Hackers linked to Chinese intelligence services have penetrated several US telecommunications companies.
According to a Wall Street Journal report, the hacking group exploited vulnerabilities in Cisco routers.
U.S. officials have called the spying campaign, which they blame on a Chinese hacking group known as Salt Typhoon, “historic” and “catastrophic” in scope and severity. The security breach affected major US telecommunications firms such as T-Mobile, AT&T and Verizon.
The attack, which lasted more than eight months, gave hackers access to sensitive information, including call logs and unencrypted text messages. The targets were mostly senior national security and US government officials.
The security breach, which investigators are still piecing together, represents one of the most significant cyber espionage campaigns in recent years, and its full national security implications are not yet fully understood.
High-severity bug in PostgreSQL
Cybersecurity researchers have uncovered a high-severity security flaw in the PostgreSQL database system that could allow unprivileged users to modify environment variables, potentially leading to code execution or information disclosure.
The vulnerability, tracked as CVE-2024-10979, has a CVSS score of 8.8.
Improper control of environment variables in PostgreSQL allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That is often enough to execute arbitrary code, even if the attacker has no operating-system account on the database server.
The bug has been fixed in PostgreSQL versions 17.1, 16.5, 15.9, 14.14, 13.17 and 12.21.
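A quick way to check a fleet against the fixed releases listed above is to parse the string returned by `SELECT version()` and compare it, per major line, with the first patched minor. The script below is an added example and is not from PostgreSQL or Varonis; the fixed-version table is taken from the sentence above, and the sample version strings are constructed for illustration (they would normally come from `SELECT version()` over a database connection). Major lines older than 12 were already out of support when the fix shipped and are treated as unpatched.

```python
import re

# First patched minor per major line, from the advisory text above.
FIXED_MINOR = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}
OLDEST_FIXED_MAJOR = min(FIXED_MINOR)   # anything older receives no fix

# Matches "PostgreSQL 16.5", "PostgreSQL 9.6.24", "PostgreSQL 17devel", ...
_VERSION_RE = re.compile(r"PostgreSQL\s+(\d+)(?:\.(\d+))?")


def parse_version(version_string):
    """Return (major, minor) parsed from the output of `SELECT version()`.

    Only the first two components are compared; pre-10 releases used
    three-part numbers (9.6.24) and are all unpatched anyway.  Development
    builds such as "17devel" carry no minor and are treated as minor 0,
    which is the conservative choice.
    """
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError(f"unrecognised PostgreSQL version string: {version_string!r}")
    major = int(m.group(1))
    minor = int(m.group(2)) if m.group(2) is not None else 0
    return major, minor


def is_patched(version_string):
    """True if the server runs a release containing the CVE-2024-10979 fix."""
    major, minor = parse_version(version_string)
    if major > max(FIXED_MINOR):
        return True            # a major line released after the fix
    if major < OLDEST_FIXED_MAJOR:
        return False           # end-of-life line, never patched
    return minor >= FIXED_MINOR[major]


def audit(version_strings):
    """Map each version string to a verdict; useful over an inventory export."""
    return {v: ("patched" if is_patched(v) else "VULNERABLE") for v in version_strings}


if __name__ == "__main__":
    # Constructed sample inventory, not real server output.
    inventory = [
        "PostgreSQL 16.4 (Debian 16.4-1.pgdg120+1) on x86_64-pc-linux-gnu, compiled by gcc",
        "PostgreSQL 16.5 (Debian 16.5-1.pgdg120+1) on x86_64-pc-linux-gnu, compiled by gcc",
        "PostgreSQL 14.13 on x86_64-pc-linux-gnu",
        "PostgreSQL 9.6.24 on x86_64-pc-linux-gnu",
        "PostgreSQL 17devel on x86_64-pc-linux-gnu",
    ]
    for version, verdict in audit(inventory).items():
        print(f"{verdict:10s} {version}")
```

The comparison is deliberately per major line: 16.5 is patched while 17.0 is not, so a plain numeric "newer is better" check would give the wrong answer.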
The Varonis researchers who discovered the problem said that depending on the attack scenario, it could lead to “serious security issues”.
Further details of the vulnerability are currently being kept under wraps to give users enough time to apply the fixes.
Russian hackers exploit new vulnerability in NTLM
The vulnerability, tracked as CVE-2024-43451 (CVSS score: 6.5), is an NTLM hash disclosure spoofing flaw that could be exploited to steal a user's NTLMv2 hash.
“The attack could be triggered by minimal user interaction with the malicious file. A single click or right-click on the file is all it takes,” Microsoft said.
The Ukrainian CERT-UA team linked the attacks to a Russian threat actor they are tracking as UAC-0194.
Israeli company ClearSky, which discovered the flaw in June 2024, said it was exploited as part of the Spark RAT malware attack chain. The company added that the malicious files were hosted on an official Ukrainian site that allows users to download academic certificates.
The attack chain involves sending fraudulent emails from a compromised Ukrainian government server (“doc.osvita-kp.gov[.]ua”). The attached file is designed to connect to a remote server (“92.42.96[.]30”) and download additional payloads, including Spark RAT.
Earlier this week, Microsoft issued a patch. Updating affected systems as soon as possible is recommended.
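The two indicators quoted above are published in defanged form (`[.]` for `.`), so before they can be swept against proxy, DNS or firewall logs they have to be refanged and anchored so that, for example, the IP does not also match `192.42.96.30`. The script below is an added example, not code from ClearSky, CERT-UA or Microsoft; the log lines it scans are constructed for illustration and the log format is assumed.

```python
import re

# Indicators exactly as reported above, in defanged form.
DEFANGED_IOCS = ["doc.osvita-kp.gov[.]ua", "92.42.96[.]30"]

# Constructed sample log excerpt (not real traffic). Line 4 is a near-miss
# on the IP indicator and must not be flagged.
SAMPLE_LOG = """\
2024-11-12T09:14:02Z proxy user=jdoe GET http://doc.osvita-kp.gov.ua/certificates/download 200
2024-11-12T09:14:05Z fw allow tcp 10.1.4.22:51233 -> 92.42.96.30:445
2024-11-12T09:15:11Z dns query A www.example.org from 10.1.4.22
2024-11-12T09:16:40Z fw allow tcp 10.1.4.22:51240 -> 192.42.96.30:443
"""


def refang(indicator):
    """Reverse the defanging conventions used in threat reports."""
    s = indicator.strip()
    for defanged, real in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[://]", "://")):
        s = s.replace(defanged, real)
    s = re.sub(r"^hxxp", "http", s, flags=re.I)   # hxxp:// -> http://
    return s.lower()


def build_matcher(indicators):
    """Compile one regex matching any indicator as a whole token.

    The look-arounds stop 92.42.96.30 from matching inside 192.42.96.30 or
    92.42.96.301, and keep host matching exact (a subdomain of an indicator
    domain is not reported; widen the lookbehind if you want that).
    """
    refanged = [refang(i) for i in indicators]
    alternation = "|".join(re.escape(i) for i in refanged)
    return re.compile(rf"(?<![\w.-])(?:{alternation})(?![\w-])")


def scan_log(text, indicators=DEFANGED_IOCS):
    """Return [(line_number, matched_indicator), ...] for every hit in text."""
    matcher = build_matcher(indicators)
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in matcher.finditer(line.lower()):
            hits.append((lineno, m.group(0)))
    return hits


if __name__ == "__main__":
    for lineno, ioc in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {ioc}")
```

Because the advisory describes NTLMv2 hash disclosure, outbound SMB (TCP 445) from a workstation to an external address, as in the second sample line, is the kind of event worth alerting on even when the destination is not yet on an indicator list.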
North Korean hackers target macOS
North Korea-linked attackers have been found to insert malware into Flutter apps, the first time this tactic has been used by an adversary to infect Apple devices running macOS.
Jamf Threat Labs, which reported the discovery based on artifacts uploaded to the VirusTotal platform, said the apps created in Flutter are part of a broader activity that includes malware written in Golang and Python.
“We suspect that these particular examples are test examples and it is possible that they have not yet been distributed,” Jaron Bradley, director of Jamf Threat Labs, told The Hacker News.
Jamf did not attribute the malicious activity to a specific hacking group, but it may have been the work of a Lazarus subgroup known as BlueNoroff. This connection stems from infrastructure overlaps with the KANDYKORN malware and with the Hidden Risk campaign recently highlighted by SentinelOne.
The new malware stands out because it embeds its primary payload in a Flutter app that masquerades as a fully functional Minesweeper game.
Additionally, the game appears to be a clone of an iOS game that is publicly available on GitHub.
Vietnamese hacking group deploys new PXA Stealer targeting Europe and Asia
A Vietnamese-speaking hacking group targeting government and educational entities in Europe and Asia is using new Python-based malware called PXA Stealer.
“This malware targets sensitive information including access to various online accounts, VPN and FTP clients, financial information, and cookies,” Cisco Talos researchers said.
The connection to Vietnam is evident from the presence of Vietnamese comments and a hard-coded Telegram account called “Lone None” in the attacker’s program.
The PXA Stealer infection begins with a phishing email carrying a ZIP archive that contains a Rust-based loader and a hidden folder holding several Windows scripts and a decoy PDF.
Once the archive is unzipped, the scripts responsible for opening the decoy document, a Glassdoor job application form, are executed. At the same time, PowerShell commands are run to download and execute additional tools capable of disabling antivirus programs on the host, followed by deployment of the stealer itself.
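The archive layout described above (a decoy document and a loader at the top level, scripts tucked into a hidden folder) is a pattern a mail gateway or sandbox can triage before anything is opened. The script below is an added example, not code from Cisco Talos or from the malware; it builds a constructed sample archive that mirrors the described layout, then inspects it with `zipfile`. The exact script, binary and decoy extensions, and the rule that the combination of all three is what makes an archive suspicious, are assumptions of this example, not findings from the report.

```python
import io
import os
import zipfile

# Assumed file classes: the report names a Rust loader, "Windows scripts" and
# a decoy PDF without listing extensions.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".ps1", ".js", ".wsf"}
BINARY_EXTS = {".exe", ".dll", ".scr"}
DECOY_EXTS = {".pdf", ".doc", ".docx"}
DOS_HIDDEN = 0x02          # DOS "hidden" attribute, low byte of external_attr


def triage_zip(zip_bytes):
    """Classify the entries of one archive and flag the lure pattern."""
    hidden_dirs, scripts, binaries, decoys = set(), [], [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        # Pass 1: directory entries hidden via the DOS attribute (explicit
        # entries are optional in ZIP, so pass 2 also checks dotted names).
        for info in infos:
            if info.is_dir() and info.external_attr & DOS_HIDDEN:
                hidden_dirs.add(info.filename)
        # Pass 2: classify files and note whether each sits in a hidden folder.
        for info in infos:
            if info.is_dir():
                continue
            name = info.filename
            parts = name.split("/")
            for depth, comp in enumerate(parts[:-1]):
                if comp.startswith("."):
                    hidden_dirs.add("/".join(parts[:depth + 1]) + "/")
            in_hidden = any(name.startswith(d) for d in hidden_dirs) \
                or bool(info.external_attr & DOS_HIDDEN)
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPT_EXTS:
                scripts.append((name, in_hidden))
            elif ext in BINARY_EXTS:
                binaries.append((name, in_hidden))
            elif ext in DECOY_EXTS:
                decoys.append(name)

    reasons = []
    if hidden_dirs:
        reasons.append(f"hidden folder(s): {sorted(hidden_dirs)}")
    if any(hidden for _, hidden in scripts):
        reasons.append("scripts inside a hidden folder")
    if binaries and decoys:
        reasons.append("executable shipped alongside a document decoy")
    # Assumed verdict rule: only the full combination is flagged, so a plain
    # PDF-plus-installer bundle or a lone .bat does not trip it.
    suspicious = bool(hidden_dirs and scripts and (binaries or decoys))
    return {"suspicious": suspicious, "reasons": reasons,
            "hidden_dirs": sorted(hidden_dirs), "scripts": scripts,
            "binaries": binaries, "decoys": decoys}


def build_lure_archive():
    """Constructed sample mirroring the described layout; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Application/Glassdoor_Job_Application.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Application/Application.exe", b"MZ placeholder loader")
        hidden = zipfile.ZipInfo("Application/.data/")   # DOS-hidden directory entry
        hidden.external_attr = 0x10 | DOS_HIDDEN
        zf.writestr(hidden, b"")
        zf.writestr("Application/.data/open_doc.bat",
                    b"@echo off\r\nstart ..\\Glassdoor_Job_Application.pdf\r\n")
        zf.writestr("Application/.data/stage2.ps1", b"# placeholder\r\n")
    return buf.getvalue()


def build_benign_archive():
    """Constructed control archive with nothing suspicious in it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/beach.jpg", b"\xff\xd8\xff")
        zf.writestr("photos/notes.txt", b"holiday")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_lure_archive()), ("benign", build_benign_archive())):
        result = triage_zip(blob)
        print(label, "suspicious" if result["suspicious"] else "clean", result["reasons"])
```

Hidden folders are detected both by a leading dot in a path component and by the DOS hidden attribute on an explicit directory entry, because Windows Explorer honours the attribute while many extractors honour neither, so the folder may be invisible to the victim but fully visible to the triage code.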
A notable feature of the PXA Stealer is the emphasis on stealing Facebook cookies, using them to interact with the Ads Manager and Graph API to collect additional account details and related ad information.
Targeting business and advertising accounts on Facebook is a recurring phenomenon among Vietnamese threat actors.