on untrusted networks are just as susceptible to attacks as if they were not using a VPN,” wrote researchers at the Leviathan Security Group.

The researchers explained that TunnelVision exploits CVE-2024-3661, a high-severity flaw in the DHCP design: messages such as the classless static route option (Option 121) are not authenticated, which leaves them open to tampering.
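As an added example (not code from the Leviathan write-up), the following Python decoder parses a DHCP Option 121 payload and flags pushed routes that would override the routes a full-tunnel VPN installs. The VPN prefixes 0.0.0.0/1 and 128.0.0.0/1, the LAN allowlist and the sample option bytes are assumptions constructed for this demonstration.

```python
import ipaddress

# Assumption: a full-tunnel VPN commonly routes these two halves of the IPv4
# space through the tunnel interface (e.g. OpenVPN "redirect-gateway def1").
VPN_COVERED = [ipaddress.ip_network("0.0.0.0/1"),
               ipaddress.ip_network("128.0.0.0/1")]


def parse_option_121(data):
    """Decode RFC 3442 classless static routes: each entry is a prefix width
    byte, only the significant destination octets, then a 4-byte router."""
    routes, i = [], 0
    while i < len(data):
        width = data[i]
        if width > 32:
            raise ValueError(f"invalid prefix width {width}")
        n = (width + 7) // 8                      # significant octets present
        if i + 1 + n + 4 > len(data):
            raise ValueError("truncated Option 121 payload")
        dest = data[i + 1:i + 1 + n] + bytes(4 - n)   # zero-pad to 4 octets
        router = ipaddress.IPv4Address(data[i + 1 + n:i + 1 + n + 4])
        routes.append((ipaddress.IPv4Network((dest, width), strict=False), router))
        i += 1 + n + 4
    return routes


def tunnel_bypass_routes(routes, allowlist):
    """Return routes that are at least as specific as a VPN-covered prefix and
    overlap it, i.e. routes the kernel would prefer over the tunnel. Routes
    inside an allowlisted network (the local LAN) are expected and skipped."""
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    flagged = []
    for net, router in routes:
        if any(net.subnet_of(a) for a in allowed):
            continue
        if any(net.overlaps(v) and net.prefixlen >= v.prefixlen for v in VPN_COVERED):
            flagged.append((net, router))
    return flagged


# Constructed sample payload: 192.168.1.0/24, default route, 8.0.0.0/8 and
# 128.0.0.0/1, all via 192.168.1.1. The last two pull traffic out of the tunnel.
SAMPLE_OPTION_121 = bytes([24, 192, 168, 1, 192, 168, 1, 1,
                           0, 192, 168, 1, 1,
                           8, 8, 192, 168, 1, 1,
                           1, 128, 192, 168, 1, 1])

if __name__ == "__main__":
    for net, gw in tunnel_bypass_routes(parse_option_121(SAMPLE_OPTION_121),
                                        ["192.168.1.0/24"]):
        print(f"tunnel bypass candidate: {net} via {gw}")
```

The same decoder can be run over Option 121 bytes captured from a DHCP offer on an untrusted network to see which destinations the server is trying to steer around the tunnel.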

FIN7 hackers use signed malware and fake Google ads

Researchers at eSentire’s Threat Response Unit have uncovered a disturbing trend in attacks by the FIN7 group. The campaign targets users with malicious websites masquerading as legitimate brands to spread NetSupport RAT and the powerful DiceLoader malware.

In a series of incidents recorded in April 2024, the FIN7 group created malicious websites that convincingly impersonated reputable companies such as AnyDesk, WinSCP, BlackRock, Asana, Concur, The Wall Street Journal, Workable, and Google Meet.

Visitors to these sites encountered pop-up notifications urging them to download seemingly innocuous browser extensions. However, these pop-ups were a cover for initiating the download of MSIX files, a package format used by Windows applications that appeared legitimate but contained a malicious payload.

When visiting the malicious sites through sponsored Google ads, users unknowingly triggered the download of these MSIX files, which were cleverly crafted to deploy the NetSupport Remote Access Trojan (RAT) and subsequently DiceLoader.

The MSIX files used in these attacks were found to be signed by “SOFTWARE SP Z O O” and “SOFTWARE BYTES LTD”, giving them the appearance of legitimacy. eSentire has contacted GlobalSign to revoke these certificates to mitigate the risks associated with these files.