Steve Thomas - IT Consultant


  • Researchers from Aqua Security discover new Matrix botnet
  • The botnet runs IP cameras, DVRs, routers, and similar
  • Matrix was built using off-the-shelf and open source tools

Cybersecurity researchers have spotted a new malicious botnet running distributed denial of service (DDoS) attacks against victims worldwide.

Named “Matrix” by experts at Aqua Security, the botnet was created by a lone hacker gathering up different open source and otherwise free-to-use tools to create it from scratch.

The creator scanned the internet for vulnerable Internet of Things (IoT) devices such as IP cameras, DVRs, routers, and telecom equipment - they could either have a known software flaw, or could simply have an easy-to-break password.

Script kiddie

After identifying the vulnerable endpoints, the hacker would deploy Mirai - an infamous, almost decade-old malware that was behind some of the most disruptive DDoS attacks in history. Besides Mirai, the attacker would also deploy PYbot, pynet, DiscordGo, Homo Network, and other malicious tools.

Ultimately, this led to the creation of Matrix, a widespread botnet that was later offered to other crooks as a service. The sale was being facilitated via a Telegram channel called “Kraken Autobuy”, with the attacker being paid in cryptocurrency.

Its victims are scattered all over the world - from China and Japan, to Argentina, Australia, and Brazil. Egypt, India, and the US also found themselves on the list.

While the threat actor seems to be of Russian origin, there is a notable absence of Ukrainian targets; the researchers believe this is because Matrix’s “Architect” is after money rather than pursuing a political or ideological agenda.

Aqua has also made an interesting observation, calling the attacker a “script kiddie”. This is a derogatory term in the cybersecurity community, usually describing an inexperienced or unskilled hacker. The researchers used the term because the attacker relied on off-the-shelf tools rather than building custom ones.

However, they also hinted that script kiddies could become a much bigger threat in the future:

"This campaign, while not highly sophisticated, demonstrates how accessible tools and basic technical knowledge can enable individuals to execute a broad, multi-faceted attack on numerous vulnerabilities and misconfigurations in network-connected devices," they said.

"The simplicity of these methods highlights the importance of addressing fundamental security practices, such as changing default credentials, securing administrative protocols, and applying timely firmware updates, to protect against broad, opportunistic attacks like this one."

You might also like


  • Researchers from AmberWolf find two flaws in popular VPN products
  • Flaws can be abused to get the VPNs to connect to malicious servers
  • The servers can use the connection to steal login credentials, drop malware, and more

Hackers have been using compromised VPN servers to steal sensitive information from connected VPN clients, security researchers are warning.

Earlier this year, cybersecurity experts from AmberWolf discovered criminals were tricking people into connecting their SonicWall NetExtender and Palo Alto Networks GlobalProtect VPN clients to VPN servers under their control.

The criminals were using malicious websites, or documents in social engineering and phishing, to get people to connect.

Fixing the problem

Since the vulnerable VPN clients fail to properly authenticate or verify the legitimacy of the VPN server, attackers get to impersonate trusted servers, and are allowed several malicious actions, including stealing the victims’ login credentials, running arbitrary code with elevated privileges, installing malware through software updates, and more.

AmberWolf named the vulnerabilities “NachoVPN”, and reported them to the respective organizations.

On SonicWall’s side, the bug was tracked as CVE-2024-29014, and was fixed in July 2024, while on Palo Alto Networks’ side, it was tracked as CVE-2024-5921, and was addressed in November 2024.

The first clean version of NetExtender Windows is 10.2.341. For Palo Alto, users should either install GlobalProtect 6.2.6, or run their VPN client in FIPS-CC mode.

Besides reporting the bugs to SonicWall and Palo Alto Networks, AmberWolf also shared an open-source tool, also called NachoVPN, which simulates the attack, BleepingComputer has found.

"The tool is platform-agnostic, capable of identifying different VPN clients and adapting its response based on the specific client connecting to it. It is also extensible, encouraging community contributions and the addition of new vulnerabilities as they are discovered," AmberWolf said.

"It currently supports various popular corporate VPN products, such as Cisco AnyConnect, SonicWall NetExtender, Palo Alto GlobalProtect, and Ivanti Connect Secure," the company concluded in its announcement.

Via BleepingComputer



  • Security researchers discussed vulnerabilities in Infrastructure-as-code (IaC)
  • There are a number of different ways crooks could abuse the systems
  • Issues also share defense mechanisms and workarounds

Security issues with infrastructure-as-code (IaC) and policy-as-code (PaC) specialized tools could put entire platforms, everywhere, at risk, experts have warned.

A report from cybersecurity researchers at Tenable has revealed how certain tools used to help manage cloud infrastructure and policies, such as Terraform and Open Policy Agent (OPA), could be hijacked and put to malicious use.

These tools use simplified coding languages which should make them safer than regular programming languages, but they’re still not without their flaws.

How to defend

“Since these are hardened languages with limited capabilities, they’re supposed to be more secure than standard programming languages – and indeed they are. However, more secure does not mean bulletproof,” the researchers said.

Discussing OPA, Tenable explained that it is a product that allows organizations to enforce rules, or policies, for managing cloud resources. It uses a language called Rego for these rules. Should a threat actor steal an access key, they would be able to add a fake Rego policy, approving malicious activity such as stealing sensitive data.

Terraform, on the other hand, helps companies define and manage cloud setups through code. Since it processes commands during workflows, it allows hackers to inject malicious code into the processes, which the tool then runs before anyone could notice. In theory, crooks could add a fake “data source” that results in malicious activity.

To protect against these attacks, researchers suggest teams use role-based access control (RBAC) to give people the minimum permissions they need, log actions at the application and cloud level for easier detection of suspicious behavior, and limit what apps and machines can access in terms of data and networks.

Furthermore, they suggest preventing unreviewed code or changes from running automatically in workflows, and using tools like Terrascan and Checkov to scan for issues in the infrastructure code before it’s deployed.
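The “fake data source” risk and the advice to keep unreviewed changes from running automatically both come down to the same control: anything in a Terraform configuration that executes a program during a plan or apply should be surfaced and explicitly approved before a pipeline runs it. The following is an added example, not Tenable’s, Terrascan’s or Checkov’s code. It walks a `terraform show -json` style plan (the field layout, `configuration.root_module.resources` and nested `module_calls`, is assumed here and trimmed to what the check reads; the sample plan itself is constructed) and flags `external` data sources and `local-exec`/`remote-exec` provisioners, then gates the run on a reviewed allow-list.

```python
import json

# Constructed plan in the shape of `terraform show -json` output (assumed
# layout, trimmed). Not taken from any real project.
SAMPLE_PLAN = {
    "configuration": {
        "root_module": {
            "resources": [
                {"address": "aws_s3_bucket.logs", "mode": "managed",
                 "type": "aws_s3_bucket", "name": "logs", "provisioners": []},
                {"address": "data.external.helper", "mode": "data",
                 "type": "external", "name": "helper",
                 "expressions": {"program": {"constant_value": ["bash", "-c", "./helper.sh"]}}},
            ],
            "module_calls": {
                "bootstrap": {
                    "module": {
                        "resources": [
                            {"address": "null_resource.bootstrap", "mode": "managed",
                             "type": "null_resource", "name": "bootstrap",
                             "provisioners": [{"type": "local-exec"}]},
                        ]
                    }
                }
            },
        }
    }
}

# Terraform features that run arbitrary programs on the machine doing the plan/apply.
COMMAND_RUNNING_DATA_SOURCES = {"external"}
COMMAND_RUNNING_PROVISIONERS = {"local-exec", "remote-exec"}


def _walk_modules(module: dict, prefix: str = ""):
    """Yield (address, resource) for the module and every nested module call."""
    for res in module.get("resources", []):
        yield prefix + res["address"], res
    for name, call in module.get("module_calls", {}).items():
        yield from _walk_modules(call.get("module", {}), f"{prefix}module.{name}.")


def find_command_execution(plan: dict) -> list[str]:
    """Return the addresses of every data source or provisioner that executes a program."""
    findings = []
    root = plan.get("configuration", {}).get("root_module", {})
    for address, res in _walk_modules(root):
        if res.get("mode") == "data" and res.get("type") in COMMAND_RUNNING_DATA_SOURCES:
            findings.append(address)
        for prov in res.get("provisioners") or []:
            if prov.get("type") in COMMAND_RUNNING_PROVISIONERS:
                findings.append(address)
    return sorted(findings)


def gate(plan: dict, reviewed_allowlist: set[str]) -> bool:
    """True only when every command-running element was explicitly reviewed.

    A pipeline would call this before `terraform apply`; an unknown address
    means a change slipped in without review and the run should stop.
    """
    return all(addr in reviewed_allowlist for addr in find_command_execution(plan))


if __name__ == "__main__":
    for addr in find_command_execution(SAMPLE_PLAN):
        print("command execution:", addr)
    print("approved:", gate(SAMPLE_PLAN, {"data.external.helper"}))
```

In practice the allow-list lives in the repository next to the code and is itself protected by branch rules, so adding a new `external` data source or provisioner forces a visible diff that a reviewer has to accept; this is the same property the RBAC and logging advice above aims for, applied to the configuration itself.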



  • Researchers found two flaws in a popular WordPress plugin
  • Flaws allow threat actors to install malicious plugins and run arbitrary code
  • A patch is already available, so WordPress users should update now

A major anti-spam plugin for top website builder WordPress carried a pair of critical severity vulnerabilities which allowed threat actors to install plugins at will, and even execute arbitrary code, remotely.

The bugs have since been patched, and users are advised to deploy them as soon as possible.

The vulnerable plugin is called “Spam protection, Anti-Spam, and Firewall”, and was built by CleanTalk, a company developing spam protection for WordPress, Joomla, Drupal, and other website builders.

The plugin carried two flaws: one tracked as CVE-2024-10542, and one tracked as CVE-2024-10781. The first has a severity score of 9.8 (critical), while the second scores 8.1 (high).

The former is an unauthorized Arbitrary Plugin Installation bug, that occurs due to an authorization bypass via reverse DNS spoofing on the checkWithoutToken function. As a result, unauthenticated attackers get to install and activate arbitrary plugins which, in some scenarios, can be leveraged to achieve remote code execution.

The latter, on the other hand, is an unauthorized Arbitrary Plugin Installation that occurs due to a missing empty-value check on the 'api_key' value in the 'perform' function. The results are the same: achieving remote code execution in certain scenarios (when another vulnerable plugin is installed and activated).
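The two bug classes described above, trusting a reverse DNS name as an authorization signal and comparing an API key without first checking for an empty value, are general enough to be worth seeing side by side. The following is an added example written for this page; it is not CleanTalk’s code, not the WordPress plugin’s `checkWithoutToken` or `perform` functions, and the DNS records and hostnames in it are constructed. It shows the weak form of each check next to a hardened one: forward-confirmed reverse DNS instead of a bare PTR lookup, and a key check that refuses empty values and compares in constant time.

```python
import hmac

# Constructed DNS records for the demo (not real infrastructure). The legitimate
# service host is 203.0.113.10; 198.51.100.7 has a PTR record that merely
# claims the same name, which the holder of that IP block can set at will.
PTR_RECORDS = {
    "203.0.113.10": "api.example-spamfilter.test",
    "198.51.100.7": "api.example-spamfilter.test",   # spoofed PTR
}
A_RECORDS = {
    "api.example-spamfilter.test": {"203.0.113.10"},
}
TRUSTED_SUFFIX = ".example-spamfilter.test"


def reverse_dns_only(client_ip: str) -> bool:
    """Weak pattern: authorise a caller because its PTR name looks trusted."""
    name = PTR_RECORDS.get(client_ip)
    return name is not None and name.endswith(TRUSTED_SUFFIX)


def forward_confirmed_reverse_dns(client_ip: str) -> bool:
    """Hardened pattern (FCrDNS): the PTR name must resolve forward to a set of
    addresses that contains the client IP. Even then it is only a coarse
    network-origin signal and should sit beside a secret check, not replace it."""
    name = PTR_RECORDS.get(client_ip)
    if not name or not name.endswith(TRUSTED_SUFFIX):
        return False
    return client_ip in A_RECORDS.get(name, set())


def naive_key_check(stored_key: str, presented_key: str) -> bool:
    """Weak pattern: plain equality with no empty-value check. An unconfigured
    (empty) stored key is matched by an empty presented key."""
    return stored_key == presented_key


def hardened_key_check(stored_key: str, presented_key: str) -> bool:
    """Hardened: refuse when either side is empty, then compare in constant time."""
    if not stored_key or not presented_key:
        return False
    return hmac.compare_digest(stored_key.encode(), presented_key.encode())


def authorise_privileged_action(client_ip: str, stored_key: str, presented_key: str) -> bool:
    """Combined gate for a privileged operation (such as installing a plugin):
    both the origin check and the secret must pass."""
    return forward_confirmed_reverse_dns(client_ip) and hardened_key_check(stored_key, presented_key)


if __name__ == "__main__":
    print("bare PTR accepts spoofed origin:", reverse_dns_only("198.51.100.7"))
    print("FCrDNS accepts spoofed origin:  ", forward_confirmed_reverse_dns("198.51.100.7"))
    print("naive check with unset key:     ", naive_key_check("", ""))
    print("hardened check with unset key:  ", hardened_key_check("", ""))
```

The point of the combined gate is that neither signal is sufficient alone: reverse DNS can be controlled by whoever owns the address block, and an unset secret must fail closed rather than match whatever the request happens to omit.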

Spam protection, Anti-Spam, and Firewall is a major WordPress plugin, installed on more than 200,000 websites, at press time. The bug was first spotted by a researcher with the alias ‘mikemyers’ who reported their findings to WordFence, a project that researches WordPress vulnerabilities.

WordFence reached out to CleanTalk in late October 2024 who, a few days later, came forward with a patch. “We would like to commend the CleanTalk team for their prompt response and timely patch,” WordFence said.

Users are urged to update their sites with the latest patched version, which was 6.45.2 at press time.



  • ESET discovers two zero-day vulnerabilities that can lead to remote code execution
  • The researchers spot Russian hackers abusing the flaws to deploy backdoors
  • Fixes for both flaws are already available to download

A Russian advanced persistent threat (APT) group known as RomCom has been exploiting two zero-day vulnerabilities to hit its victims with potent backdoor malware, security experts have said.

ESET said its researchers first found a use-after-free bug in the animation timeline feature in Firefox. Since the bug forces the browser to use memory that has already been freed, it can lead to all sorts of undefined behavior, including executing code in the restricted context of the browser. This bug was discovered on October 8, and was assigned CVE-2024-9680. It was fixed a day later, on October 9.

Further investigation led to the discovery of a second vulnerability, this time in Windows, tracked as CVE-2024-49039, which allows previously authenticated crooks to run arbitrary code in the system. By chaining the two vulnerabilities together, the attackers were able to deploy backdoors on target devices.

Targeting Europe and North America

In practice, this means embedding a website with code capable of exploiting the vulnerabilities, redirecting victims to a server where the backdoor is hosted, and infecting the operating system. The worst part is that the attack is “zero-click”: beyond visiting the malicious website, the exploit requires no interaction from the victim.

While ESET does not discuss how many people, or entities, fell victim to the attack, they say that the majority of victims tracked between October 10 and November 4 were located in Europe and North America.

It is also worth pointing out that patches for both flaws have been available for more than a month now, and the best way to defend against the attack is to have Firefox, Thunderbird, and the Tor Browser (which were all said to have been vulnerable) all patched, together with Windows.



  • Starbucks stores are using pen and paper to track employee hours after attack
  • Third-party Vendor Blue Yonder hit with ransomware attack
  • Retail stores in the UK and US affected

Starbucks may be the largest coffee chain in the world, but many of its stores have been forced to manually track employees’ schedules and payroll after a third-party supply chain vendor was hit by a ransomware attack.

Blue Yonder confirmed it was the victim of a ransomware attack, and services are still being severely disrupted, with the company confirming it is “working around the clock to respond to this incident”.

The list of affected stores is growing, with UK retail giants Sainsbury’s and Morrisons also both reporting disruption. The stores have affirmed that backup processes and contingency plans are in place, so the impact on customers should be minimal.

Third party risks

It’s not yet clear exactly what the effects of the hack will be, and the extent of the disruption is yet to be seen. Ransomware is a costly business, with the average demand over $5 million in the first half of 2024.

Ransomware attacks are on the rise across the globe, and increasingly digital operations mean many companies are reliant on third party vendors, which can put companies at risk even if their own cybersecurity is airtight.

The risks can be mitigated by thoroughly assessing third party vendors and by ensuring contingency plans are in place, and CISOs are encouraged to collaborate with their peers in the industry to foster strong relationships.

"The Blue Yonder incident reminds all organizations that focusing only on the security and resilience of systems under your direct control is no longer an option.” said Matt Aldridge, Principal Solutions Consultant at OpenText Cybersecurity.

“Dependencies run deep and broad in the supply chain, so it is essential that all suppliers are thoroughly vetted on an ongoing basis, and that contingency plans are in place before going live with any major third-party solution.”

Via CNN



  • Generative AI could save the public sector billions in the next 5 years
  • More routine tasks could be automated to free up time for creatives
  • More than half of public sector jobs will be changed in some way in coming years

New research has revealed the UK public sector could save billions in expenditure by fully embracing generative AI technology.

The ‘AI & The Public Sector’ report, commissioned by Google Cloud, highlights the ways the public sector could save around £38bn over the next 5 years through wider GenAI adoption.

Perhaps unsurprisingly, the report predicts that ‘automating routine tasks’ will be the future of AI tools in the workplace, and that over a third of daily tasks in the public sector could be performed by generative AI.

A new way forward

The report rightly points out many public sector organizations are under huge pressure, with 61% of public administration workers overworked, and 70% of respondents agreeing that employee morale has decreased.

To combat this, generative AI solutions should be embraced by public organizations, the report suggests. Currently, only 12% of public administrators say they have significantly deployed AI tools.

By letting generative AI automate administrative work, the public sector could unlock an extra 3.7 million GP appointments, the equivalent of 160,000 police officers, and a 16% increase in student to teacher ratio - a cumulative value of £358bn by 2034. This would free up 8.3% of the budget for re-investment into our public services, the report says.

“Now the digital centre of government, my department is testing how we can put AI to work in the public sector, whether that’s speeding up finding information on GOV.UK or empowering teachers by reducing administrative burdens, allowing them to dedicate more time to what they do best,” said UK Technology Secretary Peter Kyle.

Job augmentation

Over half of public sector jobs (56%) are likely to be ‘augmented’ in some way by AI adoption, the report claims, optimistically predicting workers will be allowed more time for creative focus.

Even with full AI implementation, the report estimates that 38% of roles are ‘insulated’ and won’t be affected by AI adoption thanks to their inherent sensitivity. The remaining 6% of jobs will be ‘displaced’ or phased out.

However, Google Cloud says the demand for public sector labour will grow, so displaced workers will simply be reallocated into new roles. This echoes other recent studies, which for example have shown IT service desks could ‘go extinct’.

Early stages of adoption

The study shows there are barriers to AI implementation that need to be addressed before the public sector is ready to embrace AI. Applicability is part of the concern, with over half of respondents (55%) agreeing they would need different or better structured data sets to use AI effectively.

Many workers are also uncertain about the security, legal liabilities, and costs of AI tools, and before workplaces take full advantage of AI, more education is needed, as over a third (34%) say they don’t have the skills to benefit from AI tech just yet.

There are significant concerns about the reliability of AI output too, but Google Cloud reassures these worries are ‘likely to fade on their own as the technology becomes more mature’.

Governments leading the way

Google Cloud has identified public sector AI adoption as a key driver to wider AI adoption across all industries. As part of Government commitments to using AI in public services, organizations should conduct AI adoption assessments in key sectors such as health, transport, and education.

This will allow agencies to identify barriers to AI deployment and address any roadblocks. Procurement teams should be 'empowered and upskilled' on the importance of AI adoption so that they can effectively assess their needs.

An overhaul of government IT systems is needed to efficiently adopt AI, says Google Cloud. Legacy IT systems, data storage capacity, and an absence of advanced cloud data analytics are all hindering the development of AI in the public sector, it says.

Untold costs

What the report doesn’t address, is the cost of generative AI adoption. The costs are multi-faceted, with AI demanding a huge amount of energy to run, and also an enormous amount of water to cool high performing hardware.

The AI industry is already in the midst of a serious sustainability crisis, so large-scale adoption in both the public and private sectors could have disastrous consequences for climate protection goals.



  • Trend Micro discovers brand new backdoor called GhostSpider
  • It can exfiltrate sensitive data and tamper with the OS
  • It was used by a Chinese state-sponsored threat actor known as Salt Typhoon

Infamous Chinese state-sponsored threat actor Salt Typhoon has been seen using a brand new backdoor malware to target telecommunication service providers.

A report from cybersecurity firm Trend Micro analyzed the backdoor, called GhostSpider, noting it is used in long-term cyber-espionage operations, with its key stealth mechanisms including remaining exclusively in memory and encrypting its communication with the C2 server.

GhostSpider is capable of a number of things, including uploading malicious modules into memory, activating the module by initializing necessary resources, executing the primary loader function (data exfiltration, or system tampering), and closing the module to free memory and remain out of sight. Finally, it can adjust its behavior to avoid getting detected, while maintaining periodic communication with the C2 server.

Abusing endpoint flaws

The Washington Post noted US authorities recently notified 150 victims, most of which were in the D.C. area, that Salt Typhoon was eavesdropping on their communications.

In its report, Trend Micro added that besides telecommunications, the Chinese group targets government entities and the technology, consulting, chemicals, and transportation sectors in the U.S., Asia-Pacific, Middle East, South Africa, and other regions. To breach the systems, Salt Typhoon would exploit a number of flaws in different endpoints, including bugs in Ivanti’s Connect Secure VPN, Fortinet’s FortiClient EMS, Sophos’ Firewall, and others.

While GhostSpider took all the limelight, Salt Typhoon was also spotted using other, never-seen-before variants, including a Linux backdoor called Masol RAT, a rootkit called Demodex, and a backdoor named SnappyBee.

Known as one of the more dangerous threat actors, Salt Typhoon mostly focuses on data exfiltration and surveillance, often aimed at government agencies, political figures, and key industries in the U.S. and allied nations. Some of its notable victims include major U.S. telecommunications providers such as T-Mobile, AT&T, Verizon, and Lumen Technologies.

Via BleepingComputer



  • Blue Yonder confirmed suffering a ransomware attack
  • Several of its customers came forward, saying they were affected, too
  • At press time, the company was still working on restoring services

Supply chain management giant Blue Yonder has confirmed suffering a ransomware attack that greatly disrupted its services - and as a result, many of its customers have also had trouble operating.

A short announcement published on the company’s website on November 22 said that a day before, it had “experienced disruptions to its managed services hosted environment”. Subsequent investigation confirmed that it was a ransomware attack.

“Since learning of the incident, the Blue Yonder team has been working diligently together with external cybersecurity firms to make progress in their recovery process. We have implemented several defensive and forensic protocols,” the announcement reads. “With respect to the Blue Yonder Azure public cloud environment, we are actively monitoring and currently do not see any suspicious activity.”

Hitting Starbucks

Newer updates do not share any meaningful information; however, multiple media publications have uncovered how the attack affected the company’s clients.

Blue Yonder is a leading supply chain management, logistics, and retail software company that uses AI and machine learning to optimize operations and improve decision-making. According to BleepingComputer, it has more than 3,000 clients around the world, including some of the biggest names out there - Coca-Cola Beverages Florida, Kimberly-Clark, and Bayer.

As per a CNN report, Starbucks is one of the companies feeling the effects of the ransomware attack. Allegedly, the coffee chain uses Blue Yonder to track and manage its baristas’ schedules. Furthermore, two of the four biggest grocery chains in the UK, Morrisons and Sainsbury’s, also confirmed being affected by the attack.

At press time, Blue Yonder was still working on restoring its services. So far, no threat actors have come forward to claim responsibility for the attack, so we don’t know who the attackers were, or how much money they are asking in exchange for the decryption key. Finally, we don’t know if Blue Yonder lost any company, or customer data in the process.



  • CISA adds CVE-2023-28461 to its Known Exploited Vulnerabilities catalog
  • Federal agencies have until December 16 to patch up
  • The bug is being abused by a Chinese group known as Earth Kasha

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new critical vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, warning federal agencies they have a three-week deadline to apply the available patch, or stop using the affected software altogether.

The agency added a missing authentication vulnerability to KEV tracked under CVE-2023-28461, which has a severity score of 9.8, and allows crooks to execute arbitrary code on remote devices.

It was discovered in Array Networks AG and vxAG secure access gateways, and was fixed in March 2023, with the first clean version of the software being version 9.4.0.484.

Earth Kasha

"Array AG/vxAG remote code execution vulnerability is a web security vulnerability that allows an attacker to browse the filesystem or execute remote code on the SSL VPN gateway using flags attribute in HTTP header without authentication," Array Networks said at the time. "The product can be exploited through a vulnerable URL."

Federal organizations have until December 16 to patch the software.

CISA did not detail the attacks, but Trend Micro claims a threat actor known as Earth Kasha was using it.

This Chinese group, also known as MirrorFace, was apparently abusing Array AG, ProSelf, and FortiNet for initial access. The group mostly targets victims in Japan, although it was observed going after organizations in Taiwan, India, and Europe. Going after US-based targets is not that common, it would seem.

Earth Kasha seems to be tied to the APT10 advanced persistent threat. The group primarily focuses on sectors like government, technology, and academia, and deploys malware such as LODEINFO, NOOPDOOR, and MirrorStealer to steal credentials, maintain persistence, and exfiltrate sensitive data. Their campaigns often involve credential dumping, DLL side-loading, and encrypted payloads.

Via The Hacker News



  • QNAP addresses 17 vulnerabilities with a variety of patches
  • Among the affected products are Notes Station 3, QuRouter, and others
  • Some of the bugs are deemed critical and highly dangerous

QNAP has released fixes for a number of security vulnerabilities, including several flaws deemed “critical”.

In total, QNAP addressed 17 different vulnerabilities, and the full detailed list can be found on this link. Since many of the flaws are critical and can be used to take over endpoints, steal sensitive data, and deploy malware, users are advised to apply the patches as soon as possible.

In its security advisory, QNAP said the vulnerabilities affected Notes Station 3, QuRouter, AI Core, QuLog Center, QTS, and QuTS Hero.

Patches and fixes

The most severe of the bugs is an OS command injection flaw that allows threat actors to run arbitrary commands on the target system. It impacts QNAP’s high-speed, secure routers QuRouter 2.4.x. It is tracked as CVE-2024-48860 and has a severity score of 9.5 (critical).

The second-highest critical vulnerability is tracked as CVE-2024-38645 and has a score of 9.4. It was found in QNAP’s note-taking and collaboration application Notes Station 3. This one is described as a server-side request forgery (SSRF) bug that enables threat actors with authentication credentials to send custom-built requests and ultimately expose sensitive app data.

Another Notes Station 3 flaw made the top three, CVE-2024-38643, with a severity score of 9.3. This missing authentication for critical functions bug allows crooks to gain unauthorized access and run different system functions, which can lead to credential theft and system compromise.

QNAP devices are extremely popular targets for cybercriminals, and as such should be handled with care. Security experts advise that these devices never be connected directly to the internet, but rather be protected behind a VPN.

Via BleepingComputer



  • Wirral University Teaching Hospital reports major cyber incident
  • Apparent attack forces hospital to shut down its IT systems to contain the damage
  • All non-emergency appointments were cancelled

A major UK hospital has suffered a cyberattack that brought most of its systems offline and severely crippled its operations.

In a statement, Wirral University Teaching Hospital (WUTH) revealed, “a major incident has been declared at the Trust for cyber security reasons.”

As a result, most appointments have been cancelled, with the statement adding, "our business continuity processes are in place, and our priority remains ensuring patient safety. All outpatient appointments scheduled today are cancelled. We apologize for any inconvenience and we will contact our patients as soon as possible to rearrange."

Attackers yet to be identified

“We urge all members of the public to attend the Emergency Department only for genuine emergencies. For non-urgent health concerns, please use NHS 111, visit a walk-in center, urgent treatment center, your GP, or pharmacist.”

Speaking to the Liverpool Echo, a staff member said “everything” went offline. “Everything is done electronically so there’s no access to records, results or anything so we are having to do everything manually, which is really difficult. The damage is huge."

WUTH is a major healthcare provider in the Wirral Peninsula, in the north-west of England. It is a National Health Service (NHS) trust that manages several healthcare facilities, with its primary site being Arrowe Park Hospital in Upton, Wirral.

The nature of the attack has not been disclosed. However, when an organization is forced to shut down parts, or the entire IT infrastructure, it is usually done to protect the systems from data theft and/or encryption. Therefore, it is safe to assume that this was either a ransomware attack, a data grab, or both.

At press time, no threat actors assumed responsibility for the attack, and we don’t know if they managed to steal the Trust’s sensitive data.

Due to the nature of the information they hold, healthcare organizations are one of the most attacked targets in the business world today.
