China Launches New Cyber-Defense Plan for Industrial Networks

China's Ministry of Industry and Information Technology (MIIT) has unveiled a comprehensive strategy aimed at bolstering data security within the nation's industrial sector. This initiative, slated for completion by the end of 2026, is designed to mitigate major risks posed by cyber threats to over 45,000 companies operating in various industrial verticals.

Change Healthcare Cyber-Attack Leads to Prescription Delays Summary:

Health tech firm Change Healthcare was hit with a cyberattack on February 21, 2024, leading to a disruption of a number of its systems and services. According to Change Healthcare numerous applications across areas such as pharmacy, medical records, dental, payment services, and patient engagement are still experiencing connectivity issues. In particular, pharmacies have reported being unable to process patient prescriptions, preventing individuals from getting their medications on time.

New ScreenConnect RCE Flaw Exploited in Ransomware Attacks

Last week enterprise IT giant ConnectWise released patches to address a maximum-severity flaw impacting its remote access software, ScreenConnect. Tracked as CVE-2024-1709, the bug pertains to an authentication bypass that could potentially enable attackers to gain access to confidential information or critical systems.

X Protests Forced Suspension of Accounts on Orders of India's Government

and government regulation in the digital age, particularly in countries like India where social and political tensions often spill over into online platforms. The global government affairs team at X, previously known as Twitter, has taken action to suspend certain accounts and posts within India as per directives received from the country's government.

Unmasking I-Soon | The Leak That Revealed China's Cyber Operations

The leak from I-Soon, a company contracting for various Chinese government agencies including the Ministry of Public Security, Ministry of State Security, and People's Liberation Army, occurred over the weekend of February 16th. The source of the leak and motives behind it remain unknown, but it offers unprecedented insight into the operations of a state-affiliated hacking contractor.

LockBit Ransomware Secretly Building Next-Gen Encryptor Before Takedown

Researchers at Trend Micro have uncovered details on a new LockBit sample that the actors were secretly building prior to law enforcement's takedown of the group's infrastructure earlier this week. The new sample dubbed LockBit-NG-Dev, is written in the .NET programming language and appears to be compiled with CoreRT, whereas previous LockBit samples were written in C++.

'Lucifer' Botnet Turns Up the Heat on Apache Hadoop Servers

A new iteration of the Lucifer botnet has emerged, specifically aimed at organizations utilizing Apache Hadoop and Apache Druid big data technologies. The variant combines the insidious traits of cryptojacking and distributed denial of service capabilities, posing a significant threat to vulnerable systems.

LockBit Leaks Expose Nearly 200 Affiliates and Bespoke Data-Stealing Malware

This article provides an update on recent revelations regarding the LockBit ransomware group. Law enforcement authorities have disclosed that nearly 200 "affiliates" have registered with the group over the past two years. Affiliates are individuals who participate in the gang's ransomware-as-a-service model, utilizing LockBit's tools in exchange for a share of the profits obtained from victims.

Warning of North Korean Cyber Threats Targeting the Defense Sector

The Bundesamt für Verfassungsschutz (BfV) of Germany and the National Intelligence Service (NIS) of the Republic of Korea (ROK) have issued a joint Cyber Security Advisory (CSA) to alert about cyber campaigns likely conducted by North Korean actors targeting the defense sector. North Korea's focus on military strength drives them to steal advanced defense technologies globally, using cyber espionage as a cost-effective method.

Cactus Ransomware Gang Claims The Theft Of 1.5tb Of Data From Energy Management And Industrial Autom

The Cactus ransomware group, who claimed responsibility for an attack on Schneider Electric, says they have stolen 1.5TBs of data from the energy management and industrial automation company. According to reports, the companies Sustainability Business division was targeted on January 17th. Impacts were felt as the companies cloud services faced outages, however, other divisions of the company were not impacted.

US Gov Dismantled The Moobot Botnet Controlled by Russia-Linked APT28

n January 2024, a court-authorized operation was able to take down Moobot Botnet, a network of hundreds of small office/home office (SOHO) routers under the control of the Russia-linked group APT28. This court order enabled law enforcement to use the Moobot malware to copy and delete stolen and malicious data and files from compromised routers.

Over 13,000 Ivanti gateways vulnerable to actively exploited bugs

This year, Ivanti has disclosed several vulnerabilities impacting its Connect Secure, Policy Secure, and ZTA gateways. Tracked as CVE-2024-22024, CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21888, these flaws range from high to critical in severity and pertain to a case of authentication bypass, server-side-request forgery, arbitrary command execution, and command injection. S

Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor

Cisco Talos disclosed details of a three-month-long campaign where Russia-linked threat actor Turla has been targeting Polish non-governmental organizations with a new backdoor dubbed TinyTurla-NG. This campaign has been ongoing since December 18, 2023, with researchers suspecting that the activity may have actually commenced in November 2023 based on malware compilation dates.

U.S. Internet Leaked Years of Internal, Customer Emails

A Minnesota-based Internet Service Provider U.S. Internet Corp has suffered a significant data leak. Specifically, a business unit called Securence, which specializes in providing filtered, secure email services to business, educational institutions and government agencies worldwide was accidently publishing more than a decade's worth of it's own internal emails, and that of thousands of clients, in plain text on the Internet where anyone could view it.

MFA and Software Supply Chain Security: It's No Magic Bullet

In a recent article from ReversingLabs, the importance of Multifactor Authentication (MFA) in securing software development environments, particularly in light of recent high-profile attacks such as SolarWinds, Codecov, and Kaseya. The report highlights how attackers target developer accounts to manipulate code, access secrets, and wreak havoc on organizations and their customers.

Warzone RAT Infrastructure Seized

On February 9, 2024, the Justice Department announced the seizure of internet domains selling the Warzone RAT malware, a sophisticated Remote Access Trojan. Domains including www[.]warzone[.]ws were seized, with two suspects arrested in Malta and Nigeria for selling the malware. The operation, led by the FBI and supported by Europol and J-CAT, aimed to disrupt cybercriminals using the malware.

FCC Makes AI-Generated Voices in Robocalls Illegal

The Federal Communications Commission (FCC) has made AI-generated voices in robocalls illegal under the Telephone Consumer Protection Act (TCPA), with a Declaratory Ruling that took effect immediately. This ruling aims to combat the rising trend of robocall scams that use AI-generated voices to deceive consumers, imitate celebrities, and spread misinformation.

Notorious Bumblebee Malware Re-emerges with New Attack Methods

The Bumblebee malware, known for its role as an initial access broker facilitating the download and execution of additional payloads like Cobalt Strike and Meterpreter, has made a comeback with fresh tactics after a period of dormancy. Proofpoint researchers observed a significant shift in the attack chain, diverging from previous Bumblebee patterns.

Bank of America Customer Data Stolen in Data Breach

Bank of America is warning its customers of a data breach exposing their personal information after one of its third-party service providers, Infosys McCamish System (IMS) fell victim to a cyber attack in November of last year. LockBit claimed responsibility for the attack, listing IMS on its data leak site on November 4.

Rhysida Ransomware Cracked, Free Decryption Tool Released

A group of researchers from Kookmin University and the Korea Internet and Security Agency (KISA) uncovered an implementation vulnerability enabling them to reconstruct encryption keys and decrypt data locked by Rhysida ransomware. “Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data.

Exploitation of Another Ivanti VPN Vulnerability Observed

Last week, Ivanti disclosed a new vulnerability impacting its Connect Secure, Policy Secure, and ZTA gateway appliances. Tracked as CVE-2024-22024, the flaw impacts the SAML component of these appliances and can be exploited by actors to gain access to restricted resources without authentication. At the time of the disclosure, Ivanti noted that it had no evidence to suggest that the flaw was being actively exploited.

Raspberry Robin Keeps Riding the Wave of Endless Zero-days

Researchers from Checkpoint have released a new report on the evolution of Raspberry Robin malware. The latest strains are stealthier and implement various 1-day exploits that are deployed on specific vulnerable systems. 1-day exploits are similar to zero-day exploits, but have a public disclosure and/or patch available by the vendor. Even though a patch may be available, threat actors will exploit these vulnerabilities soon after disclosure, before victims have installed the patch.

Ransomware Payments Reached Record $1.1 billion in 2023

In 2023, ransomware payments soared to a record $1.1 billion, reversing the declining trend in 2022. According to researchers from Chainalysis, this trend is likely attributed to the escalating attacks against major institutions and critical infrastructure and Clop's massive MOVEit campaign, which compromised dozens of organizations across the globe.

Lessons from the Mercedes-Benz Source Code Exposure

Mercedes-Benz faced a significant security breach when a private key was mistakenly left online, resulting in the exposure of sensitive internal data. The breach, discovered by RedHunt Labs security researchers, exposed critical internal information, intellectual property, and sensitive credentials. M

Verizon Insider Data Breach Hits over 63,000 Employees

Verizon Communications issued an advisory this week that an insider data breach has impacted almost half it's workforce, exposing sensitive employee personal identifiable information (PII). A data breach notification shared with the Office of the Maine Attorney General reveals that a Verizon employee gained unauthorized access to a file containing sensitive employee information on September 21, 2023.

Hackers Steal Data of 2 Million in SQL Injection, XSS Attacks

A group known as ‘Resume Looters' has conducted SQL injection attacks on 65 legitimate job listing and retail websites, compromising the personal data of over two million job seekers, mainly in the APAC region, The group targeted sites in Australia, Taiwan, China, Thailand, India, and Vietnam to steal names, email addresses, phone numbers, employment history, education and other information.

Beware: Fake Facebook Job Ads Spreading 'Ov3r_Stealer' to Steal Crypto and Credentials

A new campaign has been uncovered by Trustwave SpiderLabs where actors are using Facebook job advertisements to trick unsuspecting end users into installing a novel Windows-based stealer malware codenamed Ov3r_Stealer. For its part, Ov3r_Stealer is capable of siphoning IP address-based location, hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Microsoft Office documents, and a list of antivirus products installed on the compromised host.

US to Roll Out Visa Restrictions on People Who Misuse Spyware to Target Journalists, Activists

Yesterday, the Biden administration announced it would be rolling out a new policy to impose visa restrictions on foreign individuals involved in the misuse of commercial spyware. This includes those who have used spyware to target individuals such as journalists, activists, perceived dissidents, members of marginalized communities, or the family members of those who are targeted.

US Condemns Iran, Issues Sanctions for Cyber-Attacks on Critical Infrastructure

The US issues new sanctions against Iran after “destabilizing and potentially escalatory” cyber attacks against US critical infrastructure. The remarks were made in a statement that announced sanctions against six Iranians for last year's cyber-attack against Unitronics, an Israeli manufacturer of programmable logic controllers used in the water sector and other critical infrastructure organizations. Several organizations in the water sector were impacted by a group of hacktivists called the CyberAv3ngers.

Dirtymoe (Purplefox) Affected More Than 2000 Computers in Ukraine

The Government Computer Emergency Response Team of Ukraine (CERT-UA) took action under the law to assist a state-owned enterprise facing significant damage from the DIRTYMOE (PURPLEFOX) malicious program, affecting over 2,000 computers in the Ukrainian internet segment. Analysis of malware samples and reference to reports from Avast and Trendmicro aided in understanding the threat's intricacies.

New Windows Event Log zero-Day Flaw Gets Unofficial Patches

Temporary patches have been released to address a new Windows-zero flaw dubbed EventLogCrasher that lets attackers remotely crash the Event Log service on devices within the same Windows domain. According to security researcher Florian, who discovered and reported the flaw, Microsoft tagged the flaw as “not meeting servicing requirements” and said it's a duplicate of a bug that was disclosed in 2022 (no further details were provided).

US Shorts China's Volt Typhoon Crew Targeting America's Criticals

According to Reuters, the US Justice Department and FBI have reportedly taken action against Chinese state-sponsored hackers attempting to infiltrate American critical infrastructure. Over several months, law enforcement conducted operations authorized by a court order, to disable parts of the Chinese hacking campaign. This campaign, known as Volt Typhoon, was revealed in May 2023 after it was found that the hackers accessed US critical infrastructure networks as far back as 2021.

ICS Ransomware Danger Rages Despite Fewer Attacks

In a recent report provided by Dragos, despite the takedown of prominent ransomware groups, the remaining threat actors have evolved their tactics and maintained the exploitation of zero-day vulnerabilities. This has allowed them to inflict more damage on industrial control systems (ICS) with fewer attacks, as highlighted in Dragos' latest industrial ransomware analysis for the last quarter of 2023.

Microsoft Teams Phishing Pushes DarkGate Malware Via Group Chats

AT&T's cybersecurity research team has uncovered a new wave of phishing attacks that abuse Microsoft Teams group chat requests to distribute malicious attachments designed to infect targeted systems with DarkGate malware. In total, attackers have used what seems to be a compromised team user (or domain) to send over 1,000 malicious group chat invites to unsuspecting users.

New ZLoader Malware Variant Surfaces with 64-bit Windows Compatibility

Rsearchers at Zscaler have uncovered a new campaign that is delivering a new variant ZLoader malware to targeted systems. This variant is said to have been in development since September 2023 and contains significant changes to the loader module, which added RC4 encryption, updated the domain generation algorithm, and is now compiled for 64-bit Windows operating systems for the first time.

Energy Giant Schneider Electric Hit by Cactus Ransomware Attack

Energy management and automation giant Schneider Electric recently suffered from a ransomware attack that targeted its Sustainability Business division, which provides services to enterprise organizations, advising on renewable energy solutions and helping them navigate complex climate regulatory requirements for companies worldwide.

Rust Payloads Exploiting Ivanti Zero-Days Linked to Sophisticated Sliver Toolkit

Recent findings suggest that payloads discovered on compromised Ivanti Connect Secure appliances may originate from a single, highly skilled threat actor, according to incident response provider Synacktiv. A malware analysis by Synacktiv reveals that the 12 Rust payloads found in relation to two Ivanti Connect Secure VPN zero-day vulnerabilities share nearly identical code, suggesting a common origin.

Ukraine: Hack Wiped 2 Petabytes of Data from Russian Research Center

Ukraine's Ministry of Defense says that pro-Ukrainian hacktivists have breached the Russian Center for Space Hydrometeorology (Planeta), and have wiped 2 petabytes of data from their systems. Planeta is a state funded research center that uses space satellite data, ground radars, and ground stations to provide accurate predictions about weather, climate, natural disasters, extreme phenomena, and volcanic monitoring.

A Cyber Insurer's Perspective on How to Avoid Ransomware

In 2023, the cybersecurity landscape saw a resurgence of ransomware attacks, with a 27% increase in frequency during the first half of the year compared to the second half of 2022. May witnessed the highest number of ransomware claims in a single month in Coalition history. Ransomware also became the leading contributor to the overall increase in claims frequency, comprising 19% of all reported claims.

Top 3 Data Breaches of 2023, and What Lies Ahead in 2024

In summary the reports says that the surge in cloud migration, coupled with AI and machine learning, accelerated data use and storage in 2023. This led to significant breaches, with notable incidents including the MOVEit ransomware attack impacting 62 million individuals globally, the ICMR breach exposing 81.5 million Indian citizens' data, and 23andMe's unauthorized access compromising 9 million user accounts.

FBI: Tech support scams now use couriers to collect victims' money

cyber criminals to collect money and valuables from victims of tech support and government impersonation scams. Many of the victims are senior citizens who are being targeted by scammers posing as employees of technology companies, financial institutions, or the U.S. government These victims are told by the actors that their financial accounts have been compromised or are under threat. T

Malicious PyPI Packages Slip WhiteSnake InfoStealer Malware onto Windows Machines

Researchers at Fortinet uncovered a Python Package Index (PyPI) malware author who goes by the ID “WS” uploading malicious packages to PyPI, designed to infect developers with WhiteSnake Stealer. Several packages were identified including nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111, which researchers estimate to have impacted over 2000 victims.

ChatGPT Cybercrime Surge Revealed in 3000 Dark Web Posts

Kaspersky researchers are warning of a notable surge in dark web discussions related to the use of ChatGPT and other Large Language Models (LLMs) to bolster cyber attacks. Nearly 3000 dark web posts were identified, focusing on a spectrum of cyber-threats, from creating malicious chatbot versions to exploring alternative projects like XXXGPT and FraudGPT. While the chatter apparently peaked in March of last year, there have been continued ongoing discussions about exploiting AI technologies for illegal activities.

Browser Phishing Threats Grew 198% Last Year

Based on Menlo Security's browser security report for 2023, browser-based phishing attacks increased a whopping 198% in the second half of 2023. In general phishing attacks seem to have evolved in the last couple of years. According to researchers, they identified 11,000 zero-hour phishing attacks in a span of 30 days.

Thousands of GitLab Instances Unpatched Against Critical Password Reset Bug

Two weeks ago, GitLab released patches to address a critical password reset vulnerability. Tracked as CVE-2023-7028, the bug can be exploited by actors to send password reset messages to unverified email addresses under their control. If the target organization does not have two-factor authentication, an actor in this case could initiate a potential account takeover by resetting the password. Patches for the bug

Malicious Traffic Distribution System Spotted by Researchers

Researchers have uncovered the growing professionalization to the cybercrime ecosystem, highlighting an online redirection of service, VexTrio, as a major traffic broker for various threat groups. VexTrio operates malicious traffic distribution systems, accessing victims based on factors like device type and location, redirecting them to malicious sites based on client requirements.

The Number of Patient Records Exposed in Data Breaches Doubled in 2023

According to a new report from cybersecurity firm Fortified Health Security, 116 million records were compromised across 655 breaches. In 2023, the number of patient records exposed in data breaches doubled in comparison to 2022, despite the number of breaches declining slightly. This is likely due to an increase in the number of large data breaches, where 16 breaches exposed more than two million patient records each.

Kasseika Ransomware Uses Antivirus Driver to Kill Other Antiviruses

A new ransomware strain, dubbed Kasseika, that was uncovered in December 2023 has joined the list of ransomware gangs to employ Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus software on targeted systems. BYOVD attacks work by either implanting or abusing a vulnerable driver in victim environments to carry out malicious operandi.

Google Pixel Phones Unusable After January 2024 System Update

According to recent reports Google Pixel smartphone owners are experiencing issues after installing the January 2024 Google Play system update. Problems include being unable to access internal storage, open the camera, take screenshots, or open apps. The issue affects various Pixel models, indicating it's not specific to a particular hardware architecture.

Exploit Code Released For Critical Fortra GoAnywhere Bug

Exploit code has been released for a critical vulnerability in Fotra GoAnywhere MFT, a managed file transfer solution. Researchers from Horizon3 released exploit details for CVE-2024-0204, a critical authentication bypass vulnerability which was patched by Fortra on December 4, 2023, but only publicly revealed by the vendor on Monday.

Mandiant Publishes Guide: Defend Against the Latest Active Directory Certificate Services Threats

Active Directory Certificate Services (AD CS) is a server role that enables organizations to leverage public key infrastructure (PKI) as part of their on-premises services to issue and use digital certificates for authenticating identities and endpoints in Active Directory environments. As highlighted by SpecterOps in 2021, AD CS has become a prime target and leverage point in the overall attack chain to achieve post-compromise objectives.

Black Basta Ransomware Group Claims Hack of UK Water Utility Southern Water

The Black Basta ransomware group has added the UK's Southern Water as a victim on their Tor based data leak site, and have threated to publish stolen data if ransom demands are not met by February 29, 2024. “Southern Water is a private utility company responsible for collecting and treating wastewater in Hampshire, the Isle of Wight, West Sussex, East Sussex and Kent, and for providing public water supply to approximately half of this area” (Security Affairs, 2024). The company provides water to a large portion of the UK, and employs over 6,000 people.

Attackers Can Steal NTLM Password Hashes via Calendar Invites

A patched vulnerability (CVE-2023-35636) in Microsoft Outlook, allowing theft of NTLM v2 hashes, can be exploited through specially crafted email headers. Security researcher Dolev Taler and Varonis Threat Labs disclosed two additional unpatched vulnerabilities of “moderate” severity for obtaining NTLM v2 hashes.

loanDepot Says Ransomware Gang Stole Data of 16.6 Million People

Mortgage lender loanDepot has confirmed that approximately 16.6 million individuals had their personal information stolen in a ransomware attack disclosed earlier this month. The attack, which occurred on January 6, led to the shutdown of some systems, affecting recurring automatic payments and causing delays in payment history updates. The company, acknowledging the breach as a ransomware incident, mentioned that files on compromised devices were encrypted by malicious actors.

Senior Microsoft Employee's Email Account Breached in Cyber Attack

Microsoft revealed this week that they were potentially targeted by the Russian state-sponsored hacking group Midnight Blizzard. The group targeted a senior employee at the company by utilizing a password spray attack to infiltrate a legacy non-production test tenant account. This allowed them to gain access to the email accounts of Microsoft's leadership team and employees in cybersecurity and legal departments.

Thieves Steal 35.5M Customers' Data from Vans Sneakers Maker

VF Corporation, the parent company of brands like Vans and North Face, disclosed that 35.5 million customers were impacted when criminals breached their systems in December. The announcement, made in an SEC filing, didn't specify the type of information accessed. However, VF Corp assured that social security numbers, bank details, and payment card information were not compromised, as they are not stored in its IT systems. The company also stated that there is no evidence of consumer passwords being accessed, though the investigation is ongoing.

Over 178K SonicWall Firewalls Vulnerable to DoS, Potential RCE Attacks

Security researchers at Bishop Fox have identified over 178,000 SonicWall next-generation firewalls with the management interface exposed online are vulnerable to two stack-based buffer overflow flaws. Tracked as CVE-2022-22274 and CVE-2023-0656, these two vulnerabilities are essentially the same and can be exploited by unauthenticated actors to perform denial of service and even remote code execution.

Hacker Spins Up 1 Million Virtual Servers to Illegally Mine Crypto

Last week, Europol announced the arrest of a 29-year-old Ukrainian national for using hacked accounts to create 1 million servers used in a worldwide crypto jacking scheme to illegally mine cryptocurrency. This individual is suspected to have been active since 2021 and is known for hijacking cloud computing resources for crypto-mining. Starting in 2021, the hacker infected one of the world's largest e-commerce companies and used automated tools to brute force the passwords of 1,500 accounts of a subsidiary of the e-commerce company.

Protecting MSPs and Mid-Market Companies from ‘FalseFont' Backdoor Attacks

A new backdoor named "FalseFont" has been discovered, attributed to the Iranian hacking group Peach Sandstorm. This backdoor poses a significant threat to Managed Service Providers (MSPs) and mid-market companies, particularly those with limited cybersecurity measures. Peach Sandstorm is a global threat actor known for sophisticated cyberattacks since 2013, targeting sectors like defense, aerospace, and energy.

Finland Warns of Akira Ransomware Wiping NAS and Tape Backup Devices

The Finish National Cybersecurity Center recently sent out an advisory warning of an uptick in Akira Ransomware activity. In the latest set of attacks, Akira actors are going after network-attached storage devices as well as tape devices and wiping backups saved, making it difficult for victims to recover files. As a result, the agency recommends organizations switch to offline backups instead and distribute backups across various locations to prevent unauthorized access.

Atomic Stealer Gets an Upgrade - Targeting Mac Users with Encrypted Payload

Researchers at Malwarebytes have uncovered an updated version of Atomic Stealer, an information stealer designed to target macOS systems. The update was made in mid December, 2023, where authors behind the malware introduced a new payload encryption routine designed to hide certain strings that were previously used for detection and identifying the C2 server.

Cisco Says Critical Unity Connection Bug Lets Attackers Get Root

Cisco patched a critical vulnerability tracked as CVE-2024-20272 in their Unity Connection product. The flaw could allow an unauthenticated attacker to remotely gain root privileges on unpatched devices. Unity Connection is a fully virtualized messaging and voicemail solution for email inboxes, web browsers, Cisco Jabber, Cisco Unified IP Phone, smartphones, or tablets with high availability and redundancy support.

Alert: Water Curupira Hackers Actively Distributing PikaBot Loader Malware

Water Curupira, a threat actor, distributed the Pikabot loader malware in spam campaigns throughout 2023. Trend Micro reported that PikaBot's phishing attacks used a loader and a core module to gain remote access and execute commands via a connection to their server. This activity occurred from Q1 to June, earlier campaigns by cybercrime group TA571 and TA577 targeting victims with Qakbot.

'Swatting' Becomes Latest Extortion Tactic in Ransomware Attacks

Cybercriminals are now using “swatting” to pressure hospitals into paying ransom demands by targeting their patients. Swatting involves making false police reports and prompting armed responses to victims' homes. These criminals aim to coerce hospitals into paying by threatening patients, like in the Fred Hutchinson Cancer Center case, cybercriminals stole medical records and threatened to use swatting tactics on patients if their ransom demands weren't met.

Crooks Pose as Researchers to Retarget Ransomware Victims

Victims of Royal and Akira ransomware are being targeted by actors masquerading as cybersecurity researchers offering to delete the files stolen by the two ransomware gangs. According to Artic Wolf Labs, who have tracked several interactions, these actors contact victims stating they will hack into the server infrastructure of the original ransomware groups involved to delete the exfiltrated data.

NoaBot: Latest Mirai-Based Botnet Targeting SSH Servers for Crypto Mining

Security researchers at Akamai have uncovered a new crypto-mining campaign that has been active since the beginning of 2023. These attacks include the use of a new Mirai-based botnet dubbed ‘NoaBot' which comes with various capabilities including a wormable self-spreader and an SSH key backdoor designed to download and execute additional binaries and spread itself to other systems.

Malware Takedowns Show Progress, But Fight Against Cybercrime Not Over

In its 2023 Adversary Infrastructure Report, published on January 9, 2024, Recorded Future analyzed the effect of three malware takedown operations that took place in 2023 or before: The March 2023 attempt to take down unlicensed versions of commercial red-teaming product Cobalt Strike, a joint project between Microsoft, the Health Information Sharing and Analysis Center (Health-ISAC), and Fortra, the software company that owns Cobalt Strike In the cases of Cobalt Strike and QakBot, law enforcement operations had a significant impact in the short term and malicious activity linked with the two tools dropped drastically in the month following the operation.

Ukrainian “Blackjack” Hackers Take Out Russian ISP

A group linked to Ukraine's SBU has allegedly launched a destructive cyber-attack against a Moscow ISP in retaliation to Russia's takedown of Kyivstar last month. According to reports, the group called “Blackjack” deleted 20 TBs of data at M9 Telecom, leaving some residents of Moscow without Internet service.

.NET Hooking – Harmonizing Managed Territory

For malware researchers, analysts, or reverse engineers, Checkpoint says the ability to alter the functionality of certain parts of code is a crucial step. Manipulating processes for code execution works well for non-managed native code, but becomes more challenging when dealing with managed code. By altering the functionality of managed code, specifically for applications that run on top of .NET, Checkpoint says the open-source library Harmony is the best option.

NoName on Rampage! Claims DDoS Attacks on Ukrainian Government Sites

The NoName ransomware group recently posted a list of their latest DDoS attack victims on their data leak site. Many of these victims include Ukrainian entities such as Accordbank, Zaporizhzhya Titanium-Magnesium Plant, State Tax Service, Central Interregional Tax Administration, Western Interregional Tax Administration, and the Main Directorate of the State Tax Service in Kyiv.

Stealthy AsyncRAT Malware Attacks Targets US Infrastructure For 11 Months

Security researchers have uncovered a new campaign that has been delivering AsyncRAT malware to select targets for the last 11 months using hundreds of unique loader samples and more than 100 domains. The campaign was initially discovered by a security researcher from Microsoft, Igal Lytzki, who spotted attacks last summer that were delivered over hijacked email threads.

Zeppelin ransomware source code sold for $500 on hacking forum

A threat actor who goes by the name ‘RET' is claiming to have access to the source code as well as a builder for the Zeppelin ransomware. Both are being advertised for sale on an underground forum for 500$, with screenshots to prove the legitimacy of the package. In the post, the actor claims to have simply cracked a builder version for the ransomware strain and had acquired the package without a license.

Russian Hackers Penetrated Ukraine Telecoms Giant for Months

Russian hackers were inside Ukrainian telecoms giant Kyivstar's system from at least May last year in a cyberattack that should serve as a "big warning" to the West, Ukraine's cyber spy chief told Reuters. The attack, one of the most dramatic since Russia's full-scale invasion nearly two years ago, knocked out services provided by Ukraine's biggest telecoms operator for some 24 million users for days from Dec. 12.

Ivanti Warns Critical EPM Bug Lets Hackers Hijack Enrolled Devices

Ivanti recently fixed a critical remote code execution (RCE) vulnerability in its Endpoint Management software (EPM). The flaw allows an unauthenticated attackers to hijack enrolled devices or the core server. The service helps manage client devices running a wide range of platforms from Windows and macOS to Chrome OS and other IoT operating systems.

Hacker Hijacks Orange Spain RIPE Account to Cause BGP Havoc

Orange Spain suffered an internet outage today after a hacker breached the company's RIPE account to misconfigure BGP routing and an RPKI configuration. The routing of traffic on the internet is handled by Border Gateway Protocol (BGP), which allows organizations to associate their IP addresses with autonomous system (AS) numbers and advertise them to other routers they are connected to, known as their peers.

Palestinian Hackers Hit 100 Israeli Organizations in Destructive Attacks

Cyber Toufan, a sophisticated threat actor claiming to be formed of Palestinian state cyber warriors, has managed to target over 100 entities in Israel in the last couple of months. These series of attacks have been fueled by geopolitical tensions between Israel and Hamas, a pro-Palestinian militant group. The latest intrusions carried out by Cyber Toufan have led to the exfiltration of large amounts of data which is being released to the public web.

CISA Warns of Actively Exploited Bugs in Chrome and Excel Parsing Library

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities catalog. The first is CVE-2023-7101, affecting the open-source Perl library Spreadsheet::ParseExcel, with a remote code execution flaw. This vulnerability was exploited by Chinese hackers in late December, targeting Barracuda ESG appliances. Mitigations were applied, and an update was released on December 29, 2023.

Nearly 11 Million SSH Servers Vulnerable to New Terrapin Attacks

Shadowservers has released new vulnerability metrics surrounding the recently discovered Terrapin vulnerabilities that threaten the integrity of some SSH connections. The Terrapin flaws target the SSH protocol, affecting both clients and servers, and was developed by academic researchers from Ruhr University Bochum in Germany.

Experts Warn of JinxLoader: Loader Used to Spread FormBook and XLoader

Researchers from Palo Alto Networks and Symantec warned of a new Go-based malware loader called JinxLoader, which is being used to deliver next-stage payloads such as Formbook and XLoader. The name of the threat comes from a League of Legends character. Palo Alto Networks’s Unit 42 first observed the malware in November 2023 reporting that it has been advertised on the hacking forum Hackforums since April 30, 2023.

Microsoft: Hackers Target Defense Firms With New FalseFont Malware

Yesterday, Microsoft posted a series of tweets on X (formerly known as Twitter) stating that it observed Iranian cyber-espionage group APT33 deploy a new backdoor dubbed FalseFont in attacks targeting organizations in the Defense Industrial Base (DIB) sector. According to the tech giant, FalseFont was first observed in attacks as early as November 2023.

Malware Leveraging Public Infrastructure Like GitHub on the Rise

Researchers from ReversingLabs have observed an increase in threat actors using GitHub open source development platform to host malware. The use of public services as command-and-control (C2) infrastructure isn’t a revolutionary technique for malicious actors, but the researchers highlight two novel techniques deployed on GitHub.

Justice Secretary in Deepfake General Election Warning

UK Secretary of State for Justice, Robert Buckland, has voiced concerns about the threat of deepfakes to British democracy prior to upcoming elections. He cited that there is a “clear and present danger” regarding deepfakes and noted how they can be used to potentially erode trust in information and sway opinions. Buckland highlighted that with AI being easily accessible and the sheer scale of generative AI, individuals can create and share content rapidly

Fake Delivery Websites Surge By 34% in December

With many shoppers rushing to order Christmas gifts, scammers are taking advantage of this opportunity by creating phishing sites impersonating delivery services. According to Group-IB, these fake delivery sites have surged by 34% in December alone, with the company identifying 587 sites designed to look like legitimate postal operators and delivery companies in the first 10 days of December.

Fake F5 BIG-IP Zero-Day Warning Emails Push Data Wipers

Israel’s National Cyber Directorate (INCD) recently disclosed a new phishing campaign that is distributing Windows and Linux data wipers via emails pretending to be a warning about a zero-day vulnerability in F5 BIG-IP devices. According to INCD, the emails push out an executable named F5UPDATER[.]exe for Windows users, while a shell script named update[.]sh is used for Linux users.

Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant Summary:

Yesterday, the U.S Justice Department announced the disruption of the BlackCat ransomware group, which to date has managed to target the computer networks of more than 1,000 victims, including those that support U.S. critical infrastructure (government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities).

New Go-Based JaskaGO Malware Targeting Windows and macOS Systems

AT&T Alien Labs has uncovered a new Go-based information stealer malware dubbed JaskaGo designed to target both Windows and Apple macOS systems. According to researchers, the info-stealer comes equipped with an extensive array of commands from its C2 server that enable actors to execute shellcode, enumerate running processes, harvest information from the victim system, and download additional payloads.

New Go-Based JaskaGO Malware Targeting Windows and macOS Systems

AT&T Alien Labs has uncovered a new Go-based information stealer malware dubbed JaskaGo designed to target both Windows and Apple macOS systems. According to researchers, the info-stealer comes equipped with an extensive array of commands from its C2 server that enable actors to execute shellcode, enumerate running processes, harvest information from the victim system, and download additional payloads.

Novel Terrapin Attack Uses Prefix Truncation to Downgrade the Security of SSH Channels

Secure Shell Protocol (SSH) was developed in early 1995, after a password sniffer was used to discover passwords store in plain text on Finland’s Helsinki University of Technology. SSH was one of the first network tools to route traffic through an impregnable tunnel fortified with a still-esoteric feature known as "public key encryption, SSH quickly caught on around the world.

What To Do When Receiving Unprompted MFA OTP Codes

This article highlights common methods cybercriminals use to bypass multi-factor authentication, specifically receiving unprompted one-time passcodes (OTP). Receiving an OTP sent as an email or text should be a cause for concern as it likely means your credentials have been stolen.

New Pierogi++ Malware by Gaza Cyber Gang Targeting Palestinian Entities

Researchers at SentinelOne have uncovered an updated version of a backdoor dubbed Pierogi which is being used by the Gaza Cyber Gang, a pro-Hamas threat actor, to target Palestinian entities. The new variant, referred to as Pierogi++, is written in the C++ programming language. Similar to its predecessor, Pierogi++ is designed to take screenshots, execute commands, and download other payloads.

Threat of Violence Likely Heightened Throughout Winter

The FBI issued an advisory that they are closely monitoring threats to public safety during the holiday season, which may be amplified by the ongoing Israel-Hamas conflict. The FBI, Department of Homeland Security (DHS), and National Counterterrorism Center (NCTC) are issuing this Public Service Announcement to highlight elements posing potential threats in the United States from a variety of actors during the winter season.

BianLian, White Rabbit, and Mario Ransomware Gangs Spotted in a Joint Campaign

Based on a recent Digital Forensics & Incident Response (DFIR) engagement with a law enforcement agency (LEA) and one of the leading investment organizations in Singapore (and other victims), Resecurity (USA) has uncovered a meaningful link between three major ransomware groups. Resecurity’s HUNTER (HUMINT) unit spotted the BianLian, White Rabbit, and Mario ransomware gangs collaborating in a joint extortion campaign targeting publicly-traded financial services firms.

Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet

The US cybersecurity landscape faces a critical challenge with the emergence of a highly resilient botnet operated by the Chinese-backed Volt Typhoon group. This botnet has ingeniously repurposed end of life Small Office/Home Office (SOHO) routers from Cisco, Netgear, and Fortinet, and set up a Tor-like covert data transfer network to perform malicious operations. Notably, these routers, lacking security updates, now serve as a central element in Volt Typhoon’s penetration strategy across critical sectors like communications, manufacturing and government.

Microsoft Seized the US Infrastructure of the Storm-1152 Cybercrime Group

Microsoft recently announced that it seized multiple domains used by the cybercrime group Storm-1152 to sell fraudulent Outlook accounts. According to the vendor, Storm-1152 has registered over 750 million fraudulent Microsoft accounts, enabling the group to generate millions of dollars in sales. After obtaining a court order from the Southern District of New York on December 7, 2023.

BazarCall Attacks Abuse Google Forms to Legitimize Phishing Emails

Email security firm Abnormal uncovered a new wave of BazarCall attacks abusing Google Forms to target users. First documented in 2021, BazarCall is a type of phishing attack that utilizes fake payment/subscription invoices in emails impersonating known brands. In this case, victims are notified that their account has been charged and should contact customer support if they don’t recognize the transaction. Rather than including a link in the email, the actors will leave behind a phone number that the victim can call.

Cozy Bear Hackers Target JetBrains TeamCity Servers in Global Campaign

In a joint advisory published on December 13, 2023, six security and intelligence agencies in the US, the UK and Poland warned that Cozy Bear has been exploiting an authentication bypass vulnerability in TeamCity (CVE-2023-42793) since at least September 2023. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes. The access could also be used to conduct software supply chain attacks.

Vulnerabilities Now Top Initial Access Route For Ransomware

Cybersecurity insurance provider Corvus reports that ransomware actors are switching tactics and are choosing to exploit vulnerabilities rather than leverage phishing emails to breach victim organizations. Analyzing metrics from claims data this year, Corvus was able to examine threat actor activity. The company claims that vulnerability exploitation rose as an initial access method from nearly 0% of ransomware claims in H2 2022 to almost a third in the first half of 2023.

Russia Set to Ramp Up Attacks on Ukraine’s Allies This Winter

A new report by Cyjax warns of an increase in cyberattacks from Russia targeting Ukraine and its allies as the Winter season approaches. According to researchers, Russia’s missile production is struggling to keep pace with its tactical, operational, and strategic usage, due to economic sanctions and a shortage of workers.

What To Do If Your Company Was Mentioned on Darknet?

This article examines different scenarios where your company may be mentioned on the darkweb, and what you can do to navigate and mitigate the potential risks associated. Specifically, the article focuses on the sale of compromised accounts, internal databases and documents, as well as access to corporate infrastructure, and the sale of personal identifiable information like ID photos, drivers licenses, etc.

Russian APT28 Hackers Targeting 13 Nations in Ongoing Cyber Espionage Campaign

A new blog post from IBM’s X-Force highlights APT28’s, a group of Russian military hackers, use of Israel-Hamas conflict lures to deliver Headlace malware. For its part, Headlace is a multi-component malware that includes a dropper, a VBS launcher, and a backdoor using MSEdge in headless mode, designed to download second-stage payloads and exfiltrate credentials as well as other sensitive details.

Ukraine's Largest Phone Operator Hack Tied to War With Russia

Ukraine’s largest mobile network operator Kyivstar was impacted by a cyber event that lead to significant shutdowns. The company, which is owned by Amsterdam-based Veon, announced on December 12th, that a powerful cyber attack caused technical failure, which impacted Internet access and mobile communications for customers.

Privilege Elevation Exploits Used in Over 50% Of Insider Attacks

A report published by Crowdstrike researchers indicates that insider threats are escalating, with Crowdstrike’s report indicating a surge in unauthorized actions using privilege escalation flaws. Approximately 55% of these threats leverage privilege scalation exploits, while 45% stem from downloading risky tools or misusing them.

AutoSpill Attack Steals Credentials from Android Password Managers

Security researchers developed a new attack, which they named AutoSpill, to steal account credentials on Android during the autofill operation. In a presentation at the Black Hat Europe security conference, researchers from the International Institute of Information Technology (IIIT) at Hyderabad said that their tests showed that most password managers for Android are vulnerable to AutoSpill, even if there is no JavaScript injection.

Toyota Warns Customers of Data Breach Exposing Personal, Financial Info

Toyota Financial Services recently warned its customers about a data breach, where actors were able to gain unauthorized access to some of its systems in Europe and Africa, allowing the actors to steal sensitive personal and financial data. Medusa ransomware has claimed responsibility for the attack, demanding a 8 million ransomware be paid in exchange for the data stolen.

ALPHV/BlackCat Site Downed After Suspected Police Action

Last Friday, cyber security firm RedSense disclosed on X (formerly known as Twitter) that BlackCat Ransomware’s Tor data leak site had been taken down after police action. As of writing no official disclosure from law enforcement authorities has been published to the public regarding such a takedown.

Iran Threatens Israel's Critical Infrastructure With 'Polonium' Proxy

An Iranian proxy hacking group named Polonium, operating from Lebanon poses a serious threat to Israel’s critical infrastructure. Despite being less known than other hacking groups, Polonium has intensified its attacks, targeting multiple Israeli sectors and evolving its tactics over time. Microsoft reported that Polonium spied on over 20 Israeli organizations, including key sectors like Transportation, IT, Finance, and Healthcare in Spring 2022.

Russian Military Hackers Target NATO Fast Reaction Corps

APT28, a group of Russian military hackers have been exploiting a Microsoft Outlook zero-day (CVE-2023-23397) since March 2022 to target multiple European NATO member countries, including a NATO Rapid Deployable Corps. Over the course of 20 months, researchers at Palo Alto Networks’ Unit 42 have observed this group launch three different campaigns targeting at least 30 organizations across 14 nations deemed of probable strategic intelligence significance to Russia's military and government.

Ransomware Surge is Driving UK Inflation, Says Veeam

New data gathered by Veeam indicates that a surge in ransomware attacks has caused businesses in the UK to increase prices, adding to the already high inflation. Veeam surveyed 100 UK businesses with over 500 employees that had been compromised by ransomware. According to the software company, large companies had to increase costs to customers by an average of 17% following an attack.

Forward Momentum: Key Learnings From Trend Micro’s Security Predictions for 2024

Advances in cloud technology, artificial intelligence and machine learning, and Web3 are reshaping the threat landscape, urging organizations to re-strategize their defenses and stay up to date with the latest trends and threats. A new blog post by Trend Micro highlights the new challenges that will come with these emerging technologies and what to expect for the upcoming new year.

Ninety Percent of Energy Companies Suffer Supplier Data Breach

Security Scorecard recently analyzed the cybersecurity posture of the largest coal, oil, natural gas, and electric companies in the US, UK, France, Germany, and Italy, as well as their suppliers. According to the vendor, UK energy firms received the high average security rating (80% holding a B or above). However, a third of global firms received a rating of C or lower, making them susceptible to a breach.

Why Cloud Security Matters in Today’s Business World

As companies increasingly adopt cloud computing, a report by Ermetic and IDC reveals that 80% of CISOs experienced cloud data breaches in the last 18 months, with 43% facing 10 or more breaches. The report emphasizes the need for a robust understanding of cloud security to safeguard organizations, personnel, and customers during the transition. Cloud security involves principles like access controls and system audits. Key reasons to embrace it include scalability, reliability, and protection against DDoS attacks.

New Krasue Linux RAT Targets Telecom Companies in Thailand

Group-IB researchers discovered a previously undetected Linux remote access trojan called Krasue being employed in attacks aimed at telecom companies in Thailand. The Krasue Remote Access Trojan (RAT) emerged in 2021 according to samples found on VirusTotal. The name “Krasue,” comes from the Thai name of a nocturnal native spirit known throughout Southeast Asian folklore.

LockBit Remains Top Global Ransomware Threat

A new report from ZeroFox highlights LockBit’s continued dominance in the ransomware landscape, with the group accounting for 25% of all ransomware and digital extortion attacks worldwide between January 2022 and September 2023. In particular, LockBit poses a big threat to entities in North America, with an average of 40% of LockBit victims based in this region, spanning the manufacturing, construction, retail, legal & consulting, and healthcare sectors. Researchers note this is expected to increase to 50% by the end of 2023.

Hackers Breach US Govt Agencies Using Adobe ColdFusion Exploit

CISA recently published an advisory warning that hackers are exploiting a critical vulnerability in Adobe ColdFusion to gain initial access to government servers. Tracked as CVE-2023-26360, the flaw relates to an improper access control vulnerability in Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier), which could result in arbitrary code execution.

Governments Spying on Apple, Google Users Through Push Notifications - US Senator

Senator Ron Wyden has raised concerns that unidentified governments are surveilling smartphone users through push notifications on apps, demanding data from Google and Apple. Push notifications, used by various apps for updates, messages, and news alerts, often travel through Google and Apple servers. This unique access gives the companies insight into app traffic and user activity, potentially facilitating government surveillance.

Russian APT28 Exploits Outlook Bug to Access Exchange

Microsoft issued a warning regarding the exploitation of CVE-2023-23397 by APT 28, a Russian state sponsored group. The targeted entities include government, energy, transportation, and other key organizations in the United States, Europe, and the Middle East. CVE-2023-23397 was first disclosed and patched as a zero-day bug in Microsoft’s March 2023 Patch Tuesday update round.

New AeroBlade Hackers Target Aerospace Sector in the U.S.

Cyber security firm Blackberry has uncovered a campaign targeting an aerospace organization in the United States. Researchers are tracking the actors behind this campaign as ‘AeroBlade.” Based on the observed attack, the actors used spear-phishing as their delivery mechanism, where they employed a weaponized document, sent as an email attachment.

Holiday Shopping Scams Persist with Cybercriminal Tactics

Cybercriminals are currently targeting SaaS services and utilizing AI technology, social media phishing, and brand impersonation to pilfer from various sectors, impacting the reputations of legitimate businesses. It is crucial to adopt proactive measures, such as manual or automated takedown services, to maintain consumer trust during the bustling holiday shopping season. The USPS phishing attack encompasses over 3,000 phishing domains that mimic reputable brands like Walmart, with scammers exploiting stolen data to entice victims into revealing sensitive banking details.

Florida Water Agency Latest to Confirm Cyber Incident as Feds Warn of Nation-state Attacks

A regulatory agency in Florida confirmed they responded to a recent cyber attack last week as US cybersecurity agencies warn of foreign attacks against water utilities. A spokesperson for the St. Johns River Water Management District, which works closely with utilities on water supply issues, confirmed that it “identified suspicious activity in its information technology environment” and that “containment measures have been successfully implemented.”

Over 20,000 Vulnerable Microsoft Exchange Servers Exposed to Attacks

The ShadowServer Foundation is warning that tens of thousands of Microsoft Exchange email servers in Europe, the United States, and Asia are exposed on the public internet and vulnerable to remote code execution flaws. The mail systems run a software version that is currently unsupported and no longer receives any updates, being vulnerable to multiple security issues, some with a critical severity rating.

Check Point Research Navigates Outlook’s Security Landscape: The Obvious, the Normal, and the Advanced

In a recent blog from Check Point, Outlook, the desktop app in the Microsoft Office suite, is highlighted as one of the world's most widely used applications for organizational communication. However, it poses significant security risks, acting as a critical gateway for cyber threats. The blog categorizes attack vectors into three types: the "obvious" Hyperlink attack vector, the "normal" Attachment attack vector, and the "advanced" Email Reading and Special Object attack vectors.

Qakbot Takedown Aftermath: Mitigations and Protecting Against Future Threats

The DOJ and FBI collaborated to dismantle the Qakbot malware and its botnet, successfully disrupting a long standing threat. However, concerns linger as Qakbot may still pose a risk, although in a reduced form. The takedown removed the malware from a significant number of devices, including 700,000 globally and 200,000 in the U.S. Yet, recent findings suggest Qakbot remains active but weakened.

Simple Hacking Technique Can Extract ChatGPT Training Data

Researchers from Google DeepMind, Cornell University, and other institutions found that the widely used generative AI chatbot, ChatGPT, is susceptible to data leaks. By prompting ChatGPT to repetitively say words like "poem," "company," and others, the researchers were able to make the chatbot regurgitate memorized portions of its training data.

US Govt Sanctions North Korea’s Kimsuky Hacking Group

On Thursday the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) sanctioned eight North Korean agents for facilitating sanctions evasion including revenue generation and missile-related technology procurement that support the Democratic People’s Republic of Korea’s (DPRK) weapons of mass destruction programs.

New ‘Turtle’ macOS Ransomware Analyzed

Several vendors on VirusTotal have detected a new ransomware dubbed Turtle which is capable of not only targeting Windows and Linux systems but also macOS. Cybersecurity researcher Patrick Wardle who analyzed this new strain, says that Turtle Ransomware is currently not sophisticated. The malware was developed in the Go programming language.

RedLine Stealer Malware Deployed Via ScrubCrypt Evasion Tool

Researchers from Satori Threat Intelligence discovered a new version of the ScrubCrypt obfuscation tool being used to target organizations with the RedLine stealer malware. This latest version of ScrubCrypt is for sale on dark web marketplaces, and is being used in account takeover and fraud attacks.

Behind the Attack: LUMMA Malware

Researchers at Perception Point recently unveiled a sophisticated malware attack aimed at bypassing threat detection systems. The attack involves impersonating a financial services company via a fake invoice email. The email includes a button that leads to an unavailable website which urges users to visit a seemingly legitimate link for the invoice.

Qlik Sense Exploited in Cactus Ransomware Campaign

According to a new blog post by researchers at Artic Wolf, a set of known vulnerabilities in Qlik Sense, a cloud analytics and business intelligence platform, are being exploited to deploy ransomware. Tracked as CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365, the flaws are being chained together to achieve remote code execution on targeted systems.

Iran-Backed Cyber Av3ngers Escalates Campaigns Against U.S. Critical Infrastructure

The Iran-backed Cyber Av3ngers, affiliated with the IRGC, has been actively exploiting Programmable Logic Controllers (PLCs) in Water and Wastewater treatment plants, targeting critical infrastructure installations in the U.S. The group, known for making false claims, initiated attacks on various water authorities, an aquarium, and a brewery. They focus on Unitronics PLCs, leveraging open source tools and exploiting vulnerabilities. The recent campaign expanded to target critical infrastructure globally, particularly those using equipment associated with Israel.

New BLUFFS Attack Lets Attackers Hijack Bluetooth Connections

Researchers from Eurecom have developed six next attacks they have collectively named “BLUFFS.” These vulnerabilities can be used for device impersonation and man-in-the-middle (MitM) attacks. BLUFFS exploits two previously unknown flaws in Bluetooth, related to how session keys are derived to decrypt data in exchange.

Iranian Hackers Exploit PLCs in Attack on Water Authority in U.S.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is responding to a cyber attack on the Municipal Water Authority of Aliquippa, Pennsylvania. The attack involved the exploitation of Unitronics programmable logic controllers (PLCs) and has been attributed to the Iranian-backed hacktivist group Cyber Av3ngers.

General Electric, DARPA Hack Claims Raise National Security Concerns #2

General Electric (GE) and the Defense Advanced Research Projects Agency (DARPA) are reported to have experienced security breaches, with stolen data allegedly available for sale on the Dark Web. The compromised information includes access credentials, DARPA-related military data, SQL files, and more. GE has acknowledged the breach and is actively investigating the matter. DARPA, known for collaborating with GE on various projects, may have classified information on weapons programs and artificial intelligence research in its data stores.

General Electric, DARPA Hack Claims Raise National Security Concerns

General Electric, an American multinational conglomerate that has several divisions including aerospace, power, and renewable energy, is investigating claims that a threat actor breached its development environment and leaked allegedly stolen data. The development comes after a threat actor named IntelBroker posted to a dark forum claiming to have access to General Electric’s development and software pipelines.

Key Cybercriminals Behind Notorious Ransomware Families Arrested in Ukraine

A joint operation carried out by Europol and law enforcement agencies has led to the arrest of 5 key suspects in Ukraine believed to be core members of various ransomware operations including LockerGoga, MegaCortex, Dharma, and the now defunct Hive ransomware. Since 2019, these individuals have targeted over 1,800 victims across 71 countries, compromising large corporations.

Daixin Team Claims Attack on North Texas Municipal Water District

The Daixin Team, a group known for carrying out ransomware attacks, has listed the North Texas Municipal Water District (NTMWD) as a victim on their data leak site. The actors claim to have stolen large amounts of sensitive data from the company and are threatening to release it publicly. The information stolen is said to include board meeting minutes, internal project documentation, personnel details, audit reports, and more. The leak of the data puts the company at risk of frauds in the next months.

Hacktivists Breach U.S. Nuclear Research Lab, Steal Employee Data

The Idaho National Laboratory (INL) announced this week that they suffered a cyberattack after SiegedSec hacktivists leaked stolen human resources data online. INL is a nuclear research center run by the U.S. Department of Energy that employs 5,700 specialists in atomic energy, integrated energy, and national security.

Exploit for CrushFTP RCE Chain Released, Patch Now

A critical vulnerability (CVE-2023-43177) in CrushFTP, allowing hackers to access files, execute code, and steal passwords. Although a fix was issued in version 10.5.2, a recent public exploit by Converge demands immediate updates for CrushFTP users. This exploit lets attackers read, delete files, and potentially gain total control over systems using specific web ports and functions in CrushFTP.

8Base Group Deploying New Phobos Ransomware Variant via SmokeLoader

Last Friday, Cisco Talos published a blog post, highlighting that 8Base ransomware actors are using a variant of the Phobos ransomware to carry out financially motivated attacks. Although most Phobos variants have been distributed using SmokeLoader, a backdoor trojan, researchers note that in 8Base campaigns, the actors are embedding the ransomware component into encrypted payloads, which are then decrypted and loaded into the SmokeLoader process memory.

Popular Dragon Touch Tablet for Kids Infected with Corejava Malware

Retailers like Amazon have promoted affordable Android devices for children, such as the Dragon Touch KidzPad Y88X 10 tablet. However, research by the Electronic Frontier Foundation (EFF) revealed malware and riskware on the device, leading to Amazon removing it from the platform. Other Y88X models remain available. This is not the first instance; in January 2023, Amazon sold a T95 Android TV box with preinstalled malware. Both instances involved the Corejava malware.

MySQL Servers Targeted by ‘Ddostf’ DDoS-As-A-Service Botnet

The ‘Ddostf’ malware botnet is attacking MySQL servers to turn them into a DDoS service. AnhLab Security Emergency Response Center (ASEC) discovered this while tracking threats against database servers. Ddostf infiltrates MySQL servers either through vulnerabilities in unpatched systems or by cracking weak administrator account passwords. These attackers search the web for exposed MySQL servers, trying to breach them through brute forcing administrator credentials.

Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware

Cybersecurity company Securonix has uncovered a new campaign dubbed SEO#LURKER, where actors are tricking WinSCP users into installing malware via SEO poisoning and bogus Google ads. In particular, the actors are using dynamic search ads which automatically generate ads based on a site's content to serve the malicious ads that take the victims to an infected site, which in this case is a compromised WordPress site (gameeweb[.]com). Researchers say this WordPress site will redirect the victim to a phishing site advertising a fake installation for WinSCP, in turn infecting the victim with malware.

#StopRansomware: Rhysida Ransomware

A new joint advisory from CISA and the FBI has been issued detailing observed TTPs and IOCs to help organizations protect against Rhysida Ransomware. Rhysida is a fairly new ransomware that was first detected in May 2023. Like any other ransomware gang, the group engages in double extortion schemes where it will encrypt and exfiltrate victims’ files, threatening to publish the data online unless a ransom is paid.

FBI Warns: Five Weeks In, Gaza Email Scams Still Thriving

FBI is warning of cybercriminals taking advantage of the war in Gaza to solicit funds from unsuspecting victims. According to alerts sent out by the agency, these fraudsters are using various schemes including emails, social media, cold calls, and websites masquerading as fundraisers and charities to convince end users to donate money, stating that the funds will go to victims of the ongoing conflict. These donations are requested in the form of gift cards, wire transfers, and cryptocurrency, making it difficult to trace back.

Zero-Days in Edge Devices Become China's Cyber Warfare Tactic of Choice

Over the past five years, Chinese state-sponsored cyber operations have evolved into a more mature and coordinated threat, focusing on exploiting both known and zero-day vulnerabilities in public-facing security and network appliances. They have also placed a strong emphasis on operational security and anonymity These changes have been influenced by both internal factors like military restructuring and changes in domestic regulations, as well as external factors including reporting by Western governments and the cybersecurity community.

LockBit Ransomware Exploits Citrix Bleed in Attacks, 10K Servers Exposed

About a month ago, Citrix fixed a critical information disclosure flaw (CVE-2023-4966), “Citrix Bleed,” impacting Citrix NetScaler ADC and NetScaler Gateway. As of writing thousands of internet-exposed endpoints are still running vulnerable appliances despite patches being released. As such threat actors are using this opportunity to launch attacks. One of these actors is the LockBit Ransomware group, which researchers say is using publicly available exploits for CVE-2023-4966 to breach the systems of large organizations, steal data, and encrypt files.

82% of Attacks Show Cyber-Criminals Targeting Telemetry Data

A new report from Sophos indicates that cyber-criminals are disabling or wiping out logs in 82% of incidents, making it difficult for organizations to backtrace and determine what happened on systems during a crisis. What’s more is that based on a case study conducted by Sophos, nearly a quarter of organizations investigated didn’t have the appropriate logging available in place for incident responders. Researchers say this was due to several factors, including insufficient retention, re-imaging, or a lack of configuration. “In an investigation, not only would this mean the data would be unavailable for examination, but the defenders would have to spend time figuring out why it wasn’t available” stated researchers in a recent blog post.

BlackCat Ransomware Gang Targets Businesses Via Google Ads

ALPHV/BlackCat ransomware threat actors have been seen using Google Ads to distribute malware. By masquerading as popular software products like Advanced IP Scanner and Slack, the group has been luring professionals to attacker controlled websites. The victims, thinking they are downloading legitimate software, are unknowingly installing a piece of malware called Nitrogen. Nitrogen serves as initial-access malware providing intruders with a foothold into the target organization’s IT environment.

Steps CISOs Should Take Before, During & After a Cyberattack

In today's complex cybersecurity landscape, cyberattacks are inevitable. Organizations, regardless of size or industry, must establish detailed playbooks for effective response. Chief Information Security Officers (CISOs) play a crucial role in preparing for attacks by fostering relationships, educating leaders, and developing comprehensive frameworks.

DP World Cyberattack Blocks Thousands of Containers in Ports

International logistics firm DP World Australia announced that a cyber attack has severely disrupted it’s regular freight movement in multiple Australian ports. DP World specialized in cargo logistics, port terminal operations, maritime services, and free trade zones, they have an annual revenue of over $10 billion. In total, the firm operates 82 marine and inland terminals in 40 countries, handles 70 million containers annually carried by 70,000 vessels, and manages roughly 10% of all global container traffic. DP World has the largest presence in Australia, handling over 40% of the nation’s container trade.

Update: Iranian Hackers Launch Malware Attacks on Israel’s Tech Sector

Imperial Kitten, also known as Tortoiseshell, TA456, Crimson Sandstorm and Yellow Liderc, has launched a new campaign targeting transportation, logistics, and technology companies in the Middle East. Associated with the Iranian Revolutionary Guard Corps (IRGC), this threat actor, using the online persona Marcella Flores, has been active since at least 2017, conducting cyberattacks across sectors like defense technology, telecommunications, maritime, energy, and consulting.

New Ransomware Group Emerges with Hive's Source Code and Infrastructure

Hunters International, a newly emerged ransomware group, has acquired the source code and infrastructure from the dismantled Hive operation, a once-prolific ransomware-as-a-service (RaaS) group. The Hive group's operations were halted as part of a coordinated law enforcement effort in January 2023. This move allowed Hunters International to start its own cyber threat activities with a mature toolkit.

Signature Techniques of Asian APT Groups Revealed

The Kaspersky Cyber Threat Intelligence team has unveiled crucial insights into the tactics, techniques and procedures (TTPs) employed by Asian Advanced Persistent Threat (APT) groups. In a report published today, Kaspersky reveals TTPs found from their examination of one hundred global cybersecurity incidents.

Dragos: OT Threat Intelligence in Cyber Assessment Framework (CAF)

Dragos recently highlighted the UK National Cyber Security Centre's Cyber Assessment Framework (CAF) in a report, emphasizing its global applicability. The CAF, designed to enhance government cybersecurity, outlines top-level outcomes for good cybersecurity. While initially aimed at the UK, its principles are valuable globally.

Russian-Speaking Threat Actor “Farnetwork” Linked to 5 Ransomware Gangs

According to a report from cybersecurity company Group-IB, a threat actor known as 'farnetwork' has operated under various usernames like farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkitand. They actively sought affiliates for different ransomware operations on Russian-speaking hacker forums. In March, farnetwork started recruiting affiliates for their ransomware-as-a-service (RaaS) program based on the Nokoyawa locker.

Beware, Developers: BlazeStealer Malware Discovered in Python Packages on PyPI

According to a new report from Checkmarx, throughout 2023 threat actors have been distributing malicious Python packages disguised as legitimate obfuscation tools to execute BlazeStealer malware on targeted systems. Once executed, BlazeStealer will retrieve a malicious script from an external source and run a discord bot designed to enable the threat actor to gain complete control over the victim’s computer.

Ransomware Actors Continue to Gain Access through Third Parties and Legitimate System Tools

According to a new advisory from the FBI, the agency noted that ransomware actors continue to gain access through third-party vendors and services. Between 2022 and 2023, the FBI observed ransomware attacks compromising casinos through third-party gaming vendors. In particular, small and tribal casinos were targeted, with the threat actors encrypting the PII data of employees and patrons which would be held for ransom payments.

Ethical Hackers Enhance Cybersecurity with Generative AI

The growing use of digital technology makes cybersecurity more important than ever. Ethical hackers, who identify and prevent cyber threats, are increasingly using AI tools like ChatGPT. A report by Bugcrowd reveals that many hackers believe AI will change how they work in the coming years. While AI can't replace human creativity in security, it helps in tasks like data analysis and vulnerability detection.

Okta Breach: Employee's Personal Google Account Usage on Company Laptop Blamed

In a recent statement from Okta security chief David Bradbury, Bradbury confirmed that from September 28, 2023, to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers. These files contained session tokens, which the threat actor was able to use to hijack the legitimate Okta sessions of 5 customers.

Critical Atlassian Confluence Bug Exploited in Cerber Ransomware Attacks

Last Tuesday, Atlassian released security updates to address a critical improper authorization vulnerability impacting all versions of Confluence Data Center and Server. Tracked as CVE-2023-22518, the vulnerability can be used in data destruction attacks targeting internet-exposed and unpatched instances. While initially, Atlassian noted that it is unaware of reports of active exploitation, the vendor updated its advisory on Friday, stating that threat actors are starting to exploit the flaw in attacks in the wild.

Over Half of Users Report Kubernetes/Container Security Incidents

A report from Infosecurity magazine says that Cloud native development practices are creating dangerous new security blind spots for organizations in the US, UK, France and Germany. A study by Venafi polled 800 security and IT leaders from large organizations based in these four countries. It found that 59% of respondents have experienced security incidents in their Kubernetes or container environments.

A Ukrainian Company Shares Lessons in Wartime Resilience

MacPaw, a Ukrainian software company, faced the challenge of maintaining business continuity during the Russian invasion. Their CTO, Vira Tkachenko, explained how they prepared for wartime cyber resilience, including forming an emergency team, prioritizing employee safety and service delivery, fortifying their headquarters, ensuring power and connectivity options, building hardware reserves, setting up redundant communications, freezing code changes, and dealing with increased cyberattacks.

Adtran - AOE Server Vulnerability Advisory

AOE servers that are not properly secured are susceptible to a security vulnerability that could potentially grant unauthorized access to the server via the AOE Server Admin user account. Such compromised servers are consequently vulnerable to ransomware attacks, posing a significant security risk.

MITRE ATT&CK v14 Released

MITRE has released MITRE ATT&CK v14, the newest iteration of its popular investigation framework / knowledge base of tactics and techniques employed by cyber attackers. The goal of MITRE ATT&CK is to catalog and categorize the known tactics, techniques, and procedures (TTPs) used by adversaries in real-world attacks.

Common Vulnerability Scoring System v4.0 Summary:

FIRST, the Forum of Incident Response and Security Teams, will release this week version 4.0 of the Common Vulnerability Scoring System (CVSS). CVSS is an open framework that allows organizations and researchers to communicate specific characteristics and severities of software vulnerabilities.

Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence

President Joe Biden has signed an executive order aimed at regulating generative AI systems like ChatGPT, recognizing their transformative potential and potential risks. The order focuses on ensuring the safe and responsible development and use of AI. It directs various federal agencies and departments to create standards and regulations for AI in various areas, including criminal justice, education, health care, housing, and labor, with an emphasis on protecting civil rights and liberties.

Mass Exploitation of ‘Citrix Bleed’ Vulnerability Underway

Last week, Citrix warned that threat actors are actively exploiting a critical information disclosure vulnerability impacting Citrix NetScaler ADC and Gateway instances. Tracked as CVE-2023-4966, the vulnerability can be exploited by unauthenticated attackers to leak sensitive information from on-prem appliances that are configured as an AAA virtual server or gateway. In the past couple of days, security researchers have noticed an alarming increase in exploitation attempts, with several threat actors including ransomware groups, targeting vulnerable instances.

Dozens of Countries Will Pledge to Stop Paying Ransomware Gangs

As part of the upcoming third annual meeting of the International Counter-Ransomware Initiative, the Biden administration and dozens of its foreign allies will pledge to stop paying ransomware gangs. Representatives from 48 countries, the European Union, and Interpol are expected to attend this week’s summit, which will focus on strategies to block funds used by ransomware gangs to fuel their operations.

'Prolific Puma' Hacker Gives Cybercriminals Access to .us Domains

A report by Infoblox uncovers a concerning trend involving a link-shortening service called "Prolific Puma." This service assists cyber attackers and scammers by providing them with top-level .us domains, enabling them to run phishing campaigns with reduced visibility. Over the past 18 months, Prolific Puma has generated up to 75,000 unique domain names, often sidestepping regulations to offer malicious actors .us URLs.

Security Brief: TA571 Delivers IcedID Forked Loader

In a recent blog post, cybersecurity firm Proofpoint disclosed that it observed two campaigns on October 11 and 18, 2023, in which TA571, a sophisticated cybercriminal threat actor, delivered the Forked variant of IceID. The forked variant was observed being delivered via emails containing 404 TDS URLs that would lead to the download of a password-protected archive, with the password listed in the email. “The zip file contained a VBS script and a benign text file.

BiBi-Linux: A New Wiper Dropped By Pro-Hamas Hacktivist Group

Researchers at Security Joes have uncovered a new Linux Wiper malware dubbed “BiBi-Linux Wiper,” being used by a pro-Hamas Hacktivist group to target Israeli entities in the ongoing Israeli-Hamas conflict. BiBi-Linux Wiper is an x64 ELF executable that is designed to render files unusable by overwriting their contents, further appending targeted files with an extension that uses the following structure “[RANDOM_NAME].BiBi[NUMBER].”

OT Cyber Attacks Proliferating Despite Growing Cybersecurity Spend

The significant rise in attacks on operational technology (OT) systems is primarily due to two key factors: increasing global threats from nation state actors and the involvement of profit-driven cybercriminals often backed by the former. The lack of success in defending against these attacks can be attributed to several factors, including the complexity of OT environments, the convergence of information technology and OT, insider attacks, supply chain vulnerabilities, and more.

Russia to Launch Its Own Version of VirusTotal Due to US Snooping Fear

The Russian government is developing its own malware scanning platform, similar to VirusTotal, to address concerns that the U.S. government might access data from the popular Google-owned service. This new platform, called "Multiscanner," is being created by Russia's National Technology Center for Digital Cryptography in collaboration with other organizations and private enterprises, including companies like Kaspersky, AVSoft, and Netoscope.

CISA Releases Logging Made Easy Article

We wanted to let members know that CISA has introduced a valuable toolset designed to assist companies with their logging requirements. "Logging Made Easy (LME)," LME is a reimagined offering by CISA, that transforms a well-established log management solution into a reliable, centralized log management alternative.

A Cascade of Compromise: Unveiling Lazarus' New Campaign

Earlier this year, a software vendor fell victim to a Lazarus malware attack due to unpatched legitimate software. Despite previous warnings and patches from the vendor, vulnerabilities remained, allowing the threat actor to exploit them. Fortunately, proactive measures detected and thwarted an attack on another vendor. Further investigation revealed that the software vendor had been repeatedly targeted by Lazarus, indicating a persistent and determined threat actor likely seeking valuable source code or tampering with the software supply chain. The adversary used advanced techniques and introduced the SIGNBT malware for victim control.

Microsoft: Octo Tempest Is One of the Most Dangerous Financial Hacking Groups

Summary: Researchers at Microsoft released a comprehensive profile of Octo Tempest, a native English speaker known for advanced social engineering skills. Octo Tempest primarily focuses on data extortion and ransomware attacks against various companies. This threat actor’s tactics have been continuously evolving since early 2022, with expanded targeting encompassing organizations offering cable telecommunications, email, and tech services.

Cloudflare Sees Surge in Hyper-volumetric HTTP DDoS Attacks

Cloudflare says the number of hyper-volumetric HTTP DDoS (distributed denial of service) attacks recorded in the third quarter of 2023 surpasses every previous year, indicating that the threat landscape has entered a new chapter” (Bleeping Computer, 2023). DDoS attacks are a type of cyber attack that sends large amounts of traffic towards hosting apps, websites, and online services in an attempt to overwhelm and make them unavailable to legitimate visitors.

France Accuses Russian State Hackers of Targeting Government Systems, Universities, Think Tanks

A hacking group associated with Russia’s military intelligence agency has been spying on French universities, businesses, think tanks, and government agencies, according to a new report from France’s top cybersecurity agency ANSII” (The Record, 2023). According to the agency, APT28 (Fancy Bear) has been breaching French networks since the second half of 2021 looking for sensitive data. The group chose not to leverage backdoors and instead compromised devices like routers that aren’t as closely monitored.

Chilean Telecom Giant GTD Hit by the Rorschach Ransomware Gang

Chile's telecommunications company, Grupo GTD, has experienced a cyberattack that affected its Infrastructure as a Service (IaaS) platform. The attack caused disruptions to various online services, including data centers, internet access, and Voice-over-IP (VoIP). The attack has been attributed to the Rorschach ransomware gang, which has led to the disconnection of their IaSS platform from the internet.

StripedFly Malware Framework Infects 1 Million Windows, Linux Hosts

A sophisticated cross-platform malware platform named StripedFly flew under the radar of cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time. Kaspersky discovered the true nature of the malicious framework last year, finding evidence of its activity starting in 2017, with the malware wrongly classified as just a Monero cryptocurrency miner.

Israeli-Hamas Conflict Spells Opportunity for Online Scammers

Researchers have exposed multiple cyber scams exploiting the Israeli-Hamas conflict. These scams involve more than 500 deceptive emails and fraudulent websites that take advantage of people’s desire to support those affected by the conflict. Many of these emails contain links to counterfeit websites claiming to provide information about the ongoing situation and encouraging individuals to donate using various cryptocurrency payment methods, as reported by Kaspersky researchers.

Attacks on Web Applications Spike in Third Quarter, New Talos IR Data Shows

There was a notable increase in threats to web applications, accounting for 30 percent of the engagements Cisco Talos Incident Response (Talos IR) responded to in the third quarter of 2023, compared to 8 percent the previous quarter. Exploitation of public-facing applications was the top observed means of gaining initial access, accounting for 30 percent of engagements.

Citrix Bleed Exploit Lets Hackers Hijack NetScaler Accounts

A proof-of-concept (PoC) exploit is released for the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, that allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances. CVE-2023-4966 is a critical-severity remotely exploitable information disclosure flaw Citrix fixed on October 10 without providing many details.

ESET: Winter Vivern Exploits Zero-Day Vulnerability in Roundcube Webmail Servers

As per a report by ESET security, a well-known cybersecurity endpoint protection vendor, the threat actor identified as Winter Vivern, also known as TA473 and UAC-0114, has been detected exploiting a zero-day vulnerability in Roundcube webmail software on October 11, 2023, for the purpose of gathering email messages from victims' accounts. Telemetry data indicates that the campaign specifically aimed at Roundcube Webmail servers owned by governmental entities and a think tank, all located in Europe.

Strengthening Ransomware Defense: The Importance of Title Case Security Patch Management

A recent TrendMicro report highlights that IT teams are currently grappling with a deluge of software patches, which are being released on a regular basis, ranging from monthly to daily. As per statistics, contemporary enterprises are burdened with managing an average of 1,061 applications, and due to the frequent issuance of patches by various software vendors, the need for strategic prioritization has become imperative.

'Log in with...' Feature Allows Full Online Account Takeover for Millions

Security flaws in the use of OAuth by Grammarly, Vidio, and Bukalapak could potentially put the financial and credential information of millions of users at risk. These issues also raise concerns that other online services may face similar problems, potentially leading to account takeovers, credential theft, and financial fraud for users across various websites. Salt Labs researchers found serious API misconfigurations on websites like Grammarly, Vidio, and Bukalapak, indicating that numerous other sites might be similarly affected.

September Was a Record Month for Ransomware Attacks in 2023

Ransomware activity in September reached unprecedented levels following a relative lull in August that was still way above regular standards for summer months. According to NCC Group data, ransomware groups launched 514 attacks in September. This surpasses March 2023 activity, which counted 459 attacks, and was heavily skewed by Clop's MOVEit Transfer data theft attacks.

Vietnamese DarkGate Malware Targets META Accounts in the UK, USA, India

Cybersecurity firm WithSecure, has discovered a connection between recent DarkGate malware attacks targeting its clients and Vietnam-based threat actors engaged in a campaign to compromise Meta business accounts and pilfer sensitive data. WithSecure's Detection and Response Team (DRT) reported multiple DarkGate malware infection attempts against their clients' organizations in the UK, USA, and India on August 4, 2023. The attack methods closely resemble those seen in recent DuckTail infostealer campaigns, which WithSecure has been monitoring for over a year.

New TetrisPhantom Hackers Steal Data from Secure USB Drives on Govt Systems

A new sophisticated threat tracked as ‘TetrisPhantom’ has been using compromised secure USB drives to target government systems in the Asia-Pacific region. Secure USB drives store files in an encrypted part of the device and are used to safely transfer data between systems, including those in an air-gapped environment. Access to the protected partition is possible through custom software that decrypts the contents based on a user-provided password. One such software is UTetris[.]exe, which is bundled on an unencrypted part of the USB drive.

US Energy Firm Shares How Akira Ransomware Hacked its Systems

In a rare display of transparency, US energy services firm BHI Energy details how the Akira ransomware operation breached their networks and stole the data during the attack. BHI Energy, part of Westinghouse Electric Company, is a specialty engineering services and staffing solutions provider supporting private and government-operated oil & gas, nuclear, wind, solar, and fossil power generation units and electricity transmission and distribution facilities.

Google Chrome's New "IP Protection" Will Hide Users' IP Addresses

Google is set to introduce a new "IP Protection" feature in its Chrome browser to enhance user privacy by concealing their IP addresses through the use of proxy servers. This move aims to address privacy concerns related to IP addresses, which can be used for covert tracking, and marks Google's effort to strike a balance between user privacy and web functionality.

Tracking Unauthorized Access to Okta's Support System

In a recent statement from Okta Security, they've reported the discovery of malicious activity involving the unauthorized use of a stolen credential to access Okta's support case management system. The threat actor was able to access files uploaded by specific Okta customers as part of recent support cases. It's essential to clarify that the support case system operates independently of the primary Okta service, which remains fully functional and unaffected. Notably, the Auth0/CIC case management system has not been impacted by this incident.

Pro-Israeli Hacktivist Group 'Predatory Sparrow' Reappears

A hacktivist group supporting Israel, known as Predatory Sparrow, has resurfaced recently. Last week, the group broke its year-long silence by posting a tweet referencing the ongoing Gaza conflict, warning of its return and sharing a link to a report about the United States sending fighter planes and warships to aid Israel. Predatory Sparrow is recognized as a relatively advanced Israeli hacking operation, and it has a track record of conducting disruptive attacks in Iran, aimed at undermining the Iranian government.

ExelaStealer: A New Low-Cost Cybercrime Weapon Emerges

In a report from Fortinet, they detail a new information-stealing malware named ExelaStealer that has recently emerged in the cybersecurity landscape. ExelaStealer is described as a low-cost, mostly open-source infostealer with the option for paid customizations. This affordability and openness make it accessible to a wide range of cybercriminals, from novices to more seasoned threat actors. The malware is predominantly coded in Python and offers support for JavaScript. It possesses the capability to exfiltrate a variety of sensitive data, including passwords, Discord tokens, credit card information, cookies, session data, keystrokes, screenshots, and clipboard content.

Attacks on 5G Infrastructure from User Devices: ASN.1 Vulnerabilities in 5G Core

In a recent report from TrendMicro, researchers delve into critical vulnerabilities and risks associated with 5G and its infrastructure. They take a particular focus on the control plane and the susceptibility of the NGAP protocol to ASN.1-related issues. The first part of the report reveals how GTP-U tunnels can be exploited by user devices, potentially leading to core network crashes. In the second part, the report discusses how attackers can leverage these vulnerabilities by disguising control messages as user traffic, resulting in the transition from the user plane to the control plane.

North Korean Hackers Are Targeting Software Developers and Impersonating IT Workers

North Korean hackers have notably increased their emphasis on the IT industry, by infiltrating companies involved in software development and organizations seeking IT professionals. On Wednesday, Microsoft disclosed that North Korean affiliated hacking groups Lazarus (Diamond Sleet) and Andariel (Onyx Sleet) have been exploiting a critical authentication bypass vulnerability (CVE-2023-42793) within JetBrains TeamCity server.

QR Codes Used in 22% of Phishing Attacks

Hoxhunt released the results of their Hoxhunt Challenge, an exercise conducted in 38 organizations across nine industries and 125 countries. Their study revealed that 22% of phishing attacks in the first weeks of October 2023 used QR codes to deliver malicious payloads.

E-Root Admin Faces 20 Years for Selling Stolen RDP, SSH Accounts

Sandu Diaconu, the operator of the E-Root marketplace, has been extradited to the U.S. to face a maximum imprisonment penalty of 20 years for selling access to compromised computers. The Moldovan defendant was arrested in the U.K. in May 2021 while attempting to flee the country following the authorities' seizure of E-Root's domains in late 2020. Last month, Diaconu consented to be extradited to the United States for wire fraud, money laundering, computer fraud, and access device fraud

Iran-Linked OilRig Targets Middle East Governments in 8-Month Cyber Campaign

The OilRig threat group, connected to Iran, conducted an eight-month-long cyber campaign against an unspecified Middle Eastern government from February to September 2023. This operation resulted in the theft of files and passwords, and at one point, they used a PowerShell backdoor called PowerExchange. The Symantec Threat Hunter Team refers to this operation as "Crambus." The attackers used the PowerExchange implant to monitor emails from an Exchange Server, execute commands, and send the results to themselves. They compromised at least 12 computers and installed backdoors and keyloggers on an additional dozen machines, indicating a significant breach.

The Iron Swords War – Cyber Perspectives from the First 10 Days of the War in Israel

In a recent report from Check Point, the focus is on escalating cyber activities during the Israel-Hamas conflict. The key points include a surge in cyberattacks targeting Israel, diverse cyber threats like DDoS attacks and hack-and-leak incidents, and the involvement of various hacktivist groups aligned with geopolitical interests. These developments are causing heightened risks and tensions in the cyber domain.

Multiple North Korean Threat Actors Exploiting the TeamCity CVE-2023-42793 Vulnerability

wo North Korean nation-state actors, Lazarus (or Zinc) and Plutonium (or Andariel), have been exploiting a known remote code execution vulnerability in the TeamCity continuous integration and continuous deployment tool. The vulnerability, CVE-2023-42793, was patched by JetBrains in version 2023.05.4. These actors have been targeting on-premises instances of TeamCity, deploying backdoors, stealing credentials, and more. Microsoft's threat intelligence group observed these attacks and noted that both groups may be opportunistically compromising vulnerable servers, but they have also used techniques that could provide persistent access to victim environments.

Ex-Navy IT Head Gets 5 Years for Selling People’s Data on Darkweb

Marquis Hooper, a former U.S. Navy IT manager, has received a sentence of five years and five months in prison for illegally obtaining US citizens' personally identifiable information (PII) and selling it on the dark web. The man was indicted with his wife, Natasha Renee Chalk, in February 2021 and pleaded guilty to aggravated identity theft and conspiracy to commit wire fraud in March 2023.

Ukrainian Activists Hack Trigona Ransomware Gang, Wipe Servers

A group of cyber activists under the Ukrainian Cyber Alliance (UAC) banner has hacked the servers of the Trigona ransomware gang and wiped them clean after copying all the information available. The Ukrainian Cyber Alliance fighters say they exfiltrated all of the data from the threat actor’s systems, including source code and database records, which may include decryption keys.

D-Link Confirms Data Breach after Employee Phishing Attack

Taiwanese networking equipment manufacturer D-Link confirmed a data breach linked to information stolen from its network and put up for sale on BreachForums earlier this month. The attacker claims to have stolen source code for D-Link's D-View network management software, along with millions of entries containing personal information of customers and employees, including details on the company's CEO.

Critical Vulnerabilities Expose Weintek HMIs to Attacks

Last week, CISA warned organizations about critical and high-severity vulnerabilities in a human-machine interface (HMI) product made by Taiwan-based Weintek. According to CISA, the impacted product, the Weintek cMT HMI, is used worldwide, including in critical manufacturing organizations, which are considered part of critical infrastructure.

Is It On or Off? Cisco IOS XE Devices Hacked in Widespread Attacks

Amid the COVID-19 pandemic, as remote work became a necessity, IT teams had to rapidly implement protocols and software suites to maintain business continuity and efficiency. This involved enabling routing configurations and adjusting inbound and outbound policies on appliances that previously didn't support remote connections. This allowed networking appliances and software packages to be accessed and configured on-the-fly, enabling staff to access the necessary resources for their work from locations outside the traditional office spaces.

Russian Sandworm Hackers Breached 11 Ukrainian Telcos Since May

The state-sponsored Russian hacking group tracked as 'Sandworm' has compromised eleven telecommunication service providers in Ukraine between May and September 2023. That is based on a new report by Ukraine's Computer Emergency Response Team (CERT-UA) citing 'public resources' and information retrieved from some breached providers.

Researchers Warn of Increased Malware Delivery via Fake Browser Updates

Researchers from Sekoia have released details on a new campaign from the threat group behind SocGholish. This latest activity leverages compromised WordPress sites to push malicious fake browser updates. The campaign, which has been called ClearFake, injects Javascript into compromised WordPress websites so that it downloads another Javascript payload from an attacker controlled domain.

Colonial Pipeline Attributes Ransomware Claims to ‘Unrelated’ Third-Party Data Breach

Colonial Pipeline has reported that there has been no disruption to its pipeline operations or systems following threats from a ransomware group known as Ransomed.vc. Colonial Pipeline is responsible for operating the largest pipeline system for refined oil products in the United States. The Ransomed.vc gang claimed that they had stolen data from Colonial Pipeline's systems.

macOS Malware 2023 | A Deep Dive into Emerging Trends and Evolving Techniques

In a recent report by SentinelOne, they've highlighted a noteworthy shift in the behavior of macOS malware. The trend we're observing is a move away from the concept of persistence, particularly in many malware families. Specifically, infostealers have taken center stage, aiming to accomplish their objectives in a single execution. This includes the theft of valuable data such as admin passwords, browsing history, and cookies, all achieved without relying on traditional methods of maintaining persistence.

Women Political Leaders Summit Targeted in Romcom Malware Phishing

A less detectable version of the RomCom backdoor was used to target attendees of the Women Political Leaders Summit in Brussels, which centers on gender equality and women in politics. The attackers created a fake website resembling the official WPL portal to lure individuals looking to participate or learn about the summit.

EPA Calls Off Cyber Regulations for Water Sector

The Environmental Protection Agency will no longer require cybersecurity audits of U.S. water utilities through sanitary surveys. “In a letter to state drinking water administrators on Thursday, the EPA said litigation from Republican states and trade associations, which raised questions about the long-term legal viability of the initiative to regulate the cybersecurity of water utilities, drove the decision to rescind a March memorandum implementing the rule.

Ransomware Attacks Now Target Unpatched WS_FTP Servers

Internet-exposed WS_FTP servers unpatched against a maximum severity vulnerability are now targeted in ransomware attacks. As recently observed by Sophos X-Ops incident responders, threat actors self-described as the Reichsadler Cybercrime Group attempted, unsuccessfully, to deploy ransomware payloads created using a LockBit 3.0 builder stolen in September 2022.

DarkGate Malware Spreading via Messaging Services Posing as PDF Files

The DarkGate malware is being spread through messaging platforms like Skype and Microsoft Teams. It disguises itself as a PDF document, but contains a harmful script that downloads and runs the malware. It’s uncertain how the attackers compromised the messaging app accounts, but it’s suspected to be due to leaked credentials or a previous compromise of the organization.

Newest Ransomware Trend: Attackers Move Faster with Partial Encryption

In a recent report from Check Point, it was observed that ransomware actors can rapidly incapacitate systems through partial encryption. You might be wondering, what is partial encryption and why is it effective? Generally, encryption, especially for large data volumes, can be a time-consuming process. Consequently, attackers are seeking more efficient and effective methods to make victims' data inaccessible until the ransom is paid.

Assessed Cyber Structure and Alignments of North Korea in 2023

North Korea’s state-sponsored hackers, under the direction of its ruling regime, are constantly improving their tactics for conducting cyber operations. This information comes from a recent report by Google’s Mandiant threat intelligence team. The report reveals how the Pyongyang-based regime, despite its small population of 25 million, utilizes cyber intrusions for both espionage and financial crimes, thereby bolstering its power and financing its cyber and kinetic capabilities.

A Frontline Report of Chinese Threat Actor Tactics and Techniques

Microsoft threat intelligence experts are seeing a trend of Chinese threat groups deploying less desktop malware and prioritizing in stealing passwords and tokens that can be used to access sensitive systems used by remote workers. Ever since the COVID-19 pandemic, work from home has become a norm with organizations granting employees remote access to sensitive systems and resources.

LinkedIn Smart Links Attacks Return to Target Microsoft Accounts

Cofense has detected a surge in the abuse of LinkedIn Smart Links in phishing attacks allowing actors to bypass protection measures and evade detection. “Smart Links are part of LinkedIn's Sales Navigator service, used for marketing and tracking, allowing Business accounts to email content using trackable links to determine who engaged with it.

AvosLocker Ransomware Continues to Target US - CISA Alert AA23-284A

On October 11, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on AvosLocker ransomware. AvosLocker is a Ransomware-as-a-Service group that employs double extortion tactics in their ransomware attack campaigns. AvosLocker was first seen in June 2021, and they have multiple ransomware variants for Windows, Linux, and VMware ESXi environments.

LinkedIn Smart Links Attacks Return to Target Microsoft Accounts

Cofense has detected a surge in the abuse of LinkedIn Smart Links in phishing attacks allowing actors to bypass protection measures and evade detection. “Smart Links are part of LinkedIn's Sales Navigator service, used for marketing and tracking, allowing Business accounts to email content using trackable links to determine who engaged with it. Also, because Smart Link uses LinkedIn's domain followed by an eight-character code parameter, they appear to originate from a trustworthy source and bypass email protections” .

AvosLocker Ransomware Continues to Target US - CISA Alert AA23-284A

On October 11, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on AvosLocker ransomware. AvosLocker is a Ransomware-as-a-Service group that employs double extortion tactics in their ransomware attack campaigns. AvosLocker was first seen in June 2021, and they have multiple ransomware variants for Windows, Linux, and VMware ESXi environments.

High Severity Vulnerability in curl 8.4.0

Last week, researchers warned of a critical flaw in curl, the popular command line transfer tool. Curl project founder and lead developer Daniel Stenberg called it “probably the worst curl security flaw in a long time.” While details were initially withheld, a patch released today fixed two separate vulnerabilities tracked as CVE-2023-38545 and CVE-2023-38546.

One-Click Exploit Reveals Common Software's Supply Chain Risk in Linux Operating Systems

Researchers from GitHub security lab have discovered a critical vulnerability in a library used within the GNOME desktop environment for Linux systems. GNOME is a popular open-source desktop environment found in distributions like Ubuntu and Fedora. The vulnerability, rated 8.8 out of 10, resides in a library called "libcue," which is used for parsing metadata related to CD or DVD track layouts.

Google Mitigated the Largest DDoS Attack to Date, Peaking Above 398 Million RPS

Google says it mitigated a series of DDoS attacks reaching a peak of 398 million requests per second (rps), which is nearly 9 times bigger than the largest-recorded DDoS attack last year, peaking at 46 million rps. The latest set of attacks started in August and are still ongoing. According to Google, the attacks rely on a novel technique dubbed “Rapid Reset” which leverages stream multiplexing, a feature of the widely-adopted HTTP/2 protocol.

Microsoft to kill off VBScript in Windows to block malware delivery

Microsoft says it is in the works of removing VBScript (Visual Basic Script), a scripting language that was introduced by the tech giant approximately 30 years ago. Although VBScript was originally designed for Windows automation and administrative tasks, over the years, threat actors have misused it to create and distribute malicious payloads.

New Threat Actor “Grayling” Blamed For Espionage Campaign

Security researchers have revealed evidence of a newly discovered APT group that primarily targeted Taiwanese organizations during a cyber-espionage campaign spanning at least four months. Known as "Grayling" according to Symantec, this group initiated their operations in February 2023 and persisted until at least May 2023.

Phishing Scam Alert - Impersonation of USPS and Dozens of National Postal Services

As we approach the holiday season, we've remained vigilant in warning our members about the recent surge in phishing attacks targeting U.S. Postal Service (USPS) customers. These malicious campaigns are disseminated through SMS, email, and various other phishing methods. In these attacks, criminals impersonate USPS services with the intent to deceive individuals and pilfer personal and financial information.

Microsoft Releases New Report on Cybercrime, State-Sponsored Cyber Operations

According to Microsoft’s latest Digital Defense Report, Ukraine, the United States, and Israel were the most targeted countries based on state-sponsored threat activity observed by the tech giant against organizations in more than 120 countries. Based on intel gathered between July 2022 and June 2023, the majority of cyber attacks observed were fueled by nation-state spying and influence operations, with 40% of all observed attacks targeting critical infrastructure organizations.

D.C. Board of Elections Confirms Voter Data Stolen in Site Hack

The District of Columbia Board of Elections (DCBOE) is currently probing a data leak involving an unknown number of voter records following breach claims from a threat actor known as RansomedVC. DCBOE operates as an autonomous agency within the District of Columbia Government and is entrusted with overseeing elections, managing ballot access, and handling voter registration processes.

Hackers Hijack Citrix NetScaler Login Pages to Steal Credentials

Hackers are conducting a large-scale campaign to exploit the recent CVE-2023-3519 flaw in Citrix NetScaler Gateways to steal user credentials. The flaw is a critical unauthenticated remote code execution bug discovered as a zero-day in July that impacts Citrix NetScaler ADC and NetScaler Gateway. By early August, the flaw had been leveraged to backdoor at least 640 Citrix servers, and the figure reached 2,000 by mid-August.

NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations

The UK's National Cyber Security Centre (NCSC) has released guidance to assist medium to large organizations in mapping their supply chains, with a focus on boosting confidence in managing vulnerabilities related to suppliers. Additionally, a report by Picus Security highlights the growing prevalence of multipurpose malware, which possesses multiple functionalities.

GitHub's Secret Scanning Feature Now Covers AWS, Microsoft, Google, and Slack

GitHub recently updated its secret scanning feature to extend validity checks to popular services including Amazon Web Services (AWS), Microsoft, Google, and Slack. The feature was introduced earlier this year to help alert users whether exposed tokens found by the secret scanning are active. While the feature was first enabled for GitHub tokens, the cloud-based code hosting and version control service is now including support for more tokens.

Sony Confirms Data Breach Impacting Thousands in the U.S.

Sony Interactive Entertainment (Sony) has informed both current and former employees and their family members regarding a cybersecurity incident that resulted in the exposure of personal information. The company has dispatched data breach notifications to approximately 6,800 individuals, verifying that the breach transpired due to an unauthorized entity exploiting a zero-day vulnerability in the MOVEit Transfer platform.

Maritime Infrastructure Security Breaches from Drones ‘Becoming a Common Occurrence,’ Says Report

A recent report highlights the growing presence of drones above sensitive maritime facilities, signaling a common occurrence. The report also criticizes the effectiveness of current federal counter-UAS legislation, citing a lack of authorities and capabilities to intercept suspicious drones. U.S. Coast Guard Capt. Andrew J. Meyers emphasized the importance of Area Maritime Security Committees (AMSCs) in safeguarding the nation's ports, praising their role in fostering relationships, collaborative planning, communication, and unity of effort.

Exploits Released for Linux Flaw Giving Root on Major Distros

Proof-of-concept exploits have already surfaced online for a high-severity flaw in GNU C Library's dynamic loader, allowing local attackers to gain root privileges on major Linux distributions. Dubbed 'Looney Tunables' and tracked as CVE-2023-4911, this security vulnerability is due to a buffer overflow weakness, and it affects default installations of Debian 12 and 13, Ubuntu 22.04 and 23.04, and Fedora 37 and 38.

Atlassian Confluence Hit by New Actively Exploited Zero-Day – Patch Now

Atlassian has published security updates to fix an actively exploited zero-day vulnerability in its Confluence Data Center and Server software. Tracked as CVE-2023-22515, the flaw relates to a case of privilege escalation. Although Atlassian did not specify the root cause of this flaw, the vulnerability could allow a regular user account to elevate to admin.

US Executives Targeted in Phishing Attacks Exploiting Flaw in Indeed Job Platform

In a recent report from Menlo Security, it was discovered that Indeed, a widely recognized global job search platform headquartered in the US, boasting over 350 million monthly visitors and a global workforce of more than 14,000 employees, has become the focus of a significant phishing campaign. This campaign underscores how threat actors can exploit the platform's credibility and popularity.

EvilProxy Uses Indeed.com Open Redirect For Microsoft 365 Phishing

A recently uncovered phishing campaign is targeting Microsoft 365 accounts of key executives in U.S.-based organizations by abusing open redirects from the Indeed employment website for job listings. The threat actor is using the EvilProxy phishing service that can collect session cookies, which can be used to bypass multi-factor authentication (MFA) mechanisms.

New BunnyLoader Threat Emerges as a Feature-Rich Malware-As-A-Service

Security researchers discovered a new malware-as-a-service (MaaS) named 'BunnyLoader' advertised on multiple hacker forums as a fileless loader that can steal and replace the contents of the system clipboard. The malware is under rapid development, with updates adding new features and bug fixes. It can currently download and execute payloads, log keys, steal sensitive data and cryptocurrency, and execute remote commands.

Ransomware Reinfections on the Rise Due to Improper Remediation

According to a recent report from Malwarebytes, it was found that ransomware attacks don't typically originate as a fresh problem for organizations; instead, they are the grim culmination of unresolved network compromises. Threat actors gain initial access through stolen login credentials, deployed malware, or established backdoors—akin to leaving an unlocked door for future visits.

Malware-Infected Devices Sold Through Major Retailers

Human Security has exposed a significant monetization method employed by a sophisticated cyber-criminal operation. This operation involved the sale of backdoored off-brand mobile and CTV (Connected TV) Android devices through major retailers, which had originated from repackaging factories in China.

FBI Warns of Surge in 'Phantom Hacker' Scams Impacting Elderly

The FBI issued a public service announcement warning of a significant increase in 'phantom hacker' scams targeting senior citizens across the United States. ‘This Phantom Hacker scam is an evolution of more general tech support scams, layering imposter tech support, financial institution, and government personas to enhance the trust victims place in the scammers and identify the most lucrative accounts to target,’ the FBI said.

Ransomware Gangs Now Exploiting Critical TeamCity RCE Flaw

Ransomware gangs are now targeting a recently patched critical vulnerability in JetBrains' TeamCity continuous integration and deployment server. The flaw (tracked as CVE-2023-42793 and tagged with a 9.8/10 severity score) allows unauthenticated attackers to gain remote code execution (RCE) after successfully exploiting an authentication bypass weakness in low-complexity attacks that don't require user interaction.

Future Government Shutdowns: Potential Impact on National Cybersecurity

In a recent report from Forbes, the nation's cybersecurity was in a tight spot when Congress passed a bill to keep the government running for the next 45 days. A government shutdown could have caused problems for many government functions, including those responsible for protecting the country from cyberattacks. Depending on how long the shutdown lasted, it could have led to a crisis for companies and organizations across the country.

Microsoft Edge, Teams Get Fixes for Zero-days in Open-source Libraries

Microsoft released emergency security updates for Edge, Teams, and Skype to patch two zero-day vulnerabilities in open-source libraries used by the three products. The first bug is a flaw tracked as CVE-2023-4863 and is caused by a heap buffer overflow weakness in the WebP code library (libwebp), whose impact ranges from crashes to arbitrary code execution.

Strengths and Weaknesses of a Single-Vendor Approach: Microsoft

In a recent report by SentinelOne, it's highlighted that Microsoft's security business has seen substantial growth, generating over $20 billion annually. The International Data Corporation (IDC) reported that Microsoft holds the largest market share in 2022, at 18.9%, with a 7.2% increase. Similarly, Gartner estimated that in 2021, Microsoft controlled 8.5% of the entire security software market, outperforming its competitors.

Chinese Threat Actors Stole Around 60,000 Emails from US State Department in Microsoft Breach - Filing

This report was filed under "Vendor Reports" because it was investigated by Microsoft (being the vendor) as a notable incident, "Microsoft researchers discovered that the threat actors gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook[.]com by forging authentication tokens to access user email." Microsoft corrected the issue in its products by, "Revoking all valid MSA signing keys to prevent attackers from accessing other compromised keys."

Zanubis Android Banking Trojan Poses as Peruvian Government App to Target Users

An emerging Android banking trojan called Zanubis is now masquerading as a Peruvian government app to trick unsuspecting users into installing the malware. ‘Zanubis's main infection path is through impersonating legitimate Peruvian Android applications and then tricking the user into enabling the Accessibility permissions in order to take full control of the device,’ Kaspersky said in an analysis published last week.

Millions of Exim Mail Servers Exposed to Zero-Day RCE Attacks

A critical zero-day vulnerability was disclosed in the Exim mail transfer agent (MTA) software, which if successfully exploited could enable an unauthenticated attacker to gain remote code execution on Internet-exposed servers. Tracked as CVE-2023-42115, the flaw resides in the SMTP service, which listens on TCP port 25 by default. According to Trend Micro’s Zero Day Initiative, which uncovered the flaw, CVE-2023-42115 results from a lack of proper validation of user-supplied data which could result in a write past the end of a buffer and further allow an attacker to execute code in the context of the service account.

Exploit Available for Critical WS_FTP Bug Exploited in Attacks

Over the weekend, security researchers uncovered a critical vulnerability (CVE-2023-40044) in Progress Software's WS_FTP Server. They released a proof-of-concept (PoC) exploit along with technical details. The flaw stems from a .NET deserialization vulnerability in the Ad Hoc Transfer Module, allowing unauthenticated attackers to execute remote commands via a simple HTTP request. Assetnote researchers, who discovered the issue, expressed surprise at how long it remained unpatched.

Exploit Released for Microsoft SharePoint Server Authentication Bypass Flaw

Proof-of-concept exploit code has surfaced on GitHub for a critical authentication bypass vulnerability in Microsoft SharePoint Server, allowing privilege escalation. Tracked as CVE-2023-29357, the security flaw can let unauthenticated attackers gain administrator privileges following successful exploitation in low-complexity attacks that don't require user interaction.

Hackers Steal User Database from European Telecommunications Standards Body

Hackers targeted the European Telecommunications Standards Institute (ETSI), a nonprofit organization responsible for developing communication standards, and stole a user database. The motive behind the attack remains unclear, with suspicions ranging from financial gain to potential espionage. ETSI engaged France's cybersecurity agency ANSSI to investigate and enhance its information systems' security.

Chinese Threat Actors Stole Around 60,000 Emails from US State Department in Microsoft Breach

China-linked hackers breached Microsoft's email platform in May and stole tens of thousands of emails from U.S. State Department accounts, according to a Senate staffer. During a briefing by State Department IT officials, it was revealed that threat actors targeted around 60,000 emails from a total of 10 State Department accounts belonging to officials working in East Asia, the Pacific, and Europe.

Budworm Hackers Target Telcos and Govt Orgs With Custom Malware

A Chinese cyber-espionage group known as Budworm has recently been detected engaging in cyberattacks. They have specifically targeted a telecommunications company in the Middle East and a government organization in Asia. What's noteworthy is that they've deployed a new version of their customized 'SysUpdate' malware.

Google Fixes Fifth Actively Exploited Chrome Zero-Day of 2023

Yesterday, Google released emergency security updates to address a zero-day flaw impacting its Chrome Browser. Tracked as CVE-2023-5217, the flaw relates to a heap buffer overflow weakness in the VP8 encoding of libvpx, an open-source video codec library from Google and the Alliance for Open Media (AOMedia). A successful exploit of this flaw could lead to browser crashes or arbitrary code execution.

Cisco Urges Admins to Fix IOS Software Zero-Day Exploited in Attacks

Multiple vulnerabilities have been identified in Cisco Catalyst SD-WAN Manager (formerly Cisco SD-WAN vManage). These vulnerabilities could potentially allow attackers to access an affected instance or cause a denial of service (DoS) condition on the affected system. Cisco has taken action to address these vulnerabilities through software updates, "Although exploiting this vulnerability demands significant access to the target environment, threat actors have already initiated attacks, as reported by the company in the same advisory.

US and Japan Warn of Chinese Hackers Backdooring Cisco Routers

US and Japanese law enforcement and cybersecurity agencies warn of the Chinese 'BlackTech' hackers breaching network devices to install custom backdoors for access to corporate networks. The joint report comes from the FBI, NSA, CISA, and the Japanese NISC (cybersecurity) and NPA (police), who explain that the state-sponsored hacking group is breaching network devices at international subsidiaries to pivot to the networks of corporate headquarters.

GitHub Repos Bombarded By Info-Stealing Commits Masked as Dependabot

Hackers are breaching GitHub accounts and inserting malicious code disguised as Dependabot contributions to steal authentication secrets and passwords from developers. The campaign unfolded in July 2023, when researchers discovered unusual commits on hundreds of public and private repositories forged to appear as Dependabot commits.

New ZenRAT Malware Targeting Windows Users via Fake Password Manager Software

Researchers at Proofpoint have uncovered a new malware strain dubbed ZenRAT which is being distributed via bogus installation packages of the Bitwarden password manager. ZenRAT is a modular remote access trojan that comes with various modules designed to steal information from victims’ systems. Although researchers noted that ZenRAT is being hosted on fake websites pretending to be associated with Bitwarden, it’s unclear how end users are being directed to these sites.

New Zerofont Phishing Tricks Outlook Into Showing Fake AV-Scans

Threat actors are employing a novel tactic by incorporating zero-point fonts within emails, creating the illusion that malicious emails have undergone successful security scans in Microsoft Outlook. While the ZeroFont phishing method has been previously observed, its current application marks a significant development. ISC Sans analyst Jan Kopriva, in a recent report, cautions that this technique could greatly enhance the success rate of phishing attacks, underscoring the importance of user awareness regarding its deployment in real-world scenarios.

Shadowsyndicate Hackers Linked to Multiple Ransomware Ops, 85 Servers

Security researchers have identified ShadowSyndicate as a threat actor using seven ransomware families in attacks over the past year. They suggest it could be an initial access broker and affiliate to ransomware operations. Their findings are based on a distinct SSH fingerprint found on 85 IP servers, discovered using tools like Shodan and Censys. This fingerprint was first seen in July 2022 and still in use in August 2023. Researchers also found eight different Cobalt Strike watermarks on ShadowSyndicate servers.

BORN Ontario child registry data breach affects 3.4 million people

The Better Outcomes Registry & Network (BORN), a healthcare organization funded by the government of Ontario, has announced that it is among the victims of Clop ransomware's MOVEit hacking spree. BORN is a perinatal and child registry that collects, interprets, shares and protects critical data about pregnancy, birth and childhood in the province of Ontario.

Ukrainian Military Targeted in Phishing Campaign Leveraging Drone Manuals

Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin. ‘Since drones or Unmanned Aerial Vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-laced lure files themed as UAVs service manuals have begun to surface," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

New Stealthy and Modular Deadglyph Malware Used in Govt Attacks

A highly advanced backdoor malware called 'Deadglyph' was recently employed in a cyber espionage operation targeting a Middle Eastern government agency. This sophisticated malware, known as Deadglyph, has been linked to the Stealth Falcon Advanced Persistent Threat (APT) group, also known as Project Raven or FruityArmor.

Is Gelsemium APT Behind a Targeted Attack in Southeast Asian Government?

Researchers at Kaspersky Lab have uncovered a new backdoor called "SessionManager" that has been used in attacks targeting Microsoft IIS Servers since March 2021. This backdoor allows threat actors to maintain persistent, update-resistant, and stealthy access to a targeted organization's IT infrastructure. It has been deployed in over 20 organizations, and as of late April 2022, many samples were not yet flagged as malicious by online file scanning services.

Dallas says Royal Ransomware Breached its Network Using Stolen Account

The City of Dallas, Texas, said this week that the Royal ransomware attack that forced it to shut down all IT systems in May started with a stolen account. Royal gained access to the City's network using a stolen domain service account in early April and maintained access to the compromised systems between April 7 and May 4. During this period, they successfully collected and exfiltrated 1.169 TB worth of files based on system log data analysis conducted by city officials and external cybersecurity experts.

Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape

Proofpoint has observed an increase in activity from specific malware families targeting Chinese-language speakers. Campaigns include Chinese-language lures and malware typically associated with Chinese cybercrime activity. Newly observed ValleyRAT is emerging as a new malware among Chinese-themed cybercrime activity, while Sainbox RAT and related variants are recently active as well.

Pro-Russia Hacker Group NoName Launched a DDoS Attack on Canadian Airports Causing Severe Disruption

Pro-Russia hacker group NoName is suspected of launching a DDoS cyberattack that caused significant disruptions at several Canadian airports. The attack affected check-in kiosks and electronic gates, leading to delays in the processing of arrivals at border checkpoints across the country. The Canada Border Services Agency (CBSA) confirmed the DDoS attack and is investigating the incident, assuring that no personal information has been compromised. No evidence of a data breach has been found at this time.

P2PInfect Botnet Activity Surges 600x with Stealthier Malware Variants

The P2PInfect botnet worm has entered a phase of significantly increased activity, with a notable surge observed from late August through September 2023. Initially documented by Unit 42 in July 2023, P2PInfect is categorized as a peer-to-peer malware that exploits a remote code execution vulnerability to breach Redis instances on internet-exposed Windows and Linux systems.

Cyber Group 'Gold Melody' Selling Compromised Access to Ransomware Attackers

A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant).

T-Mobile App Glitch Let Users See Other People's Account Info

Today, T-Mobile customers said they could see other peoples' account and billing information after logging into the company's official mobile application. According to user reports on social media, the exposed information included customers' names, phone numbers, addresses, account balances, and credit card details like the expiration dates and the last four digits.

GitLab Releases Urgent Security Patches for Critical Vulnerability

GitLab recently rolled out security updates to address a critical vulnerability impacting its enterprise edition. Tracked as CVE-2023-5009, the flaw could enable an attacker to run pipelines as an arbitrary user via scheduled security scan policies. As such, the actor could use elevated permissions of the impersonated user to further access sensitive information, modify source code, or even run arbitrary code on the targeted system.

Finnish Authorities Dismantle Notorious PIILOPUOTI Dark Web Drug Marketplace

Finnish law enforcement authorities have announced the takedown of PIILOPUOTI, a dark web marketplace that specialized in illegal narcotics trade since May 2022. ‘The site operated as a hidden service in the encrypted TOR network,’ the Finnish Customs (aka Tulli) said in a brief announcement on Tuesday. ‘The site has been used in anonymous criminal activities such as narcotics trade.’

Fake WinRAR Proof-of-Concept Exploit Drops VenomRAT Malware

Threat actors exploited a recently disclosed WinRAR vulnerability (CVE-2023-40477) by repurposing an older proof-of-concept (PoC) code. The Zero Day Initiative initially reported the WinRAR vulnerability to the vendor on June 8, 2023, but publicly disclosed it on August 17, 2023. Within four days of the public disclosure, an actor known as "whalersplonk" uploaded a fake PoC script to their GitHub repository.

Snatch Ransomware Alert

Snatch is a ransomware group primarily targeting Windows-based systems. They employ various tactics, including exploiting vulnerabilities, brute force attacks, and data exfiltration to compromise and extort victims. Snatch operates under a ransomware-as-a-service (RaaS) model and has targeted critical infrastructure sectors such as Defense Industrial Base (DIB), Food and Agriculture, and Information Technology.

ShroudedSnooper Threat Actors Target Telecom Companies in the Middle East

Telecommunications companies have increasingly become the focus of state-sponsored actors and advanced adversaries in recent years. In 2022, the telecommunications sector consistently ranked as one of the most targeted verticals in Talos IR (Incident Response) engagements. Telecom companies control critical infrastructure assets, which make them attractive targets for adversaries seeking to create significant disruptions.

Trend Micro Fixes Endpoint Protection Zero-day Used in Attacks

Trend Micro fixed a remote code execution zero-day vulnerability in the Trend Micro's Apex One endpoint protection solution that was actively exploited in attacks. Apex One is an endpoint security solution catering to businesses of all sizes, and the 'Worry-Free Business Security' suite is designed for small to medium-sized companies.

Earth Lusca Expands Arsenal with SprySocks Linux Malware

China-linked threat group Earth Lusca has deployed a new Linux malware called SprySOCKS in a recent cyber espionage campaign. Researchers at Trend Micro discovered this malware while tracking Earth Lusca's activities. SprySOCKS, based on an open-source Windows backdoor called Trochilus, was adapted for Linux. Earth Lusca continues to develop it, as evidenced by different versions detected.

Bumblebee Malware Returns in New Attacks Abusing WebDAV Folders

The malware loader 'Bumblebee' has broken its two-month vacation with a new campaign that employs new distribution techniques that abuse 4shared WebDAV services. WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that enables clients to perform remote authoring operations such as creating, accessing, updating, and deleting web server content.

Microsoft AI Researchers Accidentally Expose 38 Terabytes of Confidential Data

Microsoft on Monday said it took steps to correct a glaring security gaffe that led to the exposure of 38 terabytes of private data. The leak was discovered on the company's AI GitHub repository and is said to have been inadvertently made public when publishing a bucket of open-source training data, Wiz said. It also included a disk backup of two former employees' workstations containing secrets, keys, passwords, and over 30,000 internal Teams messages.

New AMBERSQUID Cryptojacking Operation Targets Uncommon AWS Services

A new cloud-native cryptojacking operation, known as AMBERSQUID, is targeting less common AWS services like AWS Amplify, AWS Fargate, and Amazon SageMaker for illicit cryptocurrency mining. Sysdig, a security firm, identified this campaign while analyzing 1.7 million Docker Hub images and attributed it to Indonesian attackers due to their use of the Indonesian language in scripts and usernames.

FBI Hacker USDOD Leaks Highly Sensitive TransUnion Data

“Researchers at vx-underground have uncovered a major data breach involving the hacker known as "USDoD," who leaked highly sensitive data from TransUnion, a leading consumer credit reporting agency. The breach exposed personal information of 58,505 individuals globally, including names, passport details, financial data, and more, dating back to March 2022.

Canadian Government Targeted With DDoS Attacks by Pro-Russia Group

The pro-Russian cybercrime group named NoName057(16) has been observed launching distributed denial-of-service (DDoS) attacks against Canadian organizations, a fresh government alert warns. Since March 2022, the threat actor – also known as NoName05716, 05716nnm or Nnm05716 – has been launching disruptive attacks in support of Russia’s invasion of Ukraine.

BlackCat Ransomware Hits Azure Storage with Sphynx Encryptor

The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets' Azure cloud storage. While investigating a recent breach, Sophos X-Ops incident responders discovered that the attackers used a new Sphynx variant with added support for using custom credentials. After gaining access to the Sophos Central account using a stolen One-Time Password (OTP), they disabled Tamper Protection and modified the security policies

Iranian Hackers Breach Defense Orgs in Password Spray Attacks

Since February 2023, Microsoft has reported that an Iranian-backed threat group known as APT33 (or Peach Sandstorm, HOLMIUM, Refined Kitten) has been conducting password spray attacks against thousands of organizations in the U.S. and globally. These attacks involve attempting to access multiple accounts using a single or commonly used password, increasing the chances of success without triggering account lockouts.

ORBCOMM Ransomware Attack Causes Trucking Fleet Management Outage

Trucking and fleet management solutions provider ORBCOMM has confirmed that a ransomware attack is behind recent service outages preventing trucking companies from managing their fleets. ORBCOMM is a solutions provider for freight companies to manage fleets and track transported assets. The company also provides Electronic Logging Devices (ELD) that truckers use to log their hours to adhere to federal safety regulations.

NodeStealer Malware Now Targets Facebook Business Accounts on Multiple Browsers

An ongoing campaign is targeting Facebook Business accounts with bogus messages to harvest victims' credentials using a variant of the Python-based NodeStealer and potentially take over their accounts for follow-on malicious activities. ‘The attacks are reaching victims mainly in Southern Europe and North America across different segments, led by the manufacturing services and technology sectors.

Pirated Software Likely Cause of Airbus Breach

A major data breach at Airbus revealed earlier this week stemmed from a RedLine info-stealer likely hidden in a pirated copy of Microsoft software, according to researchers. The European aerospace giant said it has launched an investigation into the incident.

Enterprises Persist with Outdated Authentication Strategies

Despite authentication being a cornerstone of cybersecurity, risk mitigation strategies remain outdated, according to new research from Enzoic. With the attack surface expanding and the increasing sophistication of cyber threats, organizations are struggling to deliver secure and user-friendly authentication. The research uncovered that despite the emergence of modern strategies, most companies still rely on traditional approaches.

Scattered Spider Behind MGM Cyberattack, Targets Casinos

The "Scattered Spider" threat group is believed to be responsible for the cyberattack on MGM Resorts that occurred on September 10. This attack has left systems offline in over 30 hotels and casinos owned by the conglomerate worldwide, and the disruption continues even days later. As reported by Reuters, the Scattered Spider ransomware group, as identified by sources familiar with the situation, is believed to consist of young individuals based in the US and UK.

Russian Journalist's iPhone Compromised by NSO Group's Zero-Click Spyware

The iPhone belonging to Galina Timchenko, a prominent Russian journalist and critic of the government, was compromised with NSO Group's Pegasus spyware, a new collaborative investigation from Access Now and the Citizen Lab has revealed. The infiltration is said to have happened on or around February 10, 2023. Timchenko is the executive editor and owner of Meduza, an independent news publication based in Latvia.

Update Adobe Acrobat and Reader to Patch Actively Exploited Vulnerability

Adobe recently addressed a critical flaw in Acrobat and Reader that could enable actors to execute malicious code on targeted systems. Tracked as CVE-2023-26369, the vulnerability has been rated 7.8 out of 10 on the CVSS scale, indicating a high level of severity. According to the vendor, CVE-2023-26369 relates to an out-of-bounds write issue and can be exploited to execute arbitrary code via specially crafted PDF documents.

Suspected Ransomware Attack Hits Auckland Transport's Hop Cards

Auckland Transport's Hop card system has been hit by a suspected ransomware attack, leading to disruptions in card top-up services and limited functionality at customer service centers. The attack is under investigation, and there is no indication that personal or financial data has been compromised. Commuters can still use their cards to tag on and off, but online top-ups and services on the AT website are unavailable.

Kubernetes Flaws Could Lead to Remote Code Execution on Windows Endpoints

Akamai researchers recently discovered a high-severity vulnerability in Kubernetes tracked as CVE-2023-3676 (CVSS 8.8). This identification of this issue led to the discovery of two more vulnerabilities tracked as CVE-2023-3893, and CVE-2023-3955 (CVSS 8.8). All three vulnerabilities were caused by insecure function call and the lack of user input sanitization.

MetaStealer Malware is Targeting Enterprise macOS Users

A new strain of macOS malware is targeting enterprise users, as indicated by file names and content. Some versions of this malware, called MetaStealer, masquerade as Adobe files, while others use deceptive methods like password-protected ZIP files sent by fake clients. Once opened, these files reveal an app disguised as a PDF.

Ransomware Access Broker Steals Accounts via Microsoft Teams Phishing

Microsoft has reported a change in tactics by an initial access broker, previously associated with ransomware groups. This actor, identified as Storm-0324, has shifted its focus to Microsoft Teams phishing attacks as a means to infiltrate corporate networks. Storm-0324 is a financially motivated threat group with a history of deploying ransomware such as Sage and GandCrab in previous campaigns.

Rust-Written 3AM Ransomware: A Sneak Peek into a New Malware Family

A new ransomware family called 3AM has emerged in the wild after it was detected in a single incident in which an unidentified affiliate deployed the strain following an unsuccessful attempt to deliver LockBit (attributed to Bitwise Spider or Syrphid) in the target network. 3AM gets its name from the fact that it's referenced in the ransom note. It also appends encrypted files with the extension .threeamtime.

Microsoft September 2023 Patch Tuesday Fixes 2 Zero-Days, 59 Flaws

As part of the September Patch Tuesday, Microsoft addressed 59 flaws, including two zero-days that were exploited in attacks in the wild. In total, Microsoft released fixes for 3 Security Feature Bypass Vulnerabilities, 24 Remote Code Execution Vulnerabilities, 9 Information Disclosure Vulnerabilities, 3 Denial of Service Vulnerabilities, 5 Spoofing Vulnerabilities, and 5 Edge - Chromium Vulnerabilities.

Facebook Messenger Phishing Wave Targets 100K Business Accounts Per Week

Hackers use a massive network of fake and compromised Facebook accounts to send out millions of Messenger phishing messages to target Facebook business accounts with password-stealing malware. The attackers trick the targets into downloading a RAR/ZIP archive containing a downloader for an evasive Python-based stealer that grabs cookies and passwords stored in the victim's browser.

Google Fixes Another Chrome Zero-Day Bug Exploited in Attacks

Yesterday, Google released security updates to fix a critical zero-vulnerability in its Chrome web browser. Tracked as CVE-2023-4863, the flaw relates to a heap-based buffer overflow in the WebP image format. Successful exploitation of this issue could result in browser crashes or arbitrary code execution.

Cuba Ransomware Group Unleashes Undetectable Malware

Security researchers at Kaspersky have exposed the activities of the infamous ransomware group Cuba. In a recent advisory, Kaspersky revealed that this cyber-criminal gang has been targeting organizations across different industries worldwide. In December 2022, Kaspersky detected a suspicious incident on a client's system, which led to the discovery of three mysterious files triggering the komar65 library, also known as BUGHATCH.

Apple Backports BLASTPASS Zero-Day Fix to Older iPhones

Apple released security updates for older iPhones to fix a zero-day vulnerability tracked as CVE-2023-41064 that was actively exploited to infect iOS devices with NSO's Pegasus spyware. CVE-2023-31064 is a remote code execution flaw that is exploited by sending maliciously crafted images via iMessage.

'Redfly' Hackers Infiltrated Power Supplier's Network for 6 Months

An espionage threat group tracked as 'Redfly' hacked a national electricity grid organization in Asia and quietly maintained access to the breached network for six months. These new findings come from Symantec, who found evidence of ShadowPad malware activity in the organization's network between February 28 and August 3, 2023, along with keyloggers and specialized file launchers.

Microsoft Teams Phishing Attack Pushes Darkgate Malware

A recent phishing scheme has exploited Microsoft Teams messages as a means to distribute harmful attachments that deploy the DarkGate Loader malware. This campaign commenced in late August 2023, as phishing messages originating from two compromised external Office 365 accounts were observed, targeting various organizations. These accounts were employed to deceive Microsoft Teams users into downloading and launching a ZIP file titled "Alterations to the holiday calendar."

'Evil Telegram' Android apps on Google Play infected 60K with spyware

Several malicious Telegram clones for Android on Google Play were installed over 60,000 times, infecting people with spyware that steals user messages, contacts lists, and other data. The apps appear to be tailored for Chinese-speaking users and the Uighur ethnic minority, suggesting possible ties to the well-documented state monitoring and repression mechanisms. The apps were discovered by Kaspersky, who reported them to Google.

Ragnar Locker Claims Attack on Israel's Mayanei Hayeshua Hospital

The Ragnar Locker ransomware gang has claimed responsibility for an attack on Israel's Mayanei Hayeshua hospital, threatening to leak 1 TB of data allegedly stolen during the cyberattack. The cyberattack on Mayanei Hayeshua occurred in early August, disrupting the hospital's record-keeping system and preventing new patients from receiving care.

Ransomware Attack Wipes Out Four Months of Sri Lankan Government Data

Sri Lanka's government cloud system, Lanka Government Cloud (LGC), has fallen victim to a massive ransomware attack that began on August 26, 2023. The attack resulted in the encryption of LGC services and backup systems, affecting approximately 5,000 email addresses using the "gov[dot]lk" domain, including those of the Cabinet Office.

UK and US Sanction 11 Members of the Russia-Based TrickBot Gang

The United States, in coordination with the United Kingdom, sanctioned eleven more individuals who are members of the Russia-based Trickbot cybercrime group. The sanctions were provided by the U.S. Department of the Treasury’s Office of Foreign Assets Control. The sanctioned TrickBot members worked as administrators, managers, developers, and coders, who have materially supported the operations of the group. The group has been tied to Russian intelligence services and has targeted the U.S. government, companies and hospitals.

Mac Users Beware: Malvertising Campaign Spreads Atomic Stealer macOS Malware

A new malvertising campaign has been observed distributing an updated version of a macOS stealer malware called Atomic Stealer (or AMOS), indicating that it's being actively maintained by its author. An off-the-shelf Golang malware available for $1,000 per month, Atomic Stealer first came to light in April 2023. Shortly after that, new variants with an expanded set of information-gathering features were detected in the wild, targeting gamers and cryptocurrency users.

Apple Discloses 2 New Zero-Days Exploited to Attack iPhones, Macs

Yesterday, Apple issued emergency security updates to address two zero-day flaws that were exploited in attacks targeting iPhone and Mac users. The vulnerabilities are being tracked as CVE-2023-41064 (discovered by Citizen Lab security researchers) and CVE-2023-41061 (discovered by Apple) and were found in the Image I/O and Wallet frameworks. CVE-2023-41064 relates to a validation issue in Wallet which can be exploite

Attackers Leverage Windows Advanced Installer to Drop Cryptocurrency Malware

Attackers operating from IP addresses in France, Luxembourg, and Germany have been utilizing the legitimate Windows tool, Advanced Installer, to create software packages that deliver cryptocurrency mining malware onto computers in various sectors. The malware payloads, as reported by Cisco Talos researchers on September 7, include the M3_Mini_RAT client stub. This remote access trojan enables the attackers to establish backdoors, download, and execute additional threats, including PhoenixMiner for Ethereum cryptocurrency mining and IOIMiner, a multi-coin mining threat.

Mirai Variant Infects Low-Cost Android TV Boxes for DDoS attacks

A variant of the Mirai malware botnet has been observed infecting affordable Android TV set-top boxes that are widely used for media streaming by millions of users. Dr. Web's antivirus team reports that this trojan represents a fresh iteration of the 'Pandora' backdoor, initially seen in 2015. The primary focus of this campaign is on economical Android TV boxes such as the Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3.

September Android updates Fix Zero-Day Exploited in Attacks

As part of the September 2023 Android security updates, Google addressed 33 vulnerabilities, including a high-severity zero-day that is actively being exploited in the wild. Tracked as CVE-2023-35674, the zero-day flaw impacts the Android Framework and could allow threat actors to escalate privileges on vulnerable devices without requiring user interaction or additional execution privileges

US and UK Sanction 11 TrickBot and Conti Cybercrime Gang Members

The USA and the United Kingdom have sanctioned eleven Russian nationals associated with the TrickBot and Conti ransomware cybercrime operations. The TrickBot malware operation launched in 2015 and focused on stealing banking credentials. However, over time, it developed into a modular malware that provided initial access to corporate networks for other cybercrime operations, such as Ryuk and, later, Conti ransomware operations.

China, North Korea Pursue New Targets While Honing Cyber Capabilities

China has developed a new capability using artificial intelligence to automatically generate images for influence operations in the United States and other democracies. These images aim to mimic U.S. voters across the political spectrum and create controversy along racial, economic, and ideological lines. Microsoft's Threat Analysis Center (MTAC) has observed China-affiliated actors using AI-generated visual media in campaigns that focus on politically divisive topics and denigrate U.S. political figures and symbols.

New Python Variant of Chaes Malware Targets Banking and Logistics Industries

Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes. ‘It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol,’ Morphisec said in a new detailed technical write-up shared with The Hacker News.

New BLISTER Malware Update Fueling Stealthy Network Infiltration Summary:

An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic. ‘New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments,’ Elastic Security Labs researchers Salim Bitam and Daniel Stepanic said in a technical report published late last month.

W3ll Phishing Kit Hijacks Thousands of Microsoft 365 Accounts, Bypasses MFA

An entity identified as W3LL created a phishing toolkit capable of evading multi-factor authentication and employed various tools to compromise over 8,000 corporate Microsoft 365 accounts. Over the course of ten months, security experts detected the utilization of W3LL's resources and infrastructure in the establishment of approximately 850 phishing campaigns, targeting login credentials for more than 56,000 Microsoft 365 accounts.

Smishing Triad Targeted USPS and US Citizens for Data Theft

The "Smishing Triad" cybercriminal group, believed to be Chinese-speaking, has been targeting individuals worldwide through a package tracking text scam sent via iMessage. Impersonating various postal services and government agencies, including the Royal Mail, New Zealand Postal Service, Correos, Postnord, Poste Italiane, and the Italian Revenue Service, the group aims to collect personal and payment information for identity theft and credit card fraud.

APT28 Cyberattack: Msedge as a Bootloader, TOR, and Mockbin[.]org/Website[.]hook Services as a Control Center

The government computer emergency response team of Ukraine, CERT-UA, recorded a targeted cyber attack against a critical energy infrastructure facility in Ukraine. To implement the malicious plan, an e-mail message with a fake sender address and a link to an archive, for example, "photo.zip", was distributed. Visiting the link will download a ZIP archive containing three JPG images (decoys) and a BAT file "weblinks.cmd" to the victim's computer.

MITRE and CISA Release OT Attack Emulation Tool

A new open source tool designed to emulate cyber-attacks against operational technology (OT) has been released by MITRE and the US Cybersecurity and Infrastructure Security Agency (CISA). The MITRE Calder for OT is now publicly available as an extension to the open-source Caldera platform on GitHub.

Exploit released for critical VMware SSH auth bypass vulnerability

Summoning Team’s Sina Kheirkhah recently published a proof-of-concept exploit code for a critical SSH authentication bypass vulnerability in VMware’s Aria Operations for Networks analysis tool. Tracked as CVE-2023-34039, the vulnerability can be exploited by remote attackers to bypass SSH authentication on unpatched appliances and access the tool’s command line interface.

German financial agency site disrupted by DDoS attack since Friday

The German Federal Financial Supervisory Authority (BaFin) announced today that an ongoing distributed denial-of-service (DDoS) attack has been impacting its website since Friday. BaFin is Germany’s financial regulatory authority, part of the Federal Ministry of Finance, responsible for supervising 2,700 banks, 800 financial, and 700 insurance service providers.

Hackers Exploit MinIO Storage System to Breach Corporate Networks

Two recent vulnerabilities in MinIO have been exploited by threat actors to breach object storage systems. This access allows the actors to view private information, execute arbitrary code, and potentially take over servers. MinIO is a open-source storage service that is compatible with various cloud containers including Amazon S3.

Okta: Hackers Target IT Help Desks to Gain Super Admin, Disable MFA

Researchers at Okta issued a warning regarding social engineering attacks directed at IT service desk agents serving U.S.-based clients. The aim of these attacks was to deceive these agents into resetting multi-factor authentication (MFA) for users with elevated privileges. The attackers' ultimate objective was to gain control of Okta Super Administrator accounts, which have extensive privileges. This access would enable them to exploit identity federation functionalities, permitting impersonation of users within the compromised organization.

North Korean Hackers Behind Malicious VMConnect PyPI Campaign

North Korean state-sponsored hackers are behind the VMConnect campaign that uploaded to the PyPI (Python Package Index) repository malicious packages, one of them mimicking the VMware vSphere connector module vConnector. The packages were uploaded at the beginning of August, with one named VMConnect targeting IT professionals seeking virtualization tools.

WordPress Migration Add-on Flaw Could Lead to Data Breaches

Researchers found a vulnerability in the widely-used plugin, All-in-One WP Migration, employed for migrating WordPress sites, and having an active user base of 5 million. This vulnerability involves unauthorized manipulation of access tokens, potentially granting attackers access to sensitive site data. All-in-One WP Migration is a user-friendly tool tailored for WordPress site migration.

Paramount Discloses Data Breach Following Security Incident

American entertainment giant Paramount Global disclosed a data breach after its systems got hacked and attackers gained access to personally identifiable information (PII). Paramount said in breach notification letters signed by Nickelodeon Animation Studio EVP Brian Keane sent to affected individuals that the attackers had access to its systems between May and June 2023.

Cisco VPNs with No MFA Enabled Hit by Ransomware Groups

Since March 2023 (and possibly even earlier), affiliates of the Akira and LockBit ransomware operators have been breaching organizations via Cisco ASA SSL VPN appliances, “In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity we’ve observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users (i.e., via MFA bypass groups),” Rapid7 researchers said on Tuesday.

How to Prevent ChatGPT From Stealing Your Content & Traffic

ChatGPT and similar large language models (LLMs) have added further complexity to the ever-growing online threat landscape. Cybercriminals no longer need advanced coding skills to execute fraud and other damaging attacks against online businesses and customers, thanks to bots-as-a-service, residential proxies, CAPTCHA farms, and other easily accessible tools.

Easy-to-Exploit Skype Vulnerability Reveals Users’ IP Address

A vulnerability in Skype mobile apps can be exploited by attackers to discover a user’s IP address – a piece of information that may endanger individuals whose physical security depends on their general location remaining secret. The security vulnerability has been discovered by a security researcher named Yossi, who privately reported it to Microsoft and demonstrated its effective exploitation to journalist Joseph Cox.

Spain Warns of LockBit Locker Ransomware Phishing Attacks

The Spanish National Police has issued an alert about an active ransomware campaign known as 'LockBit Locker,' which is currently targeting architecture firms in the country using phishing emails. According to the translated police statement, a series of emails have been identified as being sent to architecture companies.

Four in Five Cyber-Attacks Powered by Just Three Malware Loaders

Researchers from ReliaQuest found that cybercriminals relied primarily on seven different malware loaders to carry out attacks in the first half of 2023. QakBot, SocGholish, and Raspberry Robin were the most commonly used loaders, accounting for roughly 80% of all intrusions. GootLoader, ChromeLoader, Guloader, and Ursnif were also commonly seen.

MalDoc in PDFs: Hiding Malicious Word Docs in PDF Files

Japan's computer emergency response team (JPCERT) is sharing a new 'MalDoc in PDF' attack detected in July 2023 that bypasses detection by embedding malicious Word files into PDFs. The file sampled by JPCERT is a polyglot recognized by most scanning engines and tools as a PDF, yet office applications can open it as a regular Word document (.doc). Polyglots are files that contain two distinct file formats that can be interpreted and executed as more than one file type, depending on the application reading/opening them.

Microsoft: Stealthy Flax Typhoon Hackers Use Lolbins to Evade Detection

Microsoft has detected a new hacking collective referred to as Flax Typhoon. This group focuses on government bodies, educational institutions, vital manufacturing units, and IT organizations, presumably with the aim of espionage. The attackers avoid heavy usage of malware for infiltrating and controlling victim networks. Instead, they opt for utilizing existing components within the operating system, often referred to as living-off-the-land binaries (LOLBins), along with legitimate software.

KmsdBot Malware Gets an Upgrade: Now Targets IoT Devices with Enhanced Capabilities

An updated version of a botnet malware called KmsdBot is now targeting Internet of Things (IoT) devices, simultaneously branching out its capabilities and the attack surface. ‘The binary now includes support for Telnet scanning and support for more CPU architectures,’ Akamai security researcher Larry W. Cashdollar said in an analysis published this month. The latest iteration, observed since July 16, 2023, comes months after it emerged that the botnet is being offered as a DDoS-for-hire service to other threat actors.

Rhysida Claims Ransomware Attack On Prospect Medical, Threatens to Sell Data

The Rhysida ransomware group recently claimed responsibility for a cyberattack targeting Prospect Medical Holdings, a US healthcare company operating 16 hospitals in California, Connecticut, Pennsylvania, and Rhode Island and a network of 166 outpatient clinics and centers. The attack allegedly took place on August 3rd, with employees finding ransom notes on their systems stating that their network was hacked and devices had been encrypted. Due to the attack, the hospitals were forced to shut down their IT networks to mitigate the impact, causing employees to use paper charts.

Poland’s Authorities Investigate a Hacking Attack on Country’s Railways

Poland's Internal Security Agency (ABW) and national police are investigating a hacking attack on the country's state railway network. The attack disrupted railway traffic overnight and triggered an emergency status that stopped trains near the city of Szczecin. The attack is suspected to be part of broader destabilization efforts by Russia, possibly in conjunction with Belarus.

New Study Sheds Light on Adhubllka Ransomware Network

Cybersecurity experts have revealed an intricate network of interconnected ransomware types that all stem from a shared origin: the Adhubllka ransomware group. Netenrich, a cybersecurity firm, conducted a study exploring the lineage of various ransomware versions, such as LOLKEK, BIT, OBZ, U2K, and TZW. The researchers discovered significant resemblances in code, tactics, and infrastructure among these apparently distinct ransomware types. By tracking the evolution of these variants, the experts established a genealogical link connecting them to the original Adhubllka ransomware, which emerged in January 2020.

New Telegram Bot "Telekopye" Powering Large-scale Phishing Scams from Russia

A new financially motivated operation is leveraging a malicious Telegram bot to help threat actors scam their victims. Dubbed Telekopye, a portmanteau of Telegram and kopye (meaning "spear" in Russian), the toolkit functions as an automated means to create a phishing web page from a premade template and send the URL to potential victims, codenamed Mammoths by the criminals.

Jupiter X Core WordPress plugin could let hackers hijack sites

WordPress security company Patchstack discovered two critical vulnerabilities affecting Jupiter X Core, a premium visual editor plugin for setting up Wordpress and WooCommerce websites. The first flaw tracked as CVE-2023-38388, allows unauthenticated threat actors to upload files, which could lead to arbitrary code execution on the server.

Whiffy Recon Malware: New Threat Analysis and Insights

Researchers from Secureworks Counter Threat Unit (CTU) have identified a new Wi-Fi scanning malware named Whiffy Recon, which has been dropped by the Smoke Loader botnet. This malicious code employs nearby Wi-Fi access points as reference points for Google's geolocation API to triangulate the positions of infected systems.

Ransomware Hackers' Dwell Time Drops to 5 Days, RDP Still Widely Used

Ransomware threat actors are reducing the time they spend within compromised networks before being detected by security solutions. In the first half of this year, the median dwell time for these hackers decreased to five days from nine days in 2022. However, the overall median dwell time for all cyberattacks dropped to eight days from ten in 2022, indicating a general trend of quicker detection. Ransomware attacks constituted nearly 69% of all recorded cyberattacks during this period.

FBI Identifies Wallets Holding Cryptocurrency Funds Stolen by North Korea Summary:

The FBI in the United States issued a cautionary notice regarding the potential efforts of threat actors associated with North Korea to convert pilfered cryptocurrency, totaling over $40 million in value. In a disclosure, the Federal Bureau of Investigation outlined the actions of six cryptocurrency wallets operated by entities connected to North Korea. These wallets possess approximately 1,580 Bitcoin, equivalent to around $41 million based on current valuations. Authorities suspect these funds are connected to the recent heist of a substantial sum of cryptocurrency, amounting to hundreds of millions of dollars.

Russian Toolkit Aims to Make Online Scamming Easy for Anyone

A toolkit possibly developed by Russian individuals, known as Telekopye to security experts, aims to let fraudsters focus on refining their social engineering skills, freeing them from the technical aspects of online scams. Eset researchers uncovered a tool they named Telekopye, derived from the combination of "Telegram" and "kopye," the Russian word for spear.

Over 3,000 Openfire Servers Vulnerable to Takover Attacks

Thousands of Openfire servers remain vulnerable to CVE-2023-32315, an actively exploited and path traversal vulnerability that allows an unauthenticated user to create new admin accounts. Openfire is a widely used Java-based open-source chat (XMPP) server downloaded 9 million times. On May 23, 2023, it was disclosed that the software was impacted by an authentication bypass issue that affected version 3.10.0, released in April 2015, until that point.

Hosting Firm Says it Lost All Customer Data After Ransomware Attack

Danish hosting firms CloudNordic and AzeroCloud recently disclosed that they suffered from a ransomware attack, causing the firms to lose a majority of customer data and shut down all systems, including websites, emails, and customer sites. Since the attack took place last Friday, IT teams have only managed to restore some of the servers without any data, with CloudNordic stating that the restoration process isn’t going smoothly and that many of their customers’ data seems irrecoverable.

FBI: Patches for Recent Barracuda ESG Zero-Day Ineffective

The Barracuda Email Security Gateway (ESG) vulnerability, identified as CVE-2023-2868, has been exploited by a Chinese state-sponsored cyberespionage group named UNC4841. This vulnerability affects Barracuda ESG versions 5.1.3.001 to 9.2.0.006, enabling attackers to perform command injections via specially crafted TAR file attachments in emails. Despite Barracuda's patch release in May 2023, the FBI has found that the patches are ineffective, and the vulnerability remains actively exploited.

A North Korean State-Backed Hacking Group Leveraged Zoho's ManageEngine ServiceDesk for Compromrise

The North Korean state-backed hacker group Lazarus has been exploiting a critical vulnerability (CVE-2022-47966) in Zoho's ManageEngine ServiceDesk software to compromise an internet backbone infrastructure provider and healthcare organizations. This campaign began in early 2023, targeting entities in the U.S. and U.K. The attackers employed the QuiteRAT malware and a newly identified remote access trojan (RAT) named CollectionRAT. The latter was discovered through the analysis of the group's infrastructure.

Scarab Ransomware Deployed Worldwide Via Spacecolon Toolset

ESET researchers found the Spacecolon toolkit spreading Scarab ransomware across global organizations. It exploits weak web servers or RDP credentials for entry, with Turkish elements hinting at a Turkish-speaking developer. Spacecolon dates back to May 2020, with ongoing campaigns and a recent May 2023 build. ESET hasn’t linked it to any known group naming it “CosmicBeetle”.

Akira Ransomware Targets Cisco VPNs to Breach Organizations Summary:

There's mounting evidence that Akira ransomware targets Cisco VPN (virtual private network) products as an attack vector to breach corporate networks, steal, and eventually encrypt data. Akira ransomware is a relatively new ransomware operation launched in March 2023, with the group later adding a Linux encryptor to target VMware ESXi virtual machines.

WinRAR Zero-Day Exploited Since April to Hack Trading Accounts

According to Group-IB a WInRaR zero-day vulnerability was actively exploited to install malware when clicking on harmless files in an archive, allowing hackers to breach online cryptocurrency trading accounts. Tracked as CVE-2023-38831, the vulnerability is triggered by creating specially crafted archives with a slightly modified structure compared to safe files, which causes WinRAR's ShellExecute function to receive an incorrect parameter when it attempts to open the decoy file.

Scraped data of 2.6 million Duolingo users released on hacking forum

The scraped data of 2.6 million DuoLingo users was leaked on a hacking forum, allowing threat actors to conduct targeted phishing attacks using the exposed information. Duolingo is one of the largest language learning sites in the world, with over 74 million monthly users worldwide. In January 2023, someone was selling the scraped data of 2.6 million DuoLingo users on the now-shutdown Breached hacking forum for $1,500. This data includes a mixture of public login and real names, and non-public information, including email addresses and internal information related to the DuoLingo service.

Ivanti Warns of New Actively Exploited MobileIron Zero-Day Bug

US based software company Ivanti has issued a warning to its customers about an ongoing exploitation of a critical Sentry API authentication bypass vulnerability. The vulnerability affects Ivanti Sentry, which serves as a gatekeeper for enterprise ActiveSync and Sharepoint servers, as well as a Kerberos Key Distribution Center Proxy server. The cybersecurity firm Mnemonic discovered the vulnerability (CVE-2023-38035), allowing unauthorized attackers to access sensitive admin portal configuration APIs through port 8443 used by Mobile Iron Configuration Service (MICS).

Carderbee Hacking Group Hits Hong Kong Orgs in Supply Chain Attack

An undisclosed Advanced Persistent Threat (APT) hacking collective known as 'Carderbee' has been detected launching assaults on various institutions situated in Hong Kong and other parts of Asia. This group employs authentic software to infiltrate victims' machines with the PlugX malware. According to findings from Symantec, the legitimate software involved in this supply chain breach is Cobra DocGuard, designed by the Chinese developer 'EsafeNet.' This software is typically employed in security applications for tasks like data encryption and decryption.

Sneaky Amazon Google ad leads to Microsoft support scam

A legitimate-looking ad for Amazon in Google search results redirects visitors to a Microsoft Defender tech support scam that locks up their browser. Today, BleepingComputer was alerted to what appeared to be a valid advertisement for Amazon in the Google search results. The advertisement shows Amazon's legitimate URL, just like in the company's typical search result.

New Variant of XLoader macOS Malware Disguised as 'OfficeNote' Productivity App

A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called ‘OfficeNote.’ ‘The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg, SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis.

Cuba Ransomware Uses Veeam Exploit Against Critical U.S. Organizations

The Cuba ransomware group has been observed launching attacks against critical infrastructure organizations in the US and IT firms in Latin America. They utilize a mix of both old and new tools. In early June 2023, Blackberry’s Threat Research and Intelligence Team identified this recent campaign. They have noted that Cuba now uses CVE-2023-27543 to extract credentials from configuration files.

HiatusRAT Malware Resurfaces: Taiwan Firms and U.S. Military Under Attack

The threat actors behind the HiatusRAT malware have returned from their hiatus with a new wave of reconnaissance and targeting activity aimed at Taiwan-based organizations and a U.S. military procurement system. Besides recompiling malware samples for different architectures, the artifacts are said to have been hosted on new virtual private servers (VPSs), Lumen Black Lotus Labs said in a report published last week.

Interpol Arrests 14 Suspected Cybercriminals For Stealing $40 Million

An international law enforcement operation led by Interpol has led to the arrest of 14 suspected cybercriminals in an operation codenamed 'Africa Cyber Surge II,' launched in April 2023. The four-month operation spanned 25 African countries and disrupted over 20,000 cybercrime networks engaged in extortion, phishing, BEC, and online scams, responsible for financial losses of over $40,000,000.

Alarming Lack of Cybersecurity Practices on World’s Most Popular Websites

The Cybernews research team delved into an often overlooked aspect of website security—HTTP security headers. These headers guide browsers in interacting with web pages, defending against cyber threats. They studied the top 100 sites, including Pinterest, IMDB, and Facebook. Results revealed many popular websites lacking crucial security measures, raising concerns for both site owners and users.

Google Chrome's New Feature Alerts Users About Auto-Removal of Malicious Extensions

Google has announced plans to add a new feature in the upcoming version of its Chrome web browser to alert users when an extension they have installed has been removed from the Chrome Web Store. The feature, set for release alongside Chrome 117, allows users to be notified when an add-on has been unpublished by a developer, taken down for violating Chrome Web Store policy, or marked as malware.

New Wave of Attack Campaign Targeting Zimbra Email Users for Credential Theft

A new "mass-spreading" social engineering campaign is targeting users of the Zimbra Collaboration email server with an aim to collect their login credentials for use in follow-on operations. The activity, active since April 2023 and still ongoing, targets a wide range of small and medium businesses and governmental entities, most of which are located in Poland, Ecuador, Mexico, Italy, and Russia.

Monti Ransomware Targets VMware ESXi Servers With New Linux Locker

The Monti ransomware gang has returned, after a two-month break from publishing victims on their data leak site, using a new Linux locker to target VMware ESXi servers, legal, and government organizations. Researchers at Trend Micro analyzing the new encryption tool from Monti found that it has ‘significant deviations from its other Linux-based predecessors.

Credentials for Cybercrime Forums Found on Roughly 120K Computers Infected with Info Stealers

Hudson Rock, a threat intelligence firm, uncovered cybercrime forum credentials on about 120,000 computers infected with various info-stealer malware. These compromised computers, spanning from 2018 to 2023, were largely owned by threat actors themselves. The analysis of over 14.5 million infected computers revealed hackers' identities through additional credentials, autofill data, and system info.

Almost 2,000 Citrix NetScaler servers backdoored in hacking campaign

As part of a joint effort with Dutch Institute of Vulnerability Disclosure (DIVD), researchers at cybersecurity company Fox-IT (NCC Group) have uncovered a large-scale campaign that planted webshells on Citrix Netscaler servers vulnerable to CVE-2023-3519, a critical remote code execution flaw that was patched on July 18. By scanning the internet, they uncovered 2491 webshells across 1952 distinct NetScaler servers, which made up 6% of all Netscalers (31,127) vulnerable to CVE-2023-3519, on a global scale, as of July 21, 2023.

Major U.S. Energy Org Targeted in QR Code Phishing Attack

A phishing campaign was observed predominantly targeting a notable energy company in the US, employing QR codes to slip malicious emails into inboxes and bypass security. Roughly one-third (29%) of the 1,000 emails attributed to this campaign targeted a large US energy company, while the remaining attempts were made against firms in manufacturing (15%), insurance (9%), technology (7%), and financial services (6%). According to Cofense, who spotted this campaign, this is the first time that QR codes have been used at this scale, indicating that more phishing actors may be testing their effectiveness as an attack vector.

LinkedIn Accounts Hacked in Widespread Hijacking Campaign

Linkedin is facing a surge of account breaches, leading to numerous accounts being either locked for security concerns or seized by malicious actors. According to a recent report from Cyberint, numerous LinkedIn users have expressed frustration over compromised accounts or access issues, with attempts to address these problems through LinkedIn support. Although, LinkedIn’s support response time has lengthened, no official statement has been made yet.

File Sharing Site Anonfiles Shuts Down Due to Overwhelming Abuse

Anonfiles, a popular service for sharing files anonymously, has shut down after saying it can no longer deal with the overwhelming abuse by its users. Anonfiles is an anonymous file-sharing site that allows people to share files anonymously without their activity being logged. However, it soon became one of the most popular file-sharing services used by threat actors to share samples of stolen data, stolen credentials, and copyrighted material. F

Cleaning Products Manufacturer Clorox Company Took Some Systems Offline After a Cyberattack

The Clorox Company, a prominent multinational consumer goods firm known for its household and professional cleaning, health, and personal care products, recently faced a cybersecurity breach that compelled them to take specific systems offline. Detecting unauthorized activity on their Information Technology (IT) systems, Clorox swiftly initiated measures to halt and rectify the situation, including offline system shutdowns, as stated in an 8-K filing.

Raccoon Stealer Malware Returns With New Stealthier Version

The resurgence of the Raccoon Stealer malware is marked by the release of version 2.3.0 after a 6-month hiatus. Raccoon Stealer is a well-known information-stealing malware that has been active since 2019, offered to threat actors through a subscription model at $200 per month. The malware targets over 60 applications to collect sensitive data such as login credentials, credit card details, browsing history, cookies, and cryptocurrency wallets.

Massive 400,000 Proxy Botnet Built With Stealthy Malware Infections

Researchers have discovered a widespread operation that distributed proxy server applications to over 400,000 Windows systems. These devices function as residential exit nodes without obtaining users’ permission, and a company is making money by charging for the proxy traffic that passes through these machines. Threat actors find residential proxies useful for carrying out extensive credential stuffing attacks using new IP addresses.

QwixxRAT: A New Windows RAT Emerges in the Threat Landscape

The Uptycs Threat Research team discovered the QwixxRAT (aka Telegram RAT) in early August 2023 while it was advertised through Telegram and Discord platforms. According to the experts, QwixxRAT is meticulously designed to steal a broad range of information, including data from browser histories, credit card details, screenshots, and keystrokes.

Multiple Flaws Uncovered in Data Center Systems

Multiple vulnerabilities have been discovered in data center power management systems and supply technologies, enabling unauthorized access and remote code injection by threat actors. These vulnerabilities can be exploited to gain full access to data center systems, perform remote code injection, and create backdoors, potentially compromising connected devices and the broader network. The vulnerabilities were found in CyberPower's PowerPanel Enterprise Data Center Infrastructure Management platform and Dataprobe's iBoot Power Distribution Unit.

Threat Actors Use Beta Apps to Bypass Mobile App Store Security

The FBI has raised an alert about a new strategy employed by cybercriminals. They are now pushing harmful “beta” editions of cryptocurrency investment applications on widely used mobile app stores. These apps are subsequently exploited to pilfer cryptocurrency. The perpetrators introduce these harmful apps to the mobile app stores under the guise of “beta” versions.

Ongoing Xurum Attacks on E-commerce Sites Exploiting Critical Magento 2 Vulnerability

E-commerce sites using Adobe's Magento 2 software are the target of an ongoing campaign that has been active since at least January 2023. The attacks, dubbed Xurum by Akamai, leverage a now-patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution. ‘The attacker seems to be interested in payment stats from the orders in the victim's Magento store placed in the past 10 days,’ Akamai researchers said in an analysis published last week, attributing the campaign to actors of Russian origin.

Almost All VPNs Are Vulnerable to Traffic-Leaking TunnelCrack Attacks

Researchers from New York University, New York University Abu Dhabi, and KU Leuven University have discovered several vulnerabilities affecting most VPN products that can be exploited by attackers to read user traffic, steal user information, or attack user devices. The attacks, known as TunnelCrack attacks, are independent of the VPN protocol being used and can reveal which websites a user is visiting, posing a significant privacy risk even if the user is using additional encryption such as HTTPS.

MaginotDNS Attacks Exploit Weak Checks for DNS Cache Poisoning

Researchers from UC Irvine and Tsinghua University have introduced a cache poisoning attack named 'MaginotDNS' that targets Conditional DNS (CDNS) resolvers, potentially compromising entire top-level domains (TLDs). This attack capitalizes on security inconsistencies in various DNS software and server modes, rendering around one-third of CDNS servers vulnerable.

Count of Organizations Affected by MOVEit Attacks Hits 637

A cyberattack on MOVEit file-transfer servers since late May has affected over 637 organizations. German cybersecurity company KonBriefing reported this number. It includes groups directly hacked through their MOVEit servers and others connected to users of Progress Software's file-transfer tool. The Clop ransomware group, thought to be Russian, is behind the attacks. They've taken data with personal details of about 41 million people.

New SystemBC Malware Variant Targets Southern African Power Company

An unknown threat actor has been linked to a cyber attack on a power generation company in southern Africa with a new variant of the SystemBC malware called DroxiDat as a precursor to a suspected ransomware attack. ‘The proxy-capable backdoor was deployed alongside Cobalt Strike Beacons in a south African nation's critical infrastructure,’ Kurt Baumgartner, principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT), said.

New Statc Stealer Malware Emerges: Your Sensitive Data at Risk

Researchers at Zscaler recently disclosed details of a new information-stealing malware dubbed Statc Stealer that has been observed infecting Windows devices. Written in the C++ programming language, Statc Stealer is capable of performing filename discrepancy checks to prevent sandbox detection and reverse engineering analysis by security professionals.

Lapsus$ Hackers Took SIM-swapping Attacks to the Next Level

The U.S. government released a report after analyzing simple techniques, e.g. SIM swapping, used by the Lapsus$ extortion group to breach dozens of organizations with a strong security posture. Reviewing the group’s operations started in December last year following a long trail of incidents attributed to or claimed by Lapsus$ after leaking proprietary data from alleged victims.

Rhysida Ransomware Analysis Reveals Vice Society Connection

The newly surfaced Rhysida ransomware faction has swiftly become a concerning addition to the growing threat landscape. Its involvement in a series of impactful assaults since its emergence in May of this year has been linked to the well-known Vice Society ransomware group, which has been operating since 2021. Among the entities targeted by Rhysida are the Chilean Army and Prospect Medical Holdings. In a recent incident, the group’s attack had a far reaching impact, affecting 17 hospitals and 166 clinics across the United States.

Missouri Warns That Health Info Was Stolen in IBM MOVEit Data Breach

This week, the Missouri Department of Social Services (DSS) disclosed that Medicaid healthcare information was potentially exposed after IBM suffered a data breach. The attack was carried out by the Clop ransomware gang, which has been hacking vulnerable MOVEit Transfer servers worldwide by exploiting a SQL injection vulnerability (CVE-2023-34362) in the file transfer solution.

NIST Expands Cybersecurity Framework with New Pillar

The US National Institute of Standards and Technology (NIST) has released a new draft version of its popular best practice security framework, designed to expand its scope and provide more guidance on implementation. The NIST Cybersecurity Framework (CSF) 2.0 is the first refresh since it was launched in 2014. It is designed to help organizations “understand, reduce and communicate about cybersecurity risk,” the standards body said.

Evilproxy Phishing Campaign Targets 120,000 Microsoft 365 Users

EvilProxy has emerged as a widely used phishing platform for attacking MFA-secured accounts. According to Proofpoint’s recent findings, over 120,000 phishing emails have been sent to more than a hundred organizations in an attempt to compromise Microsoft 365 accounts. Proofpoint’s research highlights a significant increase in successful cloud account takeovers, especially affecting top-level executives, over the last five months.

Microsoft August 2023 Patch Tuesday Warns of 2 Zero-Days, 87 Flaws Summary:

As part of the August Patch Tuesday, Microsoft patched 87 flaws, two of which were actively exploited zero-days. In total, the tech giant released fixes for 18 Elevation of Privilege vulnerabilities, 3 Security Feature Bypass vulnerabilities, 23 Remote Code Execution vulnerabilities, 10 Information Disclosure vulnerabilities, 8 Denial of Service vulnerabilities, and 12 Spoofing vulnerabilities.

Notorious Phishing-as-a-Service Platform Shuttered

A phishing-as-a-service (PaaS) platform which may have been responsible for over 150,000 phishing domains has been taken offline after an Interpol-led operation, the policing group said. Interpol teamed up with investigators in Indonesia, Japan and the US and industry partners the Cyber Defense Institute, Group-IB, Palo Alto Networks Unit 42, Trend Micro and Cybertoolbelt to make the arrests.

LockBit Threatens to Leak Medical Data of Cancer Patients Stolen from Varian Medical Systems

The LockBit ransomware group has claimed responsibility for hacking Varian Medical Systems, a healthcare company that designs and manufactures medical devices and software for cancer treatment. The group threatens to leak medical data belonging to cancer patients. Varian Medical Systems operates globally and is owned by Siemens Healthineers, generating significant revenue.

Google Play Apps With 2.5M Installs Load Ads When Screen's Off

The Google Play store was infiltrated by 43 Android applications with 2.5 million installs that secretly displayed advertisements while a phone's screen was off, running down a device's battery. McAfee's Mobile Research Team discovered the malicious Android apps and reported them to Google as they violated Google Play Store's policies.

North Korean Hackers ‘Scarcruft’ Breached Russian Missile Maker

The cyberattack on the IT systems and email server of NPO Mashinostroyeniya, a Russian organization specializing in space rocket design and intercontinental ballistic missile engineering, has been attributed to the North Korean state sponsored hacking group ScarCruft. This group has a history of engaging in cyber activities with links to various targets.

Researchers Uncover New High-Severity Vulnerability in PaperCut Software

Horizon3 researchers recently disclosed a new high-severity vulnerability in PaperCut print management software for Windows that could result in remote code execution in certain configurations. Tracked as CVE-2023-39143, the flaw impacts PaperCut NG/MF prior to version 22.1.3. A successful exploit of CVE-2023-39143 could potentially allow unauthenticated attackers to read, delete, and upload arbitrary files to the PaperCut MF/NG application server.

Colorado Department of Higher Education Warns of Massive Data Breach

The Colorado Department of Higher Education (CDHE) discloses a massive data breach impacting students, past students, and teachers after suffering a ransomware attack in June. In a 'Notice of Data Incident' published on the CDHE website, the Department says they suffered a ransomware attack on June 19th, 2023. When ransomware gangs breach an organization, they quietly spread through a network while stealing sensitive data and files from computers and servers.

Clop Ransomware Now Uses Torrents to Leak Data and Evade Takedowns

The Clop ransomware gang has changed their extortion approach once more, now employing torrents to release the data they stole during MOVEit attacks. The ransomware gang started extorting victims on June 14 by gradually adding names to their Tor data leak site and eventually making the files public. However, the slow download speed on Tor sites limited the potential damage.

Russian Hacktivists Overwhelm Spanish Sites With DDoS

A leading Spanish research institute has become the latest organization in the country to come under cyber-attack from Russia, after a weeks-long DDoS campaign that appears to be geopolitically motivated. Local reports claimed that prolific hacktivist group NoName057 is responsible for the DDoS blitz, which impacted at least 72 websites between July 19 and 30.

New Acoustic Attack Steals Data from Keystrokes with 95% Accuracy

A team of researchers from British universities has developed a deep learning model called 'CoAtNet' that can perform acoustic attacks by stealing data from keyboard keystrokes recorded using a microphone. The model achieved an alarming accuracy of 95% in predicting the keystrokes, showcasing the potential danger of sound-based side-channel attacks. The study reveals that even when using platforms like Zoom for training, the prediction accuracy only dropped slightly to 93%, which is still a significant threat.

OT/IoT Malware Surges Tenfold in First Half of the Year

Malware-related cyber-threats in operational technology (OT) and Internet of Things (IoT) environments jumped tenfold year-on-year in the first six months of 2023, according to Nozomi Networks. In their latest “OT & IoT Security Report” the researchers shared ICS vulnerabilities, data from IoT honeypots and attack statistics from OT environments. “Specific to malware, denial-of-service (DoS) activity remains one of the most prevalent attacks against OT systems,” the vendor explained in a blog post announcing the report.

Hackers Use New Malware to Breach Air-gapped Devices in Eastern Europe

Chinese state-sponsored hackers have been targeting industrial organizations with new malware that can steal data from air-gapped systems. Air-gapped systems typically fulfill critical roles and are isolated from the enterprise network and the public internet either physically or through software and network devices. Researchers at cybersecurity company Kaspersky discovered the new malware and attributed it to the cyber-espionage group APT31, a.k.a. Zirconium.

Ransomware Attacks on Industrial Organizations Doubled in Past Year: Report

The number of ransomware attacks targeting industrial organizations and infrastructure has doubled since the second quarter of 2022, according to data from industrial cybersecurity firm Dragos. In a report analyzing data from the second quarter of 2023, Dragos said it saw 253 ransomware incidents, up 18% from the first quarter of 2023, when it observed 214 attacks.

Hackers Steal Signal, WhatsApp User Data With Fake Android Chat App

Hackers are using a fake Android app named 'SafeChat' to infect devices with spyware malware that steals call logs, texts, and GPS locations from phones. The Android spyware is suspected to be a variant of "Coverlm," which steals data from communication apps such as Telegram, Signal, WhatsApp, Viber, and Facebook Messenger. CYFIRMA researchers say the Indian APT hacking group 'Bahamut' is behind the campaign, with their latest attacks conducted mainly through spear phishing messages on WhatsApp that send the malicious payloads directly to the victim.

Experts Discovered a Previously Undocumented Initial Access Vector Used by P2PInfect Worm

In July, researchers from Palo Alto Networks Unit 42 discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers on Linux and Windows systems. P2PInfect is written in Rust and exploits the CVE-2022-0543 vulnerability to gain initial access. It establishes P2P communication to the network and has been found on over 307,000 unique public Redis systems in the past two weeks, with 934 possibly vulnerable. The worm's goal and the threat actors behind it remain unclear.

Cybercriminals Train AI Chatbots for Phishing, Malware Attacks

In the wake of WormGPT, a ChatGPT clone trained on malware-focused data, a new generative artificial intelligence hacking tool called FraudGPT has emerged, and at least another one is under development that is allegedly based on Google's AI experiment, Bard. Both AI-powered bots are the work of the same individual, who appears to be deep in the game of providing chatbots trained specifically for malicious purposes ranging from phishing and social engineering, to exploiting vulnerabilities and creating malware.

Experts Warn Attackers Started Exploiting Citrix ShareFile RCE Flaw CVE-2023-24489

Citrix ShareFile is a widely used cloud-based file-sharing application, which is affected by the critical remote code execution (RCE) tracked as CVE-2023-24489 (CVSS score of 9.1). The flaw impacts the customer-managed ShareFile storage zones controller, an unauthenticated, remote attacker can trigger the flaw to compromise the controller by uploading arbitrary file or executing arbitrary code.

CISA: New Submarine Malware Found on Hacked Barracuda ESG Appliances

In May, Network and email security firm Barracuda disclosed that a recently patched remote command injection zero-day vulnerability had been exploited since October 2022 to gain access to a subset of its Email Security Gateway appliances. The flaw tracked as CVE-2023-2868, was further exploited to deploy previously unknown malware dubbed Saltwater and SeaSpy as well as a malicious tool called SeaSide to establish reverse shells for easy remote access. In light of the attacks, Barracuda offered replacement devices to all affected customers at no charge.

Linux Version of Abyss Locker Ransomware Targets VMware ESXi Servers

The Abyss Locker operation is the latest to develop a Linux encryptor to target VMware's ESXi virtual machines platform in attacks on the enterprise. As the enterprise shifts from individual servers to virtual machines for better resource management, performance, and disaster recovery, ransomware gangs create encryptors focused on targeting the platform.

Experts Link AVRecon Bot to the Malware Proxy Service SocksEscort

In early July, researchers from Lumen Black Lotus Labs discovered the AVRecon botnet, which targeted small office/home office (SOHO) routers and infected over 70,000 devices across 20 countries. The threat actors behind the campaign aimed to build a botnet for various criminal activities, including password spraying and digital advertising fraud.

Microsoft Fixes WSUS Servers Not Pushing Windows 11 22H2 Updates

Microsoft fixed a known issue impacting WSUS (Windows Server Update Services) servers upgraded to Windows Server 2022, causing them not to push Windows 11 22H2 updates to enterprise endpoints. While the updates would successfully download to the WSUS server, they failed to propagate further to client devices. The root cause stems from the accidental removal of .msu and .wim MIME types during the upgrade process to Windows Server 2022.

BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities

The Russian nation-state actor known as BlueBravo has been observed targeting diplomatic entities throughout Eastern Europe with the goal of delivering a new backdoor called GraphicalProton, exemplifying the continuous evolution of the threat. The phishing campaign is characterized by the use of legitimate internet services (LIS) for command-and-control (C2) obfuscation, Recorded Future said in a new report published Thursday.

Zimbra Patches Zero-Day Vulnerability Exploited in XSS Attacks

Zimbra recently addressed a zero-day vulnerability that was exploited in attacks targeting Zimbra Collaboration Suite email servers. Tracked as CVE-2023-38750, the flaw relates to a case of reflected Cross-Site Scripting impacting Zimbra Collaboration Suite Version 8.8.15, which could enable threat actors to steal sensitive information or execute arbitrary code on vulnerable systems. The flaw was uncovered by security researcher Clément Lecigne of Google Threat Analysis Group and was initially disclosed to the public two weeks ago.

High Severity Vulnerabilities Discovered in Ninja Forms Plugin

Multiple critical vulnerabilities have been detected in Ninja Forms. a widely used WordPress forms builder plugin with more than 900,000 active installations. The plugin, created by Saturday Drive, enables users to generate a wide range of forms such as contact forms, event registration, file uploads, and payments. Security researchers from Patchstack published a new advisory revealing the presence of the first vulnerability which is a reflected cross site scripting flaw based on POST requests.

BreachForums Database and Private Chats for Sale in Hacker Data Breach

While consumers are usually the ones worried about their information being exposed in data breaches, it's now the hacker's turn, as the notorious Breached cybercrime forum's database is up for sale and member data has been shared with Have I Been Pwned. Yesterday, the Have I Been Pwned data breach notification service announced that visitors can check if their information was exposed in a data breach of the Breached cybercrime forum.

Australia and US Issue Warning About Web App Threats

The Australian and US governments have issued a joint advisory about the growing cyber-threats to web applications and application programming interfaces (APIs). The guidance, Preventing Web Application Access Control Abuse was released by the Australian Cyber Security Centre (ACSC), US Cybersecurity and Infrastructure Security Agency (CISA), and US National Security Agency (NSA) on July 27, 2023/

Repeatable VEC Attacks Target Critical Infrastructure

The incidence of vendor email compromise attacks has surged, as recent data reveals a significant uptick in these cyber threats. A new report released yesterday by Abonormal Security, a cybersecurity firm, highlight the growing risk posed by VEC attacks, which are a variant of business email compromise.

New Nitrogen Malware Pushed via Google Ads For Ransomware Attacks

A new 'Nitrogen' initial access malware campaign uses Google and Bing search ads to promote fake software sites that infect unsuspecting users with Cobalt Strike and ransomware payloads. The goal of the Nitrogen malware is to provide the threat actors initial access to corporate networks, allowing them to conduct data-theft, cyberespionage, and ultimately deploying the BlackCat/ALPHV ransomware.

NATO Investigates Alleged Data Theft by SiegedSec Hackers

NATO has confirmed that its IT team is investigating claims about an alleged data-theft hack on the Communities of Interest (COI) Cooperation Portal by a hacking group known as SiegedSec. The COI Cooperation Portal (dnbl.ncia.nato.int) is the military alliance's unclassified information-sharing and collaboration environment, dedicated to supporting NATO organizations and member nations. Yesterday, the hacking group 'SiegedSec' posted on Telegram what they claimed to be hundreds of documents stolen from the COI Cooperation Portal.

FraudGPT, A New Malicious Generative AI Tool Appears in the Threat Landscape

Generative AI models are becoming very attractive for crooks, Netenrich researchers recently spotted a new platform dubbed FraudGPT which is advertised on multiple marketplaces and the Telegram Channel since July 22, 2023. According to Netenrich, this generative AI bot was trained for offensive purposes, such as creating spear phishing emails, conducting BEC attacks, cracking tools, and carding.

Microsoft Previews Defender for IoT Firmware Analysis Service

Microsoft announced a new Defender for IoT feature that will allow analyzing the firmware of embedded Linux devices like routers for security vulnerabilities and common weaknesses. Dubbed Firmware Analysis and now available in Public Preview, the new capability can detect a wide range of weaknesses, from hardcoded user accounts and outdated or vulnerable open-source packages to the use of a manufacturer's private cryptographic signing key.

ALPHV Ransomware Adds Data Leak API in New Extortion Strategy

ALPHV ransomware gang, aka BlackCat, is now providing an API for their leak site to increase visibility for their attacks. Earlier this week, several researchers spotted a new page within the BlackCat leak site with instructions for using their API to collect timely updates about new victims. APIs, or Application Programming Interfaces, are typically used to enable communication between two software components based on agreed definitions and protocols .

VMware fixes bug exposing CF API admin credentials in Audit Logs

VMware recently fixed an information disclosure bug impacting its VMware Tanzu Application service for VMs (TAS for VMs) and Isolation Segment. “TAS for VMs helps enterprises automate the deployment of applications across on-premises or public and private clouds (e.g., vSphere, AWS, Azure, GCP, OpenStack). Tracked as CVE-2023-20891, the issue seems to be caused by credentials being logged and exposed via system audit logs.

Critical Vulnerabilities Found in Radio Encryption System

Security experts have discovered numerous vulnerabilities in a widely employed radio communication system, which is extensively used by law enforcement and critical infrastructure for transmitting data. These vulnerabilities could potentially enable remote decryption of cryptographically protected communications. Five vulnerabilities in Terrestrial Trunked Radio, a European radio communication standard have been identified by researchers from the Dutch security firm Midnight Blue.

Super Admin Elevation Bug Puts 900,000 MikroTik Devices at Risk

A critical severity 'Super Admin' privilege elevation flaw puts over 900,000 MikroTik RouterOS routers at risk, potentially enabling attackers to take full control over a device and remain undetected. The flaw, CVE-2023-30799, allows remote attackers with an existing admin account to elevate their privileges to "super-admin" via the device's Winbox or HTTP interface.

Over 400,000 Corporate Credentials Stolen by Info-stealing Malware

The analysis of nearly 20 million information-stealing malware logs sold on the dark web and Telegram channels revealed that they had achieved significant infiltration into business environments. Information stealers are malware that steals data stored in applications such as web browsers, email clients, instant messengers, cryptocurrency wallets, FTP clients, and gaming services. The stolen information is packaged into archives called 'logs,' which are then uploaded back to the threat actor for use in attacks or sold on cybercrime marketplaces.

Biden-Harris Administration Secures AI Commitments For Safety

The Biden-Harris Administration has taken a new step towards ensuring the responsible development of artificial intelligence (AI) technology by securing voluntary commitments from leading AI companies. As part of the new initiative, Amazon, Anthropic, Google, Inflection, Meta, Microsoft and OpenAI have pledged to prioritize safety, security and trust in their AI systems.

Norway Says Ivanti Zero-Day Was Used to Hack Govt IT Systems

The Norwegian National Security Authority (NSM) has confirmed that attackers used a zero-day vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) solution to breach a software platform used by 12 ministries in the country. The Norwegian Security and Service Organization (DSS) said on Monday that the cyberattack did not affect Norway's Prime Minister's Office, the Ministry of Defense, the Ministry of Justice, and the Ministry of Foreign Affairs.

Lazarus Hackers Hijack Microsoft IIS Servers to Spread Malware

The Lazarus hacking group, sponsored by the North Korean state, is currently involved in breaching Windows Internet Information Service (IIS) web servers with the intention of taking control of these servers for distributing malware. IIS is a web server solution developed by Microsoft, commonly used to host websites or application services, including Microsoft Exchange’s Outlook on the web.

Clop Now Leaks Data Stolen in MoveIT Attacks on Clearweb Sites

The Clop ransomware group is emulating the tactics of the ALPHV ransomware gang by constructing dedicated internet accessible websites for individual victims. “To overcome these obstacles, last year, the ALPHV ransomware operation, also known as BlackCat, introduced a new extortion tactic of creating clearweb websites to leak stolen data that were promoted as a way for employees to check if their data was leaked.

New Variant of AsyncRAT Malware Spreading Through Pirated Software

According to researchers at Avast, a new variant of AsyncRAT is being distributed via free, pirated versions of popular software and utilities such as video games, image and sound editing software, and Microsoft Office. Dubbed HotRat, the remote access trojan has been seen in the wild since October 2022, with majority of the infections being located in Thailand, Guyana, Libya, Suriname, Mali, Pakistan, Cambodia, South Africa, and India. The attack chain disclosed by Avast entails bundling cracked software available online via torrent sites with a malicious AutoHotKey (AHK script).

New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection

Qualys Threat Research Unit recently uncovered a remote code execution vulnerability impacting OpenSSH’s forwarded ssh-agent, a background program that maintains users' keys in memory and facilitates remote logins to a server without having to enter their passphrase again. Tracked as CVE-2023-38408, the vulnerability impacts OpenSSH before 9.3p2 and can be exploited to execute arbitrary commands on vulnerable OpenSSH’s forwarded ssh-agent. A successful exploit requires certain libraries to be present on the victim system and that the SSH authentication agent is forwarded to an attacker-controlled system.

Experts Warn of OSS Supply Chain Attacks Against the Banking Sector

In the first half of 2023, Checkmarx researchers detected multiple open-source software supply chain attacks aimed at the banking sector. These attacks targeted specific components in web assets used by banks, according to the experts the attackers used advanced techniques. A threat actor leverage the NPM platform to upload malicious packages that included malicious objects upon installation.

Critical AMI MegaRAC Bugs Can Let Hackers Brick Vulnerable Servers

Recently, American Megatrends International, a hardware and software company, identified two critical severity vulnerabilities in their MegaRAC Baseboard Management Controller software. The MegaRac BMC software is designed to offer administrators “out of band” and “lights out” remote system management capabilities. This functionality allows administrators to troubleshoot servers as if they were physically present in front of the devices, even when operating remotely.

VirusTotal Apologizes For Data Leak Affecting 5,600 Customers

VirusTotal apologized on Friday for leaking the information of over 5,600 customers after an employee mistakenly uploaded a CSV file containing their info to the platform last month. The data leak impacted only Premium account customers, with the uploaded file containing their names and corporate email addresses. Emiliano Martines, the online malware scanning service's head of product management, also assured impacted customers that the incident was caused by human error and was not the result of a cyber-attack or any vulnerability with VirusTotal.

DDoS Botnets Hijacking Zyxel Devices to Launch Devastating Attacks

Researchers at FortiGuard Labs have observed several distributed denial-of-service botnets exploiting a critical flaw in Zyxel devices to gain remote control of vulnerable systems. Tracked as CVE-2023-28771, the vulnerability is related to a command injection bug affecting multiple firewall models that could enable an unauthorized actor to execute arbitrary code via specially crafted packets sent to the targeted appliance.

Chinese APT41 Linked to WyrmSpy and DragonEgg Surveillanceware

Researchers at Lookout released a report on July 19, 2023, revealing that the Chinese espionage group APT41 is associated with the advanced Android surveillanceware known as WyrmSpy and DragonEgg. The report emphasized APT41’s well documented past of conducting espionage and seeking financial advantages by targeting government institutions and private companies.

Adobe Emergency Patch Fixes New ColdFusion Zero-Day Used in Attacks

Adobe recently published an emergency ColdFusion security update that addressed several vulnerabilities, including a new zero-day that was exploited in attacks in the wild. The zero-day tracked as CVE-2023-38205 is being described as an instance of improper access control that could result in a security bypass. Two other flaws were addressed, one of which was rated critical in severity while the other was rated medium in severity.

JumpCloud Breach Traced Back to North Korean State Hackers

US-based enterprise software company JumpCloud was breached by North Korean Lazarus Group hackers, according to security researchers at SentinelOne and CrowdStrike. In a report published on Thursday, SentinelOne Senior Threat Researcher Tom Hegel linked the North Korean threat group to the JumpCloud hack based on multiple indicators of compromise shared by the company in a recent incident report.

drIBAN Fraud Operations Target Corporate Banking Customers

Threats actors have extensively employed an advanced web-inject kit known as drlBAN to orchestrate fraudulent assaults on corporate banking institutions and their customers. As stated in a recent advisory from Cleafy security researchers, drlBAN was initially discovered in 2019. It utilizes customized JavaScript code to specifically target different entities within the corporate banking sector. Functioning as part of a Man-in-the-Browser attack, these web injects enable cyber criminals to manipulate the content of legitimate web pages in real time, circumventing the TLS protocol.

Ukraine Takes Down Massive Bot Farm, Seizes 150,000 SIM Cards

Ukraine’s Cyber Police Department has dismantled another massive bot farm linked to more than 100 individuals after researching nearly two dozen locations. The bots were allegedly used to promote Russian propaganda, justifying Russia’s invasion of Ukraine. The bots were also leveraged to spread illegal content and personal information and conduct other fraudulent activities.

Cybersecurity Firm Sophos Impersonated by New SophosEncrypt Ransomware

Cybersecurity researcher MalwareHunterTeam recently uncovered a new ransomware as a service (RaaS) dubbed SophosEncrypt which is allegedly impersonating Sophos. MalwareHunterTeam Initially thought SophosEncrypt to be part of a red team exercise by Sophos, however, Sophos followed up on Twitter stating that they did not create the encryptor and are conducting an investigation. Taking a closer look at the sample uncovered by MalwareHunterTeam, the encryptor is written in the Rust programming language.

Security Alert: Social Engineering Campaign Targets Technology Industry Employees

GitHub has identified a low-volume social engineering campaign targeting personal accounts of employees in technology firms. The attackers use GitHub repository invitations and malicious npm package dependencies. The targets are often associated with blockchain, cryptocurrency, online gambling, or cybersecurity sectors. The threat actor behind this campaign is likely linked to North Korean objectives and has been identified as Jade Sleet or TraderTraitor.

U.S. Preparing Cyber Trust Mark for More Secure Smart Devices

A new cybersecurity certification and labeling program called U.S. Cyber Trust Mark is being shaped to help U.S. consumers choose connected devices that are more secure and resilient to hacker attacks. A proposal from the Federal Communications Commission, the program is expected to roll out next year with smart device vendors committing to it voluntarily.

Hackers Exploiting Critical WordPress Woocommerce Payments Bug

A critical vulnerability in the widely used WooCommerce Payments plugin is being exploited by hackers, enabling them to gain unauthorized privileges of any user, including administrators, on vulnerable WordPress installations. WooCommerce Payments is a highly popular WordPress plugin that facilitates credit and debit card payments in WooCommerce stores, with over 600,000 active installations as, reported by WordPress.

Pakistani Entities Targeted in Sophisticated Attack Deploying ShadowPad Malware

An unidentified threat actor compromised an application used by multiple entities in Pakistan to deliver ShadowPad, a successor to the PlugX backdoor that's commonly associated with Chinese hacking crews. Targets included a Pakistan government entity, a public sector bank, and a telecommunications provider, according to Trend Micro. The infections took place between mid-February 2022 and September 2022.

Meet NoEscape: Avaddon ransomware gang's likely successor

The new NoEscape ransomware operation is believed to be a rebrand of Avaddon, a ransomware gang that shut down and released its decryption keys in 2021. NoEscape launched in June 2023 when it began targeting the enterprise in double-extortion attacks. As part of these attacks, the threat actors steal data and encrypt files on Windows, Linux, and VMware ESXi servers. The threat actors then threaten to publicly release stolen data if a ransom is not paid. BleepingComputer is aware of NoEscape ransomware demands ranging between hundreds of thousands of dollars to over $10 million. Like other ransomware gangs, NoEscape does not allow its members to target CIS (ex-Soviet Union) countries, with victims from those countries receiving free decryptors and information on how they were breached.

Google Cloud Build Bug Lets Hackers Launch Supply Chain Attacks

A critical design flaw in Google Cloud Build has been discovered by cloud security firm Orca Security, allowing hackers to launch supply chain attacks. The flaw, named Bad.Build, enables attackers to escalate privileges and gain unauthorized access to Google Artifact Registry code repositories. By impersonating the service account for Google Cloud Build, threat actors can run API calls against the artifact registry, inject malicious code into applications, and potentially compromise the entire supply chain.

FIN8 Deploys ALPHV Ransomware Using Sardonic Malware Variant

A financially motivated cybercrime gang has been observed deploying BlackCat ransomware payloads on networks backdoored using a revamped Sardonic malware version. Tracked as FIN8 (aka Syssphinx), this threat actor has been actively operating since at least January 2016, focusing on targeting industries such as retail, restaurants, hospitality, healthcare, and entertainment.

CERT-UA Uncovers Gamaredon's Rapid Data Exfiltration Tactics Following Initial Compromise

Last week, the computer emergency response team of Ukraine (CERT-UA) released an article disclosing details about a Russian-linked threat actor known as Gamaredon (Aka Aqua Blizzard, Armageddon, Shuckworm, or UAC-0010). Active since at least 2013, Gamaredon is a state-sponsored actor with ties to the SBU Main Office in the Autonomous Republic of Crimea, which was annexed by Russia in 2014.

AI Tool WormGPT Enables Convincing Fake Emails For BEC Attacks

New research conducted by security firm SlashNext reveals that cyber-criminals are utilizing a potent tool called WormGPT, a generative AI system, for carrying out business email compromise (BEC) attacks. Security expert Daniel Kelley, observed a worrisome trend in online forums where cyber-criminals are offering “jailbreaks” for interfaces like ChatGPT. These jailbreaks are specialized prompts that aim to exploit ChatGPT by manipulating it to generate outputs involving sensitive information disclosure, inappropriate content generation, or even the execution of harmful code.

JumpCloud Discloses Breach by State-Backed APT Hacking Group

US-based enterprise software firm JumpCloud has disclosed a breach by a state-backed hacking group that occurred almost one month ago. The attack was highly targeted and focused on a limited set of customers. The breach was discovered on June 27 after the attackers gained access through a spear-phishing attack. Although no evidence of customer impact was found initially, JumpCloud decided to rotate credentials and rebuild compromised infrastructure.

A Deep Dive into the Packet Reflection Vulnerability Allowing Attackers to Plague Private 5G Network

5G technology has bolstered productivity in modern-day factories, allowing multiple devices to be connected simultaneously, but 5G networks are not immune to cyberattacks. In our recent joint research effort with CTOne and the Telecom Technology Center (TTC), the official advisory group to Taiwan's National Communications Commission and Ministry of Digital Affairs, Trend Micro looked into ZDI-CAN-18522, a packet reflection vulnerability in the UPF of 5G cores (5GC).

Colorado State University says data breach impacts students, staff

Colorado State University (CSU) has confirmed that the Clop ransomware operation stole sensitive personal information of current and former students and employees during the recent MOVEit Transfer data-theft attacks. Colorado State University is a public research university with nearly 28,000 students and 6,000 academic and administrative staff members, operating on an endowment of $558,000,000.

New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries

A new malware strain has been found covertly targeting small office/home office (SOHO) routers for more than two years, infiltrating over 70,000 devices and creating a botnet with 40,000 nodes spanning 20 countries. Lumen Black Lotus Labs has dubbed the malware AVrecon, making it the third such strain to focus on SOHO routers after ZuoRAT and HiatusRAT over the past year.

Cisco SD-WAN vManage Impacted by Unauthenticated REST API Access

The Cisco SD-WAN vManage management software is impacted by a flaw that allows an unauthenticated, remote attacker to gain read or limited write permissions to the configuration of the affected instance. Cisco SD-WAN vManage is a cloud-based solution allowing organizations to design, deploy, and manage distributed networks across multiple locations.

Popular WordPress Security Plugin Caught Logging Plaintext Passwords

A popular WordPress plugin dubbed All-In-One Security (AIOS) was found to log plaintext passwords from login attempts. With over one million installs on WordPress sites, AIOS is a security and firewall plugin designed to log user activity and prevent cyberattacks such as brute-force attempts by warning admins when the default admin username is used for login. Approximately two weeks ago, user reports started coming in about an insecure design flaw in the plugin.

Russian State Hackers Lure Western Diplomats With BMW Car Ads

The Russian state-backed hacking collective known as APT29 has been employing unique tactics such as offering car listings to attract diplomats in Ukraine into clicking on harmful links, which ultimately distribute malware. APT29 is affiliated with Russia’s Foreign Intelligence Service (SVR), and it has gained notoriety for executing multiple cyber-espionage operations aimed at influential individuals worldwide.

Fortinet Warns of Critical RCE flaw in FortiOS, FortiProxy Devices

Fortinet recently disclosed a critical severity flaw impacting FortiOS and FortiProxy that could enable remote attackers to execute arbitrary code on vulnerable devices. Tracked as CVE-2023-33308, the flaw was uncovered to disclosed to Fortinet by cybersecurity firm Watchtowr. According to Fortinet, CVE-2023-33308 relates to a stack-based overflow vulnerability and could allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.

Microsoft July 2023 Patch Tuesday Warns of 6 Zero-Days, 132 Flaws

As part of the July Patch Tuesday, Microsoft addressed 132 vulnerabilities, six of which were actively exploited zero-days. In total, there were 33 Elevation of Privilege Vulnerabilities, 13 Security Feature Bypass Vulnerabilities, 37 Remote Code Execution Vulnerabilities, 19 Information Disclosure Vulnerabilities, 22 Denial of Service Vulnerabilities, and 7 Spoofing Vulnerabilities. Out of the 132 flaws addressed, nine have been rated critical in severity.

Ransomware Payments on Record-Breaking Trajectory for 2023

Data from the first half of the year indicates that ransomware activity is on track to break previous records, seeing a rise in the number of payments, both big and small. According to a report by blockchain analysis firm Chainalysis, ransomware is the only cryptocurrency crime category seeing a rise this year, with all others, including hacks, scams, malware, abuse material sales, fraud shops, and darknet market revenue, recording a steep decline, "In fact, ransomware attackers are on pace for their second-biggest year ever, having extorted at least $449.1 million through June."

Experts Released PoC exploit for Ubiquiti EdgeRouter Flaw

A Proof-of-Concept (PoC) exploit for the CVE-2023-31998 vulnerability in the Ubiquiti EdgeRouter has been publicly released. The CVE-2023-31998 flaw (CVSS v3 5.9) is a heap overflow issue impacting Ubiquiti EdgeRouters and Aircubes, an attacker can exploit it to potentially execute arbitrary code and interrupt UPnP service to a vulnerable device.

Owncast, EaseProbe Security Vulnerabilities Revealed

Oxeye has uncovered two critical security vulnerabilities and recommends immediate action to mitigate risk. The vulnerabilities were discovered in Owncast (CVE-2023-3188) and EaseProbe (CVE-2023-33967), two open-source platforms written in Go. The first vulnerability was discovered in Owncast, an open-source, self-hosted, decentralized, single-user live video streaming and chat server written in Go.

VMware Warns of Exploit Available for Critical vRealize RCE Bug

VMware warned customers today that exploit code is now available for a critical vulnerability in the VMware Aria Operations for Logs analysis tool, which helps admins manage terabytes worth of app and infrastructure logs in large-scale environments. The flaw (CVE-2023-20864) is a deserialization weakness patched in April, and it allows unauthenticated attackers to gain remote execution on unpatched appliances.

RomCom RAT Targeting NATO and Ukraine Support Groups

The threat actors behind the RomCom RAT have been suspected of phishing attacks targeting the upcoming NATO Summit in Vilnius as well as an identified organization supporting Ukraine abroad. The findings come from the BlackBerry Threat Research and Intelligence team, which found two malicious documents submitted from a Hungarian IP address on July 4, 2023.

New TOITOIN Banking Trojan Targeting Latin American Businesses

Businesses operating in the Latin American (LATAM) region are the target of a new Windows-based banking trojan called TOITOIN since May 2023. ‘This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage,’ Zscaler researchers Niraj Shivtarkar and Preet Kamal said in a report published last week.

Charming Kitten Hackers Use New ‘NokNok’ Malware for macOS

Security researchers observed a new campaign they attribute to the Charming Kitten APT group where hackers used new NokNok malware that targets macOS systems. The campaign started in May and relies on a different infection chain than previously observed, with LNK files deploying the payloads instead of the typical malicious Word documents seen in past attacks from the group.

Apps with 1.5M installs on Google Play send your data to China

Security researchers discovered two malicious file management applications on Google Play with a collective installation count of over 1.5 million that collected excessive user data that goes well beyond what's needed to offer the promised functionality. The apps, both from the same publisher, can launch without any interaction from the user to steal sensitive data and send it to servers in China.

Google Releases Android Patch Update for 3 Actively Exploited Vulnerabilities

or the month of June, Google released 46 new software vulnerabilities, some of which were actively exploited in attacks in the wild. Among the vulnerabilities addressed is a memory leak flaw impacting the Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips. Tracked as CVE-2023-26083, the bug was exploited in a previous attack that enabled spyware infiltration on Samsung devices in December 2022. Another serious vulnerability addressed is CVE-2021-29256 which relates to a high-severity issue impacting specific versions of the Bifrost and Midgard Arm Mali GPU kernel drivers.

Iranian Hacking Group Impersonating Nuclear Experts to Gain Intel From Western Think Tanks

Researchers at Proofpoint have revealed that a cyber espionage group associated with the Iranian government has been engaging in phishing attacks targeting Middle Eastern nuclear weapons experts by impersonating employees of think tanks. The group, known by various names such as TA453, Charming Kitten, or APT35, has a history of targeting government officials, politicians, think tanks, and critical infrastructure entities in the United States and Europe.

MOVEit Transfer Customers Warned to Patch New Critical Flaw

MOVEit Transfer, the software at the center of the recent massive spree of Clop ransomware breaches, has received an update that fixes a critical-severity SQL injection bug and two other less severe vulnerabilities. SQL injection vulnerabilities allow attackers to craft special queries to gain access to a database or tamper with it by executing code. For these attacks to be possible, the target application must suffer from a lack of appropriate input/output data sensitization.

International Police Arrest Head of Opera1er Cybercrime Gang

International law enforcement agencies have announced the arrest of the leader of a cybercriminal syndicate called Opera1er, responsible for over 30 successful cyberattacks targeting financial institutions, banks, mobile banking services, and telecommunications companies. The group, also known as Desktop-Group and NXSMS, was involved in various scams, including malware, phishing, and business email compromise, resulting in an estimated $30 million in stolen funds. Interpol, along with AFRIPOL, Group-IB, Direction de L'information et des Traces Technologiques, and the Orange CERT Coordination Center, led the operation named Nervone. The arrest took place in early June in Abidjan, Côte d'Ivoire, Mali. Group-IB, who had been tracking the Opera1er group since 2018, provided crucial intelligence that helped identify the leader's identity and potential location.

Over 130,000 Solar Energy Monitoring Systems Exposed Online

Researchers are raising concerns about the vulnerability of over 130,000 photovoltaic monitoring and diagnostic systems accessible through the public internet. This accessibility exposes them to potential attacks from hackers. These systems play a crucial role in remote performance monitoring, troubleshooting, optimizing system efficiency, and enabling the remote management of renewable energy production units.

Researchers Uncover New Linux Kernel 'StackRot' Privilege Escalation Vulnerability

Researchers at Peking University recently disclosed details of a new flaw in the Linux Kernel that could enable a threat actor to elevate privileges on a targeted host. Dubbed StackRot, the flaw is being tracked as CVE-2023-3269 and impacts Linux versions 6.1 through 6.4. According to security researcher Ruihan Li, “As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger…However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging.”

Cisco Warns of Bug That Lets Attackers Break Traffic Encryption

Yesterday, Cisco released an advisory warning its customers of an unpatched vulnerability in the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches in ACI mode that could be exploited by an unauthenticated remote attack to read or modify intersite encrypted traffic. Tracked as CVE-2023-20185, the flaw received a CVSS score of 7.4, indicating a high level of severity. According to Cisco, the vulnerability is due to an issue with the implementation of the ciphers that are used by the CloudSec encryption feature on affected switches.

Microsoft Investigates Outlook.com Bug Breaking Email Search

Microsoft is investigating an ongoing issue preventing Outlook[.]com users from searching their emails and triggering 401 exception errors. When searching, users see an error saying, "Sorry, something went wrong. Please try again later." "Our initial review of Outlook[.]com server logs, in parallel with HTTP Archive format (HAR) logs captured during an internal reproduction of impact, indicates 401 errors are occurring due to an exception when users attempt to perform the search," Microsoft says on the service health portal.

RedEnergy Stealer-as-a-Ransomware Employed in Attacks in the Wild

Zscaler ThreatLabz researchers discovered a new Stealer-as-a-Ransomware named RedEnergy used in attacks against energy utilities, oil, gas, telecom, and machinery sectors. The malware has the capabilities to steal information from various Internet browsers, but can also support ransomware activities. In this recent campaign, threat actors are masquerading as fake web browser updates to lure victims into installing the malware.

Hackers Target European Government Entities in SmugX Campaign

Since December 2022, a Chinese threat actor has been conducting a phishing campaign referred to as SmugX, which specifically targets embassies and foreign affairs ministries in the UK, France, Sweden Czech Republic, Hungary, and Slovakia. Security researchers at Check Point, a cybersecurity company, conducted analysis of the attacks and identified similarities with previous activities carried out by APT groups known as Mustang Panda and RedDelta.

New Tool Exploits Microsoft Teams Bug to Send Malware to Users

A member of U.S. Navy's red team has published a tool called TeamsPhisher that leverages an unresolved security issue in Microsoft Teams to bypass restrictions for incoming files from users outside of a targeted organization, the so-called external tenants. The tool exploits a problem highlighted last month by Max Corbridge and Tom Ellson of UK-based security services company Jumpsec, who explained how an attacker could easily go around Microsoft Teams' file-sending restraints to deliver malware from an external account.

Mexico-Based Hacker Targets Global Banks with Android Malware

An e-crime actor of Mexican provenance has been linked to an Android mobile malware campaign targeting financial institutions globally, but with a specific focus on Spanish and Chilean banks, from June 2021 to April 2023. The activity is being attributed to an actor codenamed Neo_Net, according to security researcher Pol Thill.

Japan’s largest Port Stops Operations After Ransomware Attack

The Port of Nagoya, the largest and busiest port in Japan, has been targeted in a ransomware attack that currently impacts the operation of container terminals. The port accounts for roughly 10% of Japan's total trade volume. It operates 21 piers and 290 berths. It handles over two million containers and cargo tonnage of 165 million every year. The port is also used by the Toyota Motor Corporation, one of the world’s largest automakers, to export most of its cars.

BlackCat Uses Malvertising to Push Backdoor

The BlackCat ransomware-as-a-service group is developing a threat activity cluster by deploying malicious malware using chosen keywords on webpages of legitimate organizations. They engage in unauthorized activities within company networks using cloned webpages of legitimate applications like WinSCP and SpyBoy. These cybercriminals hijack keywords to display malicious ads and lure unsuspecting users into downloading malware, a technique known as malvertising.

Blackcat Ransomware Pushes Cobalt Strike via WinSCP Search Ads

The ALPHV ransomware group, also known as the BlackCat, is engaging in malvertising activities to trick individuals into visiting counterfeit websites that closely resemble the legitimate WinSCP file-transfer application for Windows. However, these deceptive pages distribute installers infected with malicious software. WinSCP, a widely-used application for secure file transfer on Windows, is an open-source client and file manager supporting SFTP, FTP, S3, and SCP protocols. It boasts a significant user base, with approximately 400,000 weekly downloads from SourceForge alone. The BlackCat group is leveraging the WinSCP program as bait to potentially infiltrate the computers of system administrators, web administrators, and IT professionals, aiming to gain initial entry into valuable corporate networks.

New Windows Meduza Stealer Targets Tens of Crypto Wallets and Password Managers

A newly discovered information-stealing malware known as Meduza Stealer has been identified by researchers. The creators of this malware utilize advanced marketing tactics to promote its distribution. Meduza Stealer is designed to extract various browser-related data, such as login credentials, browsing history, and bookmarks, thereby compromising the victim’s browsing activities. Additionally, the malware targets specific extensions related to cryptocurrency wallets, password managers, and two-factor authentication (2FA). The authors of Meduza Stealer actively work on developing the malware in order to evade detection. However, no specific attacks have been attributed to this malware as of now.

TSMC Denies LockBit Hack as Ransomware Gang Demands $70 Million

Chipmaking giant TSMC (Taiwan Semiconductor Manufacturing Company) denied being hacked after the LockBit ransomware gang demanded $70 million not to release stolen data. TSMC is one of the world's largest semiconductor manufacturers, with its products used in a wide variety of devices, including smartphones, high performance computing, IoT devices, automotive, and digital consumer electronics/

300,000+ Fortinet Firewalls Vulnerable to Critical FortiOS RCE Bug

Hundreds of thousands of FortiGate firewalls are vulnerable to a critical security issue identified as CVE-2023-27997, almost a month after Fortinet released an update that addresses the problem. The vulnerability is a remote code execution with a severity score of 9.8 out of 10 resulting from a heap-based buffer overflow problem in FortiOS, the operating system that connects all Fortinet networking components to integrate them in the vendor's Security Fabric platform.

Experts Detected a New Variant of North Korea-Linked RUSTBUCKET macOS Malware

Researchers from Elastic Security Labs have discovered a new variant of the RustBucket Apple macOS malware. In April, the security firm Jamf observed the North Korea-linked BlueNoroff APT group using this new malware. BlueNoroff operates under the control of the notorious Lazarus APT group, also linked to North Korea. The RustBucket malware enables the operators to download and execute different payloads. The attribution to BlueNoroff APT is based on similarities found in Kaspersky's analysis.

MITRE Unveils Top 25 Most Dangerous Software Weaknesses of 2023: Are You at Risk?

MITRE recently published its list of the top 25 most dangerous software weaknesses for 2023. Every year, this list is calculated by analyzing public vulnerability data in the National Vulnerability Database for root cause mappings to CWE weaknesses for the previous two years. In total, 43,996 CVE entries were examined, with a score being assigned to each entry based on the prevalence and severity of the flaw.

Cybercriminals Hijacking Vulnerable SSH Servers in New Proxyjacking Campaign

An active financially motivated campaign is targeting vulnerable SSH servers to covertly ensnare them into a proxy network. ‘This is an active campaign in which the attacker leverages SSH for remote access, running malicious scripts that stealthily enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Profit or Honeygain,’ Akamai researcher Allen West said in a Thursday report. Unlike cryptojacking, in which a compromised system's resources are used to illicitly mine cryptocurrency, proxyjacking offers the ability for threat actors to leverage the victim's unused bandwidth to covertly run different services as a P2P node.

New EarlyRAT Malware Linked to North Korean Andariel Hacking Group

Security analysts have discovered a previously undocumented remote access trojan (RAT) named 'EarlyRAT,' used by Andariel, a sub-group of the Lazarus North Korean state-sponsored hacking group. Andariel (aka Stonefly) is believed to be part of the Lazarus hacking group known for employing the DTrack modular backdoor to collect information from compromised systems, such as browsing history, typed data (keylogging), screenshots, running processes, and more

Clop's MOVEit Campaign Affects Over 16 Million Individuals

The victims of the Clop ransomware group's supply chain attack include a wide range of organizations, such as healthcare software firm Vitality Group International, Talcott Resolution Life Insurance Company, and several universities including Georgia, Johns Hopkins, Missouri, Rochester, and Southern Illinois. Government departments like the U.S. Department of Energy, Department of Agriculture, and Office of Personnel Management were also targeted.

Manifest Confusion Threat Undermines Trust in Entire NPM Registry

The lack of metadata validation in the npm registry, which is widely used by developers to download Javascript code, has raised concerns about potential cyber threats. Despite being the largest software registry globally, with 17 million developers relying on it, the registry fails to perform checks on package metadata.

Critical Security Flaw in Social Login Plugin for WordPress Exposes Users' Accounts

Wordfence recently disclosed a critical flaw in miniOrange's Social Login and Register plugin for WordPress, which could be leveraged by a malicious threat actor to access any account on websites running the vulnerable plugin. Tracked as CVE-2023-2982 (CVSS score: 9.8), the flaw has been described as an authentication bypass flaw and impacts all versions of the plugin, including and prior to 7.6.4.

Linux version of Akira ransomware targets VMware ESXi servers

Operators behind the Akira Ransomware have released a new Linux variant that is capable of encrypting VMware ESXi virtual machines. The Linux variant was discovered by malware analyst rivitna, who shared a sample of the new encryptor on VirusTotal last week. According to analysts, Linux encryptor shows it has a project name of 'Esxi_Build_Esxi6,’ indicating that is specially designed to target VMware ESXi servers.

Microsoft Fixes Windows Bug Causing File Explorer Freezes

Microsoft has resolved a Windows bug that was causing freezes in the File Explorer application. The issue primarily affected non-consumer environments and was observed in Windows 11 21H2/22H2 and Windows Server 2022. Users experienced freezes in File Explorer after installing Windows updates released since May 9th, 2023. Microsoft released an optional cumulative update (KB5027303) this month to address the issue for Windows 11 22H2 users, with a plan to make it available to all affected Windows users in the July Patch Tuesday cumulative updates.

CISA and NSA Help Organizations Defend Their CI/CD Environments

The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) published a joint Cybersecurity Information Sheet (CSI) titled, “Defending Continuous Integration/Continuous Delivery Environment,” which can help organizations improve their defenses in cloud implementations of development, security, and operations (DevSecOps). Specifically, this joint guide explains how to integrate security best practices into typical software development and operations (DevOps) CI/CD environments, without regard for the specific tools being adapted.

CryptosLabs Scam Ring Targets French-Speaking Investors, Rakes in €480 Million

Group-IB recently uncovered the operations of a scam ring dubbed CryptoLabs that has allegedly made €480 million in illegal profits by targeting users in French-speaking individuals in France, Belgium, and Luxembourg since April 2018. The syndicate is known for impersonating well-known banks, fin-techs, asset management firms, and crypto platforms, setting up scam infrastructure spanning over 350 domains hosted on more than 80 servers. According to researchers, the threat actors have been experimenting with different landing pages, since 2015, ultimately launching their campaign around June 2018.

8Base Ransomware Spikes in Activity, Threatens U.S. and Brazilian Businesses

A ransomware threat called **8Base** that has been operating under the radar for over a year has been attributed to a ‘massive spike in activity’ in May and June 2023. ‘The group utilizes encryption paired with 'name-and-shame' techniques to compel their victims to pay their ransoms,’ VMware Carbon Black researchers Deborah Snyder and Fae Carlisle [said](https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player) in a report. ‘8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries.’

EncroChat Bust Leads to 6,558 Criminals' Arrests and €900 Million Seizure

On Tuesday, Europol announced that the takedown of EncroChat in July 2020 led to 6,558 arrests worldwide and the seizure of €900 million in illicit criminal proceeds. The operation was carried out by French and Dutch authorities which intercepted and analyzed over 115 million conversations made between approximately 60,000 users using the encrypted messaging platform.

Newly Surfaced ThirdEye Infostealer Targeting Windows Devices

Researchers have recently detected a new info stealer known as ThirdEye, which exhibits various variants, all designed to target and steal victims’ data. During a preliminary analysis, FortiGuard Labs came across this highly malicious yet, relatively unsophisticated info stealer while examining suspicious files. The researchers, became suspicious after encountering a Russian archive file translated to “time sheet” in English.

Hundreds of Devices Found Violating New CISA Federal Agency Directive

Censys researchers have discovered hundreds of Internet-exposed devices on the networks of U.S. federal agencies that have to be secured according to a recently issued CISA Binding Operational Directive. An analysis of the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations led to the discovery of more than 13,000 individual hosts exposed to Internet access, distributed across over 100 systems linked to FCEB agencies.

Anatsa Android Trojan Now Steals Banking Info From Users in US, UK

Researchers at ThreatFabric recently disclosed details of a new mobile campaign that has been pushing Anatsa, an Android banking trojan, to online banking customers in the U.S., the U.K., Germany, Austria, and Switzerland since March 2023. The malware is being distributed via the Play Store by masquerading as PDF viewer and editor apps and office suites, having over 30,000 installations in the last couple of months. Although ThreatFabric reported the malicious applications to Google, which ended up removing them altogether from the play store, the attackers were observed uploading new malware samples soon after under the guise of other applications.

New PindOS Javascript Dropper Deploys Bumblebee, Icedid Malware

Researchers have identified a novel malicious tool reffered to as PindOS. This tool acts as a delivery mechanism for the Bumblebee and IcedID malware, which are commonly associated with ransomware attacks. PindOS operates as a JavaScript malware dropper, seemingly designed with the sole purpose of retrieving subsequent-stage payloads that ultimately deliver the perpetrators’ final malicious payload.

CISA Releases Cloud Services Guidance and Resources

The Secure Cloud Business Applications (SCuBA) project provides guidance and capabilities to secure agencies’ cloud business application environments and protect federal information that is created, accessed, shared and stored in those environments. SCuBA will help secure federal civilian executive branch (FCEB) information assets stored within cloud environments through consistent, effective, modern, and manageable security configurations.

New Mockingjay Process Injection Technique Evades EDR Detection

A new process injection technique called "Mockingjay" has been discovered by researchers at cybersecurity firm Security Joes. This technique allows threat actors to bypass EDR (Endpoint Detection and Response) systems and execute malicious code on compromised systems without detection. Unlike traditional process injection methods, Mockingjay does not rely on commonly abused Windows API calls, special permissions, or memory allocation, making it more difficult to detect.

American Airlines, Southwest Airlines Disclose Data Breaches Affecting Pilots

American Airlines and Southwest Airlines, two of the largest airlines in the world, recently experienced data breaches caused by the hack of a third-party vendor called Pilot Credentials. The breach occurred on April 30, and both airlines were informed on May 3. The unauthorized individual gained access to Pilot Credentials' systems and stole documents containing information provided by pilot and cadet applicants. American Airlines reported that the breach affected 5,745 pilots and applicants, while Southwest reported a total of 3,009. The stolen information included personal details such as names, Social Security numbers, driver's license numbers, passport numbers, and more. Both airlines have terminated their relationship with the vendor and are directing applicants to self-managed internal portals. They have also notified law enforcement and are cooperating with investigations.

MOVEIt Breach Impacts Genworth, Calpers as Data for 3.2 Million Exposed

PBI Research Services has experienced a data breach, resulting in the disclosure of sensitive information for approximately 4.75 million individuals. This breach occured during the recent series of data-theft attacks targeting MOVEit Transfer. The attacks, initiated by the Clop ransomware gang, commenced on May 27th, 2023. Exploiting a previously unknown vulnerability in MOVEit Transfer, the gang proceeded to extract data from nemerious companies, including PBI and its three clients. In recent days, the Clop gang has adopted an extortion strategy gradually revealing the names of affected organizations on their data leak site. The tactic aims to exert pressure on victims, compelling them to meet the gang's ransom demands.

Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers

In a series of Twitter posts last week, Microsoft stated that it has observed an uptick in credential-stealing attacks from Midnight Blizzard (aka Nobelium, APT29, Cozy Bear, Iron Hemlock, and The Dukes), a notorious Russian state-affiliated hacker group that was behind the 2020 SolarWinds attack. The latest intrusions are using a variety of password spray, brute force, and token theft techniques, with the group also conducting session replay attacks to gain initial access to cloud resources leveraging stolen sessions. Targets highlighted by Microsoft include governments, IT service providers, NGOs, the defense industry, and critical manufacturing.

China-linked APT Group VANGUARD PANDA Uses a New Tradecraft in Recent Attacks

CrowdStrike researchers observed the China-linked APT group VANGUARD PANDA, aka Volt Typhoon, using a novel tradecraft to gain initial access to target networks. The Volt Typhoon group has been active since at least mid-2021 it carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

Suncor Energy Cyberattack Impacts Petro-Canada Gas Stations

Over the weekend, Suncor, one of Canada’s largest synthetic crude producers, disclosed it suffered from a cyberattack, stating that it is working on resolving the incident and that some transactions with customers and suppliers may have been impacted. Although no additional details were reported in Suncor’s notice, Petro-Canada, a subsidiary of Suncor that operates 1,500 gas stations across Canada, stated it is facing technical issues, preventing customers from paying with credit cards or rewards points. According to a post on Twitter, the company warned customers that they cannot currently log in to their accounts via the app or website and apologized for the inconvenience caused. This outage also prevents earning points when refueling at the company's gas stations.

China-linked APT Group VANGUARD PANDA Uses a New Tradecraft in Recent Attacks

CrowdStrike researchers observed the China-linked APT group VANGUARD PANDA, aka Volt Typhoon, using a novel tradecraft to gain initial access to target networks. The Volt Typhoon group has been active since at least mid-2021 it carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

Mirai Botnet Targets 22 Flaws in D-Link, Zyxel, Netgear Devices

Researchers from Palo Alto Networks’ Unit 42 have detected a modified version of the Mirai botnet, which is actively exploiting nearly 20 vulnerabilities. The primary objective of this botnet is to compromise devices manufactured by D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek. These compromised devices are then utilized to launch distributed of denial of service attacks (DDoS) attacks.

Powerful JavaScript Dropper PindOS Distributes Bumblebee and IcedID Malware

Cybersecurity firm Deep Instinct has uncovered a new JavaScript dropper, dubbed PindOS, that is being used to deliver next-stage payloads like BumbleBee and IceID, both of which are loaders that have also been leveraged to deploy other malware on hosts, including ransomware. “Bumblebee, notably, is a replacement for another loader called BazarLoader, which has been attributed to the now-defunct TrickBot and Conti groups. A report from Secureworks in April 2022 found evidence of collaboration between several actors in the Russian cybercrime ecosystem, including that of Conti, Emotet, and IcedID.

IDOR in Microsoft Teams Allows for External Tenants to Introduce Malware

Security researchers from Jumpsec have discovered a vulnerability in Microsoft Teams that enables attackers to deliver malware directly to employees' inboxes. The bug allows external users to send malicious payloads that appear as downloadable files. By combining this vulnerability with social engineering tactics, attackers can increase the success rate of their attacks. This method bypasses anti-phishing security controls and takes advantage of the trust employees have in messages received through Microsoft Teams. This vulnerability affects every organization using Teams in the default configuration.

RedEyes Group Wiretapping Individuals

“RedEyes, a state-sponsored APT group also known as APT37, ScarCruft, and Reaper, has been identified as targeting individuals such as North Korean defectors, human rights activists, and university professors. Their objective is to monitor the lives of specific individuals. In May 2023, AhnLab Security Emergency response Center (ASEC) discovered RedEyes distributing and utilizing an Infostealer with wiretapping capabilities and a GoLang-based backdoor that exploits the Ably platform. The backdoor allowed the threat actor to send commands through the Ably service, with the API key value required for communication stored in a GitHub repository. This key value allowed anyone with knowledge of it to subscribe to the threat actor's channel”

404 TDS Phishing Campaign: Truebot, FlawedGrace, and Cobalt Strike Intrusion Revealed

During the DFIR investigation conducted in May 2023, a significant intrusion was observed, involving the deployment of Truebot, Cobalt Strike, FlawedGrace (also known as GraceWire & BARBWIRE), and the subsequent deployment of the MBR Killer wiper. The threat actors executed their attack swiftly, successfully exfiltrating data and rendering numerous systems inoperable with the wiper within a span of 29 hours after gaining initial access.

Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites

A critical security flaw has been disclosed in the WordPress "Abandoned Cart Lite for WooCommerce" plugin that's installed on more than 30,000 websites. ‘This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met,’ Defiant's Wordfence said in an advisory. Tracked as CVE-2023-2986, the shortcoming has been rated 9.8 out of 10 for severity on the CVSS scoring system.

UPS Discloses Data Breach After Exposed Customer Info Used in SMS Phishing

Multinational company UPS is notifying customers in Canada that certain personal details could have been compromised through its online package tracking tools, potentially leading to their misuse in phishing attempts. The communication sent by UPS Canada titled “An Update from UPS: Combatting Phishing and Smishing,” appears to be initially aimed at cautioning customers about the risk associated with phishing. However, the communication is, in fact, a notification of a data breach. UPS Canada discreetly includes a disclosure within the message, revealing that they have been receiving reports of SMS phishing messages containing recipients’ names and address information.

Apple Fixes Zero-Days Used to Deploy Triangulation Spyware Via iMessage

Apple recently addressed three zero-day vulnerabilities that were exploited in attacks to install spyware on iPhones via iMessage zero-click exploits. Below is a list of the CVEs:

  • CVE-2023-32434: A kernel integer overflow was addressed with improved input validation
  • CVE-2023-32435: A memory corruption issue in Apple WebKit was addressed with improved state management.
  • CVE-2023-32439: A type confusion issue in WebKit was addressed with improved checks.

    The first two flaws were uncovered by researchers at Kaspersky, Georgy Kucherin, Leonid Bezvershenko, and Boris Larin. According to Kaspersky, the vulnerabilities have been exploited in an ongoing campaign dubbed Operation Triangulation, which has been active since 2019.

  • APT37 Hackers Deploy New FadeStealer Eavesdropping Malware

    The North Korean APT37 hacking group, also known as StarCruft, Reaper, or RedEyes, has recently deployed a new information-stealing malware called "FadeStealer." This malware includes a wiretapping feature, allowing the threat actors to eavesdrop and record from victims' microphones. APT37 has a history of conducting cyber espionage attacks aligned with North Korean interests, targeting North Korean defectors, educational institutions, and EU-based organizations.

    Exploit Released for Cisco AnyConnect Bug Giving SYSTEM Privileges

    A proof-of-concept exploit code has been released for a high-severity vulnerability in Cisco Secure Client Software for Windows, previously known as AnyConnect Secure Mobility Client. This flaw, tracked as CVE-2023-20178, allows authenticated attackers to escalate privileges to the SYSTEM account, which is used by the Windows operating system. The vulnerability can be exploited without user interaction and takes advantage of a specific function in the Windows installer process.

    New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attacks

    A new malware called Condi has been observed exploiting a security vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to rope the devices into a distributed denial-of-service (DDoS) botnet. Fortinet FortiGuard Labs said the campaign has ramped up since the end of May 2023. Condi is the work of a threat actor who goes by the online alias zxcr9999 on Telegram and runs a Telegram channel called Condi Network to advertise their warez. ‘The Telegram channel was started in May 2022, and the threat actor has been monetizing its botnet by providing DDoS-as-a-service and selling the malware source code,’ security researchers Joie Salvio and Roy Tay said.

    Zyxel Warns of Critical Command Injection Flaw in NAS Devices

    Zxyel recently published security updates to address a critical command injection vulnerability impacting its Network Attached Storage (NAS) devices, warning customers to update their firmware. Tracked as CVE-2023-27992, the vulnerability is due to a pre-authentication command injection problem that could enable an unauthenticated attacker to execute operating system commands on the impacted device via specially crafted HTTP requests.

    Hackers Infect Linux SSH Servers With Tsunami Botnet Malware

    An unidentified malicious entity is employing brute-force techniques to gain unauthorized access to Linux SSH servers, enabling the installation of various forms of malicious software. The malware includes the Tsunami DDoS bot, ShellBot, log cleaners, tools for privilege escalation, and an XMRig coin miner designed to mine Monero. SSH (Secure Socket Shell) is a secure and encrypted network communication protocol used for remote administration of Linux devices. It facilitates activities such as executing commands, modifying configurations, updating software, and resolving issues for network administrators.

    3CX Data Exposed, Third-Party to Blame

    3CX, a popular Voice over Internet Protocol (VoIP) comms provider, was exposed due to the negligence of a third-party vendor. The vendor's open server left instances of Elasticsearch and Kibana vulnerable, leading to the discovery of the exposed data on May 15th. This discovery came to light nearly two months after the initial cyberattacks on 3CX, which had previously been targeted by North Korean hackers. The exposed data included call metadata, license keys, and encoded database strings, posing significant risks.

    Clop Ransomware and the MOVEit Cyberattack: What to Know

    The recent Clop ransomware attack targeted the MOVEit Transfer file-transfer platform, resulting in compromised networks worldwide. The attack exploited a vulnerability in the Managed File Transfer (MFT) application using a structured query language (SQL) attack vector. The compromised platforms contained sensitive data, potentially exposing a wide range of sensitive customer information from various industries and geographies. Affected entities included U.S. government agencies, airlines, media companies, an oil giant, health services, and international consulting firms.

    New RDStealer Malware Steals From Drives Shared Over Remote Desktop

    Bitdefender Labs has discovered a cyberespionage and hacking campaign called 'RedClouds' that utilizes custom malware known as 'RDStealer' to automatically steal data from drives shared through Remote Desktop connections. The campaign has been active since at least 2020, primarily targeting systems in East Asia. While the specific threat actors behind RedClouds have not been identified, Bitdefender suggests that their interests align with China and that they possess the sophistication of a state-sponsored Advanced Persistent Threat (APT) group.

    Chinese APT15 Hackers Resurface with New Graphican Malware

    Today, the Threat Hunter Team at Symantec, part of Broadcom, reports that APT15's latest campaign targets foreign affairs ministries in Central and South American countries. The researchers report that the new Graphican backdoor is an evolution of an older malware used by the hackers rather than a tool created from scratch. It is notable for using Microsoft Graph API and OneDrive to stealthily obtain its command and control (C2) infrastructure addresses in encrypted form, giving it versatility and resistance against take-downs.

    Iowa’s Largest School District Confirms Ransomware Attack, Data Theft

    Des Moines Public Schools, Iowa's largest school district, confirmed today that a ransomware attack was behind an incident that forced it to take all networked systems offline on January 9, 2023. While the school district also received a ransom demand following the attack from an unnamed ransomware group, the ransom has not been paid. Almost 6,700 individuals whose data was affected in the resulting data breach will be contacted this week with details regarding what personal information was exposed.

    Russian APT28 Hackers Breach Ukrainian Govt Email Servers

    A cyber-espionage group known as APT28, which is associated with Russia's General Staff Main Intelligence Directorate (GRU), has successfully infiltrated Roundcube email servers belonging to various Ukrainian organizations, including government entities. This threat group, also identified as BlueDelta, Fancy Bear, Sednit, and Sofacy, took advantage of the ongoing Russia-Ukraine conflict to deceive recipients.

    ASUS Urges Customers to Patch Critical Router Vulnerabilities

    Yesterday, ASUS released firmware updates to address vulnerabilities impacting several of its router models, warning customers to update their devices or restrict WAN access until they’re secure. In total, 9 vulnerabilities were addressed, some of which have been rated high and critical in severity. Most severe of the flaws include CVE-2022-26376 and CVE-2018-1160, which have both received a 9.8 score out of 10 on the CVSS scale. CVE-2022-26376 relates to a critical memory corruption weakness in the Asuswrt firmware used in Asus routers. Successful exploitation of this flaw could enable a threat actor to trigger a denial of service or gain code execution.

    Vidar Malware Using New Tactics to Evade Detection and Anonymize Activities

    The threat actors behind the Vidar malware have made changes to their backend infrastructure, indicating attempts to retool and conceal their online trail in response to public disclosures about their modus operandi. ‘Vidar threat actors continue to rotate their backend IP infrastructure, favoring providers in Moldova and Russia,’ cybersecurity company Team Cymru said in a new analysis shared with The Hacker News. Vidar is a commercial information stealer that's known to be active since late 2018. It's also a fork of another stealer malware called Arkei and is offered for sale between $130 and $750 depending on the subscription tier. Typically delivered through phishing campaigns and sites advertising cracked software, the malware comes with a wide range of capabilities to harvest sensitive information from infected hosts.

    MOVEit Transfer Customers Warned of New Flaw as PoC Info Surfaces

    On Thursday, Progress software disclosed yet another vulnerability in its MOVEit Transfer application, making this the third vulnerability the company has addressed since May 2023. Similar to the previous flaws (CVE-2023-34362 (May 31, 2023) & CVE-2023-35036 (June 9, 2023)), the latest vulnerability (CVE-2023-35708 (June 15, 2023)) also relates to a case of SQLi injection and could allow threat actors to escalate privileges and potentially gain unauthorized access to MOVEit Transfer’s database.