Weekly News Digest 11-17 November
More Chinese hackers building network with hacked routers
Researchers have blogged about a Chinese hacking group called Storm-0940 that is building a substantial small office and home office (SOHO) botnet using malware known as Quad7 (aka CovertNetwork-1658 or xlogin). An interesting feature of the attacks by this group is their use of low-rate password spraying, where a targeted machine or account is hit with a password spray attack around once a day, a level that is unlikely to trigger any alarms.
However, despite the lethargic rate of initial activity, should the attack result in successful entry, the attacker wastes little time in accessing the device and exploring the network to see what’s available inside. They also perform other activities, which include establishing a better foothold within the network by installing additional malware, opening up a command shell on TCP port 7777, and downloading and installing a SOCKS5 server to operate on TCP port 11288.
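A detection sketch for the low-rate spraying described above, added here as an example (not code from the researchers or the original digest): a short-window failure threshold misses a once-a-day cadence, while a long-window count of distinct failure days catches it. The event format, account names, documentation-range IPs and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, account, source IP, success).
# IPs come from documentation ranges; none of this is real telemetry.
def build_events():
    day0 = datetime(2024, 11, 1, 3, 0)
    events = []
    # "alice": one failed attempt per day for 7 days, a different source each day.
    for d in range(7):
        ts = day0 + timedelta(days=d, minutes=17 * d)
        events.append((ts, "alice", f"203.0.113.{10 + d}", False))
    # "bob": noisy burst, 6 failures in under two minutes from one source.
    for s in range(6):
        events.append((day0 + timedelta(seconds=20 * s), "bob", "198.51.100.7", False))
    # "carol": a mistyped password, then a success from the same source.
    events.append((day0, "carol", "192.0.2.50", False))
    events.append((day0 + timedelta(minutes=1), "carol", "192.0.2.50", True))
    return sorted(events)

def burst_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Lockout-style rule: >= threshold failures per account inside the window."""
    fails = defaultdict(list)
    flagged = set()
    for ts, acct, _ip, ok in events:
        if ok:
            continue
        recent = [t for t in fails[acct] if ts - t <= window] + [ts]
        fails[acct] = recent
        if len(recent) >= threshold:
            flagged.add(acct)
    return flagged

def slow_spray_alerts(events, min_days=5, max_per_day=2):
    """Long-window rule: failures on many distinct days, few per day, from
    sources that never signed in successfully to that account."""
    good_sources = {(acct, ip) for _ts, acct, ip, ok in events if ok}
    per_day = defaultdict(lambda: defaultdict(int))
    for ts, acct, ip, ok in events:
        if not ok and (acct, ip) not in good_sources:
            per_day[acct][ts.date()] += 1
    return {acct for acct, days in per_day.items()
            if len(days) >= min_days and max(days.values()) <= max_per_day}

if __name__ == "__main__":
    ev = build_events()
    print("burst rule flags:", burst_alerts(ev))
    print("slow-spray rule flags:", slow_spray_alerts(ev))
```

The thresholds need tuning against a baseline of normal failed sign-ins before either rule is used for alerting.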
The attackers have been known to target devices from various companies including those from TP-Link, ASUS, Ruckus, Axentra, and Zyxel but are particularly successful with TP-Link devices, which provide the bulk of hacked routers in the network of compromised devices.
Chinese hackers are known for targeting internet-connected devices for building botnets. In September 2024, the Federal Bureau of Investigation (FBI) and partner agencies detailed their work against another Chinese threat actor known as Flax Typhoon, which resulted in the demise of a 260,000-device-strong botnet.
German police arrest DDoS review site operators
German police shut down the Dstat[.]cc distributed denial-of-service (DDoS) review platform and arrested two suspects who allegedly operated the site.
The now-shuttered site provided information about so-called stresser and booter services, which are tools used to carry out DDoS attacks. It also provided reviews and contact information for the services, allowing potential subscribers to compare and find the best service for their malicious needs.
Law enforcement seized infrastructure tied to Dstat[.]cc, as well as Flight RCS — a clear web marketplace for synthetic drugs.
The two unnamed defendants, aged 19 and 28, are accused of “having provided and administered various criminal infrastructures on the Internet” both for selling narcotics and for “computer sabotage.”
The operation was conducted by the Central Office for Combating Internet Crime in Frankfurt, the Hessian State Criminal Police Office and the Federal Criminal Police Office.
Ahold Delhaize notifies public of a cyber incident affecting U.S. operations
Ahold Delhaize, the Dutch parent company of several U.S. supermarket brands that include Stop & Shop, Hannaford, Food Lion, and Giant Food, has announced that it had “detected a cybersecurity issue within its U.S. network.” The firm added that it immediately took steps to limit damage and investigate the attack with external security experts and law enforcement.
The announcement mentioned that “mitigating actions have affected” some operations and services. This is backed up by reports in the media that customers have been unable to order online for delivery and some websites were taken offline. However, physical stores are still able to provide service for those who can visit them.
At this time, few details have been shared about the nature of the attack. Ransomware groups have been highly active in targeting U.S. businesses and organizations in recent times, but no ransomware group has yet claimed responsibility for this attack.
1.5 Million affected by breach at Set Forth
Forth and Centrex, a provider of cloud-based CRM systems for debt relief based in Illinois, has filed a breach report with the Maine Attorney General’s Office. The report states that the company suffered a data breach, discovered in May 2024, that impacted around 1.5 million individuals whose details are held by the Set Forth system.
The system is used by many businesses to manage their customer relationships and the data breach at Forth has led to an attacker gaining access to documents and files containing details of customers of the businesses that use the system. Data affected in the breach is said to include personal information such as names, addresses, dates of birth, and Social Security numbers.
The company is sending notifications to affected individuals informing them of the incident and offering 12 months of identity theft protection for their troubles.
Amazon confirms employee data breach after stolen data posted online
Amazon has confirmed that employee data was compromised after a “security event” at a third-party vendor.
The disclosure comes after data allegedly stolen during the May 2023 MOVEit attacks was leaked online last week. A threat actor known as Nam3L3ss published over 2.8 million lines of Amazon employee data, including names, contact information, building locations, email addresses, and more.
An Amazon spokesperson confirmed Nam3L3ss’ claims, stating that the data was stolen from systems belonging to a third-party service provider. “Amazon and AWS systems remain secure, and we have not experienced a security event. We were notified about a security event at one of our property management vendors that impacted several of its customers including Amazon,” the spokesperson said.
Nam3L3ss also leaked the data from twenty-five other companies; however, the hacker said that not all the leaked data was stolen in MOVEit attacks.
CISA warns of more Palo Alto Networks bugs exploited in attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday (November 14) added two more Palo Alto Networks Expedition migration tool vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
The vulnerabilities are as follows:
- CVE-2024-9463 (CVSS score: 9.9) – Palo Alto Networks Expedition OS Command Injection Vulnerability
- CVE-2024-9465 (CVSS score: 9.3) – Palo Alto Networks Expedition SQL Injection Vulnerability
Exploiting the flaws can allow an unauthenticated attacker to run arbitrary OS commands as root in the Expedition migration tool or reveal its database contents. A successful attack could pave the way for disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls, or create and read arbitrary files on the vulnerable system.
Palo Alto Networks patched the flaws in October but has since revised its original advisory to acknowledge that it is “aware of reports from CISA that there is evidence of active exploitation for CVE-2024-9463 and CVE-2024-9465.” No further details have been issued about how the bugs are exploited in the wild.
The news comes after CISA last week warned of another critical vulnerability in the Palo Alto Networks Expedition tool being actively exploited in attacks.
Protection
For the latest protection updates, please visit the Symantec Protection Bulletin.
Cisco investigating breach after data offered for sale
Cisco is investigating claims that it suffered a breach after data allegedly stolen from the tech giant was offered for sale on a hacking forum.
“Cisco is aware of reports that an actor is alleging to have gained access to certain Cisco-related files,” a Cisco spokesperson told BleepingComputer. “We have launched an investigation to assess this claim, and our investigation is ongoing.”
The news follows claims made by the threat actor known as IntelBroker who said that they and two others called EnergyWeaponUser and zjj breached Cisco on October 6 and stole a large amount of developer data.
According to IntelBroker, the stolen data includes GitHub and GitLab projects, SonarQube projects, source code, hardcoded credentials, confidential documents, Jira tickets, API tokens, AWS private buckets, Docker builds, Azure storage buckets, private and public keys, SSL certificates, and product information. IntelBroker claims that dozens of high-profile companies were affected by the breach.
Palo Alto Networks: Critical firewall bug exploited in attacks
Palo Alto Networks is warning customers about a critical zero-day vulnerability on Next-Generation Firewalls (NGFW) management interfaces that it says is actively being exploited in attacks.
Palo Alto Networks initially disclosed the flaw on November 8, warning customers to restrict access to their next-generation firewalls because of a “potential” remote code execution (RCE) vulnerability. Now the company has updated its advisory, stating that it has observed threat activity exploiting the bug against a limited number of internet-exposed firewall management interfaces.
“At this time, we believe devices whose access to the Management Interface is not secured as per our recommended best practice deployment guidelines are at increased risk,” warned the vendor.
The vulnerability, currently tracked as PAN-SA-2024-0015, received a CVSS severity score of 9.3. The flaw is remotely exploitable and requires no authentication or user interaction. An attacker can exploit the vulnerability by simply sending a specially crafted request.
“At this time, securing access to the management interface is the best recommended action,” said Palo Alto Networks. “As we investigate the threat activity, we are preparing to release fixes and threat prevention signatures as early as possible.”
Facebook users warned of fake Bitwarden ad pushing malicious Chrome extension
Users of Facebook are advised to be wary of fake ads for Bitwarden, a popular password management tool with a free use option.
Interestingly, the fake ads appear to be designed for those who already use Bitwarden, since they warn users that their Bitwarden version is outdated and needs updating for “safe browsing.” Should the user interact with the ads, they end up at a fake page at the domain of chromewebstoredownload[.]com. The page masquerades as a Chrome Web Store page offering the Bitwarden Password Manager as a Chrome browser extension to install.
Perhaps the dead giveaway for its fakeness is the detailed instructions on how to manually download the extension as a ZIP file, extract it, and then install it with Developer Mode on. Real approved Chrome extensions from the Chrome Web Store naturally do not require all these convoluted steps to be installed, but this may catch out inexperienced users.
Should the user follow all the steps, they would end up with a malicious browser extension that can monitor activity in the browser and steal data, including cookies, as well as manipulate content displayed in the browser.
Sources:
- Fake Bitwarden ads on Facebook push info-stealing Chrome extension
- Palo Alto Networks Confirms New Firewall Zero-Day Exploitation – SecurityWeek; CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)
- CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA; PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials
- Amazon confirms employee data breach after vendor hack; MOVEit Vulnerabilities: What You Need to Know | Symantec Enterprise Blogs; Vulnerability Breach: Massive Corporate Data Leaks Exposed | InfoStealers
- Debt Relief Firm Forth Discloses Data Breach Impacting 1.5 Million People – SecurityWeek
- Ahold Delhaize statement on Ahold Delhaize USA cybersecurity issue; Hannaford Supermarkets experience cyber security issues
- Chinese threat actor Storm-0940 uses credentials from password spray attacks from a covert network | Microsoft Security Blog