1. Home
  2. Cybersecurity Events

Take action on the latest cybersecurity events

Cybersecurity advisories and events as they happen, with a clear action you can take.

DeFI Exchange Balancer under active attack, asks users not to log in
published: Sept. 20, 2023
Balancer, a decentralized finance exchange and protocol on Ethereum, warns users of a recent frontend attack, prompting caution and advising against interaction with its user interface. Users report potential wallet-draining prompts and security firms estimate a theft of approximately $238,000 in cryptocurrency, making it the second attack on Balancer within a month.
Google Play fake Telegram app installs spyware
published: Sept. 10, 2023
Fake Android apps posing as Telegram were discovered on the Google Play Store, infecting over 60,000 users with spyware, stealing messages and personal data, especially targeting Chinese-speaking users. Kaspersky uncovered these malicious clones and reported them to Google, but some remained available for download. Google has taken steps to remove them, including implementing a business verification system to enhance security for Android users in the future.
Take action: Be very mindful of installing random apps from the App stores. Check the number of downloads - should be in the millions for any reasonably popular app, and the rating of the app should be very variable. Apps with very small number of downloads and high rating indicate faked rating and possibly malicious app.
Aeronautics firms attacked via Zoho and Fortinet vulnerabilities
published: Sept. 8, 2023
Multiple nation-state threat actors exploited known vulnerabilities in Zoho ManageEngine and Fortinet VPN products to compromise a U.S. aeronautical organization in consecutive attacks, with the vulnerabilities being CVE-2022-47966 and CVE-2022-42475, emphasizing the need for prompt patching and account management in the face of slow company reactions.
Take action: How long do you wait to patch your firewalls, VPNs and ticketing systems? However hard and tedious it is, the conversation about being hacked with a 9 month old vulnerability is more difficult.
Microsoft SQL servers under attack, used to deploy FreeWorld ransomware
published: Sept. 5, 2023
A cyberattack campaign named "DB#JAMMER" has been discovered targeting vulnerable Microsoft SQL Server (MSSQL) databases, utilizing brute-force methods to introduce ransomware. It also employs various tools and tactics, including the deployment of a new Mimic ransomware variant called "FreeWorld," demonstrating a high level of sophistication, and it is currently ongoing with a relatively targeted focus.
Take action: Securing MSSQL is not a new topic, so just be diligent: (1) Don't expose MSSQL to the internet; (2) Use complex account credentials and disable default account; (3) restrict the use of xp_cmdshell.
DreamBus Botnet exploits Apache RocketMQ Vulnerability to mine Cryptocurrency
published: Aug. 31, 2023
The DreamBus botnet exploits a critical vulnerability (CVE-2023-33246) in Apache RocketMQ, a widely used messaging platform, to remotely execute commands and deploy a cryptocurrency miner onto compromised systems; attacks were observed in June, attributed to the DreamBus botnet, which also has the potential to execute various other malicious activities.
Take action: Time to run an inventory on your systems and check if any are using RocketMQ. Every one of these systems that's exposed to the internet is a high priority for patching, so chase down the vendor for an updated version. Or lock down the system in an internal network until a patch is available.
Cisco VPNs not secured with MFA targeted by Akira ransomware gang
published: Aug. 30, 2023
The Cisco Incident Response Team has alerted to the Akira ransomware gang targeting VPNs lacking MFA, with unclear methods of obtaining credentials. Potential methods include dark web purchases, zero-day exploits, and brute-force attacks. Evidence suggests brite force attempts, with some researchers pointing to Akira attempting to abuse Cisco VPN gateways based on leaked data, emphasizing the significance of MFA implementation.
Take action: If you are using Cisco VPN without MFA, activate Multi Factor Authentication. For all VPN users. Because most people recycle passwords all over the place, and some passwords are already leaked.
Juniper J-Web Junos OS Vulnerabilities Combined in Cybercrime Attacks
published: Aug. 30, 2023
Threat actors are exploiting four recently patched vulnerabilities in Juniper Networks' Junos OS J-Web component after the release of proof-of-concept exploit code, allowing remote control of environment variables and arbitrary file uploads. The vulnerabilities are impacting SRX series firewalls and EX series switches using Junos OS versions before 20.4R3-S8.
Take action: The quick action became an URGENT action on your Juniper devices: Immediately disable the J-Web inteface or configure it to respond only to trusted internal IP addresses. Start patching ASAP. Or just get hacked. Automatically.
Unpatched Citrix NetScaler Systems Targeted
published: Aug. 29, 2023
Unpatched Citrix NetScaler systems accessible online are under attack by unidentified threat actors suspected of conducting a ransomware campaign, designated "STAC4663" by Sophos. The attackers are exploiting a critical code injection vulnerability (CVE-2023-3519) to execute remote code. This activity shares similarities with a prior campaign, suggesting a known ransomware threat actor's involvement.
Take action: If you haven't patched your Citrix gateways because you are optimistic, now is the time to be very pessimistic. And start patching immediately. No amount of debate "we have firewalls" and "we are low risk" is going to make it better.
FBI warns that Barracuda ESG appliances should be removed from use immediately.
published: Aug. 24, 2023
The FBI urgently warns Barracuda customers using vulnerable Email Security Gateway (ESG) appliances to remove them from operation due to a widespread zero-day attack attributed to UNC4841, a threat group suspected to have Chinese ties. Despite patches from Barracuda, the FBI asserts that risk compromise of the appliance is not removed due to multiple exploits of the same vulnerability.
Take action: Time to say goodbye to your Barracuda ESG. It's probably already compromised and it's not likely it will ever be fully trusted again.
Criminals use WinRAR vulnerability for theft of funds from broker accounts
published: Aug. 23, 2023
Hackers are exploiting a zero-day vulnerability in WinRAR to target brokerage traders, using malicious ZIP files containing harmful scripts to compromise systems and gain unauthorized access to victims' brokerage accounts, leading to unauthorized financial transactions and fund withdrawals. At least 130 traders' devices affected and the extent of financial losses remaining uncertain.
Take action: If you didn't feel enough urgency to patch your WinRAR so far, think about the possibility of a hacker stealing your money from your bank account by simply sending you a malicious ZIP or RAR file