🚨 RomCom Exploits Firefox & Windows Zero-Days to Spread Malware 👾

Nov 29 2024



Welcome to Gone Phishing, your daily cybersecurity newsletter that’s as popular with hackers as Keir Starmer is with the British public 🙈🙈🙈 

Patch of the Week! 🩹

First things first, folks. Our weekly segment goes by many names. Patch of the Week, Tweak of the week. Okay, that’s it… 😳 

Congrats to WordPress, the cybercriminals are no match… for your patch! 🩹

Check out this freshly hatched patch 🐣

Stop the WordPresses 📰 

🚨 WordPress Security Alert! ⚠️ 

Two critical vulnerabilities (CVSS 9.8) in the Spam protection, Anti-Spam, and FireWall plugin by CleanTalk could let attackers install malicious plugins and even achieve remote code execution 💥.

🔓 Vulnerabilities:

  • CVE-2024-10542: Authorization bypass via DNS spoofing 🌐

  • CVE-2024-10781: API key bypass, allowing unauthorized plugin installations 🔑

These flaws affect versions up to 6.44. The plugin is installed on 200,000+ WordPress sites 📊.

💡 Threats:

Install/activate vulnerable plugins

Execute malicious code 🐍

Redirect visitors, steal admin credentials, and inject malware 🛡️

🔥 Action Required:

Update to version 6.45 or later immediately to secure your site and block potential attacks! 🚀

Stay safe! 🌐✨
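The first CVE above is described as an authorization bypass via DNS spoofing. A classic way that kind of bug happens is when code trusts a reverse (PTR) lookup on its own: whoever controls the reverse zone for an IP can make it "resolve" to any hostname they like. The example below is added for this newsletter and is not the plugin's code, and it makes no claim about how the plugin's own check was written; it simply shows the weak PTR-only check next to a forward-confirmed reverse DNS (FCrDNS) check, using a constructed in-memory resolver and a placeholder trusted domain (`example-vendor.net`) so it runs offline.

```python
"""
PTR-only trust vs. forward-confirmed reverse DNS (FCrDNS).

FCrDNS takes each hostname returned by the reverse lookup, resolves it
forward again, and only accepts the match if that forward answer
contains the original IP. An attacker can control the PTR for their
own IP, but not the A/AAAA records of the vendor's domain.
"""
from __future__ import annotations

import ipaddress
from typing import Callable

# Constructed placeholder; not the vendor domain from the advisory.
TRUSTED_SUFFIXES = (".example-vendor.net",)

ReverseLookup = Callable[[str], list[str]]  # ip -> PTR hostnames
ForwardLookup = Callable[[str], list[str]]  # hostname -> A/AAAA addresses


def _hostname_trusted(hostname: str) -> bool:
    """Exact or subdomain match on a trusted suffix; 'evil-example-vendor.net'
    and 'example-vendor.net.attacker.com' must both fail."""
    h = hostname.rstrip(".").lower()
    return any(h == s.lstrip(".") or h.endswith(s) for s in TRUSTED_SUFFIXES)


def ptr_only_check(ip: str, reverse: ReverseLookup) -> bool:
    """WEAK: trusts whatever the reverse zone says about the client IP."""
    return any(_hostname_trusted(h) for h in reverse(ip))


def fcrdns_check(ip: str, reverse: ReverseLookup, forward: ForwardLookup) -> bool:
    """Accept only if a trusted PTR name resolves forward back to this IP."""
    ip_obj = ipaddress.ip_address(ip)
    for hostname in reverse(ip):
        if not _hostname_trusted(hostname):
            continue
        try:
            forward_ips = {ipaddress.ip_address(a) for a in forward(hostname)}
        except ValueError:  # resolver returned something that is not an IP
            continue
        if ip_obj in forward_ips:
            return True
    return False


# --- constructed fake DNS data so the example runs offline ---------------
PTR_RECORDS = {
    "198.51.100.10": ["api.example-vendor.net"],  # genuine vendor host
    "203.0.113.7": ["api.example-vendor.net"],    # attacker-controlled reverse zone
}
A_RECORDS = {
    "api.example-vendor.net": ["198.51.100.10"],  # vendor's real forward record
}


def fake_reverse(ip: str) -> list[str]:
    return PTR_RECORDS.get(ip, [])


def fake_forward(hostname: str) -> list[str]:
    return A_RECORDS.get(hostname.rstrip(".").lower(), [])


def demo() -> dict[str, bool]:
    """Compare both checks on a genuine and a spoofed client IP."""
    return {
        "legit_ptr_only": ptr_only_check("198.51.100.10", fake_reverse),
        "spoof_ptr_only": ptr_only_check("203.0.113.7", fake_reverse),
        "legit_fcrdns": fcrdns_check("198.51.100.10", fake_reverse, fake_forward),
        "spoof_fcrdns": fcrdns_check("203.0.113.7", fake_reverse, fake_forward),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'trusted' if ok else 'rejected'}")
```

In a real deployment the two lookup callables would wrap `socket.gethostbyaddr` and `socket.getaddrinfo` (or a dnspython resolver); the point of passing them in is that the authorization logic can be unit-tested against spoofed answers without touching live DNS. Even FCrDNS is only a sanity check, not a credential: a request that needs to be trusted should also carry a secret that cannot be derived from DNS at all.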

Now, on to this week’s hottest cybersecurity news stories: 

  • 💔 RomCom breaks the hearts of Firefox & Windows users 👾

  • 🌉 GLASSBRIDGE is a pro-China fake news network, says Google 🌐

  • 🦹‍♂️ Introducing HATVIBE & CHERRYSPY, the latest in Russian hackery 👨🏻‍💻

Hugh Grants them these names? 🍿🎥💘👀😉

🚨 RomCom Exploits Firefox & Windows Zero-Days to Spread Malware 👾

The Russia-linked hacker group RomCom has been caught exploiting two critical zero-day vulnerabilities to sneak its RomCom RAT backdoor into victims' systems without any clicks or interaction.

💥 The Vulnerabilities:

  • CVE-2024-9680 (🔥 9.8 CVSS) – A Firefox bug that lets hackers execute code remotely.

  • CVE-2024-49039 (⚡ 8.8 CVSS) – A flaw in Windows Task Scheduler that grants admin privileges.

🕵️ How It Works:

Hackers set up a fake website, economistjournal[.]cloud. Victims using outdated Firefox versions are automatically hit by the exploit, leading to a chain reaction:

💣 Firefox sandbox escape ➡️ Windows privilege escalation ➡️ RomCom RAT installed.

🌍 Who’s Affected? 

Mostly users in Europe and North America who unknowingly visited the booby-trapped site. 

🔐 Stay Safe:

✔️ Update Firefox & Windows now!

✔️ Watch out for suspicious websites or links.

✔️ Use strong security tools to spot weird activity.

"This zero-click exploit shows RomCom’s skill and determination to stay hidden and strike hard," warn cybersecurity experts.

Stay alert! 🛡️


Those in GLASSBRIDGEs… 😏

🚨 China-Backed Hacker Group Storm-2077 Targets U.S. Agencies 🎯

A newly identified Chinese state-sponsored threat actor, Storm-2077, is targeting U.S. government agencies and NGOs, with global attacks extending to industries like defense, aviation, telecom, and finance.

🎯 How They Attack:

💥 Exploit internet-facing devices using public vulnerabilities.

💻 Deploy Cobalt Strike and open-source malware like Pantegana and Spark RAT.

✉️ Use phishing emails to steal credentials and access sensitive data, including emails via cloud environments.

🔍 Why It Matters:

Storm-2077 isn’t just after data—it’s targeting critical infrastructure and sensitive communications that could advance espionage and sabotage efforts.

📰 Fake News Sites & Influence Operations

Meanwhile, Google flagged a pro-China propaganda network called GLASSBRIDGE, using fake news sites to spread pro-Beijing narratives.

🕵️ Fake PR firms like Shanghai Haixun Technology and Shenzhen Bowen Media disguise themselves as independent media outlets, planting content across subdomains of legitimate news sites.

⚠️ What You Can Do:

✔️ Update and secure internet-facing devices.

✔️ Be vigilant about phishing emails and suspicious links.

✔️ Verify news sources, especially content on unfamiliar subdomains. 

"Storm-2077 is the latest in a long line of advanced Chinese threat actors using evolving tactics to remain undetected," warns Microsoft. Stay alert and secure! 🔐


It’s the CHERRY 🍒 on the HAT 🎩 #hatvibes 💀

🚨 Russian-Linked Hackers Launch Espionage Campaign 🌍

Threat actors tied to Russia, tracked as TAG-110, are targeting government agencies, human rights organizations, and educational institutions in Central Asia, East Asia, and Europe. This group overlaps with Ukraine's UAC-0063, linked to APT28 (Fancy Bear), a notorious Russian cyber-espionage crew.

🛠️ Tools of the Trade:

🎩 HATVIBE: A custom loader that delivers… 

🍒 CHERRYSPY: A Python-based backdoor used for data theft and espionage.

🎯 Target Regions:

  • Central Asia: Tajikistan, Kyrgyzstan, Kazakhstan, Turkmenistan, Uzbekistan. 

  • Other Hotspots: Armenia, China, Hungary, India, Greece, and Ukraine. 

📊 Over 62 victims across 11 countries have been identified, with a primary focus on Central Asia—likely to gather intel that supports Russia’s geopolitical ambitions.

🔍 How They Attack: 

⚙️ Exploit vulnerabilities in public-facing web apps like Rejetto HTTP File Server.

✉️ Use phishing emails to deploy HATVIBE, which then loads CHERRYSPY for spying.

🛡️ Broader Objectives:

TAG-110's actions align with Russia's ongoing strategy to:

🕵️ Gather intelligence on geopolitical developments.

🔌 Sabotage European critical infrastructure in NATO countries like Estonia, Finland, and Poland to destabilize Western alliances.

💣 Complement cyberattacks with physical sabotage as part of Russia's hybrid warfare doctrine, without directly provoking war with NATO. 

"These calculated attacks are designed to weaken NATO and maintain Russian influence in post-Soviet states," says Recorded Future. Expect increased aggression as tensions between Russia and the West continue to escalate. 🚨

🗞️ Extra, Extra! Read all about it! 🗞️

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • 🛡️ Tl;dr sec: Join 30,000+ security professionals getting the best tools, blog posts, talks, and resources right in their inbox for free every Thursday 📅

  • 💵Crypto Pragmatist: Crypto made simple. Actionable alpha in 5 minutes, 3x a week. Join 47,000+ investors and insiders, for 🆓

  • 📈Bitcoin Breakdown: The best in Bitcoin, carefully curated by an alien from the future 👾

Let us know what you think.

So long and thanks for reading all the phish!
