In this week's report, a recent analysis by Trend Micro has raised alarm bells in Latin America over a new wave of attacks by the Mekotio banking Trojan. This malware, active since 2015, has renewed its activity, targeting mainly Brazil, Chile and Mexico. Using phishing emails posing as urgent tax notices, Mekotio tricks victims into opening malicious attachments or links, allowing it to infiltrate systems and exfiltrate sensitive data.
Eldorado ransomware has intensified its activity with new attacks on companies, operating under the Ransomware-as-a-Service (RaaS) model. This criminal business has evolved into a sophisticated, company-like operation in which operators recruit affiliates to perform specific roles within the network. Between 2022 and 2023, Group-IB threat intelligence analysts identified a significant increase in advertisements for RaaS programs on dark web forums.
Hackers are exploiting CVE-2024-21412, a security feature bypass in Microsoft Defender SmartScreen, the Windows component that warns users about malicious websites and untrusted downloads. Cyble researchers found that cybercriminals are using this vulnerability to deploy malware. Although Microsoft patched it in February 2024, groups such as Water Hydra continue to exploit systems that have not received the update, bypassing SmartScreen warnings to spread malware including the DarkMe RAT and Meduza Stealer. Continued exploitation depends entirely on the February patch not being applied, so patch status is the first thing to check.
A serious vulnerability, identified as CVE-2024-36401, has been discovered in GeoServer, an open source platform used to manage and share geospatial data. This flaw allows unauthenticated attackers to execute arbitrary code on affected servers, compromising the server itself and the mapping and location data it hosts. The issue arises because the GeoTools library API evaluates property names as expressions in an unsafe way, and GeoServer passes property names from multiple OGC request parameters straight into that API, so a crafted request can turn a supposed attribute name into code. Fixed releases are GeoServer 2.23.6, 2.24.4 and 2.25.2.
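To make the mechanism concrete, here is an added log-triage example (written for this digest, not code from GeoServer, GeoTools or the researchers cited). It scans constructed web-server access-log lines for OGC requests in which a property-name parameter carries function-call or Java class syntax instead of a plain attribute name, which is the shape an abuse of this flaw takes. The sample log lines are made up, and the set of parameters checked is an assumption chosen for illustration, not an exhaustive list from the advisory.

```python
"""Triage of constructed access-log lines for CVE-2024-36401-style
property-name expression injection against GeoServer.

Assumptions (not from the original advisory): the parameter names below are a
representative subset of the places GeoServer accepts property names, and the
sample log lines are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameters whose values should be plain property names (assumption: representative,
# not exhaustive). Filter parameters such as CQL_FILTER legitimately contain
# function calls and need their own handling, so they are deliberately excluded.
PROPERTY_NAME_PARAMS = {"propertyname", "valuereference", "sortby"}

# A plain property name (e.g. STATE_NAME, topp:STATE_NAME, gml:name) never contains
# a function call or a Java class reference.
SUSPICIOUS = re.compile(r"\w+\s*\(|java\.lang\.", re.IGNORECASE)

# Request line as it appears in a common access-log format: "METHOD target HTTP/x.y"
REQUEST_LINE = re.compile(r'"(GET|POST|PUT|HEAD) (\S+) HTTP/')

# Constructed sample log: one crafted request, one benign request, one POST whose
# body (and therefore any injected property name) is not visible in an access log.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jul/2024:10:01:02 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=2.0.0&request=GetPropertyValue&typeNames=topp:states'
    '&valueReference=exec(java.lang.Runtime.getRuntime(),%27exec%27,%27id%27) HTTP/1.1" 200 512',
    '10.0.0.6 - - [12/Jul/2024:10:02:10 +0000] "GET /geoserver/wfs?service=WFS'
    '&version=2.0.0&request=GetFeature&typeNames=topp:states&propertyName=STATE_NAME HTTP/1.1" 200 9210',
    '10.0.0.7 - - [12/Jul/2024:10:03:44 +0000] "POST /geoserver/wfs HTTP/1.1" 200 120',
]


def find_expression_injection(request_target):
    """Return [(param, decoded_value)] for property-name parameters whose value
    looks like an expression rather than an attribute name."""
    query = urlsplit(request_target).query
    hits = []
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.lower() not in PROPERTY_NAME_PARAMS:
            continue
        for value in values:  # parse_qs already percent-decodes the value
            if SUSPICIOUS.search(value):
                hits.append((key, value))
    return hits


def triage_access_log(lines):
    """Return one finding per suspicious parameter across the given log lines.

    Note the blind spot: POST bodies are not logged, so XML-bodied requests
    carrying the same payload are invisible here and need WAF or proxy logging.
    """
    findings = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        method, target = match.group(1), match.group(2)
        for param, value in find_expression_injection(target):
            findings.append({
                "client": line.split()[0],
                "method": method,
                "param": param,
                "value": value,
            })
    return findings


if __name__ == "__main__":
    for finding in triage_access_log(SAMPLE_LOG):
        print(f"{finding['client']} {finding['method']} {finding['param']}={finding['value']!r}")
```

Run against the constructed sample, the triage flags only the first line (client 10.0.0.5, parameter valueReference). The benign GetFeature request is ignored because STATE_NAME contains no call syntax, and the POST is a reminder that request bodies need a separate log source.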
Two vulnerabilities, CVE-2024-38080 and CVE-2024-38112, have been identified and are being actively exploited; both were fixed in Microsoft's July 2024 security update. CVE-2024-38080 is an integer overflow in Hyper-V, the native Windows hypervisor, that lets an attacker who already has local access elevate to SYSTEM privileges on the host machine. CVE-2024-38112, by contrast, is a spoofing vulnerability in the Windows MSHTML platform: it is triggered when a victim opens a specially crafted file and has been used in the wild to achieve arbitrary code execution.