Today’s Cybersecurity Threats and Trends - 10/02/2024
The Golden Chicken that keeps laying More_Eggs.

1. Zimbra Remote Code Zero-Day
Primary Threat: A recent Remote Code Execution (RCE) vulnerability in Zimbra Collaboration Suite (CVE-2024-45519) is actively being exploited in the wild. According to Zimbra's advisory, the flaw allows unauthenticated attackers to execute arbitrary commands, making it critical for users to patch immediately. Exploited servers can be used for data exfiltration and other malicious activities.
MITRE Tactics: Initial Access, Execution
Risk: High – Critical servers exposed to the internet are at severe risk.
2. More_Eggs. More Problems.
Primary Threat: Cybercriminals have launched a spear-phishing campaign against recruiters, delivering the More_Eggs backdoor via fake resumes. This Trend Micro analysis reveals how the backdoor, part of the Golden Chickens malware-as-a-service toolkit, is capable of downloading additional payloads like ransomware and infostealers. It leverages phishing lures disguised as job applications to infiltrate organizations.
MITRE Tactics: Initial Access, Persistence
Risk: High – The backdoor enables attackers to deploy further malware undetected.
Did you know?
The concept of Malware-as-a-Service (MaaS) dates back to the mid-2000s, when cybercriminals began renting out malware like Zeus, one of the first banking trojans to be sold as a service. This allowed less tech-savvy criminals to launch sophisticated attacks without having to write the malware themselves. Over time, MaaS platforms evolved, leading to the rise of advanced tools like Golden Chickens, which includes the More_Eggs backdoor being used today to target recruiters and corporations worldwide.
3. E-Commerce Exploit: Adobe Assaulted
Primary Threat: Thousands of Adobe Commerce and Magento stores have been compromised through the CosmicSting exploit, which is leveraging the CVE-2024-34102 vulnerability. According to Sansec research, multiple hacking groups are vying for control of compromised stores, injecting payment skimmers into checkout pages. This has resulted in the theft of cryptographic keys and unauthorized access to customer data.
MITRE Tactics: Persistence, Collection
Risk: High – Widespread exploitation of e-commerce platforms could lead to significant financial losses.
4. PyPI Packages Pilfer Crypto
Primary Threat: A malicious actor uploaded fake PyPI packages targeting cryptocurrency wallets like Metamask and Trust Wallet. According to Checkmarx research, these packages exploited dependencies to steal mnemonic phrases and private keys, granting full access to users' wallets. The attack was carefully crafted, using misleading names and README files to appear legitimate and evade detection.
MITRE Tactics: Initial Access, Exfiltration
Risk: High – Users of cryptocurrency wallets are at risk of having their funds stolen.
5. Rackspace Third Party Risk Exposed
Primary Threat: In a recently disclosed attack, Rackspace experienced a data breach due to a zero-day vulnerability in the ScienceLogic SL1 platform. Attackers exploited the flaw to steal limited monitoring data, including IP addresses, customer usernames, and encrypted device credentials. Rackspace has since patched the vulnerability and rotated credentials to protect affected customers. More details are available in Rackspace’s statement to BleepingComputer.
MITRE Tactics: Persistence, Exfiltration
Risk: Medium – While limited data was exposed, attackers could exploit leaked IP addresses.
IN SUMMARY:
Today’s cybersecurity roundup highlights several critical issues, including a Zimbra RCE vulnerability under active attack and More_Eggs backdoor campaigns targeting recruiters.
We also covered CosmicSting exploits in Adobe Commerce and Magento stores, and how malicious PyPI packages are stealing crypto from unsuspecting users.
Finally, Rackspace was hit by a ScienceLogic zero-day that exposed sensitive monitoring data.
With multiple severe vulnerabilities and targeted attacks in the wild, organizations must act swiftly to patch and monitor systems.
So remember: Stay vigilant, patch promptly, and ‘it’s better to be paranoid than to be pwnd!’
J.W.