Cybersecurity firm Arctic Wolf has disclosed details of an ongoing cyber campaign targeting Fortinet FortiGate firewall devices with exposed management interfaces on the public internet.
Fortinet confirmed the exploitation of this zero-day vulnerability after cybersecurity researchers from Arctic Wolf observed mass exploitation campaigns targeting publicly exposed Fortinet firewalls since November 2024.
A critical 7-Zip zero-day exploit has allegedly been leaked by an individual operating under the alias “NSA_Employee39” on X. The exploit reportedly allows attackers to execute arbitrary code on a victim’s machine when the exploit file is opened or extracted with the latest version of 7-Zip.
This disclosure poses significant cybersecurity risks, particularly in the context of Infostealer malware proliferation and potential supply chain attack vectors.
Cybersecurity researchers have discovered several security flaws in the cloud management platform developed by Ruijie Networks that could permit an attacker to take control of the network appliances.
"These vulnerabilities affect both the Reyee platform, as well as Reyee OS network devices," Claroty researchers Noam Moshe and Tomer Goldschmidt said in a recent analysis. "The vulnerabilities, if exploited, could allow a malicious attacker to execute code on any cloud-enabled device, giving them the ability to control tens of thousands of devices."
A Serbian journalist had his phone first unlocked by a Cellebrite tool and subsequently compromised by a previously undocumented spyware codenamed NoviSpy, according to a new report published by Amnesty International.
"NoviSpy allows for capturing sensitive personal data from a target's phone after infection and provides the ability to turn on the phone's microphone or camera remotely," the company said in an 87-page technical report.
An analysis of forensic evidence points to the spyware installation occurring when the phone belonging to independent journalist Slaviša Milanov was in the hands of the Serbian police during his detention in early 2024.
Some of the other targets included youth activist Nikola Ristić, environmental activist Ivan Milosavljević Buki, and an unnamed activist from Krokodil, a Belgrade-based organization promoting dialogue and reconciliation in the Western Balkans.
The development marks one of the first known instances where two disparate highly invasive technologies were used in combination to facilitate snooping and the exfiltration of sensitive data.
NoviSpy, in particular, is engineered to harvest various kinds of information from compromised phones, including screenshots of all actions on the phone, targets' locations, audio and microphone recordings, files, and photos. It's installed using the Android Debug Bridge (adb) command-line utility and manifests in the form of two applications -
Exactly who developed NoviSpy is currently not known, although Amnesty told 404 Media that it could have either been built in-house by Serbian authorities or acquired from a third-party. Development of the spyware is said to have been ongoing since at least 2018.
"Together, these tools provide the state with an enormous capability to gather data both covertly, as in the case of spyware, and overtly, through the unlawful and illegitimate use of Cellebrite mobile phone extraction technology," Amnesty International noted.
The non-governmental organization further noted that the Serbian Security Information Agency (BIA) has been publicly linked to the procurement of spyware tools since at least 2014, using various offerings such as FinFisher's FinSpy, Intellexa's Predator, and NSO Group's Pegasus to covertly spy on protest organizers, journalists and civil society leaders.
In a statement shared with the Associated Press, Serbia's police characterized the report as "absolutely incorrect" and said that "the forensic tool is used in the same way by other police forces around the world."
Responding to the findings, Israeli company Cellebrite said it's investigating the claims of misuse of its tools and that it would take appropriate measures, including terminating its relationship with relevant agencies, if they are found to be in violation of its end-user agreement.
In tandem, the research also uncovered a zero-day privilege escalation exploit used by Cellebrite's universal forensic extraction device (UFED) – a software/system that allows law enforcement agencies to unlock and gain access to data stored on mobile phones – to gain elevated access to a Serbian activist's device.
The vulnerability, tracked as CVE-2024-43047 (CVSS score: 7.8), is a use-after-free bug in Qualcomm's Digital Signal Processor (DSP) Service (adsprpc) that could lead to "memory corruption while maintaining memory maps of HLOS memory." It was patched by the chipmaker in October 2024.
Google, which initiated a "broader code review process" following the receipt of kernel panic logs generated by the in-the-wild (ITW) exploit earlier this year, said it discovered a total of six vulnerabilities in the adsprpc driver, including CVE-2024-43047.
"Chipset drivers for Android are a promising target for attackers, and this ITW exploit represents a meaningful real-world example of the negative ramifications that the current third-party vendor driver security posture poses to end-users," Seth Jenkins of Google Project Zero said.
"A system's cybersecurity is only as strong as its weakest link, and chipset/GPU drivers represent one of the weakest links for privilege separation on Android in 2024."
The development comes as the European arm of the Center for Democracy and Technology (CDT), alongside other civil society organizations such as Access Now and Amnesty International, sent a letter to the Polish Presidency of the Council of the European Union, calling for prioritizing action against abuse of commercial surveillance tools.
It also follows a recent report from Lookout about how law enforcement authorities in Mainland China are using a lawful intercept tool codenamed EagleMsgSpy to gather a wide range of information from mobile devices after having gained physical access to them.
Earlier this month, the Citizen Lab further revealed that the Russian government detained a man for donating money to Ukraine and implanted spyware, a trojanized version of a call recorder app, on his Android phone before releasing him.
via thehackernews
The Russia-linked advanced persistent threat (APT) group known as Turla has been linked to a previously undocumented campaign that involved ...
At SC24, we got to see the newly announced Google Cloud TPU v6e Trillium board without its heatsinks. This is one of the newer chips at Google and one that is part of the ct6e-standard / v6e instances meant for AI workloads.
Proxmox has gained tremendous popularity in 2024. So many home lab enthusiasts, SMBs, and enterprise environments are looking at their opti...
Palo Alto Networks has released new indicators of compromise (IoCs) a day after the network security vendor confirmed that a new zero-day vulnerability impacting its PAN-OS firewall management interface has been actively exploited in the wild.
To that end, the company said it observed malicious activity originating from the IP addresses below and targeting PAN-OS management web interface IP addresses that are accessible over the internet -
Higher speeds, more bandwidth and lower latencies – gamers can take advantage of the latest technology thanks to Intel’s new Killer Wi-Fi modules. We show the advantages of the new Wi-Fi 7 standard for your gaming experience with the Killer BE1750x module in combination with a Wi-Fi 7 router.
Often abbreviated to RHEL, Red Hat Enterprise Linux has just reached version number 9.5 after 24 years on the market. While continuing to provide fast, reliable, and affordable software services to enterprises, the latest update comes with improved file management capabilities, multiple package updates, and more.