Apple recently released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have come under active exploitation according to Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group (TAG) who discovered the flaws.

Earth Kasha, a cyber threat group tracked by Trend Micro, has been active since 2019, leveraging the LODEINFO malware to target organizations in Japan.

The NSOCKS botnet, underpinned by the ngioweb malware, has emerged as a major player in the cybercrime ecosystem, driving criminal proxy services like VN5Socks and Shopsocks5.

CrowdStrike has identified a previously unknown Chinese cyber espionage group, Liminal Panda, which has been active since at least 2020 and is believed to be behind cyber intrusions targeting telecom providers.

According to Semperis' new report, 2024 Ransomware Holiday Risk, ransomware gangs often strike when defenses are the weakest. Semperis conducted a global study of 900 IT and security professionals.

Helldown, a ransomware strain derived from the leaked LockBit 3.0 codebase, has been expanding its operations, with researchers recently identifying a Linux variant. This development indicates the group's growing focus on targeting virtualized infrastructures, such as VMware. First documented in August 2024, Helldown has been described as an aggressive ransomware group targeting sectors like IT services, telecommunications, manufacturing, and healthcare.

Proofpoint has observed a significant rise in the use of the ClickFix social engineering technique, a deceptive method that tricks users into executing malicious PowerShell commands. Initially linked to campaigns by TA571 and the ClearFake threat cluster, the technique has now become a favorite across multiple financially motivated and espionage-focused threat actors.

In July 2024, the operational technology (OT)-centric malware FrostyGoop/BUSTLEBERM became publicly known, after attackers used it to disrupt energy infrastructure for over 600 apartment buildings, leaving people without heat for 2 days in Lviv in April 2024 due to an ICS attack on a municipal energy company.

Between November 13 and 14, 2023, researchers at Cyberint observed a significant increase in activity from the Akira ransomware group, which listed over 30 victims on its data leak site.

Today, as part of National Critical Infrastructure Security and Resilience Month, the National Counterintelligence and Security Center (NCSC) and the Cybersecurity and Infrastructure Security Agency (CISA) released new guidance to help detect and mitigate efforts by foreign intelligence entities to harm or disrupt U.S. critical infrastructure.

According to a blog post by Istvan Marton from Wordfence, over 4 million WordPress sites are exposed to a critical authentication bypass vulnerability in the Really Simple Security plugin for WordPress that can be leveraged to grant an unauthenticated adversary remote administrative access to vulnerable sites.

Palo Alto Networks is aware of active exploitation attempts in the wild leveraging an authentication bypass vulnerability impacting its PAN-OS firewall management interface.

In a recent analysis by Palo Alto Networks' Unit 42, a North Korean hacker group identified as CL-STA-0237 has been connected to a series of phishing attacks using the BeaverTail malware.

Over 1 million domains have been identified as potentially vulnerable to "Sitting Ducks" attacks, a cyber threat that exploits DNS misconfigurations, particularly lame delegation. This misconfiguration occurs when domains mistakenly point to incorrect authoritative name servers, allowing attackers to hijack domains.

Cisco Talos uncovered a new information-stealing campaign orchestrated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia. The campaign leverages a novel Python-based malware dubbed PXA Stealer, designed to exfiltrate sensitive data from victims' systems.

SentinelOne's recent report, The State of Cloud Ransomware in 2024, highlights an increasing trend in ransomware actors exploiting cloud services to directly compromise their victims or exfiltrate sensitive data.

Modern communications networks, particularly those driven by 5G technology, are increasingly relying on Artificial Intelligence (AI) to boost performance, improve reliability, and ensure security. As these networks evolve, AI plays an essential role in real-time data processing, predictive maintenance, and optimizing traffic management.

Global Navigation Satellite Systems (GNSS), which include the U.S. GPS, Russian GLONASS, European Galileo, Chinese BeiDou, Indian NavIC, and Japanese Quazi-Zenith, serve as critical infrastructure providing essential positioning, navigation, and timing (PNT) services for a wide array of industries such as telecommunications, agriculture, finance, banking, transportation, and mobile communications.

On November 14, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation of two critical vulnerabilities in Palo Alto Networks' Expedition firewall configuration migration tool: CVE-2024-9463 and CVE-2024-9465. These vulnerabilities, with CVSS scores of 9.9 and 9.3 respectively, pose significant risks to affected systems.

On Tuesday, Microsoft released a security patch for a NTLM hash disclosure spoofing vulnerability (CVE-2024-43451) that could exploited to steal a user's NTLMv2 hash. The vulnerability requires minimal user interaction and is exploited by generating a malicious URL file that can be activated through seemingly harmless actions.

The Hamas-affiliated threat group WIRTE, part of the Gaza Cyber Gang, has escalated its cyber operations, moving from espionage to destructive attacks aimed at Israeli entities. According to Check Point, this shift reflects WIRTE's use of recent geopolitical events, specifically the Israel-Hamas conflict, to craft targeted cyber campaigns.

In November 2024, IBM X-Force observed an ongoing Hive0145 campaign targeting Europe, specifically Spain, Germany, and Ukraine using Strela Stealer malware, a credential-theft tool delivered through highly tailored phishing emails. These emails, posing as legitimate invoice notifications, utilize previously compromised email credentials to blend seamlessly into legitimate email traffic.

CISA and the FBI released a joint statement on November 13, 2024, confirming that PRC-affiliated threat actors have compromised the "private communications" of a "limited number" of government officials after breaching multiple U.S. broadband providers in a broad and significant cyber espionage campaign.

SlashNext researchers recently uncovered a new phishing tool called GoIssue, which allows threat actors to extract email addresses from GitHub profiles and send bulk emails to users. Advertised on cybercriminal forums, GoIssue is priced at $700 for a custom build or $3,000 for full source code access.

Iranian threat actor TA455, affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), has been conducting a sophisticated cyber espionage campaign that mirrors North Korea's “Dream Job” tactic.

Romanian cybersecurity company Bitdefender has developed a free decryptor for ShrinkLocker ransomware victims, offering a way to recover data encrypted by the malware. This decryptor was created after Bitdefender analyzed ShrinkLocker's mechanisms and identified a recovery opportunity right after the removal of BitLocker protectors.

Perception Point researchers published a blog post on November 11, 2024, regarding an observed dramatic increase in two-step phishing attacks targeting hundreds of organizations by leveraging Microsoft Visio's .vsdx files. By weaponizing .vsdx files rarely used in phishing attacks, the adversary exploits user trust in the reputation of Microsoft and concurrently adds a new layer of deception designed to evade detection.

According to a recent report by Group-IB, the Lazarus APT group has started attempting to smuggle code utilizing custom extended attributes, which are metadata associated with files and folders in various file systems. Extended attributes allow users to store additional information beyond standard metadata like file size, timestamps, and permissions.

The US government's Consumer Financial Protection Bureau (CFPB) has advised employees to avoid using cellphones for work after China-linked APT group Salt Typhoon breached major telecom providers. The CFPB, established in 2011 to protect consumers in the financial sector and promote fair, transparent markets, issued a directive urging employees to limit phone use and rely on Microsoft Teams and Cisco WebEx for meetings involving nonpublic data.

Researchers at WatchTowr have disclosed new vulnerabilities in Citrix Virtual Apps and Desktops, particularly affecting the Session Recording component, which administrators use to monitor and record user sessions. These security flaws could potentially allow unauthenticated remote code execution, presenting a serious threat to affected systems.

Ymir, a relatively new ransomware family, has been observed by researchers at Kaspersky encrypting systems that were previously compromised by RustyStealer, an infostealer malware first documented in 2021. Ymir ransomware initiated operations in July 2024 and is known for its in-memory execution, use of PDF files as ransom notes, and extension configuration options.

North Korean-linked threat actors have started embedding malware in applications built using Flutter, a cross-platform development framework, specifically to target Apple macOS devices—a first for this adversary.

AndroxGh0st, a Python-based cloud attack tool that's known for its targeting of Laravel applications with the goal of sensitive data pertaining to services like Amazon Web Services, is being utilized in a campaign exploiting a larger set of security flaws only impacting internet-facing applications.

Cybersecurity firm Malwarebytes is warning of hackers using stolen session cookies to bypass multi-factor authentication (MFA) and take over email accounts. “When you log in and the server has verified your authentication—straight away or after using MFA–the server creates a session and generates a unique session ID.

Fortinet's FortiGuard Labs recently identified a phishing campaign delivering a new Remcos RAT variant through a malicious Excel document attached to a phishing email. The attack starts with a convincing email that includes the Excel file, disguised as an order form to lure the recipient into opening it.

CosmicBeetle, also known as NoName, is a ransomware-as-a-service (RaaS) operation that has been active since 2020. This group is known for exploiting known vulnerabilities, such as EternalBlue (CVE-2017-0144), and the Zerologon vulnerability (CVE-2020-1472) to infiltrate systems.

In November 2023, a security vendor discovered that North Korean threat actors were using the Contagious Interview and WageMole campaigns to procure remote employment opportunities in Western countries, thus evading the financial sanctions against North Korea (DPRK).

On October 31, 2024, telematics provider Microlise disclosed it suffered from a cyberattack that disrupted tracking services for clients like DHL, a global logistics and shipping company, and Serco, a company that manages the transport of prisoners for the Ministry of Justice in the United Kingdom.

Since July 2024, the "CopyRightadamantys" phishing campaign has been exploiting copyright infringement themes to trick victims into downloading a new version of the Rhadamanthys information stealer. Tracked by cybersecurity firm Check Point, this large-scale operation spans the U.S., Europe, East Asia, and South America.

Cybersecurity experts recently uncovered a malicious package on PyPI, "fabrice," which has been secretly stealing AWS credentials from developers since its launch in March 2021.

SentinelLabs has identified a new multi-stage malware campaign, named "Hidden Risk", attributed to the North Korean state-backed threat actor BlueNoroff, which targets businesses in the cryptocurrency industry.

Cleafy's Threat Intelligence team witnessed a significant spike in malicious activity utilizing a new Android malware sample in late October 2024. Initially classified as TgToxic malware, this malware sample was further analyzed and although it has similar bot commands with TgToxic, the code differs greatly in that many TgToxic capabilities are absent and some commands act as placeholders for unimplemented modules, leading Cleafy to classify this malware as a new family called ToxicPanda.

The GoZone ransomware, a new strain identified by SonicWall researchers, targets victims with a relatively low ransom demand of $1,000 in Bitcoin for file decryption. Written in Go, it employs Chacha20 and RSA algorithms to encrypt files, appending a ".d3prU" extension to signal compromise.

Summary: On Tuesday, Interpol announced the takedown of more than 22,000 malicious IP addresses or servers linked to cyber threats, as part of a coordinated operation involving private sector partners and law enforcement agencies from 95 INTERPOL member countries.

ClickFix is a new social engineering tactic that uses deceptive error messages to prompt users into executing malicious code, allowing attackers to infiltrate their devices.

In the first half of 2024, ransomware activity continued to surge, with 75 active ransomware groups and 2,260 organizations falling victim—marking a 24.5% increase compared to H1 2023. LockBit's resurgence in May, following Operation CRONOS, was a significant contributor to this spike.

As part of the November Security updates, Google addressed a total of 51 vulnerabilities, two of which are actively being exploited in attacks in the wild.

Canadian authorities have detained Alexander "Connor" Moucka in connection with an extensive data breach campaign that compromised sensitive information from hundreds of millions of individuals.

Pakistan's APT36 threat group has been observed by Check Point Research utilizing a new and improved ElizaRAT malware in a growing number of successful attacks against Indian government agencies and military entities in the past year.

Researchers at Securonix recently uncovered a sophisticated phishing campaign where attackers trick Windows users into launching a custom Linux virtual machine (VM) with a pre-configured backdoor.

“In 2023, organizations were hit hard by cyberattacks, many of which exposed serious weaknesses in security practices. One of the biggest issues was how patching and vulnerability management was handled. I

LastPass, a popular password manager software, is currently facing an ongoing phishing campaign targeting its users. Cybercriminals are writing fake reviews on the Chrome Web Store for the LastPass extension, promoting a fraudulent customer support phone number: 805-206-2892.

Cybersecurity firm Rapid7 recently shed light on a Microsoft SharePoint remote code execution vulnerability (CVE-2024-38094) which is actively being exploited in attacks in the wild to gain initial access to corporate networks.

Cybercriminals have adopted a sophisticated approach by exploiting DocuSign's API capabilities to send convincing fake invoices that appear to come from reputable companies like Norton Antivirus.

The Interlock ransomware, a relatively new threat that emerged in late September 2024, has been targeting organizations worldwide with a distinctive tactic: it uses an encryptor specifically designed for FreeBSD servers.

The Passion group, which has established connections with notorious hacktivist collectives such as Killnet and Anonymous Russia, has recently emerged as a significant player in the cyber threat landscape by offering DDoS-as-a-Service specifically tailored for pro-Russian hacktivists.

Cisco Talos has identified an ongoing phishing campaign targeting Facebook business and advertising account users in Taiwan since at least July 2024. The campaign leverages social engineering tactics to deceive victims into downloading and executing malware.

The landscape of autonomous systems, particularly in the realms of drones and robotics, has undergone transformative advancements in recent years. These technologies have enhanced operational efficiency and capability across a multitude of sectors, ranging from agriculture and logistics to national defense and emergency response.

U.S. and Israeli cybersecurity agencies have recently linked the Iranian cyber group Emennet Pasargad, now operating under the alias Aria Sepehr Ayandehsazan, to sophisticated cyber operations targeting the 2024 Summer Olympics.

Microsoft has shed light on a botnet dubbed CovertNetwork-1658, aka xlogin and Quad7 (7777), which has enabled Chinese threat actors to steal credentials in highly evasive password spray attacks.

Researchers recently disclosed the Xiū gǒu phishing kit, which has been operational since at least September 2024 in campaigns targeting Australia, Japan, Spain, the U.K., and the U.S. Xiū gǒu is a sophisticated phishing toolkit responsible for over 2,000 phishing websites aimed at various industries, including government, postal services, digital services, and banking.

Trend Micro researchers identified a complex attack exploiting the Atlassian Confluence vulnerability CVE-2023-22527, allowing attackers to achieve remote code execution (RCE) to install cryptomining software on compromised systems using the Titan Network.

QNAP recently published security updates to address two critical zero-day flaws impacting its network-attached storage (NAS) devices, which were exploited by security researchers during the Pwn2Own hacking contest in Ireland last week.

French internet service provider Free has publicly disclosed a significant cyber attack that has compromised certain personal information of its customers. As the second-largest ISP in France, with over 22.9 million mobile and fixed subscribers, Free plays a crucial role in the country's telecommunications landscape.

Strela Stealer, a malware originally identified by the German cybersecurity organization DCSO in late 2022, is an information stealer primarily designed to exfiltrate email account credentials from email clients like Microsoft Outlook.

A critical Remote Code Execution vulnerability in CyberPanel exposed over 22,000 instances online, leading to a large-scale PSAUX ransomware attack that took most affected servers offline. This vulnerability affects CyberPanel versions 2.3.6 and likely 2.3.7 and includes three significant flaws: defective authentication, command injection, and a security filter bypass.

The North Korean APT group Andariel, linked to the Reconnaissance General Bureau, was found to be associated with the Play ransomware operation, likely acting as an affiliate or initial access broker. In May 2024,

Yesterday, the FBI issued an advisory warning about scammers exploiting the 2024 US General election to scam individuals across the United States. The agency has identified four different schemes employed by these fraudsters.

This is a sophisticated campaign with a large scope and it utilizes the commonly used Facebook software as an avenue for initial access. The TA has the infrastructure to impersonate ads for essentially any commonly used software. This malware has the capability to evade AV detection. The possibility of legitimate business accounts being utilized to propagate the malware further, highlights the severity of the threat.

The "EmeraldWhale" campaign, a large-scale malicious operation, has reportedly scanned for exposed Git configuration files, compromising over 15,000 cloud account credentials across thousands of private repositories.

Cybersecurity experts at Proofpoint have reported a concerning rise in online job scams targeting financially vulnerable individuals, especially those seeking remote or flexible work.

Russian threat group UNC5812 has launched a complex espionage and influence campaign targeting Ukrainian military recruits, deploying malware for both Windows and Android devices.

The Canadian Centre for Cyber Security (Cyber Centre) recently stated that a sophisticated Chinese state-sponsored threat actor has performed reconnaissance scanning against numerous domains in Canada.

Evasive Panda, a China-aligned APT group, has been observed utilizing a post-compromise toolset named CloudScout to target government and religious institutions in Taiwan between 2022 and 2023.

Several vulnerabilities have been identified in the Realtek SD card reader driver, RtsPer[.]sys, impacting a broad range of laptops from major brands.

Researchers at ReliaQuest have uncovered a new social engineering technique employed by Black Basta ransomware actors to gain an initial foothold into victim environments. Previously, these actors would overwhelm users with email spam, prompting recipients to create a legitimate help-desk ticket to resolve the issue. From here, Black Basta operators would then contact the end user, posing as the help desk to respond to the ticket. I

The notorious cryptojacking group TeamTNT is gearing up for a large-scale attack campaign targeting cloud-native environments. This new effort focuses on exploiting exposed Docker daemons to deploy the Sliver malware, cryptominers, and a cyber worm. TeamTNT uses compromised Docker servers and Docker Hub as their infrastructure to spread the malware.

Fog and Akira ransomware groups are actively exploiting a critical vulnerability, CVE-2024-40766, in SonicWall SSL VPNs to gain unauthorized access to corporate networks. This flaw, found in SonicOS, affects access controls within SSL VPNs, allowing attackers to bypass security and compromise networks remotely.

A recent surge in phishing activity has been identified by Netskope Threat Labs, with a 10-fold increase in traffic directed towards phishing pages built using Webflow. These campaigns target a range of information, including login credentials for various crypto wallets (Coinbase, MetaMask, Phantom, Trezor, Bitbuy), company webmail platforms, and even Microsoft365 credentials.

The Dutch National Police, in coordination with the FBI and other international agencies, have dismantled the network infrastructure supporting the Redline and Meta infostealer malware operations in an effort known as "Operation Magnus." This disruption serves as a direct warning to cybercriminals that their data is now in the hands of law enforcement.

LinkedIn, Microsoft's professional social network, serves as a vital hub for job recruiters and seekers. Unfortunately, it's also becoming a fertile ground for cybercriminals targeting unsuspecting users. Like other social platforms, LinkedIn is rife with bots that respond to specific keywords or hashtags such as "I was laid off" or "#opentowork."

In June 2024, Aqua Security discovered a security vulnerability in the AWS Cloud Development Kit (CDK), an open-source tool for building cloud infrastructure. This vulnerability could potentially allow attackers to gain administrative access to a target AWS account, allowing account hijacking for executing malicious code.

Amazon recently seized domains used by APT 29, a Russian state-backed actor, in a mass email phishing campaign targeting government agencies, enterprises, and militaries. The campaign which was initially identified and disclosed by Ukraine's Computer Emergency Team (CERT-UA),

LinkedIn, Microsoft's professional social network, serves as a vital hub for job recruiters and seekers. Unfortunately, it's also becoming a fertile ground for cybercriminals targeting unsuspecting users. Like other social platforms, LinkedIn is rife with bots that respond to specific keywords or hashtags such as "I was laid off" or "#opentowork."

UnitedHealth has confirmed that over 100 million individuals had their personal and healthcare data stolen in the Change Healthcare ransomware attack, marking it as the largest healthcare data breach in recent years. CEO Andrew Witty previously warned that "maybe a third" of all Americans' health data was compromised.

A newly enhanced version of the Qilin (Agenda) ransomware, dubbed 'Qilin.B,' has been detected in cyberattacks, showcasing stronger encryption techniques, improved evasion from security tools, and sophisticated methods to disrupt data recovery processes.

Summary: A new vulnerability in Fortinet's FortiManager, known as "FortiJump" and tracked as CVE-2024-47575, has been actively exploited in zero-day attacks since June 2024. The flaw has affected over 50 servers and was first revealed in a report by Mandiant.

Cisco has released security updates to address an actively exploited flaw impacting the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. Tracked as CVE-2024-20481, a successful exploitation could enable an unauthenticated, remote attacker to cause a denial of service of the RAVPN service.

In October 2024, a significant cybersecurity event involving a manufacturing firm was analyzed by ReliaQuest. The investigation attributed the breach to a group called "Scattered Spider," a collective of English-speaking cybercriminals connected to the ransomware organization "RansomHub."

In June 2024, ESET researchers identified a new ransomware group, Embargo, utilizing a Rust-based toolkit for its operations. The toolkit consists of MDeployer, a loader, and MS4Killer, an EDR killer. Both tools are designed to facilitate the deployment and execution of the Embargo ransomware.

A new blog post by Cisco Talos shed light on the activities of Akira ransomware, noting that the group is actively creating new variants of its encryptor and refining its TTPs to adapt to shifts in the threat landscape. In 2023 Akira typically employed a double-extortion tactic where victim data was exfiltrated before encryption.

Cisco Talos recently uncovered a phishing campaign leveraging the open-source Gophish toolkit, executed by an unknown threat actor. The campaign utilizes modular infection chains, either via malicious documents (Maldoc) or HTML files containing JavaScript, which lead to the deployment of two Remote Access Trojans (RATs): PowerRAT, a newly identified PowerShell-based RAT, and DCRAT, a widely recognized malware.

Cybercriminals have compromised a third-party provider linked to Verizon's Push-to-Talk systems, a service used by government agencies, first responders, and enterprises for secure internal communication. This breach, advertised on a Russian-language cybercrime forum, does not impact Verizon's core consumer network but reveals significant vulnerabilities in telecoms' security practices.

A high-severity vulnerability (CVE-2024-38094) impacting Microsoft SharePoint has been identified following the release of a public PoC and subsequently added to CISA's Known Exploited Vulnerabilities (KEV) catalog. This deserialization vulnerability allows an authenticated attacker with Site Owner permissions to inject and execute arbitrary code on the SharePoint server.

In a report from ANY.RUN, DarkComet is highlighted as a highly versatile and dangerous Remote Access Trojan (RAT) that has been a persistent threat since its creation by Jean-Pierre Lesueur in 2008.

ForcePoint has observed an increase in the use of Latrodectus malware by cybercriminals in attacks targeting the financial, automotive, and healthcare sectors. For its part, Latrodectus is a malware downloader that has been around since October 2023. The strain is believed to be developed by LunarSpider, a threat actor who developed the notorious IceID trojan, which has been used by dozens of malware families for distribution purposes.

Two Russian pro-hacker groups, NoName057 and the Russian Cyber Army Team, launched coordinated DDoS attacks against Japanese logistics, shipbuilding companies, and government agencies starting on October 14, 2024.

Attackers are exploiting exposed Docker Remote API servers to deploy the perfctl malware, utilizing a structured attack flow that begins with probing the vulnerable server and ends with payload execution and persistence. The attack starts with the attacker identifying an exposed Docker Remote API server through a ping request. Once the server is located, the attacker creates a Docker container using the ubuntu image.

On Monday, October 21, 2024, the Biden administration officially announced new proposed rules related to a February executive order designed to prevent foreign adversaries such as China and Russia from exploiting easily obtained American financial, biometric, precise geolocation, health, genomic, and other data to carry out future cyberattacks or continue to spy on Americans.

Threat groups are exploiting a critical vulnerability (CVE-2024-40711) in Veeam Backup and Replication software for ransomware attacks, according to researchers and federal authorities. This vulnerability, with a CVSS score of 9.8, was disclosed by Veeam in a security bulletin on September 4.

VMware has released a new security update for CVE-2024-38812, a critical remote code execution (RCE) vulnerability in VMware vCenter Server that wasn't fully addressed by the initial patch in September 2024. The flaw, with a CVSS score of 9.8, stems from a heap overflow issue in the DCE/RPC protocol, affecting vCenter Server and related products like vSphere and Cloud Foundation. It can be exploited without user interaction through specially crafted network packets.

APT41 (also known as Brass Typhoon, Earth Baku, Wicked Panda, or Winnti) launched a sophisticated cyberattack on the gambling and gaming industry. Over a span of six to nine months, the attackers gathered sensitive information such as network configurations, passwords, and data from the LSASS process.

The Bumblebee malware loader appears to have resurfaced after being disrupted by Europol's Operation Endgame in May 2024. A new infection chain deploying Bumblebee has been detected by Netskope Threat Labs, marking its first reappearance since the Europol-led takedown.

Last Friday, ESET announced on X (formerly known as Twitter) that it is aware of a security incident that affected its partner company in Israel. Notably, a phishing campaign initiating on October 8th was observed, where emails branded with ESET's logo were sent from eset[.]co[.]il, a legitimate domain that is operated by ESET's Israel distributor, Comsecure.

In a recent cyberattack, the North Korea-backed advanced persistent threat (APT) group known as APT37 exploited a zero-day vulnerability in Microsoft's Internet Explorer (IE) web browser to launch a zero-click supply chain campaign targeting South Korean entities.

Microsoft has urged all macOS users to update their systems due to a vulnerability (CVE-2024-44133, CVSS 5.5) patched in the September macOS Sequoia updates. The flaw may be exploited by the Adloader macOS malware family. It targets Apple's Transparency, Consent, and Control (TCC) protections, potentially allowing unauthorized access to a device's camera, microphone, and location.

Researchers at Sekoia have shed light on a new social engineering tactic called ClickFix, which involves displaying fake error messages in web browsers to trick users into copying and executing malicious PowerShell code to infect targeted systems. In the last couple of months, ClickFix has been used to distribute Windows and macOS infostealers, botnets, and remote access tools.

Microsoft has identified a vulnerability in macOS, named "HM Surf," that enables attackers to bypass the system's Transparency, Consent, and Control technology, which is responsible for managing user permissions for accessing sensitive data. This flaw, tracked as CVE-2024-44133, allows attackers to gain unauthorized access to user data, including browsing history, camera, microphone, and location.

Group-IB researchers successfully infiltrated the Cicada3301 ransomware-as-a-service group, uncovering significant details about its operations and affiliate panel. Cicada3301, which started recruiting affiliates in June 2024, has targeted approximately 30 victims, primarily in the U.S. and U.K.

The pentester encountered a session fixation vulnerability in a PHP web application, but knew it might not be taken seriously on its own. To demonstrate its severity, they combined it with an existing XSS vulnerability and a lesser-known technique called the Cookie Jar Overflow Attack. This combination allowed them to show how an attacker could bypass security measures and hijack user sessions.

In December, a new ransomware group targeting Russian businesses and government agencies was identified, dubbed “Crypt Ghouls.” Investigation revealed connections to other cybercriminal groups through shared tactics, tools, and infrastructure. The group employs a variety of utilities, including Mimikatz and LockBit 3.0 for ransomware attacks, utilizing compromised contractor credentials to gain access via VPN.

Iranian hackers are increasingly breaching critical infrastructure organizations to steal credentials and network data, which they sell on cybercriminal forums, enabling further cyberattacks by other threat actors.

Secureworks Counter Threat Unit researchers have identified evolving tactics in fraudulent employment schemes involving North Korean IT workers, linked to the NICKEL TAPESTRY threat group. These schemes involve North Korean nationals using stolen or falsified identities to secure employment at Western companies, including those in the U.S., UK, and Australia.

According to Symantec's new report, Ransomware: Threat Level Remains High in Third Quarter, ransomware continues to be a growing threat in the cyber landscape, with Symantec observing 1,255 ransomware attacks in the third quarter of 2024. One of the biggest developments observed by Symantec in Q3 of 2024 was a decline in LockBit activity, a previously dominant player in the ransomware ecosystem.

Cronus is a sophisticated ransomware strain developed using .NET technology, first reported by Seqrite. This analysis arose from the discovery of a malicious document presented as a PayPal invoice, which was submitted to VirusTotal. The investigation outlines the ransomware's method of file encryption, its persistence mechanisms, and a detailed examination of its ransom note.

North Korean threat actor ScarCruft, also known as TA-RedAnt, APT37, and several other aliases, has been linked to the exploitation of a now-patched zero-day vulnerability in Windows, identified as CVE-2024-38178 (CVSS score: 7.5). This flaw, a memory corruption issue in the Windows Scripting Engine, allowed remote code execution when using Microsoft Edge in Internet Explorer Mode. Microsoft patched the vulnerability as part of its August 2024 Patch Tuesday updates.

Fortinet FortiGuard Labs has uncovered a suspected nation-state actor exploiting a chain of three vulnerabilities impacting Ivanti Cloud Service Appliance to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and further attempt to access the credentials of those users.

A newly discovered Golang ransomware variant has been found to abuse Amazon S3's Transfer Acceleration feature to exfiltrate data from victim machines to attacker-controlled S3 buckets. The ransomware samples analyzed contained hardcoded AWS credentials, which were used to create S3 buckets and enable faster data transfers through Amazon's globally distributed CloudFront edge locations.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) are releasing this joint Cybersecurity Advisory to warn network defenders of Iranian cyber actors' use of brute force and other techniques to compromise organizations across multiple critical infrastructure sectors, including the healthcare and public health (HPH), government, information technology, engineering, and energy sectors.

Security teams are increasingly recognizing large language models (LLMs) as vital business tools capable of automating various tasks, thereby allowing employees to focus on more strategic functions and potentially providing a competitive advantage.

Cofense has shared insights on a phishing campaign it detected earlier this year, where actors were observed using GitHub links to bypass email security gateways and distribute malware. These links were generated through the submission of GitHub comments, which can be added to the source code repository and may include but are not limited to proposed changes, more information from a user on an issue, or documentation.

Threat actors are exploiting the open-source EDRSilencer tool to bypass endpoint detection and response systems, according to Trend Micro researchers. Originally designed for red teaming, EDRSilencer leverages the Windows Filtering Platform to block EDR communications by identifying and filtering EDR processes, preventing them from sending alerts or telemetry.

The recent activities of Iranian state-sponsored hacking group APT34, also known as OilRig, have focused on government and critical infrastructure entities in the UAE and Gulf region. Trend Micro researchers identified a new campaign in which OilRig deployed a novel backdoor to target Microsoft Exchange servers for credential theft.

OzarksGo, a fiber ISP based in Fayetteville, Arkansas, experienced a cyber incident on October 7 that specifically targeted the servers responsible for providing linear TV service to approximately 4,500 customers in northwest Arkansas and northeast Oklahoma. Upon discovering the potential issue, the company acted promptly by deactivating the affected equipment and bringing in external experts to assess the situation and mitigate further impact.

Amateur ham radio operators have long served as vital communication links during disasters, providing essential support when conventional systems fail. Despite advancements in technology, these skilled volunteers remain prepared through training and drills, such as the Amateur Radio Emergency Service (ARES) Field Day.

Recently, Tend Micro has been tracking Earth Simnavaz (also known as APT34 and OilRig), a cyber espionage group believed to be linked to Iranian interests. This group primarily targets organizations in the energy sector, particularly those involved in oil and gas, as well as other critical infrastructure.

The FBI, NSA, CNMF, and NCSC-UK have released a joint advisory highlighting the tactics, techniques, and procedures (TTPs) employed by actors associated with the Russian Federation Foreign Intelligence Service (SVR), including APT29, Midnight Blizzard (formerly Nobelium), Cozy Bear, and the Dukes.

CISA has issued a warning that threat actors are exploiting unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager module. These cookies are being leveraged to conduct reconnaissance on target networks, allowing attackers to map out and enumerate non-internet-facing devices.

Ransomware gangs are actively exploiting a critical vulnerability in Veeam Backup & Replication servers, designated as CVE-2024-40711, which allows attackers to achieve remote code execution. This vulnerability was discovered by Florian Hauser, a security researcher at Code White.

Resecurity has reported a growing trend of attacks on AI conversational platforms, particularly those using Natural Language Processing and Machine Learning to simulate human-like interactions. These platforms, commonly used in industries such as finance, e-commerce, and customer support, enable personalized, automated responses to consumers.

The Internet Archive, a nonprofit digital library known for providing free access to archived websites and digital materials, has been facing a distributed denial-of-service attack for three consecutive days, severely limiting users' ability to access the site. Alongside this DDoS attack, a data breach was discovered, exposing 31 million user accounts, including email addresses, screen names, and bcrypt-hashed passwords.

A new, previously undetected loader builder, dubbed "MisterioLNK," has been identified by Cyble Research and Intelligence Labs (CRIL). This versatile tool, publicly accessible on GitHub, poses a significant threat to security defenses due to its ability to generate loader files that largely evade detection by conventional security systems.

There has been a recent increase in actors employing callback phishing to infect unsuspecting victims with malware. Callback phishing, otherwise known as telephone-oriented attack delivery (TOAD), is a hybrid phishing model (a combination of voice and phishing) that aims to take advantage of the trust people often assign to strangers who assume authority over the phone.

Mamba 2FA is an emerging phishing-as-a-service platform that targets Microsoft 365 accounts through adversary-in-the-middle attacks. It uses highly convincing phishing login pages to steal authentication tokens, bypassing multi-factor authentication protections. Priced at $250 per month, Mamba 2FA is gaining popularity due to its accessibility and effectiveness, positioning it as one of the fastest-growing phishing platforms in the market.

In the wake of Hurricane Helene and the impending arrival of Hurricane Milton on October 9th, 2024, Florida faces another threat: a myriad of cyberattacks targeting vulnerable individuals and organizations. Veriti, a cybersecurity research firm based in Israel, identified three key emerging threats exploiting the chaos and urgency surrounding hurricane relief efforts.

Summary: Barracuda threat analysts have identified a new wave of QR code phishing attacks, known as "quishing," that employ sophisticated techniques to bypass traditional security measures. These phishing attempts use QR codes generated from text-based ASCII/Unicode characters instead of conventional static images, making them difficult for optical character recognition systems to interpret.

Actors are increasingly misusing legitimate file hosting services in campaigns intended to conduct identity phishing, commonly leading to business email compromise attacks. SharePoint, OneDrive, and Dropbox are some of the common services being exploited.

Ivanti, a prominent U.S.-based IT software company, has issued critical security updates to fix three newly discovered zero-day vulnerabilities in its Cloud Services Appliance (CSA), which are being actively exploited in ongoing attacks.

Security giant ADT disclosed it suffered a breach after actors gained access to its systems using stolen credentials and exfiltrated employee account data. On Monday, ADT filed a 8-K filing with the SEC, noting that the credentials were stolen from a third-party business partner, thus enabling the actors to breach ADT systems.

Qualcomm has recently issued security updates that address nearly two dozen vulnerabilities in proprietary and open-source components within their systems. Among these vulnerabilities, one of particular concern is a high-severity flaw, identified as CVE-2024-43047, which has been actively exploited in the wild.

Secureworks' 2024 State of the Threat Report highlights a significant 30% rise in active ransomware groups over the past year, despite extensive law enforcement actions aimed at disrupting these operations. In the last 12 months, 31 new ransomware groups have emerged, shifting the landscape from a few dominant players to a more fragmented ecosystem.

Japanese tech giant Casio has recently experienced a significant cyberattack, with unauthorized access to its networks reported on October 5. This incident has led to notable disruptions in its systems, affecting various services that the company offers.

Last week, Microsoft and the U.S. Department of Justice (DOJ) announced that they seized 107 internet domains that were being used by Star Blizzard, a Russian nation-state actor. 66 of these domains were used by Star Blizzard to target over 30 civil society organizations including journalists, think tanks, and non-governmental organizations (NGOs), between January 2023 and August 2024.

A new China-aligned threat actor, dubbed CeranaKeeper, has been identified targeting governmental institutions in Southeast Asia, primarily Thailand. The group has been active since at least early 2022 and is characterized by its relentless pursuit of data exfiltration. CeranaKeeper leverages a variety of techniques and tools, including custom backdoors, exfiltration tools, and the abuse of legitimate cloud and file-sharing services like DropBox and OneDrive, to achieve its objectives.

ESET researchers uncovered a sophisticated cyberespionage campaign by the GoldenJackal APT group, targeting governmental and diplomatic entities across Europe and South Asia from 2019 to 2024. The group primarily focused on breaching air-gapped systems—networks isolated from the internet to protect highly sensitive data—using custom tools delivered via USB drives.

Researchers have identified a new botnet malware family called Gorilla or GorillaBot, which is a variant of the Mirai botnet source code. Discovered by NSFOCUS, this malware has shown significant activity between September 4 and September 27, 2024, during which it executed over 300,000 attack commands, with an average of 20,000 DDoS commands per day.

CISA released its Fiscal Year 2023 (FY23) Risk and Vulnerability Assessments (RVA) Analysis, providing a crucial look into the tactics and techniques threat actors employed to compromise critical infrastructure. The report is part of the agency's ongoing effort to improve national cybersecurity through assessments of vulnerabilities in key sectors.

A cybersecurity campaign targeting organizations in mid-September, in the U.K. and the U.S., employed Prince Ransomware, a freely available variant advertised on GitHub for educational purposes by developer “SecDbg”. The connection to Prince Ransomware was identified due to the observed sample downloading the same PNG from Imgur, and setting the PNG as the background, exactly as Prince Ransomware does in the configuration example on GitHub.

A sophisticated cyberattack targeting organizations worldwide has been uncovered by Cyble Research and Intelligence Labs (CRIL). The threat actor (TA) employed a multi-stage attack, utilizing legitimate tools such as Visual Studio Code (VS Code) and GitHub to gain unauthorized remote access to victims' machines. The attack chain's initial access is achieved through a malicious .LNK file, disguised as a legitimate setup file, which is potentially delivered to victims through spam or phishing emails.

Researchers at Cisco Talos have uncovered a financially motivated threat actor deploying a new MedusaLocker ransomware variant, dubbed “BabyLockerKZ.” First observed in late 2023, this variant distinguishes itself from the original MedusaLocker by using unique autorun keys and an additional public-private key set stored in the registry. Despite these differences, BabyLockerKZ utilizes the same chat and leak site URLs as its predecessor, marking its first identification as a MedusaLocker variant.

Check Point Research uncovered a recent mobile malware campaign exclusively targeting cryptocurrency users through a malicious Android app disguised as the legitimate WalletConnect protocol, taking advantage of its trusted name. This fake app, identified by Check Point, employed various evasion techniques including BASE64 encoding and encryption to avoid detection, deceive users, and steal their crypto assets. It achieved high visibility in Google Play Store search results through fake reviews and consistent branding, leading to over 10,000 downloads. Another malware app identified by Check Point exhibits similar features and achieved more than 5,000 downloads. Once the fake app is installed, it checks if the user isn't on a desktop, taking users to a legitimate website if they are, and then drops the MS Drainer and prompts the user to sign several transactions. The information is transmitted to a C2 server and it sends commands to MS Drainer to transfer funds to the attacker's wallet. This campaign is notable because it represents the first instance of a cryptocurrency drainer focusing exclusively on mobile device users. While the exact number of victims is unknown, over 150 users are estimated to have lost funds.

In a recent development, researchers identified significant security vulnerabilities within the OpenPrinting Common Unix Printing System (CUPS), which is a crucial component in many Linux environments. These vulnerabilities could enable attackers to execute arbitrary code remotely, potentially compromising the integrity of affected systems. Given the widespread use of CUPS in personal and enterprise settings, this poses a substantial threat to printing and document-handling workflows, highlighting the need for immediate attention from cybersecurity professionals.

A recent discovery by Datadog Security Research has unveiled a new cryptojacking campaign targeting Docker and Kubernetes, two widely used platforms for containerized development. The attackers exploit vulnerable Docker Engine APIs exposed to the internet to deploy a cryptocurrency miner on compromised containers. The campaign then utilizes additional malicious scripts to achieve lateral movement across the network, compromising other Docker hosts, Kubernetes deployments, and even SSH servers.

Law enforcement from 12 countries arrested four suspects tied to the LockBit ransomware gang, including a developer, a bulletproof hosting administrator, and two individuals linked to LockBit activities. These arrests were part of Operation Cronos, a global crackdown led by the UK National Crime Agency (NCA), which began in April 2022. A suspected LockBit developer was arrested in August 2024 at the request of French authorities, while two other individuals were arrested in the UK, one for LockBit affiliation and the other for money laundering. Additionally, Spain arrested a bulletproof hosting service administrator used by LockBit.

Last week, Texas healthcare provider UMC Health System disclosed that it detected unusual activity within its IT systems and took steps to proactively disconnect systems to contain the incident. Due to the outage, medical prescription lists are unavailable at UMC clinics. As such, patients have been advised to bring their prescriptions with them when visiting. As a precaution, UMC decided to temporarily divert incoming emergency and non-emergency patients to nearby health facilities. In an update on Monday, the healthcare giant stated that it will start accepting patients via ambulance. However, a select number of patients will still be diverted until all UMC resources are fully functional. As of writing, the investigation is still ongoing, with UMC working with third parties to determine the full scope of the incident and recover systems as soon as possible.

A critical XML external entity reference (XXE) vulnerability, tracked as CVE-2024-34102, has been exploited to compromise five percent of Adobe Commerce and Magento stores. This vulnerability, dubbed CosmicSting, has been exploited by malicious actors to gain remote code execution on vulnerable systems. The flaw was patched by Adobe on June 27th, 2024, but widespread exploitation has continued. Sansec research discovered seven different groups running large-scale campaigns utilizing this CosmicSting vulnerability.

An IT-ISAC member shared some indicators related to Lumma Stealer and it's use of Steam Workshop for C2 communications. Lumma Stealer, a subscription-based malware active since 2022, is believed to be developed by the threat actor "Shamel" under the alias "Lumma." It is promoted on dark web forums and a Telegram channel with over a thousand subscribers, and sold for as little as $250 USD. Lumma Stealer collects system data, sensitive information like cookies, passwords, credit card details, and cryptocurrency wallet data from compromised devices. The malware is typically delivered by users downloading trojanized software or opening malicious emails containing Lumma payloads.

Cloudflare has shared significant insights regarding a notable increase in the frequency and severity of Distributed Denial of Service (DDoS) attacks, particularly starting from early September. During this period, the company successfully neutralized over 100 hyper-volumetric Layer 3 and Layer 4 DDoS attacks. Many of these incidents surpassed critical benchmarks, with some exceeding 2 billion packets per second (Bpps) and reaching impressive peaks of 3 terabits per second (Tbps). One of the most alarming attacks peaked at an extraordinary 3.8 Tbps, which stands as the largest DDoS attack ever made public by any organization.

In May 2024, Ivanti released patches to address a SQL injection vulnerability in its Endpoint Manager. Tracked as CVE-2024-29824, the flaw impacts the Core server of Ivanti EPM 2022 SU5 and prior, and can be exploited by an unauthenticated attacker within the same network to execute arbitrary code. In its initial advisory, Ivanti did not have evidence to suggest that the flaw was exploited in attacks in the wild. However, the vendor recently updated the advisory stating that it is aware of in-the-wild exploitation. According to Ivanti, CVE-2024-29824 has been used against “a limited number of customers.” Details of these attacks have not been disclosed at this time. CISA recently added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, advising organizations to apply patches by October 23.

On July 25, 2024, Rim Jong Hyok, an alleged member of the North Korean threat group Stonefly (aka Andariel, APT45, Silent Chollima, Onyx Sleet), was indicted by the U.S. Justice Department for his involvement in extorting U.S. hospitals and other healthcare providers between 2021 and 2023, laundering the ransom proceeds, and then using these proceeds to fund additional cyberattacks against targets in the defense, technology, and government sectors worldwide.

Linux servers are under threat from a stealthy malware known as "perfctl," aimed at running cryptocurrency mining and proxyjacking software. This malware employs advanced evasion tactics, remaining inactive during user activity and deleting its own files to avoid detection. It exploits a vulnerability in Polkit (CVE-2021-4043) to gain root access and install the miner. The name "perfctl" is a deliberate attempt to mimic legitimate system processes. The attack typically involves exploiting vulnerable Apache RocketMQ instances to deliver the malware. Once activated, perfctl hides itself by copying to different locations and may also download additional proxyjacking tools from remote servers.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) have released a joint advisory warning against a group of Iran-based cyber actors that has conducted a high volume of computer network intrusion attempts against U.S. and foreign organizations since 2017 and as recently as August 2024, including schools, municipal governments, financial institutions, and healthcare facilities.

A critical security vulnerability tracked as CVE-2024-6386 has been disclosed in the WPML WordPress multilingual plugin. WPML is a popular plugin used for building multilingual WordPress sites. It has over one million active installations. This vulnerability could allow authenticated users with Contributor-level access or higher to execute arbitrary code remotely under certain circumstances.

ESET researchers discovered a remote code execution vulnerability (CVE-2024-7262) in WPS Office for Windows, which was actively exploited by the South Korea-aligned cyberespionage group APT-C-60. This group targeted users in East Asian countries, leveraging the vulnerability to deploy a custom backdoor named "SpyGlace" by ESET, designed for cyberespionage purposes.

The BlackByte ransomware group has been observed likely exploiting a newly patched vulnerability (CVE-2024-37085) in VMware ESXi hypervisors, while simultaneously leveraging various vulnerable drivers to bypass security protections.

Volt Typhoon is a Chinese state-sponsored hacker group known by various aliases such as Vanguard Panda and Bronze Silhouette. Recent developments reveal that these hackers have exploited a high-severity zero-day vulnerability in the Versa Director platform, which is used by ISPs to manage complex networks.

Volt Typhoon is a Chinese state-sponsored hacker group known by various aliases such as Vanguard Panda and Bronze Silhouette. Recent developments reveal that these hackers have exploited a high-severity zero-day vulnerability in the Versa Director platform, which is used by ISPs to manage complex networks.

A significant phishing campaign has leveraged Microsoft Sway, a cloud-based platform for creating online presentations, to host malicious landing pages designed to steal Microsoft 365 credentials.

A sophisticated cyber campaign is currently targeting high-profile organizations in Southeast Asia, employing two advanced and under-the-radar techniques to infiltrate their systems.

The National Cyber Security Centre (NCSC) of Ireland is warning of a growing trend in WhatsApp verification code scams targeting users. These scams initiate with the actors obtaining the victim's phone number and entering the number into WhatsApp's login screen.

A recent discovery by Kaspersky researchers revealed a new macOS version of the HZ RAT backdoor. This backdoor specifically targets users of DingTalk, an enterprise messaging platform, and WeChat, a popular social media app, both widely used and essentially required in China.

Malicious hackers, likely backed by the Chinese government, have exploited a critical zero-day vulnerability in the Versa Director virtualization platform used by ISPs. This vulnerability, tracked as CVE-2024-39717, allowed attackers to infect at least four US-based ISPs with malware named "VersaMem," which steals customer credentials before they are encrypted.

Cybercriminals have expanded the scope of so-called highway toll text scams in recent months, targeting people across multiple states with malicious SMS messages demanding payment for fictitious charges.

Recent research has revealed critical vulnerabilities in several widely-used Python applications for Windows. These vulnerabilities could allow attackers to steal NTLM credentials, which are essential for authenticating users within Windows environments.

A previously undiscovered group, dubbed "Greasy Opal," has been found aiding cyber attackers by providing CAPTCHA-solving services and other tools to bypass security measures. This group, based in the Czech Republic and active since 2009, was recently identified by Arkose Cyber Threat Intelligence Research after its tools were used in attacks on Arkose Labs' customers.

A complex multi-stage malware campaign utilizing a newly documented memory-only dropper has been observed by Mandiant in recent investigations and published on August 22, 2024. This dropper serves as a conduit for launching subsequent-stage malware.

Meta shared insights on a small cluster of likely social engineering activity on WhatsApp that its security team was able to block after investigating user reports. This activity which originated from Iran attempted to target individuals in Israel, Palestine, Iran, the United States and the UK, focusing on political and diplomatic officials, and other public figures, including some associated with administrations of President Biden and former President Trump.

Unit 42's recent investigation uncovered a shift in strategy by the Bling Libra group, which is known for its ShinyHunters ransomware. Instead of just selling stolen data as they have in the past, they've now turned to extorting their victims. This new approach involves using legitimate credentials they found in public repositories to break into and compromise Amazon Web Services (AWS) environments.

A critical security vulnerability (CVE-2024-28000) has been identified in the LiteSpeed Cache plugin for WordPress, a widely used caching plugin with over five million active installations. This vulnerability, discovered by John Blackburn and submitted via the Patchstack Zero Day bug bounty program for WordPress, could allow unauthenticated attackers to gain administrator privileges on vulnerable WordPress websites.

Aqua Security's threat research team, Nautilus, has uncovered PG_MEM, a sophisticated new malware designed to target PostgreSQL databases. This malware exploits weak passwords by launching brute force attacks, gaining unauthorized access to databases, and delivering malicious payloads, including cryptocurrency mining software.

Chinese-language hackers are increasingly leveraging the Windows Installer MSI file format to bypass conventional security measures, marking a shift in how malware is delivered.

Ukraine's Computer Emergency Response (CERT-UA) is warning of a new phishing campaign distributing emails on the subject of ‘prisoners of war' to infect end users with malware. In this case, these emails contain photos of alleged prisoners of war from the Kursk region, urging recipients to click on a link designed to download a malicious Zip archive.

Today, Google released a new Chrome emergency security update to patch a zero-day vulnerability tagged as exploited in attacks. "Google is aware that an exploit for CVE-2024-7971 exists in the wild," the company said in an advisory published on Wednesday.

A critical vulnerability, CVE-2024-6800, was discovered in GitHub Enterprise Server by “ahacker1” through GitHub's Bug Bounty Program. This vulnerability could be exploited by an attacker with network access to bypass authentication and gain administrator privileges on the affected machine.

Based on research conducted by Barracuda Networks, which analyzed 200 reported ransomware incidents from August 2023 to July 2024, more than a fifth of these attacks targeted the healthcare sector, highlighting an 18% increase from the previous year.

A report from Malwarebytes reveals that most ransomware attacks now occur between 1 a.m. and 5 a.m., aiming to catch cybersecurity teams off guard. The 2024 State of Ransomware Report, based on threat intelligence from Malwarebytes' ThreatDown unit, indicates that a majority of incidents happen in the early morning,

A new remote access trojan called MoonPeak has been discovered, being used by a state-sponsored North Korean threat group in a recent cyber campaign. Cisco Talos has attributed this campaign to a hacking group they track as UAT-5394.

A Taiwanese university has recently been targeted by a sophisticated cyberattack involving a previously undocumented Windows backdoor named Msupedge. This malware is distinctive for its use of DNS tunneling—a technique where data is transmitted through DNS queries—to communicate with its command-and-control (C&C) server.

Yesterday, the Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint statement, highlighting Iran's longstanding interest in exploiting societal tensions, including the use of cyber operations to attempt to gain access to sensitive information related to U.S. elections.

The North Korean Lazarus hacking group exploited a zero-day vulnerability in the Windows AFD.sys driver to elevate privileges and install the FUDModule rootkit on targeted systems. Microsoft addressed this flaw, identified as CVE-2024-38193, during its August 2024 Patch Tuesday, along with seven other zero-day vulnerabilities.

A newly discovered backdoor named Msupedge has been deployed in a cyberattack against an unnamed university in Taiwan. The backdoor stands out due to its unconventional method of communicating with its command-and-control server via DNS traffic, which is a relatively rare and stealthy technique. The origins and objectives behind the Msupedge attack remain unknown.

A recent report by Kaspersky details the activities of BlindEagle, an APT group targeting Latin American entities and individuals since at least 2018. The group employs a variety of tactics, techniques, and procedures (TTPs) to achieve its objectives, which fluctuate between financial gain and espionage. BlindEagle primarily leverages phishing campaigns, often impersonating government or financial institutions, to deliver malicious payloads.

A recent ValleyRAT malware campaign targeting Chinese speakers has been identified by FortiGuard Labs. This multi-stage malware employs sophisticated evasion techniques to establish persistent control over compromised systems. Key characteristics include heavy reliance on shellcode for in-memory execution, reducing file footprint, and the use of legitimate application icons to deceive victims.

Researchers from Check Point have uncovered significant details about Styx Stealer, a new malware strain, due to a major operational security blunder by its developer. The developer leaked sensitive information from their computer, including client data and earnings, which Check Point used to gain insight into the malware's operation.

Researchers have uncovered new infrastructure linked to the financially motivated cybercrime group FIN7. This discovery, detailed in a report by Team Cymru in collaboration with Silent Push and Stark Industries Solutions, reveals two clusters of FIN7 activity connected to IP addresses from Post Ltd in Russia and SmartApe in Estonia.

Sophos uncovered details on a new ransomware operation dubbed Mad Liberator, which uses social engineering to obtain access to victim environments, targeting users who use remote access tools installed on endpoints and servers. Since initiating operations in mid-July, 2024. Mad Liberator has been observed targeting users of Anydesk, a popular software used by IT teams to manage their environments, particularly when working with remote users and devices.

Malicious actors are increasingly using a cloud-based attack tool called Xeon Sender to conduct widespread smishing and spam campaigns by abusing legitimate software-as-a-service (SaaS) platforms. The tool, as noted by SentinelOne security researcher Alex Delamotte, allows attackers to send bulk SMS messages through multiple SaaS providers by using valid credentials for those services. Importantly, Xeon Sender doesn't exploit any inherent vulnerabilities in these providers but instead uses their legitimate APIs to carry out large-scale SMS spam attacks.

A recent surge in malware infections has been attributed to malvertising campaigns targeting users seeking popular business software such as Brave, KeePass, Notion, Steam, and Zoom. The attack vector involves trojanized MSIX installers, which execute PowerShell scripts upon installation of the booby-trapped software to download secondary payloads.

Elastic Security Labs has uncovered a new stealer malware dubbed Banshee Stealer designed to target Apple macOS systems. Banshee Stealer is currently advertised on cybercriminals forums for a price tag of $3,000 per month. The stealer is capable of targeting a wide range of browsers, cryptocurrency wallets, and approximately 100 browser extensions.

Researchers have exposed a sophisticated cybercrime campaign, codenamed "Tusk," orchestrated by Russian-speaking cybercriminals. This campaign is notable for its strategic impersonation of legitimate brands to distribute various forms of malware, including DanaBot and StealC, through a series of interconnected sub-campaigns.

Unit 42 researchers uncovered a highly sophisticated extortion campaign that specifically targeted cloud environments by exploiting exposed environment variable files, commonly referred to as .env files. These files, which are often used to store sensitive information such as cloud service keys, API tokens, and database credentials, were inadvertently exposed due to misconfigurations in web servers and applications.

A recent ransomware attack targeting India's National Payments Corporation (NPCI) has been linked to a flaw in Jenkins, a popular automation tool. The security weakness, known as CVE-2024-23897, was found in Jenkins' Command Line Interface, enabling unauthorized access to sensitive data on servers that hadn't been updated with the latest security patches.

A recent discovery by security researchers at Sonatype, published on August 7th, 2024, highlights a new malicious package on the Python Package Index (PyPI) masquerading as a legitimate Solana blockchain library, "solana-py". This fake package leverages a typosquat technique, exploiting the slight naming discrepancy between the genuine "solana-py" project on GitHub and its simplified name "solana" on PyPI.

On August 8, 2024, Evolution Mining, a prominent Australian gold mining firm, experienced a ransomware attack that impacted its IT systems. The company has engaged external cyber forensic experts to investigate the incident, which is currently believed to be contained. While the attack disrupted IT operations, it is not anticipated to significantly impact overall mining operations.

HUSKY, a products filter plugin for the e-commerce product plugin WooCommerce, developed by “realmag777” which enhances the functionality of the base WooCommerce product for WordPress. Around 478 million websites are built on WordPress. It empowers your website visitors to easily search and filter WooCommerce products based on: categories, attributes, tags, taxonomies, meta fields, and product prices.

In this report, they delve into WormGPT—a Dark Web counterpart to ChatGPT, which is designed to quickly generate phishing emails, malware, and harmful recommendations for hackers. Despite its alarming reputation, many of the concerns surrounding WormGPT are rooted in misunderstandings and exaggerations about AI-based hacking applications.

The Inc ransomware group recently carried out a significant cyberattack on McLaren Health Care, a multibillion-dollar healthcare network operating across Michigan, Indiana, and Ohio. The attack severely disrupted McLaren's IT and phone systems, forcing hospitals and outpatient clinics to implement "downtime procedures."

The China-backed cyber espionage group known as Earth Baku, associated with APT41, has significantly expanded its scope of operations beyond its traditional focus on the Indo-Pacific region.

Wiz Threat Research has shed light on a new phishing campaign targeting AWS accounts. The campaign was spotted after an employee at Wiz received a phishing email containing a PNG image. The email was sent from an AWS account (likely compromised) using a spoofed email address -admin@alchemistdigital[.]ae.

On August 14, 2024, Microsoft issued patches for six actively exploited vulnerabilities as part of its regular Patch Tuesday updates. These flaws affect Microsoft Project, various Windows products, and the Windows Scripting Engine. Notably, one high-severity vulnerability in Microsoft Project (CVE-2024-38189) could allow remote code execution if a victim opens a malicious file.

X (formerly Twitter) and Elon Musk's xAI are facing criticism for allegedly using the personal data of over 60 million EU users without consent to train the conversational AI chatbot, Grok. The European privacy group NOYB has filed GDPR complaints in nine countries, claiming X's practices violate EU data protection laws.

Non-profit organization MITRE announced a call for intelligence contributions for ATT&CK evaluations addressing ICS (industrial control systems) to enrich its emulation. The enhanced insight from contributors enables a more holistic emulation approach that reflects the breadth of adversary behaviors.

Researchers at ReasonLabs have uncovered details of a ongoing widespread malware campaign that is forcefully installing malicious browser extensions on targeted endpoints. To date, ReasonLabs has observed atleast 300,000 impacted users across Google Chrome and Microsoft Edge.

Attackers can leverage a critical flaw associated with the 0.0.0.0 IP address to remotely execute code on major web browsers, including Chrome, Safari, and Firefox. This vulnerability exposes users to risks such as data theft, malware installation, and other malicious activities.

Microsoft has revealed a critical, unpatched zero-day vulnerability in Office that could lead to the unauthorized disclosure of sensitive information if successfully exploited.

A co-founder of transparency activism organization Distributed of Denial of Secrets (DDoSecrets) was a dark web drug kingpin who ran the successor to the infamous Silk Road marketplace and was later convicted of child abuse imagery crimes.

Data exfiltration has become a key component in double extortion ransomware attacks, which are now a prevalent method used by cybercriminals. According to a new report by ReliaQuest, the top three tools used for data exfiltration between September 2023 and July 2024 are Rclone, WinSCP, and cURL.

Iran-linked threat actors are accelerating their malicious online activity intending to influence the United States presidential election by capitalizing on political polarization via TTPs such as creating fake news websites that target extremists, impersonating U.S. political activists, performing email phishing attacks from former political advisors, and making attempts to successfully log into an account belonging to a former presidential candidate, all to stoke division and political tension, especially in swing states where they potentially have the most influence.

Security giant ADT has confirmed that it suffered a data breach after actors allegedly leaked stolen customer data on Breached Forums, a popular cybercriminal platform. In a form 8-K filing with the Securities and Exchange Commission (SEC), ADT stated that it recently “experienced a cybersecurity incident during which unauthorized actors illegally accessed certain databases containing ADT customer order information.”

The U.S. Justice Department arrested Matthew Isaac Knoot, a 38-year-old Nashville man, for aiding North Korean IT workers in obtaining remote work at U.S. companies by posing as U.S.-based individuals. Knoot operated a "laptop farm," using stolen identities, including that of "Andrew M.," to deceive companies into sending laptops to his residence.

The CrowdStrike update from July, which caused significant disruptions across industries, has led to a flurry of lawsuits from investors and affected companies. This update, known as "Channel File 291," resulted in major operational issues, including crashes on 8.5 million computers, with damages estimated at $5.4 billion.

CISA and the FBI have updated a joint advisory released back in March 2023 on the Royal ransomware group, highlighting that the gang has now rebranded into the BlackSuit operation. BlackSuit which is an evolution of the Royal ransomware, has been observed in attacks from September 2022 through June 2023 and shares numerous code similarities with Royal ransomware while exhibiting improved capabilities.

Previous analyses of ICS exposure have focused on the automation protocols themselves, recent research explored the exposure of HMIs and web administration interfaces, which often reveal location information and other identifying details.

Researchers have detailed activities of the North Korean APT group Kimsuky, which has been targeting universities globally for espionage. Active since 2012, Kimsuky primarily targets South Korean entities but has extended its reach to the US, the UK, and Europe. The group specializes in sophisticated phishing campaigns, often impersonating academics or journalists to steal sensitive information.

A phishing campaign leveraging Google Drawings and WhatsApp URL shorteners to evade detection and compromise user accounts has been identified by security researchers at Menlo Security. The attack commences with a phishing email directing recipients to a seemingly legitimate Amazon account verification link hosted on Google Drawings.

In April, FortiGuard Labs uncovered a sophisticated attack using multiple layers of obfuscation and evasion techniques to distribute VenomRAT via ScrubCrypt. This campaign extended beyond VenomRAT, deploying additional malware through a plugin.

Researchers have discovered critical flaws in software that manages 20% of the world's solar electricity, posing significant risks of grid overloads and blackouts. Although solar power currently represents a minor share of U.S. electricity generation, it is projected to grow exponentially and potentially make up half of domestic electricity generation by 2050.

Reputation-based security controls may not be as effective as commonly assumed in protecting organizations against unsafe web applications and content, according to a new study by Elastic Security. Researchers have identified several techniques attackers use to bypass these mechanisms, which rely on the reputation and trustworthiness of applications and content.

A path traversal vulnerability that leads to a critical and unauthenticated remote code execution (RCE) vulnerability, identified as CVE-2024-4885 reported on April 24th, 2024, affecting Progress WhatsUp Gold versions 23.1.2 and earlier has been actively exploited by threat actors since August 1, 2024. Zero Day Initiative (ZDI) publish a related advisory on July 3rd, 2024.

In the past year, there has been an increase in the number of threat actors leveraging legitimate cloud services in attacks. According to researchers at Symantec, trusted services like Microsoft OneDrive or Google Drive are frequently being abused given that traffic to and from such services is less likely to raise red flags than communications with attack-controlled infrastructure.

CrowdStrike has released a root cause analysis for the Falcon Sensor software update crash, which impacted millions of Windows devices globally. The incident, identified as "Channel File 291," was caused by a content validation issue linked to a new Template Type designed to enhance visibility into novel attack techniques.

Qualys' new 2024 Midyear Threat Landscape Review highlights a growing number of reported Common Vulnerabilities and Exposures (CVEs). From January to mid-July 2023-2024, the annual count of reported CVEs increased by 30%, from 17,114 in 2023 to 22,254 in 2024.

Cybersecurity researchers at Aqua Nautilus have identified a new Distributed Denial of Service attack called “Panamorfi,” which exploits misconfigured Jupyter Notebooks. This attack targets data scientists and engineers using these notebooks, which are widely employed for data analysis and visualization.

Evasive Panda, also known as Bronze Highland, Daggerfly, and StormBamboo, is a China-linked cyber espionage group active since at least 2012. In mid-2023, they compromised an unnamed ISP to deliver malicious software updates to target companies, showcasing their sophisticated tactics.

A sophisticated phishing campaign, linked to the Russian state-sponsored threat actor Fighting Ursa (APT28), targeted diplomatic personnel earlier this year was reported by Palo Alto Network's Unit 42. This operation employed a deceptive lure centered around a purported car sale that often resonates with diplomats, designed to entice victims into downloading a malicious ZIP archive.

Millions of nearly undetectable phishing emails impersonating well-known companies spread daily in the first half of 2024 due to certain features in Microsoft 365 and Proofpoint's email protection service.

Enterprise Resource Planning (ERP) software is crucial for managing human resources, accounting, shipping, and manufacturing within enterprises. These systems often become complex and difficult to maintain due to extensive customization, complicating the patching process.

Proofpoint is warning of an increase in malware infections delivered through Cloudflare's TryCloudflare, a feature that allows an actor to create a one-time tunnel without creating a Cloudflare account.

Researchers at Infoblox and Eclypsium have collaborated to uncover a sophisticated new attack vector within the Domain Name System (DNS), dubbed the Sitting Ducks attack. This discovery came while studying the infrastructure used by 404TDS, a Russian-hosted traffic distribution system, indicating the involvement of Russian-nexus cybercriminals.

OneBlood, the not-for-profit blood center serving much of the southeastern United States, stated that it is experiencing a ransomware event impacting its software system. While OneBlood remains operational and continues to collect, test, and distribute blood, the non-profit noted that it is operating at a significantly reduced capacity.

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory warning of Denial of Service (DDoS) attacks on election infrastructure, or adjacent infrastructure that support election operations, as the 2024 U.S. general election approaches closer.

Security researchers have identified a sophisticated information-stealing fraud network, dubbed “Eriakos,” that lures victims to fake web shops through malicious Facebook ads. According to Recorded Future, this campaign exclusively targets mobile devices and users, making the scam websites accessible only via malvertising to evade security scanners.

DigiCert, a certificate authority, has announced that it will revoke a subset of SSL/TLS certificates within 24 hours due to an oversight in verifying domain ownership. The affected certificates lack proper Domain Control Validation. DigiCert validates domain control by methods approved by the CA/Browser Forum, one of which involves setting up a DNS CNAME record with a random value provided by DigiCert.

A new malicious campaign has been observed utilizing Android apps to steal users' SMS messages since at least February 2022 as part of a large-scale operation. These malicious apps, numbering over 107,000 unique samples, are designed to intercept one-time passwords (OTPs) used for online account verification, leading to identity fraud.

The ongoing malware campaign targeting software developers has expanded its focus to Windows, Linux, and macOS systems. Known as DEV#POPPER and linked to North Korea, the campaign targets victims in South Korea, North America, Europe, and the Middle East.

On July 30th, 2024, a distributed denial-of-service (DDoS) attack triggered a service disruption impacting a subset of Microsoft 365 and Azure customers globally. The outage, lasting approximately eight hours between 11:45 UTC and 19:43 UTC, resulted in intermittent errors, timeouts, and latency spikes for affected users.

Black Basta is a ransomware-as-a-service (RaaS) operation that has been active since April 2022. To date, the ransomware gang has been attributed to over 500 attacks targeting organizations across the world. Just this year, the group claimed responsibility for attacks against a couple of notable victims including Veolia North America, Hyundai Motor Europe, and Keytronic.

Ukraine's Computer Emergency Response Team (CERT-UA) in a new alert stated that it recorded a surge in activity of the UAC-0057 (Aka GhostWriter) group between July 12 to 18, 2024.

Walmart's Cyber Intelligence Team has discovered an unknown PowerShell backdoor alongside a new variant of the Zloader/SilentNight malware. The PowerShell backdoor is designed to provide actors further access through reconnaissance activities and deploy additional malware.

A recent cyberattack targeting Israeli companies has been attributed to the Iranian threat actor, Handala. The campaign leveraged the CrowdStrike outage as a pretext to distribute malicious software.

Cybersecurity experts are warning about an ongoing campaign exploiting internet-exposed Selenium Grid services for unauthorized cryptocurrency mining. Wiz, a cloud security firm, is tracking this activity as SeleniumGreed, which has been targeting outdated Selenium versions (3.141.59 and earlier) since April 2023.

A hacktivist group, USDoD, has claimed to have leaked CrowdStrike's internal threat actor list, including indicators of compromise (IoCs). CrowdStrike acknowledged these claims in a blog post on July 25, 2024, noting that USDoD provided a download link for the alleged list and shared sample data on BreachForums.

A targeted cyberattack from an unfamiliar threat actor leveraging the recent CrowdStrike Falcon Sensor update incident has been identified. This threat actor is distributing malicious installers disguised as legitimate CrowdStrike software to targeted German-based organizations.

According to Cisco Talos's new Quarterly Trends report, business email compromise (BEC) and ransomware were the top threats in the second quarter of 2024, accounting for 60 percent of security incidents. Notably, technology was the most targeted vertical in Q2 2024, accounting for 24 percent of engagements, highlighting a 30 percent increase compared to Q1.

French authorities launched a major operation to clean the country's computer systems of malware believed to have affected several thousand users, “particularly for espionage purposes,” Paris's top prosecutor announced shortly before the start of the Olympics.

Researchers at Trend Micro have uncovered a new Linux variant of the Play ransomware that is specially designed to target VMWare ESXi environments. Based on a sample submitted to VirusTotal, the Linux variant is compressed in an RAR file with its Windows variant and is hosted in the URL hxxp://108.[BLOCKED].190/FX300.rar, a domain that has been used to host tools like PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor, which have been used by Play actors in previous attacks.

A now-patched Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) has been exploited to deliver information stealers like ACR Stealer, Lumma Stealer, and Meduza Stealer. This vulnerability allowed attackers to bypass SmartScreen warnings and deliver malicious payloads. The stealer campaign is targeting Spain, Thailand, and the US. The attack chain involves a series of intricately crafted files.

The Department of Homeland Security (DHS) has acquired a dog-like robot called NEO that can overload people's home networks in an attempt to disable any internet of things (IoT) devices they have.

A financially motivated threat actor based in Latin America (LATAM), codenamed FLUXROOT, has been leveraging Google Cloud serverless projects to conduct credential phishing campaigns, underscoring the misuse of cloud computing for nefarious activities.

Last Friday, at 04:09 UTC, CrowdStrike automatically pushed out a configuration update (Channel File) to Windows systems for its endpoint detection and response solution, Falcon sensor.

ESET researchers discovered a critical zero-day vulnerability on June 26th, 2024 named EvilVideo in Telegram for Android versions up to 10.14.4 being sold on an underground cybercriminal forum.

A recent discovery by security researchers at PayPal revealed multiple vulnerabilities in numerous email-hosting platforms that attackers are exploiting to forge emails from trusted organizations.

CrowdStrike is aware of reports of crashes on Windows hosts that have taken place after installing the latest update for CrowdStrike Falcon Sensor. CrowdStrike says that it has identified a content deployment related to this issue and reverted those changes.

Researchers have identified a cybercriminal group known as Revolver Rabbit, which has registered over 500,000 domain names for infostealer campaigns targeting Windows and macOS systems. This operation relies on registered domain generation algorithms, enabling the automated registration of numerous domain names quickly.

CrowdStrike is aware of reports of crashes on Windows hosts that have taken place after installing the latest update for CrowdStrike Falcon Sensor. CrowdStrike says that it has identified a content deployment related to this issue and reverted those changes.

A new report by the Identity Theft Resource Center (ITRC), H1 2024 Data Breach Analysis, highlights a 1000% increase in the number U.S. data breach victims in Q2 2024, despite an overall 12% decrease in the actual number of incidents in those three months.

Security researchers have uncovered a new variant of BeaverTail, an infostealer malware that has been associated with the Democratic People's Republic of Korea (DPRK). BeaverTail was first documented by Palo Alto Networks Unit 42 in November 2023.

Unknown threat actors, tracked by Recorded Future's Insikt Group under the temporary moniker TAG-100, have been leveraging open-source tools in a suspected cyber espionage campaign targeting global government and private sector organizations.

ESET researchers unearthed a malicious program called HotPage that poses as an ad blocker. HotPage dupes users by promising to eliminate ads and malicious websites. However, it surreptitiously installs a kernel driver that grants attackers unrestricted access to run any code on a compromised Windows machine.

This report details the activities of the financially motivated threat actor FIN7. FIN7 has been observed using multiple pseudonyms across various underground forums to advertise a security-bypassing tool known as AvNeutralizer. AvNeutralizer has been used by multiple ransomware groups, including Black Basta.

A China-linked threat actor, APT17, has been observed targeting Italian companies and government entities using a variant of the known malware 9002 RAT. According to an analysis published last week by Italian cybersecurity company TG Soft, the attacks took place on June 24 and July 2, 2024.

A China-linked threat actor, APT17, has been observed targeting Italian companies and government entities using a variant of the known malware 9002 RAT. According to an analysis published last week by Italian cybersecurity company TG Soft, the attacks took place on June 24 and July 2, 2024. I

The SEXi ransomware operation, notorious for targeting VMware ESXi servers, has rebranded as APT INC and has attacked numerous organizations. Since February 2024, the attackers have employed the leaked Babuk encryptor for VMware ESXi servers and the leaked LockBit 3 encryptor for Windows systems.

According to Cloudflare's 2024 Application Security report, threat actors are increasingly quick to weaponize available proof-of-concept (PoC) exploits, sometimes within just 22 minutes of their public release. Covering activity from May 2023 to March 2024, the report highlights several emerging threat trends.

A critical remote code execution vulnerability (CVE-2024-27348, CVSS: 9.8) impacting Apache HugeGraph-Server versions before 1.3.0 has been actively exploited in the wild. The flaw resides in the Gremlin graph traversal language API and allows attackers to bypass security restrictions and gain complete control over vulnerable servers.

Researchers at Check Point have disclosed details of a new backdoor implant dubbed BugSleep that is actively being deployed in attacks by MuddyWater, an Iranian state-sponsored group, to steal files of interest and run commands on compromised systems. These attacks entail the use of phishing emails disguised as invitations to webinars or online courses, designed to redirect targets to archives containing malicious payloads hosted on the Egnyte secure file-sharing platform.

Last Wednesday, a critical vulnerability was patched in Exim, a free mail transfer agent (MTA) that's widely used on Unix-like operating systems. Tracked as CVE-2024-29929, the vulnerability pertains to an incorrect parsing of multiline RFC2231 header filenames, allowing threat actors to remotely deliver malicious executable attachments into end users' mailboxes by circumventing the $mime_filename extension-blocking protection mechanism.

A recent campaign observed by Trustwave researchers utilized Facebook advertisements and hijacked business pages to distribute the SYS01 information-stealing malware. The threat actors disguised the malware as free downloads for popular software, games, and Windows themes.

Microsoft has reported that the Scattered Spider cybercrime gang, also known as Octo Tempest, UNC3944, and 0ktapus, has added Qilin ransomware to its arsenal and is now using it in attacks. In the second quarter of 2024, Octo Tempest, a financially motivated threat actor, incorporated RansomHub and Qilin into its ransomware campaigns.

Summary: Cybereason Security Service Team has released a new blog post highlighting the TTPs employed by HardBit, a ransomware operation that first emerged in October 2022. HardBit seems to take inspiration from the LockBit ransomware gang, with researchers noting a similarity in the marketing tactics deployed by the group including the use of similar group image/icons, image fonts, and ransom notes.

The APT group Void Banshee has been exploiting a newly disclosed security flaw in the Microsoft MHTML browser engine CVE-2024-38112 to deploy the information-stealing malware Atlantida. Cybersecurity firm Trend Micro observed this activity in mid-May 2024, noting that the vulnerability was used in a multi-stage attack involving specially crafted internet shortcut (URL) files.

The article illuminates the intricate web of the cybercriminal ecosystem, with a particular focus on the role of infostealer malware. This kind of malware acts as a digital pickpocket, discretely extracting valuable data from compromised systems. The cybercriminal landscape has undergone a transformation, evolving from solitary actors taking care of the entire process, to a highly specialized marketplace where various threat groups collaborate to maximize their illicit gains, embodying a free market economic system.

Cybercriminals are exploiting legitimate URL protection services to disguise phishing links, according to Barracuda researchers. These services, intended to protect users from malicious websites by rewriting URLs, are being misused to mask phishing URLs and direct victims to credential-harvesting sites.

The recent DarkGate malware campaign, uncovered by Palo Alto Networks Unit 42, highlights a brief yet impactful exploitation of Samba file shares for malware distribution. Spanning March to April 2024, the campaign targeted regions across North America, Europe, and parts of Asia, utilizing Visual Basic Script (VBS) and JavaScript files hosted on public-facing servers.

ANY.RUN, an interactive malware hunting service, warned on X (formerly known as Twitter) of a massive phishing campaign that is abusing SharePoint to store PDFs containing phishing links. In a span of 24 hours ANY.RUN says it observed over 500 public sandbox sessions with SharePoint phishing.

A recent U.S. Department of Justice (DoJ) operation dismantled a large-scale Russian disinformation campaign utilizing AI-powered social media bots. The bot farm, targeting the U.S. and several other countries, employed fictitious online personas disguised as real users to spread pro-Kremlin messages. The operation, believed to be sponsored by the Kremlin and facilitated by an RT employee and an FSB officer, leveraged AI software called Meliorator to create and manage the bot network.

*Severity - Medium: High severity vulnerability exploited to deploy ransomware. This vulnerability has been patched by Veeam and can be eliminated by updating the software. Initial access is acquired without any victim interaction. Attackers utilize methods to avoid detection and hinder forensics efforts following an attack*

Japan's Computer Emergency Response Team Coordination Center (JPCERT/CC) has published a blog post warning about attacks targeting Japanese organizations by a North Korean APT group called Kimsuky.

Multiple threat actors are exploiting the recently disclosed PHP vulnerability CVE-2024-4577 to deliver various malware families, according to the Akamai Security Intelligence Response Team. This vulnerability, which has a CVSS score of 9.8, is a PHP-CGI OS Command Injection flaw in the Best-Fit feature of encoding conversion within the Windows operating system.

China-linked APT41 is suspected of using an advanced version of StealthVector malware, dubbed DodgeBox, to deliver a new backdoor named MoonWalk. Zscaler ThreatLabz discovered DodgeBox, also known as DUSTPAN, in April 2024. Researchers Yin Hong Chang and Sudeep Singh explained that DodgeBox loads MoonWalk, which shares DodgeBox's evasion techniques and uses Google Drive for command-and-control communication.

Ransomware attackers are increasingly focusing on defense evasion tactics to extend their dwell time within victim networks, as highlighted in a new report by Cisco Talos. This shift is primarily driven by the double-extortion ransomware model, where attackers steal sensitive data and threaten to publish it online while locking down victims' systems.

Russian state-sponsored media organization RT, formerly known as Russia Today, has used AI-powered software called Meliorator to create realistic social media personas for spreading disinformation over the past two years.

A new vulnerability, designated CVE-2024-6409 (CVSS score: 7.0), has been discovered in OpenSSH versions 8.7p1 and 8.8p1, specifically those shipped with Red Hat Enterprise Linux 9 (RHEL 9). The current versions of RHEL 7 and RHEL 8 are safe.

Symantec recently published a security bulletin warning about a phishing campaign targeting Apple users in the United States. These campaigns are mostly conducted via email but have increasingly been deployed via malicious SMS text messages (smishing).

A critical vulnerability (CVE-2024-3596) has been identified in the RADIUS protocol, a widely used network authentication system. Dubbed "BlastRADIUS," the flaw allows attackers to potentially bypass security checks and gain unauthorized access to a network.

Beginning in March 2024, law enforcement organizations have been distributing decryptor keys to victims of the DoNex ransomware, according to Avast. The antivirus provider announced on July 8 that they have been quietly offering the decryptor after identifying a cryptographic flaw in the ransomware and its predecessors.

Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. have issued a joint advisory about the China-linked cyber espionage group APT40, warning of its ability to exploit new security vulnerabilities within hours or days of their public release. APT40, also known by various aliases such as Bronze Mohawk, Gingham Typhoon, ISLANDDREAMS, Kryptonite Panda, Leviathan, Red Ladon, TA423, and TEMP.Periscope, has been active since at least 2013, primarily targeting organizations in the Asia-Pacific region.

A recent surge in attacks by the Mekotio banking trojan has been identified, particularly targeting financial institutions in Latin America since at least 2015. This malware primarily targets users in Brazil, Chile, Mexico, Spain, Peru, and Portugal with the intention of stealing banking credentials.

A major South Korean internet service provider, KT (formerly Korea Telecom), is facing serious allegations after reports surfaced that it installed malware on the computers of over 600,000 customers. The incident primarily targeted users of Webhard, a popular file-sharing service in South Korea.

Researchers have uncovered a sophisticated attack campaign targeting various Israeli entities using publicly available frameworks like Donut and Sliver. HarfangLab, a French cybersecurity firm, detailed the campaign, noting its highly targeted nature and the use of custom WordPress websites as payload delivery mechanisms. This campaign affects entities across unrelated verticals by leveraging well-known open-source malware.

Cyber extortion is rapidly increasing, with a 77% year-on-year growth in victims, according to Orange Cyberdefense (OCD). In its Cy-Xplorer 2024 report, OCD identified 60 distinct ransomware groups responsible for 4,374 victims from Q1 2023 to Q1 2024.

Researchers have uncovered a sophisticated attack campaign targeting various Israeli entities using publicly available frameworks like Donut and Sliver. HarfangLab, a French cybersecurity firm, detailed the campaign, noting its highly targeted nature and the use of custom WordPress websites as payload delivery mechanisms. This campaign affects entities across unrelated verticals by leveraging well-known open-source malware.

A new report by Sekoia highlights an increasing trend in cybercriminals distributing malware via drive-by-download, a technique that typically employs SEO-poisoning, malvertising, and code injection into compromised websites to trick users into downloading fake software installers or browser updates.

A recent attack campaign exploited a now-patched vulnerability (CVE-2021-40444) in Microsoft Office's MSHTML component to deliver MerkSpy spyware. This spyware primarily targeted users in Canada, India, Poland, and the U.S. The attackers meticulously crafted a deceptive Microsoft Word document disguised as a software developer job description to trick users into initiating the exploit.

Censys reports that over 380,000 internet-exposed hosts still reference JavaScript scripts from the recently suspended polyfill[.]io domain. Originally used to provide modern functionality in older browsers, polyfill[.]io was suspended after redirecting visitors to betting and adult sites.

On June 18th, CDK Global, a leading software-as-a-service provider that is used by over 15,000 car dealerships across North America, was the target of a ransomware attack, causing a massive IT outage. In particular, CDK Global's dealer management system was impacted, forcing car dealerships to switch to pen and paper, with buyers unable to purchase cars or receive service for already-bought vehicles.

A financially motivated East European threat actor known as "Unfurling Hemlock" has been employing a sophisticated technique akin to a cluster bomb to deploy up to ten unique malware files simultaneously on systems in the US, Germany, Russia, and other countries.

Cisco has patched a zero-day vulnerability in NX-OS that was exploited in April to install previously unknown malware on vulnerable switches. The cybersecurity firm Sygnia reported the incidents to Cisco, attributing the attacks to a Chinese state-sponsored threat actor, Velvet Ant. Amnon Kushnir, Director of Incident Response at Sygnia, revealed that Velvet Ant used administrator-level credentials to access Cisco Nexus switches and deploy custom malware.

A North Korean APT group, Kimsuky, was discovered using a malicious Google Chrome extension codenamed TRANSLATEXT to target South Korean academia focused on North Korean affairs in March 2024. Kimsuky is a notorious hacking crew from North Korea that's known to be active since at least 2012, orchestrating cyber espionage and financially motivated attacks targeting South Korean entities.

On June 20th, one of Indonesia's temporary National Data Centers suffered from a cyberattack that led to the encryption of the government's servers and disruption of immigration services, passport control, issuing of event permits, and other online services.

BleepingComputer has confirmed that the helpdesk portal of Canadian router manufacturer Mercku has been compromised and is sending MetaMask phishing emails in response to new support tickets. Mercku supplies equipment to several ISPs and networking companies, including Start.ca, FibreStream, Innsys, RealNett, Orion Telekom, and Kelcom.

Fake IT support sites are exploiting common Windows errors like the 0x80070643 error to distribute information-stealing malware through malicious PowerShell "fixes." These sites, identified by eSentire's Threat Response Unit, gain legitimacy by being promoted on compromised YouTube channels.

A critical vulnerability (CVE-2024-6387), dubbed regreSSHion, has been identified in OpenSSH servers, potentially affecting over 14 million instances exposed on the internet. This remote unauthenticated code execution flaw allows attackers to compromise systems, leading to full system control, malware installation, data manipulation, creation of backdoors, and network propagation.

TeamViewer, a prominent developer of remote monitoring and management (RMM) software, reported a breach of their corporate network this week. The company attributes the attack to Midnight Blizzard, a Russian state-sponsored hacking group also known as APT29, Nobelium, or Cozy Bear.

Multiple security vulnerabilities have been identified in Emerson Rosemount gas chromatographs, potentially allowing attackers to access sensitive information, cause denial-of-service (DoS) conditions, and execute arbitrary commands. The affected models include GC370XA, GC700XA, and GC1500XA, with versions 4.1.5 and earlier. Claroty, an operational technology (OT) security firm, highlighted two command injection flaws and two authentication and authorization vulnerabilities.

Apple recently released a firmware update to address a critical vulnerability (CVE-2024-27867) affecting various AirPods models (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro. This authentication issue could have allowed a malicious actor within Bluetooth range to impersonate a trusted device and gain unauthorized access to the targeted AirPods.

A critical security flaw in Fortra FileCatalyst Workflow, tracked as CVE-2024-5276 with a CVSS score of 9.8, has been disclosed. This SQL injection vulnerability affects versions 5.1.6 Build 135 and earlier and allows attackers to modify application data, potentially creating administrative users or altering and deleting database information.

The LockBit ransomware group falsely claimed to have breached the Federal Reserve and stolen 33 terabytes of sensitive banking information. This claim was debunked, revealing that LockBit had actually targeted Evolve Bank & Trust.

Ahnlab Security Intelligence Center (ASEC) has released details of a backdoor that they first identified in 2021 and have closely monitoring since then. Dubbed, Happydoor, the backdoor is attributed to the North Korean APT group Kimsuky and has been deployed in several breaches in the last couple of years.

Suspected Chinese and North Korean threat actors have been linked to ransomware and data encryption attacks targeting global government and critical infrastructure sectors between 2021 and 2023, according to a joint report by cybersecurity firms SentinelOne and Recorded Future shared with The Hacker News.

MITRE Engenuity recently conducted an ATT&CK Evaluation focusing on managed security services, where Trend achieved a perfect 100% detection rate across all 15 critical steps. The evaluation simulated a sophisticated attack scenario involving menuPass (APT10) and ALPHV/BlackCat ransomware.

A vulnerability in Progress Software's MOVEit Transfer platform, CVE-2024-5806, allows attackers to authenticate as any valid user, gaining corresponding privileges. This vulnerability which has a CVSS score of 9.1 is actively being exploited just hours after its public disclosure.

In May 2024, researchers at Cleafy uncovered new campaigns distributing the Medusa banking trojan, which has managed to retain a low profile for the past year. Notably, these campaigns entail the use of new Medusa samples that are more light-weight and require fewer permissions than previous variants of the trojan.

The French National Cybersecurity Agency (ANSSI) reported a concerning rise in cyber threats throughout 2023. This coincides with ongoing geopolitical tensions and major international events planned for France in 2024.

The analysis highlights a growing trend where cybercriminals are leveraging cloud services to enhance the capabilities of botnets like UNSTABLE and Condi. These botnets exploit vulnerabilities in various devices to establish command and control (C2) operations through cloud servers, which provides scalability and anonymity that traditional hosting methods lack.

Checkpoint has identified several threat actors including a cyber espionage group dubbed APT-C-35, aka DoNot Team, leveraging an Android open-source administration tool called Rafel in attacks to gain remote access and exfiltrate data of interest from victims' devices.

On June 24th, in Jakarta, Indonesia, the country's national data center experienced a significant cyber attack, as reported by Reuters. The attack had widespread repercussions, particularly disrupting immigration procedures at airports nationwide.

The Lockbit ransomware group recently declared that it had successfully breached the US Federal Reserve, exfiltrating a staggering 33 TB of sensitive data, purportedly including confidential banking secrets of American citizens.

RedJuliett, a likely Chinese state-sponsored hacking group, conducted a cyber espionage campaign targeting Taiwan and other countries from November 2023 to April 2024, according to Recorded Future's Insikt Group. The group compromised 24 organizations, including government agencies in Taiwan, Laos, Kenya, and Rwanda.

According to Recorded Future, the RansomHub operation has been using a Linux encryptor since April 2024 to specifically target VMware ESXi environments in corporate attacks. The ESXi version of RansomHub's encryptor is developed in the C++ programming language and was likely derived from the now-defunct Knight ransomware's source code.

A critical vulnerability (CVE-2024-28995) in SolarWinds Serv-U file transfer software, affecting versions up to and including Serv-U 15.4.2 HF 1, allows attackers to perform directory traversal and access sensitive files on the host machine.

A sophisticated malware distribution campaign has emerged, utilizing fake error messages resembling Google Chrome, Microsoft Word, and OneDrive issues to deceive users into running malicious PowerShell scripts. This campaign involves several threat actors, including ClearFake, ClickFix, and TA571, known for their previous involvement in spam distribution and malware dissemination.

French diplomatic entities have been targeted by Midnight Blizzard, a Russia-backed advanced persistent threat, since at least 2021, according to CERT-FR. This group, infamous for its involvement in the 2016 US elections interference and the 2020 SolarWinds attacks, remains a significant cyber threat.

A new phishing-as-a-service (PhaaS) platform called ONNX Store is targeting Microsoft 365 accounts of employees at financial firms using QR codes embedded in PDF attachments. The platform, which can target both Microsoft 365 and Office 365 email accounts, operates via Telegram bots and includes mechanisms to bypass two-factor authentication (2FA).

The LockBit group has resurfaced as the leading ransomware actor in May 2024, according to NCC Group's analysis. LockBit 3.0 conducted 176 ransomware attacks, accounting for 37% of the month's total, marking a staggering 665% increase from the previous month.

Summary: Researchers at Symantec highlighted in a blog post a campaign that has using tools associated with Chinese espionage groups to breach telecom operators in a single Asian country since at least 2021, with evidence to suggest that some of this activity may even date as far back as 2020.

LevelBlue Labs identified a novel and highly evasive malware loader named SquidLoader. This malware leverages sophisticated techniques to thwart both static and dynamic analysis, making detection difficult. SquidLoader targets Chinese organizations through phishing campaigns, with malicious actors disguising it as legitimate Microsoft Word documents.

A new speculative execution attack named "TIKTAG" targets ARM's Memory Tagging Extension, achieving over a 95% success rate in leaking data and bypassing this security feature. This attack, demonstrated by researchers from Samsung, Seoul National University, and the Georgia Institute of Technology, affects Google Chrome and the Linux kernel.

A cyber incident at CDK Global disrupted thousands of car dealerships across the US on Wednesday, typically a busy holiday. CDK Global, a major software provider for dealers, halted all systems and is gradually restoring them after extensive testing and consulting with experts.

Recent data from Action1 indicates a growing trend of threat actors targeting edge devices, particularly load balancers, resulting in a record exploitation rate over the past three years. The study assessed various product categories from 2021 to 2023, using data from the National Vulnerability Database (NVD) and cvedetails.com to calculate the ratio of exploited vulnerabilities to total vulnerabilities.

UNC3944, a financially motivated threat group, has been active since at least May 2022 and has evolved its tactics from credential harvesting to primarily data theft extortion without ransomware. They exploit vulnerabilities in software-as-a-service (SaaS) applications and leverage social engineering tactics to gain access to privileged accounts.

The compromised data included customers' personal information like names, physical addresses, email addresses, and phone numbers. However, notably, the stolen data did not contain the precise locations of Tile devices, which are typically used for remote monitoring.

CISA has issued a warning about a new phone-based impersonation scam. In this scheme, scammers are pretending to be CISA employees, using the names and titles of real government staff to lend credibility to their deceit.

CronUp security researcher German Fernandez has shed light on a phishing and extortion campaign to target GitHub users. The campaign which has been ongoing for several months takes advantage of GitHub's notification system and a malicious OAuth app to gain access to victims' repositories and extort the contents for ransom.

Ukrainian cyber police have identified a 28-year-old resident of Kyiv as a suspected affiliate of the notorious Conti and LockBit ransomware groups. He allegedly specialized in developing cryptors, which are tools that encrypt malware to evade antivirus detection. The man reportedly sold his services to hackers linked to the Conti and LockBit groups for cryptocurrency rewards.

The Black Basta ransomware group is suspected of leveraging a critical Windows privilege escalation vulnerability, identified as CVE-2024-26169, as a zero-day exploit before Microsoft released a fix. This vulnerability, rated at 7.8 on the CVSS v3.1 scale, affects the Windows Error Reporting Service, enabling attackers to elevate their privileges to SYSTEM level.

The Dutch Military Intelligence and Security Service (MIVD) and NCSC advised yesterday that a Chinese nation-state cyber-espionage attack, first documented in February 2024, is compromising many more devices than previously observed.

Since April 2024, researchers at Elastic Security Labs have observed a wave of phishing campaigns using recruiting and job-themed lures to distribute a novel backdoor called WARMCOOKIE. T

The British and Canadian privacy authorities are collaborating on an investigation into a data breach at 23andMe, a genetic testing company, discovered in October 2023. Cybercriminals accessed information from certain accounts, including DNA profiles, affecting about 0.1% of 23andMe's users.

Researchers at CrowdStrike Falcon Intelligence identified a previously unattributed TA group targeting a U.S.-based think tank with ties to China in April 2017 which revealed a larger campaign attributed to the China-based adversary Mustang Panda. Mustang Panda has likely been operational since 2014 targeting government organizations, nonprofits, religious institutions, and other NGOs across the U.S., Europe, Mongolia, Myanmar, Pakistan, Vietnam, and other regions with LNK files associated with the APT group.

Researchers at Artic Wolf Labs have released details on a new ransomware variant dubbed ‘Fog” that has been targeting the networks of US organizations in the education and recreation sectors since May, 2024. In one of the incidents observed, Fog ransomware actors performed pass-the-hash attacks to gain access to administrator accounts and further establish RDP connections to Windows servers running Hyper-V and Veeam.

Mandiant has identified a campaign by the financially motivated group UNC5537, targeting Snowflake customer database instances to steal data and extort victims. Snowflake is a multi-cloud data warehousing platform used for storing and analyzing large datasets. UNC5537 gains access to these databases using stolen customer credentials, obtained through various info stealer malware campaigns.

The number of vulnerable Internet of Things (IoT) devices has surged by 136% over the past year, according to Forescout's report, "The Riskiest Connected Devices in 2024." This study, which analyzed data from nearly 19 million devices, revealed that the proportion of IoT devices with vulnerabilities increased from 14% in 2023 to 33% in 2024.

Two suspects were apprehended in the United Kingdom in connection with a criminal scheme utilizing a homemade mobile antenna to dispatch fraudulent text messages. Huayong Xu, 32, of Alton Road, Croydon, was charged on May 23 following an arrest made on May 9 in Manchester.

The Boston Red Sox, positioned at the forefront of the American League East in baseball, are also making significant strides in cybersecurity. By adopting a comprehensive strategy that involves transitioning critical operations to a software-as-a-service (SaaS) model and embracing the Internet of Things (IoT) at Fenway Park, the team is actively bolstering its cloud security.

Researchers at Symantec have uncovered similarities between two ransomware families, RansomHub and Knight, indicating a potential rebrand of the now defunct Knight ransomware which went silent after its source code was listed for sale on hacker forums back in February 2024. Similar to Knight ransomware, RansomHub is written in the Go programming language.

A cyberespionage campaign recently targeted a government agency that frequently clashes with China over the South China sea. This campaign used previously undetected backdoors and had links to known Chinese state threat actors. Researchers at Sophos Managed Detection and Response uncovered this complex operation, named "Crimson Palace," and attributed it with high confidence to Chinese state-sponsored hacking clusters.

Zyxel Networks has released an emergency security update to address critical vulnerabilities in its end-of-life NAS devices, specifically NAS326 and NAS542 models. These vulnerabilities, identified as CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, allow attackers to perform command injection and remote code execution.

Belarusian state-sponsored hackers, UNC1151, targeted Ukraine's Ministry of Defence and a military base in a new cyberespionage operation according to Cyble Research and Intelligence Labs. Mandiant Threat Intelligence uncovered a persistent information operation called “Ghostwriter/UNC1151,” which is part of a larger influence campaign supporting Russian security interests and promoting narratives critical of NATO that has been active since March 2017 targeting audiences in Ukraine, Lithuania, Latvia, and Poland.

ReversingLabs, in their recent exploration of open-source repositories like PyPI, made a significant discovery: the emergence of a suspicious package named xFileSyncerx. Initially appearing as a potential threat due to its anomalous characteristics, this package prompted deeper investigation by the research team.

A massive amount of 361 million email addresses from credentials stolen by password-stealing malware, in credential stuffing attacks have been added to Have I Been Pwned's data breach notification service, allowing anyone to check if their accounts have been compromised.

Snowflake, a cloud computing and analytics company, has released a joint statement in coordination with third-party cybersecurity experts at CrowdStrike and Mandiant stating that it is investigating a threat campaign that targeted a “limited” number of Snowflake customers.

Facing a burgeoning backlog of reported vulnerabilities, the National Institute of Standards and Technology (NIST) has found itself in a predicament, grappling with the daunting task of clearing its National Vulnerability Database (NVD). To tackle this challenge head-on, NIST has decided to extend its existing commercial contract with Analygence, a Maryland-based IT consultancy firm, known for its expertise in IT and security-related work.

A sophisticated cyber attack has been detected targeting devices in Ukraine to deploy Cobalt Strike and take control of the compromised systems. Fortinet FortiGuard Labs reported that the attack initiates with a Microsoft Excel file containing an embedded VBA macro that starts the infection process.

Researchers at eSentire have observed a trend in the employment of fake web browser updates to infect end users with various malware strains including SocGholish as well as Fakebat. In May 2024 eSentire's Threat Response Unit started seeing actors using this tactic to deliver BitRAT, a remote access trojan, and Lumma Stealer, a notorious info stealer malware that has gained popularity within the cybercriminal community.

On September 4, 2023, CERT-UA reported a phishing campaign that leveraged Headlace malware to target a critical energy infrastructure facility in Ukraine. During this campaign, BlueDelta sent phishing emails from a fake sender address that contained links to archive files. The archive files contained lure images and Windows BAT script, which, if executed, would result in the whoami command being run and the results being exfiltrated back to the threat actor.

The North Korean linked threat actor Andariel has been using a new Golang-based backdoor called Dora RAT to target educational institutions, manufacturing firms, and construction businesses in South Korea. The AhnLab Security Intelligence Center reported that Andariel has deployed a variety of malware, including keyloggers, infostealers, and proxy tools, to control and exfiltrate data from infected systems.

Ransomware activity surged in 2023, according to a report by Google-owned Mandiant, despite extensive law enforcement efforts against major ransomware groups like ALPHV/BlackCat. The report, published on June 3, 2024, revealed a 75% increase in posts on ransomware groups' data leak sites compared to 2022, affecting victims in over 110 countries.

Check Point has alerted its customers to a critical zero-day vulnerability (CVE-2024-24919, CVSS 8.6) affecting several products, including CloudGuard Network and Quantum Maestro. Attackers are exploiting this flaw by targeting outdated VPN local accounts using password-only authentication. Immediate software updates are crucial to mitigate the risk of unauthorized access to sensitive data and potential lateral movement within networks.

Lumen Technologies' Black Lotus Labs identified a destructive event, as over 600,000 small office/home office (SOHO) routers were taken offline belonging to a single internet service provider (ISP). The incident took place over a 72-hour period between October 25-27, rendered the infected devices permanently inoperable, and required a hardware-based replacement.

Microsoft has highlighted the urgent need to secure internet-exposed OT devices following a series of cyber attacks targeting such environments since late 2023. The Microsoft Threat Intelligence team stressed that these attacks highlight the critical need to improve OT security and prevent critical systems from becoming easy targets.

A previously undocumented cyber espionage group named LilacSquid has been linked to targeted attacks across various sectors in the U.S., Europe, and Asia as part of a data theft campaign ongoing since at least 2021. This campaign is aimed at establishing long-term access to compromised organizations to siphon data of interest to attacker-controlled servers, according to a new technical report by Cisco Talos researcher Asheer Malhotra.

The adversary behind the RedTail cryptocurrency mining malware has added a new exploit, Palo Alto PAN-OS CVE-2024-3400, to their attack vector quiver. The addition of the PAN-OS vulnerability is not the only upgrade added to the adversary's toolkit. The cryptocurrency malware has received its own updates which now incorporate new anti-analysis techniques.

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) mandates covered entities to report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). CISA aims to swiftly deploy resources, analyze trends, and share information with network defenders.

Since at least early May, Banking institutions in Brazil have been observed by French cybersecurity company HarfangLab being targeted by a new campaign that deploys a custom payload variant of the Windows-based AllaKore RAT called AllaSenha. The intricate infection chain involves Python scripts and a loader developed in a language called Delphi.

AhnLab Security Intelligence Center is warning of an ongoing campaign where cybercriminals are distributing various malware strains by promoting installers for cracked versions of Microsoft Office on torrent sites. The cracked Microsoft Installer comes with a well-built interface, where users can specify the version they want to install, the language, as well as whether to use 32 or 64-bit variants.

Prescription management company Sav-Rx is warning over 2.8 million people in the United States that it suffered a data breach, stating that their personal data was stolen in a 2023 cyberattack. A&A Services, doing business as Sav-RX, is a pharmacy benefit management (PBM) company that provides prescription drug management services to employers, unions, and other organizations across the U.S.

On February 12, 2024, the NIST National Vulnerability Database significantly slowed its processing and enrichment of new vulnerabilities. Since then, 12,720 new vulnerabilities have been added, but 11,885 remain unanalyzed, hindering security professionals' ability to assess affected software. By February 15, the NVD warned of analysis delays,

A US-led law enforcement operation has dismantled the 911 S5 botnet, believed to be the world's largest. The botnet consisted of millions of compromised residential Windows computers used for cyber-attacks, fraud, child exploitation, and other serious crimes. It included over 19 million unique IP addresses, with 613,841 in the US. Cybercriminals could buy access to these IP addresses for illegal activities.

Identity and Access Management company Okta warns that its cross-origin authentication feature in Customer Identity Cloud (CIC) is susceptible to credential-stuffing attacks. “Okta's Cross-Origin Resource Sharing (CORS) feature allows customers to add JavaScript to their websites and applications to send authentication calls to the Okta API hosted.