Trend Micro researchers have uncovered another campaign by Raspberry Robin operators. A major highlight of this campaign is that it comes with both real and fake payloads to evade detection. Another news-making headline involves at least five old Cisco vulnerabilities that are being exploited in the wild and the company has revised its advisory around these. Cisco IOS, NX-OS, and HyperFlex software are under surveillance of the cybercriminals.
Foxit PDF Reader and PDF Editor were found containing a critical vulnerability. Through this bug, the applications could be exposed to an out-of-bounds write vulnerability, leading to the execution of arbitrary code by a third party.
Top Breaches Reported in the Last 24 Hours
Attack on H-Hotels
The Play ransomware group claimed to have stolen an unconfirmed amount of data from H-Hotels. The group has recently listed the company as a victim on its Tor site. It allegedly pilfered private and personal data, including client documents, IDs, passport data, and more. While H-Hotels had denied the possibility of data exfiltration last week, hackers have also failed to present any proof.
Misconfigured AWS at McGraw Hill
McGraw Hill was discovered blurting out over 100,000 students' records via misconfigured AWS S3 buckets. According to vpnMentor, a single production bucket contained over 47 million files and 12TB of data whereas the other non-production bucket stored over 69 million files and 10TB of data.
A million worth of ETH swindled
Jason Brubeck, an infamous hacker, successfully exfiltrated approximately 850 ETH (~$1.04 million) worth of Bored Ape NFT collection. The hacker contacted the victim and requested to license IP rights for BAYC #2060, and proposed to make an NFT-related film. The attacker made the victim sign seaport signatures/contracts outside Opensea.
Top Malware Reported in the Last 24 Hours
Raspberry Robin’s next-level obfuscation
Trend Micro uncovered a Raspberry Robin campaign propagating to systems with worm-like capabilities, through infected USBs. In a twist, the malware can hide its payloads via multiple layers for obfuscation; it carries fake and real payloads. The real one remains obfuscated and subsequently connects to the Tor network.
Fake SentinelOne package
A cybercriminal posed a malicious package disguised as a software development kit (SDK) for SentinelOne on the PyPI repository. It was first spotted on December 11, and hackers reportedly pushed twenty versions of the malicious package in just two days. The package appears to be a fully functional SentinelOne client, however, contains a malicious backdoor.
RisePro: New information stealer
RisePro stealer malware has been found targeting sensitive information on infected systems and harvesting data in the form of logs. It may have been dropped or downloaded by the pay-per-install malware downloader service PrivateLoader, finds Flashpoint. The malware first appeared on a Russian forum.
Top Vulnerabilities Reported in the Last 24 Hours
Apple addresses Achilles bug
A vulnerability in macOS has been fixed by Apple that could be exploited by attackers to install malware on flawed devices. The bug, CVE-2022-42821, is named Achilles.
Hackers can abuse it via untrusted applications capable of bypassing Gatekeeper application execution restrictions. Gatekeeper has been found to be vulnerable to various bypass techniques in the past as well.
Old Cisco flaws on the target
Cisco has confirmed the exploitation of several old bugs—some rated ‘critical’—within its products, namely Cisco IOS, NX-OS, and HyperFlex software. It has updated multiple security advisories to assist users in applying security patches released by the company. The bugs being abused are CVE-2017-12240, CVE-2018-0125, CVE-2018-0147, CVE-2018-0171, and CVE-2021-1497.
High severity Foxit flaw
Researchers at the Renmin University of China laid bare a sensitive Foxit flaw that could enable potential RCE attacks against its flagship PDF Reader and PDF Editor products. The flaw lies within the handling of Doc objects. The security issue could be exploited when an attacker successfully manipulates its target into visiting a fake web page or accessing a malicious file.