Security News

Cisco warned customers today of a critical authentication bypass vulnerability with public exploit code affecting multiple end-of-life VPN routers. The security flaw was found in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 routers by Hou Liuyang of Qihoo 360 Netlab.

Six malicious packages on PyPI, the Python Package Index, were found installing information-stealing and RAT malware while using Cloudflare Tunnel to bypass firewall restrictions for remote access. The malicious packages attempt to steal sensitive user information stored in browsers, run shell commands, and use keyloggers to steal typed secrets.

A South Africa-based threat actor known as Automated Libra has been observed employing CAPTCHA bypass techniques to create GitHub accounts in a programmatic fashion as part of a freejacking campaign dubbed PURPLEURCHIN. The group "Primarily targets cloud platforms offering limited-time trials of cloud resources in order to perform their crypto mining operations," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said. PURPLEURCHIN first came to light in October 2022 when Sysdig disclosed that the adversary created as many as 30 GitHub accounts, 2,000 Heroku accounts, and 900 Buddy accounts to scale its operation.

Popular instant messaging service WhatsApp has launched support for proxy servers in the latest version of its Android and iOS apps, letting users circumvent government-imposed censorship and internet shutdowns. "Choosing a proxy enables you to connect to WhatsApp through servers set up by volunteers and organizations around the world dedicated to helping people communicate freely," the Meta-owned company said.

Starting today, WhatsApp allows users to connect via proxy servers due to Internet shutdowns or if their governments block the service in their country. The new proxy support option is available to all users running the latest WhatsApp iOS and Android applications.

According to Palo Alto Networks Unit 42, the threat actors use a new CAPTCHA solving system, follow a more aggressive use of CPU resources for mining, and mixe 'freejacking' with the "Play and Run" technique to abuse free cloud resources. Whereas Sysdig identified 3,200 malicious accounts belonging to 'PurpleUrchin,' Unit 42 now reports that the threat actor has created and used over 130,000 accounts on the platforms since August 2019, when the first signs of its activities can be traced.

BlueNoroff, a subcluster of the notorious Lazarus Group, has been observed adopting new techniques into its playbook that enable it to bypass Windows Mark of the Web protections. "BlueNoroff created numerous fake domains impersonating venture capital companies and banks," security researcher Seongsu Park said, adding the new attack procedure was flagged in its telemetry in September 2022.

A critical vulnerability in the Ghost CMS newsletter subscription system could allow external users to create newsletters or modify existing ones so that they contain malicious JavaScript. [...]

Comcast Xfinity customers report their accounts being hacked in widespread attacks that bypass two-factor authentication. Similar to Gmail, Xfinity allows customers to configure a secondary email address to be used for account notifications and password resets in the event they lose access to their Xfinity account.

Threat actors affiliated with a ransomware strain known as Play are leveraging a never-before-seen exploit chain that bypasses blocking rules for ProxyNotShell flaws in Microsoft Exchange Server to achieve remote code execution through Outlook Web Access. "The new exploit method bypasses URL rewrite mitigations for the Autodiscover endpoint," CrowdStrike researchers Brian Pitchford, Erik Iker, and Nicolas Zilio said in a technical write-up published Tuesday.