Cyber Security News and Trends - November


Cyber Security News and Trends - NEWS

  1. ChatGPT Sandbox Allows Access to Internal Environment and Playbook Data. OpenAI’s ChatGPT platform provides users with extensive access to its isolated sandbox environment, allowing actions such as uploading and executing programs, listing files, and managing file systems within restricted directories. Researchers have demonstrated that users can upload custom Python scripts, execute Linux commands, and browse directories like "/home/sandbox/.openai_internal/," which holds configuration data. While the environment ensures security by blocking access to sensitive files (e.g., /root or /etc/shadow), users can interact with accessible files and folders, including the /mnt/data directory for uploads and downloads. This level of interaction is designed to be secure within the sandbox, preventing users from escaping to the host system. However, a notable discovery was the ability to access and download the "playbook," which outlines how the model generates responses and handles user queries. This transparency can foster trust but also carries risks, as it may reveal the model’s internal structure, guardrails, or ways to bypass safety measures. Though the sandbox operates in isolation, the ability to reverse-engineer the playbook could potentially be exploited to gather proprietary insights or manipulate responses.
  2. Hackers Use macOS Extended File Attributes to Deliver New Trojan "RustyAttr". Hackers are exploiting macOS extended file attributes (EAs) to deliver a novel Trojan dubbed "RustyAttr." The threat actor hides malicious code within custom file metadata and uses decoy PDF documents to evade detection. This technique, similar to the Bundlore adware in 2020, abuses file attributes in macOS to conceal payloads and bypass traditional security measures. Researchers at Group-IB identified the malware, attributing it with moderate confidence to the North Korean threat actor Lazarus. The attack method is highly effective, as none of the files were flagged by VirusTotal security agents. RustyAttr is delivered via a Tauri framework-based app that loads a malicious shell script stored in a hidden EA called "test." The app also launches decoy PDFs and error dialogs to divert user suspicion. Although the malware’s next stage remains unknown, researchers discovered communication with a Lazarus-controlled server to fetch the payload.
  3. Critical Vulnerability in EoL D-Link NAS Devices Exploited in Attacks. A critical vulnerability in end-of-life (EoL) D-Link NAS devices is being actively exploited by attackers. The flaw, a command injection vulnerability, affects several models including DNS-320, DNS-320LW, DNS-325, and DNS-340L, which no longer receive security updates from D-Link. Discovered by security researcher Netsecfish, the vulnerability allows unauthenticated attackers to inject arbitrary shell commands by sending malicious HTTP GET requests to vulnerable devices exposed online. Shadowserver's monitoring has detected exploitation attempts since November 12, with over 41,000 unique IP addresses being targeted. Despite warnings from D-Link urging customers to retire these devices, attacks are ongoing, highlighting the risks of using unsupported hardware. D-Link has emphasized that these EoL devices no longer receive firmware updates or customer support, and recommends replacing them with newer models. The company also warned users to restrict Internet access to these vulnerable devices to mitigate the risk of exploitation, as they have been previously targeted in ransomware attacks. Although D-Link is not planning to issue a fix for the flaw, users are strongly advised to follow the company's guidance to avoid potential security breaches.
  4. Critical Veeam RCE Bug Exploited in Frag Ransomware Attacks. A critical vulnerability in Veeam Backup & Replication (VBR) has been exploited by ransomware groups, including Frag, Akira, and Fog. The flaw, caused by a deserialization of untrusted data, allows unauthenticated attackers to execute remote code on Veeam servers. Researchers from Code White and WatchTowr Labs initially delayed disclosing a proof-of-concept exploit to allow admins time to patch the issue. Despite this, attackers quickly used the flaw, often in conjunction with stolen VPN credentials, to gain access to unpatched, internet-exposed servers and deploy ransomware. The Frag ransomware group, in particular, has been leveraging this vulnerability along with Living Off The Land binaries (LOLBins) to evade detection. Veeam’s products are widely used, with over 550,000 customers globally, making them a frequent target for threat actors aiming to compromise backup infrastructures.
  5. Cisco Fixes Critical Command Injection Vulnerability in URWB Access Points. Cisco has patched a severe vulnerability that allows attackers to execute commands with root privileges on vulnerable Ultra-Reliable Wireless Backhaul (URWB) access points. These access points, used for industrial wireless automation, are impacted by a flaw in Cisco's Unified Industrial Wireless Software's web-based management interface. The vulnerability allows unauthenticated attackers to exploit the system through crafted HTTP requests, leading to arbitrary command execution on the affected device’s underlying operating system. The flaw affects specific Catalyst access points and wireless clients, but only when running vulnerable software and with URWB operating mode enabled. Cisco’s security team has not found any evidence of active exploitation or publicly available exploit code. Admins can check for vulnerability exposure by running a simple command to confirm if URWB mode is enabled on their devices.
  6. Pygmy Goat Malware Targets Sophos Firewalls in Chinese Cyberattack Campaign. The UK's National Cyber Security Centre (NCSC) has revealed details of a custom Linux-based malware named "Pygmy Goat," used to backdoor Sophos XG firewall devices during a series of sophisticated cyberattacks attributed to Chinese threat actors. This malware, identified in attacks dating back to 2022, is a rootkit that mimics Sophos file naming conventions to evade detection. It is deployed as an ELF shared object ('libsophos.so') and uses the LD_PRELOAD environment variable to infiltrate the SSH daemon (sshd). Once active, Pygmy Goat monitors SSH traffic for a specific sequence of bytes, identifying and redirecting backdoor connections to an internal Unix socket for further communication with a Command and Control (C2) server. The malware also listens for ICMP packets containing AES-encrypted payloads that provide C2 communication details. It communicates securely over TLS, using an embedded certificate designed to mimic Fortinet's "FortiGate" CA, blending into environments where Fortinet devices are common. To maintain persistence, Pygmy Goat can execute various commands, including opening shell sessions, capturing network traffic, managing cron jobs, and deploying a SOCKS5 reverse proxy through the EarthWorm toolkit, ensuring that C2 traffic remains hidden within the compromised network.


Cyber Security News and Trends - BLOG

The costly Human Error

Our approach to protecting information has always focused on securing the digital assets that store, process, and transfer it. With breaches increasing, it is evident that this strategy solves only half of the puzzle; the other half, the human factor, is not taken seriously.

Industry reports show that human error is the cause of nearly 95% of breaches. The key factors driving human error are negligence and lack of awareness, both of which lead to data breaches.



Mail bombing

The Threat of Mailbombing: Understanding, Impact, and Prevention

Mailbombing, also known as email bombing or letter bomb attack, is a malicious cyberattack in which a massive volume of emails is sent to a targeted email address or mail server with the intent to overwhelm and disrupt the recipient's inbox or the mail server itself. This inundation of emails can render the victim's email account or server inoperable, causing significant disruption and potential loss of productivity.
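One practical prevention step is to detect a mail-bombing burst early, before the inbox or server is saturated. The following is an added example (not code from the newsletter or from Intelliroot) that counts messages per recipient in a sliding time window over constructed MTA-style log lines; the log format, field names and thresholds are assumptions chosen for the illustration, and real deployments would map their own MTA log fields onto the parser.

```python
"""Added example (not part of the original newsletter): flag recipients hit by a
mail-bombing burst, using a sliding time window over constructed MTA-style log lines.

Assumed log format (constructed, simplified Postfix-like):
    <ISO-8601 timestamp> to=<recipient> from=<sender>
Lines are assumed to be in chronological order, as an MTA log normally is.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_line(line):
    """Split one log line into (timestamp, recipient, sender)."""
    ts_str, fields = line.split(" ", 1)
    kv = dict(f.split("=", 1) for f in fields.split())
    return datetime.fromisoformat(ts_str), kv["to"], kv["from"]


def detect_bursts(lines, window=timedelta(minutes=5), threshold=100):
    """Return {recipient: alert} for every recipient that received more than
    `threshold` messages inside any `window`-long sliding interval.

    The alert records the count and the number of distinct senders seen in that
    window: a mail bomb typically arrives from many unrelated senders (signup
    forms, newsletters), which distinguishes it from one chatty sender.
    """
    recent = defaultdict(deque)   # recipient -> deque of (timestamp, sender)
    alerts = {}
    for line in lines:
        ts, rcpt, sender = parse_line(line)
        q = recent[rcpt]
        q.append((ts, sender))
        # Drop entries that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) > threshold and rcpt not in alerts:
            alerts[rcpt] = {
                "count": len(q),
                "distinct_senders": len({s for _, s in q}),
                "window_start": q[0][0],
                "window_end": ts,
            }
    return alerts


def build_sample_log():
    """Constructed sample: normal traffic to alice, a burst of 150 messages in
    under three minutes to bob from many different senders."""
    base = datetime(2024, 11, 20, 10, 0, 0)
    lines = []
    for i in range(60):  # one newsletter per minute for an hour
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} to=alice@example.com from=news@vendor.example")
    for i in range(150):  # one message per second, each from a new sender
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} to=bob@example.com from=signup{i}@shop{i % 40}.example")
    lines.sort()  # fixed-width ISO timestamps sort chronologically as strings
    return lines


if __name__ == "__main__":
    for rcpt, alert in detect_bursts(build_sample_log()).items():
        print(f"ALERT {rcpt}: {alert['count']} messages from "
              f"{alert['distinct_senders']} senders between "
              f"{alert['window_start']} and {alert['window_end']}")
```

The threshold and window are deliberately conservative here; in practice they are tuned per environment, and the alert is the trigger for rate-limiting or quarantining inbound mail to that recipient rather than an automatic block on its own.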



Cyber Security News and Trends - Top Vulnerabilities

  1. CVE-2024-10396 affects the fileserver's StoreACL RPC: a malformed ACL supplied to it can lead to a fileserver crash, potential exposure of uninitialized memory, and the storage of incorrect data in the audit log. Additionally, malformed ACLs sent via client FetchACL RPC responses could crash client processes and potentially leak uninitialized memory into other ACLs on the server.
  2. CVE-2024-52370 identifies a critical stack overflow vulnerability in a network acceleration module. This flaw arises from inadequate handling of buffer sizes, allowing attackers to exploit it by sending specially crafted packets. Successful exploitation can lead to unauthorized file access, potentially exposing sensitive data or enabling further attacks on the affected system. The CVSS score for this vulnerability is 9.8, emphasizing its critical nature.
  3. CVE-2024-52370 involves an Unrestricted File Upload vulnerability in Hive Support – WordPress Help Desk. This flaw allows attackers to upload malicious files, such as web shells, to the web server without proper validation. As a result, attackers can execute arbitrary commands or gain unauthorized control over the server. The vulnerability affects all versions of Hive Support – WordPress Help Desk from its initial release up to version 1.1.1. This poses a significant threat to the confidentiality, integrity, and availability of the affected systems. Users are strongly urged to update or apply security measures to mitigate the risk.
  4. CVE-2024-52369 refers to an Unrestricted File Upload vulnerability in Optimal Access Inc.'s KBucket. This vulnerability allows attackers to upload malicious files, such as web shells, to the server without proper security checks. Once uploaded, these files can be executed, enabling unauthorized access, remote command execution, or further compromise of the system. The issue affects all versions of KBucket from its inception up to version 4.1.6. This vulnerability poses a high risk to the security of affected systems, potentially impacting their confidentiality, integrity, and availability.
  5. CVE-2024-52393 highlights an Improper Neutralization of Special Elements in Podlove Podcast Publisher, specifically affecting versions up to 4.1.15. This vulnerability allows attackers with sufficient access, such as contributors, to exploit improper handling of user input in the template engine. As a result, attackers could execute arbitrary template code, potentially leading to data breaches, unauthorized access, or system manipulation.


Cyber Security News and Trends - Top Breaches

  1. UnitedHealth: On October 24, 2024, UnitedHealth revealed that over 100 million individuals were impacted by a data breach targeting its subsidiary, Change Healthcare. The BlackCat ransomware gang exploited vulnerabilities in the company’s systems, stealing a massive trove of sensitive data, including medical records, insurance details, and financial information. This breach, one of the largest in healthcare history, highlights severe gaps in security measures such as the lack of multi-factor authentication, which enabled attackers to access and encrypt critical systems.
  2. Cisco DevHub: On October 18, 2024, Cisco took its public-facing DevHub portal offline following a data leak by the hacker known as IntelBroker. The attacker claimed access to source code, API tokens, and other sensitive files but emphasized no personal or financial data was involved. Cisco confirmed the breach was limited to its DevHub environment, a developer resource platform, and assured that its internal systems remain uncompromised. Despite this, leaked files allegedly included hard-coded credentials and private keys, raising concerns about potential risks.
  3. Landmark Admin: The third-party insurance administrator disclosed a significant data breach stemming from a ransomware attack in May 2024. This incident affected the personal and financial data of approximately 806,519 individuals. The compromised data included names, Social Security numbers, health and financial records, and insurance policy details. The attack prompted Landmark to enhance its cybersecurity measures and offer identity theft protection to those impacted. While the attack’s perpetrators remain unidentified, the incident highlights the risks associated with third-party administrators handling sensitive data.
  4. Internet Archive: On October 21, 2024, a hacker linked to the breach of the Internet Archive claimed continued access to its systems. The breach impacted multiple services, including the Wayback Machine and Archive-It, temporarily disrupting these critical tools. The nonprofit organization, known for preserving digital history, confirmed restoration of key services but remains under scrutiny as antagonistic messages were sent to users seeking support. Investigations are ongoing to determine the full extent of the compromise and to bolster system security.
  5. Radiant Capital: The decentralized finance platform reported a security breach resulting in the theft of over $50 million in various cryptocurrencies. Hackers exploited the platform’s multisignature wallet by compromising three out of eleven signers, allowing them to manipulate smart contracts and siphon funds. The stolen assets included popular tokens like Ethereum, Binance Coin, and USDC. Radiant has since paused its lending markets on affected networks and is collaborating with blockchain security firms to trace and recover the stolen assets while urging users to revoke permissions on vulnerable smart contracts.


Cyber Security News and Trends - Top Malware

  1. New Glove infostealer malware bypasses Chrome’s cookie encryption: A new malware called Glove Stealer can bypass Google Chrome's App-Bound encryption to steal browser cookies. Discovered by Gen Digital researchers during a phishing campaign, it targets both Firefox and Chromium-based browsers (Chrome, Edge, Brave, etc.), and can exfiltrate sensitive data like cryptocurrency wallets, 2FA tokens, and passwords from apps like Bitwarden and LastPass. It also targets over 280 browser extensions and more than 80 locally installed apps. The malware uses social engineering tactics similar to previous phishing attacks. Despite its capability, Glove Stealer appears to be in its early stages of development.
  2. North Korean hackers use new macOS malware against crypto firms: A new multi-stage malware campaign called "Hidden Risk" is targeting crypto-related businesses, launched by the North Korean threat actor BlueNoroff. The attack begins with phishing emails that contain fake news about cryptocurrency developments to lure victims. The malware uses a novel persistence mechanism on macOS, allowing it to remain undetected on the latest OS versions. Researchers warn that this tactic bypasses security alerts, making it difficult to detect. As the campaign continues, crypto companies are advised to stay vigilant.
  3. New SteelFox malware hijacks Windows PCs using vulnerable driver: A new malware campaign called "SteelFox" has been discovered, targeting Windows systems to mine cryptocurrency and steal credit card data. The malware uses the "bring your own vulnerable driver" technique to gain SYSTEM privileges, a method commonly seen in state-sponsored and ransomware attacks. Distributed through torrent sites and forums as crack tools for software like Foxit PDF Editor and AutoCAD, SteelFox has been active since February 2023. Kaspersky researchers uncovered the campaign in August, reporting an uptick in its distribution. The malware has been blocked over 11,000 times by Kaspersky products.
  4. New Android Banking Malware 'ToxicPanda' Targets Users with Fraudulent Money Transfers: A new Android banking malware strain called "ToxicPanda" has infected over 1,500 devices, enabling fraudulent banking transactions via account takeover (ATO) using on-device fraud (ODF). Researchers believe it is the work of a Chinese-speaking actor, closely related to the TgToxic malware that targets crypto wallets. ToxicPanda is most active in Italy, with additional compromises in Portugal, Hong Kong, and other countries. The malware aims to bypass bank security measures and steal credentials, but is still in early stages of development. ToxicPanda shares several commands with TgToxic, suggesting it's the same threat actor or affiliates behind both campaigns.
  5. Winos 4.0 Malware Infects Gamers Through Malicious Game Optimization Apps: Cybersecurity researchers are warning about a malicious command-and-control framework called Winos 4.0, distributed through gaming-related apps like installation tools and optimization utilities. Rebuilt from Gh0st RAT, Winos 4.0 includes modular components for controlling online endpoints and executing further actions. Attacks were first documented in June, with the malware targeting Chinese-speaking users through SEO tactics, social media, and platforms like Telegram. The infection starts with a fake BMP file that decodes into a DLL, which then downloads additional payloads. The malware’s payloads include an executable and several DLL files.


Stay updated with "Cybersecurity News and Trends from Intelliroot." For the latest stories shaping the cybersecurity landscape, follow us on LinkedIn or visit our Cybersecurity News and Trends page.


Threat Feeds:

https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt

https://threatfeeds.io/

https://threatfox.abuse.ch/browse/

https://www.binarydefense.com/banlist.txt
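Feeds like these are only useful once they are parsed and matched against your own telemetry. The following is an added example (not code from the newsletter, from Intelliroot, or from any of the feed projects) that parses two feed layouts, the IPsum style of one IP per line followed by a tab-separated count of reporting blocklists, and the plain one-IP-per-line banlist style, merges them, and checks constructed firewall log lines against the result. The feed excerpts and log lines are constructed, the firewall log field `SRC=` is assumed for the illustration, and the score threshold is a tuning choice, not a value from the page.

```python
"""Added example (not part of the original newsletter): parse IP threat feeds of
two common layouts, merge them, and match firewall log lines against them.

Assumptions (constructed for the illustration):
  - IPsum-style feed: '#' comment lines, then "<ip><tab><number of blocklists>".
  - Banlist-style feed: '#' comment lines, then one IP per line, no score.
  - Firewall log lines carry the source address as "SRC=<ip>" (netfilter style).
"""
import ipaddress
import re

IPSUM_SAMPLE = """\
# IPsum-style feed (constructed excerpt, not real feed data)
# <ip>\t<number of blocklists reporting the address>
203.0.113.10\t7
198.51.100.25\t2
192.0.2.77\t4
not-an-ip\t9
"""

BANLIST_SAMPLE = """\
# banlist-style feed (constructed excerpt, one IP per line)
203.0.113.99
198.51.100.25
"""

# Constructed firewall log lines in a netfilter-like format.
FIREWALL_LOG = [
    "Nov 20 10:01:02 fw kernel: IN=eth0 SRC=203.0.113.10 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Nov 20 10:01:05 fw kernel: IN=eth0 SRC=198.51.100.25 DST=10.0.0.5 PROTO=TCP DPT=443",
    "Nov 20 10:01:09 fw kernel: IN=eth0 SRC=192.0.2.77 DST=10.0.0.7 PROTO=UDP DPT=53",
    "Nov 20 10:01:11 fw kernel: IN=eth0 SRC=203.0.113.99 DST=10.0.0.5 PROTO=TCP DPT=3389",
    "Nov 20 10:01:15 fw kernel: IN=eth1 SRC=10.0.0.8 DST=10.0.0.5 PROTO=TCP DPT=445",
    "Nov 20 10:01:20 fw sshd[123]: Accepted publickey for ops from 10.0.0.9",
]

SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_feed(text, default_score=1):
    """Return {ip: score}. Lines that are blank, comments, or not a valid IP are
    skipped; a feed without a score column gets `default_score` per entry."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))  # normalises the address
        except ValueError:
            continue  # malformed entry: ignore rather than abort the whole feed
        score = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else default_score
        entries[ip] = max(score, entries.get(ip, 0))
    return entries


def merge_feeds(*feeds):
    """Union of several {ip: score} maps, keeping the highest score per IP."""
    merged = {}
    for feed in feeds:
        for ip, score in feed.items():
            merged[ip] = max(score, merged.get(ip, 0))
    return merged


def match_log(lines, feed, min_score=3):
    """Return (ip, score, line) for each log line whose SRC address is in the
    feed with a score of at least `min_score`. The threshold exists because
    aggregated feeds mix lists of very different quality; a single low-quality
    listing is a poor reason to block on its own."""
    hits = []
    for line in lines:
        m = SRC_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        score = feed.get(ip)
        if score is not None and score >= min_score:
            hits.append((ip, score, line))
    return hits


if __name__ == "__main__":
    feed = merge_feeds(parse_feed(IPSUM_SAMPLE), parse_feed(BANLIST_SAMPLE))
    for ip, score, line in match_log(FIREWALL_LOG, feed):
        print(f"[score {score}] {ip}: {line}")
```

In a real pipeline the same functions would be fed the downloaded feed text and a log stream; the point of the score threshold is that a hit on an aggregated feed should raise an alert for review, with outright blocking reserved for addresses reported by several independent sources.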


