It is always good to see malware networks being taken down by security researchers and law enforcement. This time, it is the Glupteba botnet comprising over one million devices. While one malware bites the dust, others continue to rear their ugly heads. A new variant of Cerber was spotted targeting Atlassian Confluence and GitLab servers, whereas the operators behind Emotet updated their tactics to directly deploy Cobalt Strike beacons on infected systems.
In the last 24 hours, the discovery of new security weaknesses in widely used applications like the call center software suite GOautodial and a USB-over-Ethernet software by Eltima raised security concerns for many organizations. Moreover, security misconfigurations led to data leaks at a French transport operator and an Asian mobile payment provider.
Top Breaches Reported in the Last 24 Hours
Hotel chain hit by ransomware
Nordic Choice Hotels, one of the largest Scandinavian hotel chains, suffered an attack on its systems by the Conti ransomware group. The incident primarily impacted the hotel chain's guest reservation and room key card systems.
Breach at French public transport operator
Régie Autonome des Transports Parisiens (RATP), a state-owned French transportation company, inadvertently leaked the data of 57,000 employees due to an unsecured HTTP server. The exposed records included employees’ full names, email addresses, logins, and MD5-hashed passwords. The server also contained source code related to RATP’s employee benefits portal.
LINE Pay leaks customer data
Mobile payment provider LINE Pay disclosed a breach wherein around 133,000 users' payment details were mistakenly published on GitHub for around three months between September and November. The leaked data included the date, time, and amount of transactions, as well as user and franchise store identification numbers.
Top Malware Reported in the Last 24 Hours
Emotet changes tactics
Researchers from Cryptolaemus recently reported a change in the tactics used by Emotet operators. The infamous malware now installs Cobalt Strike beacons directly to gain access to targeted networks. Previously, the attack chain would first install the TrickBot or Qbot trojans on an infected system, which, in turn, would deploy Cobalt Strike.
New Cerber ransomware
Researchers discovered a new ransomware family that has adopted the Cerber name previously used by a different ransomware dating back to 2016. The new Cerber version targets Atlassian Confluence and GitLab servers by exploiting remote code execution vulnerabilities.
Cryptominer targets NAS devices
QNAP released a security advisory warning users of a new strain of cryptomining malware, which is targeting its Network-Attached Storage (NAS) devices. Once the malware infects a NAS device, it creates a process named “[oom_reaper]” that eats up around 50% of the total CPU usage for cryptomining purposes.
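The "[oom_reaper]" name is borrowed from a genuine Linux kernel thread, so a simple name match is not enough to spot the impostor. The script below is an added example (not code from QNAP's advisory) showing the check a defender can run on a Linux or NAS shell: ps only prints a process name in brackets when its /proc/<pid>/cmdline is empty, and a real kernel thread also has no /proc/<pid>/exe target, so a bracketed name that comes with a command line or an on-disk executable is a masquerade. The sample process records, the partial list of kernel thread names, the 40% CPU threshold and the /share/.x/oomr path are all constructed for illustration.

```python
"""Spot user-space processes posing as Linux kernel threads.

Added example, not code from QNAP's advisory. ps shows a process name in
brackets (e.g. "[oom_reaper]") only when /proc/<pid>/cmdline is empty,
which holds for genuine kernel threads; those also have no readable
/proc/<pid>/exe target. A bracketed name plus user-space traits is
therefore a masquerade, and sustained high CPU on top of it matches the
miner behaviour described in the advisory.
"""
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Partial list of genuine kernel thread names, constructed for this example.
KNOWN_KERNEL_THREADS = {"oom_reaper", "kthreadd", "kswapd0", "ksoftirqd/0", "migration/0"}


@dataclass
class ProcInfo:
    pid: int
    name: str                            # as ps would show it, e.g. "[oom_reaper]"
    cmdline: str                         # "" for a genuine kernel thread
    exe: str                             # "" when /proc/<pid>/exe has no target
    cpu_percent: Optional[float] = None  # from external telemetry, if available


def is_masquerading(p: ProcInfo) -> bool:
    """Claims to be a kernel thread but carries a command line or an executable."""
    bare = p.name.strip("[]")
    claims_kernel = p.name.startswith("[") or bare in KNOWN_KERNEL_THREADS
    has_userspace_traits = bool(p.cmdline) or bool(p.exe)
    return claims_kernel and has_userspace_traits


def severity(p: ProcInfo, cpu_threshold: float = 40.0) -> str:
    """'none', 'medium' (masquerade only) or 'high' (masquerade plus heavy CPU)."""
    if not is_masquerading(p):
        return "none"
    if p.cpu_percent is not None and p.cpu_percent >= cpu_threshold:
        return "high"
    return "medium"


def triage(procs: List[ProcInfo], cpu_threshold: float = 40.0) -> List[Tuple[int, str, str]]:
    """Return (pid, name, severity) for every masquerading process."""
    return [(p.pid, p.name, severity(p, cpu_threshold)) for p in procs if is_masquerading(p)]


def collect_live_processes() -> List[ProcInfo]:
    """Read /proc on a live Linux host; CPU share is left to other telemetry."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        base = f"/proc/{entry}"
        try:
            with open(f"{base}/comm") as f:
                comm = f.read().strip()
            with open(f"{base}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited or access denied
        try:
            exe = os.readlink(f"{base}/exe")
        except OSError:
            exe = ""  # kernel threads have no exe target
        name = comm if cmdline else f"[{comm}]"  # mimic the ps display convention
        procs.append(ProcInfo(int(entry), name, cmdline, exe))
    return procs


# Constructed sample: a real oom_reaper thread, an impostor, and an ordinary daemon.
SAMPLE = [
    ProcInfo(49, "[oom_reaper]", "", "", 0.0),
    ProcInfo(2311, "[oom_reaper]", "[oom_reaper]", "/share/.x/oomr", 51.2),
    ProcInfo(1200, "nginx", "nginx: worker process", "/usr/sbin/nginx", 3.1),
]

if __name__ == "__main__":
    for pid, name, sev in triage(SAMPLE):
        print(f"pid={pid} name={name} severity={sev}")
```

Running it against the constructed sample flags only pid 2311; on a live host, pass collect_live_processes() to triage() instead of SAMPLE and join the result with whatever CPU telemetry the device exposes.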
Glupteba botnet taken down
Google’s TAG dismantled the Glupteba botnet, which compromised around 1 million Windows and IoT devices. The blockchain-enabled botnet is known for spreading via fake pirated software, fake YouTube videos, malicious documents, and traffic distribution systems, among others.
Top Vulnerabilities Reported in the Last 24 Hours
Critical flaws in Eltima SDK
Researchers from SentinelOne disclosed 27 vulnerabilities in a USB-over-Ethernet driver software developed by Eltima. Eltima SDK is used in many cloud desktop tools like Amazon WorkSpaces, Accops, and NoMachine. These vulnerabilities can allow attackers to escalate privileges, disable security products, overwrite system components, corrupt the operating system, and perform other malicious activities.
Windows 10 RCE bug
Positive Security researchers discovered a drive-by remote code execution flaw in Windows 10 via Internet Explorer 11/Edge Legacy and Microsoft Teams. Researchers said that the issue stems from an argument injection weakness in the default URI handler of Windows 10/11.
Urgent update for Grafana dashboard
The proof-of-concept code to exploit a critical path traversal vulnerability in the Grafana dashboard was released recently. The vulnerability, tracked as CVE-2021-43798, was fixed by Grafana Labs with the release of an emergency security update in versions 8.3.1, 8.2.7, 8.1.8, and 8.0.7.
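With exploit code public, the question for most teams is simply whether each Grafana instance runs a fixed release. The script below is an added example (not Grafana Labs' code) that compares a version string against the fixed releases named above, per 8.x branch. It assumes that 8.x branches newer than 8.3 shipped after the fix and are safe, reports releases below 8.0 as unknown rather than guessing, treats a pre-release of a fix version as unpatched, and reads the running version from Grafana's unauthenticated /api/health reply; the sample reply is constructed.

```python
"""Check a Grafana version against the CVE-2021-43798 fixed releases.

Added example, not Grafana Labs' code. FIXED holds the versions listed in
the advisory: 8.3.1, 8.2.7, 8.1.8 and 8.0.7. Assumptions: an 8.x branch
newer than 8.3 postdates the fix and is treated as patched; releases
below 8.0 are outside what this note covers and are reported as unknown.
"""
import json
import re
from typing import Optional, Tuple

# minor branch -> first patch level that contains the fix
FIXED = {(8, 3): 1, (8, 2): 7, (8, 1): 8, (8, 0): 7}
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(s: str) -> Tuple[int, int, int, Optional[str]]:
    """Split '8.3.1' or 'v8.3.0-beta2' into (major, minor, patch, prerelease)."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def is_patched(version: str) -> Optional[bool]:
    """True if at or after the branch's fix, False if before, None if not covered."""
    major, minor, patch, pre = parse_version(version)
    if major > 8 or (major == 8 and minor > 3):
        return True   # assumption: later branches were released after the fix
    if major < 8:
        return None   # below the branches named in the advisory
    first_safe = FIXED[(major, minor)]
    if patch != first_safe:
        return patch > first_safe
    return pre is None  # a pre-release of the fix version predates the fix


def version_from_health(body: str) -> str:
    """Grafana's unauthenticated /api/health reply carries the running version."""
    return json.loads(body)["version"]


# Constructed sample reply in the shape /api/health returns.
SAMPLE_HEALTH = '{"commit": "abc123", "database": "ok", "version": "8.2.5"}'

if __name__ == "__main__":
    running = version_from_health(SAMPLE_HEALTH)
    print(running, is_patched(running))  # 8.2.5 False
```

Feed the body of GET /api/health from each instance into version_from_health() and treat a False result as a server to patch first and a None result as one to verify against the full advisory.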
Vulnerabilities in GOautodial
Synopsys released an advisory uncovering two API vulnerabilities in GOautodial, an open-source call center software suite. The vulnerabilities revealed by Synopsys are a broken authentication flaw (CVE-2021-43175) and a remote code execution flaw (CVE-2021-43176). GOautodial API versions created prior to September 27 are vulnerable to these flaws.
Top Scams Reported in the Last 24 Hours
University phishing scams
Proofpoint researchers reported an uptick in phishing emails targeting U.S. universities in an attempt to steal login credentials for university networks. The emails leverage COVID-19-related themes, including lures around testing information and the new Omicron variant.