Here are the most relevant headlines of the week:
ESET researchers have discovered a new malware family, named CloudMensis, that backdoors macOS devices and exfiltrates information from them. One of its most notable features is its use of cloud storage services (pCloud, Yandex Disk and Dropbox) as its command and control (C2) channel.
A first-stage component that obtains administrator privileges on the target system downloads and executes a second stage that does the collection: screenshots, keystrokes, email attachments, documents and other sensitive data.
Kaspersky researchers have discovered Luna, a new ransomware family written in Rust that can encrypt systems running Windows, Linux and ESXi.
At this stage Luna appears to be simple ransomware still in development and, for the time being, limited to command-line options, according to Kaspersky's analysts. They nonetheless note that its encryption scheme is unusual.
Intezer researchers have found a new malware targeting Linux environments, which they have named Lightning Framework. Some details are still unknown, but several of its characteristics have been analysed: it installs itself on the victim's system through a downloader that fetches its remaining modules and plugins; it manipulates timestamps and process IDs to hide its artifacts; it establishes persistence through a script named "elastisearch"; and it opens a backdoor by running its own SSH server.
Cisco has released security patches for 45 vulnerabilities (3 critical, 1 high and 41 medium) affecting various products.
Atlassian has released a security update that fixes a critical hard-coded credentials vulnerability in Confluence Server and Data Center that could allow unauthenticated remote attackers to log in to vulnerable servers.
The hard-coded password belongs to an account with the username disabledsystemuser, which is created when the Questions for Confluence app (versions 2.7.34, 2.7.35 and 3.0.2) is installed.
Exploitation of the vulnerability, tracked as CVE-2022-26138, lets an attacker log in as that account and read any page that the confluence-users group can access.
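As an added triage example (this is not code from the page, from Atlassian or from the researchers cited above), the following Python scans Confluence access-log lines for activity attributed to the disabledsystemuser account and reports from where and when it was used. The account name and the three affected app versions are taken from the item above; the log-line layout, the sample lines, the IP addresses and the user agents are constructed assumptions for the example.

```python
import re
from datetime import datetime

# Account and app versions as reported for CVE-2022-26138 (from the item above).
HARDCODED_USER = "disabledsystemuser"
AFFECTED_QUESTIONS_VERSIONS = {"2.7.34", "2.7.35", "3.0.2"}

# ASSUMED layout of a Confluence Tomcat access-log line:
#   [time] username thread client-ip METHOD path HTTP/x status <ms>ms bytes referer user-agent
# where username is the authenticated user ("-" when the request was anonymous).
ACCESS_LINE = re.compile(
    r"^\[(?P<time>[^\]]+)\]\s+"
    r"(?P<user>\S+)\s+"
    r"(?P<thread>\S+)\s+"
    r"(?P<ip>\S+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+HTTP/[\d.]+\s+"
    r"(?P<status>\d{3})\s+"
    r"(?P<ms>\d+)ms\s+"
    r"(?P<bytes>\S+)\s+"
    r"(?P<referer>\S+)\s+"
    r"(?P<agent>.*)$"
)

# Constructed sample log: one anonymous request, three requests by the hard-coded
# account (a form login followed by REST reads from two source IPs), one normal user
# and one line that is not in the expected format.
SAMPLE_LOG = """\
[21/Jul/2022:10:11:58 +0000] - http-nio-8090-exec-3 203.0.113.7 GET /login.action HTTP/1.1 200 12ms 8211 - python-requests/2.28.1
[21/Jul/2022:10:12:03 +0000] disabledsystemuser http-nio-8090-exec-5 203.0.113.7 POST /dologin.action HTTP/1.1 302 43ms 0 - python-requests/2.28.1
[21/Jul/2022:10:12:04 +0000] disabledsystemuser http-nio-8090-exec-5 203.0.113.7 GET /rest/api/content?limit=100 HTTP/1.1 200 88ms 15209 - python-requests/2.28.1
[21/Jul/2022:10:14:30 +0000] alice http-nio-8090-exec-1 198.51.100.22 GET /dashboard.action HTTP/1.1 200 35ms 30122 - Mozilla/5.0
[21/Jul/2022:10:15:01 +0000] disabledsystemuser http-nio-8090-exec-2 203.0.113.9 GET /rest/api/content/search?cql=type%3Dpage HTTP/1.1 200 120ms 40011 - curl/7.84.0
not a log line
"""


def is_affected_questions_version(version: str) -> bool:
    """True if the installed Questions for Confluence version is one that creates the account."""
    return version.strip() in AFFECTED_QUESTIONS_VERSIONS


def parse_access_line(line: str):
    """Parse one access-log line into a dict, or return None if it does not match the layout."""
    m = ACCESS_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def triage_hardcoded_account(lines, username: str = HARDCODED_USER):
    """Return every request attributed to the hard-coded account, flagging completed form logins.

    A POST to /dologin.action answered with a redirect is a successful form login; any other
    request carrying this username means an authenticated session (or basic auth) already exists,
    so both kinds are evidence that the account is in use and should be reported.
    """
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or rec["user"] != username:
            continue
        form_login = rec["method"] == "POST" and rec["path"].startswith("/dologin.action")
        hits.append({
            "time": rec["time"].isoformat(),
            "ip": rec["ip"],
            "request": f'{rec["method"]} {rec["path"]}',
            "status": rec["status"],
            "login": form_login and rec["status"] in (302, 303),
            "agent": rec["agent"],
        })
    return hits


def source_ips(hits):
    """Distinct client IPs that used the account, for blocking and wider log searches."""
    return sorted({h["ip"] for h in hits})


if __name__ == "__main__":
    found = triage_hardcoded_account(SAMPLE_LOG.splitlines())
    for h in found:
        flag = "LOGIN" if h["login"] else "REQUEST"
        print(f'{h["time"]} {flag:7} {h["ip"]:15} {h["status"]} {h["request"]} ({h["agent"]})')
    print("source IPs:", ", ".join(source_ips(found)))
```

Because the account is a normal Confluence user, a single line with its name in the username field is enough to treat the server as compromised and to search the rest of the logs for the same source IPs; the version check only tells you whether the account is expected to exist at all.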