A report from CISA confirmed the addition of an actively exploited security flaw, tagged CVE-2017-3506 with a CVSS score of 7.4 and affecting Oracle WebLogic Server, to the Known Exploited Vulnerabilities (KEV) catalog, as it is being actively exploited to gain unauthorized access and take unrestricted control of affected servers. The official statement by the agency reads:
“Oracle WebLogic Server, a product within the Fusion Middleware suite, contains an OS command injection vulnerability that allows an attacker to execute arbitrary code via a specially crafted HTTP request that includes a malicious XML document.”
Trend Micro also confirmed the 8220 Gang's active exploitation of the flaw for in-memory cryptocurrency mining using a PowerShell script. At the same time, a cybersecurity researcher reported, “The gang employed obfuscation techniques, such as hexadecimal encoding of URLs and using HTTP over port 443, allowing for stealthy payload delivery.”
Multiple Russian Firms Hit By Decoy Dog Trojan
Reports from cybersecurity researchers indicate that power companies, IT firms, and government agencies are currently under cyber attack involving the delivery of the Windows version of the Decoy Dog malware. A report by Aleksandr Grigorian and Stanislav Pyzhov indicates that “The Hellhounds group compromises organizations they select and gains a foothold on their networks, remaining undetected for years.”
Positive Technologies, a reputable cybersecurity company conducting Operation Lahat, is currently investigating the activities of the advanced persistent threat (APT) group HellHounds.
Recent Cyber Attack Results in Replacement of AutoIt with AutoHotkey
Evidence gathered from cyber attacks involving the DarkGate malware-as-a-service shows a significant change: the malware has moved away from AutoIt scripts to an AutoHotkey-based mechanism in order to remain undetected during attacks. The development became evident in DarkGate version 6, which is sold on subscription and currently has over 30 subscribers.
Further details about DarkGate revealed that the remote access trojan (RAT) is equipped with command-and-control (C2) and rootkit capabilities, with incorporated modules for credential exfiltration, screen capturing, keylogging, and remote desktop. Trellix security researcher Ernesto Fernández Provecho gave more insight into the malware's activities when he said, “DarkGate campaigns tend to adapt fast, modifying different components to try to stay off security solutions.”
Telerik Warns Server Flaw Could Aid Creation of Rogue Admin Accounts
Following the discovery of an exploitable flaw impacting the Telerik Report Server that could aid the creation of rogue administrator accounts, Progress Software has rolled out updates to address the security concern, tagged CVE-2024-4358 with a CVSS score of 9.8. The company released a statement about the situation and urged customers to review their Report Server's user list and to apply the updates without delay.
“In Progress Telerik Report Server, version 2024 Q1 (10.0.24.305) or earlier, on IIS, an unauthenticated attacker can gain access to Telerik Report Server restricted functionality via an authentication bypass vulnerability.” The company addressed the flaw in Report Server 2024 Q2 (10.1.24.514).
Snowflake Warns Cloud Customers At Risk From Targeted Credential Theft Campaign
The cloud computing and analytics company Snowflake revealed that some of its customers were singled out as part of a targeted campaign. A joint statement by Snowflake, CrowdStrike, and Google-owned Mandiant gave insight into the activity: “We have not identified evidence suggesting this activity was caused by a vulnerability, misconfiguration, or breach of Snowflake's platform.”
However, Charles Carmakal, the Mandiant CTO, explained on LinkedIn, “Threat actors are actively compromising organizations' Snowflake customer tenants by using stolen credentials obtained by info stealing malware and logging into databases configured with single-factor authentication.”
As part of security measures to control the situation, Snowflake urges organizations to enable multi-factor authentication and permit only traffic from trusted locations.
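As an added illustration (not part of the original report or of Snowflake's own guidance), the statements below show what those two recommendations look like in Snowflake SQL: an account-level network policy that only admits traffic from trusted address ranges, followed by an audit query over the account usage login history that surfaces recent successful logins that used a password with no second factor, which is exactly the single-factor exposure described above. The IP ranges, policy name, and retention window are constructed placeholders.

```sql
-- Added example, not from the original article. Assumes a role with the
-- privileges to create network policies and read SNOWFLAKE.ACCOUNT_USAGE.

-- 1. Restrict logins to trusted locations. The CIDR ranges are constructed
--    placeholders; replace them with the organization's egress addresses.
CREATE NETWORK POLICY IF NOT EXISTS corp_trusted_locations
  ALLOWED_IP_LIST = ('203.0.113.0/24', '198.51.100.0/24')
  COMMENT = 'Only corporate egress ranges may authenticate';

-- Apply the policy account-wide so every user inherits it.
ALTER ACCOUNT SET NETWORK_POLICY = corp_trusted_locations;

-- 2. Find successful logins in the last 30 days that used only a password
--    (no second factor). Each row is an account that stolen credentials
--    alone would have been enough to access and that should enroll in MFA.
SELECT
  user_name,
  client_ip,
  reported_client_type,
  first_authentication_factor,
  second_authentication_factor,
  event_timestamp
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND event_timestamp >= DATEADD(day, -30, CURRENT_TIMESTAMP())
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
ORDER BY event_timestamp DESC;
```

The audit query is useful on its own even before the network policy is applied: the client_ip column shows whether those password-only sessions came from outside the ranges the organization considers trusted, which is the combination the campaign relied on.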