
Cyware Daily Threat Intelligence, June 21, 2024


The RansomHub ransomware collective has taken its malevolent craft to new heights, unveiling an encryptor explicitly tailored for VMware ESXi environments. This specialized ESXi encryptor boasts unique capabilities aimed at virtual machines, including an intriguing feature to selectively exclude certain VMs from its encryption grasp and a self-deletion mechanism post-execution. 

Meanwhile, the digital landscape suffers under the weight of CosmicSting, a grave vulnerability plaguing approximately 75% of Adobe Commerce and Magento e-commerce platforms, leaving millions of sites perilously exposed to XML external entity injection and remote code execution. In response, Adobe has issued critical patches across several versions.

On another front, a newly surfaced botnet, christened Zergeca, is redefining the boundaries of cyber threats with its advanced capabilities surpassing conventional DDoS attacks. Zergeca supports an arsenal of six distinct attack vectors, including the formidable ackFlood DDoS assault. Its repertoire extends beyond mere attacks, featuring proxying, scanning, self-upgrading, persistence, file transfer, reverse shell access, and the harvesting of sensitive device information. 

Top Malware Reported in the Last 24 Hours

RansomHub ransomware targets VMware ESXi
The RansomHub ransomware operation has developed a specialized encryptor for VMware ESXi environments, in addition to its Windows and Linux versions. This ESXi encryptor includes specific features for targeting virtual machines, such as the ability to exclude certain VMs from encryption and delete itself after execution. The encryption scheme involves partial encryption to improve performance, and the ransom note is placed in visible locations within the ESXi environment. Additionally, a bug has been found in the ESXi variant that organizations can exploit to put the ransomware into an endless loop, providing a temporary defense until the bug is fixed in updated versions.

Chinese APTs target telcos with custom malware
Chinese state-linked espionage groups have been conducting a sustained hacking campaign targeting telecommunications operators in an unnamed Asian country since at least 2021. The attackers used custom malware variants including Coolclient, Quickheal, and Rainyday, along with various tactics and procedures to compromise targets, suggesting Chinese state sponsorship. The motives behind the campaign remain uncertain, but potential objectives include intelligence gathering and developing disruptive capabilities against critical infrastructure.

New botnet in threat landscape
A recently discovered botnet, named Zergeca, is a sophisticated malware that exhibits advanced capabilities beyond typical DDoS attacks. Zergeca is a Golang-based botnet that supports six different attack methods, including the ackFlood (atk_4) DDoS attack. It has additional features such as proxying, scanning, self-upgrading, persistence, file transfer, reverse shell, and collecting sensitive device information. The botnet's C2 IP address has been serving at least two Mirai botnets since September 2023, suggesting the author's prior experience with Mirai. Zergeca primarily propagates by exploiting weak Telnet passwords and specific known vulnerabilities such as CVE-2022-35733 and CVE-2018-10562. 
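Zergeca's spread through weak Telnet passwords leaves a recognisable trace on the device side: a burst of failed logins from one source, often followed by a success. The detector below is an added example, not code from the Zergeca report; the syslog format and the `telnetd` message wording are constructed for illustration (adjust `LINE_RE` to whatever your devices actually emit), and the year is assumed because syslog timestamps carry none.

```python
"""Flag Telnet credential spraying and a follow-on successful login.

Added example; the log lines, their format and the 2024 year assumption are
constructed for this illustration and are not taken from the original report.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed message shape: "<ts> <host> telnetd[pid]: login failed|succeeded for user '<u>' from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for user '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)

# Constructed sample: one source cycling common account names, then getting in;
# a second source performs one ordinary login.
SAMPLE_LOG = """\
Jun 21 03:14:07 cam-01 telnetd[412]: login failed for user 'root' from 203.0.113.45
Jun 21 03:14:09 cam-01 telnetd[412]: login failed for user 'admin' from 203.0.113.45
Jun 21 03:14:11 cam-01 telnetd[412]: login failed for user 'root' from 203.0.113.45
Jun 21 03:14:13 cam-01 telnetd[412]: login failed for user 'support' from 203.0.113.45
Jun 21 03:14:15 cam-01 telnetd[412]: login failed for user 'root' from 203.0.113.45
Jun 21 03:14:18 cam-01 telnetd[412]: login succeeded for user 'root' from 203.0.113.45
Jun 21 03:20:02 cam-01 telnetd[412]: login succeeded for user 'operator' from 198.51.100.7
"""


def parse_line(line: str, year: int = 2024):
    """Parse one syslog line into a dict, or None if it is not a telnet auth event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def detect(log_text: str, threshold: int = 5, window_seconds: int = 60):
    """Return alerts: a 'telnet_spray' when one source reaches `threshold`
    failures inside `window_seconds`, and a 'possible_compromise' for any
    later successful login from a source already flagged as a sprayer."""
    alerts = []
    recent = defaultdict(list)   # src -> timestamps of failures inside the window
    users = defaultdict(set)     # src -> account names it has tried
    sprayers = set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "failed":
            window = recent[src]
            window.append(ts)
            users[src].add(ev["user"])
            # Slide the window: discard failures older than window_seconds.
            while (ts - window[0]).total_seconds() > window_seconds:
                window.pop(0)
            if len(window) >= threshold and src not in sprayers:
                sprayers.add(src)
                alerts.append({"type": "telnet_spray", "src": src, "host": ev["host"],
                               "failures": len(window), "users": sorted(users[src]),
                               "at": ts})
        elif src in sprayers:
            alerts.append({"type": "possible_compromise", "src": src,
                           "host": ev["host"], "user": ev["user"], "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a success from a source that has just been spraying is the moment the device becomes a bot, and the response is to disable Telnet (or at least rotate the credential) on that host rather than only block the source.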

Top Vulnerabilities Reported in the Last 24 Hours

CosmicSting bug stings E-commerce platforms
A critical vulnerability called CosmicSting has been found impacting around 75% of Adobe Commerce and Magento e-commerce sites, leaving millions of websites vulnerable to XML external entity injection and remote code execution. The bug is tracked as CVE-2024-34102 and has a CVSS score of 9.8. Adobe has released fixes for the vulnerability in versions: Adobe Commerce 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9; Adobe Commerce Extended Support 2.4.3-ext-8 and earlier; Magento Open Source 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9; and Adobe Commerce Webhooks Plugin version 1.5.0.
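Patching to the versions listed above is the fix for CosmicSting itself; the example below is added here to show the general defensive principle behind XML external entity injection, and is not Adobe's or Magento's code (those platforms are PHP; this uses Python's standard expat parser purely for illustration). Any endpoint that accepts XML from clients should refuse a document that declares a DTD or entities at all, rather than relying on the parser not to resolve them. The sample payloads, including the `file:///constructed/example` reference, are constructed.

```python
"""Parse untrusted XML while refusing DOCTYPE and entity declarations.

Added example, not code from the CosmicSting advisory or the affected
products. Demonstrates fail-closed handling of XML input: the first sign
of a DTD aborts parsing before any entity could be expanded.
"""
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document tries to declare a DTD or an entity."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    raise UnsafeXMLError(f"DOCTYPE declaration not allowed: {doctype_name!r}")


def _reject_entity(entity_name, is_parameter_entity, value, base,
                   system_id, public_id, notation_name):
    raise UnsafeXMLError(f"entity declaration not allowed: {entity_name!r}")


def parse_untrusted_xml(data: bytes) -> dict:
    """Return {tag: text} for the leaf elements of a client-supplied document.

    A DOCTYPE or ENTITY declaration raises UnsafeXMLError; malformed XML
    raises xml.parsers.expat.ExpatError.
    """
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    # Belt and braces: never process parameter entities even if a DTD got through.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    leaves: dict = {}
    text: list = []

    def start(name, attrs):
        text.clear()            # a new element starts; discard parent's text so far

    def chars(content):
        text.append(content)

    def end(name):
        value = "".join(text).strip()
        if value:               # only elements with their own text are leaves
            leaves[name] = value
        text.clear()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return leaves


def is_safe_xml(data: bytes) -> bool:
    """True if the document parses with no DTD and no entity declarations."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXMLError, xml.parsers.expat.ExpatError):
        return False


# Constructed samples: an ordinary order document and one carrying an
# external-entity declaration (the SYSTEM target is a placeholder, not a real path).
BENIGN = b"<order><sku>ABC-123</sku><qty>2</qty></order>"
HOSTILE = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///constructed/example">]>'
           b'<order><sku>&ext;</sku></order>')

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    print("hostile accepted?", is_safe_xml(HOSTILE))
```

Rejecting the DOCTYPE outright is deliberately blunt: legitimate clients of an e-commerce API have no reason to ship a DTD, so refusing it costs nothing and removes the entire class of entity-expansion bugs from the attack surface, independent of which parser flags are set.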

UEFI flaw impacts multiple Intel PCs
Eclypsium detailed a security flaw, tracked as CVE-2024-0762, in Phoenix SecureCore UEFI firmware that affects PCs running various Intel Core processor families. The vulnerability, known as ‘UEFIcanhazbufferoverflow’, could allow local attackers to escalate privileges and execute malicious code within the firmware. This type of exploitation is characteristic of firmware backdoors and poses a significant supply chain risk. 

Atlassian patches high-severity vulnerabilities
Atlassian has released updates to address multiple high-severity vulnerabilities in its Confluence, Crucible, and Jira products, including broken access control, server-side request forgery, and deserialization of untrusted data issues. The updates patch multiple security flaws in dependencies, such as the Spring Framework and Apache Commons Configuration, to prevent unauthenticated attackers from causing denial-of-service conditions. Atlassian has not reported any known exploitation of these vulnerabilities in the wild.

Tags

ransomhub
cosmicsting vulnerability
ueficanhazbufferoverflow
zergeca

Posted on: June 21, 2024
