Take action on the latest cybersecurity events

Cybersecurity advisories and events as they happen, with a clear action you can take.

Balancer, a decentralized finance exchange and protocol on Ethereum, warns users of a recent frontend attack, prompting caution and advising against interaction with its user interface. Users report potential wallet-draining prompts and security firms estimate a theft of approximately $238,000 in cryptocurrency, making it the second attack on Balancer within a month.
Fake Android apps posing as Telegram were discovered on the Google Play Store, infecting over 60,000 users with spyware, stealing messages and personal data, especially targeting Chinese-speaking users. Kaspersky uncovered these malicious clones and reported them to Google, but some remained available for download. Google has taken steps to remove them, including implementing a business verification system to enhance security for Android users in the future.
Multiple nation-state threat actors exploited two known vulnerabilities, CVE-2022-47966 in Zoho ManageEngine and CVE-2022-42475 in Fortinet VPN products, to compromise a U.S. aeronautical organization in consecutive attacks, underscoring the need for prompt patching and disciplined account management, especially when the affected organization is slow to react.
A cyberattack campaign named "DB#JAMMER" has been discovered targeting exposed Microsoft SQL Server (MSSQL) databases, brute-forcing credentials to gain access and then deploying ransomware. It employs a range of tools and tactics, including a new variant of the Mimic ransomware called "FreeWorld," demonstrating a high level of sophistication; the campaign is still ongoing and appears relatively targeted.
The DreamBus botnet exploits a critical vulnerability (CVE-2023-33246) in Apache RocketMQ, a widely used messaging platform, to remotely execute commands and deploy a cryptocurrency miner on compromised systems. Attacks attributed to DreamBus were observed in June, and the botnet is capable of carrying out a variety of other malicious activities beyond mining.
The Cisco Incident Response Team has warned that the Akira ransomware gang is targeting VPNs that lack MFA, although how the attackers obtain credentials remains unclear. Possible methods include purchases on the dark web, zero-day exploits, and brute-force attacks. Evidence points to brute-force attempts, and some researchers suggest Akira is abusing Cisco VPN gateways using leaked data, emphasizing the importance of enforcing MFA.
Threat actors are exploiting four recently patched vulnerabilities in the J-Web component of Juniper Networks' Junos OS following the release of proof-of-concept exploit code; chained together, the flaws allow remote manipulation of environment variables and arbitrary file uploads. The vulnerabilities affect SRX series firewalls and EX series switches running Junos OS versions before 20.4R3-S8.
Unpatched Citrix NetScaler systems accessible online are under attack by unidentified threat actors suspected of conducting a ransomware campaign, designated "STAC4663" by Sophos. The attackers are exploiting a critical code injection vulnerability (CVE-2023-3519) to execute remote code. This activity shares similarities with a prior campaign, suggesting a known ransomware threat actor's involvement.
The FBI urgently warns Barracuda customers using vulnerable Email Security Gateway (ESG) appliances to remove them from operation because of a widespread zero-day attack attributed to UNC4841, a threat group suspected of having Chinese ties. Despite patches from Barracuda, the FBI asserts that the risk of appliance compromise has not been eliminated, since the same vulnerability has been exploited multiple times.
Hackers are exploiting a zero-day vulnerability in WinRAR to target brokerage traders, using malicious ZIP files containing harmful scripts to compromise systems and gain unauthorized access to victims' brokerage accounts, leading to unauthorized financial transactions and fund withdrawals. At least 130 traders' devices have been affected, and the extent of the financial losses remains uncertain.