Cybersecurity Weekly: SonicWall zero-day, Experian leak, Python vulnerability
Hackers exploit a SonicWall zero-day bug in ransomware attacks. An Experian API exposed the credit scores of most Americans. Python was impacted by a critical IP address validation vulnerability. All this, and more, in this week’s edition of Cybersecurity Weekly.
1. Hackers exploit SonicWall zero-day bug in ransomware attacks
A financially motivated threat group exploited a zero-day flaw in SonicWall VPN appliances to deploy a new strain of ransomware called FIVEHANDS. The group took advantage of an improper SQL command neutralization flaw (SQL injection) that allows an unauthenticated attacker to achieve remote code execution on the appliance.
2. Experian API exposed credit scores of most Americans
Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address. Experian says it plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.
3. Python impacted by critical IP address validation vulnerability
Python’s ipaddress standard library module is affected by the same class of IP address validation flaw that was reported in the netmask library earlier this year: an IPv4 octet with a leading zero (for example "010") was silently parsed as decimal, whereas most other network stacks and libc parsers treat a leading zero as octal. A filter that uses ipaddress to decide whether a user-supplied address is private or loopback can therefore be bypassed, because the address the filter checks is not the address the socket connects to. The module provides developers with functions to easily create IP addresses and to parse and normalize IP addresses entered in different formats.
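The mismatch can be made concrete with a small script. The following is an added example written for this newsletter, not code from the Python project or from the vulnerability report: it emulates the unpatched ipaddress behaviour (leading zeros dropped, octet read as decimal), emulates the classic inet_aton rules (leading "0" is octal, "0x" is hex), and then shows a strict validator that only accepts canonical dotted-decimal input so the two interpretations can never diverge. The sample address strings are constructed for the demonstration; the function names are the author's own.

```python
"""Leading-zero IPv4 ambiguity: decimal vs. octal interpretation.

Added example (not from the page or the Python project). It emulates the
two parsers in pure Python so the script runs identically on any Python
version, including releases where ipaddress already rejects leading zeros.
"""
import ipaddress
import re

# Constructed inputs for the demonstration. Each one is a plausible value a
# user could submit to an "allow this URL/host" form.
SAMPLES = ["10.8.8.8", "010.8.8.8", "0x0a.8.8.8", "0177.0.0.1", "127.000.000.001"]

_CANONICAL_OCTET = re.compile(r"0|[1-9][0-9]{0,2}")


def _four_parts(text: str) -> list[str]:
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"{text!r}: expected four dotted parts")
    return parts


def unpatched_ipaddress_view(text: str) -> str:
    """What the vulnerable ipaddress module returned: every octet read as
    base-10, so '010' became 10 and '000' became 0."""
    octets = []
    for part in _four_parts(text):
        if not part.isdigit():
            raise ValueError(f"{text!r}: {part!r} is not a decimal octet")
        value = int(part, 10)
        if value > 255:
            raise ValueError(f"{text!r}: octet {part!r} out of range")
        octets.append(value)
    return ".".join(map(str, octets))


def legacy_inet_aton(text: str) -> str:
    """The BSD/glibc inet_aton rules for a four-part address: '0x' prefix is
    hexadecimal, a leading '0' is octal, anything else is decimal.
    (inet_aton also accepts 1- to 3-part forms; those are out of scope here.)"""
    octets = []
    for part in _four_parts(text):
        if re.fullmatch(r"0[xX][0-9a-fA-F]+", part):
            value = int(part[2:], 16)
        elif re.fullmatch(r"0[0-7]+", part):
            value = int(part, 8)
        elif re.fullmatch(r"0|[1-9][0-9]*", part):
            value = int(part, 10)
        else:
            raise ValueError(f"{text!r}: {part!r} is not a valid inet_aton octet")
        if value > 255:
            raise ValueError(f"{text!r}: octet {part!r} out of range")
        octets.append(value)
    return ".".join(map(str, octets))


def strict_ipv4(text: str) -> ipaddress.IPv4Address:
    """Accept only canonical dotted-decimal (no leading zeros, no hex), then
    hand the string to ipaddress. Because the accepted grammar is a subset of
    both parsers' grammars, every accepted string means the same thing to both."""
    parts = _four_parts(text)
    if not all(_CANONICAL_OCTET.fullmatch(p) for p in parts):
        raise ValueError(f"{text!r}: not canonical dotted-decimal IPv4")
    return ipaddress.IPv4Address(text)  # still enforces the 0..255 range


def is_allowed_target(text: str) -> bool:
    """Example SSRF guard: reject non-canonical input outright, then block
    private and loopback destinations."""
    try:
        addr = strict_ipv4(text)
    except ValueError:
        return False
    return not (addr.is_private or addr.is_loopback)


def disagreement(text: str) -> bool:
    """True when the unpatched decimal view and the inet_aton view differ,
    i.e. the input could pass a filter and still reach a different host."""
    try:
        return unpatched_ipaddress_view(text) != legacy_inet_aton(text)
    except ValueError:
        return False


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:>16}  unpatched={unpatched_ipaddress_view(s):<15} "
              f"inet_aton={legacy_inet_aton(s):<15} allowed={is_allowed_target(s)}")
```

The interesting row is "010.8.8.8": the unpatched module saw 10.8.8.8 (private, would be blocked by a naive filter only if the filter was reached), while inet_aton resolves it to 8.8.8.8; conversely "0177.0.0.1" looks like an external 177.0.0.1 to a decimal parser but is 127.0.0.1 to the socket layer. The strict validator refuses both forms rather than trying to guess which interpretation the downstream connector will use.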
4. Task force seeks to disrupt ransomware payments
In an 81-page report from last week, top executives from several security firms joined the U.S. Department of Justice, Europol and the U.K. National Crime Agency in calling for an international coalition to combat ransomware criminals, and for a global network of ransomware investigation hubs.
5. Passwordstate warns of ongoing phishing attacks following data breach
Last week, Click Studios warned customers of an ongoing phishing attack by an unknown threat actor. Attackers employed sophisticated techniques to compromise Passwordstate's update mechanism, using it to drop malware on user computers. Only customers who performed in-place upgrades between April 20 and April 22 are said to be affected.
6. New PHP composer bug could enable supply-chain attacks
The maintainers of Composer shipped an update to address a critical vulnerability that could have allowed an attacker to execute arbitrary commands and backdoor every PHP package, resulting in a supply-chain attack. The security issue was discovered and reported on April 22, and a hotfix was deployed less than 12 hours later.
7. LuckyMouse hackers target banks, companies and governments
An adversary known for its watering hole attacks against government entities was linked to a slew of newly detected intrusions targeting various organizations in Central Asia and the Middle East. The malicious activity, collectively named EmissarySoldier, is said to have happened in 2020 with the goal of obtaining geopolitical insights in the region.
8. Stolen ParkMobile data is now free for scammers
Account information of almost 22 million ParkMobile customers is now in the hands of hackers and scammers after the data was released for free on a hacking forum. When a threat actor is unable to sell a stolen database, or buyers show little interest, it is common for the data to be released on hacker forums for free.
9. Hotbit cryptocurrency exchange down after hackers targeted wallets
Cryptocurrency trading platform Hotbit shut down all services for at least a week after a cyberattack that took down several of its services last Thursday evening. Hotbit assured its roughly 2 million registered users from over 210 countries that their cryptocurrency assets were safe and secure.
10. Rust-based Buer malware variant spotted in the wild
Cybersecurity researchers disclosed a new malspam campaign distributing a fresh variant of a malware loader called Buer written in Rust. Dubbed RustyBuer, the malware is propagated via emails masquerading as shipping notices from DHL Support, and is said to have affected more than 200 organizations across more than 50 verticals since early April.