Today (6 June 2024): Security News

RansomHub operation is a rebranded version of the Knight RaaS

6 June 2024 at 07:54

Researchers believe the RansomHub ransomware-as-a-service is a rebranded version of the Knight ransomware operation.

Cybersecurity experts who analyzed the recently emerged ransomware operation RansomHub speculate that it is a rebranded version of the Knight ransomware.

Knight, also known as Cyclops 2.0, appeared in the threat landscape in May 2023. The malware targets multiple platforms, including Windows, Linux, macOS, ESXi, and Android. The operators used a double extortion model for their RaaS operation.

The Knight ransomware-as-a-service operation shut down in February 2024, and the malware’s source code was likely sold to the threat actor who relaunched it as the RansomHub operation. RansomHub claimed responsibility for attacks against multiple organizations, including Change Healthcare, Christie’s, and Frontier Communications.

Researchers at Symantec, part of Broadcom, discovered multiple similarities between the RansomHub and Knight ransomware families, suggesting a common origin:

  • Both are written in Go and use Gobfuscate for obfuscation.
  • They share extensive code overlaps.
  • The command-line help menus used by the two malware families are identical, except for a ‘sleep’ command on RansomHub.
  • Both employ a unique obfuscation technique with uniquely encoded important strings.
  • The ransom notes from both Knight and RansomHub show significant similarities, with many phrases from Knight’s note appearing verbatim in RansomHub’s, indicating that the developers likely edited and updated the original note.
  • Both payloads restart endpoints in safe mode before encryption.
  • The sequence and method of command execution are the same, though RansomHub now uses cmd.exe for execution.
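The safe-mode restart listed above is one of the more observable steps of the chain, so it is worth detecting. The following is an added example, not code from the article or from Symantec’s report: it scans process-creation events for the boot-configuration change that arranges a Safe Mode restart on Windows (the page does not name the command; `bcdedit /set {default} safeboot …` is the usual way to do this) and escalates the finding when the same account forces a reboot afterwards. The pipe-delimited log format and the sample events are constructed for the example.

```python
"""Flag Windows process-creation events that stage a reboot into Safe Mode.

Added example, not code from the article or from Symantec's report. Both Knight
and RansomHub restart the endpoint in safe mode before encrypting; on Windows
the usual way to arrange that from a running process is to edit the boot
configuration with bcdedit (e.g. ``bcdedit /set {default} safeboot network``),
which the article itself does not spell out. The log format
(timestamp|user|image|command line) and the events below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample: one account sets safe boot, then forces a restart;
# a separate admin merely enumerates the boot store (benign, not flagged).
SAMPLE_EVENTS = """\
2024-06-05T10:12:01Z|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c whoami
2024-06-05T10:12:07Z|CORP\\jdoe|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /set {default} safeboot network
2024-06-05T10:12:08Z|CORP\\jdoe|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /set {default} safebootalternateshell yes
2024-06-05T10:12:09Z|CORP\\jdoe|C:\\Windows\\System32\\shutdown.exe|shutdown.exe /r /t 0 /f
2024-06-05T10:30:00Z|CORP\\it-admin|C:\\Windows\\System32\\bcdedit.exe|bcdedit.exe /enum
"""

# bcdedit writing a safeboot or safebootalternateshell value to any boot entry
SAFEBOOT_RE = re.compile(
    r"\bbcdedit(?:\.exe)?\b.*/set\b.*\bsafeboot(?:alternateshell)?\b", re.IGNORECASE
)
# shutdown.exe invoked with the restart switch
REBOOT_RE = re.compile(r"\bshutdown(?:\.exe)?\b.*\s/r\b", re.IGNORECASE)


@dataclass
class Finding:
    timestamp: str
    user: str
    command: str
    reason: str


def parse_events(text):
    """Split the constructed pipe-delimited log into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, image, cmd = line.split("|", 3)
        events.append({"ts": ts, "user": user, "image": image, "cmd": cmd})
    return events


def detect_safeboot_staging(text):
    """One Finding per safeboot change; escalated when the same account reboots afterwards."""
    events = parse_events(text)
    findings = []
    for i, ev in enumerate(events):
        if not SAFEBOOT_RE.search(ev["cmd"]):
            continue
        reason = "safeboot_set"
        # The sequence described in the report: boot change followed by a forced restart.
        for later in events[i + 1:]:
            if later["user"] == ev["user"] and REBOOT_RE.search(later["cmd"]):
                reason = "safeboot_set_then_reboot"
                break
        findings.append(Finding(ev["ts"], ev["user"], ev["cmd"], reason))
    return findings


if __name__ == "__main__":
    for f in detect_safeboot_staging(SAMPLE_EVENTS):
        print(f"{f.timestamp} {f.user} [{f.reason}] {f.command}")
```

Administrators do set safe boot legitimately, so the plain `safeboot_set` finding is a triage signal rather than an alert on its own; the escalated reason, a boot change followed within the same session by a forced restart, is the pattern worth paging on.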

However, although the two malware families share origins, it is unlikely that the authors of Knight are now operating RansomHub.

“One main difference between the two ransomware families is the commands run through cmd.exe. While the specific commands may vary, they can be configured either when the payload is built or during configuration. Despite the differences in commands, the sequence and method of their execution relative to other operations remain the same.” states the report published by Symantec.

Although RansomHub only emerged in February 2024, it has rapidly grown and, over the past three months, has become the fourth most prolific ransomware operator based on the number of publicly claimed attacks.


“One factor contributing to RansomHub’s growth may be the group’s success in attracting some large former affiliates of the Noberus (aka ALPHV, Blackcat) ransomware group, which closed earlier this year. One former Noberus affiliate known as Notchy is now reportedly working with RansomHub. In addition to this, tools previously associated with another Noberus affiliate known as Scattered Spider, were used in a recent RansomHub attack.” concludes the report that also provides Indicators of Compromise. “The speed at which RansomHub has established its business suggests that the group may consist of veteran operators with experience and contacts in the cyber underground.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, ransomware)

Google Maps Timeline Data to be Stored Locally on Your Device for Privacy

By: Newsroom
6 June 2024 at 07:15
Google has announced plans to store Maps Timeline data locally on users' devices instead of their Google account effective December 1, 2024. The changes were originally announced by the tech giant in December 2023, alongside changes to the auto-delete control when enabling Location History by setting it to three months by default, down from the previous limit of 18 months. Google Maps Timeline,

Hackers Target Python Developers with Fake "Crytic-Compilers" Package on PyPI

By: Newsroom
6 June 2024 at 05:49
Cybersecurity researchers have discovered a malicious Python package uploaded to the Python Package Index (PyPI) repository that's designed to deliver an information stealer called Lumma (aka LummaC2). The package in question is crytic-compilers, a typosquatted version of a legitimate library named crytic-compile. The rogue package was downloaded 441 times before it was taken down by PyPI

Yesterday (5 June 2024): Security News

Malware can steal data collected by the Windows Recall tool, experts warn

5 June 2024 at 21:10

Cybersecurity researchers demonstrated how malware could potentially steal data collected by the new Windows Recall tool.

The Recall feature of Microsoft Copilot+ is an AI-powered tool designed to help users search for past activities on their PC. The data collected by the tool is stored and processed locally. After its presentation, it raised security and privacy concerns among cybersecurity experts because it scans and saves periodic screenshots of the computer screen, potentially exposing sensitive data, like passwords or financial information.

Microsoft attempted to downplay the risks for users, pointing out that an attacker would need physical access to obtain the data collected by the Recall tool.

However, multiple researchers have demonstrated that malicious code could steal the data collected by the Recall feature.

The popular cybersecurity expert Kevin Beaumont explained that an attacker can gain remote access to a device running Recall using malware.

“When you’re logged into a PC and run software, things are decrypted for you. Encryption at rest only helps if somebody comes to your house and physically steals your laptop — that isn’t what criminal hackers do.” reads a post published by Beaumont. “For example, InfoStealer trojans, which automatically steal usernames and passwords, are a major problem for well over a decade — now these can just be easily modified to support Recall.”

Microsoft told media outlets a hacker cannot exfiltrate Copilot+ Recall activity remotely.

Reality: how do you think hackers will exfiltrate this plain text database of everything the user has ever viewed on their PC? Very easily, I have it automated.

HT detective pic.twitter.com/Njv2C9myxQ

— Kevin Beaumont (@GossiTheDog) May 30, 2024

Re the second paragraph in this BBC News piece about Copilot+ Recall – I don’t know if it’s a BBC error or a Microsoft misstatement, but the line is not true.

If you gain remote access to a device running Recall (eg a trojan) you can access Recall.https://t.co/ebGjiVyVsI pic.twitter.com/QDMRC0xuud

— Kevin Beaumont (@GossiTheDog) May 23, 2024

Microsoft pointed out that the information captured by its tool is highly encrypted and nobody can access it, but Beaumont said this is false and published a video of two Microsoft engineers accessing the folder containing the images.

Watch as Microsoft staff gain access to the Recall database files at the 24 second mark here, you'll be shocked by their elite hacking skills. pic.twitter.com/RxBQ8iTixw

— Kevin Beaumont (@GossiTheDog) May 30, 2024

The cybersecurity researcher Alex Hagenah has released a PoC tool, named TotalRecall, that can automatically extract and display the snapshots captured by Recall on a laptop and saved into its database.

“The database is unencrypted. It’s all plain text,” Hagenah told Wired.

“Windows Recall stores everything locally in an unencrypted SQLite database, and the screenshots are simply saved in a folder on your PC.” Hagenah explained “Here’s where you can find them:

C:\Users\$USER\AppData\Local\CoreAIPlatform.00\UKP\{GUID}

The images are all stored in the following subfolder:

.\ImageStore\

The IT researcher Marc-André Moreau explained that info-stealing malware can easily steal temporarily visible passwords from Remote Desktop Manager, which are captured by the Recall tool, from a local SQLite database.

The full OCR text with the temporarily visible password is available in the %LocalAppData%\CoreAIPlatform.00\UKP\{<UUID>}\ukg.db SQLite database, nicely gift wrapped 🎁 for infostealer malware to exfiltrate: pic.twitter.com/UKRjSPdUNs

— Marc-André Moreau (@awakecoding) June 3, 2024

While Recall remains a “preview” feature and, according to Microsoft’s small print, could change before it launches, Beaumont writes in his research that the company “should recall Recall and rework it to be the feature it deserves to be, delivered at a later date.” concludes Wired.

Pierluigi Paganini


(SecurityAffairs – hacking, AI)

Cisco addressed Webex flaws used to compromise German government meetings

5 June 2024 at 13:37

Cisco addressed vulnerabilities that were exploited to compromise the Webex meetings of the German government.

In early May, German media outlet Zeit Online revealed that threat actors exploited vulnerabilities in the German government’s implementation of the Cisco Webex software to access internal meetings.  

In March, the German authorities admitted that Russia-linked actors had hacked a military meeting in which participants discussed giving military support to Ukraine.

“In early May 2024, Cisco identified bugs in Cisco Webex Meetings that we now believe were leveraged in targeted security research activity allowing unauthorized access to meeting information and metadata in Cisco Webex deployments for certain customers hosted in our Frankfurt data center.” reads the advisory published by the company.

Experts believe threat actors exploited an insecure direct object reference (IDOR) vulnerability to access internal Webex meetings. Threat actors gained access to information about the meetings, such as topics and participants, and spied on sensitive meetings, even though the German government had decided to use an on-premises version of Webex.

The experts also discovered that some meeting rooms of high-ranking officials were not password-protected.

The IT giant now confirmed that the vulnerability exploited by the nation-state actors has been addressed.

“These bugs have been addressed and a fix has been fully implemented worldwide as of May 28, 2024.” continues the advisory.

Cisco notified customers who experienced observable attempts to access meeting information and metadata. Since the flaws were addressed, the company hasn’t observed any other attempts to exploit the vulnerabilities. The company added that the investigation is still ongoing and that it is continuing to monitor for unauthorized activity, providing updates as needed through regular channels.

Pierluigi Paganini


(SecurityAffairs – hacking, Germany)

Chinese State-Backed Cyber Espionage Targets Southeast Asian Government

By: Newsroom
5 June 2024 at 11:20
An unnamed high-profile government organization in Southeast Asia emerged as the target of a "complex, long-running" Chinese state-sponsored cyber espionage operation codenamed Crimson Palace. "The overall goal behind the campaign was to maintain access to the target network for cyberespionage in support of Chinese state interests," Sophos researchers Paul Jaramillo, Morgan Demboski, Sean

CNN, Paris Hilton, and Sony TikTok accounts hacked via DMs

5 June 2024 at 11:04

A vulnerability in the popular video-sharing platform TikTok allowed threat actors to take over the accounts of celebrities.

Threat actors exploited a zero-day vulnerability in the video-sharing platform TikTok to hijack high-profile accounts. The vulnerability resides in the direct messages feature implemented by the platform, reported Forbes.

The malware spreads through direct messages within the app and only requires the user to open a message. The compromised accounts did not post content, and the extent of the impact is unclear. TikTok spokesperson Alex Haurek stated that their security team is aware of the exploit and has taken measures to stop the attack and prevent future incidents. The company is also working with affected account owners to restore access.

The list of compromised accounts includes CNN, Paris Hilton, and Sony; however, it’s still unclear how many accounts have been impacted.

The company did not share technical details about the vulnerability exploited by the attackers.

“Our security team is aware of a potential exploit targeting a number of brand and celebrity accounts. We have taken measures to stop this attack and prevent it from happening in the future. We’re working directly with affected account owners to restore access, if needed.” TikTok spokesperson Alex Haurek told Forbes.

Haurek pointed out that the attacks compromised a very small number of accounts.

Semafor first reported that CNN’s TikTok account had been hacked, forcing the broadcaster to take down its account for several days.

The TikTok spokesperson also added that their security team was recently alerted of malicious actors targeting CNN’s account.

TikTok remarked that it is committed to maintaining the platform’s integrity and will continue to monitor for any further fraudulent activity.

In August 2022, Microsoft researchers discovered a high-severity flaw (CVE-2022-28799) in the TikTok Android app, which could have allowed attackers to hijack users’ accounts with a single click. The experts stated that the vulnerability would have required chaining with other flaws to hijack an account. Microsoft reported the issue to TikTok in February 2022, and the company quickly addressed it. Microsoft confirmed that it is not aware of attacks in the wild exploiting the bug.

Pierluigi Paganini


(SecurityAffairs – hacking, zero-day)

Unpacking 2024's SaaS Threat Predictions

5 June 2024 at 11:00
Early in 2024, Wing Security released its State of SaaS Security report, offering surprising insights into emerging threats and best practices in the SaaS domain. Now, halfway through the year, several SaaS threat predictions from the report have already proven accurate. Fortunately, SaaS Security Posture Management (SSPM) solutions have prioritized mitigation capabilities to address many of

Rebranded Knight Ransomware Targeting Healthcare and Businesses Worldwide

By: Newsroom
5 June 2024 at 10:10
An analysis of a nascent ransomware strain called RansomHub has revealed it to be an updated and rebranded version of Knight ransomware, itself an evolution of another ransomware known as Cyclops. Knight (aka Cyclops 2.0) ransomware first arrived in May 2023, employing double extortion tactics to steal and encrypt victims' data for financial gain. It's operational across multiple platforms,

Zyxel addressed three RCEs in end-of-life NAS devices

5 June 2024 at 08:01

Zyxel Networks released an emergency security update to address critical vulnerabilities in end-of-life NAS devices.

Zyxel Networks released an emergency security update to address three critical flaws in some of its NAS devices that have reached end-of-life.

An attacker can exploit the vulnerabilities to perform command injection attacks and achieve remote code execution. Two flaws can also allow attackers to elevate privileges.

The Outpost24 researcher Timothy Hjort reported the flaws to the manufacturer and published a detailed analysis and PoC exploit code for them.

Below is the list of vulnerabilities impacting the Zyxel NAS devices:

  • CVE-2024-29972: This command injection vulnerability in the CGI program “remote_help-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some operating system (OS) commands by sending a crafted HTTP POST request.
  • CVE-2024-29973: This command injection vulnerability in the “setCookie” parameter in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute some OS commands by sending a crafted HTTP POST request.
  • CVE-2024-29974: This remote code execution vulnerability in the CGI program “file_upload-cgi” in Zyxel NAS326 and NAS542 devices could allow an unauthenticated attacker to execute arbitrary code by uploading a crafted configuration file to a vulnerable device.
  • CVE-2024-29975: This improper privilege management vulnerability in the SUID executable binary in Zyxel NAS326 and NAS542 devices could allow an authenticated local attacker with administrator privileges to execute some system commands as the “root” user on a vulnerable device.
  • CVE-2024-29976: This improper privilege management vulnerability in the command “show_allsessions” in Zyxel NAS326 and NAS542 devices could allow an authenticated attacker to obtain a logged-in administrator’s session information containing cookies on an affected device.

The vulnerabilities affect NAS326 running firmware versions 5.21(AAZF.16)C0 and earlier, and NAS542 running firmware versions 5.21(ABAG.13)C0 and older.

The vendor did not address CVE-2024-29975 and CVE-2024-29976 in its end-of-life products.

“Due to the critical severity of vulnerabilities CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, Zyxel has made patches available to customers with extended support as outlined in the table below, despite the products already having reached end-of-vulnerability-support.” reads the advisory published by the company. “Both NAS326 and NAS542 reached end-of-vulnerability-support on Dec. 31, 2023.”

Zyxel is not aware of attacks in the wild exploiting these vulnerabilities.

Pierluigi Paganini


(SecurityAffairs – hacking, RCE)

Zyxel Releases Patches for Firmware Vulnerabilities in EoL NAS Models

By: Newsroom
5 June 2024 at 07:10
Zyxel has released security updates to address critical flaws impacting two of its network-attached storage (NAS) devices that have currently reached end-of-life (EoL) status. Successful exploitation of three of the five vulnerabilities could permit an unauthenticated attacker to execute operating system (OS) commands and arbitrary code on affected installations. Impacted models include NAS326

Celebrity TikTok Accounts Compromised Using Zero-Click Attack via DMs

By: Newsroom
5 June 2024 at 06:22
Popular video-sharing platform TikTok has acknowledged a security issue that has been exploited by threat actors to take control of high-profile accounts on the platform. The development was first reported by Semafor and Forbes, which detailed a zero-click account takeover campaign that allows malware propagated via direct messages to compromise brand and celebrity accounts without having to

Before yesterday: Security News

A ransomware attack on Synnovis impacted several London hospitals

4 June 2024 at 21:23

A ransomware attack that hit the provider of pathology and diagnostic services Synnovis severely impacted the operations of several London hospitals.

A ransomware attack on pathology and diagnostic services provider Synnovis has severely impacted operations at several major NHS hospitals in London. The attack forced the impacted hospitals to cancel some healthcare procedures; in some cases patients were redirected to other hospitals.

Synnovis is a pathology partnership between Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospitals NHS Trust, and SYNLAB, Europe’s largest provider of medical testing and diagnostics.

In a post published on its website, Synnovis disclosed it was the victim of a ransomware attack.

“On Monday 3 June, Synnovis – a partnership between two London-based hospital Trusts and SYNLAB – was the victim of a ransomware cyberattack. This has affected all Synnovis IT systems, resulting in interruptions to many of our pathology services.” reads the statement published by the company. “Regrettably this is affecting patients, with some activity already cancelled or redirected to other providers as urgent work is prioritised.”

The pathology and diagnostic services provider has launched an investigation into the security breach with the help of experts from the NHS. The experts are working to fully assess the impact of the attack and to take the appropriate action to contain the incident. The company also announced they are working closely with NHS Trust partners to minimise the impact on patients and other service users.

🚨 NEW: Operations across 2 major London hospitals @GSTTnhs & @KingsCollegeNHS have been cancelled due to a cyber attack, with all transplant surgery at @RBandH axed. Problem is affecting pathology labs incl blood transfusions. Trauma cases at Kings being sent to other sites: pic.twitter.com/zmtsq6c0zL

— Shaun Lintern (@ShaunLintern) June 4, 2024

Below is the message sent by Professor Ian Abbs, Chief Executive Officer of Guy’s and St Thomas’ NHS Foundation Trust:

"Dear Colleague

I am writing to update you about the ongoing critical incident that is currently affecting our pathology services. I can confirm that our pathology partner Synnovis experienced a major IT incident earlier today, which is ongoing and means that we are not currently connected to the Synnovis IT servers. This incident is also affecting King’s College Hospital NHS Foundation Trust and primary care across south east London.

This is having a major impact on the delivery of our services, with blood transfusions being particularly affected. Some activity has already been cancelled or redirected to other providers at short notice as we prioritise the clinical work that we are able to safely carry out.

I recognise how upsetting this is for patients and families whose care has been affected, and how difficult and frustrating this is for you all. I am very sorry for the disruption this is causing. An incident response structure has been stood up, with colleagues from across the Trust meeting regularly to assess the situation and put contingency plans into place. All clinical groups are represented on this, so please do direct any clinical or operational questions to your clinical group or directorate leadership as appropriate. While we do not yet know all the details or how long this issue will take to resolve we will keep you updated through the usual routes, including through the clinical alert system."

NHS London published a statement on the Synnovis ransomware attack confirming that the incident is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London.

“On Monday 3 June Synnovis, a provider of lab services, was the victim of a ransomware cyber attack. This is having a significant impact on the delivery of services at Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts and primary care services in south east London and we apologise for the inconvenience this is causing to patients and their families.” reads the statement.

“Emergency care continues to be available, so patients should access services in the normal way by dialling 999 in an emergency and otherwise using 111, and patients should continue to attend appointments unless they are told otherwise. We will continue to provide updates for local patients and the public about the impact on services and how they can continue to get the care they need.”

At this time, the company has yet to provide details on the attack, such as the malware family that infected its systems and if it has suffered a data breach.

In April, Synlab Italia, the Italian branch of the SYNLAB group, experienced disruptions due to a Blackbasta cyber attack. The company suspended all activities at sampling points, medical centers, and laboratories in Italy.

Pierluigi Paganini


(SecurityAffairs – hacking, ransomware)

RansomHub gang claims the hack of the telecommunications giant Frontier Communications

4 June 2024 at 18:02

The RansomHub ransomware group added the American telecommunications company Frontier Communications to the list of victims on its Tor leak site.

The RansomHub ransomware group claimed to have stolen the information of over 2 million customers from the American telecommunications company Frontier Communications. The RansomHub group claims to have stolen 5GB of data from the telecommunications giant.


The stolen data include names, email addresses, SSNs, credit scores, dates of birth, and phone numbers.

“Data is more than 2 million customer with address name email ssn credit score date of birth and phone number. We gave frontier 2 months to contact us but they don’t care about clients data. Below is screenshot of some of the data.” reads the message published by the group. “Now anyone who wants to buy this data can contact our blog support, we only sell it once.”

In April, Frontier Communications notified the Securities and Exchange Commission (SEC) that it had to shut down certain systems following a cyberattack. The incident was identified on April 14, after an unauthorized threat actor gained access to parts of its IT environment.

The company launched an investigation into the security breach and started operations to contain the incident.

“Based on our investigation, we have determined that the third party was likely a cybercrime group, which gained access to, among other information, personally identifiable information.” reads the Form 10-Q (quarterly report of financial performance) filed by the company with the SEC in May. “While we do not believe the incident is reasonably likely to materially impact our financial condition or results of operations, we continue to investigate the incident, have engaged cybersecurity experts, and have notified law enforcement authorities.”

The company did not provide details about the attack and has yet to disclose the number of the impacted people.

RansomHub has published an image of the stolen records as proof of the data breach and threatens to publish the stolen data if the victim does not pay the ransom within nine days.

At the end of May, the auction house Christie’s disclosed a data breach following a RansomHub cyber attack that occurred in the same month.

The extortion group said they had stolen 2GB of sensitive information, including personal information belonging to at least 500,000 Christie’s clients.

Pierluigi Paganini


(SecurityAffairs – hacking, ransomware)

Cybercriminals attack banking customers in EU with V3B phishing kit – PhotoTAN and SmartID supported.

4 June 2024 at 16:53

Resecurity uncovered a cybercriminal group that is providing a sophisticated phishing kit, named V3B, to target banking customers in the EU.

Resecurity has uncovered a new cybercriminal group providing a Phishing-as-a-Service (PhaaS) platform that equips fraudsters with a sophisticated kit (known as “V3B”) to target banking customers in the EU.

“Currently, it is estimated that hundreds of cybercriminals are using this kit to commit fraud, leaving victims with empty bank accounts. Their Telegram channel has over 1,255 members, a significant indicator of the scale and scope of the malicious activity being promoted by the group.” reads the report published by Resecurity. “The majority of members on this Telegram channel are skilled cybercriminals who specialize in various forms of fraud. These include:

  • Social engineering tactics
  • SIM swapping schemes
  • Banking and credit card fraud”

The attackers use various social engineering and spoofing tactics to trick victims into revealing their sensitive information; the kit supports real-time interaction with the victim in order to abuse and bypass MFA (Multi-Factor Authentication).

The kit is designed to intercept sensitive information, including banking credentials, credit card and personal information, and OTP/TAN codes. Besides traditional tokens (such as SMS codes), the kit supports QR codes and the PhotoTAN method (widely used in Germany and Switzerland), which may indicate that fraudsters are monitoring the latest MFA/2FA technologies implemented by banks and seeking possible bypass methods to defraud their customers.

The V3B phishing kit supports over 54 financial institutions (based in Austria, Belgium, France, Finland, Greece, Germany, Italy, the Netherlands, Norway, Poland, and Spain), featuring customized and localized templates to mimic the authentication and verification processes of major online banking, e-commerce, cryptocurrency providers and payment systems in the EU.

Technical details about the phishing kit are included in the report published by Resecurity: https://www.resecurity.com/blog/article/cybercriminals-attack-banking-customers-in-eu-with-v3b-phishing-kit

Pierluigi Paganini


(SecurityAffairs – hacking, V3B)

Russian Power Companies, IT Firms, and Govt Agencies Hit by Decoy Dog Trojan

By: Newsroom
4 June 2024 at 15:33
Russian organizations are at the receiving end of cyber attacks that have been found to deliver a Windows version of a malware called Decoy Dog. Cybersecurity company Positive Technologies is tracking the activity cluster under the name Operation Lahat, attributing it to an advanced persistent threat (APT) group called HellHounds. "The Hellhounds group compromises organizations they select and

Telerik Report Server Flaw Could Let Attackers Create Rogue Admin Accounts

By: Newsroom
4 June 2024 at 14:43
Progress Software has rolled out updates to address a critical security flaw impacting the Telerik Report Server that could be potentially exploited by a remote attacker to bypass authentication and create rogue administrator users. The issue, tracked as CVE-2024-4358, carries a CVSS score of 9.8 out of a maximum of 10.0. "In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or

The Next Generation of RBI (Remote Browser Isolation)

4 June 2024 at 11:19
The landscape of browser security has undergone significant changes over the past decade. While Browser Isolation was once considered the gold standard for protecting against browser exploits and malware downloads, it has become increasingly inadequate and insecure in today's SaaS-centric world. The limitations of Browser Isolation, such as degraded browser performance and inability to tackle

Hackers Use MS Excel Macro to Launch Multi-Stage Malware Attack in Ukraine

By: Newsroom
4 June 2024 at 11:07
A new sophisticated cyber attack has been observed targeting endpoints geolocated to Ukraine with an aim to deploy Cobalt Strike and seize control of the compromised hosts. The attack chain, per Fortinet FortiGuard Labs, involves a Microsoft Excel file that carries an embedded VBA macro to initiate the infection, "The attacker uses a multi-stage malware strategy to deliver the notorious 'Cobalt

Experts released PoC exploit code for a critical bug in Progress Telerik Report Servers

4 June 2024 at 10:39

Researchers published a PoC exploit code for an authentication bypass vulnerability on Progress Telerik Report Servers.

Researchers published a proof-of-concept (PoC) exploit code for an authentication bypass vulnerability on Progress Telerik Report Servers. Telerik Report Server is an end-to-end report management solution developed by Progress® Telerik.

Cybersecurity researcher Sina Kheirkha started his research from an advisory published by Progress for a deserialization issue. He noticed that exploitation required authentication, so shortly after the release of the patch he managed to find an authentication bypass, tracked as CVE-2024-4358 (CVSS score: 9.8). With the help of Soroush Dalili (@irsdl), the expert chained the deserialization issue with the auth bypass to achieve full unauthenticated RCE.

The researchers chained the issue with the deserialization flaw CVE-2024-1800 (CVSS score: 8.8) to execute arbitrary code on vulnerable servers.

⚠Here is the Exploit Chain targeting Telerik Report Server CVE-2024-4358/CVE-2024-1800 that allows pre-authenticated Remote Code Execution 🩸 by chaining a deserialization 🪲 and an interesting authentication bypass 🔥🔥🔥https://t.co/ZkPL8vggcH pic.twitter.com/Og7n4qRoXN

— SinSinology (@SinSinology) June 3, 2024

An unauthenticated attacker can exploit the authentication bypass to reach restricted Telerik Report Server functionality.

The researchers demonstrated how to create an admin account by exploiting the bypass flaw CVE-2024-4358.

“The vulnerability is very simple, the endpoint which is responsible for setting up the server for the first time is accessible unauthenticated even after the admin has finished the setup process.” wrote the expert. “The following method is where the vulnerability occurs Telerik.ReportServer.Web.dll!Telerik.ReportServer.Web.Controllers.StartupController.Register”

An unauthenticated attacker can invoke the Register method and use the received parameters to create a user with the “System Administrator” role.

“This method is available unauthenticated and will use the received parameters to create a user first, and then it will assign the “System Administrator” role to the user, this allows a remote unauthenticated attacker to create an administrator user and login :))))))” continues the expert.
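The flaw described above, as an added example that is not Progress Telerik's code: a one-time first-run setup endpoint modelled on the behaviour the researcher reports, beside a hardened version that refuses once setup has completed, plus a small check over IIS-style access logs for later hits on the setup route. The class names, the `/Startup/Register` path, the log field order and the log lines are assumptions constructed for this illustration.

```python
# Added example, not Progress Telerik's code. Models a first-run "Register"
# setup action that keeps working after setup (the reported behaviour) next
# to a version that closes it, and a log check for post-setup hits on it.
# Class names, the /Startup/Register path, the IIS field order and the
# sample log lines are constructed assumptions.
from dataclasses import dataclass, field
from datetime import datetime

ROLE_SYSTEM_ADMIN = "System Administrator"


class SetupAlreadyDone(Exception):
    """Raised by the hardened controller when setup is invoked a second time."""


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)  # username -> {"roles": set}
    setup_complete: bool = False

    def create_user(self, username, roles):
        if username in self.users:
            raise ValueError(f"user {username!r} already exists")
        self.users[username] = {"roles": set(roles)}


class VulnerableStartupController:
    """Mirrors the flaw: register() checks neither that setup already ran
    nor who is calling, and always hands out the System Administrator role."""

    def __init__(self, store):
        self.store = store

    def register(self, username, caller=None):
        self.store.create_user(username, [ROLE_SYSTEM_ADMIN])
        self.store.setup_complete = True
        return username


class HardenedStartupController:
    """Same action, but it refuses once first-run setup has completed.
    Unmapping the route after setup would be the belt-and-braces version."""

    def __init__(self, store):
        self.store = store

    def register(self, username, caller=None):
        if self.store.setup_complete:
            raise SetupAlreadyDone("first-run setup already completed")
        self.store.create_user(username, [ROLE_SYSTEM_ADMIN])
        self.store.setup_complete = True
        return username


def attacker_gets_admin(controller_cls):
    """Run the legitimate setup, then replay Register with no caller.
    Returns True if the replay produced a System Administrator account."""
    store = UserStore()
    ctrl = controller_cls(store)
    ctrl.register("admin")                   # genuine first-run setup
    try:
        ctrl.register("attacker", caller=None)  # unauthenticated replay
    except SetupAlreadyDone:
        return False
    return ROLE_SYSTEM_ADMIN in store.users.get("attacker", {}).get("roles", set())


# Constructed IIS W3C-style lines. Assumed field order:
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
SAMPLE_IIS_LOG = """\
2024-05-20 09:15:02 10.0.0.5 GET /Telerik.ReportServer.Web/Report/Index - 443 admin 10.0.0.20 200
2024-06-03 22:41:17 10.0.0.5 POST /Telerik.ReportServer.Web/Startup/Register - 443 - 203.0.113.9 200
2024-06-03 22:41:19 10.0.0.5 POST /Telerik.ReportServer.Web/Account/Login - 443 - 203.0.113.9 302
"""


def suspicious_register_calls(log_text, setup_completed_at):
    """Return (timestamp, client_ip, status) for every hit on the setup
    route after 'setup_completed_at' (an ISO 'YYYY-MM-DD HH:MM:SS' string)."""
    cutoff = datetime.fromisoformat(setup_completed_at)
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # W3C logs carry '#Fields:' headers
            continue
        f = line.split()
        if len(f) < 10:
            continue
        when = datetime.fromisoformat(f"{f[0]} {f[1]}")
        if f[4].lower().endswith("/startup/register") and when > cutoff:
            hits.append((when.isoformat(sep=" "), f[8], int(f[9])))
    return hits


if __name__ == "__main__":
    print("vulnerable:", attacker_gets_admin(VulnerableStartupController))
    print("hardened:  ", attacker_gets_admin(HardenedStartupController))
    print(suspicious_register_calls(SAMPLE_IIS_LOG, "2024-05-01 00:00:00"))
```

The setup gate is the minimal fix; on a real deployment the route should also be unreachable after provisioning, and any post-setup request to it that the log check surfaces is worth treating as an incident rather than noise.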

The vulnerability impacts Telerik Report Server 2024 Q1 (10.0.24.305) and earlier and Progress addressed it with the release of Telerik Report Server 2024 Q2 10.1.24.514 on May 15.

“Updating to Report Server 2024 Q2 (10.1.24.514) or later is the only way to remove this vulnerability. The Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.” states the vendor.

The experts urge organizations to update their installs as soon as possible due to the availability of PoC exploit code.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, RCE)

Snowflake Warns: Targeted Credential Theft Campaign Hits Cloud Customers

By: Newsroom
4 June 2024 at 10:28
Cloud computing and analytics company Snowflake said a "limited number" of its customers have been singled out as part of a targeted campaign. "We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake’s platform," the company said in a joint statement along with CrowdStrike and Google-owned Mandiant. "We have not identified

Multiple flaws in Cox modems could have impacted millions of devices

4 June 2024 at 06:59

A researcher discovered several authorization bypass vulnerabilities in Cox modems that potentially impacted millions of devices.

The security researcher Sam Curry discovered multiple issues in Cox modems that could have been exploited to modify the settings of the vulnerable modem and run malicious commands on them.

Cox is the largest private broadband provider in the United States, the third-largest cable television provider, and the seventh-largest telephone carrier in the country. The company has millions of customers.

“This series of vulnerabilities demonstrated a way in which a fully external attacker with no prerequisites could’ve executed commands and modified the settings of millions of modems, accessed any business customer’s PII, and gained essentially the same permissions of an ISP support team.” wrote Curry.

Curry described a potential attack scenario where a threat actor could exploit exposed APIs to target Cox business customers.

The attack involves searching for a specific target using their identifiable information, such as name, phone number, email address, or account number. Upon finding a match, the attacker uses the returned UUID to query the API for the target’s full PII, including device MAC addresses, email, phone number, and physical address. With the hardware MAC address, the attacker can retrieve the WiFi password and a list of connected devices, allowing them to execute arbitrary commands, update device properties, and ultimately take over the victim’s account. This compromises the security of the target’s network and endangers their personal and business data.
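The chain in the previous paragraph, as an added example that is not Cox's code: a toy account and device API that answers anyone who can reach it, beside the same routes with per-object authorization, and a function that replays the search, UUID, PII, MAC, Wi-Fi password and command sequence against each. Account data, MAC addresses, passwords, the session model and the `support` role are constructed assumptions.

```python
# Added example, not Cox's code. Replays the lookup chain from the article
# (search by PII -> account UUID -> full PII incl. device MAC -> Wi-Fi
# password and device commands) against a toy API that answers anyone who
# reaches it, and against the same routes with object-level authorization.
# Accounts, MACs, passwords, the session model and the "support" role are
# constructed for this illustration.
from dataclasses import dataclass

ACCOUNTS = {  # uuid -> customer record (constructed sample data)
    "a1": {"name": "Alice Corp", "email": "alice@example.com", "phone": "555-0100",
           "address": "1 Main St", "devices": ["00:11:22:33:44:55"]},
    "b2": {"name": "Bob LLC", "email": "bob@example.com", "phone": "555-0200",
           "address": "2 Side St", "devices": ["66:77:88:99:aa:bb"]},
}
DEVICES = {  # mac -> modem state (constructed sample data)
    "00:11:22:33:44:55": {"owner": "a1", "wifi_password": "alice-wifi", "commands": []},
    "66:77:88:99:aa:bb": {"owner": "b2", "wifi_password": "bob-wifi", "commands": []},
}


class Forbidden(Exception):
    """Raised by the hardened API when a request fails an authorization check."""


@dataclass(frozen=True)
class Session:
    account_id: str          # the customer this login belongs to
    role: str = "customer"   # "customer" or "support"


class VulnerableApi:
    """Mirrors the reported state: each route answers whoever can reach it.
    Nothing ties the request to a customer or to the object it names."""

    def search(self, session, email):
        return [uid for uid, acct in ACCOUNTS.items() if acct["email"] == email]

    def get_account(self, session, uid):
        return ACCOUNTS[uid]

    def get_device(self, session, mac):
        return DEVICES[mac]

    def run_command(self, session, mac, cmd):
        DEVICES[mac]["commands"].append(cmd)
        return True


class HardenedApi(VulnerableApi):
    """Same routes. Every call needs a session, PII search is reserved for
    support staff, and every object is checked against the session's account."""

    @staticmethod
    def _require_owner(session, owner_uid):
        if session is None:
            raise Forbidden("login required")
        if session.role != "support" and session.account_id != owner_uid:
            raise Forbidden("object belongs to another customer")

    def search(self, session, email):
        if session is None or session.role != "support":
            raise Forbidden("lookup by PII is a support-desk function")
        return super().search(session, email)

    def get_account(self, session, uid):
        self._require_owner(session, uid)
        return super().get_account(session, uid)

    def get_device(self, session, mac):
        self._require_owner(session, DEVICES[mac]["owner"])
        return super().get_device(session, mac)

    def run_command(self, session, mac, cmd):
        self._require_owner(session, DEVICES[mac]["owner"])
        return super().run_command(session, mac, cmd)


def takeover_chain(api, session, target_email):
    """Replay the described chain against the customer owning 'target_email'.
    Returns the victim's Wi-Fi password once a command has been pushed to
    their modem, or None if the API refused at any step."""
    try:
        uids = api.search(session, target_email)
        if not uids:
            return None
        pii = api.get_account(session, uids[0])       # name, phone, address, MACs
        mac = pii["devices"][0]
        device = api.get_device(session, mac)         # Wi-Fi password, connected hosts
        api.run_command(session, mac, "reboot")       # arbitrary device command
        return device["wifi_password"]
    except Forbidden:
        return None


if __name__ == "__main__":
    print("no session, vulnerable:", takeover_chain(VulnerableApi(), None, "alice@example.com"))
    print("Bob vs Alice, hardened:", takeover_chain(HardenedApi(), Session("b2"), "alice@example.com"))
    print("support, hardened:     ", takeover_chain(HardenedApi(), Session("s1", "support"), "alice@example.com"))
```

The point of the hardened class is that each step re-derives the owner of the object actually named in the request (the account UUID, or the MAC's owner) and compares it with the session; checking only "is the caller logged in" at the front door is what lets a valid customer walk the whole chain against someone else.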


Curry reported the flaws on March 4, 2024, via the company’s responsible disclosure program, and Cox addressed the vulnerabilities within 24 hours.

The company also investigated whether the vulnerabilities had ever been exploited in attacks in the wild and found no evidence of previous abuse.

“They had also informed me that they had no affiliation with the DigitalOcean IP address, meaning that the device had definitely been hacked, just not using the method disclosed in this blog post.” added Curry.

Pierluigi Paganini


(SecurityAffairs – hacking, Cox modems)

DarkGate Malware Replaces AutoIt with AutoHotkey in Latest Cyber Attacks

By: Newsroom
4 June 2024 at 06:33
Cyber attacks involving the DarkGate malware-as-a-service (MaaS) operation have shifted away from AutoIt scripts to an AutoHotkey mechanism to deliver the last stages, underscoring continued efforts on the part of the threat actors to continuously stay ahead of the detection curve. The updates have been observed in version 6 of DarkGate released in March 2024 by its developer RastaFarEye, who

Oracle WebLogic Server OS Command Injection Flaw Under Active Attack

By: Newsroom
4 June 2024 at 03:25
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a security flaw impacting the Oracle WebLogic Server to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2017-3506 (CVSS score: 7.4), the issue concerns an operating system (OS) command injection vulnerability that could be exploited to obtain unauthorized

CISA adds Oracle WebLogic Server flaw to its Known Exploited Vulnerabilities catalog

3 June 2024 at 18:29

CISA adds Oracle WebLogic Server OS command injection vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Oracle WebLogic Server vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

The issue, tracked as CVE-2017-3506 (CVSS score 7.4), is an OS command injection flaw.

The vulnerability resides in the Oracle WebLogic Server component of Oracle Fusion Middleware. The flaw impacts versions 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1 and 12.2.1.2. An unauthenticated attacker with network access can exploit the flaw via HTTP to compromise Oracle WebLogic Server.

Successful exploitation of this vulnerability can lead to unauthorized creation, deletion, or modification of critical data, as well as unauthorized access to all data accessible by the Oracle WebLogic Server.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix these vulnerabilities by June 24, 2024.

Pierluigi Paganini


(SecurityAffairs – hacking, Known Exploited Vulnerabilities catalog)

Researchers Uncover RAT-Dropping npm Package Targeting Gulp Users

By: Newsroom
3 June 2024 at 14:00
Cybersecurity researchers have uncovered a new suspicious package uploaded to the npm package registry that's designed to drop a remote access trojan (RAT) on compromised systems. The package in question is glup-debugger-log, which targets users of the gulp toolkit by masquerading as a "logger for gulp and gulp plugins." It has been downloaded 175 times to date. Software supply chain security

Authorities Ramp Up Efforts to Capture the Mastermind Behind Emotet

By: Newsroom
3 June 2024 at 13:45
Law enforcement authorities behind Operation Endgame are seeking information related to an individual who goes by the name Odd and is allegedly the mastermind behind the Emotet malware.  Odd is also said to go by the nicknames Aron, C700, Cbd748, Ivanov Odd, Mors, Morse, and Veron over the past few years, according to a video released by the agencies. "Who is he working with? What is his

Spanish police shut down illegal TV streaming network

3 June 2024 at 12:40

Spanish police dismantled a pirated TV streaming network that allowed its operators to earn over 5,300,000 euros since 2015.

The Spanish National Police dismantled a network that illicitly distributed audiovisual content, earning over 5,300,000 euros since 2015. The police arrested eight individuals in Las Palmas de Gran Canaria, Madrid, Oviedo, and Málaga, and searched two homes. The police also blocked 16 IPTV content distribution websites. According to the announcement, the investigation began in November 2022, following a complaint by the Alliance for Creativity and Entertainment against those responsible for two websites allegedly marketing videographic content that violated intellectual property rights.

The international criminal organization was using advanced technology to capture and decrypt satellite signals in order to distribute over 130 international TV channels and thousands of movies and series illegally. It distributed the content to over 14,000 subscribers. The authorities arrested the key members of the organization and seized two computers, a vehicle, and 80,000 euros held in bank accounts. The police identified servers used by the gang and blocked 16 web pages, redirecting users to a National Police website informing them of the law enforcement operation.

“This international criminal organization used the latest technology and the most advanced technical devices to capture signals emitted via satellite in many countries. They subsequently amplified them and decrypted the multimedia content they transported, content that they then distributed publicly and illegally.” reads the press release published by the Spanish Police. “In total, more than 130 international television channels and thousands of movies and series that they made available to citizens around the world, a service for which they charged each of their more than 14,000 subscribers between 10 and 19 euros per month, or between 90 and 169 euros per year – depending on the type of subscription -, with the consequent damage to the rights of the authors, producers and distributors of these artistic works.”

The Alliance for Creativity and Entertainment (ACE), the world’s leading anti-piracy coalition, applauded the Spanish National Police for the operation against the large-scale illegal IPTV service TVMucho (also known as Teeveeing). This is the first criminal action in Spain against an operation of this size and scope.

TVMucho/Teeveeing had more than 4 million visits in 2023 and offered more than 125 channels, including major networks like BBC, ITV, Sky, and RTL.

“We commend the Spanish National Police for protecting the intellectual property rights of dozens of ACE members through this successful raid,” said Karyn Temple, Senior Executive Vice President and Global General Counsel for the Motion Picture Association (MPA). “The operation reinforces ACE’s commitment to partnering with regional authorities in identifying and confronting digital copyright infringement. We look forward to continuing our joint mission to protect the creative economy in Spain and beyond.”

Note that subscribers to illegal streaming services can also be investigated and fined by law enforcement.

Pierluigi Paganini

(SecurityAffairs – hacking, Spanish police)

SASE Threat Report: 8 Key Findings for Enterprise Security

3 June 2024 at 10:56
Threat actors are evolving, yet Cyber Threat Intelligence (CTI) remains confined to each isolated point solution. Organizations require a holistic analysis across external data, inbound and outbound threats and network activity. This will enable evaluating the true state of cybersecurity in the enterprise. Cato’s Cyber Threat Research Lab (Cato CTRL, see more details below) has recently released
