Cyware Daily Threat Intelligence, November 13, 2024

Daily Threat Briefing Nov 13, 2024

From deceptive apps to vulnerabilities and developer-targeted tools, attackers are exploiting every corner of the digital landscape. SpyNote is posing as a fake antivirus, giving attackers full control over Android devices, stealing credentials, and targeting cryptocurrency users. 

In its November Patch Tuesday, Microsoft patched 89 security flaws, including two actively exploited vulnerabilities, urging immediate updates. 

Meanwhile, a new tool named GoIssue is being sold to attackers, allowing bulk theft of developer credentials from GitHub profiles, enabling supply chain attacks.

Top Malware Reported in the Last 24 Hours

SpyNote: Android malware evolves

CYFIRMA analyzed SpyNote, an Android malware that poses a significant threat by giving attackers extensive control over infected devices. The malware disguises itself as a fake antivirus named Avast Mobile Security for Android to deceive users. It targets cryptocurrency holdings, steals data from other apps, and collects user credentials. It monitors network traffic and connects to a C2 server to exfiltrate stolen data. There are over 10,000 identified samples of SpyNote, with recent infections linked to the threat actor EVLF distributing it through platforms such as Telegram.

TA455 and its Dream Job campaign

The Iranian Dream Job campaign conducted by TA455 targeted the aerospace industry by offering fake jobs and distributing the SnailResin malware. The campaign has been active since at least September 2023 and uses fake recruiting websites and LinkedIn profiles to distribute malicious files. The attackers use a detailed PDF guide to encourage victims to download a ZIP file containing the malware. The campaign is suspected to be involved in espionage targeting aerospace, aviation, and defense industries in Middle Eastern countries.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft November Patch Tuesday updates

Microsoft released fixes for 89 CVE-listed security flaws in its products, including two zero-day vulnerabilities actively under attack. One flaw, CVE-2024-49039, allows privilege escalation through Windows Task Scheduler, while the second, CVE-2024-43451, impacts NTLM hashes. Azure CycleCloud users should be aware of CVE-2024-43602, which permits remote code execution. Additionally, a serious flaw, CVE-2024-43498, affects .NET and Visual Studio, and another critical vulnerability, CVE-2024-43639, is a cryptographic protocol flaw in Windows Kerberos.

Google releases Chrome 131

The Chrome team has released Chrome 131, now available for Windows, Mac, and Linux. Among the changes are 12 security fixes, including ones reported by external researchers. These fixes address issues like inappropriate implementation in Blink, Autofill, Media, Accessibility, Views, Navigation, Paint, and FileSystem. Additionally, internal security work has led to a range of fixes.

Citrix issues patches for 0-day bugs

Citrix released patches for two vulnerabilities in its Citrix Virtual Apps and Desktops technology, which could be exploited by remote attackers to elevate privileges or execute code on affected systems. The two vulnerabilities, tracked as CVE-2024-8068 and CVE-2024-8069, affect the Session Recording Manager component and stem from issues in how the data is deserialized. Citrix has refuted claims of an unauthenticated RCE exploit, stating that it is an authenticated RCE that can be carried out only as a NetworkService Account. 

Top Scams Reported in the Last 24 Hours

GoIssue facilitating GitHub phishing attacks

Researchers have discovered a tool, GoIssue, that can steal developer credentials in bulk and conduct malicious activities, including supply chain attacks. GoIssue gathers email addresses from public GitHub profiles by using automated processes and GitHub tokens, allowing attackers to send bulk emails directly to user inboxes. The tool is being marketed to potential attackers for $700 for a custom build or $3,000 for full source code access. It combines bulk email capabilities with data collection features and hides the attacker's identity through proxy networks.