
Cyware Daily Threat Intelligence, April 12, 2024

A fix is only a fix if it ships. A security patch made more than five years ago for a Lighttpd web server vulnerability never reached thousands of servers from major brands such as Intel and Lenovo. Although the flaw is a significant threat, it affects only end-of-life (EOL) servers. Search result poisoning is never out of vogue: security researchers warned of threat actors manipulating GitHub search results to distribute persistent, cryptocurrency-wallet-targeting malware to developers. Security analysts also discovered a credit card skimmer cleverly hidden within a counterfeit Meta Pixel tracker script to bypass security checks.

Caution: Web3 gaming scams carry more than financial risk. A recent investigation uncovered a Russian-language cybercrime operation luring users with fake Web3 gaming projects to distribute information-stealer malware to both macOS and Windows systems, a reminder of how quickly the threat landscape evolves.

Top Malware Reported in the Last 24 Hours


Credit card skimmer disguised as Meta Pixel tracker
Security researchers uncovered a credit card skimmer camouflaged as a Meta Pixel tracker script to evade security checks. It is injected into websites through features that let users add custom code, such as WordPress custom-script plugins and the Magento admin panel. The script mimics the authentic Pixel bootstrap but loads its code from a look-alike domain substituted for Meta's; the loaded JavaScript draws a fake overlay on the checkout page to capture payment card details, which are then forwarded to another compromised site for exfiltration.
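The substituted-domain trick is easy to screen for in page source. The following Python helper is an added example (not code from the researchers or from Meta): it extracts every host from which a Pixel-shaped snippet loads a file named fbevents.js and reports any host that is not Meta's CDN. It assumes the fake tracker keeps the fbevents.js filename; the sample pages are constructed, and connect-facebook.example is a placeholder, not the domain used in the reported campaign.

```python
"""Flag Meta Pixel-style snippets that load their code from somewhere other than Meta's CDN.

Added example, not code from the original report. The sample pages below are
constructed; the look-alike domain in the second one is a placeholder.
"""
import re
from typing import List

# The genuine Pixel bootstrap loads fbevents.js from this host.
LEGIT_PIXEL_HOSTS = {"connect.facebook.net"}

# Any quoted URL whose path ends in fbevents.js. Covers both the inline bootstrap
# (... (window,document,'script','https://.../fbevents.js')) and a plain
# <script src=".../fbevents.js"> tag. Group 1 is the host.
FBEVENTS_URL_RE = re.compile(
    r"""["'](?:https?:)?//([A-Za-z0-9.-]+)(?::\d+)?/[^"']*fbevents\.js[^"']*["']""",
    re.IGNORECASE,
)


def pixel_loader_hosts(html: str) -> List[str]:
    """Every host a Pixel-shaped snippet on the page pulls fbevents.js from."""
    return sorted({m.group(1).lower() for m in FBEVENTS_URL_RE.finditer(html)})


def suspicious_pixel_hosts(html: str) -> List[str]:
    """Hosts serving an 'fbevents.js' that are not Meta's CDN: candidates for a fake tracker."""
    return [h for h in pixel_loader_hosts(html) if h not in LEGIT_PIXEL_HOSTS]


# Constructed sample 1: the legitimate bootstrap in the shape Meta documents (abridged).
LEGIT_PAGE = """<script>
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){};t=b.createElement(e);
t.async=!0;t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}
(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init','123456789012345');fbq('track','PageView');
</script>"""

# Constructed sample 2: identical shape, but the loader URL points at a look-alike
# domain (placeholder) substituted for Meta's. This is the pattern to catch.
SKIMMER_PAGE = LEGIT_PAGE.replace(
    "https://connect.facebook.net/en_US/fbevents.js",
    "https://connect-facebook.example/en_US/fbevents.js",
)

if __name__ == "__main__":
    for name, page in (("legit", LEGIT_PAGE), ("skimmer", SKIMMER_PAGE)):
        print(name, suspicious_pixel_hosts(page))
```

Run it over the rendered HTML of the checkout page, not just the CMS template, because the injection lands in a custom-code field and only appears in the served output. A clean result here does not prove the page is safe; it only rules out this particular domain-swap disguise.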

Attackers poison GitHub search results
Threat actors are manipulating GitHub search results to push persistent malware to developers, Checkmarx reported. The attackers create malicious repositories under popular names, inflate their search ranking with automated commits and fake stars, and hide the malware inside Visual Studio project files so that it runs when the project is built. The payload, similar to the Keyzetsu clipper, targets cryptocurrency wallets and establishes persistence on Windows machines. The campaign uses GitHub Actions to automate the repository updates that keep the projects ranked highly.

Iranian APTs return with DarkBeatC2 and FalseFont
Two Iranian groups surfaced with new tooling. MuddyWater, known for spear-phishing high-value targets with deceptive lures, is using DarkBeatC2, a new command-and-control framework, in its recent campaigns. Separately, APT33 is deploying the FalseFont backdoor against aerospace and defense organizations, tricking victims through fake job recruitment processes.

Top Vulnerabilities Reported in the Last 24 Hours


Silent patch exposes EOL servers
A quietly patched vulnerability in Lighttpd, an open-source web server, remains unaddressed in end-of-life servers from major brands, according to firmware security firm Binarly. The flaw is a heap out-of-bounds read in Lighttpd's HTTP header parsing that leaks process memory, which an attacker can use to defeat ASLR on the way to further exploitation. Lighttpd's developers fixed it in 2018 without a public advisory or CVE identifier, so the fix never propagated into baseboard management controller firmware such as AMI MegaRAC, which Intel and Lenovo ship in their servers. Binarly calls such silently fixed flaws that live on in downstream firmware "forever bugs"; thousands of affected EOL products remain exposed.

CISA confirms exploitation of D-Link devices
CISA warned that threat actors are exploiting older D-Link network-attached storage (NAS) devices, adding CVE-2024-3273 (a command injection flaw) and CVE-2024-3272 (hardcoded credentials) to its Known Exploited Vulnerabilities (KEV) catalog. Models such as the DNS-320L, DNS-325, DNS-327L, and DNS-340L are at risk; security researchers reported over 92,000 exposed devices. D-Link acknowledged the vulnerabilities but, because the affected devices have reached EOL and will receive no updates, advised retiring and replacing them. Until they are replaced, such devices should at minimum be kept off the internet.

Critical zero-day hits Palo Alto Networks PAN-OS
Palo Alto Networks alerted customers to a zero-day vulnerability, CVE-2024-3400, a command injection flaw in the GlobalProtect feature of PAN-OS that allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. PAN-OS versions below 11.1.2-h3, 11.0.4-h1, and 10.2.9-h1 are affected. Until the fixes land, scheduled for April 14, customers with a Threat Prevention subscription can block attack attempts by enabling Threat ID 95187 and applying a vulnerability protection security profile to their GlobalProtect interface.

Top Scams Reported in the Last 24 Hours


Russian operation targets Web3 gamers
Insikt Group uncovered a Russian-language cybercrime operation distributing malware under the guise of Web3 gaming projects, targeting both macOS and Windows users by exploiting interest in blockchain-based gaming. The operators create fake gaming projects and matching social media accounts to lure victims; installing a fake project deploys the AMOS (macOS) or Stealc (Windows) information stealer to harvest sensitive data.


Posted on: April 12, 2024
