
Cyware Daily Threat Intelligence, April 10, 2024


LG smart TV owners have been urged to act immediately: roughly 91,000 devices expose a service with multiple LG webOS vulnerabilities to the internet, and chaining the bugs allows complete device takeover. Because not every TV has automatic updates enabled, some owners of vulnerable sets will need to update their firmware manually. Separately, a new ransomware group built on Conti's leaked source code is targeting Russian businesses: it gains entry through VPN access, disguises its encryptor as corporate antivirus software, and adds functionality Conti did not have.

In one of its largest Patch Tuesday releases, Microsoft fixed 149 security flaws, two of them already under active exploitation. One is a Windows proxy driver spoofing vulnerability that was abused via a digitally signed executable to deploy a backdoor capable of monitoring network traffic.

Top Malware Reported in the Last 24 Hours


Attackers deploy crypto-mining tools
Researchers at Sysdig have detailed the roughly decade-long operations of RUBYCARP, a threat group of possibly Romanian origin that monetizes compromised hosts through cryptocurrency mining and phishing. The group uses a deployment script that installs several cryptocurrency miners at once, shortening the time spent on a victim and reducing the chance of detection. Further investigation revealed additional tooling, including commands built into the group's shell bot code for sending phishing emails.

Malvertising campaign targets IT admins
An ongoing malvertising campaign is targeting IT administrators who search for system utilities such as PuTTY and FileZilla. Malicious ads, served through reputable platforms including Google and Bing, send victims first to cloaking pages and then to copycat sites that impersonate the legitimate download pages. The downloaded installer delivers the Nitrogen malware loader, which gives the operators initial network access that is later used for data theft and ransomware deployment.

Ransomware group strikes Russian businesses
Cybersecurity researchers at F.A.C.C.T. have profiled a new ransomware group dubbed Muliaka. Active since at least December 2023, Muliaka targets Russian businesses, disguising its ransomware as corporate antivirus software and abusing VPN services for remote access. Unlike its Conti predecessor, Muliaka's encryptor terminates processes and system services before encrypting files, a notable evolution in the tooling derived from the leaked Conti source code.

Malware distribution via GitHub search
Cybercriminals were observed manipulating GitHub's search functionality to distribute malware through carefully crafted repositories. Their key tactics were search manipulation with popular topic names, frequent automated updates to rank highly in recency-sorted results, and faked popularity to win users' trust. The malware, hidden within Visual Studio project files so that it runs when the project is built, targeted cryptocurrency wallets and established persistence on Windows machines. Developers have been warned to exercise caution when using code from public repositories.

German firms bombarded with Rhadamanthys stealer
Proofpoint observed TA547 targeting German firms with the Rhadamanthys stealer using emails that impersonate the German retailer Metro. The emails carried password-protected ZIP attachments containing LNK files, which launch a PowerShell script whose unusually verbose comments suggest it may have been generated by an LLM. TA547 is typically known for deploying NetSupport RAT but has recently switched to Rhadamanthys. The campaign also marks a shift from zipped JavaScript payloads to compressed LNK files.

Raspberry Robin now spreads via Windows script files
Evolving its infection methods, Raspberry Robin has, in campaigns observed since March, shifted to Windows Script Files (WSF) to distribute its malware. The scripts are disguised as legitimate automation tools and use anti-analysis techniques to evade detection. Communicating with its C2 servers over Tor, Raspberry Robin serves as a gateway for deploying additional payloads such as SocGholish and Cobalt Strike.

Top Vulnerabilities Reported in the Last 24 Hours


Fortinet addressed critical security gaps
Fortinet released patches for a critical RCE flaw (CVE-2023-45590) in FortiClientLinux that allows an unauthenticated attacker to execute arbitrary code by luring a user to a malicious website. High-severity vulnerabilities affecting FortiOS, FortiProxy, FortiClientMac, and FortiSandbox were fixed in the same round of patches. No active exploitation has been reported, but users are urged to update the affected products promptly.

Microsoft security updates unveil active exploitations
Microsoft's April 2024 security updates addressed 149 flaws, including two actively exploited vulnerabilities: CVE-2024-26234 (Proxy Driver Spoofing) and CVE-2024-29988 (SmartScreen Prompt Security Feature Bypass). The two pose risks ranging from backdoor access to credential theft. The release included 68 RCE, 31 privilege escalation, 26 security feature bypass, and six DoS bugs. Notably, 24 of the 26 security feature bypass flaws relate to Secure Boot.

Bugs in LG smart TVs leave thousands exposed
Bitdefender researchers uncovered four vulnerabilities in LG webOS affecting several smart TV models. The vulnerable service is intended for use only on the local network, yet around 91,000 devices reportedly expose it to the internet. The bugs, tracked as CVE-2023-6317 through CVE-2023-6320, include authorization bypass, privilege escalation, and command injection issues; chained together they allow an attacker to add an unauthorized user and take over the device completely. Affected webOS versions range from 4.9.7 to 7.3.1. Because not every TV has automatic updates enabled, users are advised to check for updates manually via the TV settings.

SAP resolves high-severity vulnerabilities
SAP published 10 new and two updated security notes in its April 2024 release, addressing three high-severity vulnerabilities. The most serious (CVE-2024-27899) affects the NetWeaver AS Java User Management Engine and allows users to set simple passwords that do not satisfy the configured password policy. Although classified as a security misconfiguration, it stems from a gap in program logic. SAP also fixed high-severity flaws in BusinessObjects Web Intelligence and Asset Accounting, alongside eight medium-severity issues.

Critical BatBadBut flaw discovered in Rust library
Security engineer RyotaK uncovered BatBadBut (CVE-2024-24576), a critical vulnerability in Rust's standard library that allows command injection on Windows. When a program runs a batch file (.bat or .cmd) through std::process::Command, Windows executes it via cmd.exe, and the standard library escaped the arguments using rules that cmd.exe does not honor, so a crafted argument could terminate the quoted string and append its own commands. Although the issue carries a CVSS score of 10.0, RyotaK notes that real-world exploitability requires specific conditions: the program must invoke a batch file with attacker-controlled arguments on Windows, and only Rust versions before 1.77.2 are affected. The Rust Security Response Working Group advised users to update to the patched version to mitigate the risk.
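To make the escaping mismatch concrete, the following is an added example (not code from this page, from RyotaK, or from the Rust project). It reimplements the Windows C runtime quoting rule that the standard library applied to batch-file arguments before 1.77.2, models just enough of cmd.exe's parser to show where a crafted argument escapes its quotes, and contrasts it with a conservative allowlist-based quoter. The script name `test.bat`, the argument `"&calc.exe`, and the function names are constructed for the illustration; the allowlist rules are this example's own, not the exact rules of the Rust fix.

```rust
use std::iter::repeat;

/// Quote one argument the way the Windows C runtime expects (the rule
/// std::process::Command applies to arguments for ordinary executables):
/// wrap in double quotes, write an embedded `"` as `\"`, and double the
/// backslashes that sit immediately before a quote. Before Rust 1.77.2 the
/// same rule was applied to arguments for .bat/.cmd targets.
fn crt_quote(arg: &str) -> String {
    let mut out = String::from("\"");
    let mut backslashes = 0;
    for c in arg.chars() {
        if c == '\\' {
            backslashes += 1;
        } else {
            if c == '"' {
                // n backslashes followed by a quote become 2n+1 backslashes.
                out.extend(repeat('\\').take(backslashes + 1));
            }
            backslashes = 0;
        }
        out.push(c);
    }
    // Trailing backslashes are doubled so they do not escape the closing quote.
    out.extend(repeat('\\').take(backslashes));
    out.push('"');
    out
}

/// Simplified model of cmd.exe's line parser, enough to show the problem:
/// a `"` toggles quote state (cmd.exe has no escape for a quote inside a
/// quoted string), `^` escapes the next character only outside quotes, and
/// `& | < >` act as command separators or redirections only when unquoted.
/// Returns the byte offset of the first unquoted metacharacter, if any.
/// (`%VAR%` expansion happens before this stage and ignores quotes entirely,
/// which is why the allowlist below also refuses `%`.)
fn first_unquoted_meta(cmdline: &str) -> Option<usize> {
    let mut in_quote = false;
    let mut escaped = false;
    for (i, c) in cmdline.char_indices() {
        if escaped {
            escaped = false;
            continue;
        }
        match c {
            '"' => in_quote = !in_quote,
            '^' if !in_quote => escaped = true,
            '&' | '|' | '<' | '>' if !in_quote => return Some(i),
            _ => {}
        }
    }
    None
}

/// The line a pre-1.77.2 Command would hand to cmd.exe for a batch script,
/// simplified: the real line wraps everything in one more pair of quotes
/// that cmd.exe /c strips again, which does not change the outcome.
fn vulnerable_bat_cmdline(script: &str, args: &[&str]) -> String {
    let mut line = format!("cmd.exe /c {}", script);
    for a in args {
        line.push(' ');
        line.push_str(&crt_quote(a));
    }
    line
}

/// Conservative alternative: allow only characters that are inert inside a
/// cmd.exe quoted string and refuse everything else (`"`, `%`, `^`, `!`,
/// newlines, control characters, and, to stay simple, non-ASCII). This follows
/// the same principle as the Rust 1.77.2 fix, where Command::spawn returns an
/// InvalidInput error for arguments it cannot escape; the character set here
/// is an assumption of this example, not the standard library's rule.
fn safe_bat_arg(arg: &str) -> Result<String, String> {
    const INERT: &str = " -._:/\\=+,@";
    if let Some(bad) = arg
        .chars()
        .find(|&c| !(c.is_ascii_alphanumeric() || INERT.contains(c)))
    {
        return Err(format!(
            "refusing argument {:?}: {:?} cannot be made safe for cmd.exe",
            arg, bad
        ));
    }
    Ok(format!("\"{}\"", arg))
}

fn hardened_bat_cmdline(script: &str, args: &[&str]) -> Result<String, String> {
    let mut line = format!("cmd.exe /c {}", script);
    for a in args {
        line.push(' ');
        line.push_str(&safe_bat_arg(a)?);
    }
    Ok(line)
}

fn main() {
    // Constructed attacker-controlled argument: its leading quote closes the
    // quoted string early, leaving `&calc.exe` as a second command.
    let evil = "\"&calc.exe";
    let line = vulnerable_bat_cmdline("test.bat", &[evil]);
    println!("pre-fix line: {line}");
    match first_unquoted_meta(&line) {
        Some(i) => println!("command injection: unquoted {:?} at offset {i}", &line[i..=i]),
        None => println!("no unquoted metacharacter"),
    }
    println!("hardened: {:?}", hardened_bat_cmdline("test.bat", &[evil]));
    println!("hardened: {:?}", hardened_bat_cmdline("test.bat", &["C:\\Temp\\report 1.txt"]));
}
```

Running it shows the pre-fix line `cmd.exe /c test.bat "\"&calc.exe"`: cmd.exe sees the first `"` open a string, the `\` as a literal, the second `"` close it, and `&calc.exe` as a separate command. The hardened quoter refuses the same argument and accepts a path with spaces and backslashes, which is the trade-off the fix makes: reject what cannot be expressed safely rather than guess.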

Tags

muliaka ransomware
rhadamanthys stealer
batbadbut
fortinet forticlient
lg smart tv
github inc
rust library
microsoft security patches
fortios
rubycarp
raspberry robin

Posted on: April 10, 2024

