Weekly summary of cyberattacks - January 3rd to 8th
New variants of Eagerbee malware detected targeting governments and ISPs in the Middle East
Security researchers have identified new variants of the Eagerbee malware in attacks against government organizations and internet service providers (ISPs) in the Middle East. The backdoor was previously linked to China-aligned actors, including the activity tracked as 'Crimson Palace'; a possible connection to the 'CoughingDown' group is now suggested on the basis of code similarities and overlapping IP addresses. The initial access vector in these attacks has not been confirmed, although earlier intrusions exploited the ProxyLogon vulnerability (CVE-2021-26855) in Microsoft Exchange. The malware deploys a backdoor configured to run persistently, 24/7, on compromised systems. It communicates with command-and-control (C2) servers to receive plugins that provide file management, remote access, service manipulation and network monitoring capabilities. Researchers recommend patching exposed systems, Exchange servers in particular, and using the published indicators of compromise to hunt for the threat.
Vulnerabilities in DNA sequencers put biomedical security at risk
Researchers at Eclypsium have found serious BIOS/UEFI vulnerabilities in Illumina's iSeq 100 DNA sequencer, a widely used genomic sequencing instrument. The device ships with outdated firmware that lacks basic protections such as Secure Boot, so nothing prevents an attacker who gains code execution on the device from modifying the firmware or disabling the system. The problem is compounded by the use of generic off-the-shelf hardware in the supply chain, which exposes other medical devices built the same way to similar risks. The iSeq 100 runs an older version of Windows 10 and is exposed to privilege escalation and firmware implant attacks, a technique attackers use to keep access that survives reinstalling the operating system or to render the device unusable. Although Illumina previously fixed a remote code execution vulnerability, the firmware protections remain weak, raising the risk of disruption to critical services that depend on sequencing, such as vaccine production and the detection of genetic diseases.
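The first check a practitioner would run on a device like this is whether the firmware is enforcing Secure Boot at all. The script below is an added example, not code from the original summary, from Eclypsium or from Illumina. It reads the SecureBoot and SetupMode UEFI variables through efivarfs on Linux and the registry mirror Windows keeps of the same state; the efivarfs layout and registry path are standard, while the verdict strings and the function names are my own.

```python
"""Report whether this system booted with UEFI Secure Boot enabled.

Added example, not code from the original summary, from Eclypsium or from
Illumina. It reads the firmware state the OS exposes; it does not inspect
the firmware image itself.
Linux: efivarfs exposes each UEFI variable as a file whose content is a
4-byte little-endian attribute word followed by the variable data; for
SecureBoot and SetupMode the data is a single byte (1 = on).
Windows: the state is mirrored in the registry value
HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\State\\UEFISecureBootEnabled.
"""
import os
import platform

EFI_GLOBAL_VARIABLE_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS_DIR = "/sys/firmware/efi/efivars"


def parse_efivar_flag(raw: bytes):
    """Decode a one-byte boolean UEFI variable as read from efivarfs.

    Returns True/False, or None if the content is shorter than the
    4 attribute bytes plus 1 data byte (treat as unknown, never as on).
    """
    if len(raw) < 5:
        return None
    return raw[4] == 1


def assess(secure_boot, setup_mode) -> str:
    """Combine the two variables into a verdict (my own strings).

    Per the UEFI spec the platform only enforces signatures when
    SetupMode is 0 and SecureBoot is 1, so SetupMode wins.
    """
    if secure_boot is None:
        return "unknown"        # legacy BIOS boot or variable unreadable
    if setup_mode:
        return "setup-mode"     # no Platform Key enrolled: nothing is enforced
    if not secure_boot:
        return "disabled"       # the iSeq 100 finding: no enforcement at all
    return "enabled"


def read_efivar(name: str):
    """Decoded flag for a global-scope UEFI variable on Linux, or None."""
    path = os.path.join(EFIVARS_DIR, f"{name}-{EFI_GLOBAL_VARIABLE_GUID}")
    try:
        with open(path, "rb") as fh:
            return parse_efivar_flag(fh.read())
    except OSError:             # efivarfs not mounted, or variable absent
        return None


def check_linux() -> str:
    if not os.path.isdir("/sys/firmware/efi"):
        return "unknown"        # booted via legacy BIOS/CSM: Secure Boot cannot apply
    return assess(read_efivar("SecureBoot"), read_efivar("SetupMode"))


def check_windows() -> str:
    import winreg               # only importable on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                            r"SYSTEM\CurrentControlSet\Control\SecureBoot\State") as key:
            value, _ = winreg.QueryValueEx(key, "UEFISecureBootEnabled")
    except OSError:
        return "unknown"
    # Windows does not mirror SetupMode here; Confirm-SecureBootUEFI in
    # PowerShell reports the same bit.
    return assess(bool(value), False)


def check_host() -> str:
    """Dispatch on the running OS; anything else reports unknown."""
    return check_windows() if platform.system() == "Windows" else check_linux()


if __name__ == "__main__":
    print(f"Secure Boot: {check_host()}")
```

A result of "disabled" or "setup-mode" on an instrument that is supposed to be locked down is exactly the condition Eclypsium describes; "unknown" on a system that is known to be UEFI usually means efivarfs is not mounted or the script lacks permission, not that the check is clean.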
More than 3 million email servers without TLS encryption exposed to cyber-attacks
More than 3 million email servers offering POP3 and IMAP without TLS encryption are exposed to interception attacks. Both protocols let users read their mailboxes from different devices, but without TLS the credentials and messages they carry travel in clear text, so anyone on the network path can read them. The Shadowserver Foundation identified the exposed hosts in its internet-wide scans and has begun notifying the administrators of affected servers, recommending that they enable TLS, either implicit TLS on ports 995 (POP3S) and 993 (IMAPS) or STARTTLS on the plaintext ports, and stop accepting logins over unencrypted connections. Without it, users are exposed to password theft by network sniffing and to the account takeover that follows.
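What Shadowserver's scan is measuring is whether a server will take a login before any TLS is in place. The script below is an added example, not part of the original summary and not Shadowserver's scanner: the offline functions classify a server's capability reply (no STARTTLS at all, STARTTLS offered but plaintext login still allowed, or STARTTLS required via LOGINDISABLED), and probe() runs that classification against a host you name. The sample replies are constructed, the placeholder hostname is not a real server, and the verdict strings are my own.

```python
"""Classify whether a POP3/IMAP server offers TLS before accepting a login.

Added example; not part of the original summary and not Shadowserver's
scanner. The offline functions parse a capability reply; probe() connects
to a host you name and feeds the reply to them.
"""
import socket
import ssl

# Constructed sample replies modelled on RFC 2449 (POP3 CAPA) and RFC 3501 /
# RFC 2595 (IMAP CAPABILITY, STARTTLS, LOGINDISABLED). Not real captures.
POP3_CAPA_STLS = "+OK Capability list follows\r\nTOP\r\nUSER\r\nSTLS\r\nUIDL\r\n.\r\n"
POP3_CAPA_PLAIN = "+OK Capability list follows\r\nTOP\r\nUSER\r\nUIDL\r\n.\r\n"
POP3_NO_CAPA = "-ERR unknown command\r\n"
IMAP_CAP_REQUIRED = "* OK ready\r\n* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED\r\na1 OK done\r\n"
IMAP_CAP_OPTIONAL = "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN] ready\r\n"
IMAP_CAP_PLAIN = "* OK ready\r\n* CAPABILITY IMAP4rev1 AUTH=PLAIN\r\na1 OK done\r\n"


def assess_pop3(capa_reply: str) -> str:
    """'starttls' if the CAPA reply lists STLS, otherwise 'no-starttls'.

    A server that rejects CAPA is classed no-starttls: it will still take
    USER/PASS in clear, and a client has no signal to do otherwise.
    """
    lines = capa_reply.split("\r\n")
    if not lines[0].startswith("+OK"):
        return "no-starttls"
    caps = {line.split()[0].upper() for line in lines[1:] if line.strip() and line != "."}
    return "starttls" if "STLS" in caps else "no-starttls"


def assess_imap(reply: str) -> str:
    """'no-starttls', 'starttls-optional' or 'starttls-required'.

    STARTTLS alone still lets a client send LOGIN in clear; only
    LOGINDISABLED (RFC 2595) says the server will refuse it until TLS is up.
    """
    caps = set()
    for line in reply.split("\r\n"):
        up = line.upper()
        if up.startswith("* CAPABILITY"):
            caps.update(up.split()[2:])
        elif up.startswith("* OK [CAPABILITY"):          # capabilities in the greeting
            start = up.index("[CAPABILITY") + len("[CAPABILITY")
            caps.update(up[start:up.index("]", start)].split())
    if "STARTTLS" not in caps:
        return "no-starttls"
    return "starttls-required" if "LOGINDISABLED" in caps else "starttls-optional"


def _read_until(reader, is_last):
    """Collect CRLF-terminated lines until is_last(line) or the peer closes."""
    lines = []
    while True:
        line = reader.readline()
        if not line:
            break
        line = line.rstrip("\r\n")
        lines.append(line)
        if is_last(line):
            break
    return lines


def probe(host: str, port: int, proto: str, timeout: float = 5.0) -> str:
    """Connect in clear text, request capabilities, and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace")
        greeting = reader.readline().rstrip("\r\n")
        if proto == "pop3":
            sock.sendall(b"CAPA\r\n")
            lines = _read_until(reader, lambda l: l == "." or l.startswith("-ERR"))
            return assess_pop3("\r\n".join(lines) + "\r\n")
        sock.sendall(b"a1 CAPABILITY\r\n")
        lines = _read_until(reader, lambda l: l.startswith("a1 "))
        return assess_imap("\r\n".join([greeting, *lines]) + "\r\n")


def implicit_tls_ok(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TLS handshake succeeds on the implicit-TLS port (995 / 993)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host):
            return True
    except OSError:                 # refused, timed out, or handshake failed
        return False


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.invalid"   # placeholder
    for proto, plain_port, tls_port in (("pop3", 110, 995), ("imap", 143, 993)):
        try:
            print(proto, plain_port, probe(host, plain_port, proto))
        except OSError as exc:
            print(proto, plain_port, "unreachable:", exc)
        print(proto, tls_port, "implicit TLS" if implicit_tls_ok(host, tls_port) else "no implicit TLS")
```

A host that comes back "no-starttls" on 110 or 143 and "no implicit TLS" on 995 or 993 is the case Shadowserver is reporting. Note that "starttls-optional" is not a clean result either: the server will still accept a plaintext login from a client that does not negotiate TLS. On Dovecot, for example, `ssl = required` together with `disable_plaintext_auth = yes` closes that gap; other servers have equivalent settings.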
U.S. Army soldier arrested for Verizon and AT&T hacks
On December 20, Cameron John Wagenius, a 20-year-old U.S. Army soldier, was arrested in Texas and charged with unlawful transfer of confidential phone records information. He is alleged to have operated under the alias "Kiberphant0m" on Telegram and other platforms and to have leaked call records belonging to former President Donald Trump and Vice President Kamala Harris. Wagenius was allegedly involved in the "Snowflake" hacking campaign, which targeted customers of the cloud data platform Snowflake, alongside Connor Riley Moucka, who was arrested last October. He is also linked to the sale and distribution of stolen telecommunications data, including call records of U.S. government agencies and NSA data schematics, and to operating a botnet used for denial-of-service attacks. The indictment gives no further detail on his role in the Snowflake account intrusions.
Serious vulnerabilities in WordPress VibeBP plugin put websites at risk
CERT-In has warned of critical security flaws in the WordPress VibeBP plugin that expose sites to remote code execution (RCE), privilege escalation and SQL injection. The vulnerabilities allow unauthenticated or low-privileged users to obtain administrator access, after which an attacker can execute arbitrary code, manipulate the database and steal sensitive data. The agency recommends upgrading to version 1.9.9.7.7.7 or later, which adds stricter file upload controls, tighter privilege management and token validation on the affected requests. WordPress administrators should apply the update immediately, since a compromised site can suffer data loss that is difficult or impossible to reverse.