Take action on the latest cybersecurity events

Cybersecurity advisories and events as they happen, with a clear action you can take.

IBM security teams have reported an ongoing credential harvesting campaign targeting vulnerable Citrix NetScaler gateways via CVE-2023-3519, exploited since June 2023, resulting in the backdooring of thousands of instances. The new malicious campaign injects scripts to steal user credentials.
Cybercriminals conducted a fraudulent campaign by compromising GitHub accounts, posing as the Dependabot automated updater tool to infiltrate projects and steal passwords from developers, primarily targeting users in Indonesia. The attack was used to exfiltrate GitHub secrets and manipulate JavaScript files for password theft.
Google detected an exploit chain targeting Android devices in Egypt, employing iOS and Android vulnerabilities to enable remote code execution, utilizing MitM attacks, and distributing the exploit through malicious links in SMS and WhatsApp messages.
The U.S. Department of Health and Human Services warns of a significant cyber attack risk on healthcare and public health sectors by the North Korean Lazarus Group, exploiting a critical vulnerability (CVE-2022-47966) in Zoho's ManageEngine IT tools, allowing deployment of malware and emphasizing urgent software updates.
Balancer, a decentralized finance exchange and protocol on Ethereum, warns users of a recent frontend attack, prompting caution and advising against interaction with its user interface. Users report potential wallet-draining prompts and security firms estimate a theft of approximately $238,000 in cryptocurrency, making it the second attack on Balancer within a month.
Fake Android apps posing as Telegram were discovered on the Google Play Store, infecting over 60,000 users with spyware, stealing messages and personal data, especially targeting Chinese-speaking users. Kaspersky uncovered these malicious clones and reported them to Google, but some remained available for download. Google has taken steps to remove them, including implementing a business verification system to enhance security for Android users in the future.
Multiple nation-state threat actors exploited known vulnerabilities in Zoho ManageEngine and Fortinet VPN products to compromise a U.S. aeronautical organization in consecutive attacks, with the vulnerabilities being CVE-2022-47966 and CVE-2022-42475, emphasizing the need for prompt patching and account management in the face of slow company reactions.
A cyberattack campaign named "DB#JAMMER" has been discovered targeting vulnerable Microsoft SQL Server (MSSQL) databases, utilizing brute-force methods to introduce ransomware. It also employs various tools and tactics, including the deployment of a new Mimic ransomware variant called "FreeWorld," demonstrating a high level of sophistication, and it is currently ongoing with a relatively targeted focus.
The DreamBus botnet exploits a critical vulnerability (CVE-2023-33246) in Apache RocketMQ, a widely used messaging platform, to remotely execute commands and deploy a cryptocurrency miner onto compromised systems; attacks were observed in June, attributed to the DreamBus botnet, which also has the potential to execute various other malicious activities.
The Cisco Incident Response Team has warned that the Akira ransomware gang is targeting VPNs lacking MFA, with unclear methods of obtaining credentials. Potential methods include dark web purchases, zero-day exploits, and brute-force attacks. Evidence suggests brute-force attempts, with some researchers pointing to Akira attempting to abuse Cisco VPN gateways based on leaked data, emphasizing the significance of MFA implementation.