Cybersecurity Weekly: Cisco VPN flaws, Chrome zero-day fix, new DDoS botnet
Critical flaws are reported in Cisco VPN routers for businesses. Google fixes Chrome zero-day actively exploited in the wild. The new Matryosh DDoS botnet has been targeting Android-based devices. All this, and more, in this week’s edition of Cybersecurity Weekly.
1. Critical flaws reported in Cisco VPN routers for businesses
Cisco rolled out fixes for multiple critical vulnerabilities in the web-based management interface of its small business routers. The flaws could allow an unauthenticated, remote attacker to execute arbitrary code as root on an affected device, and they affect routers running any firmware release earlier than 1.0.01.02.
2. Google fixes Chrome zero-day actively exploited in the wild
Google addressed an actively exploited Chrome zero-day on Windows, Mac and Linux. The bug is described as a heap buffer overflow in V8, Google's open-source JavaScript and WebAssembly engine, and it can be exploited to execute arbitrary code on systems running a vulnerable Chrome build.
3. New Matryosh DDoS botnet targeting Android-based devices
A new malware campaign is co-opting Android devices into a botnet whose primary purpose is carrying out distributed denial-of-service attacks. The threat reuses the Mirai botnet framework and propagates through exposed Android Debug Bridge (ADB) interfaces to infect Android devices and ensnare them in its network.
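The propagation vector above is an ADB daemon listening on the network without key-based authentication. The following is an added example (not code from the article, the Matryosh analysis, or the Android project) of the check a defender would run against their own fleet: it speaks the ADB wire protocol, sends the initial CNXN handshake and classifies the reply. A CNXN reply means an unauthenticated shell is reachable; an AUTH reply means the device at least demands a paired RSA key. The message layout and constants follow the public ADB protocol description; the TCP port 5555 default and the sample replies in the tests are assumptions constructed for the example.

```python
import socket
import struct

# ADB wire protocol: 24-byte little-endian header followed by a payload.
# Constants and layout from the ADB protocol description; the TCP port is
# the conventional "adb tcpip 5555" default (assumption for this example).
A_CNXN = 0x4E584E43      # "CNXN" connect
A_AUTH = 0x48545541      # "AUTH" authentication challenge
A_VERSION = 0x01000000   # protocol version we advertise (checksums in use)
MAX_PAYLOAD = 4096
ADB_PORT = 5555
ADB_AUTH_TOKEN = 1       # AUTH arg0 when the device sends a challenge token

HEADER = struct.Struct("<IIIIII")  # command, arg0, arg1, data_length, data_check, magic


def build_message(command, arg0, arg1, data=b""):
    """Serialize one ADB message: header + payload."""
    data_check = sum(data) & 0xFFFFFFFF
    magic = command ^ 0xFFFFFFFF
    return HEADER.pack(command, arg0, arg1, len(data), data_check, magic) + data


def parse_message(raw):
    """Parse a message; returns (command, arg0, arg1, payload), raises ValueError if malformed."""
    if len(raw) < HEADER.size:
        raise ValueError("short header")
    command, arg0, arg1, length, check, magic = HEADER.unpack_from(raw)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad magic: not an ADB message")
    payload = raw[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if (sum(payload) & 0xFFFFFFFF) != check:
        raise ValueError("payload checksum mismatch")
    return command, arg0, arg1, payload


def is_adb_reply(raw):
    """True if the bytes parse as a well-formed ADB message."""
    try:
        parse_message(raw)
        return True
    except ValueError:
        return False


def classify_reply(raw):
    """Turn the device's answer to our CNXN into a finding: (state, banner)."""
    command, arg0, _, payload = parse_message(raw)
    if command == A_CNXN:
        # Device accepted the connection outright: no key auth, full adb shell access.
        banner = payload.rstrip(b"\0").decode("ascii", errors="replace")
        return "OPEN", banner
    if command == A_AUTH and arg0 == ADB_AUTH_TOKEN:
        # Device wants an RSA signature over its token: exposed, but not wide open.
        return "AUTH_REQUIRED", ""
    return "UNKNOWN", ""


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before a full ADB message arrived")
        buf += chunk
    return buf


def probe_adb(host, port=ADB_PORT, timeout=3.0):
    """Network probe (not exercised by the offline tests): connect, send CNXN, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\0"))
        header = _recv_exact(s, HEADER.size)
        length = HEADER.unpack(header)[3]
        if length > MAX_PAYLOAD:
            raise ValueError("reply payload exceeds negotiated maximum")
        return classify_reply(header + _recv_exact(s, length))
```

Run `probe_adb` against each address on a device VLAN; anything that returns `OPEN` is exactly what a Mirai-style scanner is looking for, and even `AUTH_REQUIRED` means the daemon is reachable and should be taken off the network (`adb usb`, or a firewall rule on 5555) unless there is a reason for it.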
4. Critical bugs found in Realtek Wi-Fi module for embedded devices
Major vulnerabilities have been discovered in the Realtek RTL8195A Wi-Fi module that could have been exploited to gain root access and take complete control of a device's wireless communications. The flaws concern a mix of stack overflow and out-of-bounds reads that stem from the device’s authentication process.
5. Eletrobras, Copel energy companies hit by ransomware attacks
Two major electric utility companies in Brazil suffered ransomware attacks over the past week. The plants' operational networks are segregated from the administrative network, for obvious security reasons, so the electricity supply to the National Interconnected System remained unaffected.
6. Hackers steal Stormshield firewall source code in data breach
Stormshield disclosed a breach in which a threat actor accessed the company's support ticket system and stole source code for its Stormshield Network Security firewall software. The company's investigation found no indication that the source code had been modified.
7. Hacking group used an IE zero-day against security researchers
Last month, Google disclosed that the hacking group known as Lazarus was running social engineering attacks against security researchers. The operators built elaborate online personas posing as security researchers and used social media to approach well-known researchers with offers to collaborate on vulnerability and exploit development; the campaign has since been tied to an Internet Explorer zero-day.
8. Plex Media servers actively abused to amplify DDoS attacks
Plex Media Server systems are actively being abused by DDoS-for-hire services as a UDP reflection/amplification vector. The junk traffic reflected onto victims comes from Plex's G'Day Mate (GDM) local-network discovery service, an SSDP-like protocol, when that UDP service is reachable from the internet: a small spoofed probe elicits a larger reply addressed to the victim.
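To see whether one's own server is a usable amplifier, the test is simply to send the discovery probe from outside the LAN and compare bytes sent against bytes received. The following is an added example, not code from the article, Netscout or Plex: it parses a GDM reply and computes the amplification factor. The probe string, the UDP port 32414 and the reply header names are assumptions based on Plex's local discovery behaviour and are not stated in the article; the sample reply is constructed for the example.

```python
import socket

# Assumed (not from the article): Plex GDM listens on UDP 32414 and answers an
# SSDP-style M-SEARCH with an HTTP-like response describing the server.
GDM_PORT = 32414
GDM_PROBE = b"M-SEARCH * HTTP/1.1\r\n\r\n"   # 23 bytes on the wire

# Constructed sample reply for offline use (header names modelled on GDM).
SAMPLE_REPLY = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: plex/media-server\r\n"
    b"Name: living-room\r\n"
    b"Port: 32400\r\n"
    b"Resource-Identifier: 0123abcd\r\n"
    b"Updated-At: 1612345678\r\n"
    b"Version: 1.21.3.4014\r\n"
    b"\r\n"
)


def parse_gdm_reply(raw):
    """Split an HTTP-like GDM reply into (status line, lowercase header dict)."""
    text = raw.decode("utf-8", errors="replace")
    status, _, rest = text.partition("\r\n")
    headers = {}
    for line in rest.split("\r\n"):
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return status, headers


def amplification_factor(request, reply):
    """Bytes returned per byte sent: the ratio a booter service cares about."""
    return len(reply) / len(request)


def assess(request, reply, threshold=2.0):
    """Summarize one probe/reply pair; 'amplifier' is True when the reply
    is at least `threshold` times the size of the request."""
    factor = amplification_factor(request, reply)
    status, headers = parse_gdm_reply(reply)
    return {
        "status": status,
        "server": headers.get("name"),
        "version": headers.get("version"),
        "factor": round(factor, 2),
        "amplifier": factor >= threshold,
    }


def probe_plex(host, port=GDM_PORT, timeout=2.0):
    """Network probe (not run by the offline tests). Returns None if the
    service does not answer, otherwise the assessment of its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(GDM_PROBE, (host, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return assess(GDM_PROBE, reply)
```

Any reply at all to a probe sent from the public internet is the finding that matters: GDM is a LAN discovery mechanism, and the fix is to stop forwarding or exposing its UDP port rather than to tune the response size.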
9. Three more vulnerabilities found in SolarWinds products
Security researchers have discovered three more vulnerabilities in SolarWinds products, including a critical remote code execution bug. The most severe relates to the legacy Microsoft Message Queuing (MSMQ) technology, which is set up during installation and could allow any remote unprivileged user to execute arbitrary code with the highest privileges.
10. Social media platforms target resellers of hacked accounts
Last week, Facebook, Instagram, TikTok and Twitter all took steps to crack down on users involved in trafficking hijacked user accounts across their platforms. The coordinated action seized hundreds of accounts the companies say have played a major role in facilitating the trade and often lucrative resale of compromised, highly sought-after usernames.