A critical vulnerability (CVE-2025-31161) in CrushFTP versions 10 and 11, allowing for remote authentication bypass and admin access, was disclosed privately to customers on March 21st. Outpost24, the discoverer, had initiated a responsible disclosure process with MITRE, aiming for a 90-day embargo to prevent malicious exploitation.
A significant uptick in generative AI scraper bot activity has been observed between December 2024 and February 2025, signaling a growing operational concern for organizations managing web applications.
In the first quarter of 2025, Steam became the most imitated brand in phishing campaigns, marking a shift from the usual dominance of tech giants like Microsoft and Meta, Guardio researchers reported.
According to a new report from the AhnLab SEcurity intelligence Center (ASEC), threat actors were observed impersonating a recruitment email from a developer community called Dev.[]to to distribute malware.
Wiz Threat Research uncovered a new variant of an ongoing campaign targeting misconfigured and publicly exposed PostgreSQL servers, primarily those with weak or easily guessable login credentials.
The financially motivated cybercrime group FIN7—also known as Carbon Spider, Sangria Tempest, ELBRUS, Gold Niagara, and Savage Ladybug, has been linked to a sophisticated Python-based backdoor called Anubis. This malware is designed to provide remote access and control over compromised Windows systems.
Beginning in late 2024, Unit 42 researchers have noticed a shift in QR code phishing tactics. Attackers are employing strategies such as hiding the final malicious website destination by leveraging the redirection mechanisms of legitimate sites and other phishing tactics.
In late January 2025, a Managed Service Provider (MSP) administrator fell victim to a sophisticated phishing attack targeting their ScreenConnect Remote Monitoring and Management (RMM) tool. The attack, attributed with high confidence by Sophos to the ransomware affiliate tracked as STAC4365, began with a well-crafted phishing email purporting to be a ScreenConnect authentication alert.
North Korean IT workers, often referred to as “IT warriors,” have expanded their operations beyond the United States and are now increasingly targeting organizations across Europe.
Ontinue's Cyber Defence Centre (CDC) analyzed a sophisticated, multi-stage attack that effectively combined vishing, remote access tools, and living-off-the-land techniques to infiltrate the victim's system.
Ontinue's Cyber Defence Centre investigated a complex, multi-stage attack involving social engineering, remote support abuse, and stealthy post-exploitation techniques. The intrusion began with a vishing campaign where the threat actor impersonated IT support and delivered a malicious PowerShell payload via Microsoft Teams chat.
Attackers are actively exploiting a critical authentication bypass vulnerability in CrushFTP file transfer software, tracked as CVE-2025-2825.
Yesterday, Apple released security updates to address several vulnerabilities impacting a range of products including macOS, ipadOS, iOS, and much more. Notably, three of the flaws, tracked as CVE-2025-24200, CVE-2025-24201, and CVE-2025-24085, were exploited as zero-days in attacks in the wild:
GreyNoise has reported a significant increase in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals, with nearly 24,000 unique IP addresses attempting access in the past 30 days. This surge, which peaked at nearly 20,000 IPs per day from March 17 to March 26, suggests a coordinated effort to probe for vulnerable systems, potentially indicating preparations for future exploitation.
Ukrainian entities have been targeted in a phishing campaign aimed at delivering Remcos RAT, a remote access trojan used for surveillance and data theft.
North Korea's Lazarus Group has adopted a new tactic known as "ClickFix" in its ongoing efforts to compromise job seekers in the cryptocurrency industry, particularly within the centralized finance space.
CISA has identified a new malware strain named RESURGE targeting the patched vulnerability CVE-2025-0282 in Ivanti Connect Secure (ICS) appliances. RESURGE is an improved version of the SPAWNCHIMERA malware, retaining its reboot persistence mechanisms but introducing 3 distinct commands for malware behavior modification.
DarkCloud is a sophisticated infostealer malware that first gained prominence in 2022 and has continued to evolve and expand its presence since then. It is primarily distributed through phishing campaigns, where attackers impersonate legitimate entities or use social engineering tactics to compromise targets, especially HR departments.
DFIR Report researchers shared details of an intrusion that occurred in May 2024, where actors leveraged a fake zoom installer to infect the targeted system with BlackSuit ransomware. The attack initiated when an unsuspecting victim visited a malicious site masquerading Zoom's official download page (zoommanager[.]com).
Lucid is identified as a significantly impactful and sophisticated Phishing-as-a-Service (PhAAS) platform operated by Chinese-speaking threat actors. This platform targets a vast global landscape, impacting 169 entities across 88 countries.
CoffeeLoader is a sophisticated malware loader identified by security firm Zscaler in September 2024, designed to download and execute second-stage payloads while evading detection by security solutions.
Cybercriminals are now exploiting sponsored Google ads to target users searching for the popular AI chatbot, DeepSeek. According to security firm Malwarebytes, the attackers are using Google Ads to promote domains that mimic DeepSeek's official site, such as deepseek-ai-soft[.]com and deepseakr[.]com.
ESET researchers have uncovered that a custom security evasion tool developed by the RansomHub ransomware group has been used in attacks linked to three additional cybercrime gangs: Play, Medusa, and BianLian.
A sophisticated Phishing-as-a-Service platform, identified by Infoblox Threat Intelligence and dubbed Morphing Meerkat, has been observed spoofing over 100 well-known brands in order to steal user credentials through dynamic and highly evasive phishing attacks.
Security researchers from Forescout's Vedere Labs have disclosed 46 serious vulnerabilities in solar inverters produced by the world's top three manufacturers. These flaws, which affect both the devices and their associated cloud platforms, could allow attackers to remotely take control of the inverters, execute malicious code, access sensitive user data, or even physically damage components.
A widespread and persistent cyber campaign compromised around 150,000 legitimate websites by injecting malicious JavaScript to redirect users to Chinese-language gambling platforms. According to c/side security analyst Himanshu Anand, the threat actor continues to rely on iframe injections to deliver fullscreen overlays in victims' browsers.
RedCurl, aka Earth Kapre and Red World, is a Russian-speaking hacking group, that has been active since November 2018. The group is known for launching spear-phishing attacks (e.g. phishing emails containing IMG files disguised as CV documents) against organizations in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the United Kingdom, and the United States.
Credential stuffing is a type of cyberattack in which malicious actors exploit of a list of stolen or leaked usernames and passwords to gain unauthorized access to accounts that use the same credentials.
The Chinese threat actor FamousSparrow has been observed deploying new variants of its custom SparrowDoor backdoor and, for the first time, the widely shared Chinese state-sponsored malware ShadowPad RAT in attacks targeting a trade group in the United States and a research institute in Mexico during July 2024.
Cybersecurity researchers have uncovered two malicious packages on the npm registry ethers-provider2 and ethers-providerz that exemplify a new wave of software supply chain attacks targeting open-source ecosystems. Published on March 15, 2025, ethers-provider2 was downloaded 73 times before detection, while ethers-providerz received no downloads and was likely removed by its author.
The threat actor known as EncryptHub has been exploiting a recently patched zero-day vulnerability in Microsoft Windows, CVE-2025-26633 (CVSS score: 7.0), to deliver various malware families, including Rhadamanthys and StealC, which are commonly used for backdoor access and information stealing.
A recent analysis by K7 Labs has uncovered a new campaign attributed to the North Korean APT group Kimsuky, also known as "Black Banshee." The analysis details the group's latest infection chain, which involves the use of malicious VBScript and PowerShell scripts along with encoded text files to deliver and execute payloads.
On Tuesday, Google addressed a zero-day vulnerability in its Chrome browser that had been actively exploited in attacks. Tracked as CVE-2025-2783, the vulnerability stems from an “incorrect handle provided in unspecified circumstances in Mojo on Windows.”
IOCONTROL is a newly emerging malware strain attributed to the anti-Israeli and pro-Iranian hacktivist group, Cyber Av3ngers. First observed in December 2024, IOCONTROL targets IoT devices and Linux-based systems and supports various functions enabling operators to gain remote access to systems and conduct surveillance, manipulate systems, exfiltrate data, and facilitate lateral movement.
Sygnia investigated a prolonged cyber espionage campaign targeting a major telecommunications company in Asia. The threat actor, tracked as Weaver Ant, is assessed to have China-nexus ties based on their operational behavior, infrastructure, and targeting.
A new in-depth investigation by Silent Push, in collaboration with Team Cymru, has identified nearly 200 unique command-and-control domains linked to the Raspberry Robin malware, highlighting the growing scale and complexity of this threat.
Launched on March 7, 2025, VanHelsingRaaS is a rapidly growing ransomware-as-a-service platform that has already infected at least three known victims within its first two weeks of operation.
Threat actors are exploiting free online document converter tools to infect victims' computers with malware, including ransomware. The FBI's Denver Field Office has issued a warning, noting an increase in scams involving these tools, which claim to convert or merge files (such as turning a .doc file into a .pdf or combining multiple .jpg files into one .pdf) or, in some cases, masquerade as MP3 or MP4 downloaders.
Cyble has uncovered a new social engineering campaign targeting developers, particularly Polish-speaking job-seekers, by disguising malware as a technical coding challenge on GitHub.
Security researchers have issued a warning about a new malvertising campaign that exploits fake Google ads for Semrush, a SEO and marketing platform widely used by businesses, to harvest victims' Google account credentials and sensitive data.
A critical security flaw has been disclosed in the Next.js React framework that could be potentially exploited to bypass authorization checks under certain conditions.
New variants of the Albabat ransomware were recently discovered by researchers at Trend Micro, which now target not only Microsoft Windows systems but also gather hardware and system information from Linux and macOS environments.
Researchers at SEQRITE have uncovered a new C++ based information stealer, dubbed SvcStealer, which is being distributed through spear-phishing emails. First observed in late January 2025, SvcStealer is designed to harvest a wide range of sensitive information from the targeted system.
Cisco Talos researchers have identified a previously unknown threat actor, UAT-5918, which has been actively targeting critical infrastructure in Taiwan since at least 2023. The group is believed to be an advanced persistent threat actor focused on establishing long-term access to victim environments for the purpose of espionage and data theft.
Cybersecurity researchers at Sygnia have discovered a concerning attack method that exploits recent VMware vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226). This observed technique allows attackers to escape virtual machines, circumvent security controls, and deploy ransomware at scale.
Cybercriminals are increasingly using malicious kernel drivers—either exploiting vulnerable legitimate ones or deploying custom-built drivers—to disable endpoint detection and response tools and evade detection.
Summary: Swiss Telecommunications provider, Ascom recently issued an advisory, stating that it is investigating a cyberattack that compromised it's technical ticketing system. The company reassured that other IT and customer systems remain unaffected, and there has been no disruption to business operations.
In November, 2024, NAKIVO patched a path traversal flaw in its backup & replication software, which could allow unauthenticated actors to read arbitrary files on vulnerable devices.
On March 5, 2025, the U.S. Department of Justice unsealed an indictment against employees of the Chinese contractor I‑SOON, revealing their involvement in global cyber espionage campaigns. The indictment detailed a series of attacks attributed to I‑SOON's operational arm, the FishMonger APT group, including a 2022 cyber campaign known as Operation FishMedley, which targeted governments, NGOs, and think tanks across Asia, Europe, and the United States.
Symantec researchers have uncovered a RansomHub affiliate deploying Betruger, a sophisticated multi-function backdoor designed to enhance cyberattacks. This malware provides extensive capabilities, including capturing screenshots, logging keystrokes, scanning networks, dumping credentials, escalating privileges, and uploading files to a command-and-control server.
As the April tax deadline draws near, scammers are taking advantage of the heightened stress and urgency of individuals rushing to file their returns. According to a press release by F-Secure, fraudsters are impersonating the Internal Revenue Service (IRS) to deceive victims through text messages and emails.
CERT-UA has issued a warning regarding a new campaign targeting Ukraine's defense sector, utilizing the Dark Crystal RAT (DCRat). They have recorded numerous cases of these cyberattacks. This activity cluster, identified in June 2024, targets both defense-industrial complex enterprises and military personnel.
Security firm Intel471 notes an increasing trend in threat actors leveraging remote monitoring and management (RMM) applications to gain initial access and move laterally across organizational networks.
A critical, unpatched security flaw in Microsoft Windows, identified as ZDI-CAN-25373, has been actively exploited by 11 state-sponsored threat groups from China, Iran, North Korea, and Russia since 2017. T
Threat actors are actively exploiting CVE-2024-4577, a severe argument injection vulnerability in PHP running on Windows in CGI mode, to deploy cryptocurrency miners and remote access trojans like Quasar RAT.
Pillar researchers have uncovered an undocumented supply chain attack vector, "Rules File Backdoor," that exploits AI-powered code editors like GitHub Copilot and Cursor. Attackers embed malicious prompts within seemingly benign configuration files, specifically, rules files that guide AI behavior.
The ongoing exploitation of VPN-related vulnerabilities such as CVE-2018-13379 and CVE-2022-40684, continues to be a major threat to organizations worldwide. These vulnerabilities, despite being disclosed years ago, are still widely used by attackers in large-scale campaigns targeting VPN infrastructure.
Researchers at BI.Zone have uncovered a campaign where a North Korean threat group dubbed Squid Werewolf (aka APT37, Ricochet Chollima, ScarCruft, Reaper Group) was observed masquerading as recruiters to target job seekers and employees at specific organizations.
Guardz researchers have identified a sophisticated phishing campaign that bypasses traditional email security controls by abusing the inherent trust of Microsoft 365 infrastructure.
Researchers have confirmed that BlackLock is a rebranded version of the notorious Eldorado ransomware group, revealing a direct link between the two. After facing increased pressure from law enforcement and security experts, Eldorado resurfaced under the BlackLock banner, refining its operational model while maintaining its ransomware-as-a-service structure.
Threat hunters have uncovered new details about a cyber espionage campaign by the China-aligned MirrorFace group, which targeted a European Union diplomatic organization using the ANEL backdoor. The attack, detected by ESET in late August 2024, specifically focused on a Central European diplomatic institute, using lures themed around the upcoming World Expo in Osaka, Japan.
According to security researchers at Akamai, a critical command injection flaw impacting the Edimax IC-7100 network camera has been exploited in attacks in the wild since at lest May 2024 to deliver Mirai botnet malware variants.
Microsoft has uncovered details of a novel remote access trojan (RAT), dubbed StilachiRAT, which it uncovered in November, 2024. For its part, StilachiRAT employs sophisticated techniques to evade detection, maintain persistence on targeted environments, and exfiltrate sensitive information.
Cybersecurity researchers have recently uncovered a significant supply chain compromise targeting the widely adopted GitHub Action, "tj-actions/changed-files," which is integrated into the CI/CD workflows of over 23,000 software repositories.
Malicious actors are exploiting Cascading Style Sheets to evade spam filters and track user activity in phishing campaigns, posing significant security and privacy risks. According to Cisco Talos, attackers leverage CSS features to bypass detection in email clients, which impose strict restrictions on JavaScript and other dynamic content.
Cybercriminals are leveraging malicious Microsoft OAuth apps disguised as Adobe and DocuSign applications to steal Microsoft 365 credentials and deliver malware. Proofpoint researchers identified these highly targeted campaigns, which impersonate Adobe Drive, Adobe Drive X, Adobe Acrobat, and DocuSign to appear legitimate.
A widespread phishing campaign is underway, where fake security alerts on are being posted on GitHub repositories to trick unsuspecting developers into authorizing a malicious OAuth app that grants attackers full control over their accounts and source code.
EclecticIQ security researcher Arda Byukkaya has uncovered details of a novel framework, dubbed ‘BRUTED,' which the Black Basta ransomware gang has used since 2023 to conduct large-scaled credential-stuffing and brute force attacks against edge network devices.
A new malware campaign, OBSCURE#BAT, has been identified using social engineering tactics to deploy the r77 rootkit, an open-source tool that enables persistence and evasion on compromised systems.
Microsoft Threat Intelligence has detected an active and evolving phishing campaign, designated as Storm-1865, which commenced in December 2024 and persists as of February 2025. This campaign specifically targets organizations within the hospitality sector, with a focus on individuals most likely to interact with Booking.com.
Barracuda's March Email Threat Radar report highlights a new campaign, where fraudsters are impersonating Clop ransomware to extort payments from victims. In this case, the attackers send emails falsely claiming to be Clop and state that they have successfully exploited a vulnerability in Cleo, a company known for developing managed file transfer platforms such as Cleo Harmony, VLTrader, and LexiCom.
A new ransomware group, dubbed SuperBlack (also referred to as "Mora_001"), was recently discovered by researchers at Forescout. This group has been exploiting two authentication bypass vulnerabilities (CVE-2024-55591 and CVE-2025-24472) affecting Fortigate firewall appliances.
A dual Russian-Israeli national, Rostislav Panev, has been extradited to the United States, where he faces charges for his alleged role as a key developer in the LockBit ransomware operation.
Facebook has issued a warning about a critical vulnerability in FreeType, an open-source font rendering library widely used across multiple platforms, including Linux, Android, game engines, GUI frameworks, and online services.
XWorm Remote Access Trojan (RAT) is a sophisticated malware tool that has gained popularity among cybercriminals due to its advanced capabilities and widespread availability.
This report details a sophisticated phishing campaign targeting users of Microsoft Copilot, a relatively new Generative AI service. Attackers are leveraging the novelty of Copilot and the widespread usage of the Microsoft ecosystem in organizations to deceive employees.
Mimecast recently conducted a study surveying 1,100 IT security professionals and decision-makers from the United States, United Kingdom, France, Germany, South Africa, and Australia to gain insights into their current cybersecurity challenges and priorities for the upcoming year.
Lookout has uncovered details of a new Android spyware, dubbed ‘KoSpy,' that is masquerading as utility apps to target Korean and English speaking users. KoSpy has been active since March 2022 and uses the Google Play store and Firebase Firestore for propagation.
A recent campaign, tracked by Trend Micro, leverages fake GitHub repositories to distribute malware, primarily SmartLoader, which then deploys Lumma Stealer. These repositories, designed to appear legitimate, offer gaming cheats, cracked software, and system tools, utilizing AI-generated content and social engineering to deceive users.
On March 9, GreyNoise detected a sharp and coordinated spike in Server-Side Request Forgery exploitation, affecting multiple widely used platforms. At least 400 unique IPs were observed actively exploiting 10 different SSRF-related CVEs simultaneously, with notable overlap in attack attempts.
Security firm Cyfirma has uncovered details of a new ransomware strain dubbed, “Ebyte” which has been made publicly available on GitHub by its developer, EvilByteCode. Written in the Go programming language, Ebyte utilizes a combination of ChaCha20 and ECIES encryption to lock victim files.
As part of the March Microsoft Patch Tuesday, Microsoft addressed 57 flaws, including 7 zero-days, 6 of which are being actively exploited in attacks in the wild. Of the 57 flaws, there were 23 elevation of privilege vulnerabilities, 3 security feature bypass vulnerabilities, 23 remote code execution vulnerabilities, 4 information disclosure vulnerabilities, 1 denial of service vulnerabilities, and 3 spoofing vulnerabilities.
A hacktivist group calling themselves "Dark Storm," claiming pro-Palestinian motivations, has asserted they are responsible for a series of Distributed Denial-of-Service (DDoS) attacks that caused widespread outages on the X platform. X owner Elon Musk confirmed a "massive cyberattack" but initially didn't attribute it to Dark Storm.
SideWinder, an India-based cyber-espionage group active since at least 2012, has recently escalated its cyberattacks on maritime and logistics organizations across Africa and Asia. Security researchers from Kaspersky have tracked the group's activities since early 2024, identifying targeted organizations in Egypt, Djibouti, the United Arab Emirates, Bangladesh, Cambodia, and Vietnam.
The Ballista botnet is actively targeting unpatched TP-Link Archer routers by exploiting a remote code execution vulnerability (CVE-2023-1389). This high-severity flaw, affecting TP-Link Archer AX-21 routers, enables attackers to execute arbitrary commands and spread malware.
The misuse of Cobalt Strike, a legitimate adversary simulation tool, has significantly decreased over the past two years, according to its developer, Fortra. While initially designed for security penetration testing, cybercriminals and state-sponsored threat actors have exploited cracked versions of the tool to target critical sectors like healthcare with ransomware and other malware.
A new blog post by Group-IB highlights a surge in SIM swap fraud, despite security measures implemented by telecom providers to prevent such attacks. SIM swap fraud occurs when an actor obtains sensitive information, such as a victim's national ID, phone number, and card details, typically through phishing websites or social engineering tactics.
Researchers have detected a sharp rise in malicious software packages designed to exploit system vulnerabilities through obfuscation and stealth tactics. A newly published report from Fortinet, covering threats observed since November 2024, details how attackers are leveraging lightweight, concealed software packages to infiltrate systems while evading traditional security measures.
Travelers' latest Cyber Threat Report published on March 6, 2025 reveals a significant shift in ransomware tactics during 2024.
Former software developer Davis Lu, 55, of Houston, was convicted of sabotaging Eaton Corporation's computer systems after losing responsibilities following a corporate restructuring in 2018. Lu, who worked at the Ohio-based power management company from November 2007 to October 2019, retaliated by deploying malicious code that severely disrupted the company's operations.
The Medusa ransomware has become a primary weapon for the threat group Spearwing, which has claimed nearly 400 victims since 2023, as evidenced by its leak site. According to Symantec researchers, Spearwing has rapidly expanded its operations, likely filling the void left by the decline of major ransomware groups such as Noberus and LockBit.
Researchers at SquareX have uncovered a new campaign leveraging polymorphic browser extensions to steal credentials and other sensitive data. These malicious extensions can silently impersonate any extension installed on a victim's browser, creating the illusion that trusted tools like password managers, crypto wallets, or banking apps are requesting sensitive information.
Several U.S. cities are issuing warnings about a surge in phishing text messages that impersonate municipal parking violation departments in an attempt to steal sensitive data from unsuspecting recipients.
Microsoft has reported on X (formerly Twitter) that the North Korean hacking group Moonstone Sleet has recently deployed Qilin ransomware in a limited number of attacks, marking a shift in their operational tactics.
Medusa ransomware, a Ransomware-as-a-Service (RaaS) operation tracked as Spearwing by Symantec, has demonstrated a significant surge in activity since its emergence in early 2023. Claiming nearly 400 victims, the group has seen a 42% increase in attacks between 2023 and 2024, with over 40 attacks reported in the first two months of 2025 alone.
Threat hunters have uncovered Ragnar Loader, a sophisticated and adaptable malware toolkit leveraged by multiple ransomware and cybercrime groups, including Ragnar Locker, FIN7, FIN8, and Ruthless Mantis (formerly REvil). While it is closely associated with Ragnar Locker, it remains unclear whether the group owns it outright or if they rent it to other threat actors.
A new blog post by Microsoft highlights a large-scale malvertising campaign that has been active since early December, 2024, and that has impacted nearly one million devices to date.
Security firm S-RM recently uncovered details of an Akira ransomware intrusion where the group was able to identify and compromise an unsecured webcam on the targeted network and further deploy ransomware (T1486 - Data Encrypted for Impact) from it without triggering detection from existing Endpoint Detection and Response (EDR) solutions in place.
Phantom Goblin is a recently discovered malware campaign distributed through RAR attachments and social engineered malicious LNK files to infect systems. The malware employs a LNK file disguised as a legitimate document to execute a PowerShell script, which retrieves additional payloads from a GitHub repository to avoid detection.
EncryptHub, a financially motivated threat actor, has been conducting sophisticated phishing campaigns to distribute information stealers and ransomware while also developing a new tool called EncryptRAT.
The U.S. Department of Justice has charged 12 Chinese nationals for their involvement in a far-reaching cyberespionage campaign aimed at stealing sensitive data and suppressing free speech worldwide.
Software company Elastic has addressed a critical vulnerability in Kibana, a widely used data visualization platform for Elasticsearch, that could allow attackers to execute arbitrary code on affected systems by uploading a specially crafted file and sending malicious HTTP requests.
According to a post on the social media platform X by cybersecurity firm PRODAFT, a new ransomware group, dubbed SecP0, has emerged with a novel approach to extorting payments from organizations. Unlike traditional ransomware groups that typically encrypt victims' data and demand payment for decryption keys, SecP0 is reportedly identifying critical vulnerabilities in widely used applications and systems, threatening to publicly disclose these flaws unless a ransom is paid.
VMware has released a critical security advisory addressing three zero-day vulnerabilities (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) that are being actively exploited in the wild. These vulnerabilities affect VMware ESXi, Workstation, and Fusion products, with severity levels ranging from high to critical.
Lotus Panda, a suspected China-nexus APT group active since at least 2012, has intensified its targeting of government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan. Cisco Talos observed Lotus Panda deploying updated versions of its Sagerunex backdoor, including new "beta" variants, demonstrating a focus on long-term persistence and evasion.
The China-linked threat actor Silk Typhoon (formerly Hafnium), known for exploiting zero-day vulnerabilities in Microsoft Exchange servers in January 2021, has evolved its tactics to focus on the IT supply chain as a means of gaining initial access to corporate networks.
A newly identified polyglot malware is being leveraged in targeted attacks against aviation, satellite communication, and critical transportation organizations in the United Arab Emirates. The malware delivers a backdoor named Sosano, enabling attackers to establish persistence on infected systems.
A new botnet malware, dubbed 'Eleven11bot,' has infected over 86,000 IoT devices, primarily security cameras and network video recorders, to launch DDoS attacks against telecommunication providers and online gaming servers. Discovered by Nokia researchers, Eleven11bot is one of the largest DDoS botnets in recent years.
GuidePoint has uncovered a new campaign in which threat actors are sending physical ransom notes to senior executives at US organizations via the United States Postal Service.
The Splunk Threat Research Team has identified a mass exploitation campaign targeting ISP infrastructure providers on the West Coast of the United States and China.
Nisos has uncovered a network of likely North Korean DPRK-affiliated IT workers posing as Vietnamese, Japanese, and Singaporean nationals to obtain remote engineering and blockchain developer positions in Japan and the United States.
In 2024, a total of 33.5 million attacks involving malware and unwanted software targeting mobile devices were prevented. Notably, Adware was the most common type of mobile threat, accounting for 35% of detections observed by Kaspersky.
Paragon Partition Manager's BioNTdrv.sys driver, in versions prior to 2.0.0, contains five vulnerabilities that can be exploited by attackers with local access to escalate privileges on targeted devices or launch denial of service attacks.
Trend Micro researchers have uncovered a sophisticated cyber-attack leveraging social engineering and widely used remote access tools to deploy a stealthy infostealer malware. This campaign grants attackers persistent access to compromised machines, enabling them to steal sensitive data.
DragonForce, a Ransomware-as-a-Service (RaaS) group discovered in August 2023, executed a considerably major cyberattack, first announced on February 14, 2025, against a large enterprise in Saudi Arabia's real estate and construction sector, marking their first major attack against a KSA entity.
In late February 2025, major updates for two prominent info-stealers, Vidar and StealC, were simultaneously released, both transitioning to version 2.0. These updates introduce new builds which have been written from scratch, modernized user interfaces, and enhanced capabilities, including a new “morpher” module to improve runtime stability and speed up execution.
Malwarebytes has uncovered a new campaign that exploits Google ads, directing victims to specially crafted PayPal payment links. These links trick users into calling fraudsters posing as legitimate customer service representatives.
Unit 42 researchers have identified phishing activity linked to the cyber threat actor JavaGhost, which has been active for over five years. Initially known for website defacement, the group shifted in 2022 to targeting cloud environments, specifically AWS, to conduct phishing campaigns for financial gain.
Microsoft has updated its civil lawsuit to name four individuals responsible for developing and distributing tools that bypass security measures in generative AI services, including Microsoft's Azure OpenAI Service.
Netskope Threat Labs researchers expanded upon their report on threat actors leveraging fake CAPTCHAs for phishing on February 12th, 2025, with new research published in a blog post yesterday.
According to a new report from GreyNoise, 40% of exploited CVEs in 2024 were at least four years old, with some dating back to the 1990s. Furthermore, in 2024, ransomware groups leveraged 28% of vulnerabilities listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating that mass exploitation is a major driver of financially motivated attacks.
Security firm Darktrace has shined light on an emerging ransomware group dubbed Lynx which is known for targeting organizations in the finance, architecture, retail, energy, and manufacturing sectors. Operating under a ransomware-as-a-service model, Lynx provides affiliates a portion of the ransom after gaining initial access and deploying Lynx's encryptor.
A newly uncovered malware campaign leveraging Winos 4.0 is actively targeting organizations in Taiwan through phishing emails that impersonate Taiwan's National Taxation Bureau. First observed by FortiGuard Labs in January 2025, this attack marks a shift in cybercriminal tactics, using government-themed social engineering to increase credibility and deceive victims.
Researchers at KELA have uncovered activity belonging to a group named Anubis Ransomware. Anubis has an official X account which suggests they have been active since at least November 2024.
On February 21, 2025, cryptocurrency exchange Bybit revealed that a cyberattack resulted in the theft of over $1.5 billion worth of cryptocurrency from one of its Ethereum cold wallets, marking the largest single crypto heist in history.
Sekoia has uncovered details of a new campaign targeting edge devices, integrating them into a sophisticated botnet dubbed “PolarEdge.” Based on network traces observed through honeypots set up by Sekoia, actors were found exploiting a remote code execution vulnerability (CVE-2023-20118) in the web-based management interface of Cisco Small Business routers on two separate occasions.
This report from Palo Alto Networks' Unit 42 details a sophisticated macOS malware campaign, attributed with moderate confidence to North Korean state-sponsored threat actors, targeting job-seeking software developers within the cryptocurrency sector.
Between November and December 2024, Palo Alto Networks researchers discovered a new Linux malware variant named Auto-color, which derives its name from the filename it renames itself to upon installation.
LCRYX ransomware, a VBScript-based malware, has resurfaced in February 2025 after its initial emergence in November 2024. The ransomware encrypts files using the ‘.lcryx' extension and demands a $500 bitcoin ransom for decryption.
The Have I Been Pwned (HIBP) service has added over 284 million accounts to its database, which were stolen by information-stealer malware and found on a Telegram channel.
Researchers at Securelist have uncovered details of a malware campaign, dubbed "GitVenom," which has been distributing malicious code through fraudulent repositories on GitHub to target developers seeking tools for automation, cryptocurrency, and gaming hacks.
A new report from Forescout's Vedere Labs reveals a significant shift in cyber threats against the healthcare sector, with attackers moving beyond hospital networks to infiltrate patient-facing medical software.
Researchers have discovered an upgraded version of the LightSpy spyware, now equipped with expanded data collection features targeting social media applications like Facebook and Instagram.
Hunt[.]io has published an analysis of a threat actor campaign targeting users attempting to download messaging apps including Signal, Line, and Gmail. Signal, Line, and Gmail are popular apps that users often discover and download via search engines, making them attractive targets for SEO poisoning by cybercriminals to distribute malware.
Researchers at AhnLab Security Intelligence Center (ASEC) have uncovered a malware campaign distributing the LummaC2 information stealer disguised as a cracked version of Total Commander, a popular Windows file management tool.
Security firm Group-IB has uncovered details of a campaign dubbed “ScreamedJungle,” which is using stolen browser fingerprints to impersonate legitimate users and bypass defenses.
A newly discovered botnet of over 130,000 compromised devices is launching a highly coordinated password-spraying attack on Microsoft 365 accounts, exposing critical vulnerabilities in modern authentication practices.
Paypal users are facing an ongoing email scam campaign that leverages the platform's address settings to distribute fraudulent purchase notifications that use social engineering techniques to convince users to grant the attacker remote access.
Proof-of-concept (POC) code has been released on GitHub for a high severity command injection vulnerability in F5's iControl REST API and BIG-IP Traffic Management Shell (TMSH) command-line interface.
Researchers at DFIR Report have uncovered details of an intrusion where LockBit ransomware was deployed by a threat actor within 2 hours of gaining initial access. The intrusion initiated with the compromise of an exposed Windows Confluence server that was vulnerable to critical a server-side template injection vulnerability in Confluence.
Summary: The AhnLab Security Intelligence Center (ASEC) has observed a significant increase in the distribution of ACRStealer infostealer malware, often disguised as cracks and keygens for illegal software.
Cisco Talos has been tracking a widespread intrusion campaign targeting major U.S. telecommunications companies, attributed to the sophisticated threat actor Salt Typhoon. Initially reported in late 2024 and later confirmed by the U.S. government, this campaign demonstrates advanced persistence techniques, allowing the attackers to maintain access for over three years in some cases.
A leaker known as ExploitWhispers has released an archive of internal Matrix chat logs from the Black Basta ransomware operation, initially uploaded to MEGA before being removed and later shared on a dedicated Telegram channel. I
In December 2024, 18,000 devices were scanned using an application developed by iVerify, which leverages signature-based detection, heuristic analysis, and machine learning to identify Pegasus artifacts.
In January 2025, Ivanti addressed a stack-based buffer overflow flaw (CVE-2025-0282) in its Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways which could enable unauthenticated actors to remotely execute code.
The Darcula phishing-as-a-service (PhaaS) platform is set to launch a new version, Darcula V3, significantly enhancing its capabilities to allow anyone to create highly convincing phishing sites with no technical expertise.
U.S. authorities have released an advisory detailing the activities of Ghost, a financially motivated ransomware group originating from China, which has compromised organizations across more than 70 countries.
Cybercriminals have been observed approaching their targets under the guise of company recruiters in the past, enticing them with fake offers of employment. Cybercriminals exploit the vulnerability of an individual distracted by a potential job offer.
Microsoft recently addressed an elevation-of-privilege vulnerability in its Power Pages platform, which the vendor confirms was exploited as a zero-day in attacks in the wild. Power Pages is a low-code, Software-as-a-Service (SaaS) platform that allows organizations to build, host, and manage business websites with ease.
An unidentified threat actor has been observed targeting European organizations, notably in the healthcare sector, with an undocumented C++ ransomware strain, dubbed NailaoLocker. The campaign, tracked as Green Nailao, was uncovered by Orange Cyberdefense CERT and initiated between June and October last year.
Mustang Panda, a Chinese APT group also tracked as Earth Preta, has been observed abusing Microsoft's Application Virtualization Injector as a LOLBIN to stealthily inject malicious payloads into legitimate Windows processes, evading antivirus detection.
Exploitation attempts against CVE-2025-0108, a critical authentication bypass vulnerability affecting the management web interface of Palo Alto Networks' firewalls, have surged in recent days.
Google Threat Intelligence Group (GTIG) has observed and analyzed a significant uptick in Russian-aligned cyber operations targeting Signal Messenger to compromise accounts belonging to individuals of interest to Russian intelligence services like GRU.
Mustang Panda, a Chinese APT group also tracked as Earth Preta, has been observed abusing Microsoft's Application Virtualization Injector as a LOLBIN to stealthily inject malicious payloads into legitimate Windows processes, evading antivirus detection.
KnownHost recently conducted a study to examine the most commonly used passwords and the likelihood of these passwords being hacked based on the frequency of their appearance in recorded data breaches.
Researchers at Malwr-Analysis have uncovered details of a new campaign that is infecting end users with Arechclient2 (aka sectopRAT), a highly obfuscated .NET-based Remote Access Trojan. SectopRAT is being disguised as a legitimate Google Chrome extension, “Google Docs,” for propagation.
Recently, Proofpoint identified two new actors, TA2726 and TA2727, involved in web-based malware distribution. TA2726 functions as a TDS operator, selling traffic to other threat actors, including TA569 and TA2727.
FortiGuard Labs recently detected a new variant of Snake Keylogger (also known as 404 Keylogger) using FortiSandbox v5.0 (FSAv5), this malware has been responsible for over 280 million blocked infection attempts, with the highest concentrations in China, Turkey, Indonesia, Taiwan, and Spain.
In January 2025, the eSentire Threat Response Unit (TRU) observed the use of a legitimate Adobe executable to sideload the EarthKapre/RedCurl loader. RedCurl APT is a highly sophisticated group known for targeting private-sector organizations with a focus on corporate data theft and persistence.
Researchers at Cyfirma have uncovered details of a new ransomware strain, dubbed Vgod, which specifically targets Windows systems with advanced encryption techniques. Similar to other ransomware families such as LockBit, Vgod employs the AES-256 encryption algorithm to lock files, with RSA-4096 encryption used for key protection.
On January 7, 2024, SonicWall released security updates to address an improper authentication vulnerability in the SSLVPN authentication mechanism, which could allow remote attackers to hijack active SSL VPN sessions without authentication.
Securonix has been tracking a cyberattack campaign being conducted by a North Korea-sponsored threat actor known as Kimsuky (APT43, Emerald Sleet). This ongoing campaign, dubbed DEEP#DRIVE has been targeting South Korean business, government, and cryptocurrency sectors.
Attackers leveraged a PostgreSQL zero-day vulnerability (CVE-2025-1094) in conjunction with two BeyondTrust flaws (CVE-2024-12356 and CVE-2024-12686) and a stolen API key to breach BeyondTrust's network in December 2023. BeyondTrust later revealed that 17 of its Remote Support SaaS instances were affected.
Microsoft Threat Intelligence Center has identified an ongoing and highly effective device code phishing campaign attributed to Storm-2372, a suspected Russian state-affiliated threat actor.
A recent report from Group-IB reveals that RansomHub emerged as the most active ransomware group of 2024, targeting over 600 organizations across various sectors, including healthcare, finance, government, and critical infrastructure. RansomHub initiated operations in early February 2024, shortly after coordinated law enforcement efforts dismantled the infrastructure of the BlackCat and LockBit ransomware groups, both of which were among the most active at the time.
Recorded Future's Insikt Group has uncovered details of a campaign exploiting unpatched internet-facing Cisco network devices, primarily associated with global telecommunications providers and a handful of universities.
Astaroth, a newly emerged phishing tool, is rapidly gaining traction on cybercrime platforms due to its advanced ability to bypass two-factor authentication. First advertised in January 2025, it employs session hijacking and real-time credential interception to compromise accounts on major platforms like Gmail, Yahoo, and Office 365.
Symantec researchers have identified a China-based threat actor, Emperor Dragonfly, leveraging RA World ransomware in a financially motivated attack against an Asian software and services company in late 2024.
According to researchers at Hunt.io, hackers have been exploiting the open-source Pyramid pentesting tool to establish stealthy command-and-control (C2) communications. Pyramid, which was first released on GitHub in 2023, is a Python-based post-exploitation framework that is capable of evading endpoint detection and response tools by leveraging Python's widespread presence in many environments.
Netskope Threat Labs has uncovered details of a widespread phishing campaign aimed at stealing credit card information for financial fraud. The campaign has been ongoing since mid-2024 and exploits search engines to direct victims to PDF documents containing CAPTCHA images that are embedded with phishing links.
Microsoft has recently released research they conducted into a subgroup within the Russian state APT Seashell Blizzard (Sandworm) and the details of their initial access campaign that Microsoft dubbed BadPilot.
North Korean threat actor Kimsuky has been observed employing a new social engineering tactic to trick victims into running malicious PowerShell commands as administrators. The attackers impersonate South Korean government officials, gradually building rapport with targets before sending a spear-phishing email containing a PDF attachment.
The United States, Australia, and the United Kingdom have jointly sanctioned Zservers, a Russia-based bulletproof hosting provider, for facilitating ransomware attacks by supplying critical infrastructure to the LockBit gang.
Ivanti released an advisory detailing multiple vulnerabilities affecting its Connect Secure, Policy Secure, and Secure Access Client products. Some of the flaws allow for RCE and unauthorized data access. The vulnerabilities range from medium to critical severity and impact various versions of Ivanti products.
Although QR codes have transformed digital interactions by providing quick access to websites, services, and adding a layer of security to applications, their ubiquity has made them a prime target for threat actors. In "quishing" attacks, fraudsters use fake QR codes to redirect users to counterfeit websites, enabling them to steal personal data, login credentials, or financial details.
As part of the February Microsoft Patch Tuesday, Microsoft addressed 55 flaws, including 4 zero-day flaws, two of which are actively being exploited in attacks in the wild. Of the 55 flaws, there was 19 elevation of privilege vulnerabilities, 2 security feature bypass vulnerabilities, 22 remote code execution vulnerabilities, 1 information disclosure vulnerability, 9 denial of service vulnerabilities, and 3 spoofing vulnerabilities. 3 flaws have been rated critical in severity, all of which can lead to remote code execution.
The Russian military cyber-espionage group Sandworm (APT44), also tracked as UAC-0113 and Seashell Blizzard, has been actively targeting Windows users in Ukraine using trojanized Microsoft Key Management Service activators and fake Windows updates.
Beginning in early January 2025, eSentire Threat Response Unit observed an increase in the number of incidents involving the NetSupport Remote Access Trojan (RAT). The RAT was originally developed as a remote IT support tool in 1989 and was known as NetSupport Manager but has been weaponized by cybercriminals in recent years.
In 2024, ransomware groups such as Lynx, Akira, and RansomHub refined their techniques, prioritizing agility and speed over high-profile targets. According to the 2025 Cyber Threat Report by Huntress, these groups adopted a quantity-over-quality strategy, executing a larger number of attacks at an accelerated pace.
Four suspected European hackers were recently arrested in Phuket, Thailand, in connection with cyberattacks targeting over 1,000 victims worldwide. Dubbed, “Operation Phobos Aetor,” the arrest was carried out by Thai authorities after an urgent request for international cooperation from Swiss and US law enforcement.
Apple has issued out emergency security updates to address a zero-day vulnerability that it says has been exploited in the wild. Tracked as CVE-2025-24200, the flaw pertains to an authorization issue which could enable a malicious actor to disable the USB Restricted Mode on a locked device as part of a physical cyber attack.
Facebook is the third-most visited website on the internet, following Google and YouTube, which makes attacks abusing the brand have a consequential impact. Check Point researchers have recently discovered a new phishing campaign luring unwitting victims by utilizing Facebook-themed copyright infringement emails to harvest credentials.
A large-scale brute force password attack is currently underway, utilizing nearly 2.8 million IP addresses to target a variety of networking devices, including those from Palo Alto Networks, Ivanti, and SonicWall.
CISA has added a new vulnerability to its KEV catalog, impacting Trimble's Cityworks, a GIS-centric asset management software used by local governments, utilities, and public works organizations, to manage public assets, work orders, permitting, licensing, capital planning, and budgeting.
Microsoft has issued a critical warning about a growing security risk in which developers are unknowingly incorporating publicly disclosed ASP.NET machine keys from online sources, making their applications vulnerable to cyberattacks.
Cybercriminals are leveraging scalable vector graphics files in phishing attacks to evade detection by traditional security tools, according to a recent report from Sophos. SVG files, commonly used for rendering vector-based images, contain Extensible Markup Language (XML)-like instructions that allow for the embedding of interactive elements such as hyperlinks and scripts.
Field Effect thwarted a cyberattack where an threat actor exploited newly discovered vulnerabilities in the SimpleHelp Remote Monitoring and Management (RMM) client to gain unauthorized access to a targeted network.
Linwei Ding, a 38 year old Chinese national and former software engineer at Google, has been been indicted for illegally transferring over 500 confidential AI files from Google to his personal accounts. The stolen data, which includes critical hardware and software designs, was allegedly shared with Chinese companies in the AI sector.
This new activity cluster leverages deceptive LinkedIn job offers and is a part of the North Korea-sponsored Contagious Interview operation, primarily targeting individuals in the cryptocurrency and travel industries, to deploy cross-platform malware capable of compromising Windows, macOS, and Linux systems.
Cybercriminals are increasingly leveraging legitimate HTTP client tools, such as Axios and Node Fetch, to facilitate account takeover attacks on Microsoft 365 environments. According to enterprise security company Proofpoint, these tools, often sourced from public repositories like GitHub, are being repurposed for sophisticated attack techniques, including Adversary-in-the-Middle and brute-force tactics.
A new report from Chainalysis highlights a promising shift in the ransomware landscape from 2023 to 2024: more victims are refusing to pay ransoms. As a result, total ransomware payments dropped by approximately 35%, from $1.25 billion in 2023 to $813.55 million in 2024.
Cisco has disclosed several high-severity vulnerabilities in the Simple Network Management Protocol (SNMP) subsystem of its IOS, IOS XE, and IOS XR software. Tracked as CVE-2025-20169, CVE-2025-20170, and CVE-2025-20171, these flaws could allow authenticated, remote attackers to trigger a Denial of Service (DoS) on affected devices.
Palo Alto Network's Unit 42 has observed a growing number of attacks targeting macOS users with infostealer malware. Infostealer malware is typically designed to exfiltrate sensitive credentials, financial records, and intellectual property, which often leads to data breaches, financial losses and reputational damage.
Cybersecurity researchers at Morphisec Threat Labs have investigated a series of indicators of attacks in a campaign that deploys a new version of ValleyRAT malware. Attacks utilizing this malware are frequently attributed to Silver Fox APT.
Five Eyes cybersecurity agencies (UK, Australia, Canada, New Zealand, and the U.S.) have issued guidance urging network device manufacturers to enhance forensic visibility, helping defenders detect and investigate breaches. Network edge devices—such as firewalls, routers, VPN gateways, OT, and IoT systems—are prime targets for both state-sponsored and financially motivated attackers.
In September 2024, the Trend Micro's Threat Hunting team identified CVE-2025-0411, a zero-day vulnerability in 7-Zip, exploited in a SmokeLoader malware campaign targeting Ukrainian entities.
Apple recently updated its XProtect malware tool to block several variants of the macOS Ferret family—FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES.
The Forcepoint X-Labs research team recently uncovered an AsyncRAT malware campaign that leverages malicious payloads delivered via TryCloudflare quick tunnels and Python packages.
According to Security Scorecard STRIKE researchers, North Korea-nexus Lazarus Group has compromised hundreds of victims in multiple countries in a large-scale data harvesting supply chain attack campaign which is ongoing as of mid-January 2025.
Researchers at Trend Micro have uncovered details of a campaign where actors leveraged a zero-day vulnerability in 7-Zip (CVE-2025-0411), to deploy SmokeLoader malware, a modular loader first identified in 2011. SmokeLoader primarily serves as a downloader for secondary payloads but also has capabilities for credential theft, data exfiltration, establishing backdoors, and using obfuscation and sandbox evasion techniques to evade detection.
While the compromise of user credentials and phishing are popular tactics employed in cyberattacks, the widespread adoption of multi-factor authentication has led adversaries to focus more on exploiting vulnerabilities to gain initial access to organizational networks.
SentinelOne researchers have detailed an active phishing campaign targeting “high-profile” X accounts endeavoring to hijack and exploit them to conduct malicious and fraudulent activity. SentinelOne observed this campaign targeting a variety of individual and organization accounts including U.S. political figures, leading international journalists, an X employee, large technology organizations, cryptocurrency organizations, and owners of valuable, short usernames.
On January 29, 2025, two malicious Python packages, deepseeek and deepseekai, were uploaded to the PyPI repository, masquerading as legitimate client libraries for interacting with the DeepSeek AI API.
Brazilian Windows users are the target of an evolving malware campaign deploying the Coyote Banking Trojan, a sophisticated banking malware designed to steal financial credentials and sensitive information.
Last Friday, Meta-owned WhatsApp, a popular messaging platform, stated it disrupted a spyware campaign back in December 2024, targeting journalists and civil society members. In total, 90 individuals were targeted and possibly compromised in the latest campaign, which WhatsApp asserts with high confidence.
Security researchers at Malwarebytes have uncovered a malvertising campaign targeting Microsoft advertisers with fake Google ads that lead to phishing sites designed to steal login credentials.
The Cybereason Security Team has recently published an analysis of a new attack campaign involving the Phorpiex botnet. In this campaign, the botnet is being used to automatically deploy LockBit Black Ransomware. This differs from previous attacks, which often relied on human interaction from LockBit operators, by making the attacks faster and more difficult to detect via the botnet.
DeepSeek, a Chinese AI company known for its open-source large language models (LLMs), launched its chatbot app in January 2025, quickly becoming the most downloaded free app on the U.S. iOS App Store, surpassing OpenAI's ChatGPT.
Google's Threat Intelligence Group conducted an in-depth analysis of how cyber threat actors interacted with Google's AI assistant, Gemini, to assess AI's role in cybersecurity threats. While AI has revolutionized cybersecurity by enhancing secure coding, vulnerability detection, and operational efficiency, it has also raised concerns about its misuse by cybercriminals and state-sponsored actors.
Europol, in coordination with law enforcement from eight countries, successfully dismantled the world's two largest cybercrime forums, Cracked and Nulled. Together, these platforms boasted over 10 million users and served as hubs for cybercrime discussions and marketplaces for illicit goods, including stolen data, malware, and hacking tools.
A critical unauthenticated Remote Code Execution vulnerability has been discovered in DSL-3788 routers, allowing attackers to remotely gain full control of the targeted device. The flaw impacts firmware versions v1.01R1B036_EU_EN and earlier and was reported by Max Bellia of SECURE NETWORK BVTECH.
A new attack technique dubbed Browser Hijacking was uncovered by security researchers at SquareX that enables a seemingly benign Chrome extension to take over a victim's device. This involves several steps, including Google profile hijacking, and browser hijacking, which eventually lead to device takeover.
POISONPLUG.SHADOW, also known as Shadowpad, is a highly sophisticated malware that leverages a custom obfuscating compiler to evade detection and analysis. Its complex obfuscation techniques make it particularly challenging for security researchers to identify and mitigate.
SecurityScorecard's investigation into Lazarus Group's recent cyber attacks on cryptocurrency entities and software developers uncovered a hidden administrative layer, dubbed Phantom Circuit, used to centrally manage the group's command-and-control infrastructure.
Researchers at SlashNext have uncovered a new SMS phishing tool, dubbed Devil-Traff, which features advanced capabilities like sender ID spoofing and automated messaging, allowing cybercriminals to send thousands of fraudulent messages in a short time.
A new variant of the Mirai-based botnet malware, Aquabotv3, has been observed exploiting a command injection vulnerability (CVE-2024-41710) in Mitel SIP phones.
Lynx ransomware has emerged as a highly structured and sophisticated Ransomware-as-a-Service operation, demonstrating an industrial-scale approach to cybercrime. The group operates through a well-organized affiliate program, providing cybercriminals with access to a centralized panel that facilitates ransomware deployment, victim management, and data leak coordination.
One of the most common methods cybercriminals use involves exploiting open redirects, a vulnerability that allows attackers to manipulate website links to redirect users to malicious destinations without proper validation. Cofense found that multiple .gov domains were primarily used for credential phishing, with some hosting as many as nine different phishing campaigns simultaneously.
Rapid advancements in AI are revealing new possibilities for the way humans work and accelerating innovation in science, technology, and more. AI is at the cusp of revolutionizing security and defense. With capabilities to sift through complex telemetry, secure coding, improve vulnerability discovery, and modernize operations.
In December, 2024, PowerSchool, a K-12 cloud-based software provider serving over 60 million students and 18,000 customers worldwide, experienced a breach where attackers were able to gain unauthorized access to its customer support portal, PowerSource.
CVE-2024-40891 is a critical command injection vulnerability impacting Zyxel CPE Series devices. The vulnerability was initially disclosed by VulnCheck back in August 1, 2024. However, the vulnerability has not been officially published by Zyxel, nor have patches been released.
Cisco Talos researchers have released a new report detailing a surge in the number of email phishing threats leveraging “Hidden Text Salting” techniques which they observed in the second half of 2024. Hidden Text Salting refers to poisoning the HTML source of an email.
Salt Labs researchers have uncovered details of a now-patched account takeover vulnerability affecting a popular online travel service used for booking hotels and car rentals.
Since its inception in March 2023, the Akira has grown to be one of the most prolific ransomware groups out here. Akira operates under a Ransomware-as-a-service model wherein affiliates or other cybercriminals are hired to gain initial access to victim environments and deploy the group's ransomware strain, in exchange for a portion of the ransom paid by victims.
Apple has patched a use-after-free zero-day vulnerability (CVE-2025-24085) in the Core Media component that could enable a malicious application already installed on the device to elevate privileges.
In early January 2025, threat hunters from eSentire detected and analyzed an ongoing threat campaign that utilizes the malware loader, MintsLoader, to deliver secondary payloads that include the StealC information stealer and BOINC, a legitimate open-source network computing platform.
A newly discovered phishing campaign is targeting mobile users with advanced social engineering techniques and malicious PDF files, aiming to compromise sensitive information on a global scale.
Ransomware actors have increasingly targeted VMware ESXi bare-metal hypervisors, exploiting SSH tunneling to establish persistence, move laterally, and deploy ransomware payloads without detection.
Such a sophisticated intrusion was initiated in January 2024 with a user downloading and executing the malicious file named setup_wm.exe, masquerading as the Windows Media Configuration Utility, with an almost legitimate-looking filename and icon.
A malware campaign has specifically targeted low-skilled hackers, or "script kiddies," to steal data and take control of systems. CloudSEK researchers report that a threat actor distributed a trojanized XWorm RAT builder through platforms like GitHub, file hosting sites, Telegram channels, YouTube, and various websites, promoting it as a free tool.
Almost 1000 fake websites, discovered by the Sekoia researcher, “crep1x”, are being distributed by a threat actor to deliver malware that leads to the deployment of Lumma Stealer malware on the victim's machine.
Over the past six months, ransomware activity has escalated significantly, marked by the rise of new groups such as FunkSec, Nitrogen, and Termite, alongside the reappearance of Cl0p and the introduction of LockBit 4.0.
Threat actors are capitalizing on the recent news about Ross Ulbricht, founder of the infamous Silk Road marketplace, to trick users into downloading malware. Using fake, verified accounts on X (formerly Twitter), these actors direct unsuspecting users to Telegram channels masquerading as official portals for Ulbricht.
Cybercriminals have introduced a new malicious AI chatbot named GhostGPT, which is specifically designed to assist in creating malware, developing exploits, and crafting phishing emails. Researchers from Abnormal Security discovered that GhostGPT has been actively marketed and sold through Telegram since late 2024.
The FBI has warned that North Korean IT worker schemes are stealing data to extort their victims as part of efforts to generate revenue for the Democratic People's Republic of Korea (DPRK). The US intelligence agency confirmed it has observed North Korean IT workers engaging in this tactic over recent months.
CYFIRMA's Research and Advisory team uncovered a new ransomware strain while monitoring various underground forums. Dubbed “Nnice,” the strain is designed to target Windows systems and comes with advanced encryption techniques.
Salt Typhoon is identified by the United States Cybersecurity and Infrastructure Security Agency (CISA) as a state-sponsored threat actor that has successfully compromised at least nine telecommunications companies with headquarters in the United States, thus prioritizing government and political figures and very high-profile targets.
Cisco Product Security Incident Response Team (PSIRT) recently released patches for a critical privilege escalation vulnerability in Meeting Management, CVE-2025-20156, and a heap-based buffer overflow flaw, CVE-2025-20128, that can terminate the ClamAV scanning process on endpoints running a Cisco Secure Endpoint Connector.
SonicWall has released patches for a pre-authentication of untrusted data vulnerability impacting its SMA1000 Appliance Management Console and Central Management Console, which in specific conditions could enable remote unauthenticated actors to execute arbitrary OS commands.
Cybersecurity researchers at Specops are delivering a new report regarding a major password-related security issue. According to them, over 1 billion passwords were stolen by malware in 2024.
Cyble Threat Intelligence has discovered thousands of account credentials belonging to some major cybersecurity vendors on the dark web. Cyble researchers shared their findings on January 22nd, 2025, noting they found credentials for at least 14 security providers.
PlushDaemon, a newly identified China-aligned advanced persistent threat (APT) group, has been linked to a supply chain attack targeting a South Korean VPN provider in 2023, as revealed by ESET.
In 2024, 84% of healthcare organizations (HCOs) experienced cyber-attacks or intrusions, with account hijacking and phishing being the most prevalent threats, according to a Netwrix study.
Asif William Rahman, a 34-year-old former CIA analyst from Vienna, admitted to leaking highly classified information to people who didn't have clearance to see it.
The Ukrainian government's Computer Emergency Response Team (CERT-UA) has received several reports of unidentified actors falsely claiming to represent CERT-UA in an attempt to connect to victims' systems via AnyDesk.
On January 13, the Biden administration proposed the "Framework for Artificial Intelligence Diffusion," a landmark rule with far-reaching implications for global AI development. It threads a difficult needle: encouraging U.S. AI technology globally,
Researchers at Sophos have raised concerns about two ransomware groups employing social engineering tactics to gain remote access to corporate machines for data theft and extortion.
Trend Micro uncovered an IoT botnet in late 2024 and has been continuously monitoring its activity as it conducts large-scale distributed denial-of-service (DDoS) attacks. The attack commands sent from its C2 server have mainly targeted Japan, but Trend Micro has observed these attacks targeting various companies in different countries as well.
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions on two individuals and four entities tied to North Korea's extensive revenue-generation schemes that directly fund its weapons programs.
Cybersecurity researchers have uncovered a sophisticated phishing kit called Sneaky 2FA, specifically engineered to compromise Microsoft 365 accounts by stealing credentials and bypassing two-factor authentication (2FA). First identified in December 2024 by the French cybersecurity firm Sekoia, this adversary-in-the-middle (AitM) phishing kit has been linked to nearly 100 domains, reflecting its growing use among cybercriminals.
Consequently, it was found that GoDaddy, one of the major hosting service providers, had not taken proper security measures to protect the services since 2018. The FTC ordered GoDaddy to increase its security practices.
The Russian threat group Star Blizzard, formerly known as SEABORGIUM, has been linked to a new spear-phishing campaign targeting victims' WhatsApp accounts, marking a shift from its usual tactics to likely avoid detection.
A recently patched vulnerability, CVE-2024-7344 (CVSS 6.7), highlights a critical flaw in the Secure Boot mechanism for UEFI systems, potentially allowing attackers to bypass protections and execute unsigned malicious code during the boot process.
On Wednesday, 27 November 2024, Russian President Putin was on a 2-day state visit in Kazakhstan to discuss with local representatives the implementation of energy projects and to counter Chinese and Western influence. P
The North Korea-nexus APT, Lazarus Group, has been observed conducting a new cyber attack campaign dubbed Operation 99. This campaign targets software developers who are searching for freelance Web3 and cryptocurrency work to ultimately embed malware into the victim's environment.
On January 15, 2025, GuidePoint Security published findings from a Q4 2024 incident response involving a Python-based backdoor used by threat actors to maintain access to compromised systems. This access was leveraged to deploy RansomHub encryptors across the targeted network.
The U.S. Cybersecurity and Infrastructure Security Agency has released a new playbook providing detailed guidance for AI developers, providers, and adopters on how to voluntarily share cybersecurity information with federal agencies, private industry partners, and international stakeholders.
A new malvertising campaign is underway targeting individuals and businesses that use Google Ads for advertising. According to researchers at Malwarebytes, the scheme involves impersonating Google Ads to direct victims to fake login pages in an effort to capture as many advertiser accounts as possible.
As part of the January Microsoft Patch Tuesday, Microsoft addressed 159 flaws, including 8 zero-day flaws, 3 of which are actively being exploited in attacks in the wild.
According to the U.S. Department of Justice (DoJ), thousands of computers in the U.S. have been cleaned of a version of the "PlugX" malware, a sophisticated tool that has been used by Chinese state-sponsored hackers since 2014.
Fortinet revealed a security lag in one of its FortiOS and FortiProxy systems, CVE-2024-55591. Attacks began in November 2024, attacking before the vendor released fixes. Remote attackers can take control of the systems with super admin privileges by sending specially crafted requests to exploit the Node.js websocket module.
The ReliaQuest report stated that in the last quarter of 2024, ransomware had grown excessively, with 2024 showing a record high in victim counts of all months in December.
Cybersecurity researchers have identified infrastructure links between North Korean threat actors behind fraudulent IT worker schemes and a 2016 crowdfunding scam, highlighting Pyongyang's long-standing involvement in illicit financial activities.
The ransomware group Codefinger has been observed exploiting compromised AWS keys to encrypt data stored in Amazon S3 buckets, using AWS's Server-Side Encryption with Customer-Provided Keys, cybersecurity firm Halcyon reports.
CVE-2024-44243 represents a significant vulnerability in macOS that allows attackers to bypass System Integrity Protection (SIP) by exploiting improperly validated third-party kernel extensions. SIP, a security mechanism that restricts root-level access to critical system components, serves as a cornerstone of macOS's security framework.
Threat actors are targeting individuals searching for pirated or cracked software by using YouTube comments and Google search results to distribute infostealing malware like Lumma Stealer, Vidar, MarsStealer, and others.
Cloud security firm Wiz is currently responding to multiple incidents involving the active exploitation of a recently disclosed critical security flaw, CVE-2024-50603 impacting Aviatrix Controller cloud networking platform.
In mid-2024, Huntress identified cyber espionage activity targeting several Canadian organizations, which was attributed to the APT group RedCurl (also known as Earth Kapre or Red Wolf).
A recent investigation has revealed a highly sophisticated credit card skimmer malware targeting WordPress websites. This malware is designed to inject malicious JavaScript into database entries rather than traditional files like themes or plugins, allowing it to avoid detection by common file-scanning tools.
CrowdStrike has issued a warning about a phishing campaign targeting job seekers by impersonating the company. Discovered on January 7, 2025, the campaign involves fake job offer emails from a supposed CrowdStrike recruiter, thanking recipients for applying for a developer position.
Hackers responsible for a December 2024 ransomware attack on RIBridges, Rhode Island's health and benefits system, have released stolen files on the dark web.
he FunkSec ransomware group emerged in late 2024, quickly gaining attention by claiming over 85 victims in December, more than any other ransomware group during that period. Despite their rapid rise, analysis reveals that much of their activity may be overstated.
n December 2024, two critical vulnerabilities in Microsoft's Windows Lightweight Directory Access Protocol (LDAP) were addressed via Microsoft's monthly Patch Tuesday release.
The Banshee infostealer, a sophisticated malware targeting macOS systems, has been leveraging a stolen Apple encryption algorithm to evade detection by antivirus solutions.
UPDATE: Ivanti has issued an urgent warning about a critical zero-day vulnerability, CVE-2025-0282, which attackers exploited to install malware on Ivanti Connect Secure appliances.
Researchers have identified a rise in sophisticated phishing and malspam campaigns employing email spoofing, neglected domains, and social engineering to bypass traditional security measures.
SonicWall released a security bulletin on January 7, 2025, warning customers to upgrade their firewall's SonicOS firmware to patch an authentication bypass vulnerability in SSL VPN and SSH management that SonicWall deemed susceptible to in-the-wild attacks.
Threat actors are actively attempting to exploit CVE-2024-52875, a critical CRLF injection vulnerability in the GFI KerioControl firewall, which can lead to 1-click remote code execution (RCE) attacks.
A Mirai botnet variant has been observed exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the intention of conducting DDoS attacks.
Ivanti has issued an urgent warning regarding a critical remote code execution vulnerability, CVE-2025-0282, that is being actively exploited in zero-day attacks targeting Ivanti Connect Secure appliances.
A new phishing technique exploiting PayPal's money request feature has been identified in a recent advisory by Fortinet. This method uses legitimate-looking PayPal payment requests to deceive recipients, making them appear genuine and bypassing traditional email security checks.
Researchers at Cyfirma have discovered a new remote access trojan called NonEuclid, written in C#, which provides attackers with comprehensive control over compromised Windows systems.
The U.S. government has officially launched the U.S. Cyber Trust Mark, a cybersecurity safety label designed for Internet-of-Things (IoT) consumer devices.
In August, 2024 SonicWall addressed a critical improper access control flaw (CVE-2024-40766) in its SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash.
A malicious plugin recently discovered on a Russian cybercrime forum manipulates WordPress sites into phishing pages by creating fake online payment processes that impersonate trusted checkout services. This attack masquerades as a legitimate e-commerce app like Stripe to steal customer payment data and browser metadata.
Telegram disclosed that it fulfilled 900 requests from U.S. law enforcement in 2024, resulting in the sharing of phone numbers or IP addresses of 2,253 users. This represents a sharp increase from prior years, largely attributed to a significant policy shift in September 2024.
Moxa, a provider of industrial networking solutions, has issued an urgent advisory regarding two severe vulnerabilities affecting several models of its cellular routers, secure routers, and network security appliances.
The Salt Typhoon cyber-espionage campaign continues to escalate as Charter Communications, Consolidated Communications, and Windstream have been identified as the latest U.S. telecom companies breached by Chinese state-sponsored hackers, according to a report from The Wall Street Journal.
Kaspersky researchers recently identified a campaign being deployed against ISPs and governmental entities in the Middle East following their investigation into the EAGERBEE backdoor. T
Cybersecurity researchers have uncovered a new and sophisticated malware strain, PLAYFULGHOST, which exhibits a wide array of information-gathering capabilities, including keylogging, screen and audio capture, remote shell access, file transfer, and execution.
During the end-of-year holiday season, a series of distributed denial-of-service attacks severely disrupted operations across several major Japanese organizations, including leading airlines, financial institutions, and telecommunications providers.
ASUS has released security updates to address two high severity flaws impacting several of its router models.
On December 31, 2024, Tenable Nessus vulnerability scanner agents were taken offline due to a buggy differential plugin update that impacted users globally. This issue affected Nessus Agent versions 10.8.0 and 10.8.1 across the Americas, Europe, and Asia. Tenable has since pulled these faulty versions and released Nessus Agent version 10.8.2 to resolve the problem and restore agent functionality.
A new and sophisticated variation of clickjacking attacks, termed DoubleClickjacking, has been identified by cybersecurity expert Paulos Yibelo. This novel technique exploits the timing of double-click mouse actions to deceive users into performing sensitive operations on legitimate websites.
Researchers have discovered a malicious npm package, ethereumvulncontracthandler, masquerading as a library for detecting vulnerabilities in Ethereum smart contracts.
On January 2, 2025, NTT Docomo, Japan's largest mobile operator, experienced a DDoS (Distributed Denial of Service) attack that disrupted several services for nearly 12 hours.
Symantec has uncovered a new ransomware operation, dubbed Nitrogen, which has been notably active over the past four months. This group has targeted a wide range of industries, including construction, financial services, manufacturing, and technology.
Threat actors are actively exploiting a critical remote command injection vulnerability, tracked as CVE-2024-12856, in Four-Faith routers, specifically models F3x24 and F3x36. These devices are commonly deployed in critical sectors such as energy, utilities, transportation, telecommunications, and manufacturing, making the potential impact of exploitation significant. T
A phishing campaign has compromised at least 35 Chrome extensions, including those from cybersecurity firm Cyberhaven, where actors have injected malicious code into compromised extensions to steal user data.
The Lumma Stealer malware has experienced a significant rise in usage, with ESET reporting a 369% increase in detections during the second half of 2024. First discovered in 2022, Lumma has become one of the top ten most-detected infostealers, targeting high-value assets such as two-factor authentication browser extensions, user credentials, and cryptocurrency wallets.
Threat actors are actively exploiting a critical remote command injection vulnerability, tracked as CVE-2024-12856, in Four-Faith routers, specifically models F3x24 and F3x36.
A phishing campaign has compromised at least 35 Chrome extensions, including those from cybersecurity firm Cyberhaven, where actors have injected malicious code into compromised extensions to steal user data. I
December has continued to see targeted spearphish involving compromised mailboxes across Texas and Kentucky, as well as a massive surge in USPS phishing around the holidays.
Cybercriminals are increasingly combining traditional and new tactics to steal sensitive information, using remote access tools (RATs) like AsyncRAT and SectopRAT. Recent trends show attackers exploiting SEO poisoning, typosquatting, and legitimate remote monitoring software to breach systems.
Adobe has released some emergency security updates to address a critical ColdFusion vulnerability with proof-of-concept (PoC) exploit code. The company released an advisory on Monday, December 23, 2024, stating that the flaw, tracked as CVE-2024-53961 is caused by a path traversal weakness that impacts Adobe ColdFusion versions 2023 and 2021 and can enable attackers to read arbitrary files on vulnerable servers.
Security Researchers at IProov, a biometric threat intelligence service, have urged customer-facing businesses to improve their verification checks after they uncovered a large-scale identity data farming operation conducted by an unnamed underground group on the dark web.
The developers of Rspack, a popular high-performance JavaScript bundler written in Rust, have discovered that two of their npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack. This supply chain attack granted the attacker the capability to publish malicious versions of these packages to the official package registry.
A new phishing-as-a-service platform dubbed "FlowerStorm" is quickly gaining traction, stepping in to replace the now-defunct Rockstar2FA cybercrime service. Rockstar2FA, which was first documented by Trustwave in late November 2024, enabled large-scale adversary-in-the-middle (AiTM) attacks targeting Microsoft 365 credentials.
Cybercriminals are taking advantage of a newly discovered Microsoft Office vulnerability to deliver malware and gain access to systems. Researchers have found that attackers are sending out malicious Office documents that exploit the flaw, allowing them to run harmful code without the victim realizing it.
In a detailed report from Picus Security, the Volt Typhoon cyber espionage campaign has been exposed as one of the most advanced and stealthy operations targeting critical infrastructure and government organizations.
In a significant move against cybercrime, the U.S. Department of Justice has charged an Israeli-Russian national for allegedly developing software used by the notorious LockBit ransomware gang.
The LockBit ransomware group is signaling a potential comeback after a challenging period marked by a significant takedown in February 2024. On December 19, LockBitSupp, believed to be an administrator for the group, announced the forthcoming release of "LockBit 4.0," scheduled for February 3, 2025. T
The Lazarus Group, a North Korean state-sponsored threat actor, has been linked to sophisticated cyberattacks targeting employees of a nuclear-related organization in January 2024. These attacks used a complex infection chain culminating in the deployment of a new modular backdoor, CookiePlus.
Threat actors are actively exploiting a recently patched security flaw impacting Fortinet FortiClient EMS in a campaign that installs remote desktop software like AnyDesk and ScreenConnect. The vulnerability is tracked as CVE-2023-48788 (CVSS score: 9.8) and is an SQL injection bug that allows attackers to execute unauthorized code or commands by sending specially crafted data packets.
CISA is advising organizations to promptly patch a critical vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS).
In a report from Security Intelligence, it was found that 2024 saw several high-profile data breaches that highlighted critical vulnerabilities across industries. Among the most notable was a breach in the healthcare sector, where attackers targeted a major hospital network, compromising sensitive patient records, insurance information, and medical histories.
A report from the Canadian Centre for Cyber Security highlights the increasing sophistication of Iranian state-sponsored cyber campaigns, focusing on social engineering and spear-phishing techniques.
Google Calendar, a widely used scheduling tool with over 500 million users in 41 languages, has become a significant target for cybercriminals exploiting its features to conduct phishing campaigns. Researchers at Check Point uncovered an ongoing campaign affecting over 300 brands, with more than 4,000 phishing emails sent in just four weeks.
Recent research by Forescout's Vedere Labs sheds light on the mechanisms driving the rise of malware targeting operational technology and industrial control systems.
Google Calendar, a widely used scheduling tool with over 500 million users in 41 languages, has become a significant target for cybercriminals exploiting its features to conduct phishing campaigns. Researchers at Check Point uncovered an ongoing campaign affecting over 300 brands, with more than 4,000 phishing emails sent in just four weeks.
In a complex threat landscape undergoing constant evolution, targeted phishing campaigns have become more sophisticated due to attackers leveraging new techniques and analyzing the platform-specific behaviors of organizations' defenses they target.
Sublime Security recently reported that it was successfully able to intercept a phishing campaign targeting end users with Xloader malware. The attack begins with the victim receiving an email designed to resemble a legitimate SharePoint file-sharing notification.
The Trend Micro Managed Detection and Response (MDR) team analyzed a recent security incident in which a user was targeted by an attacker posing as an employee of a known client on a Microsoft Teams call to gain remote access to the victim's system.
The rise of generative AI has introduced advanced capabilities but also new security vulnerabilities, including prompt injection attacks. Traditionally, these attacks exploit how AI processes inputs, often requiring permissions for external interactions.
Unit 42 researchers recently investigated a sophisticated phishing campaign targeting European companies, particularly in Germany and the UK, with a focus on the automotive, chemical, and industrial compound manufacturing sectors.
UAC-0099, a cyber-espionage threat actor linked to advanced persistent threats (APTs), has been identified targeting organizations with sophisticated campaigns. According to a recent analysis by SOC Prime, UAC-0099 employs a combination of spear-phishing emails, malicious attachments, and advanced malware to infiltrate targeted networks.
A recent scan conducted by cybersecurity firm Bishop Fox uncovered 430,363 SonicWall publicly exposed firewall appliances. Among these, 25,485 SonicWall SSLVPN devices were found to be vulnerable to critical security flaws, while an additional 94,018 were vulnerable to high-severity issues.
The Securonix Threat Research team has been monitoring a new tax-related phishing campaign where threat actors leveraged MSC files and advanced obfuscation techniques to execute a stealthy backdoor payload. Securonix is tracking this activity as FLUX#CONSOLE and the adversary employs tax-themed social engineering lures.
The Mask, also known as Careto, is a highly sophisticated cyber espionage group that has been active since at least 2007, primarily targeting high-profile organizations such as governments, diplomatic entities, and research institutions.
Earth Koshchei (APT29/Midnight Blizzard) conducted a large-scale rogue RDP campaign in October 2024, targeting governments, military, think tanks, academic researchers, and Ukrainian entities. The group used spear-phishing emails containing malicious RDP configuration files that redirected victims' connections to rogue servers via 193 RDP relays.
Firefighters have issued an urgent warning about the fire hazards associated with lithium-ion battery-powered devices, a popular category of Christmas gifts, including e-bikes, e-scooters, and hoverboards.
On Monday, the FBI released an advisory warning of a new HiatusRAT malware campaign that is actively scanning for and infecting vulnerable Chinese-branded web cameras and DVRs that are exposed online.
Dragos has released its Q3 2024 Industrial Ransomware Analysis, which highlights a continued increase in ransomware attacks targeting industrial sectors, including manufacturing, energy, and transportation.
A high-severity Windows kernel vulnerability, identified as CVE-2024-35250, is currently being exploited in the wild. This flaw, stemming from an untrusted pointer dereference in the Microsoft Kernel Streaming Service (MSKSSRV.SYS), allows local attackers to escalate privileges to SYSTEM level without user interaction.
QiAnXin XLab researchers have uncovered the use of a new PHP backdoor named Glutton they have observed in a global campaign targeting China, the United States, Cambodia, Pakistan, and South Africa. The malicious activity was discovered in April 2024 and Glutton has been attributed to the Chinese nation-state group APT41 (Winnti) with moderate confidence. To the researchers' surprise, some of these Glutton attacks are part of targeted operations against cybercrime systems.
A recent campaign exploiting fake CAPTCHA pages has been identified as a sophisticated method to deliver malware through malvertising networks. Cybercriminals use these fake CAPTCHA pages to lure users into clicking on malicious links or downloading harmful files, under the guise of proving they are not bots.
The Clop ransomware gang has claimed responsibility for a series of recent data-theft attacks targeting Cleo's managed file transfer platforms—Harmony, VLTrader, and LexiCom—leveraging vulnerabilities to breach corporate networks and steal sensitive information.
A recent campaign exploiting fake CAPTCHA pages has been identified as a sophisticated method to deliver malware through malvertising networks. Cybercriminals use these fake CAPTCHA pages to lure users into clicking on malicious links or downloading harmful files, under the guise of proving they are not bots.
Threat actor MUT-1244, tracked by DataDog, has been conducting a widespread and multifaceted campaign targeting a range of individuals, including academics, security researchers, pentesters, red teamers, and even other threat actors. The group's primary goal is to steal sensitive data such as AWS access keys, WordPress credentials, private SSH keys, bash history, and other critical system information.
Corvus Insurance reported a surge in ransomware attacks in November 2024, with 632 victims being listed on ransomware groups' data leak sites. This number is more than double the monthly average of 307 victims and exceeds the previous peak of 528 victims recorded in May 2024.
IOCONTROL is a custom-built IoT/OT malware linked to Iranian state-sponsored threat actors, specifically the CyberAv3ngers group. It targets critical infrastructure in Israel and the United States, including routers, IP cameras, firewalls, PLCs, HMIs, and fuel management systems such as Orpak and Gasboy devices.
Elastic Security has discovered a new Linux rootkit called Pumakit. This rootkit uses stealth and sophisticated privilege escalation techniques to maintain persistence on compromised systems.
Two Russian hacktivist groups, the People's Cyber Army (PCA) and Z-Pentest, have intensified their attacks on critical infrastructure in the U.S. and allied nations.
As the holiday shopping season intensifies, UK consumers are increasingly frustrated by the prevalence of bots that snap up popular items before human shoppers have a chance.
In October, Cleo patched a remote code vulnerability (CVE-2024-50623) in its LexiCom, VLTrader, and Harmony software, which is commonly used to manage file transfers. However on December 3, Huntress identified actors targeting fully patched Cleo software.
EagleMsgSpy is a newly identified Android surveillance tool reportedly employed by Chinese law enforcement agencies to conduct targeted monitoring and tracking of individuals.
Prometheus is a popular monitoring tool used extensively in DevOps and cloud-native environments. However, the default configurations often prioritize accessibility over security, leaving systems vulnerable to exploitation.
AWS Single Sign-On (SSO) access tokens are critical credentials used for authenticating users to AWS resources. If these tokens are exposed or mishandled, they can be exploited by threat actors to assume the identity of legitimate users, bypassing standard authentication mechanisms.
Zscaler's ThreatLabz team has uncovered a new version of ZLoader (2.9.4.0), that features an interactive shell for hands-on keyboard activity and a Domain Name System tunnel for C2 communications.
The Shiny Nemesis Cyber Operation highlights a highly sophisticated campaign targeting misconfigured public websites, predominantly hosted on AWS, to exploit vulnerabilities and gain unauthorized access to sensitive data, credentials, and proprietary resources.
Earlier this year, a large U.S. organization with operations in China experienced a targeted cyberattack attributed to China-based threat actors, likely for intelligence gathering.
Yesterday, Ivanti released a security advisory regarding a new maximum-severity authentication bypass flaw in Ivanti's Cloud Services Appliance (CSA) solution. The critical vulnerability is tracked as CVE-2024-11639 and was reported to Ivanti by CrowdStrike's advanced research team.
As part of the December Patch Tuesday, Microsoft addressed 71 flaws, including a zero-day vulnerability which is actively being exploited in attacks in the wild. Of the 71 flaws, there were 27 elevation of privilege vulnerabilities, 30 remote code execution vulnerabilities, 7 information disclosure vulnerabilities, 5 denial of service vulnerabilities, and 1 spoofing vulnerabilities.
Senator Ron Wyden has introduced a new bill aimed at bolstering the security of U.S. telecommunications infrastructure in the wake of recent hacks by the Salt Typhoon cyber espionage group.
AhnLab Security Intelligence Response Center (ASEC) has released a new blog post uncovering threat actors exploiting a critical Apache ActiveMQ vulnerability, CVE-2023-46604, to deploy Mauri ransomware in attacks most recently against Korean systems.
Huntress researchers have reported active exploitation of a vulnerability (CVE-2024-50623) in Cleo's file transfer software—Harmony, VLTrader, and LexiCom.
A suspected China-linked cyber espionage group targeted major business-to-business IT service providers in Southern Europe as part of a campaign known as Operation Digital Eye, according to a joint report by SentinelOne SentinelLabs and Tinexta Cyber.
A recently uncovered phishing campaign has revealed a new tactic employed by cybercriminals involving fake recruiters targeting unsuspecting victims.
Ukraine's Computer Emergency Response Team (CERT-UA) has issued a warning about a new wave of phishing attacks targeting the country's defense sector, including both defense companies and security forces.
Ukraine's Computer Emergency Response Team (CERT-UA) has issued a warning about a new wave of phishing attacks targeting the country's defense sector, including both defense companies and security forces.
In early October 2024, Rapid7 witnessed a resurgence of activity related to an ongoing social engineering campaign being conducted by Black Basta ransomware operators. This activity was initially reported on by Rapid7 and has been ongoing since at least May 2024.
Mandiant has identified an innovative method to bypass browser isolation technology by leveraging QR codes for command-and-control operations. Browser isolation is a security approach that routes web requests through remote browsers hosted in the cloud, virtual machines, or on-premises environments.
Researchers at Bitsight has identified a malicious botnet called Socks5Systemz, which powers the proxy service PROXY.AM. This malware enables other criminal activities by providing threat actors with anonymous proxy services, leveraging compromised systems as proxy exit nodes.
Generative Artificial Intelligence (AI) has paved the way for criminals to commit fraud at a scale larger than ever before. “Generative AI reduces the time and effort criminals must expend to deceive their targets.
U.S. authorities have arrested 19-year-old Remington Goy Ogletree, a key member of the Scattered Spider cybercrime gang, for breaching a U.S. financial institution and two telecommunications firms.
BlueAlpha, a Russian state-sponsored APT group, has recently refined its malware delivery techniques by abusing Cloudflare Tunnels to distribute its proprietary GammaDrop malware.
Cybersecurity researchers at WatchTowr Labs have released a PoC exploit that chains together a recently patched critical vulnerability impacting Mitel MiCollab, CVE-2024-41713, and an arbitrary file read zero-day vulnerability that requires authentication to exploit.
On December 4, 2024, the ransomware group Brain Cipher publicly claimed responsibility for a breach allegedly targeting Deloitte UK.
According to Citizen Lab, a concerning incident has surfaced where devices confiscated by Russian authorities were returned to their owners with Monokle-type spyware installed. Monokle, a highly advanced spyware tool, is capable of extracting sensitive data such as contact lists, messages, and login credentials, while also intercepting communications and remotely activating device cameras and microphones.
Cado Security Labs recently uncovered a DocuSign spear-phishing campaign targeting tech executives. These campaigns mimic authentic DocuSign communications, luring recipients to input their credentials on fraudulent websites.
Secret Blizzard, a Russian state-sponsored advanced persistent threat group attributed to Center 16 of the FSB, has developed a unique strategy of leveraging tools and infrastructure from other threat actors to enhance its espionage operations.
According to Symantec, they found evidence that a large US organization with a quote-unquote significant presence in China was targeted by China-nexus threat actors earlier this year and was subjected to a four-month-long intrusion where persistence was established on the organization's network seemingly for intelligence gathering purposes.
The manufacturing industry is increasingly targeted by cybercriminals leveraging sophisticated malware campaigns involving Lumma Stealer and Amadey Bot. This attack campaign primarily exploits phishing emails with malicious attachments to infiltrate organizational systems.
The Chinese cyber-espionage group known as Salt Typhoon has significantly broadened its activities, targeting U.S. telecommunications networks with a strategy that extends beyond previously understood objectives.
Microsoft has warned that a recent premature patch could cause issues with the "Recall" feature in Windows, potentially rendering it unable to function properly. The bug, which emerged after the update was rolled out, could lead to a loss of essential data recall functions, disrupting workflows for many users.
Mikhail Matveev, known in the cybercriminal world by the aliases "Wazawaka" and "Boriselcin," has been a prominent figure in several ransomware groups responsible for extorting hundreds of millions of dollars from various sectors, including healthcare, education, government agencies, and private enterprises.
Researchers have disclosed a PoC exploit for CVE-2024-8785, a critical remote code execution vulnerability in Progress WhatsUp Gold, a widely used enterprise network monitoring tool.
Researchers at Trend Micro have observed a significant evolution in the behavior of the Gafgyt malware, which has expanded its targeting scope from vulnerable IoT devices to misconfigured Docker Remote API servers.
A known threat actor in the Malware-as-a-Service business, Venom Spider, has expanded the capabilities of their MaaS platform with a new backdoor and loader malware.
SmokeLoader, which has been around since 2011, is a malware loader that's still being actively used by cybercriminals. Recently, it's been found exploiting outdated vulnerabilities in Microsoft Office documents, particularly old DOC and XLS files.
Researchers at the South Korean cybersecurity company Genians have uncovered a series of email phishing attacks originating from Russian sender addresses that they link to the North Korea-aligned APT, Kimsuky. According to Genians researchers, the phishing emails were delivered through email services in Japan and Korea up until early September.
The Social Design Agency, recently accused by the US government of operating the "Doppelgänger" malign influence campaign, is now running a parallel effort called "Operation Undercut."
Cybersecurity researchers have uncovered malicious email campaigns using a sophisticated phishing-as-a-service toolkit called Rockstar 2FA, designed to steal Microsoft 365 account credentials.
Researchers have disclosed significant vulnerabilities in Palo Alto Networks GlobalProtect and SonicWall SMA100 NetExtender VPN clients for Windows, macOS, and Linux, which could enable attackers to execute remote code and gain elevated access.
A newly uncovered malware campaign, Horns&Hooves, primarily targets private users, retailers, and service businesses in Russia to deploy NetSupport RAT and BurnsRAT.
In September 2024, Fortinet researchers observed a sophisticated phishing attack that utilized SmokeLoader malware to target organizations in Taiwan. SmokeLoader is notorious for conducting attacks against manufacturing, healthcare, information technology, and other critical sectors.
On November 21, 2024, a ransomware attack on Blue Yonder, an Arizona-based supply chain management and cloud services provider, disrupted operations for major clients, including Starbucks, U.K. grocery chain Sainsbury, and potentially Ford.
APT-C-60, the moniker assigned to a South Korea-aligned cyber espionage group, has been linked to a cyber attack targeting an unnamed organization in Japan.
CISA has received recent evidence of threat actors actively exploiting an RCE vulnerability in some SSL VPN products from Array Networks. The products affected are Array Networks AG and vxAG ArrayOS.
Trend Micro has uncovered a new spear-phishing campaign targeting individuals as well as organizations in Japan since at least June 2024.
CyberVolk, also referred to as Gloriamist, is a pro-Russian hacktivist group that emerged in May 2024 and quickly evolved from conducting distributed denial-of-service attacks and website defacements to launching ransomware campaigns.
83% of Organizations Reported Insider Attacks in 2024
The Russia-aligned threat actor RomCom has been linked to the exploitation of two critical zero-day vulnerabilities, one in Mozilla Firefox (CVE-2024-9680, CVSS 9.8) and the other in Microsoft Windows (CVE-2024-49039, CVSS 8.8), as part of a sophisticated campaign to deliver their eponymous backdoor malware.
Google has uncovered a sophisticated pro-China influence network operated by four public relations firms, collectively tracked as "GlassBridge." Active since at least 2022, this network has leveraged deceptive online tactics to spread Chinese state narratives to international audiences.
Surefire Cyber has identified SafePay as a rising ransomware operator, demonstrating advanced capabilities in infiltrating networks and encrypting data. The group is known for targeting organizations across multiple industries and operates with remarkable speed and stealth.
In November, we observed an increase in spear phishing attempts clicked by our user base using discreet redirect tactics. However, this report will focus on a rise in social media phishing, specifically aimed at Instagram accounts.
In November, we observed an increase in spear phishing attempts clicked by our user base using discreet redirect tactics. However, this report will focus on a rise in social media phishing, specifically aimed at Instagram accounts. Here are some examples and highlights.
Trellix researchers have discovered a new threat campaign that leverages the Bring Your Own Vulnerable Driver (BYOVD) technique to disarm security protections and perform operations on the infected system.
Two malicious Python packages, "gptplus" and "claudeai-eng," posed as tools for API integration with popular AI chatbots like OpenAI's GPT-4 Turbo and Anthropic's Claude, but instead delivered a newly documented infostealer called "JarkaStealer."
Russian state-sponsored hackers APT28 (also known as Fancy Bear, Forest Blizzard, and Sofacy) executed a sophisticated breach of a U.S. company's enterprise WiFi network, leveraging an innovative technique termed the "nearest neighbor attack."
A phishing campaign targeting telecommunications and financial sectors was identified in October 2024 by EclecticIQ analysts. The attackers utilized Google Docs to deliver phishing links, which redirected victims to fake login pages hosted on Weebly, a trusted website builder.
ESET researchers have identified multiple samples of a new Linux-based malware backdoor named WolfsBane, attributed to the Gelsemium group with high confidence by ESET. This malware acts as a Linux counterpart to the previously identified Gelsevirine, showing the group's growing interest in cross-platform capabilities.
Email attacks are intensifying in the manufacturing sector, with phishing and business email compromise attacks surging as cybercriminals exploit the industry's low tolerance for downtime.
A helpline service established to assist victims of Yakuza-related crimes has come under scrutiny following reports of a potential data breach.
According to Bitdefender, 77% of Black Friday-themed spam emails in 2024 have been identified as scams, highlighting a 7% rise in the proportion of spam emails identified as scams compared to Black Friday 2023, and a 21% increase compared to 2022.
The US and Australian governments have issued a joint advisory warning critical infrastructure organizations about evolving tactics used by the BianLian ransomware group, a Russia-linked cybercriminal organization.
Lumma Stealer is a sophisticated and fast-spreading information-stealing malware, primarily distributed through Telegram channels disguised as cracked software.
While creating an automatic credential validation system for Fortinet VPN, Pentera says it uncovered a bug that actors can exploit to potentially compromise the security of dozens of organizations. Initially, to automate the validation of credentials, Pentera attempted to use clients like OpenConnect to establish a connection, but this approach proved unreliable.
Security researchers at SentinelOne have provided a new analysis of components of the broader DPRK fake IT worker scheme. This scheme involves the Democratic People's Republic of Korea (DPRK) impersonating U.S.-based software and technology consulting businesses in order to further their financial objectives.
Apple recently released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have come under active exploitation according to Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group (TAG) who discovered the flaws.
Earth Kasha, a cyber threat group tracked by Trend Micro, has been active since 2019, leveraging the LODEINFO malware to target organizations in Japan.
The NSOCKS botnet, underpinned by the ngioweb malware, has emerged as a major player in the cybercrime ecosystem, driving criminal proxy services like VN5Socks and Shopsocks5.
CrowdStrike has identified a previously unknown Chinese cyber espionage group, Liminal Panda, which has been active since at least 2020 and is believed to be behind cyber intrusions targeting telecom providers.
According to Semperis' new report, 2024 Ransomware Holiday Risk, ransomware gangs often strike when defenses are the weakest. Semperis conducted a global study of 900 IT and security professionals.
Helldown, a ransomware strain derived from the leaked LockBit 3.0 codebase, has been expanding its operations, with researchers recently identifying a Linux variant. This development indicates the group's growing focus on targeting virtualized infrastructures, such as VMware. First documented in August 2024, Helldown has been described as an aggressive ransomware group targeting sectors like IT services, telecommunications, manufacturing, and healthcare.
Proofpoint has observed a significant rise in the use of the ClickFix social engineering technique, a deceptive method that tricks users into executing malicious PowerShell commands. Initially linked to campaigns by TA571 and the ClearFake threat cluster, the technique has now become a favorite across multiple financially motivated and espionage-focused threat actors.
In July 2024, the operational technology (OT)-centric malware FrostyGoop/BUSTLEBERM became publicly known, after attackers used it to disrupt energy infrastructure for over 600 apartment buildings, leaving people without heat for 2 days in Lviv in April 2024 due to an ICS attack on a municipal energy company.
Between November 13 and 14, 2023, researchers at Cyberint observed a significant increase in activity from the Akira ransomware group, which listed over 30 victims on its data leak site.
Today, as part of National Critical Infrastructure Security and Resilience Month, the National Counterintelligence and Security Center (NCSC) and the Cybersecurity and Infrastructure Security Agency (CISA) released new guidance to help detect and mitigate efforts by foreign intelligence entities to harm or disrupt U.S. critical infrastructure.
According to a blog post by Istvan Marton from Wordfence, over 4 million WordPress sites are exposed to a critical authentication bypass vulnerability in the Really Simple Security plugin for WordPress that can be leveraged to grant an unauthenticated adversary remote administrative access to vulnerable sites.
Palo Alto Networks is aware of active exploitation attempts in the wild leveraging an authentication bypass vulnerability impacting its PAN-OS firewall management interface.
In a recent analysis by Palo Alto Networks' Unit 42, a North Korean hacker group identified as CL-STA-0237 has been connected to a series of phishing attacks using the BeaverTail malware.
Over 1 million domains have been identified as potentially vulnerable to "Sitting Ducks" attacks, a cyber threat that exploits DNS misconfigurations, particularly lame delegation. This misconfiguration occurs when domains mistakenly point to incorrect authoritative name servers, allowing attackers to hijack domains.
Cisco Talos uncovered a new information-stealing campaign orchestrated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia. The campaign leverages a novel Python-based malware dubbed PXA Stealer, designed to exfiltrate sensitive data from victims' systems.
SentinelOne's recent report, The State of Cloud Ransomware in 2024, highlights an increasing trend in ransomware actors exploiting cloud services to directly compromise their victims or exfiltrate sensitive data.
Modern communications networks, particularly those driven by 5G technology, are increasingly relying on Artificial Intelligence (AI) to boost performance, improve reliability, and ensure security. As these networks evolve, AI plays an essential role in real-time data processing, predictive maintenance, and optimizing traffic management.
Global Navigation Satellite Systems (GNSS), which include the U.S. GPS, Russian GLONASS, European Galileo, Chinese BeiDou, Indian NavIC, and Japanese Quazi-Zenith, serve as critical infrastructure providing essential positioning, navigation, and timing (PNT) services for a wide array of industries such as telecommunications, agriculture, finance, banking, transportation, and mobile communications.
On November 14, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation of two critical vulnerabilities in Palo Alto Networks' Expedition firewall configuration migration tool: CVE-2024-9463 and CVE-2024-9465. These vulnerabilities, with CVSS scores of 9.9 and 9.3 respectively, pose significant risks to affected systems.
On Tuesday, Microsoft released a security patch for a NTLM hash disclosure spoofing vulnerability (CVE-2024-43451) that could exploited to steal a user's NTLMv2 hash. The vulnerability requires minimal user interaction and is exploited by generating a malicious URL file that can be activated through seemingly harmless actions.
The Hamas-affiliated threat group WIRTE, part of the Gaza Cyber Gang, has escalated its cyber operations, moving from espionage to destructive attacks aimed at Israeli entities. According to Check Point, this shift reflects WIRTE's use of recent geopolitical events, specifically the Israel-Hamas conflict, to craft targeted cyber campaigns.
In November 2024, IBM X-Force observed an ongoing Hive0145 campaign targeting Europe, specifically Spain, Germany, and Ukraine using Strela Stealer malware, a credential-theft tool delivered through highly tailored phishing emails. These emails, posing as legitimate invoice notifications, utilize previously compromised email credentials to blend seamlessly into legitimate email traffic.
CISA and the FBI released a joint statement on November 13, 2024, confirming that PRC-affiliated threat actors have compromised the "private communications" of a "limited number" of government officials after breaching multiple U.S. broadband providers in a broad and significant cyber espionage campaign.
SlashNext researchers recently uncovered a new phishing tool called GoIssue, which allows threat actors to extract email addresses from GitHub profiles and send bulk emails to users. Advertised on cybercriminal forums, GoIssue is priced at $700 for a custom build or $3,000 for full source code access.
Iranian threat actor TA455, affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), has been conducting a sophisticated cyber espionage campaign that mirrors North Korea's “Dream Job” tactic.
Romanian cybersecurity company Bitdefender has developed a free decryptor for ShrinkLocker ransomware victims, offering a way to recover data encrypted by the malware. This decryptor was created after Bitdefender analyzed ShrinkLocker's mechanisms and identified a recovery opportunity right after the removal of BitLocker protectors.
Perception Point researchers published a blog post on November 11, 2024, regarding an observed dramatic increase in two-step phishing attacks targeting hundreds of organizations by leveraging Microsoft Visio's .vsdx files. By weaponizing .vsdx files rarely used in phishing attacks, the adversary exploits user trust in the reputation of Microsoft and concurrently adds a new layer of deception designed to evade detection.
According to a recent report by Group-IB, the Lazarus APT group has started attempting to smuggle code utilizing custom extended attributes, which are metadata associated with files and folders in various file systems. Extended attributes allow users to store additional information beyond standard metadata like file size, timestamps, and permissions.
The US government's Consumer Financial Protection Bureau (CFPB) has advised employees to avoid using cellphones for work after China-linked APT group Salt Typhoon breached major telecom providers. The CFPB, established in 2011 to protect consumers in the financial sector and promote fair, transparent markets, issued a directive urging employees to limit phone use and rely on Microsoft Teams and Cisco WebEx for meetings involving nonpublic data.
Researchers at WatchTowr have disclosed new vulnerabilities in Citrix Virtual Apps and Desktops, particularly affecting the Session Recording component, which administrators use to monitor and record user sessions. These security flaws could potentially allow unauthenticated remote code execution, presenting a serious threat to affected systems.
Ymir, a relatively new ransomware family, has been observed by researchers at Kaspersky encrypting systems that were previously compromised by RustyStealer, an infostealer malware first documented in 2021. Ymir ransomware initiated operations in July 2024 and is known for its in-memory execution, use of PDF files as ransom notes, and extension configuration options.
North Korean-linked threat actors have started embedding malware in applications built using Flutter, a cross-platform development framework, specifically to target Apple macOS devices—a first for this adversary.
AndroxGh0st, a Python-based cloud attack tool that's known for its targeting of Laravel applications with the goal of sensitive data pertaining to services like Amazon Web Services, is being utilized in a campaign exploiting a larger set of security flaws only impacting internet-facing applications.
Cybersecurity firm Malwarebytes is warning of hackers using stolen session cookies to bypass multi-factor authentication (MFA) and take over email accounts. “When you log in and the server has verified your authentication—straight away or after using MFA–the server creates a session and generates a unique session ID.
Fortinet's FortiGuard Labs recently identified a phishing campaign delivering a new Remcos RAT variant through a malicious Excel document attached to a phishing email. The attack starts with a convincing email that includes the Excel file, disguised as an order form to lure the recipient into opening it.
CosmicBeetle, also known as NoName, is a ransomware-as-a-service (RaaS) operation that has been active since 2020. This group is known for exploiting known vulnerabilities, such as EternalBlue (CVE-2017-0144), and the Zerologon vulnerability (CVE-2020-1472) to infiltrate systems.
In November 2023, a security vendor discovered that North Korean threat actors were using the Contagious Interview and WageMole campaigns to procure remote employment opportunities in Western countries, thus evading the financial sanctions against North Korea (DPRK).
On October 31, 2024, telematics provider Microlise disclosed it suffered from a cyberattack that disrupted tracking services for clients like DHL, a global logistics and shipping company, and Serco, a company that manages the transport of prisoners for the Ministry of Justice in the United Kingdom.
Since July 2024, the "CopyRightadamantys" phishing campaign has been exploiting copyright infringement themes to trick victims into downloading a new version of the Rhadamanthys information stealer. Tracked by cybersecurity firm Check Point, this large-scale operation spans the U.S., Europe, East Asia, and South America.
Cybersecurity experts recently uncovered a malicious package on PyPI, "fabrice," which has been secretly stealing AWS credentials from developers since its launch in March 2021.
SentinelLabs has identified a new multi-stage malware campaign, named "Hidden Risk", attributed to the North Korean state-backed threat actor BlueNoroff, which targets businesses in the cryptocurrency industry.
Cleafy's Threat Intelligence team witnessed a significant spike in malicious activity utilizing a new Android malware sample in late October 2024. Initially classified as TgToxic malware, this malware sample was further analyzed and although it has similar bot commands with TgToxic, the code differs greatly in that many TgToxic capabilities are absent and some commands act as placeholders for unimplemented modules, leading Cleafy to classify this malware as a new family called ToxicPanda.
The GoZone ransomware, a new strain identified by SonicWall researchers, targets victims with a relatively low ransom demand of $1,000 in Bitcoin for file decryption. Written in Go, it employs Chacha20 and RSA algorithms to encrypt files, appending a ".d3prU" extension to signal compromise.
Summary: On Tuesday, Interpol announced the takedown of more than 22,000 malicious IP addresses or servers linked to cyber threats, as part of a coordinated operation involving private sector partners and law enforcement agencies from 95 INTERPOL member countries.
ClickFix is a new social engineering tactic that uses deceptive error messages to prompt users into executing malicious code, allowing attackers to infiltrate their devices.
In the first half of 2024, ransomware activity continued to surge, with 75 active ransomware groups and 2,260 organizations falling victim—marking a 24.5% increase compared to H1 2023. LockBit's resurgence in May, following Operation CRONOS, was a significant contributor to this spike.
As part of the November Security updates, Google addressed a total of 51 vulnerabilities, two of which are actively being exploited in attacks in the wild.
Canadian authorities have detained Alexander "Connor" Moucka in connection with an extensive data breach campaign that compromised sensitive information from hundreds of millions of individuals.
Pakistan's APT36 threat group has been observed by Check Point Research utilizing a new and improved ElizaRAT malware in a growing number of successful attacks against Indian government agencies and military entities in the past year.
Researchers at Securonix recently uncovered a sophisticated phishing campaign where attackers trick Windows users into launching a custom Linux virtual machine (VM) with a pre-configured backdoor.
“In 2023, organizations were hit hard by cyberattacks, many of which exposed serious weaknesses in security practices. One of the biggest issues was how patching and vulnerability management was handled. I
LastPass, a popular password manager software, is currently facing an ongoing phishing campaign targeting its users. Cybercriminals are writing fake reviews on the Chrome Web Store for the LastPass extension, promoting a fraudulent customer support phone number: 805-206-2892.
Cybersecurity firm Rapid7 recently shed light on a Microsoft SharePoint remote code execution vulnerability (CVE-2024-38094) which is actively being exploited in attacks in the wild to gain initial access to corporate networks.
Cybercriminals have adopted a sophisticated approach by exploiting DocuSign's API capabilities to send convincing fake invoices that appear to come from reputable companies like Norton Antivirus.
The Interlock ransomware, a relatively new threat that emerged in late September 2024, has been targeting organizations worldwide with a distinctive tactic: it uses an encryptor specifically designed for FreeBSD servers.
The Passion group, which has established connections with notorious hacktivist collectives such as Killnet and Anonymous Russia, has recently emerged as a significant player in the cyber threat landscape by offering DDoS-as-a-Service specifically tailored for pro-Russian hacktivists.
Cisco Talos has identified an ongoing phishing campaign targeting Facebook business and advertising account users in Taiwan since at least July 2024. The campaign leverages social engineering tactics to deceive victims into downloading and executing malware.
The landscape of autonomous systems, particularly in the realms of drones and robotics, has undergone transformative advancements in recent years. These technologies have enhanced operational efficiency and capability across a multitude of sectors, ranging from agriculture and logistics to national defense and emergency response.
U.S. and Israeli cybersecurity agencies have recently linked the Iranian cyber group Emennet Pasargad, now operating under the alias Aria Sepehr Ayandehsazan, to sophisticated cyber operations targeting the 2024 Summer Olympics.
Microsoft has shed light on a botnet dubbed CovertNetwork-1658, aka xlogin and Quad7 (7777), which has enabled Chinese threat actors to steal credentials in highly evasive password spray attacks.
Researchers recently disclosed the Xiū gǒu phishing kit, which has been operational since at least September 2024 in campaigns targeting Australia, Japan, Spain, the U.K., and the U.S. Xiū gǒu is a sophisticated phishing toolkit responsible for over 2,000 phishing websites aimed at various industries, including government, postal services, digital services, and banking.
Trend Micro researchers identified a complex attack exploiting the Atlassian Confluence vulnerability CVE-2023-22527, allowing attackers to achieve remote code execution (RCE) to install cryptomining software on compromised systems using the Titan Network.
QNAP recently published security updates to address two critical zero-day flaws impacting its network-attached storage (NAS) devices, which were exploited by security researchers during the Pwn2Own hacking contest in Ireland last week.
French internet service provider Free has publicly disclosed a significant cyber attack that has compromised certain personal information of its customers. As the second-largest ISP in France, with over 22.9 million mobile and fixed subscribers, Free plays a crucial role in the country's telecommunications landscape.
Strela Stealer, a malware originally identified by the German cybersecurity organization DCSO in late 2022, is an information stealer primarily designed to exfiltrate email account credentials from email clients like Microsoft Outlook.
A critical Remote Code Execution vulnerability in CyberPanel exposed over 22,000 instances online, leading to a large-scale PSAUX ransomware attack that took most affected servers offline. This vulnerability affects CyberPanel versions 2.3.6 and likely 2.3.7 and includes three significant flaws: defective authentication, command injection, and a security filter bypass.
The North Korean APT group Andariel, linked to the Reconnaissance General Bureau, was found to be associated with the Play ransomware operation, likely acting as an affiliate or initial access broker. In May 2024,
Yesterday, the FBI issued an advisory warning about scammers exploiting the 2024 US General election to scam individuals across the United States. The agency has identified four different schemes employed by these fraudsters.
This is a sophisticated campaign with a large scope and it utilizes the commonly used Facebook software as an avenue for initial access. The TA has the infrastructure to impersonate ads for essentially any commonly used software. This malware has the capability to evade AV detection. The possibility of legitimate business accounts being utilized to propagate the malware further, highlights the severity of the threat.
The "EmeraldWhale" campaign, a large-scale malicious operation, has reportedly scanned for exposed Git configuration files, compromising over 15,000 cloud account credentials across thousands of private repositories.
Cybersecurity experts at Proofpoint have reported a concerning rise in online job scams targeting financially vulnerable individuals, especially those seeking remote or flexible work.
Russian threat group UNC5812 has launched a complex espionage and influence campaign targeting Ukrainian military recruits, deploying malware for both Windows and Android devices.
The Canadian Centre for Cyber Security (Cyber Centre) recently stated that a sophisticated Chinese state-sponsored threat actor has performed reconnaissance scanning against numerous domains in Canada.
Evasive Panda, a China-aligned APT group, has been observed utilizing a post-compromise toolset named CloudScout to target government and religious institutions in Taiwan between 2022 and 2023.
Several vulnerabilities have been identified in the Realtek SD card reader driver, RtsPer[.]sys, impacting a broad range of laptops from major brands.
Researchers at ReliaQuest have uncovered a new social engineering technique employed by Black Basta ransomware actors to gain an initial foothold into victim environments. Previously, these actors would overwhelm users with email spam, prompting recipients to create a legitimate help-desk ticket to resolve the issue. From here, Black Basta operators would then contact the end user, posing as the help desk to respond to the ticket. I
The notorious cryptojacking group TeamTNT is gearing up for a large-scale attack campaign targeting cloud-native environments. This new effort focuses on exploiting exposed Docker daemons to deploy the Sliver malware, cryptominers, and a cyber worm. TeamTNT uses compromised Docker servers and Docker Hub as their infrastructure to spread the malware.
Fog and Akira ransomware groups are actively exploiting a critical vulnerability, CVE-2024-40766, in SonicWall SSL VPNs to gain unauthorized access to corporate networks. This flaw, found in SonicOS, affects access controls within SSL VPNs, allowing attackers to bypass security and compromise networks remotely.
A recent surge in phishing activity has been identified by Netskope Threat Labs, with a 10-fold increase in traffic directed towards phishing pages built using Webflow. These campaigns target a range of information, including login credentials for various crypto wallets (Coinbase, MetaMask, Phantom, Trezor, Bitbuy), company webmail platforms, and even Microsoft365 credentials.
The Dutch National Police, in coordination with the FBI and other international agencies, have dismantled the network infrastructure supporting the Redline and Meta infostealer malware operations in an effort known as "Operation Magnus." This disruption serves as a direct warning to cybercriminals that their data is now in the hands of law enforcement.
LinkedIn, Microsoft's professional social network, serves as a vital hub for job recruiters and seekers. Unfortunately, it's also becoming a fertile ground for cybercriminals targeting unsuspecting users. Like other social platforms, LinkedIn is rife with bots that respond to specific keywords or hashtags such as "I was laid off" or "#opentowork."
In June 2024, Aqua Security discovered a security vulnerability in the AWS Cloud Development Kit (CDK), an open-source tool for building cloud infrastructure. This vulnerability could potentially allow attackers to gain administrative access to a target AWS account, allowing account hijacking for executing malicious code.
Amazon recently seized domains used by APT 29, a Russian state-backed actor, in a mass email phishing campaign targeting government agencies, enterprises, and militaries. The campaign which was initially identified and disclosed by Ukraine's Computer Emergency Team (CERT-UA),
LinkedIn, Microsoft's professional social network, serves as a vital hub for job recruiters and seekers. Unfortunately, it's also becoming a fertile ground for cybercriminals targeting unsuspecting users. Like other social platforms, LinkedIn is rife with bots that respond to specific keywords or hashtags such as "I was laid off" or "#opentowork."
UnitedHealth has confirmed that over 100 million individuals had their personal and healthcare data stolen in the Change Healthcare ransomware attack, marking it as the largest healthcare data breach in recent years. CEO Andrew Witty previously warned that "maybe a third" of all Americans' health data was compromised.
A newly enhanced version of the Qilin (Agenda) ransomware, dubbed 'Qilin.B,' has been detected in cyberattacks, showcasing stronger encryption techniques, improved evasion from security tools, and sophisticated methods to disrupt data recovery processes.
Summary: A new vulnerability in Fortinet's FortiManager, known as "FortiJump" and tracked as CVE-2024-47575, has been actively exploited in zero-day attacks since June 2024. The flaw has affected over 50 servers and was first revealed in a report by Mandiant.
Cisco has released security updates to address an actively exploited flaw impacting the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. Tracked as CVE-2024-20481, a successful exploitation could enable an unauthenticated, remote attacker to cause a denial of service of the RAVPN service.
In October 2024, a significant cybersecurity event involving a manufacturing firm was analyzed by ReliaQuest. The investigation attributed the breach to a group called "Scattered Spider," a collective of English-speaking cybercriminals connected to the ransomware organization "RansomHub."
In June 2024, ESET researchers identified a new ransomware group, Embargo, utilizing a Rust-based toolkit for its operations. The toolkit consists of MDeployer, a loader, and MS4Killer, an EDR killer. Both tools are designed to facilitate the deployment and execution of the Embargo ransomware.
A new blog post by Cisco Talos shed light on the activities of Akira ransomware, noting that the group is actively creating new variants of its encryptor and refining its TTPs to adapt to shifts in the threat landscape. In 2023 Akira typically employed a double-extortion tactic where victim data was exfiltrated before encryption.
Cisco Talos recently uncovered a phishing campaign leveraging the open-source Gophish toolkit, executed by an unknown threat actor. The campaign utilizes modular infection chains, either via malicious documents (Maldoc) or HTML files containing JavaScript, which lead to the deployment of two Remote Access Trojans (RATs): PowerRAT, a newly identified PowerShell-based RAT, and DCRAT, a widely recognized malware.
Cybercriminals have compromised a third-party provider linked to Verizon's Push-to-Talk systems, a service used by government agencies, first responders, and enterprises for secure internal communication. This breach, advertised on a Russian-language cybercrime forum, does not impact Verizon's core consumer network but reveals significant vulnerabilities in telecoms' security practices.
A high-severity vulnerability (CVE-2024-38094) impacting Microsoft SharePoint has been identified following the release of a public PoC and subsequently added to CISA's Known Exploited Vulnerabilities (KEV) catalog. This deserialization vulnerability allows an authenticated attacker with Site Owner permissions to inject and execute arbitrary code on the SharePoint server.
In a report from ANY.RUN, DarkComet is highlighted as a highly versatile and dangerous Remote Access Trojan (RAT) that has been a persistent threat since its creation by Jean-Pierre Lesueur in 2008.
ForcePoint has observed an increase in the use of Latrodectus malware by cybercriminals in attacks targeting the financial, automotive, and healthcare sectors. For its part, Latrodectus is a malware downloader that has been around since October 2023. The strain is believed to be developed by LunarSpider, a threat actor who developed the notorious IceID trojan, which has been used by dozens of malware families for distribution purposes.
Two Russian pro-hacker groups, NoName057 and the Russian Cyber Army Team, launched coordinated DDoS attacks against Japanese logistics, shipbuilding companies, and government agencies starting on October 14, 2024.
Attackers are exploiting exposed Docker Remote API servers to deploy the perfctl malware, utilizing a structured attack flow that begins with probing the vulnerable server and ends with payload execution and persistence. The attack starts with the attacker identifying an exposed Docker Remote API server through a ping request. Once the server is located, the attacker creates a Docker container using the ubuntu image.
On Monday, October 21, 2024, the Biden administration officially announced new proposed rules related to a February executive order designed to prevent foreign adversaries such as China and Russia from exploiting easily obtained American financial, biometric, precise geolocation, health, genomic, and other data to carry out future cyberattacks or continue to spy on Americans.
Threat groups are exploiting a critical vulnerability (CVE-2024-40711) in Veeam Backup and Replication software for ransomware attacks, according to researchers and federal authorities. This vulnerability, with a CVSS score of 9.8, was disclosed by Veeam in a security bulletin on September 4.
VMware has released a new security update for CVE-2024-38812, a critical remote code execution (RCE) vulnerability in VMware vCenter Server that wasn't fully addressed by the initial patch in September 2024. The flaw, with a CVSS score of 9.8, stems from a heap overflow issue in the DCE/RPC protocol, affecting vCenter Server and related products like vSphere and Cloud Foundation. It can be exploited without user interaction through specially crafted network packets.
APT41 (also known as Brass Typhoon, Earth Baku, Wicked Panda, or Winnti) launched a sophisticated cyberattack on the gambling and gaming industry. Over a span of six to nine months, the attackers gathered sensitive information such as network configurations, passwords, and data from the LSASS process.
The Bumblebee malware loader appears to have resurfaced after being disrupted by Europol's Operation Endgame in May 2024. A new infection chain deploying Bumblebee has been detected by Netskope Threat Labs, marking its first reappearance since the Europol-led takedown.
Last Friday, ESET announced on X (formerly known as Twitter) that it is aware of a security incident that affected its partner company in Israel. Notably, a phishing campaign initiating on October 8th was observed, where emails branded with ESET's logo were sent from eset[.]co[.]il, a legitimate domain that is operated by ESET's Israel distributor, Comsecure.
In a recent cyberattack, the North Korea-backed advanced persistent threat (APT) group known as APT37 exploited a zero-day vulnerability in Microsoft's Internet Explorer (IE) web browser to launch a zero-click supply chain campaign targeting South Korean entities.
Microsoft has urged all macOS users to update their systems due to a vulnerability (CVE-2024-44133, CVSS 5.5) patched in the September macOS Sequoia updates. The flaw may be exploited by the Adloader macOS malware family. It targets Apple's Transparency, Consent, and Control (TCC) protections, potentially allowing unauthorized access to a device's camera, microphone, and location.
Researchers at Sekoia have shed light on a new social engineering tactic called ClickFix, which involves displaying fake error messages in web browsers to trick users into copying and executing malicious PowerShell code to infect targeted systems. In the last couple of months, ClickFix has been used to distribute Windows and macOS infostealers, botnets, and remote access tools.
Microsoft has identified a vulnerability in macOS, named "HM Surf," that enables attackers to bypass the system's Transparency, Consent, and Control technology, which is responsible for managing user permissions for accessing sensitive data. This flaw, tracked as CVE-2024-44133, allows attackers to gain unauthorized access to user data, including browsing history, camera, microphone, and location.
Group-IB researchers successfully infiltrated the Cicada3301 ransomware-as-a-service group, uncovering significant details about its operations and affiliate panel. Cicada3301, which started recruiting affiliates in June 2024, has targeted approximately 30 victims, primarily in the U.S. and U.K.
The pentester encountered a session fixation vulnerability in a PHP web application, but knew it might not be taken seriously on its own. To demonstrate its severity, they combined it with an existing XSS vulnerability and a lesser-known technique called the Cookie Jar Overflow Attack. This combination allowed them to show how an attacker could bypass security measures and hijack user sessions.
In December, a new ransomware group targeting Russian businesses and government agencies was identified, dubbed “Crypt Ghouls.” Investigation revealed connections to other cybercriminal groups through shared tactics, tools, and infrastructure. The group employs a variety of utilities, including Mimikatz and LockBit 3.0 for ransomware attacks, utilizing compromised contractor credentials to gain access via VPN.
Iranian hackers are increasingly breaching critical infrastructure organizations to steal credentials and network data, which they sell on cybercriminal forums, enabling further cyberattacks by other threat actors.
Secureworks Counter Threat Unit researchers have identified evolving tactics in fraudulent employment schemes involving North Korean IT workers, linked to the NICKEL TAPESTRY threat group. These schemes involve North Korean nationals using stolen or falsified identities to secure employment at Western companies, including those in the U.S., UK, and Australia.
According to Symantec's new report, Ransomware: Threat Level Remains High in Third Quarter, ransomware continues to be a growing threat in the cyber landscape, with Symantec observing 1,255 ransomware attacks in the third quarter of 2024. One of the biggest developments observed by Symantec in Q3 of 2024 was a decline in LockBit activity, a previously dominant player in the ransomware ecosystem.
Cronus is a sophisticated ransomware strain developed using .NET technology, first reported by Seqrite. This analysis arose from the discovery of a malicious document presented as a PayPal invoice, which was submitted to VirusTotal. The investigation outlines the ransomware's method of file encryption, its persistence mechanisms, and a detailed examination of its ransom note.
North Korean threat actor ScarCruft, also known as TA-RedAnt, APT37, and several other aliases, has been linked to the exploitation of a now-patched zero-day vulnerability in Windows, identified as CVE-2024-38178 (CVSS score: 7.5). This flaw, a memory corruption issue in the Windows Scripting Engine, allowed remote code execution when using Microsoft Edge in Internet Explorer Mode. Microsoft patched the vulnerability as part of its August 2024 Patch Tuesday updates.
Fortinet FortiGuard Labs has uncovered a suspected nation-state actor exploiting a chain of three vulnerabilities impacting Ivanti Cloud Service Appliance to gain unauthenticated access to the CSA, enumerate users configured in the appliance, and further attempt to access the credentials of those users.
A newly discovered Golang ransomware variant has been found to abuse Amazon S3's Transfer Acceleration feature to exfiltrate data from victim machines to attacker-controlled S3 buckets. The ransomware samples analyzed contained hardcoded AWS credentials, which were used to create S3 buckets and enable faster data transfers through Amazon's globally distributed CloudFront edge locations.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) are releasing this joint Cybersecurity Advisory to warn network defenders of Iranian cyber actors' use of brute force and other techniques to compromise organizations across multiple critical infrastructure sectors, including the healthcare and public health (HPH), government, information technology, engineering, and energy sectors.
Security teams are increasingly recognizing large language models (LLMs) as vital business tools capable of automating various tasks, thereby allowing employees to focus on more strategic functions and potentially providing a competitive advantage.
Cofense has shared insights on a phishing campaign it detected earlier this year, where actors were observed using GitHub links to bypass email security gateways and distribute malware. These links were generated through the submission of GitHub comments, which can be added to the source code repository and may include but are not limited to proposed changes, more information from a user on an issue, or documentation.
Threat actors are exploiting the open-source EDRSilencer tool to bypass endpoint detection and response systems, according to Trend Micro researchers. Originally designed for red teaming, EDRSilencer leverages the Windows Filtering Platform to block EDR communications by identifying and filtering EDR processes, preventing them from sending alerts or telemetry.
The recent activities of Iranian state-sponsored hacking group APT34, also known as OilRig, have focused on government and critical infrastructure entities in the UAE and Gulf region. Trend Micro researchers identified a new campaign in which OilRig deployed a novel backdoor to target Microsoft Exchange servers for credential theft.
OzarksGo, a fiber ISP based in Fayetteville, Arkansas, experienced a cyber incident on October 7 that specifically targeted the servers responsible for providing linear TV service to approximately 4,500 customers in northwest Arkansas and northeast Oklahoma. Upon discovering the potential issue, the company acted promptly by deactivating the affected equipment and bringing in external experts to assess the situation and mitigate further impact.
Amateur ham radio operators have long served as vital communication links during disasters, providing essential support when conventional systems fail. Despite advancements in technology, these skilled volunteers remain prepared through training and drills, such as the Amateur Radio Emergency Service (ARES) Field Day.
Recently, Tend Micro has been tracking Earth Simnavaz (also known as APT34 and OilRig), a cyber espionage group believed to be linked to Iranian interests. This group primarily targets organizations in the energy sector, particularly those involved in oil and gas, as well as other critical infrastructure.
The FBI, NSA, CNMF, and NCSC-UK have released a joint advisory highlighting the tactics, techniques, and procedures (TTPs) employed by actors associated with the Russian Federation Foreign Intelligence Service (SVR), including APT29, Midnight Blizzard (formerly Nobelium), Cozy Bear, and the Dukes.
CISA has issued a warning that threat actors are exploiting unencrypted persistent cookies managed by the F5 BIG-IP Local Traffic Manager module. These cookies are being leveraged to conduct reconnaissance on target networks, allowing attackers to map out and enumerate non-internet-facing devices.
Ransomware gangs are actively exploiting a critical vulnerability in Veeam Backup & Replication servers, designated as CVE-2024-40711, which allows attackers to achieve remote code execution. This vulnerability was discovered by Florian Hauser, a security researcher at Code White.
Resecurity has reported a growing trend of attacks on AI conversational platforms, particularly those using Natural Language Processing and Machine Learning to simulate human-like interactions. These platforms, commonly used in industries such as finance, e-commerce, and customer support, enable personalized, automated responses to consumers.
The Internet Archive, a nonprofit digital library known for providing free access to archived websites and digital materials, has been facing a distributed denial-of-service attack for three consecutive days, severely limiting users' ability to access the site. Alongside this DDoS attack, a data breach was discovered, exposing 31 million user accounts, including email addresses, screen names, and bcrypt-hashed passwords.
A new, previously undetected loader builder, dubbed "MisterioLNK," has been identified by Cyble Research and Intelligence Labs (CRIL). This versatile tool, publicly accessible on GitHub, poses a significant threat to security defenses due to its ability to generate loader files that largely evade detection by conventional security systems.
There has been a recent increase in actors employing callback phishing to infect unsuspecting victims with malware. Callback phishing, otherwise known as telephone-oriented attack delivery (TOAD), is a hybrid phishing model (a combination of voice and phishing) that aims to take advantage of the trust people often assign to strangers who assume authority over the phone.
Mamba 2FA is an emerging phishing-as-a-service platform that targets Microsoft 365 accounts through adversary-in-the-middle attacks. It uses highly convincing phishing login pages to steal authentication tokens, bypassing multi-factor authentication protections. Priced at $250 per month, Mamba 2FA is gaining popularity due to its accessibility and effectiveness, positioning it as one of the fastest-growing phishing platforms in the market.
In the wake of Hurricane Helene and the impending arrival of Hurricane Milton on October 9th, 2024, Florida faces another threat: a myriad of cyberattacks targeting vulnerable individuals and organizations. Veriti, a cybersecurity research firm based in Israel, identified three key emerging threats exploiting the chaos and urgency surrounding hurricane relief efforts.
Summary: Barracuda threat analysts have identified a new wave of QR code phishing attacks, known as "quishing," that employ sophisticated techniques to bypass traditional security measures. These phishing attempts use QR codes generated from text-based ASCII/Unicode characters instead of conventional static images, making them difficult for optical character recognition systems to interpret.
Actors are increasingly misusing legitimate file hosting services in campaigns intended to conduct identity phishing, commonly leading to business email compromise attacks. SharePoint, OneDrive, and Dropbox are some of the common services being exploited.
Ivanti, a prominent U.S.-based IT software company, has issued critical security updates to fix three newly discovered zero-day vulnerabilities in its Cloud Services Appliance (CSA), which are being actively exploited in ongoing attacks.
Security giant ADT disclosed it suffered a breach after actors gained access to its systems using stolen credentials and exfiltrated employee account data. On Monday, ADT filed a 8-K filing with the SEC, noting that the credentials were stolen from a third-party business partner, thus enabling the actors to breach ADT systems.
Qualcomm has recently issued security updates that address nearly two dozen vulnerabilities in proprietary and open-source components within their systems. Among these vulnerabilities, one of particular concern is a high-severity flaw, identified as CVE-2024-43047, which has been actively exploited in the wild.
Secureworks' 2024 State of the Threat Report highlights a significant 30% rise in active ransomware groups over the past year, despite extensive law enforcement actions aimed at disrupting these operations. In the last 12 months, 31 new ransomware groups have emerged, shifting the landscape from a few dominant players to a more fragmented ecosystem.
Japanese tech giant Casio has recently experienced a significant cyberattack, with unauthorized access to its networks reported on October 5. This incident has led to notable disruptions in its systems, affecting various services that the company offers.
Last week, Microsoft and the U.S. Department of Justice (DOJ) announced that they seized 107 internet domains that were being used by Star Blizzard, a Russian nation-state actor. 66 of these domains were used by Star Blizzard to target over 30 civil society organizations including journalists, think tanks, and non-governmental organizations (NGOs), between January 2023 and August 2024.
A new China-aligned threat actor, dubbed CeranaKeeper, has been identified targeting governmental institutions in Southeast Asia, primarily Thailand. The group has been active since at least early 2022 and is characterized by its relentless pursuit of data exfiltration. CeranaKeeper leverages a variety of techniques and tools, including custom backdoors, exfiltration tools, and the abuse of legitimate cloud and file-sharing services like DropBox and OneDrive, to achieve its objectives.
ESET researchers uncovered a sophisticated cyberespionage campaign by the GoldenJackal APT group, targeting governmental and diplomatic entities across Europe and South Asia from 2019 to 2024. The group primarily focused on breaching air-gapped systems—networks isolated from the internet to protect highly sensitive data—using custom tools delivered via USB drives.
Researchers have identified a new botnet malware family called Gorilla or GorillaBot, which is a variant of the Mirai botnet source code. Discovered by NSFOCUS, this malware has shown significant activity between September 4 and September 27, 2024, during which it executed over 300,000 attack commands, with an average of 20,000 DDoS commands per day.
CISA released its Fiscal Year 2023 (FY23) Risk and Vulnerability Assessments (RVA) Analysis, providing a crucial look into the tactics and techniques threat actors employed to compromise critical infrastructure. The report is part of the agency's ongoing effort to improve national cybersecurity through assessments of vulnerabilities in key sectors.
A cybersecurity campaign targeting organizations in mid-September, in the U.K. and the U.S., employed Prince Ransomware, a freely available variant advertised on GitHub for educational purposes by developer “SecDbg”. The connection to Prince Ransomware was identified due to the observed sample downloading the same PNG from Imgur, and setting the PNG as the background, exactly as Prince Ransomware does in the configuration example on GitHub.
A sophisticated cyberattack targeting organizations worldwide has been uncovered by Cyble Research and Intelligence Labs (CRIL). The threat actor (TA) employed a multi-stage attack, utilizing legitimate tools such as Visual Studio Code (VS Code) and GitHub to gain unauthorized remote access to victims' machines. The attack chain's initial access is achieved through a malicious .LNK file, disguised as a legitimate setup file, which is potentially delivered to victims through spam or phishing emails.
Researchers at Cisco Talos have uncovered a financially motivated threat actor deploying a new MedusaLocker ransomware variant, dubbed “BabyLockerKZ.” First observed in late 2023, this variant distinguishes itself from the original MedusaLocker by using unique autorun keys and an additional public-private key set stored in the registry. Despite these differences, BabyLockerKZ utilizes the same chat and leak site URLs as its predecessor, marking its first identification as a MedusaLocker variant.
Check Point Research uncovered a recent mobile malware campaign exclusively targeting cryptocurrency users through a malicious Android app disguised as the legitimate WalletConnect protocol, taking advantage of its trusted name. This fake app, identified by Check Point, employed various evasion techniques including BASE64 encoding and encryption to avoid detection, deceive users, and steal their crypto assets. It achieved high visibility in Google Play Store search results through fake reviews and consistent branding, leading to over 10,000 downloads. Another malware app identified by Check Point exhibits similar features and achieved more than 5,000 downloads. Once the fake app is installed, it checks if the user isn't on a desktop, taking users to a legitimate website if they are, and then drops the MS Drainer and prompts the user to sign several transactions. The information is transmitted to a C2 server and it sends commands to MS Drainer to transfer funds to the attacker's wallet. This campaign is notable because it represents the first instance of a cryptocurrency drainer focusing exclusively on mobile device users. While the exact number of victims is unknown, over 150 users are estimated to have lost funds.
In a recent development, researchers identified significant security vulnerabilities within the OpenPrinting Common Unix Printing System (CUPS), which is a crucial component in many Linux environments. These vulnerabilities could enable attackers to execute arbitrary code remotely, potentially compromising the integrity of affected systems. Given the widespread use of CUPS in personal and enterprise settings, this poses a substantial threat to printing and document-handling workflows, highlighting the need for immediate attention from cybersecurity professionals.
A recent discovery by Datadog Security Research has unveiled a new cryptojacking campaign targeting Docker and Kubernetes, two widely used platforms for containerized development. The attackers exploit vulnerable Docker Engine APIs exposed to the internet to deploy a cryptocurrency miner on compromised containers. The campaign then utilizes additional malicious scripts to achieve lateral movement across the network, compromising other Docker hosts, Kubernetes deployments, and even SSH servers.
Law enforcement from 12 countries arrested four suspects tied to the LockBit ransomware gang, including a developer, a bulletproof hosting administrator, and two individuals linked to LockBit activities. These arrests were part of Operation Cronos, a global crackdown led by the UK National Crime Agency (NCA), which began in April 2022. A suspected LockBit developer was arrested in August 2024 at the request of French authorities, while two other individuals were arrested in the UK, one for LockBit affiliation and the other for money laundering. Additionally, Spain arrested a bulletproof hosting service administrator used by LockBit.
Last week, Texas healthcare provider UMC Health System disclosed that it detected unusual activity within its IT systems and took steps to proactively disconnect systems to contain the incident. Due to the outage, medical prescription lists are unavailable at UMC clinics. As such, patients have been advised to bring their prescriptions with them when visiting. As a precaution, UMC decided to temporarily divert incoming emergency and non-emergency patients to nearby health facilities. In an update on Monday, the healthcare giant stated that it will start accepting patients via ambulance. However, a select number of patients will still be diverted until all UMC resources are fully functional. As of writing, the investigation is still ongoing, with UMC working with third parties to determine the full scope of the incident and recover systems as soon as possible.
A critical XML external entity reference (XXE) vulnerability, tracked as CVE-2024-34102, has been exploited to compromise five percent of Adobe Commerce and Magento stores. This vulnerability, dubbed CosmicSting, has been exploited by malicious actors to gain remote code execution on vulnerable systems. The flaw was patched by Adobe on June 27th, 2024, but widespread exploitation has continued. Sansec research discovered seven different groups running large-scale campaigns utilizing this CosmicSting vulnerability.
An IT-ISAC member shared some indicators related to Lumma Stealer and it's use of Steam Workshop for C2 communications. Lumma Stealer, a subscription-based malware active since 2022, is believed to be developed by the threat actor "Shamel" under the alias "Lumma." It is promoted on dark web forums and a Telegram channel with over a thousand subscribers, and sold for as little as $250 USD. Lumma Stealer collects system data, sensitive information like cookies, passwords, credit card details, and cryptocurrency wallet data from compromised devices. The malware is typically delivered by users downloading trojanized software or opening malicious emails containing Lumma payloads.
Cloudflare has shared significant insights regarding a notable increase in the frequency and severity of Distributed Denial of Service (DDoS) attacks, particularly starting from early September. During this period, the company successfully neutralized over 100 hyper-volumetric Layer 3 and Layer 4 DDoS attacks. Many of these incidents surpassed critical benchmarks, with some exceeding 2 billion packets per second (Bpps) and reaching impressive peaks of 3 terabits per second (Tbps). One of the most alarming attacks peaked at an extraordinary 3.8 Tbps, which stands as the largest DDoS attack ever made public by any organization.
In May 2024, Ivanti released patches to address a SQL injection vulnerability in its Endpoint Manager. Tracked as CVE-2024-29824, the flaw impacts the Core server of Ivanti EPM 2022 SU5 and prior, and can be exploited by an unauthenticated attacker within the same network to execute arbitrary code. In its initial advisory, Ivanti did not have evidence to suggest that the flaw was exploited in attacks in the wild. However, the vendor recently updated the advisory stating that it is aware of in-the-wild exploitation. According to Ivanti, CVE-2024-29824 has been used against “a limited number of customers.” Details of these attacks have not been disclosed at this time. CISA recently added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, advising organizations to apply patches by October 23.
On July 25, 2024, Rim Jong Hyok, an alleged member of the North Korean threat group Stonefly (aka Andariel, APT45, Silent Chollima, Onyx Sleet), was indicted by the U.S. Justice Department for his involvement in extorting U.S. hospitals and other healthcare providers between 2021 and 2023, laundering the ransom proceeds, and then using these proceeds to fund additional cyberattacks against targets in the defense, technology, and government sectors worldwide.
Linux servers are under threat from a stealthy malware known as "perfctl," aimed at running cryptocurrency mining and proxyjacking software. This malware employs advanced evasion tactics, remaining inactive during user activity and deleting its own files to avoid detection. It exploits a vulnerability in Polkit (CVE-2021-4043) to gain root access and install the miner. The name "perfctl" is a deliberate attempt to mimic legitimate system processes. The attack typically involves exploiting vulnerable Apache RocketMQ instances to deliver the malware. Once activated, perfctl hides itself by copying to different locations and may also download additional proxyjacking tools from remote servers.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) have released a joint advisory warning against a group of Iran-based cyber actors that has conducted a high volume of computer network intrusion attempts against U.S. and foreign organizations since 2017 and as recently as August 2024, including schools, municipal governments, financial institutions, and healthcare facilities.
A critical security vulnerability tracked as CVE-2024-6386 has been disclosed in the WPML WordPress multilingual plugin. WPML is a popular plugin used for building multilingual WordPress sites. It has over one million active installations. This vulnerability could allow authenticated users with Contributor-level access or higher to execute arbitrary code remotely under certain circumstances.
ESET researchers discovered a remote code execution vulnerability (CVE-2024-7262) in WPS Office for Windows, which was actively exploited by the South Korea-aligned cyberespionage group APT-C-60. This group targeted users in East Asian countries, leveraging the vulnerability to deploy a custom backdoor named "SpyGlace" by ESET, designed for cyberespionage purposes.
The BlackByte ransomware group has been observed likely exploiting a newly patched vulnerability (CVE-2024-37085) in VMware ESXi hypervisors, while simultaneously leveraging various vulnerable drivers to bypass security protections.
Volt Typhoon is a Chinese state-sponsored hacker group known by various aliases such as Vanguard Panda and Bronze Silhouette. Recent developments reveal that these hackers have exploited a high-severity zero-day vulnerability in the Versa Director platform, which is used by ISPs to manage complex networks.
Volt Typhoon is a Chinese state-sponsored hacker group known by various aliases such as Vanguard Panda and Bronze Silhouette. Recent developments reveal that these hackers have exploited a high-severity zero-day vulnerability in the Versa Director platform, which is used by ISPs to manage complex networks.
A significant phishing campaign has leveraged Microsoft Sway, a cloud-based platform for creating online presentations, to host malicious landing pages designed to steal Microsoft 365 credentials.
A sophisticated cyber campaign is currently targeting high-profile organizations in Southeast Asia, employing two advanced and under-the-radar techniques to infiltrate their systems.
The National Cyber Security Centre (NCSC) of Ireland is warning of a growing trend in WhatsApp verification code scams targeting users. These scams initiate with the actors obtaining the victim's phone number and entering the number into WhatsApp's login screen.
A recent discovery by Kaspersky researchers revealed a new macOS version of the HZ RAT backdoor. This backdoor specifically targets users of DingTalk, an enterprise messaging platform, and WeChat, a popular social media app, both widely used and essentially required in China.
Malicious hackers, likely backed by the Chinese government, have exploited a critical zero-day vulnerability in the Versa Director virtualization platform used by ISPs. This vulnerability, tracked as CVE-2024-39717, allowed attackers to infect at least four US-based ISPs with malware named "VersaMem," which steals customer credentials before they are encrypted.
Cybercriminals have expanded the scope of so-called highway toll text scams in recent months, targeting people across multiple states with malicious SMS messages demanding payment for fictitious charges.
Recent research has revealed critical vulnerabilities in several widely-used Python applications for Windows. These vulnerabilities could allow attackers to steal NTLM credentials, which are essential for authenticating users within Windows environments.
A previously undiscovered group, dubbed "Greasy Opal," has been found aiding cyber attackers by providing CAPTCHA-solving services and other tools to bypass security measures. This group, based in the Czech Republic and active since 2009, was recently identified by Arkose Cyber Threat Intelligence Research after its tools were used in attacks on Arkose Labs' customers.
A complex multi-stage malware campaign utilizing a newly documented memory-only dropper has been observed by Mandiant in recent investigations and published on August 22, 2024. This dropper serves as a conduit for launching subsequent-stage malware.
Meta shared insights on a small cluster of likely social engineering activity on WhatsApp that its security team was able to block after investigating user reports. This activity which originated from Iran attempted to target individuals in Israel, Palestine, Iran, the United States and the UK, focusing on political and diplomatic officials, and other public figures, including some associated with administrations of President Biden and former President Trump.
Unit 42's recent investigation uncovered a shift in strategy by the Bling Libra group, which is known for its ShinyHunters ransomware. Instead of just selling stolen data as they have in the past, they've now turned to extorting their victims. This new approach involves using legitimate credentials they found in public repositories to break into and compromise Amazon Web Services (AWS) environments.
A critical security vulnerability (CVE-2024-28000) has been identified in the LiteSpeed Cache plugin for WordPress, a widely used caching plugin with over five million active installations. This vulnerability, discovered by John Blackburn and submitted via the Patchstack Zero Day bug bounty program for WordPress, could allow unauthenticated attackers to gain administrator privileges on vulnerable WordPress websites.
Aqua Security's threat research team, Nautilus, has uncovered PG_MEM, a sophisticated new malware designed to target PostgreSQL databases. This malware exploits weak passwords by launching brute force attacks, gaining unauthorized access to databases, and delivering malicious payloads, including cryptocurrency mining software.
Chinese-language hackers are increasingly leveraging the Windows Installer MSI file format to bypass conventional security measures, marking a shift in how malware is delivered.
Ukraine's Computer Emergency Response (CERT-UA) is warning of a new phishing campaign distributing emails on the subject of ‘prisoners of war' to infect end users with malware. In this case, these emails contain photos of alleged prisoners of war from the Kursk region, urging recipients to click on a link designed to download a malicious Zip archive.
Today, Google released a new Chrome emergency security update to patch a zero-day vulnerability tagged as exploited in attacks. "Google is aware that an exploit for CVE-2024-7971 exists in the wild," the company said in an advisory published on Wednesday.
A critical vulnerability, CVE-2024-6800, was discovered in GitHub Enterprise Server by “ahacker1” through GitHub's Bug Bounty Program. This vulnerability could be exploited by an attacker with network access to bypass authentication and gain administrator privileges on the affected machine.
Based on research conducted by Barracuda Networks, which analyzed 200 reported ransomware incidents from August 2023 to July 2024, more than a fifth of these attacks targeted the healthcare sector, highlighting an 18% increase from the previous year.
A report from Malwarebytes reveals that most ransomware attacks now occur between 1 a.m. and 5 a.m., aiming to catch cybersecurity teams off guard. The 2024 State of Ransomware Report, based on threat intelligence from Malwarebytes' ThreatDown unit, indicates that a majority of incidents happen in the early morning,
A new remote access trojan called MoonPeak has been discovered, being used by a state-sponsored North Korean threat group in a recent cyber campaign. Cisco Talos has attributed this campaign to a hacking group they track as UAT-5394.
A Taiwanese university has recently been targeted by a sophisticated cyberattack involving a previously undocumented Windows backdoor named Msupedge. This malware is distinctive for its use of DNS tunneling—a technique where data is transmitted through DNS queries—to communicate with its command-and-control (C&C) server.
Yesterday, the Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint statement, highlighting Iran's longstanding interest in exploiting societal tensions, including the use of cyber operations to attempt to gain access to sensitive information related to U.S. elections.
The North Korean Lazarus hacking group exploited a zero-day vulnerability in the Windows AFD.sys driver to elevate privileges and install the FUDModule rootkit on targeted systems. Microsoft addressed this flaw, identified as CVE-2024-38193, during its August 2024 Patch Tuesday, along with seven other zero-day vulnerabilities.
A newly discovered backdoor named Msupedge has been deployed in a cyberattack against an unnamed university in Taiwan. The backdoor stands out due to its unconventional method of communicating with its command-and-control server via DNS traffic, which is a relatively rare and stealthy technique. The origins and objectives behind the Msupedge attack remain unknown.
A recent report by Kaspersky details the activities of BlindEagle, an APT group targeting Latin American entities and individuals since at least 2018. The group employs a variety of tactics, techniques, and procedures (TTPs) to achieve its objectives, which fluctuate between financial gain and espionage. BlindEagle primarily leverages phishing campaigns, often impersonating government or financial institutions, to deliver malicious payloads.
A recent ValleyRAT malware campaign targeting Chinese speakers has been identified by FortiGuard Labs. This multi-stage malware employs sophisticated evasion techniques to establish persistent control over compromised systems. Key characteristics include heavy reliance on shellcode for in-memory execution, reducing file footprint, and the use of legitimate application icons to deceive victims.
Researchers from Check Point have uncovered significant details about Styx Stealer, a new malware strain, due to a major operational security blunder by its developer. The developer leaked sensitive information from their computer, including client data and earnings, which Check Point used to gain insight into the malware's operation.
Researchers have uncovered new infrastructure linked to the financially motivated cybercrime group FIN7. This discovery, detailed in a report by Team Cymru in collaboration with Silent Push and Stark Industries Solutions, reveals two clusters of FIN7 activity connected to IP addresses from Post Ltd in Russia and SmartApe in Estonia.
Sophos uncovered details on a new ransomware operation dubbed Mad Liberator, which uses social engineering to obtain access to victim environments, targeting users who use remote access tools installed on endpoints and servers. Since initiating operations in mid-July, 2024. Mad Liberator has been observed targeting users of Anydesk, a popular software used by IT teams to manage their environments, particularly when working with remote users and devices.
Malicious actors are increasingly using a cloud-based attack tool called Xeon Sender to conduct widespread smishing and spam campaigns by abusing legitimate software-as-a-service (SaaS) platforms. The tool, as noted by SentinelOne security researcher Alex Delamotte, allows attackers to send bulk SMS messages through multiple SaaS providers by using valid credentials for those services. Importantly, Xeon Sender doesn't exploit any inherent vulnerabilities in these providers but instead uses their legitimate APIs to carry out large-scale SMS spam attacks.
A recent surge in malware infections has been attributed to malvertising campaigns targeting users seeking popular business software such as Brave, KeePass, Notion, Steam, and Zoom. The attack vector involves trojanized MSIX installers, which execute PowerShell scripts upon installation of the booby-trapped software to download secondary payloads.
Elastic Security Labs has uncovered a new stealer malware dubbed Banshee Stealer designed to target Apple macOS systems. Banshee Stealer is currently advertised on cybercriminals forums for a price tag of $3,000 per month. The stealer is capable of targeting a wide range of browsers, cryptocurrency wallets, and approximately 100 browser extensions.
Researchers have exposed a sophisticated cybercrime campaign, codenamed "Tusk," orchestrated by Russian-speaking cybercriminals. This campaign is notable for its strategic impersonation of legitimate brands to distribute various forms of malware, including DanaBot and StealC, through a series of interconnected sub-campaigns.
Unit 42 researchers uncovered a highly sophisticated extortion campaign that specifically targeted cloud environments by exploiting exposed environment variable files, commonly referred to as .env files. These files, which are often used to store sensitive information such as cloud service keys, API tokens, and database credentials, were inadvertently exposed due to misconfigurations in web servers and applications.
A recent ransomware attack targeting India's National Payments Corporation (NPCI) has been linked to a flaw in Jenkins, a popular automation tool. The security weakness, known as CVE-2024-23897, was found in Jenkins' Command Line Interface, enabling unauthorized access to sensitive data on servers that hadn't been updated with the latest security patches.
A recent discovery by security researchers at Sonatype, published on August 7th, 2024, highlights a new malicious package on the Python Package Index (PyPI) masquerading as a legitimate Solana blockchain library, "solana-py". This fake package leverages a typosquat technique, exploiting the slight naming discrepancy between the genuine "solana-py" project on GitHub and its simplified name "solana" on PyPI.
On August 8, 2024, Evolution Mining, a prominent Australian gold mining firm, experienced a ransomware attack that impacted its IT systems. The company has engaged external cyber forensic experts to investigate the incident, which is currently believed to be contained. While the attack disrupted IT operations, it is not anticipated to significantly impact overall mining operations.
HUSKY, a products filter plugin for the e-commerce product plugin WooCommerce, developed by “realmag777” which enhances the functionality of the base WooCommerce product for WordPress. Around 478 million websites are built on WordPress. It empowers your website visitors to easily search and filter WooCommerce products based on: categories, attributes, tags, taxonomies, meta fields, and product prices.
In this report, they delve into WormGPT—a Dark Web counterpart to ChatGPT, which is designed to quickly generate phishing emails, malware, and harmful recommendations for hackers. Despite its alarming reputation, many of the concerns surrounding WormGPT are rooted in misunderstandings and exaggerations about AI-based hacking applications.
The Inc ransomware group recently carried out a significant cyberattack on McLaren Health Care, a multibillion-dollar healthcare network operating across Michigan, Indiana, and Ohio. The attack severely disrupted McLaren's IT and phone systems, forcing hospitals and outpatient clinics to implement "downtime procedures."
The China-backed cyber espionage group known as Earth Baku, associated with APT41, has significantly expanded its scope of operations beyond its traditional focus on the Indo-Pacific region.
Wiz Threat Research has shed light on a new phishing campaign targeting AWS accounts. The campaign was spotted after an employee at Wiz received a phishing email containing a PNG image. The email was sent from an AWS account (likely compromised) using a spoofed email address -admin@alchemistdigital[.]ae.
On August 14, 2024, Microsoft issued patches for six actively exploited vulnerabilities as part of its regular Patch Tuesday updates. These flaws affect Microsoft Project, various Windows products, and the Windows Scripting Engine. Notably, one high-severity vulnerability in Microsoft Project (CVE-2024-38189) could allow remote code execution if a victim opens a malicious file.
X (formerly Twitter) and Elon Musk's xAI are facing criticism for allegedly using the personal data of over 60 million EU users without consent to train the conversational AI chatbot, Grok. The European privacy group NOYB has filed GDPR complaints in nine countries, claiming X's practices violate EU data protection laws.
Non-profit organization MITRE announced a call for intelligence contributions for ATT&CK evaluations addressing ICS (industrial control systems) to enrich its emulation. The enhanced insight from contributors enables a more holistic emulation approach that reflects the breadth of adversary behaviors.
Researchers at ReasonLabs have uncovered details of a ongoing widespread malware campaign that is forcefully installing malicious browser extensions on targeted endpoints. To date, ReasonLabs has observed atleast 300,000 impacted users across Google Chrome and Microsoft Edge.
Attackers can leverage a critical flaw associated with the 0.0.0.0 IP address to remotely execute code on major web browsers, including Chrome, Safari, and Firefox. This vulnerability exposes users to risks such as data theft, malware installation, and other malicious activities.
Microsoft has revealed a critical, unpatched zero-day vulnerability in Office that could lead to the unauthorized disclosure of sensitive information if successfully exploited.
A co-founder of transparency activism organization Distributed of Denial of Secrets (DDoSecrets) was a dark web drug kingpin who ran the successor to the infamous Silk Road marketplace and was later convicted of child abuse imagery crimes.
Data exfiltration has become a key component in double extortion ransomware attacks, which are now a prevalent method used by cybercriminals. According to a new report by ReliaQuest, the top three tools used for data exfiltration between September 2023 and July 2024 are Rclone, WinSCP, and cURL.
Iran-linked threat actors are accelerating their malicious online activity intending to influence the United States presidential election by capitalizing on political polarization via TTPs such as creating fake news websites that target extremists, impersonating U.S. political activists, performing email phishing attacks from former political advisors, and making attempts to successfully log into an account belonging to a former presidential candidate, all to stoke division and political tension, especially in swing states where they potentially have the most influence.
Security giant ADT has confirmed that it suffered a data breach after actors allegedly leaked stolen customer data on Breached Forums, a popular cybercriminal platform. In a form 8-K filing with the Securities and Exchange Commission (SEC), ADT stated that it recently “experienced a cybersecurity incident during which unauthorized actors illegally accessed certain databases containing ADT customer order information.”
The U.S. Justice Department arrested Matthew Isaac Knoot, a 38-year-old Nashville man, for aiding North Korean IT workers in obtaining remote work at U.S. companies by posing as U.S.-based individuals. Knoot operated a "laptop farm," using stolen identities, including that of "Andrew M.," to deceive companies into sending laptops to his residence.
The CrowdStrike update from July, which caused significant disruptions across industries, has led to a flurry of lawsuits from investors and affected companies. This update, known as "Channel File 291," resulted in major operational issues, including crashes on 8.5 million computers, with damages estimated at $5.4 billion.
CISA and the FBI have updated a joint advisory released back in March 2023 on the Royal ransomware group, highlighting that the gang has now rebranded into the BlackSuit operation. BlackSuit which is an evolution of the Royal ransomware, has been observed in attacks from September 2022 through June 2023 and shares numerous code similarities with Royal ransomware while exhibiting improved capabilities.
Previous analyses of ICS exposure have focused on the automation protocols themselves, recent research explored the exposure of HMIs and web administration interfaces, which often reveal location information and other identifying details.
Researchers have detailed activities of the North Korean APT group Kimsuky, which has been targeting universities globally for espionage. Active since 2012, Kimsuky primarily targets South Korean entities but has extended its reach to the US, the UK, and Europe. The group specializes in sophisticated phishing campaigns, often impersonating academics or journalists to steal sensitive information.
A phishing campaign leveraging Google Drawings and WhatsApp URL shorteners to evade detection and compromise user accounts has been identified by security researchers at Menlo Security. The attack commences with a phishing email directing recipients to a seemingly legitimate Amazon account verification link hosted on Google Drawings.
In April, FortiGuard Labs uncovered a sophisticated attack using multiple layers of obfuscation and evasion techniques to distribute VenomRAT via ScrubCrypt. This campaign extended beyond VenomRAT, deploying additional malware through a plugin.
Researchers have discovered critical flaws in software that manages 20% of the world's solar electricity, posing significant risks of grid overloads and blackouts. Although solar power currently represents a minor share of U.S. electricity generation, it is projected to grow exponentially and potentially make up half of domestic electricity generation by 2050.
Reputation-based security controls may not be as effective as commonly assumed in protecting organizations against unsafe web applications and content, according to a new study by Elastic Security. Researchers have identified several techniques attackers use to bypass these mechanisms, which rely on the reputation and trustworthiness of applications and content.
A path traversal vulnerability that leads to a critical and unauthenticated remote code execution (RCE) vulnerability, identified as CVE-2024-4885 reported on April 24th, 2024, affecting Progress WhatsUp Gold versions 23.1.2 and earlier has been actively exploited by threat actors since August 1, 2024. Zero Day Initiative (ZDI) publish a related advisory on July 3rd, 2024.
In the past year, there has been an increase in the number of threat actors leveraging legitimate cloud services in attacks. According to researchers at Symantec, trusted services like Microsoft OneDrive or Google Drive are frequently being abused given that traffic to and from such services is less likely to raise red flags than communications with attack-controlled infrastructure.
CrowdStrike has released a root cause analysis for the Falcon Sensor software update crash, which impacted millions of Windows devices globally. The incident, identified as "Channel File 291," was caused by a content validation issue linked to a new Template Type designed to enhance visibility into novel attack techniques.
Qualys' new 2024 Midyear Threat Landscape Review highlights a growing number of reported Common Vulnerabilities and Exposures (CVEs). From January to mid-July 2023-2024, the annual count of reported CVEs increased by 30%, from 17,114 in 2023 to 22,254 in 2024.
Cybersecurity researchers at Aqua Nautilus have identified a new Distributed Denial of Service attack called “Panamorfi,” which exploits misconfigured Jupyter Notebooks. This attack targets data scientists and engineers using these notebooks, which are widely employed for data analysis and visualization.
Evasive Panda, also known as Bronze Highland, Daggerfly, and StormBamboo, is a China-linked cyber espionage group active since at least 2012. In mid-2023, they compromised an unnamed ISP to deliver malicious software updates to target companies, showcasing their sophisticated tactics.
A sophisticated phishing campaign, linked to the Russian state-sponsored threat actor Fighting Ursa (APT28), targeted diplomatic personnel earlier this year was reported by Palo Alto Network's Unit 42. This operation employed a deceptive lure centered around a purported car sale that often resonates with diplomats, designed to entice victims into downloading a malicious ZIP archive.
Millions of nearly undetectable phishing emails impersonating well-known companies spread daily in the first half of 2024 due to certain features in Microsoft 365 and Proofpoint's email protection service.
Enterprise Resource Planning (ERP) software is crucial for managing human resources, accounting, shipping, and manufacturing within enterprises. These systems often become complex and difficult to maintain due to extensive customization, complicating the patching process.
Proofpoint is warning of an increase in malware infections delivered through Cloudflare's TryCloudflare, a feature that allows an actor to create a one-time tunnel without creating a Cloudflare account.
Researchers at Infoblox and Eclypsium have collaborated to uncover a sophisticated new attack vector within the Domain Name System (DNS), dubbed the Sitting Ducks attack. This discovery came while studying the infrastructure used by 404TDS, a Russian-hosted traffic distribution system, indicating the involvement of Russian-nexus cybercriminals.
OneBlood, the not-for-profit blood center serving much of the southeastern United States, stated that it is experiencing a ransomware event impacting its software system. While OneBlood remains operational and continues to collect, test, and distribute blood, the non-profit noted that it is operating at a significantly reduced capacity.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory warning of Denial of Service (DDoS) attacks on election infrastructure, or adjacent infrastructure that support election operations, as the 2024 U.S. general election approaches closer.
Security researchers have identified a sophisticated information-stealing fraud network, dubbed “Eriakos,” that lures victims to fake web shops through malicious Facebook ads. According to Recorded Future, this campaign exclusively targets mobile devices and users, making the scam websites accessible only via malvertising to evade security scanners.
DigiCert, a certificate authority, has announced that it will revoke a subset of SSL/TLS certificates within 24 hours due to an oversight in verifying domain ownership. The affected certificates lack proper Domain Control Validation. DigiCert validates domain control by methods approved by the CA/Browser Forum, one of which involves setting up a DNS CNAME record with a random value provided by DigiCert.
A new malicious campaign has been observed utilizing Android apps to steal users' SMS messages since at least February 2022 as part of a large-scale operation. These malicious apps, numbering over 107,000 unique samples, are designed to intercept one-time passwords (OTPs) used for online account verification, leading to identity fraud.
The ongoing malware campaign targeting software developers has expanded its focus to Windows, Linux, and macOS systems. Known as DEV#POPPER and linked to North Korea, the campaign targets victims in South Korea, North America, Europe, and the Middle East.
On July 30th, 2024, a distributed denial-of-service (DDoS) attack triggered a service disruption impacting a subset of Microsoft 365 and Azure customers globally. The outage, lasting approximately eight hours between 11:45 UTC and 19:43 UTC, resulted in intermittent errors, timeouts, and latency spikes for affected users.
Black Basta is a ransomware-as-a-service (RaaS) operation that has been active since April 2022. To date, the ransomware gang has been attributed to over 500 attacks targeting organizations across the world. Just this year, the group claimed responsibility for attacks against a couple of notable victims including Veolia North America, Hyundai Motor Europe, and Keytronic.
Ukraine's Computer Emergency Response Team (CERT-UA) in a new alert stated that it recorded a surge in activity of the UAC-0057 (Aka GhostWriter) group between July 12 to 18, 2024.
Walmart's Cyber Intelligence Team has discovered an unknown PowerShell backdoor alongside a new variant of the Zloader/SilentNight malware. The PowerShell backdoor is designed to provide actors further access through reconnaissance activities and deploy additional malware.
A recent cyberattack targeting Israeli companies has been attributed to the Iranian threat actor, Handala. The campaign leveraged the CrowdStrike outage as a pretext to distribute malicious software.
Cybersecurity experts are warning about an ongoing campaign exploiting internet-exposed Selenium Grid services for unauthorized cryptocurrency mining. Wiz, a cloud security firm, is tracking this activity as SeleniumGreed, which has been targeting outdated Selenium versions (3.141.59 and earlier) since April 2023.
A hacktivist group, USDoD, has claimed to have leaked CrowdStrike's internal threat actor list, including indicators of compromise (IoCs). CrowdStrike acknowledged these claims in a blog post on July 25, 2024, noting that USDoD provided a download link for the alleged list and shared sample data on BreachForums.
A targeted cyberattack from an unfamiliar threat actor leveraging the recent CrowdStrike Falcon Sensor update incident has been identified. This threat actor is distributing malicious installers disguised as legitimate CrowdStrike software to targeted German-based organizations.
According to Cisco Talos's new Quarterly Trends report, business email compromise (BEC) and ransomware were the top threats in the second quarter of 2024, accounting for 60 percent of security incidents. Notably, technology was the most targeted vertical in Q2 2024, accounting for 24 percent of engagements, highlighting a 30 percent increase compared to Q1.
French authorities launched a major operation to clean the country's computer systems of malware believed to have affected several thousand users, “particularly for espionage purposes,” Paris's top prosecutor announced shortly before the start of the Olympics.
Researchers at Trend Micro have uncovered a new Linux variant of the Play ransomware that is specially designed to target VMWare ESXi environments. Based on a sample submitted to VirusTotal, the Linux variant is compressed in an RAR file with its Windows variant and is hosted in the URL hxxp://108.[BLOCKED].190/FX300.rar, a domain that has been used to host tools like PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor, which have been used by Play actors in previous attacks.
A now-patched Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) has been exploited to deliver information stealers like ACR Stealer, Lumma Stealer, and Meduza Stealer. This vulnerability allowed attackers to bypass SmartScreen warnings and deliver malicious payloads. The stealer campaign is targeting Spain, Thailand, and the US. The attack chain involves a series of intricately crafted files.
The Department of Homeland Security (DHS) has acquired a dog-like robot called NEO that can overload people's home networks in an attempt to disable any internet of things (IoT) devices they have.
A financially motivated threat actor based in Latin America (LATAM), codenamed FLUXROOT, has been leveraging Google Cloud serverless projects to conduct credential phishing campaigns, underscoring the misuse of cloud computing for nefarious activities.
Last Friday, at 04:09 UTC, CrowdStrike automatically pushed out a configuration update (Channel File) to Windows systems for its endpoint detection and response solution, Falcon sensor.
ESET researchers discovered a critical zero-day vulnerability on June 26th, 2024 named EvilVideo in Telegram for Android versions up to 10.14.4 being sold on an underground cybercriminal forum.
A recent discovery by security researchers at PayPal revealed multiple vulnerabilities in numerous email-hosting platforms that attackers are exploiting to forge emails from trusted organizations.
CrowdStrike is aware of reports of crashes on Windows hosts that have taken place after installing the latest update for CrowdStrike Falcon Sensor. CrowdStrike says that it has identified a content deployment related to this issue and reverted those changes.
Researchers have identified a cybercriminal group known as Revolver Rabbit, which has registered over 500,000 domain names for infostealer campaigns targeting Windows and macOS systems. This operation relies on registered domain generation algorithms, enabling the automated registration of numerous domain names quickly.
CrowdStrike is aware of reports of crashes on Windows hosts that have taken place after installing the latest update for CrowdStrike Falcon Sensor. CrowdStrike says that it has identified a content deployment related to this issue and reverted those changes.
A new report by the Identity Theft Resource Center (ITRC), H1 2024 Data Breach Analysis, highlights a 1000% increase in the number U.S. data breach victims in Q2 2024, despite an overall 12% decrease in the actual number of incidents in those three months.
Security researchers have uncovered a new variant of BeaverTail, an infostealer malware that has been associated with the Democratic People's Republic of Korea (DPRK). BeaverTail was first documented by Palo Alto Networks Unit 42 in November 2023.
Unknown threat actors, tracked by Recorded Future's Insikt Group under the temporary moniker TAG-100, have been leveraging open-source tools in a suspected cyber espionage campaign targeting global government and private sector organizations.
ESET researchers unearthed a malicious program called HotPage that poses as an ad blocker. HotPage dupes users by promising to eliminate ads and malicious websites. However, it surreptitiously installs a kernel driver that grants attackers unrestricted access to run any code on a compromised Windows machine.
This report details the activities of the financially motivated threat actor FIN7. FIN7 has been observed using multiple pseudonyms across various underground forums to advertise a security-bypassing tool known as AvNeutralizer. AvNeutralizer has been used by multiple ransomware groups, including Black Basta.
A China-linked threat actor, APT17, has been observed targeting Italian companies and government entities using a variant of the known malware 9002 RAT. According to an analysis published last week by Italian cybersecurity company TG Soft, the attacks took place on June 24 and July 2, 2024.
A China-linked threat actor, APT17, has been observed targeting Italian companies and government entities using a variant of the known malware 9002 RAT. According to an analysis published last week by Italian cybersecurity company TG Soft, the attacks took place on June 24 and July 2, 2024. I
The SEXi ransomware operation, notorious for targeting VMware ESXi servers, has rebranded as APT INC and has attacked numerous organizations. Since February 2024, the attackers have employed the leaked Babuk encryptor for VMware ESXi servers and the leaked LockBit 3 encryptor for Windows systems.
According to Cloudflare's 2024 Application Security report, threat actors are increasingly quick to weaponize available proof-of-concept (PoC) exploits, sometimes within just 22 minutes of their public release. Covering activity from May 2023 to March 2024, the report highlights several emerging threat trends.
A critical remote code execution vulnerability (CVE-2024-27348, CVSS: 9.8) impacting Apache HugeGraph-Server versions before 1.3.0 has been actively exploited in the wild. The flaw resides in the Gremlin graph traversal language API and allows attackers to bypass security restrictions and gain complete control over vulnerable servers.
Researchers at Check Point have disclosed details of a new backdoor implant dubbed BugSleep that is actively being deployed in attacks by MuddyWater, an Iranian state-sponsored group, to steal files of interest and run commands on compromised systems. These attacks entail the use of phishing emails disguised as invitations to webinars or online courses, designed to redirect targets to archives containing malicious payloads hosted on the Egnyte secure file-sharing platform.
Last Wednesday, a critical vulnerability was patched in Exim, a free mail transfer agent (MTA) that's widely used on Unix-like operating systems. Tracked as CVE-2024-29929, the vulnerability pertains to an incorrect parsing of multiline RFC2231 header filenames, allowing threat actors to remotely deliver malicious executable attachments into end users' mailboxes by circumventing the $mime_filename extension-blocking protection mechanism.
A recent campaign observed by Trustwave researchers utilized Facebook advertisements and hijacked business pages to distribute the SYS01 information-stealing malware. The threat actors disguised the malware as free downloads for popular software, games, and Windows themes.
Microsoft has reported that the Scattered Spider cybercrime gang, also known as Octo Tempest, UNC3944, and 0ktapus, has added Qilin ransomware to its arsenal and is now using it in attacks. In the second quarter of 2024, Octo Tempest, a financially motivated threat actor, incorporated RansomHub and Qilin into its ransomware campaigns.
Summary: Cybereason Security Service Team has released a new blog post highlighting the TTPs employed by HardBit, a ransomware operation that first emerged in October 2022. HardBit seems to take inspiration from the LockBit ransomware gang, with researchers noting a similarity in the marketing tactics deployed by the group including the use of similar group image/icons, image fonts, and ransom notes.
The APT group Void Banshee has been exploiting a newly disclosed security flaw in the Microsoft MHTML browser engine CVE-2024-38112 to deploy the information-stealing malware Atlantida. Cybersecurity firm Trend Micro observed this activity in mid-May 2024, noting that the vulnerability was used in a multi-stage attack involving specially crafted internet shortcut (URL) files.
The article illuminates the intricate web of the cybercriminal ecosystem, with a particular focus on the role of infostealer malware. This kind of malware acts as a digital pickpocket, discretely extracting valuable data from compromised systems. The cybercriminal landscape has undergone a transformation, evolving from solitary actors taking care of the entire process, to a highly specialized marketplace where various threat groups collaborate to maximize their illicit gains, embodying a free market economic system.
Cybercriminals are exploiting legitimate URL protection services to disguise phishing links, according to Barracuda researchers. These services, intended to protect users from malicious websites by rewriting URLs, are being misused to mask phishing URLs and direct victims to credential-harvesting sites.
The recent DarkGate malware campaign, uncovered by Palo Alto Networks Unit 42, highlights a brief yet impactful exploitation of Samba file shares for malware distribution. Spanning March to April 2024, the campaign targeted regions across North America, Europe, and parts of Asia, utilizing Visual Basic Script (VBS) and JavaScript files hosted on public-facing servers.
ANY.RUN, an interactive malware hunting service, warned on X (formerly known as Twitter) of a massive phishing campaign that is abusing SharePoint to store PDFs containing phishing links. In a span of 24 hours ANY.RUN says it observed over 500 public sandbox sessions with SharePoint phishing.
A recent U.S. Department of Justice (DoJ) operation dismantled a large-scale Russian disinformation campaign utilizing AI-powered social media bots. The bot farm, targeting the U.S. and several other countries, employed fictitious online personas disguised as real users to spread pro-Kremlin messages. The operation, believed to be sponsored by the Kremlin and facilitated by an RT employee and an FSB officer, leveraged AI software called Meliorator to create and manage the bot network.
*Severity - Medium: High severity vulnerability exploited to deploy ransomware. This vulnerability has been patched by Veeam and can be eliminated by updating the software. Initial access is acquired without any victim interaction. Attackers utilize methods to avoid detection and hinder forensics efforts following an attack*
Japan's Computer Emergency Response Team Coordination Center (JPCERT/CC) has published a blog post warning about attacks targeting Japanese organizations by a North Korean APT group called Kimsuky.
Multiple threat actors are exploiting the recently disclosed PHP vulnerability CVE-2024-4577 to deliver various malware families, according to the Akamai Security Intelligence Response Team. This vulnerability, which has a CVSS score of 9.8, is a PHP-CGI OS Command Injection flaw in the Best-Fit feature of encoding conversion within the Windows operating system.
China-linked APT41 is suspected of using an advanced version of StealthVector malware, dubbed DodgeBox, to deliver a new backdoor named MoonWalk. Zscaler ThreatLabz discovered DodgeBox, also known as DUSTPAN, in April 2024. Researchers Yin Hong Chang and Sudeep Singh explained that DodgeBox loads MoonWalk, which shares DodgeBox's evasion techniques and uses Google Drive for command-and-control communication.
Ransomware attackers are increasingly focusing on defense evasion tactics to extend their dwell time within victim networks, as highlighted in a new report by Cisco Talos. This shift is primarily driven by the double-extortion ransomware model, where attackers steal sensitive data and threaten to publish it online while locking down victims' systems.
Russian state-sponsored media organization RT, formerly known as Russia Today, has used AI-powered software called Meliorator to create realistic social media personas for spreading disinformation over the past two years.
A new vulnerability, designated CVE-2024-6409 (CVSS score: 7.0), has been discovered in OpenSSH versions 8.7p1 and 8.8p1, specifically those shipped with Red Hat Enterprise Linux 9 (RHEL 9). The current versions of RHEL 7 and RHEL 8 are safe.
Symantec recently published a security bulletin warning about a phishing campaign targeting Apple users in the United States. These campaigns are mostly conducted via email but have increasingly been deployed via malicious SMS text messages (smishing).
A critical vulnerability (CVE-2024-3596) has been identified in the RADIUS protocol, a widely used network authentication system. Dubbed "BlastRADIUS," the flaw allows attackers to potentially bypass security checks and gain unauthorized access to a network.
Beginning in March 2024, law enforcement organizations have been distributing decryptor keys to victims of the DoNex ransomware, according to Avast. The antivirus provider announced on July 8 that they have been quietly offering the decryptor after identifying a cryptographic flaw in the ransomware and its predecessors.
Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. have issued a joint advisory about the China-linked cyber espionage group APT40, warning of its ability to exploit new security vulnerabilities within hours or days of their public release. APT40, also known by various aliases such as Bronze Mohawk, Gingham Typhoon, ISLANDDREAMS, Kryptonite Panda, Leviathan, Red Ladon, TA423, and TEMP.Periscope, has been active since at least 2013, primarily targeting organizations in the Asia-Pacific region.
A recent surge in attacks by the Mekotio banking trojan has been identified, particularly targeting financial institutions in Latin America since at least 2015. This malware primarily targets users in Brazil, Chile, Mexico, Spain, Peru, and Portugal with the intention of stealing banking credentials.
A major South Korean internet service provider, KT (formerly Korea Telecom), is facing serious allegations after reports surfaced that it installed malware on the computers of over 600,000 customers. The incident primarily targeted users of Webhard, a popular file-sharing service in South Korea.
Researchers have uncovered a sophisticated attack campaign targeting various Israeli entities using publicly available frameworks like Donut and Sliver. HarfangLab, a French cybersecurity firm, detailed the campaign, noting its highly targeted nature and the use of custom WordPress websites as payload delivery mechanisms. This campaign affects entities across unrelated verticals by leveraging well-known open-source malware.
Cyber extortion is rapidly increasing, with a 77% year-on-year growth in victims, according to Orange Cyberdefense (OCD). In its Cy-Xplorer 2024 report, OCD identified 60 distinct ransomware groups responsible for 4,374 victims from Q1 2023 to Q1 2024.
Researchers have uncovered a sophisticated attack campaign targeting various Israeli entities using publicly available frameworks like Donut and Sliver. HarfangLab, a French cybersecurity firm, detailed the campaign, noting its highly targeted nature and the use of custom WordPress websites as payload delivery mechanisms. This campaign affects entities across unrelated verticals by leveraging well-known open-source malware.
A new report by Sekoia highlights an increasing trend in cybercriminals distributing malware via drive-by-download, a technique that typically employs SEO-poisoning, malvertising, and code injection into compromised websites to trick users into downloading fake software installers or browser updates.
A recent attack campaign exploited a now-patched vulnerability (CVE-2021-40444) in Microsoft Office's MSHTML component to deliver MerkSpy spyware. This spyware primarily targeted users in Canada, India, Poland, and the U.S. The attackers meticulously crafted a deceptive Microsoft Word document disguised as a software developer job description to trick users into initiating the exploit.
Censys reports that over 380,000 internet-exposed hosts still reference JavaScript scripts from the recently suspended polyfill[.]io domain. Originally used to provide modern functionality in older browsers, polyfill[.]io was suspended after redirecting visitors to betting and adult sites.
On June 18th, CDK Global, a leading software-as-a-service provider that is used by over 15,000 car dealerships across North America, was the target of a ransomware attack, causing a massive IT outage. In particular, CDK Global's dealer management system was impacted, forcing car dealerships to switch to pen and paper, with buyers unable to purchase cars or receive service for already-bought vehicles.
A financially motivated East European threat actor known as "Unfurling Hemlock" has been employing a sophisticated technique akin to a cluster bomb to deploy up to ten unique malware files simultaneously on systems in the US, Germany, Russia, and other countries.
Cisco has patched a zero-day vulnerability in NX-OS that was exploited in April to install previously unknown malware on vulnerable switches. The cybersecurity firm Sygnia reported the incidents to Cisco, attributing the attacks to a Chinese state-sponsored threat actor, Velvet Ant. Amnon Kushnir, Director of Incident Response at Sygnia, revealed that Velvet Ant used administrator-level credentials to access Cisco Nexus switches and deploy custom malware.
A North Korean APT group, Kimsuky, was discovered using a malicious Google Chrome extension codenamed TRANSLATEXT to target South Korean academia focused on North Korean affairs in March 2024. Kimsuky is a notorious hacking crew from North Korea that's known to be active since at least 2012, orchestrating cyber espionage and financially motivated attacks targeting South Korean entities.
On June 20th, one of Indonesia's temporary National Data Centers suffered from a cyberattack that led to the encryption of the government's servers and disruption of immigration services, passport control, issuing of event permits, and other online services.
BleepingComputer has confirmed that the helpdesk portal of Canadian router manufacturer Mercku has been compromised and is sending MetaMask phishing emails in response to new support tickets. Mercku supplies equipment to several ISPs and networking companies, including Start.ca, FibreStream, Innsys, RealNett, Orion Telekom, and Kelcom.
Fake IT support sites are exploiting common Windows errors like the 0x80070643 error to distribute information-stealing malware through malicious PowerShell "fixes." These sites, identified by eSentire's Threat Response Unit, gain legitimacy by being promoted on compromised YouTube channels.
A critical vulnerability (CVE-2024-6387), dubbed regreSSHion, has been identified in OpenSSH servers, potentially affecting over 14 million instances exposed on the internet. This remote unauthenticated code execution flaw allows attackers to compromise systems, leading to full system control, malware installation, data manipulation, creation of backdoors, and network propagation.
TeamViewer, a prominent developer of remote monitoring and management (RMM) software, reported a breach of their corporate network this week. The company attributes the attack to Midnight Blizzard, a Russian state-sponsored hacking group also known as APT29, Nobelium, or Cozy Bear.
Multiple security vulnerabilities have been identified in Emerson Rosemount gas chromatographs, potentially allowing attackers to access sensitive information, cause denial-of-service (DoS) conditions, and execute arbitrary commands. The affected models include GC370XA, GC700XA, and GC1500XA, with versions 4.1.5 and earlier. Claroty, an operational technology (OT) security firm, highlighted two command injection flaws and two authentication and authorization vulnerabilities.
Apple recently released a firmware update to address a critical vulnerability (CVE-2024-27867) affecting various AirPods models (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro. This authentication issue could have allowed a malicious actor within Bluetooth range to impersonate a trusted device and gain unauthorized access to the targeted AirPods.
A critical security flaw in Fortra FileCatalyst Workflow, tracked as CVE-2024-5276 with a CVSS score of 9.8, has been disclosed. This SQL injection vulnerability affects versions 5.1.6 Build 135 and earlier and allows attackers to modify application data, potentially creating administrative users or altering and deleting database information.
The LockBit ransomware group falsely claimed to have breached the Federal Reserve and stolen 33 terabytes of sensitive banking information. This claim was debunked, revealing that LockBit had actually targeted Evolve Bank & Trust.
Ahnlab Security Intelligence Center (ASEC) has released details of a backdoor that they first identified in 2021 and have closely monitoring since then. Dubbed, Happydoor, the backdoor is attributed to the North Korean APT group Kimsuky and has been deployed in several breaches in the last couple of years.
Suspected Chinese and North Korean threat actors have been linked to ransomware and data encryption attacks targeting global government and critical infrastructure sectors between 2021 and 2023, according to a joint report by cybersecurity firms SentinelOne and Recorded Future shared with The Hacker News.
MITRE Engenuity recently conducted an ATT&CK Evaluation focusing on managed security services, where Trend achieved a perfect 100% detection rate across all 15 critical steps. The evaluation simulated a sophisticated attack scenario involving menuPass (APT10) and ALPHV/BlackCat ransomware.
A vulnerability in Progress Software's MOVEit Transfer platform, CVE-2024-5806, allows attackers to authenticate as any valid user, gaining corresponding privileges. This vulnerability which has a CVSS score of 9.1 is actively being exploited just hours after its public disclosure.
In May 2024, researchers at Cleafy uncovered new campaigns distributing the Medusa banking trojan, which has managed to retain a low profile for the past year. Notably, these campaigns entail the use of new Medusa samples that are more light-weight and require fewer permissions than previous variants of the trojan.
The French National Cybersecurity Agency (ANSSI) reported a concerning rise in cyber threats throughout 2023. This coincides with ongoing geopolitical tensions and major international events planned for France in 2024.
The analysis highlights a growing trend where cybercriminals are leveraging cloud services to enhance the capabilities of botnets like UNSTABLE and Condi. These botnets exploit vulnerabilities in various devices to establish command and control (C2) operations through cloud servers, which provides scalability and anonymity that traditional hosting methods lack.
Checkpoint has identified several threat actors including a cyber espionage group dubbed APT-C-35, aka DoNot Team, leveraging an Android open-source administration tool called Rafel in attacks to gain remote access and exfiltrate data of interest from victims' devices.
On June 24th, in Jakarta, Indonesia, the country's national data center experienced a significant cyber attack, as reported by Reuters. The attack had widespread repercussions, particularly disrupting immigration procedures at airports nationwide.
The Lockbit ransomware group recently declared that it had successfully breached the US Federal Reserve, exfiltrating a staggering 33 TB of sensitive data, purportedly including confidential banking secrets of American citizens.
RedJuliett, a likely Chinese state-sponsored hacking group, conducted a cyber espionage campaign targeting Taiwan and other countries from November 2023 to April 2024, according to Recorded Future's Insikt Group. The group compromised 24 organizations, including government agencies in Taiwan, Laos, Kenya, and Rwanda.
According to Recorded Future, the RansomHub operation has been using a Linux encryptor since April 2024 to specifically target VMware ESXi environments in corporate attacks. The ESXi version of RansomHub's encryptor is developed in the C++ programming language and was likely derived from the now-defunct Knight ransomware's source code.
A critical vulnerability (CVE-2024-28995) in SolarWinds Serv-U file transfer software, affecting versions up to and including Serv-U 15.4.2 HF 1, allows attackers to perform directory traversal and access sensitive files on the host machine.
A sophisticated malware distribution campaign has emerged, utilizing fake error messages resembling Google Chrome, Microsoft Word, and OneDrive issues to deceive users into running malicious PowerShell scripts. This campaign involves several threat actors, including ClearFake, ClickFix, and TA571, known for their previous involvement in spam distribution and malware dissemination.
French diplomatic entities have been targeted by Midnight Blizzard, a Russia-backed advanced persistent threat, since at least 2021, according to CERT-FR. This group, infamous for its involvement in the 2016 US elections interference and the 2020 SolarWinds attacks, remains a significant cyber threat.
A new phishing-as-a-service (PhaaS) platform called ONNX Store is targeting Microsoft 365 accounts of employees at financial firms using QR codes embedded in PDF attachments. The platform, which can target both Microsoft 365 and Office 365 email accounts, operates via Telegram bots and includes mechanisms to bypass two-factor authentication (2FA).
The LockBit group has resurfaced as the leading ransomware actor in May 2024, according to NCC Group's analysis. LockBit 3.0 conducted 176 ransomware attacks, accounting for 37% of the month's total, marking a staggering 665% increase from the previous month.
Summary: Researchers at Symantec highlighted in a blog post a campaign that has using tools associated with Chinese espionage groups to breach telecom operators in a single Asian country since at least 2021, with evidence to suggest that some of this activity may even date as far back as 2020.
LevelBlue Labs identified a novel and highly evasive malware loader named SquidLoader. This malware leverages sophisticated techniques to thwart both static and dynamic analysis, making detection difficult. SquidLoader targets Chinese organizations through phishing campaigns, with malicious actors disguising it as legitimate Microsoft Word documents.
A new speculative execution attack named "TIKTAG" targets ARM's Memory Tagging Extension, achieving over a 95% success rate in leaking data and bypassing this security feature. This attack, demonstrated by researchers from Samsung, Seoul National University, and the Georgia Institute of Technology, affects Google Chrome and the Linux kernel.
A cyber incident at CDK Global disrupted thousands of car dealerships across the US on Wednesday, typically a busy holiday. CDK Global, a major software provider for dealers, halted all systems and is gradually restoring them after extensive testing and consulting with experts.
Recent data from Action1 indicates a growing trend of threat actors targeting edge devices, particularly load balancers, resulting in a record exploitation rate over the past three years. The study assessed various product categories from 2021 to 2023, using data from the National Vulnerability Database (NVD) and cvedetails.com to calculate the ratio of exploited vulnerabilities to total vulnerabilities.
UNC3944, a financially motivated threat group, has been active since at least May 2022 and has evolved its tactics from credential harvesting to primarily data theft extortion without ransomware. They exploit vulnerabilities in software-as-a-service (SaaS) applications and leverage social engineering tactics to gain access to privileged accounts.
The compromised data included customers' personal information like names, physical addresses, email addresses, and phone numbers. However, notably, the stolen data did not contain the precise locations of Tile devices, which are typically used for remote monitoring.
CISA has issued a warning about a new phone-based impersonation scam. In this scheme, scammers are pretending to be CISA employees, using the names and titles of real government staff to lend credibility to their deceit.
CronUp security researcher German Fernandez has shed light on a phishing and extortion campaign to target GitHub users. The campaign which has been ongoing for several months takes advantage of GitHub's notification system and a malicious OAuth app to gain access to victims' repositories and extort the contents for ransom.
Ukrainian cyber police have identified a 28-year-old resident of Kyiv as a suspected affiliate of the notorious Conti and LockBit ransomware groups. He allegedly specialized in developing cryptors, which are tools that encrypt malware to evade antivirus detection. The man reportedly sold his services to hackers linked to the Conti and LockBit groups for cryptocurrency rewards.
The Black Basta ransomware group is suspected of leveraging a critical Windows privilege escalation vulnerability, identified as CVE-2024-26169, as a zero-day exploit before Microsoft released a fix. This vulnerability, rated at 7.8 on the CVSS v3.1 scale, affects the Windows Error Reporting Service, enabling attackers to elevate their privileges to SYSTEM level.
The Dutch Military Intelligence and Security Service (MIVD) and NCSC advised yesterday that a Chinese nation-state cyber-espionage attack, first documented in February 2024, is compromising many more devices than previously observed.
Since April 2024, researchers at Elastic Security Labs have observed a wave of phishing campaigns using recruiting and job-themed lures to distribute a novel backdoor called WARMCOOKIE. T
The British and Canadian privacy authorities are collaborating on an investigation into a data breach at 23andMe, a genetic testing company, discovered in October 2023. Cybercriminals accessed information from certain accounts, including DNA profiles, affecting about 0.1% of 23andMe's users.
Researchers at CrowdStrike Falcon Intelligence identified a previously unattributed TA group targeting a U.S.-based think tank with ties to China in April 2017 which revealed a larger campaign attributed to the China-based adversary Mustang Panda. Mustang Panda has likely been operational since 2014 targeting government organizations, nonprofits, religious institutions, and other NGOs across the U.S., Europe, Mongolia, Myanmar, Pakistan, Vietnam, and other regions with LNK files associated with the APT group.
Researchers at Artic Wolf Labs have released details on a new ransomware variant dubbed ‘Fog” that has been targeting the networks of US organizations in the education and recreation sectors since May, 2024. In one of the incidents observed, Fog ransomware actors performed pass-the-hash attacks to gain access to administrator accounts and further establish RDP connections to Windows servers running Hyper-V and Veeam.
Mandiant has identified a campaign by the financially motivated group UNC5537, targeting Snowflake customer database instances to steal data and extort victims. Snowflake is a multi-cloud data warehousing platform used for storing and analyzing large datasets. UNC5537 gains access to these databases using stolen customer credentials, obtained through various info stealer malware campaigns.
The number of vulnerable Internet of Things (IoT) devices has surged by 136% over the past year, according to Forescout's report, "The Riskiest Connected Devices in 2024." This study, which analyzed data from nearly 19 million devices, revealed that the proportion of IoT devices with vulnerabilities increased from 14% in 2023 to 33% in 2024.
Two suspects were apprehended in the United Kingdom in connection with a criminal scheme utilizing a homemade mobile antenna to dispatch fraudulent text messages. Huayong Xu, 32, of Alton Road, Croydon, was charged on May 23 following an arrest made on May 9 in Manchester.
The Boston Red Sox, positioned at the forefront of the American League East in baseball, are also making significant strides in cybersecurity. By adopting a comprehensive strategy that involves transitioning critical operations to a software-as-a-service (SaaS) model and embracing the Internet of Things (IoT) at Fenway Park, the team is actively bolstering its cloud security.
Researchers at Symantec have uncovered similarities between two ransomware families, RansomHub and Knight, indicating a potential rebrand of the now defunct Knight ransomware which went silent after its source code was listed for sale on hacker forums back in February 2024. Similar to Knight ransomware, RansomHub is written in the Go programming language.
A cyberespionage campaign recently targeted a government agency that frequently clashes with China over the South China sea. This campaign used previously undetected backdoors and had links to known Chinese state threat actors. Researchers at Sophos Managed Detection and Response uncovered this complex operation, named "Crimson Palace," and attributed it with high confidence to Chinese state-sponsored hacking clusters.
Zyxel Networks has released an emergency security update to address critical vulnerabilities in its end-of-life NAS devices, specifically NAS326 and NAS542 models. These vulnerabilities, identified as CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, allow attackers to perform command injection and remote code execution.
Belarusian state-sponsored hackers, UNC1151, targeted Ukraine's Ministry of Defence and a military base in a new cyberespionage operation according to Cyble Research and Intelligence Labs. Mandiant Threat Intelligence uncovered a persistent information operation called “Ghostwriter/UNC1151,” which is part of a larger influence campaign supporting Russian security interests and promoting narratives critical of NATO that has been active since March 2017 targeting audiences in Ukraine, Lithuania, Latvia, and Poland.
ReversingLabs, in their recent exploration of open-source repositories like PyPI, made a significant discovery: the emergence of a suspicious package named xFileSyncerx. Initially appearing as a potential threat due to its anomalous characteristics, this package prompted deeper investigation by the research team.
A massive amount of 361 million email addresses from credentials stolen by password-stealing malware, in credential stuffing attacks have been added to Have I Been Pwned's data breach notification service, allowing anyone to check if their accounts have been compromised.
Snowflake, a cloud computing and analytics company, has released a joint statement in coordination with third-party cybersecurity experts at CrowdStrike and Mandiant stating that it is investigating a threat campaign that targeted a “limited” number of Snowflake customers.
Facing a burgeoning backlog of reported vulnerabilities, the National Institute of Standards and Technology (NIST) has found itself in a predicament, grappling with the daunting task of clearing its National Vulnerability Database (NVD). To tackle this challenge head-on, NIST has decided to extend its existing commercial contract with Analygence, a Maryland-based IT consultancy firm, known for its expertise in IT and security-related work.
A sophisticated cyber attack has been detected targeting devices in Ukraine to deploy Cobalt Strike and take control of the compromised systems. Fortinet FortiGuard Labs reported that the attack initiates with a Microsoft Excel file containing an embedded VBA macro that starts the infection process.
Researchers at eSentire have observed a trend in the employment of fake web browser updates to infect end users with various malware strains including SocGholish as well as Fakebat. In May 2024 eSentire's Threat Response Unit started seeing actors using this tactic to deliver BitRAT, a remote access trojan, and Lumma Stealer, a notorious info stealer malware that has gained popularity within the cybercriminal community.
On September 4, 2023, CERT-UA reported a phishing campaign that leveraged Headlace malware to target a critical energy infrastructure facility in Ukraine. During this campaign, BlueDelta sent phishing emails from a fake sender address that contained links to archive files. The archive files contained lure images and Windows BAT script, which, if executed, would result in the whoami command being run and the results being exfiltrated back to the threat actor.
The North Korean linked threat actor Andariel has been using a new Golang-based backdoor called Dora RAT to target educational institutions, manufacturing firms, and construction businesses in South Korea. The AhnLab Security Intelligence Center reported that Andariel has deployed a variety of malware, including keyloggers, infostealers, and proxy tools, to control and exfiltrate data from infected systems.
Ransomware activity surged in 2023, according to a report by Google-owned Mandiant, despite extensive law enforcement efforts against major ransomware groups like ALPHV/BlackCat. The report, published on June 3, 2024, revealed a 75% increase in posts on ransomware groups' data leak sites compared to 2022, affecting victims in over 110 countries.
Check Point has alerted its customers to a critical zero-day vulnerability (CVE-2024-24919, CVSS 8.6) affecting several products, including CloudGuard Network and Quantum Maestro. Attackers are exploiting this flaw by targeting outdated VPN local accounts using password-only authentication. Immediate software updates are crucial to mitigate the risk of unauthorized access to sensitive data and potential lateral movement within networks.
Lumen Technologies' Black Lotus Labs identified a destructive event, as over 600,000 small office/home office (SOHO) routers were taken offline belonging to a single internet service provider (ISP). The incident took place over a 72-hour period between October 25-27, rendered the infected devices permanently inoperable, and required a hardware-based replacement.
Microsoft has highlighted the urgent need to secure internet-exposed OT devices following a series of cyber attacks targeting such environments since late 2023. The Microsoft Threat Intelligence team stressed that these attacks highlight the critical need to improve OT security and prevent critical systems from becoming easy targets.
A previously undocumented cyber espionage group named LilacSquid has been linked to targeted attacks across various sectors in the U.S., Europe, and Asia as part of a data theft campaign ongoing since at least 2021. This campaign is aimed at establishing long-term access to compromised organizations to siphon data of interest to attacker-controlled servers, according to a new technical report by Cisco Talos researcher Asheer Malhotra.
The adversary behind the RedTail cryptocurrency mining malware has added a new exploit, Palo Alto PAN-OS CVE-2024-3400, to their attack vector quiver. The addition of the PAN-OS vulnerability is not the only upgrade added to the adversary's toolkit. The cryptocurrency malware has received its own updates which now incorporate new anti-analysis techniques.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) mandates covered entities to report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). CISA aims to swiftly deploy resources, analyze trends, and share information with network defenders.
Since at least early May, Banking institutions in Brazil have been observed by French cybersecurity company HarfangLab being targeted by a new campaign that deploys a custom payload variant of the Windows-based AllaKore RAT called AllaSenha. The intricate infection chain involves Python scripts and a loader developed in a language called Delphi.
AhnLab Security Intelligence Center is warning of an ongoing campaign where cybercriminals are distributing various malware strains by promoting installers for cracked versions of Microsoft Office on torrent sites. The cracked Microsoft Installer comes with a well-built interface, where users can specify the version they want to install, the language, as well as whether to use 32 or 64-bit variants.
Prescription management company Sav-Rx is warning over 2.8 million people in the United States that it suffered a data breach, stating that their personal data was stolen in a 2023 cyberattack. A&A Services, doing business as Sav-RX, is a pharmacy benefit management (PBM) company that provides prescription drug management services to employers, unions, and other organizations across the U.S.
On February 12, 2024, the NIST National Vulnerability Database significantly slowed its processing and enrichment of new vulnerabilities. Since then, 12,720 new vulnerabilities have been added, but 11,885 remain unanalyzed, hindering security professionals' ability to assess affected software. By February 15, the NVD warned of analysis delays,
A US-led law enforcement operation has dismantled the 911 S5 botnet, believed to be the world's largest. The botnet consisted of millions of compromised residential Windows computers used for cyber-attacks, fraud, child exploitation, and other serious crimes. It included over 19 million unique IP addresses, with 613,841 in the US. Cybercriminals could buy access to these IP addresses for illegal activities.
Identity and Access Management company Okta warns that its cross-origin authentication feature in Customer Identity Cloud (CIC) is susceptible to credential-stuffing attacks. “Okta's Cross-Origin Resource Sharing (CORS) feature allows customers to add JavaScript to their websites and applications to send authentication calls to the Okta API hosted.
Operation Endgame, involving police forces from Germany, the United States, the United Kingdom, France, Denmark, and the Netherlands, resulted in the seizure of over 100 malware loader servers across Europe and North America. These servers hosted over 2,000 domains used for illicit activities, which are now under police control.
Ukraine's Computer Emergency Response Team (CERT-UA) is warning of an increase in cyberattacks associated with UAC-0006, a financially-motived threat actor that has been active since 2013.
Researchers have raised alarms about sophisticated phishing campaigns leveraging Cloudflare Workers to deploy phishing sites aimed at harvesting credentials from multiple organizations users. These campaigns utilize a method called transparent phishing or adversary-in-the-middle phishing. This technique involves using Cloudflare Workers as a reverse proxy to legitimate login pages, intercepting traffic to capture login credentials, cookies, and tokens.
ShrinkLocker is a newly identified ransomware strain that encrypts corporate systems through Windows BitLocker by creating a new boot partition. Targeting sectors such as government, vaccine, and manufacturing, ShrinkLocker operates by shrinking non-boot partitions to form a new boot volume.
Trellix Research has uncovered a concerning trend in cybersecurity: fake antivirus websites masquerading as legitimate security software while actually harboring malware. These deceptive sites, such as avast-securedownload[.]com and bitdefender-app[.]com, distribute harmful programs like SpyNote trojan, Lumma malware, and StealC malware under the guise of reputable antivirus brands. Instances of brand reputation attacks like these pose a significant threat, exploiting users' trust in reputable antivirus brands to distribute harmful malware.
With US holidays like Memorial Day upcoming, Microsoft is warning up an uptick in activity from Storm-0539, a cybercriminal group operating out of Morocco that is known for targeting gift card portals linked to large retailers, luxury brands, and well-known fast-food restaurants. According to Microsoft, Storm-0539 conducts deep reconnaissance and sophisticated cloud-based techniques to target gift card creators.
Russian hackers, particularly Advanced Persistent Threat (APT) groups, are intensifying their cyberattacks, expanding targets beyond governments and utilizing readily available malware. Flashpoint researchers reveal the evolving tactics, emphasizing the need for organizational protection. Recent reports indicate collaboration among state-sponsored groups in Iran for large-scale attacks, paralleled by activities in Russia.
Security researchers have uncovered a series of criminal campaigns that exploit cloud storage services. These campaigns, orchestrated by unnamed threat actors, aim to deceive users into visiting malicious websites through SMS messages. According to a technical analysis released by Enea today, the attackers have two main objectives.
Researchers have recently made a significant revelation regarding the BLOODALCHEMY malware, which has been employed in targeted attacks against government organizations in Southern and Southeastern Asia. These researchers found that BLOODALCHEMY is an updated iteration of Deed RAT, considered a successor to ShadowPad—a widely recognized tool utilized in APT campaigns.
Researchers have recently made a significant revelation regarding the BLOODALCHEMY malware, which has been employed in targeted attacks against government organizations in Southern and Southeastern Asia. These researchers found that BLOODALCHEMY is an updated iteration of Deed RAT, considered a successor to ShadowPad—a widely recognized tool utilized in APT campaigns.
Courtroom Software Backdoored to Deliver RustDoor Malware in Supply Chain Attack
A comprehensive survey conducted among 1,600 Chief Information Security Officers (CISOs) globally indicates a significant increase in concerns regarding cybersecurity threats. Specifically, 70% of these CISOs express apprehension about the susceptibility of their organizations to material cyber attacks over the upcoming year.
Cisco researchers have discovered various techniques used by cybercriminals to embed and deliver brand logos within emails, targeting users through brand impersonation. This widespread threat leverages the familiarity and trust associated with well-known brand logos to solicit sensitive information, particularly in phishing emails where attackers aim to deceive recipients into revealing credentials or other valuable information.
Politically-motivated hacktivist groups are increasingly using ransomware to disrupt targets and draw attention to their causes. Notably, the Ikaruz Red Team, along with aligned groups like the Turk Hack Team and Anka Underground, have been leveraging leaked ransomware builders in their recent attacks.
A Chinese APT group has been targeting governmental entities in the Middle East, Africa, and Asia since late 2022 as part of a cyber espionage campaign named Operation Diplomatic Specter. According to researchers from Palo Alto Networks Unit 42, this group has conducted long-term espionage against at least seven government entities, employing sophisticated email exfiltration techniques.
According to a post on X (formerly known as Twitter), a threat actor is claiming to have gained access to a handful of API keys for major cloud service providers, including Amazon Web Services (AWS), Microsoft Azure, GitHub, etc. The actor who goes by the alias “carlos_hank,” stated that these keys are “fresh and all working,” with high permissions that can be used to compromise entire cloud infrastructures.
Rockwell Automation is advising its customers to disconnect industrial control systems not meant for public internet access to prevent unauthorized or malicious cyber activity. This urgent advisory is in response to increasing geopolitical tensions and global cyber threats.
Chinese-backed threat actors, including groups like Volt Typhoon, are increasingly using proxy networks known as operational relay boxes for cyber espionage, according to a Mandiant report published on May 22. ORBs, similar to botnets, are mesh networks comprising compromised devices like virtual private servers, Internet of Things devices, smart devices, and routers.
Bitdefender researchers have uncovered a previously unknown threat actor named "Unfading Sea Haze," which has been targeting military and government entities in the South China Sea region since 2018.
The Blackbasta ransomware gang has listed Atlas to its data leak list, one of the largest national distributors of fuel to 49 continental US States with over 1 billion gallons per year. Based on the listing, the actors claimed to have stolen 730GB of data from the oil giant, including corporate, department, user, and employee data.
A critical security vulnerability, CVE-2024-4701, with a CVSS score of 9.9, affects Netflix's Genie open source platform, used for big data applications. It allows remote attackers to potentially execute arbitrary code on affected systems by exploiting a bug in the file upload process.
A new report from Rapid7 states that over a third of widely exploited vulnerabilities have occurred in network perimeter technologies since the start of 2023, nearly double than that of the previous year. Notably, 60% of these vulnerabilities (impacting network and security appliances) were exploited as zero days in 2023.
An Iranian threat actor affiliated with one of the Iranian intelligence agencies has been observed conducting destructive wiping attacks that target Albania and Israel. Cybersecurity firm Check Point is tracking the activity under the moniker Void Manticore, which is also known as Storm-842 (formerly DEV-0842) by Microsoft. The techniques, tactics, and procedures (TTPs) employed by Void Manticore are relatively straightforward and simple, involving hands-on efforts using basic, mostly publicly available tools.
A critical vulnerability in Fluent Bit has been identified, impacting major cloud providers and numerous tech giants by exposing them to denial-of-service and remote code execution attacks. Fluent Bit, a popular logging and metrics solution for Windows, Linux, and macOS, is embedded in major Kubernetes distributions.
The SolarMarker malware, known by various aliases such as Deimos, Jupyter Infostealer, Polazert, and Yellow Cockatoo, is a sophisticated and evolving cyber threat. According to new research from Recorded Future, the threat actors behind SolarMarker have established a multi-tiered infrastructure designed to complicate law enforcement takedown efforts.
The surge in sophisticated cyber-attacks has led to significant financial implications for businesses. Ransomware attacks, in particular, have become increasingly prevalent and costly. These attacks involve encrypting a victim's data and demanding payment, typically in cryptocurrency, for its release.
Threat actors are leveraging a design flaw in Foxit PDF Reader to distribute a range of malware, including Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm. According to a technical report from Check Point, the exploit uses security warnings to deceive users into executing harmful commands.
Researchers at Elastic Security Labs have observed an uptick in email campaigns since early March of 2024, delivering Latrodectus malware. Latrodectus is a malware loader that was identified in October of 2023 by Walmart researchers and is believed to be a successor of the IcedID malware.
In August 2023, Singing River Health System suffered a ransomware attack affecting nearly 900,000 individuals. The breach exposed sensitive data including full names, dates of birth, addresses, Social Security Numbers, and medical details.
Top10VPN and cybersecurity researcher Mathy Vanhoef have identified a new vulnerability stemming from a design flaw in the IEEE 802.11 Wi-Fi standard that tricks victims into connecting to a less secure wireless network and eavesdrop on and intercept their network traffic by spoofing a trusted network name (SSID) and utilizing similar-looking credentials.
Cyble Research and Intelligence Labs has uncovered a new banking trojan dubbed “Antidot” targeting Android devices by posing as a Google Play update application. Users who install the application are presented with a counterfeit Google Play update page that contains a “continue” button designed to redirect to the Android device's Accessibility settings. I
A newly discovered social engineering attack employing fictitious Facebook accounts to targets via Messenger has been attributed to the North Korea-linked APT group Kimsuky with the intent to deliver malware to the victim. These fictitious accounts are created with a fake identity disguised as a North Korean human rights public official.
What was described as a "smash and grab" attack has impacted the automotive giant Nissan North America (NNA). On May 15, 2024, NNA disclosed a ransomware breach, revealing the compromise of personal information, including Social Security numbers, of both current and former employees, affecting 53,038 individuals.
Symantec's Threat Hunter Team recently uncovered a new Linux backdoor, Linux.Gomir, developed by the North Korean Springtail espionage group, linked to a recent campaign against South Korean organizations. This group, also known as Kimsuky, has a history of targeting South Korean public sector organizations and was previously identified in attacks dating back to 2014.
Cloud cryptomining has surged in recent years due to the scalability and flexibility of cloud platforms. This trend makes it easier for attackers to exploit vulnerabilities and deploy resources for cryptomining quickly. A significant threat in this landscape is the Kinsing malware, notorious for targeting Linux-based cloud infrastructure.
In September 2020, a detailed investigation into a prolonged xHunt campaign targeting a Kuwaiti organization revealed the presence of a newly discovered webshell named BumbleBee, alongside two other backdoors called TriFive and Snugy. The BumbleBee webshell was notable for its ability to upload/download files and execute commands on the compromised Microsoft Exchange server.
ew Jersey's Cybersecurity and Communications Integration Cell (NJCCIC) disclosed that it uncovered a new LockBit campaign where actors are sending millions of phishing emails with the help of the Phorpiex botnet to infect potential victims with LockBit Black, an encryptor that was likely built using the LockBit 3.0 builder that was leaked by a disgruntled developer on Twitter in September 2022.
An instance involving a MS-SQL honeypot has shed light on the sophisticated tactics employed by cyber-attackers relying on Mallox ransomware. The honeypot, set up by researchers at Sekoia, was targeted by an intrusion set utilizing brute force techniques to deploy the Mallox ransomware via PureCrypter to exploit various MS-SQL vulnerabilities. Upon analyzing Mallox samples, the researchers identified two distinct affiliates using different approaches.
Threat actors are using DNS tunneling to track when targets open phishing emails and click malicious links, as well as to scan networks for vulnerabilities. DNS tunneling involves encoding data or commands within DNS queries, turning DNS into a covert communication channel. The attackers use various encoding methods, such as Base16, Base64, or custom algorithms, to transmit data via DNS records like TXT, MX, CNAME, and Address records.
Cybersecurity researchers at Rapid7 have uncovered an ongoing social engineering campaign that barrages enterprises with spam emails with the goal of obtaining initial access to their environments for follow-on exploitation. The social engineering tactics involve overwhelming a potential victim's email with junk mail, calling the victim user, and offering them assistance with the issue.
The rapid advancement of artificial intelligence and the proliferation of data worldwide, estimated to reach 200 zettabytes, have ushered in an era of unprecedented technological growth. However, despite this data abundance, there exists a crisis in accessing research data, with the government and private sector being identified as primary contributors to the problem.
The North Korean APT group Kimsuky has been observed by Kaspersky deploying a previously undocumented Golang-based malware dubbed Durian in targeted cyberattacks against two South Korean cryptocurrency firms. Kaspersky states that Durian boasts comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads, and exfiltration of files.
Careto, also known as "The Mask," resurfaced after a lengthy hiatus, launching a cyber-espionage campaign targeting organizations primarily in Latin America and Central Africa. This APT group was initially active from 2007 to 2013, during which it targeted a diverse range of victims across 31 countries, including prominent entities like government institutions, diplomatic offices, energy companies, research institutions, and private equity firms.
There has been a notable rise in cyber threats exploiting legitimate software platforms to propagate malicious payloads. Among these threats is the Remcos RAT, a sophisticated remote access tool favored by cybercriminals. Cyber attackers have leveraged trusted applications like GoTo Meeting to facilitate the deployment of the Remcos RAT, employing advanced techniques to evade detection and compromise systems.
Cybersecurity researchers have identified a malicious Python package that purports to be an offshoot of the popular requests library and has been found concealing a Golang-version of the Sliver command-and-control (C2) framework within a PNG image of the project's logo.
Security researchers at Kaspersky's ICS CERT division revealed a series of eight vulnerabilities, including CVE-2023-47610 through CVE-2023-47616, in Telit Cinterion cellular modems, prevalent across industrial, healthcare, and telecommunications sectors. The most severe flaw, CVE-2023-47610, enables remote code execution via SMS, granting attackers unauthorized access to the modem's operating system without authentication.
CRIL (Cyble Research and Intelligence Labs) has uncovered a new ransomware variant dubbed Trinity, notable for its utilization of a double extortion tactic. This method involves exfiltrating victim data before initiating encryption and subsequently demanding ransom payments. The threat actors behind Trinity operate victim support and data leak sites, enhancing their coercive capabilities (T1486).
A group of researchers, primarily from Singapore-based universities, has demonstrated the feasibility of attacking autonomous vehicles by exploiting their reliance on camera-based computer vision systems. Dubbed GhostStripe, the attack manipulates the sensors used by brands like Tesla and Baidu Apollo, which rely on complementary metal oxide semiconductor (CMOS) sensors.
A cybercriminal group, known as STORM-0539, has been targeting employees at US retail corporate offices to create fraudulent gift cards, according to a new advisory from the FBI. In the campaigns observed by the FBI, the group is using smishing to target employees and gain unauthorized access to employee accounts and corporate systems.
The Sysdig Threat Research Team recently conducted a study on a new cyber attack termed “LLMjacking”, which specifically targets cloud-hosted large language model services by exploiting stolen cloud credentials. These credentials were obtained from a vulnerable version of Laravel (CVE-2021-3120).
A new version of the malware loader, Hijack Loader, has been spotted by researchers at Zscaler which comes with an updated set of anti-analysis techniques to fly under the radar. In total, the latest variant comes with 7 new modules. Notably, one of these modules is designed to bypass User Account Control (UAC), a security feature on Windows designed to prevent unauthorized changes to the operating system.
BogusBazaar, the vast network of fake online shops, was discovered by Security Research Labs GmbH to have successfully deceived over 850,000 individuals in the United States and Europe. This operation, which has been active for three years since 2021, has aimed to process around $50 million in fraudulent purchases by stealing credit card information and attempting fake transactions. The operations of BogusBazaar involves the creation of over 75,000 fake webshops.
"TunnelVision" is a newly discovered cyber threat that exploits a vulnerability in the Dynamic Host Configuration Protocol to bypass the encryption of VPNs. This attack method, outlined in a report by Leviathan Security, enables malicious actors to intercept and surveil unencrypted data while maintaining the facade of a secure VPN connection.
At the RSA Conference in San Francisco, cybersecurity experts revealed concerns about China-linked espionage groups exploiting zero-day vulnerabilities to infiltrate US critical infrastructure and businesses. Charles Carmakal from Mandiant Consulting highlighted how these attackers target network security devices that lack endpoint detection and response capabilities, such as routers and firewalls.
Over 52,000 out of 90,310 hosts with Tinyproxy services are vulnerable to a severe security flaw CVE-2023-49606, which exposes them to potential remote code execution. This vulnerability, with a CVSS score of 9.8 out of 10, affects Tinyproxy versions 1.10.0 and 1.11.1. The vulnerability arises from a use-after-free bug triggered by a specially crafted HTTP Connection header.
ArcaneDoor, a cyber espionage campaign targeting network devices from multiple vendors, including Cisco, has been linked to China-linked actors based on findings from Censys. The campaign, attributed to a sophisticated state-sponsored actor known as UAT4356 or Storm-1849, began around July 2023 and continued with the first confirmed attack using custom malware named Line Runner and Line Dancer in January 2024.
MITRE Corporation has provided more details regarding the recently disclosed cyber attack on MITRE's Networked Experimentation, Research, and Virtualization Environment (NERVE).
Law enforcement agencies, collaborated in a significant operation named Operation Cronos. This operation successfully dismantled the infrastructure of the LockBit ransomware group on February 19th. It involved seizing 34 servers that hosted the data leak website, along with data stolen from victims, cryptocurrency addresses, 1,000 decryption keys, and the affiliate panel used by LockBit.
The discovery of Cuckoo highlights the ongoing arms race between cybersecurity researchers and malicious actors. This malware's sophistication, from its ability to evade detection to its multifaceted information-gathering capabilities, showcases the level of expertise adversaries have attained in crafting highly effective threats.
A critical security vulnerability in GitLab is currently being actively exploited according to CISA. This vulnerability allows an attacker to send reset password requests for any account to the bad actor's chosen email address to facilitate account takeover.
A recent advisory from US government agencies like the FBI, US Department of State, and NSA highlighted the activities of North Korean threat actors, specifically the Kimsuky group, in exploiting vulnerabilities in email policies for espionage purposes.
Researchers at Trend Micro, report the botnet of hijacked Ubiquiti routers used by Russia-linked APT28 to conduct global espionage operations consists of more than just Ubiquiti devices.
Over the last couple of years, Threat actors have been weaponizing Microsoft Graph API more frequently for malicious activity in an attempt to evade detection more effectively. Bad actors utilize this tool to facilitate their C2 communications on legitimate Microsoft cloud services.
According to metrics collected by network performance management provider Netscout, distributed denial of service attacks (DDoS) targeting Sweden surged in volume between 2023 and 2024 as the country was in the process of joining NATO. Netscout notes that DDoS attacks against Swedish organizations started picking up significantly in late 2023 with 730 Gbps attacks.
The recent report from Picussecurity outlines threats, malware, vulnerabilities, and exploits for the first week of May. Critical vulnerabilities, including CVE-2024-27322 in R Programming Language and three in Judge0, pose significant risks. Malware activities involve Wpeeper Android malware utilizing compromised WordPress sites and the Dev Popper campaign targeting developers with a Python RAT.
During a government hearing on Wednesday, senators strongly criticized UnitedHealth Group CEO Andrew Witty for the organization's inadequate security measures leading up to the February ransomware attack on Change Healthcare, a subsidiary. Witty confirmed a $22 million ransom payment and acknowledged potential data theft affecting one-third of Americans.
A newly discovered botnet named Goldoon has emerged, specifically targeting D-Link routers by exploiting a critical security flaw known as CVE-2015-2051. This flaw, with a high CVSS score of 9.8, impacts D-Link DIR-645 routers, allowing malicious actors to execute arbitrary commands remotely via specially crafted HTTP requests.
Researchers at Veriti recently uncovered a concerning trend: a surge in cyberattacks targeting sensitive data within the US education and government sectors. This campaign is sophisticated, employing a combination of two notorious malware strains: Agent Tesla and Taskun.
Lumen Technologies' Black Lotus Labs has uncovered a new malware dubbed ‘Cuttlefish' that has been observed infecting enterprise-grade and small office/home office routers to monitor data passing through them and steal authentication information. The malware supports various router architectures with builds for ARM, i386, i386_i686, i386_x64, mips32, and mips64.
Threat actors continue to target operational technology as a means to disrupt critical infrastructure networks, or to deliver malware as a just-in-case measure for increasing global conflicts. Earlier this year we reported on IRGC-Affiliated Cyber Actors targeting Israeli produced programmable logic controllers (PLCs) to disrupt the water sector. We also highlighted reports of Chinese (PRC) state-Sponsored actors compromising and maintaining persistent access to U.S. critical infrastructure with strategic and destructive malware.
Cybersecurity researchers have discovered a previously undocumented malware targeting Android devices that utilizes compromised WordPress sites as relays for its actual command-and-control (C2) servers as a defense evasion technique. The malware, Wpeeper, uses an ELF binary that leverages HTTPS to secure communications to the C2 server.
Kapeka, also known as KnuckleTouch, emerged around mid-2022 but gained formal tracking in 2024 due to its involvement in limited-scope attacks, notably in Eastern Europe. It's associated with the Sandstorm Group, operated by Russia's Military Unit 74455, known for disruptive cyber activities, particularly targeting Ukraine's critical infrastructure.
Latrodectus, also known as Unidentified 111 and IceNova, is a Windows malware downloader that acts as a backdoor, allowing threat actors to gain unauthorized access to compromised systems. The malware was initially discovered by Walmart's security team and later analyzed by cybersecurity firms such as ProofPoint and Team Cymru.
Since October 2023, security researchers at Akamai have been investigating USPS-themed phishing following a USPS smishing attempt targeting one of their team members. In this case, the SMS contained a link designed to redirect the employee to a site containing malicious JavaScript.
Operation SideCopy is a sophisticated cyber operation originating from Pakistan and primarily targeting Indian defense forces and personnel. Since its inception in early 2019, the threat group has demonstrated a high level of adaptability, continuously evolving its malware modules to avoid detection and maintain operational effectiveness. Notably, SideCopy closely monitors antivirus detections and promptly updates its modules in response.
A newly discovered cyber threat known as Muddling Meerkat has been actively engaging in sophisticated DNS activities since October 2019. This threat is believed to have affiliations with the People's Republic of China due to its utilization of DNS open resolvers from Chinese IP space and its potential control over the Great Firewall, which is known for censoring internet access and manipulating internet traffic in and out of China.
Last Friday, CrushFTP disclosed details of critical severity server-side template injection vulnerability in its file transfer software that is being actively exploited in attacks in the wild. Tracked as CVE-2024-4040, the flaw could enable actors to perform a virtual file system escape to read any file on the server's file system, gain administrative privileges, and perform remote code execution to effectively compromise unpatched systems.
Palo Alto Networks has issued remediation guidance for a critical security flaw, CVE-2024-3400, impacting PAN-OS, which is actively being exploited. This flaw allows unauthenticated remote shell command execution and has been observed in multiple versions of PAN-OS. Dubbed "Operation MidnightEclipse," the exploit involves dropping a Python-based backdoor named UPSTYLE, enabling execution of commands through crafted requests.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive for federal civilian agencies to patch three critical vulnerabilities within a week. These vulnerabilities include two affecting Cisco products (CVE-2024-20353 and CVE-2024-20359) and one impacting CrushFTP, a popular file transfer tool. The exploits are being actively utilized by state-sponsored threat actors, posing significant risks to network security.
Perception Point researchers have identified a new phishing campaign utilizing compromised accounts to target users through an open redirect vulnerability discovered within a Nespresso domain. Nespresso is a coffee manufacturer. This redirect method allows attacks to bypass standard endpoint detection security measures assuming that these measures do not check for hidden or embedded links.
A campaign has been uncovered by researchers at Netcraft, where actors are using compromised email accounts to send phishing emails to existing contacts. These emails contain shortened URL links (generated using the autode[.]sk URL shortener) that lead to malicious PDF documents hosted on Autodesk Drive, a data-sharing platform.
This blog post from MITRE highlights a recent cyber intrusion they experienced, emphasizing the evolving tactics of foreign nation-state cyber adversaries. The breach, discovered in April 2024, involved the exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPNs and subsequent lateral movement into their VMware infrastructure.
Cisco Talos has disclosed details on a campaign that has been ongoing since February 2024 to distribute three information-stealing malware, including Crypbot, LummaC2, and Rhadamanthys. Updated versions of each of the payloads are being deployed in attacks, each equipped with new obfuscation techniques to evade detection and exfiltrate data of interest from targeted systems.
Researchers have uncovered a sophisticated attack campaign leveraging phishing emails to distribute a stealthy malware called SSLoad. This campaign, named FROZEN#SHADOW by Securonix, is notable for its use of multiple tools, including Cobalt Strike and ConnectWise ScreenConnect, to gain unauthorized access to targeted systems.
The US Treasury's Office of Foreign Assets Control (OFAC) sanctioned two firms and 4 persons on Monday for their involvement in Iranian state-sponsored malicious cyber activities conducted for the Iranian Islamic Revolutionary Guard Corps (IRGC-CEC) from 2016 to April 2021.
The National Police Agency in South Korea has issued an urgent warning regarding ongoing cyberattacks targeting defense industry entities by North Korean hacking groups. The police discovered several instances of successful breaches involving the hacking groups Lazarus, Andariel, and Kimsuky, all linked to the North Korean hacking apparatus.
Key takeaways from the Cyble Research & Intelligence Labs (CRIL) report on DragonForce ransomware reveal significant insights. CRIL identified DragonForce ransomware as being based on LOCKBIT Black ransomware, suggesting that the threat actors behind DragonForce utilized a leaked builder of LOCKBIT Black to generate their binary. This discovery was made after an X user shared the download link for the LockBit ransomware builder in September 2022. DragonForce ransomware surfaced in November 2023, employing double extortion tactics and targeting victims worldwide.
GuptiMiner, a malware tool reportedly used by North Korean hackers, has recently come into the spotlight due to its sophisticated capabilities and the manner in which it has been deployed. The attack vector involves exploiting vulnerabilities in the update mechanism of eScan antivirus software, allowing the attackers to plant backdoors and deploy cryptocurrency miners on targeted networks.
While phishing remains a popular method of gaining initial access to victim environments, researchers at Mandiant note that threat actors are increasingly exploiting vulnerabilities in computer systems to breach organizations.
APT28, also known as Strontium or Forest Blizzard, is a Russian cyber-espionage group that has been active for years. They have gained notoriety for their sophisticated tactics and have previously been linked to the Russian General Staff Main Intelligence Directorate.
Security researcher at SafeBreach Or Yair uncovered a technique that exploits vulnerabilities in the DOS-to-NT path conversion process, to achieve rootkit-like capabilities on Windows systems.
CrushFTP users are facing a critical security issue stemming from a vulnerability that is actively being exploited by malicious actors. This vulnerability specifically affects CrushFTP versions prior to 11.1, allowing attackers to circumvent the virtual file system and gain unauthorized access to system files.
Last Friday, MITRE disclosed that it experienced a breach after detecting suspicious activity on its Networked Experimentation, Research, and Virtualization Environment (NERVE), a collaborative network used for research, development, and prototyping.
A group known as GhostR has claimed responsibility for stealing a sensitive database from World-Check, a global database used by various organizations, including financial institutions, regulatory bodies, and law enforcement agencies, for assessing risks associated with individuals and entities regarding financial crime, terrorism, or corruption.
In the realm of cyber extortion, re-victimization often stems from a combination of desperation and strategic maneuvering by threat actors. For instance, repeat attacks against victims may exploit persistent vulnerabilities that were not adequately addressed or leverage new entry points, such as phishing campaigns or compromises in third-party services.
The cybersecurity landscape is evolving rapidly, with AI emerging as a promising tool for chief information security officers (CISOs) to combat increasingly sophisticated threats. However, adopting AI requires careful consideration and a new playbook emphasizing due diligence, data management, and automation.
LastPass has disclosed details of a campaign targeting its customers using the CryptoChameleon phishing kit. CryptoChameleon is a phishing-as-a-service that enables threat actors to easily generate fake SSO or other login sites impersonating the legitimate sites of companies to steal credentials and other information that can be used for authentication.
Quishing attacks, a type of phishing that exploits QR codes, has seen siginificant rise from 0.8% in 2021 to 10.8% in 2024, according to the latest finding from Egress. At the same time, the report notes a substantial decline in attachment-based payloads, which decreased by half from 72.7% to 35,7%. Impersonation attacks continue to be a prevalent threat, with 77% if them masquerading as well-known brands such as DocuSign and Microsoft.
The latest trends in ransomware paint a complex picture of evolving dynamics within the cybercriminal ecosystem. Coverware's report highlights a notable decrease in ransom payments, with only 28% of victims opting to pay in the first quarter of 2024, marking a significant drop from previous periods. This shift is attributed to improved resilience among businesses, allowing them to recover from attacks without succumbing to ransom demands.
In February 2024, Kaspersky discovered a new malware campaign targeting government entities in the Middle East actively employing over 30 DuneQuixote dropper samples. The droppers come in the form of either using a regular malware dropper or abusing a legitimate tool named “Total Commander” which both carry malicious code to download additional malware using a backdoor method Kaspersky has named “CR4T”.
The Sandworm hacking group, associated with Russia military intelligence, has been employing a sophisticated strategy involving the use of multiple personas to conceal its activities. Mandiant, has conducted research revealing the extent of this strategy and its implications.
Researchers at BlackBerry have disclosed details of a spear-phishing campaign identified in late 2023 that targeted a large automotive manufacturer based in the United States. The campaign has been attributed to a financially motived threat actor called FIN7 and initiated with spear-phishing emails targeting highly privileged employees in the IT department of the unnamed U.S. based manufacturer.
Security researchers at Microsoft recently discovered a malware campaign exploiting new critical vulnerabilities in OpenMetadata to compromise Kubernetes environments, gain access to Kubernetes workloads and abuse them for malicious cryptomining activity. OpenMetadata is an open-source platform designed to manage metadata across various data sources. It serves as a central repository for users to discover, understand, and govern their data.
This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.
Multiple botnet operations are taking advantage of a year-old vulnerability, CVE-2023-1389, specifically targeting TP-Link Archer AX21 (AX1800) routers. This vulnerability allows attackers to execute commands without authentication via the locale API accessible through the router's web interface.
Threat actors are actively targeting unpatched Atlassian servers using a critical security vulnerability known as CVE-2023-22518, which has a CVSS score of 9.1. This vulnerability affects the Atlassian Confluence Data Center and Server, allowing attackers to reset Confluence and create an administrator account without authentication. Once they gain this level of access, threat actors can assume control of the affected systems.
Cisco Duo recently sent out a notice warning that some of their customer's VoIP and SMS logs for multi-factor authentication messages were stolen by hackers in a cyberattack on the vendor's telephony providers. According to Cisco Duo, an unnamed provider who handles the company's SMS and VOIP multi-factor authentication messages was compromised on April 1, 2024. In this case, the actor was able to obtain employee credentials via a phishing attack which were then used to gain access to the telephony provider's systems.
The discovery of CVE-2024-31497 in PuTTY versions 0.68 through 0.80 unveils a critical vulnerability that exposes cryptographic private keys to potential recovery by attackers. This flaw stems from PuTTY's method of generating ECDSA nonces, introducing a bias that weakens the security of private key generation, particularly on the NIST P-521 curve.
The TA558 hacking group has launched a sophisticated new campaign dubbed "SteganoAmor," leveraging steganography techniques to embed malicious code within innocuous images. This technique allows them to evade detection by both users and security products, making their attacks highly stealthy.
The OpenSSF and OpenJS Foundations have issued a warning to open source maintainers regarding a series of social engineering attacks reminiscent of the xz Utils campaign. These attacks involve suspicious emails sent to the OpenJS Foundation Cross Project Council, requesting urgent updates to popular JavaScript projects under the pretext of addressing critical vulnerabilities.
Professionals in the vulnerability management community warned that the lasting issues of the US National Vulnerability Database (NVD) could lead to a major supply chain security crisis. 50 cybersecurity professionals consolidated to sign and send an open letter on April 12th to several members of the US Congress including the Secretary of Commerce which addressed the ongoing issues with NVD.
Cybersecurity researchers have discovered a resurfaced cyber espionage campaign targeting users in South Asia to deliver an Apple iOS spyware implant called LightSpy. L
Muddled Libra, a cybercriminal group with aliases like Starfraud, UNC3944, Scatter Swine, and Scattered Spider, has gained infamy for its sophisticated attacks on software-as-a-service applications and cloud service provider environments.
Nexperia, a prominent chipmaker, disclosed that it was targeted in a cyber-attack where ransomware actors from the Dunghill group accessed sensitive documents and intellectual property.
In recent years, AI, cybersecurity, and digital transformation have emerged as pivotal themes shaping the landscape of IT. Organizations must stay ahead of the curve, understanding the evolving dynamics, reasons behind them, and how to adapt.
AT&T has confirmed a data breach impacting 51 million former and current customers, after previously denying ownership of the leaked data. The breach, initially reported in 2021 by threat actor ShinyHunters and later by 'MajorNelson', exposed personal information including names, email addresses, phone numbers, social security numbers, and AT&T account details. Although AT&T claims no financial data or call history was compromised, the breach still poses significant risks to affected individuals.
The blog delves into how the integration of the MITRE ATT&CK Framework with the Cado Security platform enriches forensic investigations, providing security teams with a structured approach to understanding and mitigating cyber threats.
The impact of Operation Cronos continues to impede the LockBit ransomware group's activities, leading them to post false victim claims on their leak site. According to Trend Micro approximately 80% of the victim entries on LockBIt's new data leak site following Operation Cronos are not genuine.
A new malware variant known as Byakuan is being distributed through fake Adobe Reader installers. This malicious campaign was initially uncovered by AnhLab Security Intelligence researchers and further analyzed by Fortinet Fortiguard Labs. The attack begins with a PDF file written in Portuguese, which, upon opening, displays a blurred image and prompts the user to click on a link to download the Adobe Reader application to view the content.
According to Check Point Software, human errors account for 95% of cybersecurity issues, emphasizing the critical need for companies to prioritize cybersecurity measures. With the average ransomware payout at $4.35 million and 71% of businesses falling victim to such attacks in 2023, employee awareness and training are essential.
Researchers at Sophos have observed a significant rise in Remote Desktop Protocol exploitation within ransomware attacks, based on their analysis of 150 incident response cases from 2023. They found that RDP abuse featured in a staggering 90% of these cases, allowing threat actors to gain unauthorized remote access to Windows environments.
A recent report from Lasso Security, has raised concerns about software developers potentially using nonexistent or hallucinated software packages when relying on chatbots to build applications. The report, based on continued research by Bar Lanyado from Lasso, builds upon previous findings that demonstrated how large language models can inadvertently recommend packages that do not actually exist.
Idan Tarab, a threat analyst at Perception Point, has released details on a massive campaign targeting entities in Latin America with Venom RAT. The campaign has been attributed to a financially motivated cybercriminal threat group dubbed TA558, which in the past has targeted entities in the LATAM region with several malware strains including Loda RAT, Vjw0rm, and Revenge RAT.
The Earth Freybug cyberthreat group, part of APT41, has been using a new malware named UNAPIMON for covert operations. This group, active since 2012, engages in espionage and financially motivated activities, targeting organizations worldwide.
The Indian government has confirmed that it has rescued and repatriated around 250 Indian citizens who were held captive in Cambodia and coerced into executing cyber scams that target people in India. These victims of human trafficking were carefully lured by crime racket agents under the guise of employment opportunities, but these victims were forced into “cyber slavery” instead.
The cybercriminal group INC Ransom has claimed responsibility for the ongoing cybersecurity incident at Leicester City Council, marking the first involvement of an established cybercrime gang in the local authority's IT troubles. According to a post on INC Ransom's leak blog, they assert having stolen 3 TB of council data before deleting it shortly after publication.
Rated at Severity Medium: At this time the Fedora Linux 40 builds have not been shown to be compromised. Current investigation indicates that the packages are only present in Fedora 40 and Fedora Rawhide within the Red Hat community ecosystem.
The latest updates to Vultur introduce several significant changes, including enhanced remote control capabilities and the addition of new features. One notable addition is the malware's utilization of Android's Accessibility Services, allowing for remote interaction with infected devices through commands sent via Firebase Cloud Messaging (FCM).
AT&T has reset passcodes for 7.6 million current customers and 65.4 million former subscribers following a data leak discovered on the dark web. The leaked information, dating back to 2019 and earlier, varies in content, potentially including full names, email addresses, mailing addresses, phone numbers, social security numbers, dates of birth, and AT&T account numbers.
Palo Alto Network's Unit 42 researchers uncovered and disclosed a new Broken Object Level Authorization (BOLA) vulnerability that affects Grafana versions from 9.5.0 to 9.5.18, from 10.0.0 to 10.0.13, from 10.1.0 to 10.1.9, from 10.2.0 to 10.2.6, and from 10.3.0 to 10.3.5. Grafana is an established open-source data visualization and monitoring solution with almost 60,000 stars on GitHub that helps organizations drive business processes.
Kaspersky has disclosed details of a new Linux version of DinodasRAT that it discovered in early October 2023 after a publication from ESET. Also known as XDealer, the trojan is a multi-backdoor written in C++ that enables actors to surveil and harvest sensitive data from targeted systems.
Vice President Kamala Harris announced the White House Office of Management and Budget's (OMB) inaugural government-wide policy to manage the risks of artificial intelligence (AI) while harnessing its benefits, in line with President Biden's AI Executive Order. T
Researchers have noted that cybercriminals are increasingly interested in developing malicious large language models due to the limitations of existing tools like WormGPT. Ransomware and malware operators are also showing interest in this trend. The demand for AI talent has risen as previous tools like WormGPT failed to meet cybercriminals' needs.
Darcula, a Phishing-as-a-service platform first documented by security researcher Oshri Kalfon last summer, is growing in popularity among the cybercriminal community, with Netcraft analysts recently noting in a blog post that they detected 20,0000+ Darcula-related domains across 11,000 IP addresses, targeting more than 100 brands.
Researchers have recently uncovered an active cyberattack campaign targeting a shadow vulnerability in Ray, developed by Anyscale, an open-source AI framework employed by thousands of companies and servers.
SpiderLabs has disclosed details of a new campaign that utilized a novel loader to ultimately deploy Agent Tesla on targeted systems. Researchers note that they identified a phishing email on March 8, 2024, which contained a seemingly harmless archive masquerading as a legitimate payment receipt from a bank.
The parent company of The Big Issue, a renowned street newspaper supporting homeless people, is facing a cybersecurity crisis initiated by the Qilin ransomware gang. The gang has claimed to have stolen 550 GB of sensitive company data, including personal information like driving licenses, salary details of executives, and even passport and bank details of key figures within the organization.
Threat hunters have identified a potentially nefarious package named SqzrFramework480 within the NuGet package manager. This package is suspected to target developers using tools from a Chinese industrial technology firm known for manufacturing industrial and digital equipment. The package, uploaded by a user named "zhaoyushun1999," contains a DLL file named "SqzrFramework480[.]dll" that exhibits several concerning behaviors.
API's are the connective tissue behind digital moderization, helping applications and databases exchange data more effectively. The State of API Security in 2024 Report from Imperva, found that the majority of internet traffic (71%) in 2023 was API calls. What's more, a typical enterprise site saw an average of 1.5 billion API calls in 2023.
Since its discovery in 2022, the Agenda Ransomware group, also known as Qilin, has remained active and continually evolved. Trend Micro, tracking it as Water Galura, reports ongoing global infections with top targets including the US, Argentina, Australia, and Thailand, spanning various industries like finance and law.
Proofpoint has disclosed details of a new phishing campaign launched by Iran-affiliated threat actor TA450 (aka MuddyWater, Mango, Sandstorm, and Static Kitten) that targeted Israeli employees at large multinational organizations spanning global manufacturing,
Researchers at Sentinel Labs, uncovered a new variant of the destructive wiper malware AcidRain, called Acid Pour. AcidRain has been linked to Russian military intelligence and was notably used in a cyber-attack against Viasat's KA-SAT satellites in Ukraine in May 2022, causing widespread disruptions.
A new vulnerability dubbed GoFetch was discovered in Apple M-series chips, allowing attackers to extract secret keys used in cryptographic operations. This vulnerability exploits a feature called data memory-dependent prefetcher to target constant-time cryptographic implementations and access sensitive data from the CPU cache.
The Checkmarx Research team uncovered a sophisticated attack campaign targeting the software supply chain, affecting numerous victims, including the Top[.]gg GitHub organization with over 170k users and individual developers.
The North Korea-linked threat actor known as Kimsuky (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging CHM files as attack vectors in the delivery phase to deploy malware for harvesting sensitive data. Kimsuky has been active for over 10 years and is notorious for targeting entities in South Korea, North America, Europe, and Asia, gathering intelligence relative to North Korea's interests.
A new wave of phishing attacks has surfaced that endeavors to deliver a malicious and continually evolving information stealer malware known as StrelaStealer. Palo Alto Network's Unit 42 Researchers have identified multiple instances of StrelaStealer campaigns that have affected over a hundred organizations in Europe and the United States.
Sucuri, a website security firm, has issued a warning about a new malware strain called Sign1, which has infected more than 39,000 websites. The malware operates by redirecting visitors to scam domains and displaying unwanted advertisements.
Financially motivated hackers have been actively using SmokeLoader malware in a series of sophisticated phishing campaigns, with a particular focus on targeting Ukrainian government and administration organizations.
Cisco Talos has provided updated details on a new campaign where the Russian espionage group Turla deployed their custom backdoor dubbed TinyTurla-NG to infect multiple systems in the compromised network of a European non-government organization (NGO). While it's unclear how exactly the group gained initial access, Turla in the past has initiated drive-by compromises and employed phishing lures to obtain a foothold into victim environments.
Mandiant's investigation reveals a sophisticated cyber threat campaign attributed to a Chinese threat actor group named UNC5174, also known by the alias "Uteus." The group employs a combination of novel and known vulnerabilities to target a wide range of organizations globally, including U.S. defense contractors, government entities, research institutions, and NGOs.
Atlassian has released patches for more than two dozen security flaws, including a critical bug impacting Bamboo Data Center and Server that could leave user environments susceptible to exploitation which could have a massive impact on confidentiality, integrity, and availability without needing any user interaction.
Ivanti has revealed a critical remote code execution vulnerability affecting Standalone Sentry and has urged customers to promptly apply the available patches for protection against potential cyber threats. Tracked as CVE-2023-41724 with a CVSS score of 9.6 this flaw allows unauthenticated attackers to execute arbitrary commands on the appliance's operating system within the same network.
Researchers at CIPSPA Helmholtz-Center for Information Security have discovered a new denial-of-service attack known as ‘Loop DoS', which targets application layer protocols and exploits a vulnerability in the UDP. This attack can cause an indefinite communication loop between network services, resulting in a significant increase in traffic.
Juniper Threat Labs has released details on a Python-based tool, dubbed AndroxGh0st, designed to target Laravel applications and steal sensitive data. Laravel is an open-source PHP web application development framework that is used for designing web applications such as e-commerce platforms, APIs, content management systems, etc.
Microsoft has acknowledged a widespread issue affecting Windows domain controllers, attributing it to a memory leak introduced with the March 2024 Windows Server security updates. The problem stems from a Local Security Authority Subsystem Service (LSASS) process memory leak, causing affected servers to freeze and restart unexpectedly.
SentinelLab's security researcher Tom Hegel has spotted a new destructive malware dubbed AcidPour, which seems to be a variant of the AcidRain data wiper that was used to target satellite communications provider Viasat back in 2022. In a series of threads on X (formerly known as Twitter), Juan Andres Guerrero Saade, AVP of Research for SentinelLabs, provided details regarding the new data wiper, noting that it is designed to target Linux x86 IoT and networking devices.
Trend Micro has released details surrounding a campaign that has been ongoing since early 2022. The campaign has been attributed to a Chinese APT group dubbed ‘Earth Krahang,' who according to researchers has breached 70 organizations and targeted at least 116 entities across 45 countries since initiating operations.
Threat actors are exploiting various digital document publishing platforms to conduct phishing, credential theft, and session token hijacking. Cisco Talos researchers highlighted this trend, noting that using DDP sites increases phishing success rates due to their positive reputation, absence from web filters, and familiarity to users.
A novel cyberattack method called "Conversation Overflow" has recently surfaced, showcasing cybercriminals' attempts to bypass AI- and ML-enabled security platforms through sophisticated techniques. This attack tactic, analyzed by SlashNext researchers, is observed in multiple incidents, indicating a deliberate effort to evade advanced cybersecurity defenses.
The report provides an analysis of a njRAT (Remote Access Trojan) sample discovered in October 2023. The malware, written in .NET, allows attackers to remotely control infected machines. Basic static analysis reveals key file information and suspicious strings indicating registry manipulation, network communication, and process control.
A new phishing campaign is targeting U.S. organizations to deploy a remote access trojan called NetSupport RAT. This operation, which introduces a nuanced exploitation method that utilizes OLE template manipulation, is tracked by Israeli cybersecurity company Perception Point as “Operation PhantomBlu”.
A new report from Kaspersky noted that its anti-phishing system was able to deter over 709 million attempts to access phishing and scam websites in 2023, highlighting a 40 percent increase over 2022. A spike in phishing activity was observed between May and June, where actors used travel-related lures including counterfeit airline tickets and fake hotel deals to gain potential victims.
Credential-stealing phishing remains a persistent threat, with threat actors continually evolving their tactics. While various methods for hosting phishing pages exist, including third-party services and email attachments, traditional approaches involving internet-connected servers remain common. A recent trend observed involves an increase in phishing campaigns utilizing IPFS (InterPlanetary File System) and R2 buckets, a Cloudflare object storage service, to host malicious content.
The recent global IT outages experienced by McDonald's restaurants have caused significant disruptions to operations across multiple countries. These outages, which commenced overnight, have led to widespread difficulties in order-taking and payment processing, prompting some stores to close temporarily.
Wordfence, has cautioned that thousands of WordPress sites are vulnerable to takeover due to a critical bug in two MiniOrange plugins that were recently discontinued. The plugins, Malware Scanner and Web Application Firewall, were shut down on March 7 after a critical flaw was detected.
Researchers have discovered vulnerabilities in third-party plugins for OpenAI's ChatGPT, which could be exploited by attackers to gain unauthorized access to sensitive data. Salt Labs published research revealing security flaws in ChatGPT and its ecosystem, allowing attackers to install malicious plugins without user consent and take over accounts on platforms like Github.
StopCrypt (aka STOP) ransomware, known to be one of the most distributed ransomware strains out there, has recently been updated to evade security tools. The development comes after SonicWall's threat team uncovered a new variant of the STOP ransomware which now employs a multi-stage execution process to bypass defenses.
Blind Eagle, also known as APT-C-36, has been observed utilizing a loader malware named Ande Loader to distribute remote access trojans (RATs) like Remcos RAT and NjRAT. The attacks primarily target Spanish-speaking users in the manufacturing industry based in North America. These malicious activities are executed through phishing emails containing RAR and BZ2 archives, serving as the initial vectors of infection.
Researchers at Trendmicro, discovered the cybercriminal group RedCurl, also known as Earth Kapre and Red Wolf, has been exploiting the Program Compatibility Assistant, a legitimate Windows component to carry out malicious activities.
The U.S. Department of Health and Human Services is investigating whether protected health information was stolen in a ransomware attack that hit UnitedHealthcare Group (UHG) subsidiary Optum, which operates the Change Healthcare platform, in late February. This investigation is coordinated by HHS' Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA) rules that protect patients' health information from being disclosed without their knowledge or consent.
A high-severity vulnerability, CVE-2023-5528, with a CVSS score of 7.2, has been discovered by Akamai security researcher Tomer Peled in Kubernetes. This vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster, posing a significant threat. It can be exploited via malicious YAML files, potentially leading to full takeover of Windows nodes.
Windows has a security feature called SmartScreen that will display a warning when a user attempts to download an unrecognized or suspicious file from the internet. Last month, Microsoft fixed a bug (CVE-2024-21412) that allows actors to create specially crafted files to bypass displayed security checks.
Russia's Foreign Intelligence Service (SVR) alleges that the US is plotting to interfere in its upcoming presidential election scheduled this month. According to SVR, US nation-state actors plan to launch cyber attacks against Russian voting systems to disrupt operations and interfere with the vote-counting process, as reported by Reuters. “According to information received by the Foreign Intelligence Service of the Russian Federation, the administration of J. Biden is setting a task for American NGOs to achieve a decrease in turnout,” reads a statement issued by the SVR and reported by Reuters.
A recent phishing scheme has been detected distributing remote access trojans like VCURMS and STRRAT through a malicious Java-based downloader. The attackers utilized public services like AWS and Github to host malware, employing a commercial protector to evade detection. An unusual element of the campaign is VCURMS' use of a Proton Mail email address for communication with a C2 server.
According to Red Canary's 2024 Threat Detection Report, cloud account threats surged by 16 times in 2023, with attackers adopting new strategies tailored for cloud environments. Attacks exploiting T1078.004: Cloud Accounts, a technique outlined by MITRE ATT&CK for cloud account compromises, rose to become the fourth most prevalent method used by threat actors, a significant increase from its 46th position in 2022.
Identity management for a traditional on-premises enterprise network is usually handled by an on-premises directory service (e.g., Active Directory). When organizations leverage cloud solutions and attempt to integrate them with their on-premises systems (creating a “hybrid” environment), identity management can become significantly more complex.
A new report from GitGuardian notes that GitHub users accidentally leaked 12.8 million authentication and sensitive secrets during 2023, highlighting a 28 percent increase over the previous year. The IT sector accounted for the most secrets leaked (65.9%), followed by education, science, retail, manufacturing, etc. T
Despite a decrease in the number of publicly claimed ransomware attacks, ransomware activity remains a significant threat, with attackers adapting to disruption and refining their tactics. Vulnerability exploitation has emerged as the primary infection vector, with attackers targeting known vulnerabilities in public-facing applications. LockBit, Noberus, and Clop are among the most prolific ransomware operations, with LockBit being the largest threat, followed by Noberus and Clop.
In the ever-evolving landscape of cybersecurity threats, one tactic stands out for its enduring effectiveness: typosquatting. Since the dawn of the commercial internet, threat actors have leveraged this deceptive strategy to impersonate legitimate businesses, exploiting users' inattention and human errors to propagate malware, steal data, and pilfer funds.
A new report from Sophos highlighted that over three-quarters of cyber incidents in 2023 impacted small businesses. Ransomware in particular made up a good chunk of these incidents with groups like LockBit, Akira, BlackCat, and Play leading the forefront in terms of the attacks observed against small businesses. Sophos notes that tactics employed by ransomware groups evolved as 2023 progressed, including the employment of remote encryption, where these actors have been observed abusing unmanaged devices on organizations' networks to attempt files on other systems via network file access.
Security researchers have created a knowledge base repository for attack and defense techniques based on improperly setting up Microsoft's Configuration Manager, which could allow an attacker to execute payloads or become a domain controller. Configuration Manager (MCM), formerly known as System Center Configuration Manager (SCCM, ConfigMgr), has been around since 1994 and is present in many Active Directory environments, helping administrators manage servers and workstations on a Windows network.
A recent malware campaign has exploited a critical security flaw within the Popup Builder plugin for WordPress, injecting malicious JavaScript code. Over the past three weeks, more than 3,900 sites have fallen victim to this campaign, which utilizes domains registered as recently as February 12, 2024.
A financially motivated hacking group exploits newly disclosed 1-day vulnerabilities to infiltrate public-facing servers, deploying custom malware on both Windows and Linux systems. These vulnerabilities, publicly disclosed but not yet patched, are swiftly leveraged by threat actors before security updates can be applied. Analysts identified rapid exploitation of these vulnerabilities, sometimes within a day of a proof of concept exploit being released.
The BianLian ransomware operators are leveraging vulnerabiities within JetBrains TeamCIty software to orchestrate their attacks, as reported by GuidePoint Security. The incursion typically commences with the exploitation of a vulnerable TeamCity server, resulting in the deployment of a PowerShell iteration of the BianLian ransomware.
Earlier this year Microsoft disclosed that Russian state-sponsored actors, Midnight Blizzard, had breached its corporate email servers via a password spray attack, allowing the actors to gain access to a legacy non-production test tenant account.
As businesses transition towards hybrid and multi-cloud environments, the prevalence of cloud misconfigurations and security vulnerabilities has emerged as a significant concern. Cyber threat actors are capitalizing on these vulnerabilities, targeting misconfigured or inadequately secured cloud systems.
Security company Darktrace shared details around a new phishing campaign leveraging legitimate Dropbox infrastructure to bypass multi-factor authentication (MFA). Darktrace notes in their report that while it is common for attackers to exploit the trust of users by mimicking common services, this campaign took things a step further and actually used the legitimate cloud storage platform.
Switzerland's National Cyber Security Centre (NCSC) has released details surrounding a ransomware attack on Xplain which impacted thousands of sensitive government files. Xplain is a Swiss technology and software solutions company, which supports various government departments, administrative units, and even the country's military.
Public schools across the United States are facing a surge in sophisticated phishing campaigns, according to a new report by PIXM, a cybersecurity firm specializing in artificial intelligence solutions.
During a keynote presentation this week at CPX 2024 in Las Vegas, the vice president of research at Check Point, Maya Horowitz, highlighted the resurgence of USBs used by Nation-state actors to compromise highly secured government organizations and critical infrastructure facilities. According to Horowitz, three major threat groups employed USBs as their primary initial infection vector in 2023: Chinese Nation-state group Mustang Panda, Russian APT group Gamaredon, and the actors behind the Raspberry Robin worm.
The US National Security Agency (NSA) has released guidelines for zero-trust network security, aiming to provide a structured approach towards its adoption. Despite the increasing recognition of zero trust as a vital security strategy, its implementation remains slow, necessitating clear guidance and support.
Facebook messages are being used by threat actors to a Python-based information stealer dubbed Snake that's designed to capture credentials and other sensitive data. "The credentials harvested from unsuspecting users are transmitted to different platforms such as Discord, GitHub, and Telegram," Cybereason researcher Kotaro Ogino said in a technical report.
Researchers at Zscaler have disclosed details on a campaign that has been ongoing since at least December 2023, where actors are distributing remote access trojans on Android and Windows operating systems with the help of fraudulent Skype, Google Meet, and Zoom websites.
Earlier this week, JetBrains disclosed CVE-2024-27198, a critical severity authentication bypass vulnerability in TeamCity On-Premise. According to researchers, hackers have begun mass exploiting of this vulnerability, with hundreds of new users being created on unpatched instances of TeamCity exposed on the public web.
The TA4903 group has been observed engaging in extensive spoofing of both US government agencies and private businesses across various industries. While primarily targeting organizations within the United States, TA4903 occasionally extends its reach globally through high-volume email campaigns.
The report issued on March 6, 2024, highlights the escalating cybercrime landscape in the United States, with a record number of complaints received by the Internet Crime Complaint Center (IC3) in 2023. Key points include a substantial increase in financial losses, with investment fraud, Business Email Compromise (BEC), and ransomware standing out as significant threats.
The cybercrime groups GhostSec and Stormous have collaborated to launch ransomware attacks across multiple sectors in over 15 countries. GhostSec, a member of The Five Families coalition, has been identified as the perpetrator behind the GhostLocker ransomware variant, developed using the Golang programming language.
Critical vulnerabilities have been uncovered in the on-premises deployments of JetBrains TeamCity, a widely used Continuous Integration/Continuous Deployment (CI/CD) pipeline tool. These vulnerabilities, known as CVE-2024-27198 and CVE-2024-27199, pose significant risks as they could enable threat actors to gain administrative control over TeamCity servers.
Researchers have developed a self-propagating worm dubbed “Morris II” specifically designed to target generative AI systems. This worm aims to exploit vulnerabilities within GenAI ecosystems, potentially spreading malware and extracting personal data.
The BlackCat ransomware gang appears to be orchestrating an exit scam, attempting to shut down their operation and abscond with affiliates' funds. They blame the FBI, falsely claiming their website and infrastructure were seized. The gang is now selling the source code for their malware for $5 million.
A threat actor specializing in establishing initial access to target organizations' computer systems and networks is using booby-trapped email attachments to steal employees' NTLM hashes. NT LAN Manager (NTLM) hashes contain users' (encoded) passwords. “User authentication in Windows is used to prove to a remote system that a user is who they say they are.
Late last month, ConnectWise addressed two flaws impacting its remote access software ScreenConnect, which could be exploited by actors to bypass authentication (CVE-2024-1709) and execute code remotely (CVE-2024-1708). Since then, several threat actors have abused the flaws, particularly CVE-2024-1709, in the wild to deploy various payloads including ransomware (Black Basta, Bl00dy, LockBit), remote access trojans, info stealers, and much more.
Security researcher HaxRob discovered a previously unknown Linux backdoor named GTPDOOR, designed for covert operations within mobile carrier networks. The threat actors behind GTPDOOR are believed to target systems adjacent to the GPRS roaming eXchange (GRX), such as SGSN, GGSN, and P-GW, which can provide the attackers direct access to a telecom's core network.
Researchers at Bleeping Computer have discovered a content farm that masquerades as reputable news sources, including a couple major news outlets. These sites plagiarize articles without attribution, essentially stealing content from credible news organizations and research institutes.
Proofpoint cybersecurity researchers have uncovered a new tactic employed by cybercriminal threat actor TA577, revealing a previously unseen objective in their operations. The group was found using an attack chain aimed at stealing NT LAN manager (NTLM) authentication information, which could potentially be used for sensitive data gathering and further malicious activities.
BleepingComputer has uncovered new developments regarding the ALPHV/BlackCat ransomware gang's activities. According to reports, the gang has taken the drastic step of shutting down its servers amidst accusations of defrauding an affiliate out of a staggering $22 million. This affiliate is believed to have been responsible for the attack on Optum's Change Healthcare platform.
Last Friday, Taiwan's Ministry of National Defense confirmed an attack on the country's largest telecom company, Chunghwa Telecom, enabling hackers to steal sensitive information including military and government contracts. The actors have advertised the data stolen on the dark web, allegedly claiming to have exfiltrated 1.7 TeraBytes of data from Chunghwa Telecom.
CISA, the FBI, and MS-ISAC have released a joint advisory warning against ongoing Phobos ransomware attacks targeting government, education, emergency services, healthcare, and other critical infrastructure sectors.
On February 29, government agencies from the Five Eyes countries, comprising Australia, Canada, New Zealand, the UK, and the US, issued an urgent warning regarding the active exploitation of vulnerabilities found in Ivanti products. These vulnerabilities, which include CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, affect all supported versions of Ivanti gateways, spanning from 9.x to 22.x.
Observations made by researchers at Group-IB showcase cybercriminals increasingly harnessing the power of artificial intelligence to develop more advanced and potent malware, as evidenced by the escalating number of ransomware attacks and the collaborative efforts between ransomware groups and initial access brokers.
A new phishing kit has emerged, targeting cryptocurrency users by impersonating login pages of prominent cryptocurrency services, with a focus on mobile devices. The kit allows attackers to create fake single sign-on (SSO) pages, using a combination of email, SMS, and voice phishing to deceive victims into divulging sensitive information, including usernames, passwords, and even photo IDs.
A new variant of the Bifrost remote access Trojan (RAT) has emerged, specifically targeting Linux systems. This variant employs a sophisticated evasion technique by utilizing a deceptive domain, download.vmfare[.]com, which closely resembles a legitimate VMware domain.
The Lazarus APT group, strategically exploited a zero-day vulnerability within the Windows AppLocker driver to infiltrate target systems at the kernel level. This sophisticated technique allowed them to achieve direct kernel object manipulation granting the actors unprecedented access and the ability to disable security software.
The GTPDOOR is a newly discovered Linux malware specifically crafted to infiltrate telecom networks located near GPRS roaming exchanges. What sets it apart is its utilization of the GPRS Tunneling Protocol (GTP) for C2 communication, making it distinct from other malware strains.
A newly discovered threat actor, known as Savvy Seahorse, is orchestrating an investment scam by leveraging a sophisticated traffic distribution system (TDS) that exploits the Domain Name System (DNS). Savvy Seahorse impersonates reputable brands like Meta and Tesla through Facebook ads in multiple languages, enticing victims to create accounts on a fake investing platform.
Mandiant has shed light on a ongoing campaign, where UNC1549, an Iranian-suspected actor, has been targeting aerospace, aviation and defense industries in the Middle East countries since at least June 2022, including Israel and the United Arab Emirates (UAE) and potentially Turkey, India, and Albania.
A joint advisory from cybersecurity and intelligence agencies highlight the MooBot threat targeting users of Ubiquiti EdgeRouters. This botnet, orchestrated by Russia's APT28, has been operational since at least 2022 and has been employed in various cyber operations globally. APT28, known for its affiliation with Russia's Main Directorate of the General Staff, has been active since 2007 and is notorious for its sophisticated cyber campaigns.
The Black Basta and Bl00dy ransomware groups have recently been identified as participants in a wave of attacks targeting vulnerable ScreenConnect servers. These attacks exploit a critical authentication bypass vulnerability (CVE-2024-1709), which enables threat actors to create administrative accounts on internet-exposed servers.
CISA - Active Exploitation Ivanti Connect Secure and Ivanti Policy Secure Gateways
ISA, the FBI, and the Department of Human Services have released a joint advisory warning about the resurgence of BlackCat ransomware. Since December 2023, this group has compromised 70+ victims, the majority of which reside in the healthcare sector.
China's Ministry of Industry and Information Technology (MIIT) has unveiled a comprehensive strategy aimed at bolstering data security within the nation's industrial sector. This initiative, slated for completion by the end of 2026, is designed to mitigate major risks posed by cyber threats to over 45,000 companies operating in various industrial verticals.
A new emergence of the Xeno RAT Trojan, a highly intricate remote access tool that has surfaced on GitHub. Crafted by an individual moom825, this RAT developed entirely from scratch in C#, boasts a comprehensive suite of functionalities tailored for remote system management.
Morsphisec researcher Michael Dereviashkin has released more details on a phishing campaign disclosed in January by Ukraine's CERT-UA where threat actors were observed using war-themed lures to deliver Remcos Remote Access Trojan to targeted victims.
The LockBit ransomware gang has resurfaced less than a week after law enforcement announced that it had taken down the group's infrastructure, which included 34 servers hosting the data leak website and its mirrors, data stolen from victims, cryptocurrency addresses, decryption keys, and the LockBit affiliate panel.
Public disclosure of breaches like this raises awareness within the telecommunications industry and among consumers about the importance of data security, potentially prompting other companies to review and enhance their own security measures.
Health tech firm Change Healthcare was hit with a cyberattack on February 21, 2024, leading to a disruption of a number of its systems and services. According to Change Healthcare numerous applications across areas such as pharmacy, medical records, dental, payment services, and patient engagement are still experiencing connectivity issues. In particular, pharmacies have reported being unable to process patient prescriptions, preventing individuals from getting their medications on time.
Last week enterprise IT giant ConnectWise released patches to address a maximum-severity flaw impacting its remote access software, ScreenConnect. Tracked as CVE-2024-1709, the bug pertains to an authentication bypass that could potentially enable attackers to gain access to confidential information or critical systems.
Charming Kitten, also known as Charming Cypress or APT42, is an Iran-backed group notorious for its sophisticated social engineering tactics, primarily targeting policy experts in the Middle East, Europe, and the US. Recently, they employed a fake webinar platform to ensnare their targets, particularly focusing on Middle East policy experts.
and government regulation in the digital age, particularly in countries like India where social and political tensions often spill over into online platforms. The global government affairs team at X, previously known as Twitter, has taken action to suspend certain accounts and posts within India as per directives received from the country's government.
According to researchers at Cybereason, almost four in five or (78%) of ransomware victims who paid a ransom were hit by a second ransomware attack, often by the same threat actor. These details are highlighted in Cybereason's Ransomware: The Cost to Business Study 2024.
The leak from I-Soon, a company contracting for various Chinese government agencies including the Ministry of Public Security, Ministry of State Security, and People's Liberation Army, occurred over the weekend of February 16th. The source of the leak and motives behind it remain unknown, but it offers unprecedented insight into the operations of a state-affiliated hacking contractor.
Researchers at Trend Micro have uncovered details on a new LockBit sample that the actors were secretly building prior to law enforcement's takedown of the group's infrastructure earlier this week. The new sample dubbed LockBit-NG-Dev, is written in the .NET programming language and appears to be compiled with CoreRT, whereas previous LockBit samples were written in C++.
German cybersecurity company DCSO has shed light on a malware sample that is believed to be part of North Korea-linked activity targeting the Russian Ministry of Foreign Affairs. Dubbed KONNI, the trojan was uploaded to VirusTotal in mid-January 2024 and is believed to have been used since as early as 2014.
A new iteration of the Lucifer botnet has emerged, specifically aimed at organizations utilizing Apache Hadoop and Apache Druid big data technologies. The variant combines the insidious traits of cryptojacking and distributed denial of service capabilities, posing a significant threat to vulnerable systems.
Cyber intelligence firm KELA uncovered a post on RAMP forums advertising source code for the Knight 3.0 ransomware. The post was made by a user who goes by the name ‘Cyclops,' a representative of the Knight ransomware gang.
According to a new report from IBM X-Force Threat Intelligence, valid accounts made up 30% of total initial access vectors employed by actors in 2023. Phishing also accounted for 30% but researchers note a 11% drop compared to 2022. When it comes to valid accounts, there are several ways actors are getting a hold of such credentials.
This article provides an update on recent revelations regarding the LockBit ransomware group. Law enforcement authorities have disclosed that nearly 200 "affiliates" have registered with the group over the past two years. Affiliates are individuals who participate in the gang's ransomware-as-a-service model, utilizing LockBit's tools in exchange for a share of the profits obtained from victims.
Technical details and proof-of-concept exploits are available for two vulnerabilities in ConnectWise ScreenConnect. A day after the vendor published the security issues, attackers started leveraging them in attacks.
The Bundesamt für Verfassungsschutz (BfV) of Germany and the National Intelligence Service (NIS) of the Republic of Korea (ROK) have issued a joint Cyber Security Advisory (CSA) to alert about cyber campaigns likely conducted by North Korean actors targeting the defense sector. North Korea's focus on military strength drives them to steal advanced defense technologies globally, using cyber espionage as a cost-effective method.
The Cactus ransomware group, who claimed responsibility for an attack on Schneider Electric, says they have stolen 1.5TBs of data from the energy management and industrial automation company. According to reports, the companies Sustainability Business division was targeted on January 17th. Impacts were felt as the companies cloud services faced outages, however, other divisions of the company were not impacted.
A recent trend of cybercriminals leveraging PDFs to distribute malware has been showcased in HP Wolf's security report, showcasing a notable 7% increase in PDF based threats during Q4 2023 compared to Q1. This surge in malicious activity includes the dissemination of notorious malware strains like WikiLoader, Ursnif, and DarkGate.
n January 2024, a court-authorized operation was able to take down Moobot Botnet, a network of hundreds of small office/home office (SOHO) routers under the control of the Russia-linked group APT28. This court order enabled law enforcement to use the Moobot malware to copy and delete stolen and malicious data and files from compromised routers.
This year, Ivanti has disclosed several vulnerabilities impacting its Connect Secure, Policy Secure, and ZTA gateways. Tracked as CVE-2024-22024, CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21888, these flaws range from high to critical in severity and pertain to a case of authentication bypass, server-side-request forgery, arbitrary command execution, and command injection. S
Cisco Talos disclosed details of a three-month-long campaign where Russia-linked threat actor Turla has been targeting Polish non-governmental organizations with a new backdoor dubbed TinyTurla-NG. This campaign has been ongoing since December 18, 2023, with researchers suspecting that the activity may have actually commenced in November 2023 based on malware compilation dates.
A new variant of the Qbot malware has emerged utilizing a fake Adobe installer popup to deceive law enforcement takedowns, the malware's developers continue to experiment with new builds, observed in email campaigns since mid-December.
A Minnesota-based Internet Service Provider U.S. Internet Corp has suffered a significant data leak. Specifically, a business unit called Securence, which specializes in providing filtered, secure email services to business, educational institutions and government agencies worldwide was accidently publishing more than a decade's worth of it's own internal emails, and that of thousands of clients, in plain text on the Internet where anyone could view it.
In a recent article from ReversingLabs, the importance of Multifactor Authentication (MFA) in securing software development environments, particularly in light of recent high-profile attacks such as SolarWinds, Codecov, and Kaseya. The report highlights how attackers target developer accounts to manipulate code, access secrets, and wreak havoc on organizations and their customers.
On February 9, 2024, the Justice Department announced the seizure of internet domains selling the Warzone RAT malware, a sophisticated Remote Access Trojan. Domains including www[.]warzone[.]ws were seized, with two suspects arrested in Malta and Nigeria for selling the malware. The operation, led by the FBI and supported by Europol and J-CAT, aimed to disrupt cybercriminals using the malware.
The Federal Communications Commission (FCC) has made AI-generated voices in robocalls illegal under the Telephone Consumer Protection Act (TCPA), with a Declaratory Ruling that took effect immediately. This ruling aims to combat the rising trend of robocall scams that use AI-generated voices to deceive consumers, imitate celebrities, and spread misinformation.
The Bumblebee malware, known for its role as an initial access broker facilitating the download and execution of additional payloads like Cobalt Strike and Meterpreter, has made a comeback with fresh tactics after a period of dormancy. Proofpoint researchers observed a significant shift in the attack chain, diverging from previous Bumblebee patterns.
Bank of America is warning its customers of a data breach exposing their personal information after one of its third-party service providers, Infosys McCamish System (IMS) fell victim to a cyber attack in November of last year. LockBit claimed responsibility for the attack, listing IMS on its data leak site on November 4.
Proofpoint has disclosed details of a phishing campaign that it detected in late November 2023 which has compromised hundreds of user accounts in dozens of Microsoft Azure environments. In particular, the campaign has singled out employees who are likely to hold higher privileges, such as senior executives at organizations.
The FCC has updated their data breach reporting requirements, which now requires telecommunication companies to report data breaches that impact customer's personal identifiable information within 30 days. These new requirements go into effect on March 13th, 2024.
A group of researchers from Kookmin University and the Korea Internet and Security Agency (KISA) uncovered an implementation vulnerability enabling them to reconstruct encryption keys and decrypt data locked by Rhysida ransomware. “Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data.
Last week, Ivanti disclosed a new vulnerability impacting its Connect Secure, Policy Secure, and ZTA gateway appliances. Tracked as CVE-2024-22024, the flaw impacts the SAML component of these appliances and can be exploited by actors to gain access to restricted resources without authentication. At the time of the disclosure, Ivanti noted that it had no evidence to suggest that the flaw was being actively exploited.
Researchers from Checkpoint have released a new report on the evolution of Raspberry Robin malware. The latest strains are stealthier and implement various 1-day exploits that are deployed on specific vulnerable systems. 1-day exploits are similar to zero-day exploits, but have a public disclosure and/or patch available by the vendor. Even though a patch may be available, threat actors will exploit these vulnerabilities soon after disclosure, before victims have installed the patch.
A critical vulnerability has been discovered in the shim bootloader used by nearly all Linux distributions. This flaw tracked as CVE-2023-40547, could allow remote code execution and bypass Secure Boot. Essentially, the flaw arises from the handling of HTTP protocol within shim, allowing attackers to execute man-in-the-middle attacks.
In 2023, ransomware payments soared to a record $1.1 billion, reversing the declining trend in 2022. According to researchers from Chainalysis, this trend is likely attributed to the escalating attacks against major institutions and critical infrastructure and Clop's massive MOVEit campaign, which compromised dozens of organizations across the globe.
A new report from the Dutch Military Intelligence and Security Service (MIVD) highlights a campaign that took place last year, where Chinese state-backed actors were able to infiltrate Dutch defense networks and steal sensitive information.
Mercedes-Benz faced a significant security breach when a private key was mistakenly left online, resulting in the exposure of sensitive internal data. The breach, discovered by RedHunt Labs security researchers, exposed critical internal information, intellectual property, and sensitive credentials. M
Verizon Communications issued an advisory this week that an insider data breach has impacted almost half it's workforce, exposing sensitive employee personal identifiable information (PII). A data breach notification shared with the Office of the Maine Attorney General reveals that a Verizon employee gained unauthorized access to a file containing sensitive employee information on September 21, 2023.
A group known as ‘Resume Looters' has conducted SQL injection attacks on 65 legitimate job listing and retail websites, compromising the personal data of over two million job seekers, mainly in the APAC region, The group targeted sites in Australia, Taiwan, China, Thailand, India, and Vietnam to steal names, email addresses, phone numbers, employment history, education and other information.
A new campaign has been uncovered by Trustwave SpiderLabs where actors are using Facebook job advertisements to trick unsuspecting end users into installing a novel Windows-based stealer malware codenamed Ov3r_Stealer. For its part, Ov3r_Stealer is capable of siphoning IP address-based location, hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Microsoft Office documents, and a list of antivirus products installed on the compromised host.
Yesterday, the Biden administration announced it would be rolling out a new policy to impose visa restrictions on foreign individuals involved in the misuse of commercial spyware. This includes those who have used spyware to target individuals such as journalists, activists, perceived dissidents, members of marginalized communities, or the family members of those who are targeted.
Scammers allegedly stole $25.5 million from a multinational company in Hong Kong by using a deepfake video call to deceive an employee into transferring the funds. The employee apparently attended a video conference call with deepfake recreations of the company's chief financial officer and other employees who instructed him to transfer the funds.
The US issues new sanctions against Iran after “destabilizing and potentially escalatory” cyber attacks against US critical infrastructure. The remarks were made in a statement that announced sanctions against six Iranians for last year's cyber-attack against Unitronics, an Israeli manufacturer of programmable logic controllers used in the water sector and other critical infrastructure organizations. Several organizations in the water sector were impacted by a group of hacktivists called the CyberAv3ngers.
The Government Computer Emergency Response Team of Ukraine (CERT-UA) took action under the law to assist a state-owned enterprise facing significant damage from the DIRTYMOE (PURPLEFOX) malicious program, affecting over 2,000 computers in the Ukrainian internet segment. Analysis of malware samples and reference to reports from Avast and Trendmicro aided in understanding the threat's intricacies.
A new malware linked to a China-based threat group, UNC-5221, has been detected by Mandiant, targeting Ivanti Connect Secure VPN and Policy Secure devices. This malware, including web shells like BUSHWALK and CHAINLINE, exploits vulnerabilities CVE-2023-46805 and CVE-2024-218867, allowing arbitrary command execution.
Temporary patches have been released to address a new Windows-zero flaw dubbed EventLogCrasher that lets attackers remotely crash the Event Log service on devices within the same Windows domain. According to security researcher Florian, who discovered and reported the flaw, Microsoft tagged the flaw as “not meeting servicing requirements” and said it's a duplicate of a bug that was disclosed in 2022 (no further details were provided).
According to Reuters, the US Justice Department and FBI have reportedly taken action against Chinese state-sponsored hackers attempting to infiltrate American critical infrastructure. Over several months, law enforcement conducted operations authorized by a court order, to disable parts of the Chinese hacking campaign. This campaign, known as Volt Typhoon, was revealed in May 2023 after it was found that the hackers accessed US critical infrastructure networks as far back as 2021.
In a recent report provided by Dragos, despite the takedown of prominent ransomware groups, the remaining threat actors have evolved their tactics and maintained the exploitation of zero-day vulnerabilities. This has allowed them to inflict more damage on industrial control systems (ICS) with fewer attacks, as highlighted in Dragos' latest industrial ransomware analysis for the last quarter of 2023.
A new set of flaws was disclosed by Ivanti today, which impact Ivanti Connect Secure, Policy Secure, and ZTA gateways. One of these flaws (CVE-2024-21888) pertains to a privilege escalation vulnerability which could allow a malicious actor to elevate privileges to that of an administrator.
AT&T's cybersecurity research team has uncovered a new wave of phishing attacks that abuse Microsoft Teams group chat requests to distribute malicious attachments designed to infect targeted systems with DarkGate malware. In total, attackers have used what seems to be a compromised team user (or domain) to send over 1,000 malicious group chat invites to unsuspecting users.
Rsearchers at Zscaler have uncovered a new campaign that is delivering a new variant ZLoader malware to targeted systems. This variant is said to have been in development since September 2023 and contains significant changes to the loader module, which added RC4 encryption, updated the domain generation algorithm, and is now compiled for 64-bit Windows operating systems for the first time.
Energy management and automation giant Schneider Electric recently suffered from a ransomware attack that targeted its Sustainability Business division, which provides services to enterprise organizations, advising on renewable energy solutions and helping them navigate complex climate regulatory requirements for companies worldwide.
Recent findings suggest that payloads discovered on compromised Ivanti Connect Secure appliances may originate from a single, highly skilled threat actor, according to incident response provider Synacktiv. A malware analysis by Synacktiv reveals that the 12 Rust payloads found in relation to two Ivanti Connect Secure VPN zero-day vulnerabilities share nearly identical code, suggesting a common origin.
Ukraine's Ministry of Defense says that pro-Ukrainian hacktivists have breached the Russian Center for Space Hydrometeorology (Planeta), and have wiped 2 petabytes of data from their systems. Planeta is a state funded research center that uses space satellite data, ground radars, and ground stations to provide accurate predictions about weather, climate, natural disasters, extreme phenomena, and volcanic monitoring.
In 2023, the cybersecurity landscape saw a resurgence of ransomware attacks, with a 27% increase in frequency during the first half of the year compared to the second half of 2022. May witnessed the highest number of ransomware claims in a single month in Coalition history. Ransomware also became the leading contributor to the overall increase in claims frequency, comprising 19% of all reported claims.
In summary the reports says that the surge in cloud migration, coupled with AI and machine learning, accelerated data use and storage in 2023. This led to significant breaches, with notable incidents including the MOVEit ransomware attack impacting 62 million individuals globally, the ICMR breach exposing 81.5 million Indian citizens' data, and 23andMe's unauthorized access compromising 9 million user accounts.
cyber criminals to collect money and valuables from victims of tech support and government impersonation scams. Many of the victims are senior citizens who are being targeted by scammers posing as employees of technology companies, financial institutions, or the U.S. government These victims are told by the actors that their financial accounts have been compromised or are under threat. T
Researchers at Fortinet uncovered a Python Package Index (PyPI) malware author who goes by the ID “WS” uploading malicious packages to PyPI, designed to infect developers with WhiteSnake Stealer. Several packages were identified including nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111, which researchers estimate to have impacted over 2000 victims.
Kaspersky researchers are warning of a notable surge in dark web discussions related to the use of ChatGPT and other Large Language Models (LLMs) to bolster cyber attacks. Nearly 3000 dark web posts were identified, focusing on a spectrum of cyber-threats, from creating malicious chatbot versions to exploring alternative projects like XXXGPT and FraudGPT. While the chatter apparently peaked in March of last year, there have been continued ongoing discussions about exploiting AI technologies for illegal activities.
Based on Menlo Security's browser security report for 2023, browser-based phishing attacks increased a whopping 198% in the second half of 2023. In general phishing attacks seem to have evolved in the last couple of years. According to researchers, they identified 11,000 zero-hour phishing attacks in a span of 30 days.
Two weeks ago, GitLab released patches to address a critical password reset vulnerability. Tracked as CVE-2023-7028, the bug can be exploited by actors to send password reset messages to unverified email addresses under their control. If the target organization does not have two-factor authentication, an actor in this case could initiate a potential account takeover by resetting the password. Patches for the bug
Researchers have uncovered the growing professionalization to the cybercrime ecosystem, highlighting an online redirection of service, VexTrio, as a major traffic broker for various threat groups. VexTrio operates malicious traffic distribution systems, accessing victims based on factors like device type and location, redirecting them to malicious sites based on client requirements.
According to a new report from cybersecurity firm Fortified Health Security, 116 million records were compromised across 655 breaches. In 2023, the number of patient records exposed in data breaches doubled in comparison to 2022, despite the number of breaches declining slightly. This is likely due to an increase in the number of large data breaches, where 16 breaches exposed more than two million patient records each.
A new ransomware strain, dubbed Kasseika, that was uncovered in December 2023 has joined the list of ransomware gangs to employ Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus software on targeted systems. BYOVD attacks work by either implanting or abusing a vulnerable driver in victim environments to carry out malicious operandi.
According to recent reports Google Pixel smartphone owners are experiencing issues after installing the January 2024 Google Play system update. Problems include being unable to access internal storage, open the camera, take screenshots, or open apps. The issue affects various Pixel models, indicating it's not specific to a particular hardware architecture.
Exploit code has been released for a critical vulnerability in Fotra GoAnywhere MFT, a managed file transfer solution. Researchers from Horizon3 released exploit details for CVE-2024-0204, a critical authentication bypass vulnerability which was patched by Fortra on December 4, 2023, but only publicly revealed by the vendor on Monday.
Active Directory Certificate Services (AD CS) is a server role that enables organizations to leverage public key infrastructure (PKI) as part of their on-premises services to issue and use digital certificates for authenticating identities and endpoints in Active Directory environments. As highlighted by SpecterOps in 2021, AD CS has become a prime target and leverage point in the overall attack chain to achieve post-compromise objectives.
The Black Basta ransomware group has added the UK's Southern Water as a victim on their Tor based data leak site, and have threated to publish stolen data if ransom demands are not met by February 29, 2024. “Southern Water is a private utility company responsible for collecting and treating wastewater in Hampshire, the Isle of Wight, West Sussex, East Sussex and Kent, and for providing public water supply to approximately half of this area” (Security Affairs, 2024). The company provides water to a large portion of the UK, and employs over 6,000 people.
SentinelOne researchers have uncovered a new infection chain where North Korean actors are posing as a member of the North Korea Research Institute to trick recipients into opening a ZIP archive that contains malicious files designed to infect the targeted system with RokRAT backdoor malware.
A patched vulnerability (CVE-2023-35636) in Microsoft Outlook, allowing theft of NTLM v2 hashes, can be exploited through specially crafted email headers. Security researcher Dolev Taler and Varonis Threat Labs disclosed two additional unpatched vulnerabilities of “moderate” severity for obtaining NTLM v2 hashes.
A new blog post by Mandiant shines light on a campaign where UNC3886, a China-nexus espionage group, has been observed exploiting a zero-day in vCenter server since 2021. The vulnerability in question is being tracked as CVE-2023-34048 and relates to an out-of-bounds write bug that can be exploited by actors to gain remote code execution on targeted systems.
Mortgage lender loanDepot has confirmed that approximately 16.6 million individuals had their personal information stolen in a ransomware attack disclosed earlier this month. The attack, which occurred on January 6, led to the shutdown of some systems, affecting recurring automatic payments and causing delays in payment history updates. The company, acknowledging the breach as a ransomware incident, mentioned that files on compromised devices were encrypted by malicious actors.
Microsoft revealed this week that they were potentially targeted by the Russian state-sponsored hacking group Midnight Blizzard. The group targeted a senior employee at the company by utilizing a password spray attack to infiltrate a legacy non-production test tenant account. This allowed them to gain access to the email accounts of Microsoft's leadership team and employees in cybersecurity and legal departments.
VF Corporation, the parent company of brands like Vans and North Face, disclosed that 35.5 million customers were impacted when criminals breached their systems in December. The announcement, made in an SEC filing, didn't specify the type of information accessed. However, VF Corp assured that social security numbers, bank details, and payment card information were not compromised, as they are not stored in its IT systems. The company also stated that there is no evidence of consumer passwords being accessed, though the investigation is ongoing.
Security researchers at Bishop Fox have identified over 178,000 SonicWall next-generation firewalls with the management interface exposed online are vulnerable to two stack-based buffer overflow flaws. Tracked as CVE-2022-22274 and CVE-2023-0656, these two vulnerabilities are essentially the same and can be exploited by unauthenticated actors to perform denial of service and even remote code execution.
Last week, Europol announced the arrest of a 29-year-old Ukrainian national for using hacked accounts to create 1 million servers used in a worldwide crypto jacking scheme to illegally mine cryptocurrency. This individual is suspected to have been active since 2021 and is known for hijacking cloud computing resources for crypto-mining. Starting in 2021, the hacker infected one of the world's largest e-commerce companies and used automated tools to brute force the passwords of 1,500 accounts of a subsidiary of the e-commerce company.
A new backdoor named "FalseFont" has been discovered, attributed to the Iranian hacking group Peach Sandstorm. This backdoor poses a significant threat to Managed Service Providers (MSPs) and mid-market companies, particularly those with limited cybersecurity measures. Peach Sandstorm is a global threat actor known for sophisticated cyberattacks since 2013, targeting sectors like defense, aerospace, and energy.
A python-based hacking tool named Fbot has emerged, targeting various online platforms including web servers, cloud services, CMS, and SaaS. Fbot, distinct from similar tools, aims to compromise cloud and SaaS services by harvesting credentials for resale.
The Finish National Cybersecurity Center recently sent out an advisory warning of an uptick in Akira Ransomware activity. In the latest set of attacks, Akira actors are going after network-attached storage devices as well as tape devices and wiping backups saved, making it difficult for victims to recover files. As a result, the agency recommends organizations switch to offline backups instead and distribute backups across various locations to prevent unauthorized access.
Researchers at Malwarebytes have uncovered an updated version of Atomic Stealer, an information stealer designed to target macOS systems. The update was made in mid December, 2023, where authors behind the malware introduced a new payload encryption routine designed to hide certain strings that were previously used for detection and identifying the C2 server.
Cisco patched a critical vulnerability tracked as CVE-2024-20272 in their Unity Connection product. The flaw could allow an unauthenticated attacker to remotely gain root privileges on unpatched devices. Unity Connection is a fully virtualized messaging and voicemail solution for email inboxes, web browsers, Cisco Jabber, Cisco Unified IP Phone, smartphones, or tablets with high availability and redundancy support.
Water Curupira, a threat actor, distributed the Pikabot loader malware in spam campaigns throughout 2023. Trend Micro reported that PikaBot's phishing attacks used a loader and a core module to gain remote access and execute commands via a connection to their server. This activity occurred from Q1 to June, earlier campaigns by cybercrime group TA571 and TA577 targeting victims with Qakbot.
Cybercriminals are now using “swatting” to pressure hospitals into paying ransom demands by targeting their patients. Swatting involves making false police reports and prompting armed responses to victims' homes. These criminals aim to coerce hospitals into paying by threatening patients, like in the Fred Hutchinson Cancer Center case, cybercriminals stole medical records and threatened to use swatting tactics on patients if their ransom demands weren't met.
Victims of Royal and Akira ransomware are being targeted by actors masquerading as cybersecurity researchers offering to delete the files stolen by the two ransomware gangs. According to Artic Wolf Labs, who have tracked several interactions, these actors contact victims stating they will hack into the server infrastructure of the original ransomware groups involved to delete the exfiltrated data.
Security researchers at Akamai have uncovered a new crypto-mining campaign that has been active since the beginning of 2023. These attacks include the use of a new Mirai-based botnet dubbed ‘NoaBot' which comes with various capabilities including a wormable self-spreader and an SSH key backdoor designed to download and execute additional binaries and spread itself to other systems.
In its 2023 Adversary Infrastructure Report, published on January 9, 2024, Recorded Future analyzed the effect of three malware takedown operations that took place in 2023 or before: The March 2023 attempt to take down unlicensed versions of commercial red-teaming product Cobalt Strike, a joint project between Microsoft, the Health Information Sharing and Analysis Center (Health-ISAC), and Fortra, the software company that owns Cobalt Strike In the cases of Cobalt Strike and QakBot, law enforcement operations had a significant impact in the short term and malicious activity linked with the two tools dropped drastically in the month following the operation.
A group linked to Ukraine's SBU has allegedly launched a destructive cyber-attack against a Moscow ISP in retaliation to Russia's takedown of Kyivstar last month. According to reports, the group called “Blackjack” deleted 20 TBs of data at M9 Telecom, leaving some residents of Moscow without Internet service.
Paraguay's military has issued a warning about potential Black Hunt ransomware attacks following a cyberattack on Tigo Business, the largest mobile carrier in Paraguay. Tigo Business, which provides digital solutions to enterprises, suffered a security incident impacting cloud and hosting services.
For malware researchers, analysts, or reverse engineers, Checkpoint says the ability to alter the functionality of certain parts of code is a crucial step. Manipulating processes for code execution works well for non-managed native code, but becomes more challenging when dealing with managed code. By altering the functionality of managed code, specifically for applications that run on top of .NET, Checkpoint says the open-source library Harmony is the best option.
NIST highlights the rising security and privacy concerns linked to the growing usage of artificial intelligence (AI) systems. These challenges encompass threats such as tampering with training data, exploiting model vulnerabilities, or even malicious interaction or manipulation to extract sensitive information.
The NoName ransomware group recently posted a list of their latest DDoS attack victims on their data leak site. Many of these victims include Ukrainian entities such as Accordbank, Zaporizhzhya Titanium-Magnesium Plant, State Tax Service, Central Interregional Tax Administration, Western Interregional Tax Administration, and the Main Directorate of the State Tax Service in Kyiv.
Security researchers have uncovered a new campaign that has been delivering AsyncRAT malware to select targets for the last 11 months using hundreds of unique loader samples and more than 100 domains. The campaign was initially discovered by a security researcher from Microsoft, Igal Lytzki, who spotted attacks last summer that were delivered over hijacked email threads.
A threat actor who goes by the name ‘RET' is claiming to have access to the source code as well as a builder for the Zeppelin ransomware. Both are being advertised for sale on an underground forum for 500$, with screenshots to prove the legitimacy of the package. In the post, the actor claims to have simply cracked a builder version for the ransomware strain and had acquired the package without a license.
Research findings have been published by threat researcher Greg Lesnewich, who unpacked a new macOS backdoor dubbed ‘SpectralBlur,' potentially linked to North Korean actors. Initial samples of SpectralBlur were uploaded to VirusTotal in August 2023.
A recent strain of the Bandook remote access trojan is spreading through phishing attacks, targeting Windows systems, highlighting the malware's ongoing evolution. Fortinet FortiGuard Labs discovered this activity in October 2023.
Russian hackers were inside Ukrainian telecoms giant Kyivstar's system from at least May last year in a cyberattack that should serve as a "big warning" to the West, Ukraine's cyber spy chief told Reuters. The attack, one of the most dramatic since Russia's full-scale invasion nearly two years ago, knocked out services provided by Ukraine's biggest telecoms operator for some 24 million users for days from Dec. 12.
Ivanti recently fixed a critical remote code execution (RCE) vulnerability in its Endpoint Management software (EPM). The flaw allows an unauthenticated attackers to hijack enrolled devices or the core server. The service helps manage client devices running a wide range of platforms from Windows and macOS to Chrome OS and other IoT operating systems.
Orange Spain suffered an internet outage today after a hacker breached the company's RIPE account to misconfigure BGP routing and an RPKI configuration. The routing of traffic on the internet is handled by Border Gateway Protocol (BGP), which allows organizations to associate their IP addresses with autonomous system (AS) numbers and advertise them to other routers they are connected to, known as their peers.
Cyber Toufan, a sophisticated threat actor claiming to be formed of Palestinian state cyber warriors, has managed to target over 100 entities in Israel in the last couple of months. These series of attacks have been fueled by geopolitical tensions between Israel and Hamas, a pro-Palestinian militant group. The latest intrusions carried out by Cyber Toufan have led to the exfiltration of large amounts of data which is being released to the public web.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities catalog. The first is CVE-2023-7101, affecting the open-source Perl library Spreadsheet::ParseExcel, with a remote code execution flaw. This vulnerability was exploited by Chinese hackers in late December, targeting Barracuda ESG appliances. Mitigations were applied, and an update was released on December 29, 2023.
Shadowservers has released new vulnerability metrics surrounding the recently discovered Terrapin vulnerabilities that threaten the integrity of some SSH connections. The Terrapin flaws target the SSH protocol, affecting both clients and servers, and was developed by academic researchers from Ruhr University Bochum in Germany.
Researchers are warning that multiple information-stealing malware families are abusing an undocumented Google OAuth endpoint named “MultiLogin” to restore expired authentication cookies to log into user’s accounts. This technique can be used for persistent access even if the account’s password has been reset.
Researchers from Palo Alto Networks and Symantec warned of a new Go-based malware loader called JinxLoader, which is being used to deliver next-stage payloads such as Formbook and XLoader. The name of the threat comes from a League of Legends character. Palo Alto Networks’s Unit 42 first observed the malware in November 2023 reporting that it has been advertised on the hacking forum Hackforums since April 30, 2023.
A new phishing campaign utilizes Microsoft Word documents to deliver a Nim-based backdoor has emerged. Attackers disguise themselves as Nepali government officials, enticing victims to enable macros in Word documents, leading to the deployment of the Nim malware.
Yesterday, Microsoft posted a series of tweets on X (formerly known as Twitter) stating that it observed Iranian cyber-espionage group APT33 deploy a new backdoor dubbed FalseFont in attacks targeting organizations in the Defense Industrial Base (DIB) sector. According to the tech giant, FalseFont was first observed in attacks as early as November 2023.
A new report from cybersecurity firm Deep Instinct linked a threat actor known as UAC-0099 to a series of attacks aimed at Ukraine, some of which leverage a high-severity flaw in the WinRAR software to deliver a malware strain called LONEPAGE.
Researchers from ReversingLabs have observed an increase in threat actors using GitHub open source development platform to host malware. The use of public services as command-and-control (C2) infrastructure isn’t a revolutionary technique for malicious actors, but the researchers highlight two novel techniques deployed on GitHub.
UK Secretary of State for Justice, Robert Buckland, has voiced concerns about the threat of deepfakes to British democracy prior to upcoming elections. He cited that there is a “clear and present danger” regarding deepfakes and noted how they can be used to potentially erode trust in information and sway opinions. Buckland highlighted that with AI being easily accessible and the sheer scale of generative AI, individuals can create and share content rapidly
According to a new report from HackRead in October 2023 alone, there were over 867,072,300 breached data records, accounting for millions of dollars in lost data and having an irreparable impact on the reputation of all companies involved. Human factors account for around 82% of all breaches that occur in business environments.
With many shoppers rushing to order Christmas gifts, scammers are taking advantage of this opportunity by creating phishing sites impersonating delivery services. According to Group-IB, these fake delivery sites have surged by 34% in December alone, with the company identifying 587 sites designed to look like legitimate postal operators and delivery companies in the first 10 days of December.
Israel’s National Cyber Directorate (INCD) recently disclosed a new phishing campaign that is distributing Windows and Linux data wipers via emails pretending to be a warning about a zero-day vulnerability in F5 BIG-IP devices. According to INCD, the emails push out an executable named F5UPDATER[.]exe for Windows users, while a shell script named update[.]sh is used for Linux users.
The report highlights key insights into the evolving cybersecurity landscape. Drawing from data gathered from 65 trillion daily signals and involving over 10,000 security experts, the report emphasizes the growing threat of human-operated ransomware attacks, which have surged by over 200% since September 2022.
A recent malware campaign has targeted over 50,000 users across 40 banks in various regions, using Javascript injections to steal banking data. The attack, discovered by IBM’s security team, commenced its preparation in December 2022 and executed its malicious operation in March 2023.
Yesterday, the U.S Justice Department announced the disruption of the BlackCat ransomware group, which to date has managed to target the computer networks of more than 1,000 victims, including those that support U.S. critical infrastructure (government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities).
AT&T Alien Labs has uncovered a new Go-based information stealer malware dubbed JaskaGo designed to target both Windows and Apple macOS systems. According to researchers, the info-stealer comes equipped with an extensive array of commands from its C2 server that enable actors to execute shellcode, enumerate running processes, harvest information from the victim system, and download additional payloads.
AT&T Alien Labs has uncovered a new Go-based information stealer malware dubbed JaskaGo designed to target both Windows and Apple macOS systems. According to researchers, the info-stealer comes equipped with an extensive array of commands from its C2 server that enable actors to execute shellcode, enumerate running processes, harvest information from the victim system, and download additional payloads.
Secure Shell Protocol (SSH) was developed in early 1995, after a password sniffer was used to discover passwords store in plain text on Finland’s Helsinki University of Technology. SSH was one of the first network tools to route traffic through an impregnable tunnel fortified with a still-esoteric feature known as "public key encryption, SSH quickly caught on around the world.
Earlier this year, Mandiant's Managed Defense threat hunting team discovered a malicious advertising (malvertising) campaign linked to UNC2975, a threat actor group. The campaign involved sponsored search engine results and social media posts, using fake websites related to "unclaimed funds."
This article highlights common methods cybercriminals use to bypass multi-factor authentication, specifically receiving unprompted one-time passcodes (OTP). Receiving an OTP sent as an email or text should be a cause for concern as it likely means your credentials have been stolen.
In 2022, Israeli organizations faced a wave of cyberattacks orchestrated by OilRig, an Iranian advanced persistent threat group also known as APT34, Helix Kitten, or Cobalt Gypsy. These attacks showcased the deployment of novel downloaders SampleCheck5000, ODAgent, and OilBooster crafted to exploit Microsoft cloud services for communication and data extraction.
Researchers at SentinelOne have uncovered an updated version of a backdoor dubbed Pierogi which is being used by the Gaza Cyber Gang, a pro-Hamas threat actor, to target Palestinian entities. The new variant, referred to as Pierogi++, is written in the C++ programming language. Similar to its predecessor, Pierogi++ is designed to take screenshots, execute commands, and download other payloads.
The FBI issued an advisory that they are closely monitoring threats to public safety during the holiday season, which may be amplified by the ongoing Israel-Hamas conflict. The FBI, Department of Homeland Security (DHS), and National Counterterrorism Center (NCTC) are issuing this Public Service Announcement to highlight elements posing potential threats in the United States from a variety of actors during the winter season.
Based on a recent Digital Forensics & Incident Response (DFIR) engagement with a law enforcement agency (LEA) and one of the leading investment organizations in Singapore (and other victims), Resecurity (USA) has uncovered a meaningful link between three major ransomware groups. Resecurity’s HUNTER (HUMINT) unit spotted the BianLian, White Rabbit, and Mario ransomware gangs collaborating in a joint extortion campaign targeting publicly-traded financial services firms.
The US cybersecurity landscape faces a critical challenge with the emergence of a highly resilient botnet operated by the Chinese-backed Volt Typhoon group. This botnet has ingeniously repurposed end of life Small Office/Home Office (SOHO) routers from Cisco, Netgear, and Fortinet, and set up a Tor-like covert data transfer network to perform malicious operations. Notably, these routers, lacking security updates, now serve as a central element in Volt Typhoon’s penetration strategy across critical sectors like communications, manufacturing and government.
Microsoft recently announced that it seized multiple domains used by the cybercrime group Storm-1152 to sell fraudulent Outlook accounts. According to the vendor, Storm-1152 has registered over 750 million fraudulent Microsoft accounts, enabling the group to generate millions of dollars in sales. After obtaining a court order from the Southern District of New York on December 7, 2023.
Email security firm Abnormal uncovered a new wave of BazarCall attacks abusing Google Forms to target users. First documented in 2021, BazarCall is a type of phishing attack that utilizes fake payment/subscription invoices in emails impersonating known brands. In this case, victims are notified that their account has been charged and should contact customer support if they don’t recognize the transaction. Rather than including a link in the email, the actors will leave behind a phone number that the victim can call.
In a joint advisory published on December 13, 2023, six security and intelligence agencies in the US, the UK and Poland warned that Cozy Bear has been exploiting an authentication bypass vulnerability in TeamCity (CVE-2023-42793) since at least September 2023. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes. The access could also be used to conduct software supply chain attacks.
Cybersecurity insurance provider Corvus reports that ransomware actors are switching tactics and are choosing to exploit vulnerabilities rather than leverage phishing emails to breach victim organizations. Analyzing metrics from claims data this year, Corvus was able to examine threat actor activity. The company claims that vulnerability exploitation rose as an initial access method from nearly 0% of ransomware claims in H2 2022 to almost a third in the first half of 2023.
Microsoft has warned that adversaries are using OAuth applications as an automation tool to deploy virtual machines (VMs) for cryptocurrency mining and to launch phishing attacks. Adversaries compromise user accounts, gaining access to OAuth apps to conceal their malicious actions and maintain control even if the original account is lost.
ZeroFox Researchers have identified a new online marketplace dubbed ‘OLVX’ which has become a popular place for cybercriminals to purchase tools and services that can be used to launch cyberattacks.
A new report by Cyjax warns of an increase in cyberattacks from Russia targeting Ukraine and its allies as the Winter season approaches. According to researchers, Russia’s missile production is struggling to keep pace with its tactical, operational, and strategic usage, due to economic sanctions and a shortage of workers.
This article examines different scenarios where your company may be mentioned on the darkweb, and what you can do to navigate and mitigate the potential risks associated. Specifically, the article focuses on the sale of compromised accounts, internal databases and documents, as well as access to corporate infrastructure, and the sale of personal identifiable information like ID photos, drivers licenses, etc.
A new blog post from IBM’s X-Force highlights APT28’s, a group of Russian military hackers, use of Israel-Hamas conflict lures to deliver Headlace malware. For its part, Headlace is a multi-component malware that includes a dropper, a VBS launcher, and a backdoor using MSEdge in headless mode, designed to download second-stage payloads and exfiltrate credentials as well as other sensitive details.
In mid-November, researchers at SonarCloud uncovered three flaws in pfSense, a popular open-source firewall and software, which if chained together can allow actors to execute code remotely on targeted appliances.
Ukraine’s largest mobile network operator Kyivstar was impacted by a cyber event that lead to significant shutdowns. The company, which is owned by Amsterdam-based Veon, announced on December 12th, that a powerful cyber attack caused technical failure, which impacted Internet access and mobile communications for customers.
A report published by Crowdstrike researchers indicates that insider threats are escalating, with Crowdstrike’s report indicating a surge in unauthorized actions using privilege escalation flaws. Approximately 55% of these threats leverage privilege scalation exploits, while 45% stem from downloading risky tools or misusing them.
Security researchers developed a new attack, which they named AutoSpill, to steal account credentials on Android during the autofill operation. In a presentation at the Black Hat Europe security conference, researchers from the International Institute of Information Technology (IIIT) at Hyderabad said that their tests showed that most password managers for Android are vulnerable to AutoSpill, even if there is no JavaScript injection.
Toyota Financial Services recently warned its customers about a data breach, where actors were able to gain unauthorized access to some of its systems in Europe and Africa, allowing the actors to steal sensitive personal and financial data. Medusa ransomware has claimed responsibility for the attack, demanding a 8 million ransomware be paid in exchange for the data stolen.
Last Friday, cyber security firm RedSense disclosed on X (formerly known as Twitter) that BlackCat Ransomware’s Tor data leak site had been taken down after police action. As of writing no official disclosure from law enforcement authorities has been published to the public regarding such a takedown.
wo years after its disclosure, the Log4j vulnerability remains a potent tool for North Korean hackers. A recent report by Cisco’s Talos Intelligence Group reveals that a hacking campaign, conducted throughout 2023 by a Lazarus umbrella group, utilized the Log4Shell exploit to target manufacturing, agricultural, and physical security entities.
University researchers from Singapore have discovered a set of vulnerabilities in 5G modems produced by Qualcomm and MediaTek, which they are collectively calling 5Ghoul. These vulnerabilities impact 710 5G smartphone models from Android, Apple, various routers, and USB modems.
An Iranian proxy hacking group named Polonium, operating from Lebanon poses a serious threat to Israel’s critical infrastructure. Despite being less known than other hacking groups, Polonium has intensified its attacks, targeting multiple Israeli sectors and evolving its tactics over time. Microsoft reported that Polonium spied on over 20 Israeli organizations, including key sectors like Transportation, IT, Finance, and Healthcare in Spring 2022.
APT28, a group of Russian military hackers have been exploiting a Microsoft Outlook zero-day (CVE-2023-23397) since March 2022 to target multiple European NATO member countries, including a NATO Rapid Deployable Corps. Over the course of 20 months, researchers at Palo Alto Networks’ Unit 42 have observed this group launch three different campaigns targeting at least 30 organizations across 14 nations deemed of probable strategic intelligence significance to Russia's military and government.
New data gathered by Veeam indicates that a surge in ransomware attacks has caused businesses in the UK to increase prices, adding to the already high inflation. Veeam surveyed 100 UK businesses with over 500 employees that had been compromised by ransomware. According to the software company, large companies had to increase costs to customers by an average of 17% following an attack.
A critical vulnerability in Bluetooth allows attackers to take control of Android, Linux, macOS, and iOS devices, including devices in Lockdown Mode. This vulnerability is tracked as CVE-2023-45866 and disclosed by security researcher Marc Newlin.
Advances in cloud technology, artificial intelligence and machine learning, and Web3 are reshaping the threat landscape, urging organizations to re-strategize their defenses and stay up to date with the latest trends and threats. A new blog post by Trend Micro highlights the new challenges that will come with these emerging technologies and what to expect for the upcoming new year.
Security Scorecard recently analyzed the cybersecurity posture of the largest coal, oil, natural gas, and electric companies in the US, UK, France, Germany, and Italy, as well as their suppliers. According to the vendor, UK energy firms received the high average security rating (80% holding a B or above). However, a third of global firms received a rating of C or lower, making them susceptible to a breach.
As companies increasingly adopt cloud computing, a report by Ermetic and IDC reveals that 80% of CISOs experienced cloud data breaches in the last 18 months, with 43% facing 10 or more breaches. The report emphasizes the need for a robust understanding of cloud security to safeguard organizations, personnel, and customers during the transition. Cloud security involves principles like access controls and system audits. Key reasons to embrace it include scalability, reliability, and protection against DDoS attacks.
Group-IB researchers discovered a previously undetected Linux remote access trojan called Krasue being employed in attacks aimed at telecom companies in Thailand. The Krasue Remote Access Trojan (RAT) emerged in 2021 according to samples found on VirusTotal. The name “Krasue,” comes from the Thai name of a nocturnal native spirit known throughout Southeast Asian folklore.
An influence operation dubbed Doppelganger associated with Russia has emerged, the campaign is actively targeting Ukrainian, U.S, and German audiences. Using a combination of fake news websites and social media accounts, seeking to undermine Ukraine while spreading sentiments questioning U.S. military competence, and highlighting Germany’s social and economic issues.
A new report from ZeroFox highlights LockBit’s continued dominance in the ransomware landscape, with the group accounting for 25% of all ransomware and digital extortion attacks worldwide between January 2022 and September 2023. In particular, LockBit poses a big threat to entities in North America, with an average of 40% of LockBit victims based in this region, spanning the manufacturing, construction, retail, legal & consulting, and healthcare sectors. Researchers note this is expected to increase to 50% by the end of 2023.
CISA recently published an advisory warning that hackers are exploiting a critical vulnerability in Adobe ColdFusion to gain initial access to government servers. Tracked as CVE-2023-26360, the flaw relates to an improper access control vulnerability in Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier), which could result in arbitrary code execution.
Senator Ron Wyden has raised concerns that unidentified governments are surveilling smartphone users through push notifications on apps, demanding data from Google and Apple. Push notifications, used by various apps for updates, messages, and news alerts, often travel through Google and Apple servers. This unique access gives the companies insight into app traffic and user activity, potentially facilitating government surveillance.
Forescout researchers have discovered a set of 21 vulnerabilities impacting Sierra OT/IoT routers which threaten critical infrastructure with remote code execution, unauthorized access, cross-site scripting, authentication bypass, and denial of service attacks.
Microsoft issued a warning regarding the exploitation of CVE-2023-23397 by APT 28, a Russian state sponsored group. The targeted entities include government, energy, transportation, and other key organizations in the United States, Europe, and the Middle East. CVE-2023-23397 was first disclosed and patched as a zero-day bug in Microsoft’s March 2023 Patch Tuesday update round.
A new report by VulnCheck indicates that over 15,000 Go module repositories on GitHub are vulnerable to Repojacking attacks. In such attacks, actors take advantage of GitHub username changes and account deletions to create a repository with the same name and the pre-existing username to trick unsuspecting users.
Cyber security firm Blackberry has uncovered a campaign targeting an aerospace organization in the United States. Researchers are tracking the actors behind this campaign as ‘AeroBlade.” Based on the observed attack, the actors used spear-phishing as their delivery mechanism, where they employed a weaponized document, sent as an email attachment.
Cybercriminals are currently targeting SaaS services and utilizing AI technology, social media phishing, and brand impersonation to pilfer from various sectors, impacting the reputations of legitimate businesses. It is crucial to adopt proactive measures, such as manual or automated takedown services, to maintain consumer trust during the bustling holiday shopping season. The USPS phishing attack encompasses over 3,000 phishing domains that mimic reputable brands like Walmart, with scammers exploiting stolen data to entice victims into revealing sensitive banking details.
A regulatory agency in Florida confirmed they responded to a recent cyber attack last week as US cybersecurity agencies warn of foreign attacks against water utilities. A spokesperson for the St. Johns River Water Management District, which works closely with utilities on water supply issues, confirmed that it “identified suspicious activity in its information technology environment” and that “containment measures have been successfully implemented.”
The ShadowServer Foundation is warning that tens of thousands of Microsoft Exchange email servers in Europe, the United States, and Asia are exposed on the public internet and vulnerable to remote code execution flaws. The mail systems run a software version that is currently unsupported and no longer receives any updates, being vulnerable to multiple security issues, some with a critical severity rating.
In a recent blog from Check Point, Outlook, the desktop app in the Microsoft Office suite, is highlighted as one of the world's most widely used applications for organizational communication. However, it poses significant security risks, acting as a critical gateway for cyber threats. The blog categorizes attack vectors into three types: the "obvious" Hyperlink attack vector, the "normal" Attachment attack vector, and the "advanced" Email Reading and Special Object attack vectors.
The DOJ and FBI collaborated to dismantle the Qakbot malware and its botnet, successfully disrupting a long standing threat. However, concerns linger as Qakbot may still pose a risk, although in a reduced form. The takedown removed the malware from a significant number of devices, including 700,000 globally and 200,000 in the U.S. Yet, recent findings suggest Qakbot remains active but weakened.
Researchers from Google DeepMind, Cornell University, and other institutions found that the widely used generative AI chatbot, ChatGPT, is susceptible to data leaks. By prompting ChatGPT to repetitively say words like "poem," "company," and others, the researchers were able to make the chatbot regurgitate memorized portions of its training data.
On Thursday the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) sanctioned eight North Korean agents for facilitating sanctions evasion including revenue generation and missile-related technology procurement that support the Democratic People’s Republic of Korea’s (DPRK) weapons of mass destruction programs.
Several vendors on VirusTotal have detected a new ransomware dubbed Turtle which is capable of not only targeting Windows and Linux systems but also macOS. Cybersecurity researcher Patrick Wardle who analyzed this new strain, says that Turtle Ransomware is currently not sophisticated. The malware was developed in the Go programming language.
Researchers from Satori Threat Intelligence discovered a new version of the ScrubCrypt obfuscation tool being used to target organizations with the RedLine stealer malware. This latest version of ScrubCrypt is for sale on dark web marketplaces, and is being used in account takeover and fraud attacks.
Researchers at Perception Point recently unveiled a sophisticated malware attack aimed at bypassing threat detection systems. The attack involves impersonating a financial services company via a fake invoice email. The email includes a button that leads to an unavailable website which urges users to visit a seemingly legitimate link for the invoice.
According to a new blog post by researchers at Artic Wolf, a set of known vulnerabilities in Qlik Sense, a cloud analytics and business intelligence platform, are being exploited to deploy ransomware. Tracked as CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365, the flaws are being chained together to achieve remote code execution on targeted systems.
Based on research conducted by Hornetsecurity, there has been an increasing trend of cybercriminals embedding malicious web links in emails to target victims. From an analysis of 45 billion emails, researchers concluded a 144% increase in this type of attack compared to 2022.
The Iran-backed Cyber Av3ngers, affiliated with the IRGC, has been actively exploiting Programmable Logic Controllers (PLCs) in Water and Wastewater treatment plants, targeting critical infrastructure installations in the U.S. The group, known for making false claims, initiated attacks on various water authorities, an aquarium, and a brewery. They focus on Unitronics PLCs, leveraging open source tools and exploiting vulnerabilities. The recent campaign expanded to target critical infrastructure globally, particularly those using equipment associated with Israel.
Last month, Okta disclosed that attackers breached its customer support system, gaining unauthorized access to files associated with 134 Okta customers, some of which were HAR files containing session tokens that could be used for session hijacking attacks. After re-examining the actions taken by the actors,
Researchers from Eurecom have developed six next attacks they have collectively named “BLUFFS.” These vulnerabilities can be used for device impersonation and man-in-the-middle (MitM) attacks. BLUFFS exploits two previously unknown flaws in Bluetooth, related to how session keys are derived to decrypt data in exchange.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is responding to a cyber attack on the Municipal Water Authority of Aliquippa, Pennsylvania. The attack involved the exploitation of Unitronics programmable logic controllers (PLCs) and has been attributed to the Iranian-backed hacktivist group Cyber Av3ngers.
CTS is a trusted provider of IT services to the legal sector in the UK. The company announced that it is investigating a cyber attack that caused a service outage. The incident impacted a portion of the services. The security incident potentially impacted hundreds of British law firms.
General Electric (GE) and the Defense Advanced Research Projects Agency (DARPA) are reported to have experienced security breaches, with stolen data allegedly available for sale on the Dark Web. The compromised information includes access credentials, DARPA-related military data, SQL files, and more. GE has acknowledged the breach and is actively investigating the matter. DARPA, known for collaborating with GE on various projects, may have classified information on weapons programs and artificial intelligence research in its data stores.
General Electric, an American multinational conglomerate that has several divisions including aerospace, power, and renewable energy, is investigating claims that a threat actor breached its development environment and leaked allegedly stolen data. The development comes after a threat actor named IntelBroker posted to a dark forum claiming to have access to General Electric’s development and software pipelines.
A joint operation carried out by Europol and law enforcement agencies has led to the arrest of 5 key suspects in Ukraine believed to be core members of various ransomware operations including LockerGoga, MegaCortex, Dharma, and the now defunct Hive ransomware. Since 2019, these individuals have targeted over 1,800 victims across 71 countries, compromising large corporations.
The Daixin Team, a group known for carrying out ransomware attacks, has listed the North Texas Municipal Water District (NTMWD) as a victim on their data leak site. The actors claim to have stolen large amounts of sensitive data from the company and are threatening to release it publicly. The information stolen is said to include board meeting minutes, internal project documentation, personnel details, audit reports, and more. The leak of the data puts the company at risk of frauds in the next months.
The Idaho National Laboratory (INL) announced this week that they suffered a cyberattack after SiegedSec hacktivists leaked stolen human resources data online. INL is a nuclear research center run by the U.S. Department of Energy that employs 5,700 specialists in atomic energy, integrated energy, and national security.
A critical vulnerability (CVE-2023-43177) in CrushFTP, allowing hackers to access files, execute code, and steal passwords. Although a fix was issued in version 10.5.2, a recent public exploit by Converge demands immediate updates for CrushFTP users. This exploit lets attackers read, delete files, and potentially gain total control over systems using specific web ports and functions in CrushFTP.
In a report released this week, Carbon Black shared details of a recent rise in infections related to the NetSupport RAT over the past few weeks. Specifically, the RAT was being deployed against targets in the education, government, and business services sectors.
A new variant of the Agent Tesla malware has been identified, employing a ZPAQ compression format lure file to extract data from multiple email clients and nearly 40 web browsers. ZPAQ, known for its superior compression ratio and journaling function, offers efficient file transfers but has limited software support.
According to Cybersecurity firm VMware Carbon Black, NetSupport RAT infections have been on the rise, with researchers detecting no less than 15 new infections in the last couple of weeks. NetSupport RAT is a remote access trojan that started off as a legitimate remote administration tool to provide users with technical support.
Last Friday, Cisco Talos published a blog post, highlighting that 8Base ransomware actors are using a variant of the Phobos ransomware to carry out financially motivated attacks. Although most Phobos variants have been distributed using SmokeLoader, a backdoor trojan, researchers note that in 8Base campaigns, the actors are embedding the ransomware component into encrypted payloads, which are then decrypted and loaded into the SmokeLoader process memory.
For years, a group based in New Delhi called Appin conducted hacking operations globally, targeting various individuals and organizations for clients such as private investigators, government agencies, and corporations. Their operations were sophisticated at times, but also unrefined showcasing a brazen approach to hacking.
APT29, a Russian state-sponsored actor has been leveraging WinRAR vulnerability CVE-2023-38831 in cyber attacks. Specifically, the group has been targeting embassy entities with BMW car sale lures. The vulnerability has been exploited by various groups as a zero-day since April, mostly going after cryptocurrency and stock trading forums.
Retailers like Amazon have promoted affordable Android devices for children, such as the Dragon Touch KidzPad Y88X 10 tablet. However, research by the Electronic Frontier Foundation (EFF) revealed malware and riskware on the device, leading to Amazon removing it from the platform. Other Y88X models remain available. This is not the first instance; in January 2023, Amazon sold a T95 Android TV box with preinstalled malware. Both instances involved the Corejava malware.
The ‘Ddostf’ malware botnet is attacking MySQL servers to turn them into a DDoS service. AnhLab Security Emergency Response Center (ASEC) discovered this while tracking threats against database servers. Ddostf infiltrates MySQL servers either through vulnerabilities in unpatched systems or by cracking weak administrator account passwords. These attackers search the web for exposed MySQL servers, trying to breach them through brute forcing administrator credentials.
Cybersecurity company Securonix has uncovered a new campaign dubbed SEO#LURKER, where actors are tricking WinSCP users into installing malware via SEO poisoning and bogus Google ads. In particular, the actors are using dynamic search ads which automatically generate ads based on a site's content to serve the malicious ads that take the victims to an infected site, which in this case is a compromised WordPress site (gameeweb[.]com). Researchers say this WordPress site will redirect the victim to a phishing site advertising a fake installation for WinSCP, in turn infecting the victim with malware.
A new joint advisory from CISA and the FBI has been issued detailing observed TTPs and IOCs to help organizations protect against Rhysida Ransomware. Rhysida is a fairly new ransomware that was first detected in May 2023. Like any other ransomware gang, the group engages in double extortion schemes where it will encrypt and exfiltrate victims’ files, threatening to publish the data online unless a ransom is paid.
FBI is warning of cybercriminals taking advantage of the war in Gaza to solicit funds from unsuspecting victims. According to alerts sent out by the agency, these fraudsters are using various schemes including emails, social media, cold calls, and websites masquerading as fundraisers and charities to convince end users to donate money, stating that the funds will go to victims of the ongoing conflict. These donations are requested in the form of gift cards, wire transfers, and cryptocurrency, making it difficult to trace back.
The hacking group known as DarkCasino was observed utilizing the recently disclosed security flaw in WinRAR as a zero day attack, redefining itself as an advanced persistent threat. This financially motivated actor, identified in 2021, possesses significant technical prowess and blends various APT attack technologies in their operations.
In May 2023, a two-phase cyber-attack targeted 22 Danish critical infrastructure companies. The attackers exploited Zyxel firewall vulnerabilities to gain control of the systems and carry out DDoS attacks.
Over the past five years, Chinese state-sponsored cyber operations have evolved into a more mature and coordinated threat, focusing on exploiting both known and zero-day vulnerabilities in public-facing security and network appliances. They have also placed a strong emphasis on operational security and anonymity These changes have been influenced by both internal factors like military restructuring and changes in domestic regulations, as well as external factors including reporting by Western governments and the cybersecurity community.
About a month ago, Citrix fixed a critical information disclosure flaw (CVE-2023-4966), “Citrix Bleed,” impacting Citrix NetScaler ADC and NetScaler Gateway. As of writing thousands of internet-exposed endpoints are still running vulnerable appliances despite patches being released. As such threat actors are using this opportunity to launch attacks. One of these actors is the LockBit Ransomware group, which researchers say is using publicly available exploits for CVE-2023-4966 to breach the systems of large organizations, steal data, and encrypt files.
A new report from Sophos indicates that cyber-criminals are disabling or wiping out logs in 82% of incidents, making it difficult for organizations to backtrace and determine what happened on systems during a crisis. What’s more is that based on a case study conducted by Sophos, nearly a quarter of organizations investigated didn’t have the appropriate logging available in place for incident responders. Researchers say this was due to several factors, including insufficient retention, re-imaging, or a lack of configuration. “In an investigation, not only would this mean the data would be unavailable for examination, but the defenders would have to spend time figuring out why it wasn’t available” stated researchers in a recent blog post.
ALPHV/BlackCat ransomware threat actors have been seen using Google Ads to distribute malware. By masquerading as popular software products like Advanced IP Scanner and Slack, the group has been luring professionals to attacker controlled websites. The victims, thinking they are downloading legitimate software, are unknowingly installing a piece of malware called Nitrogen. Nitrogen serves as initial-access malware providing intruders with a foothold into the target organization’s IT environment.
In today's complex cybersecurity landscape, cyberattacks are inevitable. Organizations, regardless of size or industry, must establish detailed playbooks for effective response. Chief Information Security Officers (CISOs) play a crucial role in preparing for attacks by fostering relationships, educating leaders, and developing comprehensive frameworks.
International logistics firm DP World Australia announced that a cyber attack has severely disrupted it’s regular freight movement in multiple Australian ports. DP World specialized in cargo logistics, port terminal operations, maritime services, and free trade zones, they have an annual revenue of over $10 billion. In total, the firm operates 82 marine and inland terminals in 40 countries, handles 70 million containers annually carried by 70,000 vessels, and manages roughly 10% of all global container traffic. DP World has the largest presence in Australia, handling over 40% of the nation’s container trade.
Imperial Kitten, also known as Tortoiseshell, TA456, Crimson Sandstorm and Yellow Liderc, has launched a new campaign targeting transportation, logistics, and technology companies in the Middle East. Associated with the Iranian Revolutionary Guard Corps (IRGC), this threat actor, using the online persona Marcella Flores, has been active since at least 2017, conducting cyberattacks across sectors like defense technology, telecommunications, maritime, energy, and consulting.
Hunters International, a newly emerged ransomware group, has acquired the source code and infrastructure from the dismantled Hive operation, a once-prolific ransomware-as-a-service (RaaS) group. The Hive group's operations were halted as part of a coordinated law enforcement effort in January 2023. This move allowed Hunters International to start its own cyber threat activities with a mature toolkit.
The Kaspersky Cyber Threat Intelligence team has unveiled crucial insights into the tactics, techniques and procedures (TTPs) employed by Asian Advanced Persistent Threat (APT) groups. In a report published today, Kaspersky reveals TTPs found from their examination of one hundred global cybersecurity incidents.
Dragos recently highlighted the UK National Cyber Security Centre's Cyber Assessment Framework (CAF) in a report, emphasizing its global applicability. The CAF, designed to enhance government cybersecurity, outlines top-level outcomes for good cybersecurity. While initially aimed at the UK, its principles are valuable globally.
Microsoft says Cl0p ransomware operators have begun exploiting a zero-day vulnerability in the service management software SysAid to access corporate servers for data theft and to deploy ransomware. SysAid is an IT Service Management (ITSM) solutions that helps organizations manage IT services within their environment.
According to a report from cybersecurity company Group-IB, a threat actor known as 'farnetwork' has operated under various usernames like farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkitand. They actively sought affiliates for different ransomware operations on Russian-speaking hacker forums. In March, farnetwork started recruiting affiliates for their ransomware-as-a-service (RaaS) program based on the Nokoyawa locker.
According to a new report from Checkmarx, throughout 2023 threat actors have been distributing malicious Python packages disguised as legitimate obfuscation tools to execute BlazeStealer malware on targeted systems. Once executed, BlazeStealer will retrieve a malicious script from an external source and run a discord bot designed to enable the threat actor to gain complete control over the victim’s computer.
According to a new advisory from the FBI, the agency noted that ransomware actors continue to gain access through third-party vendors and services. Between 2022 and 2023, the FBI observed ransomware attacks compromising casinos through third-party gaming vendors. In particular, small and tribal casinos were targeted, with the threat actors encrypting the PII data of employees and patrons which would be held for ransom payments.
The growing use of digital technology makes cybersecurity more important than ever. Ethical hackers, who identify and prevent cyber threats, are increasingly using AI tools like ChatGPT. A report by Bugcrowd reveals that many hackers believe AI will change how they work in the coming years. While AI can't replace human creativity in security, it helps in tasks like data analysis and vulnerability detection.
The “Soldiers of Solomon” are a Pro-Palestinian hacking group. On their X (previously Twitter) page, the group announced that it had breached the infrastructure of Flour Mills Ltd, a multinational company engaged in the processing and marketing of flour and related food products.
In a recent statement from Okta security chief David Bradbury, Bradbury confirmed that from September 28, 2023, to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers. These files contained session tokens, which the threat actor was able to use to hijack the legitimate Okta sessions of 5 customers.
Last Tuesday, Atlassian released security updates to address a critical improper authorization vulnerability impacting all versions of Confluence Data Center and Server. Tracked as CVE-2023-22518, the vulnerability can be used in data destruction attacks targeting internet-exposed and unpatched instances. While initially, Atlassian noted that it is unaware of reports of active exploitation, the vendor updated its advisory on Friday, stating that threat actors are starting to exploit the flaw in attacks in the wild.
A report from Infosecurity magazine says that Cloud native development practices are creating dangerous new security blind spots for organizations in the US, UK, France and Germany. A study by Venafi polled 800 security and IT leaders from large organizations based in these four countries. It found that 59% of respondents have experienced security incidents in their Kubernetes or container environments.
Researchers from ThreatFabric have identified a new dropper-as-a-service (DaaS) operation which they have named SecuriDropper. The service uses a method to bypass the “Restricted Settings” feature in Android to install malware on devices and obtain access to Accessibility Services.
Researchers at Google have issued a warning about various threat actors using the google calendar service for command-and-control purposes. Additionally, there’s a public proof-of-concept exploit called “Google Calendar RAT” that relies on the calendar service for its command-and-control infrastructure.
The United States, Japan, and South Korea are set to establish a high-level consultative body designed to counter North Korea’s cyber activities. The development comes after the US Deputy National Security Adviser, Anne Neuberger engaged in discussions with her South Korean and Japanese counterparts in Washington last week.
According to a new report by Cybersecurity firm Bitsight, threat actors are using PrivateLoader and Amadey loaders to distribute a proxy botnet, dubbed Socks5Systemz. Socks5Systemz’s infrastructure is extensive and encompasses 53 proxy bot, backconnect, DNS, and address acquisition servers, which are distributed across France, Bulgaria, Netherlands, and Sweden.
MacPaw, a Ukrainian software company, faced the challenge of maintaining business continuity during the Russian invasion. Their CTO, Vira Tkachenko, explained how they prepared for wartime cyber resilience, including forming an emergency team, prioritizing employee safety and service delivery, fortifying their headquarters, ensuring power and connectivity options, building hardware reserves, setting up redundant communications, freezing code changes, and dealing with increased cyberattacks.
AOE servers that are not properly secured are susceptible to a security vulnerability that could potentially grant unauthorized access to the server via the AOE Server Admin user account. Such compromised servers are consequently vulnerable to ransomware attacks, posing a significant security risk.
MITRE has released MITRE ATT&CK v14, the newest iteration of its popular investigation framework / knowledge base of tactics and techniques employed by cyber attackers. The goal of MITRE ATT&CK is to catalog and categorize the known tactics, techniques, and procedures (TTPs) used by adversaries in real-world attacks.
FIRST, the Forum of Incident Response and Security Teams, will release this week version 4.0 of the Common Vulnerability Scoring System (CVSS). CVSS is an open framework that allows organizations and researchers to communicate specific characteristics and severities of software vulnerabilities.
President Joe Biden has signed an executive order aimed at regulating generative AI systems like ChatGPT, recognizing their transformative potential and potential risks. The order focuses on ensuring the safe and responsible development and use of AI. It directs various federal agencies and departments to create standards and regulations for AI in various areas, including criminal justice, education, health care, housing, and labor, with an emphasis on protecting civil rights and liberties.
Last week, Citrix warned that threat actors are actively exploiting a critical information disclosure vulnerability impacting Citrix NetScaler ADC and Gateway instances. Tracked as CVE-2023-4966, the vulnerability can be exploited by unauthenticated attackers to leak sensitive information from on-prem appliances that are configured as an AAA virtual server or gateway. In the past couple of days, security researchers have noticed an alarming increase in exploitation attempts, with several threat actors including ransomware groups, targeting vulnerable instances.
As part of the upcoming third annual meeting of the International Counter-Ransomware Initiative, the Biden administration and dozens of its foreign allies will pledge to stop paying ransomware gangs. Representatives from 48 countries, the European Union, and Interpol are expected to attend this week’s summit, which will focus on strategies to block funds used by ransomware gangs to fuel their operations.
A report by Infoblox uncovers a concerning trend involving a link-shortening service called "Prolific Puma." This service assists cyber attackers and scammers by providing them with top-level .us domains, enabling them to run phishing campaigns with reduced visibility. Over the past 18 months, Prolific Puma has generated up to 75,000 unique domain names, often sidestepping regulations to offer malicious actors .us URLs.
In a recent blog post, cybersecurity firm Proofpoint disclosed that it observed two campaigns on October 11 and 18, 2023, in which TA571, a sophisticated cybercriminal threat actor, delivered the Forked variant of IceID. The forked variant was observed being delivered via emails containing 404 TDS URLs that would lead to the download of a password-protected archive, with the password listed in the email. “The zip file contained a VBS script and a benign text file.
Researchers at Security Joes have uncovered a new Linux Wiper malware dubbed “BiBi-Linux Wiper,” being used by a pro-Hamas Hacktivist group to target Israeli entities in the ongoing Israeli-Hamas conflict. BiBi-Linux Wiper is an x64 ELF executable that is designed to render files unusable by overwriting their contents, further appending targeted files with an extension that uses the following structure “[RANDOM_NAME].BiBi[NUMBER].”
The significant rise in attacks on operational technology (OT) systems is primarily due to two key factors: increasing global threats from nation state actors and the involvement of profit-driven cybercriminals often backed by the former. The lack of success in defending against these attacks can be attributed to several factors, including the complexity of OT environments, the convergence of information technology and OT, insider attacks, supply chain vulnerabilities, and more.
The Russian government is developing its own malware scanning platform, similar to VirusTotal, to address concerns that the U.S. government might access data from the popular Google-owned service. This new platform, called "Multiscanner," is being created by Russia's National Technology Center for Digital Cryptography in collaboration with other organizations and private enterprises, including companies like Kaspersky, AVSoft, and Netoscope.
We wanted to let members know that CISA has introduced a valuable toolset designed to assist companies with their logging requirements. "Logging Made Easy (LME)," LME is a reimagined offering by CISA, that transforms a well-established log management solution into a reliable, centralized log management alternative.
Earlier this year, a software vendor fell victim to a Lazarus malware attack due to unpatched legitimate software. Despite previous warnings and patches from the vendor, vulnerabilities remained, allowing the threat actor to exploit them. Fortunately, proactive measures detected and thwarted an attack on another vendor. Further investigation revealed that the software vendor had been repeatedly targeted by Lazarus, indicating a persistent and determined threat actor likely seeking valuable source code or tampering with the software supply chain. The adversary used advanced techniques and introduced the SIGNBT malware for victim control.
Summary: Researchers at Microsoft released a comprehensive profile of Octo Tempest, a native English speaker known for advanced social engineering skills. Octo Tempest primarily focuses on data extortion and ransomware attacks against various companies. This threat actor’s tactics have been continuously evolving since early 2022, with expanded targeting encompassing organizations offering cable telecommunications, email, and tech services.
Google has announced that it's expanding its Vulnerability Rewards Program (VRP) to compensate researchers for finding attack scenarios tailored to generative artificial intelligence (AI) systems in an effort to bolster AI safety and security.
Cloudflare says the number of hyper-volumetric HTTP DDoS (distributed denial of service) attacks recorded in the third quarter of 2023 surpasses every previous year, indicating that the threat landscape has entered a new chapter” (Bleeping Computer, 2023). DDoS attacks are a type of cyber attack that sends large amounts of traffic towards hosting apps, websites, and online services in an attempt to overwhelm and make them unavailable to legitimate visitors.
A hacking group associated with Russia’s military intelligence agency has been spying on French universities, businesses, think tanks, and government agencies, according to a new report from France’s top cybersecurity agency ANSII” (The Record, 2023). According to the agency, APT28 (Fancy Bear) has been breaching French networks since the second half of 2021 looking for sensitive data. The group chose not to leverage backdoors and instead compromised devices like routers that aren’t as closely monitored.
Chile's telecommunications company, Grupo GTD, has experienced a cyberattack that affected its Infrastructure as a Service (IaaS) platform. The attack caused disruptions to various online services, including data centers, internet access, and Voice-over-IP (VoIP). The attack has been attributed to the Rorschach ransomware gang, which has led to the disconnection of their IaSS platform from the internet.
A sophisticated cross-platform malware platform named StripedFly flew under the radar of cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time. Kaspersky discovered the true nature of the malicious framework last year, finding evidence of its activity starting in 2017, with the malware wrongly classified as just a Monero cryptocurrency miner.
Researchers have exposed multiple cyber scams exploiting the Israeli-Hamas conflict. These scams involve more than 500 deceptive emails and fraudulent websites that take advantage of people’s desire to support those affected by the conflict. Many of these emails contain links to counterfeit websites claiming to provide information about the ongoing situation and encouraging individuals to donate using various cryptocurrency payment methods, as reported by Kaspersky researchers.
There was a notable increase in threats to web applications, accounting for 30 percent of the engagements Cisco Talos Incident Response (Talos IR) responded to in the third quarter of 2023, compared to 8 percent the previous quarter. Exploitation of public-facing applications was the top observed means of gaining initial access, accounting for 30 percent of engagements.
A proof-of-concept (PoC) exploit is released for the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, that allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances. CVE-2023-4966 is a critical-severity remotely exploitable information disclosure flaw Citrix fixed on October 10 without providing many details.
As per a report by ESET security, a well-known cybersecurity endpoint protection vendor, the threat actor identified as Winter Vivern, also known as TA473 and UAC-0114, has been detected exploiting a zero-day vulnerability in Roundcube webmail software on October 11, 2023, for the purpose of gathering email messages from victims' accounts. Telemetry data indicates that the campaign specifically aimed at Roundcube Webmail servers owned by governmental entities and a think tank, all located in Europe.
A recent TrendMicro report highlights that IT teams are currently grappling with a deluge of software patches, which are being released on a regular basis, ranging from monthly to daily. As per statistics, contemporary enterprises are burdened with managing an average of 1,061 applications, and due to the frequent issuance of patches by various software vendors, the need for strategic prioritization has become imperative.
Security flaws in the use of OAuth by Grammarly, Vidio, and Bukalapak could potentially put the financial and credential information of millions of users at risk. These issues also raise concerns that other online services may face similar problems, potentially leading to account takeovers, credential theft, and financial fraud for users across various websites. Salt Labs researchers found serious API misconfigurations on websites like Grammarly, Vidio, and Bukalapak, indicating that numerous other sites might be similarly affected.
Ransomware activity in September reached unprecedented levels following a relative lull in August that was still way above regular standards for summer months. According to NCC Group data, ransomware groups launched 514 attacks in September. This surpasses March 2023 activity, which counted 459 attacks, and was heavily skewed by Clop's MOVEit Transfer data theft attacks.
Cybersecurity firm WithSecure, has discovered a connection between recent DarkGate malware attacks targeting its clients and Vietnam-based threat actors engaged in a campaign to compromise Meta business accounts and pilfer sensitive data. WithSecure's Detection and Response Team (DRT) reported multiple DarkGate malware infection attempts against their clients' organizations in the UK, USA, and India on August 4, 2023. The attack methods closely resemble those seen in recent DuckTail infostealer campaigns, which WithSecure has been monitoring for over a year.
A new sophisticated threat tracked as ‘TetrisPhantom’ has been using compromised secure USB drives to target government systems in the Asia-Pacific region. Secure USB drives store files in an encrypted part of the device and are used to safely transfer data between systems, including those in an air-gapped environment. Access to the protected partition is possible through custom software that decrypts the contents based on a user-provided password. One such software is UTetris[.]exe, which is bundled on an unencrypted part of the USB drive.
In a rare display of transparency, US energy services firm BHI Energy details how the Akira ransomware operation breached their networks and stole the data during the attack. BHI Energy, part of Westinghouse Electric Company, is a specialty engineering services and staffing solutions provider supporting private and government-operated oil & gas, nuclear, wind, solar, and fossil power generation units and electricity transmission and distribution facilities.
Google is set to introduce a new "IP Protection" feature in its Chrome browser to enhance user privacy by concealing their IP addresses through the use of proxy servers. This move aims to address privacy concerns related to IP addresses, which can be used for covert tracking, and marks Google's effort to strike a balance between user privacy and web functionality.
In a recent statement from Okta Security, they've reported the discovery of malicious activity involving the unauthorized use of a stolen credential to access Okta's support case management system. The threat actor was able to access files uploaded by specific Okta customers as part of recent support cases. It's essential to clarify that the support case system operates independently of the primary Okta service, which remains fully functional and unaffected. Notably, the Auth0/CIC case management system has not been impacted by this incident.
A hacktivist group supporting Israel, known as Predatory Sparrow, has resurfaced recently. Last week, the group broke its year-long silence by posting a tweet referencing the ongoing Gaza conflict, warning of its return and sharing a link to a report about the United States sending fighter planes and warships to aid Israel. Predatory Sparrow is recognized as a relatively advanced Israeli hacking operation, and it has a track record of conducting disruptive attacks in Iran, aimed at undermining the Iranian government.
In a report from Fortinet, they detail a new information-stealing malware named ExelaStealer that has recently emerged in the cybersecurity landscape. ExelaStealer is described as a low-cost, mostly open-source infostealer with the option for paid customizations. This affordability and openness make it accessible to a wide range of cybercriminals, from novices to more seasoned threat actors. The malware is predominantly coded in Python and offers support for JavaScript. It possesses the capability to exfiltrate a variety of sensitive data, including passwords, Discord tokens, credit card information, cookies, session data, keystrokes, screenshots, and clipboard content.
In a recent report from TrendMicro, researchers delve into critical vulnerabilities and risks associated with 5G and its infrastructure. They take a particular focus on the control plane and the susceptibility of the NGAP protocol to ASN.1-related issues. The first part of the report reveals how GTP-U tunnels can be exploited by user devices, potentially leading to core network crashes. In the second part, the report discusses how attackers can leverage these vulnerabilities by disguising control messages as user traffic, resulting in the transition from the user plane to the control plane.
North Korean hackers have notably increased their emphasis on the IT industry, by infiltrating companies involved in software development and organizations seeking IT professionals. On Wednesday, Microsoft disclosed that North Korean affiliated hacking groups Lazarus (Diamond Sleet) and Andariel (Onyx Sleet) have been exploiting a critical authentication bypass vulnerability (CVE-2023-42793) within JetBrains TeamCity server.
Hoxhunt released the results of their Hoxhunt Challenge, an exercise conducted in 38 organizations across nine industries and 125 countries. Their study revealed that 22% of phishing attacks in the first weeks of October 2023 used QR codes to deliver malicious payloads.
Sandu Diaconu, the operator of the E-Root marketplace, has been extradited to the U.S. to face a maximum imprisonment penalty of 20 years for selling access to compromised computers. The Moldovan defendant was arrested in the U.K. in May 2021 while attempting to flee the country following the authorities' seizure of E-Root's domains in late 2020. Last month, Diaconu consented to be extradited to the United States for wire fraud, money laundering, computer fraud, and access device fraud
The OilRig threat group, connected to Iran, conducted an eight-month-long cyber campaign against an unspecified Middle Eastern government from February to September 2023. This operation resulted in the theft of files and passwords, and at one point, they used a PowerShell backdoor called PowerExchange. The Symantec Threat Hunter Team refers to this operation as "Crambus." The attackers used the PowerExchange implant to monitor emails from an Exchange Server, execute commands, and send the results to themselves. They compromised at least 12 computers and installed backdoors and keyloggers on an additional dozen machines, indicating a significant breach.
In a recent report from Check Point, the focus is on escalating cyber activities during the Israel-Hamas conflict. The key points include a surge in cyberattacks targeting Israel, diverse cyber threats like DDoS attacks and hack-and-leak incidents, and the involvement of various hacktivist groups aligned with geopolitical interests. These developments are causing heightened risks and tensions in the cyber domain.
wo North Korean nation-state actors, Lazarus (or Zinc) and Plutonium (or Andariel), have been exploiting a known remote code execution vulnerability in the TeamCity continuous integration and continuous deployment tool. The vulnerability, CVE-2023-42793, was patched by JetBrains in version 2023.05.4. These actors have been targeting on-premises instances of TeamCity, deploying backdoors, stealing credentials, and more. Microsoft's threat intelligence group observed these attacks and noted that both groups may be opportunistically compromising vulnerable servers, but they have also used techniques that could provide persistent access to victim environments.
Marquis Hooper, a former U.S. Navy IT manager, has received a sentence of five years and five months in prison for illegally obtaining US citizens' personally identifiable information (PII) and selling it on the dark web. The man was indicted with his wife, Natasha Renee Chalk, in February 2021 and pleaded guilty to aggravated identity theft and conspiracy to commit wire fraud in March 2023.
A group of cyber activists under the Ukrainian Cyber Alliance (UAC) banner has hacked the servers of the Trigona ransomware gang and wiped them clean after copying all the information available. The Ukrainian Cyber Alliance fighters say they exfiltrated all of the data from the threat actor’s systems, including source code and database records, which may include decryption keys.
Taiwanese networking equipment manufacturer D-Link confirmed a data breach linked to information stolen from its network and put up for sale on BreachForums earlier this month. The attacker claims to have stolen source code for D-Link's D-View network management software, along with millions of entries containing personal information of customers and employees, including details on the company's CEO.
Last week, CISA warned organizations about critical and high-severity vulnerabilities in a human-machine interface (HMI) product made by Taiwan-based Weintek. According to CISA, the impacted product, the Weintek cMT HMI, is used worldwide, including in critical manufacturing organizations, which are considered part of critical infrastructure.
Amid the COVID-19 pandemic, as remote work became a necessity, IT teams had to rapidly implement protocols and software suites to maintain business continuity and efficiency. This involved enabling routing configurations and adjusting inbound and outbound policies on appliances that previously didn't support remote connections. This allowed networking appliances and software packages to be accessed and configured on-the-fly, enabling staff to access the necessary resources for their work from locations outside the traditional office spaces.
In a recent report from Cofense, the significance of using voice messages for communication was brought to the forefront. The report highlighted an ongoing phishing campaign where threat actors strategically included an access key in the email content, alluring users into accessing what appeared to be a genuine voice message intended for them.
The state-sponsored Russian hacking group tracked as 'Sandworm' has compromised eleven telecommunication service providers in Ukraine between May and September 2023. That is based on a new report by Ukraine's Computer Emergency Response Team (CERT-UA) citing 'public resources' and information retrieved from some breached providers.
Researchers from Sekoia have released details on a new campaign from the threat group behind SocGholish. This latest activity leverages compromised WordPress sites to push malicious fake browser updates. The campaign, which has been called ClearFake, injects Javascript into compromised WordPress websites so that it downloads another Javascript payload from an attacker controlled domain.
Colonial Pipeline has reported that there has been no disruption to its pipeline operations or systems following threats from a ransomware group known as Ransomed.vc. Colonial Pipeline is responsible for operating the largest pipeline system for refined oil products in the United States. The Ransomed.vc gang claimed that they had stolen data from Colonial Pipeline's systems.
In a recent report by SentinelOne, they've highlighted a noteworthy shift in the behavior of macOS malware. The trend we're observing is a move away from the concept of persistence, particularly in many malware families. Specifically, infostealers have taken center stage, aiming to accomplish their objectives in a single execution. This includes the theft of valuable data such as admin passwords, browsing history, and cookies, all achieved without relying on traditional methods of maintaining persistence.
A less detectable version of the RomCom backdoor was used to target attendees of the Women Political Leaders Summit in Brussels, which centers on gender equality and women in politics. The attackers created a fake website resembling the official WPL portal to lure individuals looking to participate or learn about the summit.
Like the Russia-Ukraine conflict, Hacktivism has appeared on the threat landscape as a result of the ongoing Israel-Hamas crisis. While early attacks were focused on DDoS and defacement, cybersecurity experts are now warning of signs that more impactful attacks are being attempted.
Microsoft says their Microsoft Defender for Endpoint helped block a large-scale hacking campaign carried out by the Akira ransomware group, which they track as Storm-1567. The attack which took place in early June was aimed at an industrial engineering organization.
The Environmental Protection Agency will no longer require cybersecurity audits of U.S. water utilities through sanitary surveys. “In a letter to state drinking water administrators on Thursday, the EPA said litigation from Republican states and trade associations, which raised questions about the long-term legal viability of the initiative to regulate the cybersecurity of water utilities, drove the decision to rescind a March memorandum implementing the rule.
Internet-exposed WS_FTP servers unpatched against a maximum severity vulnerability are now targeted in ransomware attacks. As recently observed by Sophos X-Ops incident responders, threat actors self-described as the Reichsadler Cybercrime Group attempted, unsuccessfully, to deploy ransomware payloads created using a LockBit 3.0 builder stolen in September 2022.
The DarkGate malware is being spread through messaging platforms like Skype and Microsoft Teams. It disguises itself as a PDF document, but contains a harmful script that downloads and runs the malware. It’s uncertain how the attackers compromised the messaging app accounts, but it’s suspected to be due to leaked credentials or a previous compromise of the organization.
In a recent report from Check Point, it was observed that ransomware actors can rapidly incapacitate systems through partial encryption. You might be wondering, what is partial encryption and why is it effective? Generally, encryption, especially for large data volumes, can be a time-consuming process. Consequently, attackers are seeking more efficient and effective methods to make victims' data inaccessible until the ransom is paid.
According to recent reporting, the majority of organizations facing ransomware attacks are choosing to pay ransoms, with over half paying more than $100,000 to regain access to their systems and data. A Splunk study found that 96% of respondents had encountered a ransomware attack, and 52% described the impact on their business as significant.
North Korea’s state-sponsored hackers, under the direction of its ruling regime, are constantly improving their tactics for conducting cyber operations. This information comes from a recent report by Google’s Mandiant threat intelligence team. The report reveals how the Pyongyang-based regime, despite its small population of 25 million, utilizes cyber intrusions for both espionage and financial crimes, thereby bolstering its power and financing its cyber and kinetic capabilities.
Microsoft threat intelligence experts are seeing a trend of Chinese threat groups deploying less desktop malware and prioritizing in stealing passwords and tokens that can be used to access sensitive systems used by remote workers. Ever since the COVID-19 pandemic, work from home has become a norm with organizations granting employees remote access to sensitive systems and resources.
Cofense has detected a surge in the abuse of LinkedIn Smart Links in phishing attacks allowing actors to bypass protection measures and evade detection. “Smart Links are part of LinkedIn's Sales Navigator service, used for marketing and tracking, allowing Business accounts to email content using trackable links to determine who engaged with it.
On October 11, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on AvosLocker ransomware. AvosLocker is a Ransomware-as-a-Service group that employs double extortion tactics in their ransomware attack campaigns. AvosLocker was first seen in June 2021, and they have multiple ransomware variants for Windows, Linux, and VMware ESXi environments.
Cofense has detected a surge in the abuse of LinkedIn Smart Links in phishing attacks allowing actors to bypass protection measures and evade detection. “Smart Links are part of LinkedIn's Sales Navigator service, used for marketing and tracking, allowing Business accounts to email content using trackable links to determine who engaged with it. Also, because Smart Link uses LinkedIn's domain followed by an eight-character code parameter, they appear to originate from a trustworthy source and bypass email protections” .
On October 11, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on AvosLocker ransomware. AvosLocker is a Ransomware-as-a-Service group that employs double extortion tactics in their ransomware attack campaigns. AvosLocker was first seen in June 2021, and they have multiple ransomware variants for Windows, Linux, and VMware ESXi environments.
Microsoft says a Chinese-backed threat group tracked as 'Storm-0062' (aka DarkShadow or Oro0lxy) has been exploiting a critical privilege escalation zero-day in the Atlassian Confluence Data Center and Server since September 14, 2023.
The People’s Republic of China (PRC) is likely prioritizing disruptive cyber capabilities against five key U.S. critical infrastructure sectors: Energy, Water and Wastewater systems, Communications, Transportation systems, and Financial services.
Last week, researchers warned of a critical flaw in curl, the popular command line transfer tool. Curl project founder and lead developer Daniel Stenberg called it “probably the worst curl security flaw in a long time.” While details were initially withheld, a patch released today fixed two separate vulnerabilities tracked as CVE-2023-38545 and CVE-2023-38546.
Researchers from GitHub security lab have discovered a critical vulnerability in a library used within the GNOME desktop environment for Linux systems. GNOME is a popular open-source desktop environment found in distributions like Ubuntu and Fedora. The vulnerability, rated 8.8 out of 10, resides in a library called "libcue," which is used for parsing metadata related to CD or DVD track layouts.
Google says it mitigated a series of DDoS attacks reaching a peak of 398 million requests per second (rps), which is nearly 9 times bigger than the largest-recorded DDoS attack last year, peaking at 46 million rps. The latest set of attacks started in August and are still ongoing. According to Google, the attacks rely on a novel technique dubbed “Rapid Reset” which leverages stream multiplexing, a feature of the widely-adopted HTTP/2 protocol.
Microsoft says it is in the works of removing VBScript (Visual Basic Script), a scripting language that was introduced by the tech giant approximately 30 years ago. Although VBScript was originally designed for Windows automation and administrative tasks, over the years, threat actors have misused it to create and distribute malicious payloads.
Security researchers have revealed evidence of a newly discovered APT group that primarily targeted Taiwanese organizations during a cyber-espionage campaign spanning at least four months. Known as "Grayling" according to Symantec, this group initiated their operations in February 2023 and persisted until at least May 2023.
As we approach the holiday season, we've remained vigilant in warning our members about the recent surge in phishing attacks targeting U.S. Postal Service (USPS) customers. These malicious campaigns are disseminated through SMS, email, and various other phishing methods. In these attacks, criminals impersonate USPS services with the intent to deceive individuals and pilfer personal and financial information.
According to Microsoft’s latest Digital Defense Report, Ukraine, the United States, and Israel were the most targeted countries based on state-sponsored threat activity observed by the tech giant against organizations in more than 120 countries. Based on intel gathered between July 2022 and June 2023, the majority of cyber attacks observed were fueled by nation-state spying and influence operations, with 40% of all observed attacks targeting critical infrastructure organizations.
The District of Columbia Board of Elections (DCBOE) is currently probing a data leak involving an unknown number of voter records following breach claims from a threat actor known as RansomedVC. DCBOE operates as an autonomous agency within the District of Columbia Government and is entrusted with overseeing elections, managing ballot access, and handling voter registration processes.
According to reports, several hacker groups have joined in on the Israel-Hamas conflict. State-sponsored threat actors have ramped up their cyber efforts, but so to have hacktivist groups supporting both sides of the war.
Hackers are conducting a large-scale campaign to exploit the recent CVE-2023-3519 flaw in Citrix NetScaler Gateways to steal user credentials. The flaw is a critical unauthenticated remote code execution bug discovered as a zero-day in July that impacts Citrix NetScaler ADC and NetScaler Gateway. By early August, the flaw had been leveraged to backdoor at least 640 Citrix servers, and the figure reached 2,000 by mid-August.
The UK's National Cyber Security Centre (NCSC) has released guidance to assist medium to large organizations in mapping their supply chains, with a focus on boosting confidence in managing vulnerabilities related to suppliers. Additionally, a report by Picus Security highlights the growing prevalence of multipurpose malware, which possesses multiple functionalities.
GitHub recently updated its secret scanning feature to extend validity checks to popular services including Amazon Web Services (AWS), Microsoft, Google, and Slack. The feature was introduced earlier this year to help alert users whether exposed tokens found by the secret scanning are active. While the feature was first enabled for GitHub tokens, the cloud-based code hosting and version control service is now including support for more tokens.
Sony Interactive Entertainment (Sony) has informed both current and former employees and their family members regarding a cybersecurity incident that resulted in the exposure of personal information. The company has dispatched data breach notifications to approximately 6,800 individuals, verifying that the breach transpired due to an unauthorized entity exploiting a zero-day vulnerability in the MOVEit Transfer platform.
A recent report highlights the growing presence of drones above sensitive maritime facilities, signaling a common occurrence. The report also criticizes the effectiveness of current federal counter-UAS legislation, citing a lack of authorities and capabilities to intercept suspicious drones. U.S. Coast Guard Capt. Andrew J. Meyers emphasized the importance of Area Maritime Security Committees (AMSCs) in safeguarding the nation's ports, praising their role in fostering relationships, collaborative planning, communication, and unity of effort.
Proof-of-concept exploits have already surfaced online for a high-severity flaw in GNU C Library's dynamic loader, allowing local attackers to gain root privileges on major Linux distributions. Dubbed 'Looney Tunables' and tracked as CVE-2023-4911, this security vulnerability is due to a buffer overflow weakness, and it affects default installations of Debian 12 and 13, Ubuntu 22.04 and 23.04, and Fedora 37 and 38.
Yesterday, Apple rolled out emergency security updates to fix a new zero-day flaw impacting iOS and iPadOS. Tracked as CVE-2023-42824, the bug stems from a weakness in the XNU kernel which could allow local attackers to escalate privileges on unpatched iPhones and iPads.
Atlassian has published security updates to fix an actively exploited zero-day vulnerability in its Confluence Data Center and Server software. Tracked as CVE-2023-22515, the flaw relates to a case of privilege escalation. Although Atlassian did not specify the root cause of this flaw, the vulnerability could allow a regular user account to elevate to admin.
In a recent report from Menlo Security, it was discovered that Indeed, a widely recognized global job search platform headquartered in the US, boasting over 350 million monthly visitors and a global workforce of more than 14,000 employees, has become the focus of a significant phishing campaign. This campaign underscores how threat actors can exploit the platform's credibility and popularity.
About 100,000 industrial control systems (ICS) were found on the public web, exposed to attackers probing them for vulnerabilities and at risk of unauthorized access. Among them are power grids, traffic light systems, security and water systems.
The commonality among "bank transfer request[.]lnk," "invoice OTP bank[.]pdf[.]lnk," and "URGENT-Invoice-27-August[.]docx[.]lnk" is that they are all names of Windows shortcut files found in Zip archives attached to phishing emails, as reported by Cisco Talos researchers.
A recently uncovered phishing campaign is targeting Microsoft 365 accounts of key executives in U.S.-based organizations by abusing open redirects from the Indeed employment website for job listings. The threat actor is using the EvilProxy phishing service that can collect session cookies, which can be used to bypass multi-factor authentication (MFA) mechanisms.
Security researchers discovered a new malware-as-a-service (MaaS) named 'BunnyLoader' advertised on multiple hacker forums as a fileless loader that can steal and replace the contents of the system clipboard. The malware is under rapid development, with updates adding new features and bug fixes. It can currently download and execute payloads, log keys, steal sensitive data and cryptocurrency, and execute remote commands.
According to a recent report from Malwarebytes, it was found that ransomware attacks don't typically originate as a fresh problem for organizations; instead, they are the grim culmination of unresolved network compromises. Threat actors gain initial access through stolen login credentials, deployed malware, or established backdoors—akin to leaving an unlocked door for future visits.
Human Security has exposed a significant monetization method employed by a sophisticated cyber-criminal operation. This operation involved the sale of backdoored off-brand mobile and CTV (Connected TV) Android devices through major retailers, which had originated from repackaging factories in China.
The FBI issued a public service announcement warning of a significant increase in 'phantom hacker' scams targeting senior citizens across the United States. ‘This Phantom Hacker scam is an evolution of more general tech support scams, layering imposter tech support, financial institution, and government personas to enhance the trust victims place in the scammers and identify the most lucrative accounts to target,’ the FBI said.
Ransomware gangs are now targeting a recently patched critical vulnerability in JetBrains' TeamCity continuous integration and deployment server. The flaw (tracked as CVE-2023-42793 and tagged with a 9.8/10 severity score) allows unauthenticated attackers to gain remote code execution (RCE) after successfully exploiting an authentication bypass weakness in low-complexity attacks that don't require user interaction.
In a recent report from Forbes, the nation's cybersecurity was in a tight spot when Congress passed a bill to keep the government running for the next 45 days. A government shutdown could have caused problems for many government functions, including those responsible for protecting the country from cyberattacks. Depending on how long the shutdown lasted, it could have led to a crisis for companies and organizations across the country.
Microsoft released emergency security updates for Edge, Teams, and Skype to patch two zero-day vulnerabilities in open-source libraries used by the three products. The first bug is a flaw tracked as CVE-2023-4863 and is caused by a heap buffer overflow weakness in the WebP code library (libwebp), whose impact ranges from crashes to arbitrary code execution.
In a recent report by SentinelOne, it's highlighted that Microsoft's security business has seen substantial growth, generating over $20 billion annually. The International Data Corporation (IDC) reported that Microsoft holds the largest market share in 2022, at 18.9%, with a 7.2% increase. Similarly, Gartner estimated that in 2021, Microsoft controlled 8.5% of the entire security software market, outperforming its competitors.
This report was filed under "Vendor Reports" because it was investigated by Microsoft (being the vendor) as a notable incident, "Microsoft researchers discovered that the threat actors gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook[.]com by forging authentication tokens to access user email." Microsoft corrected the issue in its products by, "Revoking all valid MSA signing keys to prevent attackers from accessing other compromised keys."
An emerging Android banking trojan called Zanubis is now masquerading as a Peruvian government app to trick unsuspecting users into installing the malware. ‘Zanubis's main infection path is through impersonating legitimate Peruvian Android applications and then tricking the user into enabling the Accessibility permissions in order to take full control of the device,’ Kaspersky said in an analysis published last week.
A critical zero-day vulnerability was disclosed in the Exim mail transfer agent (MTA) software, which if successfully exploited could enable an unauthenticated attacker to gain remote code execution on Internet-exposed servers. Tracked as CVE-2023-42115, the flaw resides in the SMTP service, which listens on TCP port 25 by default. According to Trend Micro’s Zero Day Initiative, which uncovered the flaw, CVE-2023-42115 results from a lack of proper validation of user-supplied data which could result in a write past the end of a buffer and further allow an attacker to execute code in the context of the service account.
Over the weekend, security researchers uncovered a critical vulnerability (CVE-2023-40044) in Progress Software's WS_FTP Server. They released a proof-of-concept (PoC) exploit along with technical details. The flaw stems from a .NET deserialization vulnerability in the Ad Hoc Transfer Module, allowing unauthenticated attackers to execute remote commands via a simple HTTP request. Assetnote researchers, who discovered the issue, expressed surprise at how long it remained unpatched.
Proof-of-concept exploit code has surfaced on GitHub for a critical authentication bypass vulnerability in Microsoft SharePoint Server, allowing privilege escalation. Tracked as CVE-2023-29357, the security flaw can let unauthenticated attackers gain administrator privileges following successful exploitation in low-complexity attacks that don't require user interaction.
The Lazarus APT, associated with North Korea, gained access to a Spanish aerospace company's network through a spearphishing campaign in which they posed as a Meta recruiter (the parent company of Facebook, Instagram, and WhatsApp). Their ultimate objective was cyberespionage.
Hackers targeted the European Telecommunications Standards Institute (ETSI), a nonprofit organization responsible for developing communication standards, and stole a user database. The motive behind the attack remains unclear, with suspicions ranging from financial gain to potential espionage. ETSI engaged France's cybersecurity agency ANSSI to investigate and enhance its information systems' security.
China-linked hackers breached Microsoft's email platform in May and stole tens of thousands of emails from U.S. State Department accounts, according to a Senate staffer. During a briefing by State Department IT officials, it was revealed that threat actors targeted around 60,000 emails from a total of 10 State Department accounts belonging to officials working in East Asia, the Pacific, and Europe.
A Chinese cyber-espionage group known as Budworm has recently been detected engaging in cyberattacks. They have specifically targeted a telecommunications company in the Middle East and a government organization in Asia. What's noteworthy is that they've deployed a new version of their customized 'SysUpdate' malware.
The Cybersecurity and Infrastructure Security Agency is preparing to furlough more than 80% of its workforce under a government shutdown, potentially leaving the lead U.S. cyber agency with a skeleton crew to initially respond to attacks on the networks of federal agencies and critical infrastructure.
Yesterday, Google released emergency security updates to address a zero-day flaw impacting its Chrome Browser. Tracked as CVE-2023-5217, the flaw relates to a heap buffer overflow weakness in the VP8 encoding of libvpx, an open-source video codec library from Google and the Alliance for Open Media (AOMedia). A successful exploit of this flaw could lead to browser crashes or arbitrary code execution.
Multiple vulnerabilities have been identified in Cisco Catalyst SD-WAN Manager (formerly Cisco SD-WAN vManage). These vulnerabilities could potentially allow attackers to access an affected instance or cause a denial of service (DoS) condition on the affected system. Cisco has taken action to address these vulnerabilities through software updates, "Although exploiting this vulnerability demands significant access to the target environment, threat actors have already initiated attacks, as reported by the company in the same advisory.
US and Japanese law enforcement and cybersecurity agencies warn of the Chinese 'BlackTech' hackers breaching network devices to install custom backdoors for access to corporate networks. The joint report comes from the FBI, NSA, CISA, and the Japanese NISC (cybersecurity) and NPA (police), who explain that the state-sponsored hacking group is breaching network devices at international subsidiaries to pivot to the networks of corporate headquarters.
Hackers are breaching GitHub accounts and inserting malicious code disguised as Dependabot contributions to steal authentication secrets and passwords from developers. The campaign unfolded in July 2023, when researchers discovered unusual commits on hundreds of public and private repositories forged to appear as Dependabot commits.
Researchers at Proofpoint have uncovered a new malware strain dubbed ZenRAT which is being distributed via bogus installation packages of the Bitwarden password manager. ZenRAT is a modular remote access trojan that comes with various modules designed to steal information from victims’ systems. Although researchers noted that ZenRAT is being hosted on fake websites pretending to be associated with Bitwarden, it’s unclear how end users are being directed to these sites.
Threat actors are employing a novel tactic by incorporating zero-point fonts within emails, creating the illusion that malicious emails have undergone successful security scans in Microsoft Outlook. While the ZeroFont phishing method has been previously observed, its current application marks a significant development. ISC Sans analyst Jan Kopriva, in a recent report, cautions that this technique could greatly enhance the success rate of phishing attacks, underscoring the importance of user awareness regarding its deployment in real-world scenarios.
Google has assigned a new CVE ID (CVE-2023-5129) to a libwebp security vulnerability exploited as a zero-day in attacks and patched two weeks ago. The company initially disclosed the flaw as a Chrome weakness, tracked as CVE-2023-4863, rather than assigning it to the open-source libwebp library used to encode and decode images in WebP format.
Security researchers have identified ShadowSyndicate as a threat actor using seven ransomware families in attacks over the past year. They suggest it could be an initial access broker and affiliate to ransomware operations. Their findings are based on a distinct SSH fingerprint found on 85 IP servers, discovered using tools like Shodan and Censys. This fingerprint was first seen in July 2022 and still in use in August 2023. Researchers also found eight different Cobalt Strike watermarks on ShadowSyndicate servers.
The Better Outcomes Registry & Network (BORN), a healthcare organization funded by the government of Ontario, has announced that it is among the victims of Clop ransomware's MOVEit hacking spree. BORN is a perinatal and child registry that collects, interprets, shares and protects critical data about pregnancy, birth and childhood in the province of Ontario.
An updated version of an Android banking trojan called Xenomorph has set its sights on more than 35 financial institutions in the U.S. The campaign, according to Dutch security firm ThreatFabric, leverages phishing web pages that are designed to entice victims into installing malicious Android apps that target a broader list of apps than its predecessors.
Resecurity research has uncovered that the 'Smishing Triad' cybercrime group, known for conducting phishing attacks via SMS (smishing), has expanded its operations into the United Arab Emirates (UAE).
The number of victim organizations hit by Cl0p via vulnerable MOVEit installations has surpassed 2,000, and the number of affected individuals is now over 60 million. The victim organizations are overwhelmingly based in the US.
Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin. ‘Since drones or Unmanned Aerial Vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-laced lure files themed as UAVs service manuals have begun to surface," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.
According to a joint investigation conducted by Citizen Lab and Google’s Threat Analysis Group, three zero-day flaws addressed by Apple on September 21, 2023, were leveraged as part of an exploit chain to deliver Predator spyware on the device of a former Egyptian member of parliament Ahmed Eltantawy.
A highly advanced backdoor malware called 'Deadglyph' was recently employed in a cyber espionage operation targeting a Middle Eastern government agency. This sophisticated malware, known as Deadglyph, has been linked to the Stealth Falcon Advanced Persistent Threat (APT) group, also known as Project Raven or FruityArmor.
Researchers at Kaspersky Lab have uncovered a new backdoor called "SessionManager" that has been used in attacks targeting Microsoft IIS Servers since March 2021. This backdoor allows threat actors to maintain persistent, update-resistant, and stealthy access to a targeted organization's IT infrastructure. It has been deployed in over 20 organizations, and as of late April 2022, many samples were not yet flagged as malicious by online file scanning services.
The City of Dallas, Texas, said this week that the Royal ransomware attack that forced it to shut down all IT systems in May started with a stolen account. Royal gained access to the City's network using a stolen domain service account in early April and maintained access to the compromised systems between April 7 and May 4. During this period, they successfully collected and exfiltrated 1.169 TB worth of files based on system log data analysis conducted by city officials and external cybersecurity experts.
Proofpoint has observed an increase in activity from specific malware families targeting Chinese-language speakers. Campaigns include Chinese-language lures and malware typically associated with Chinese cybercrime activity. Newly observed ValleyRAT is emerging as a new malware among Chinese-themed cybercrime activity, while Sainbox RAT and related variants are recently active as well.
Pro-Russia hacker group NoName is suspected of launching a DDoS cyberattack that caused significant disruptions at several Canadian airports. The attack affected check-in kiosks and electronic gates, leading to delays in the processing of arrivals at border checkpoints across the country. The Canada Border Services Agency (CBSA) confirmed the DDoS attack and is investigating the incident, assuring that no personal information has been compromised. No evidence of a data breach has been found at this time.
The P2PInfect botnet worm has entered a phase of significantly increased activity, with a notable surge observed from late August through September 2023. Initially documented by Unit 42 in July 2023, P2PInfect is categorized as a peer-to-peer malware that exploits a remote code execution vulnerability to breach Redis instances on internet-exposed Windows and Linux systems.
A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant).
Today, T-Mobile customers said they could see other peoples' account and billing information after logging into the company's official mobile application. According to user reports on social media, the exposed information included customers' names, phone numbers, addresses, account balances, and credit card details like the expiration dates and the last four digits.
Chinese-speaking individuals have become the focus of numerous email phishing campaigns, with the objective of disseminating various malware types like Sainbox RAT, Purple Fox, and a newly identified trojan named ValleyRAT.
GitLab recently rolled out security updates to address a critical vulnerability impacting its enterprise edition. Tracked as CVE-2023-5009, the flaw could enable an attacker to run pipelines as an arbitrary user via scheduled security scan policies. As such, the actor could use elevated permissions of the impersonated user to further access sensitive information, modify source code, or even run arbitrary code on the targeted system.
Finnish law enforcement authorities have announced the takedown of PIILOPUOTI, a dark web marketplace that specialized in illegal narcotics trade since May 2022. ‘The site operated as a hidden service in the encrypted TOR network,’ the Finnish Customs (aka Tulli) said in a brief announcement on Tuesday. ‘The site has been used in anonymous criminal activities such as narcotics trade.’
Threat actors exploited a recently disclosed WinRAR vulnerability (CVE-2023-40477) by repurposing an older proof-of-concept (PoC) code. The Zero Day Initiative initially reported the WinRAR vulnerability to the vendor on June 8, 2023, but publicly disclosed it on August 17, 2023. Within four days of the public disclosure, an actor known as "whalersplonk" uploaded a fake PoC script to their GitHub repository.
Snatch is a ransomware group primarily targeting Windows-based systems. They employ various tactics, including exploiting vulnerabilities, brute force attacks, and data exfiltration to compromise and extort victims. Snatch operates under a ransomware-as-a-service (RaaS) model and has targeted critical infrastructure sectors such as Defense Industrial Base (DIB), Food and Agriculture, and Information Technology.
Telecommunications companies have increasingly become the focus of state-sponsored actors and advanced adversaries in recent years. In 2022, the telecommunications sector consistently ranked as one of the most targeted verticals in Talos IR (Incident Response) engagements. Telecom companies control critical infrastructure assets, which make them attractive targets for adversaries seeking to create significant disruptions.
Trend Micro fixed a remote code execution zero-day vulnerability in the Trend Micro's Apex One endpoint protection solution that was actively exploited in attacks. Apex One is an endpoint security solution catering to businesses of all sizes, and the 'Worry-Free Business Security' suite is designed for small to medium-sized companies.
China-linked threat group Earth Lusca has deployed a new Linux malware called SprySOCKS in a recent cyber espionage campaign. Researchers at Trend Micro discovered this malware while tracking Earth Lusca's activities. SprySOCKS, based on an open-source Windows backdoor called Trochilus, was adapted for Linux. Earth Lusca continues to develop it, as evidenced by different versions detected.
CISA has published an additional malware analysis report associated with malicious Barracuda activity.
In the Middle East, telecommunication service providers are facing a new cyber threat known as ShroudedSnooper. This intrusion set employs a stealthy backdoor called HTTPSnoop, as reported by Cisco Talos. HTTPSnoop is a backdoor that uses innovative techniques to interface with Windows HTTP kernel drivers and devices.
The malware loader 'Bumblebee' has broken its two-month vacation with a new campaign that employs new distribution techniques that abuse 4shared WebDAV services. WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that enables clients to perform remote authoring operations such as creating, accessing, updating, and deleting web server content.
Microsoft on Monday said it took steps to correct a glaring security gaffe that led to the exposure of 38 terabytes of private data. The leak was discovered on the company's AI GitHub repository and is said to have been inadvertently made public when publishing a bucket of open-source training data, Wiz said. It also included a disk backup of two former employees' workstations containing secrets, keys, passwords, and over 30,000 internal Teams messages.
A new cloud-native cryptojacking operation, known as AMBERSQUID, is targeting less common AWS services like AWS Amplify, AWS Fargate, and Amazon SageMaker for illicit cryptocurrency mining. Sysdig, a security firm, identified this campaign while analyzing 1.7 million Docker Hub images and attributed it to Indonesian attackers due to their use of the Indonesian language in scripts and usernames.
“Researchers at vx-underground have uncovered a major data breach involving the hacker known as "USDoD," who leaked highly sensitive data from TransUnion, a leading consumer credit reporting agency. The breach exposed personal information of 58,505 individuals globally, including names, passport details, financial data, and more, dating back to March 2022.
The pro-Russian cybercrime group named NoName057(16) has been observed launching distributed denial-of-service (DDoS) attacks against Canadian organizations, a fresh government alert warns. Since March 2022, the threat actor – also known as NoName05716, 05716nnm or Nnm05716 – has been launching disruptive attacks in support of Russia’s invasion of Ukraine.
The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets' Azure cloud storage. While investigating a recent breach, Sophos X-Ops incident responders discovered that the attackers used a new Sphynx variant with added support for using custom credentials. After gaining access to the Sophos Central account using a stolen One-Time Password (OTP), they disabled Tamper Protection and modified the security policies
Since February 2023, Microsoft has reported that an Iranian-backed threat group known as APT33 (or Peach Sandstorm, HOLMIUM, Refined Kitten) has been conducting password spray attacks against thousands of organizations in the U.S. and globally. These attacks involve attempting to access multiple accounts using a single or commonly used password, increasing the chances of success without triggering account lockouts.
Trucking and fleet management solutions provider ORBCOMM has confirmed that a ransomware attack is behind recent service outages preventing trucking companies from managing their fleets. ORBCOMM is a solutions provider for freight companies to manage fleets and track transported assets. The company also provides Electronic Logging Devices (ELD) that truckers use to log their hours to adhere to federal safety regulations.
An ongoing campaign is targeting Facebook Business accounts with bogus messages to harvest victims' credentials using a variant of the Python-based NodeStealer and potentially take over their accounts for follow-on malicious activities. ‘The attacks are reaching victims mainly in Southern Europe and North America across different segments, led by the manufacturing services and technology sectors.
A major data breach at Airbus revealed earlier this week stemmed from a RedLine info-stealer likely hidden in a pirated copy of Microsoft software, according to researchers. The European aerospace giant said it has launched an investigation into the incident.
Despite authentication being a cornerstone of cybersecurity, risk mitigation strategies remain outdated, according to new research from Enzoic. With the attack surface expanding and the increasing sophistication of cyber threats, organizations are struggling to deliver secure and user-friendly authentication. The research uncovered that despite the emergence of modern strategies, most companies still rely on traditional approaches.
The "Scattered Spider" threat group is believed to be responsible for the cyberattack on MGM Resorts that occurred on September 10. This attack has left systems offline in over 30 hotels and casinos owned by the conglomerate worldwide, and the disruption continues even days later. As reported by Reuters, the Scattered Spider ransomware group, as identified by sources familiar with the situation, is believed to consist of young individuals based in the US and UK.
The iPhone belonging to Galina Timchenko, a prominent Russian journalist and critic of the government, was compromised with NSO Group's Pegasus spyware, a new collaborative investigation from Access Now and the Citizen Lab has revealed. The infiltration is said to have happened on or around February 10, 2023. Timchenko is the executive editor and owner of Meduza, an independent news publication based in Latvia.
Adobe recently addressed a critical flaw in Acrobat and Reader that could enable actors to execute malicious code on targeted systems. Tracked as CVE-2023-26369, the vulnerability has been rated 7.8 out of 10 on the CVSS scale, indicating a high level of severity. According to the vendor, CVE-2023-26369 relates to an out-of-bounds write issue and can be exploited to execute arbitrary code via specially crafted PDF documents.
Auckland Transport's Hop card system has been hit by a suspected ransomware attack, leading to disruptions in card top-up services and limited functionality at customer service centers. The attack is under investigation, and there is no indication that personal or financial data has been compromised. Commuters can still use their cards to tag on and off, but online top-ups and services on the AT website are unavailable.
Akamai researchers recently discovered a high-severity vulnerability in Kubernetes tracked as CVE-2023-3676 (CVSS 8.8). This identification of this issue led to the discovery of two more vulnerabilities tracked as CVE-2023-3893, and CVE-2023-3955 (CVSS 8.8). All three vulnerabilities were caused by insecure function call and the lack of user input sanitization.
A new strain of macOS malware is targeting enterprise users, as indicated by file names and content. Some versions of this malware, called MetaStealer, masquerade as Adobe files, while others use deceptive methods like password-protected ZIP files sent by fake clients. Once opened, these files reveal an app disguised as a PDF.
Microsoft has reported a change in tactics by an initial access broker, previously associated with ransomware groups. This actor, identified as Storm-0324, has shifted its focus to Microsoft Teams phishing attacks as a means to infiltrate corporate networks. Storm-0324 is a financially motivated threat group with a history of deploying ransomware such as Sage and GandCrab in previous campaigns.
A new ransomware family called 3AM has emerged in the wild after it was detected in a single incident in which an unidentified affiliate deployed the strain following an unsuccessful attempt to deliver LockBit (attributed to Bitwise Spider or Syrphid) in the target network. 3AM gets its name from the fact that it's referenced in the ransom note. It also appends encrypted files with the extension .threeamtime.
As part of the September Patch Tuesday, Microsoft addressed 59 flaws, including two zero-days that were exploited in attacks in the wild. In total, Microsoft released fixes for 3 Security Feature Bypass Vulnerabilities, 24 Remote Code Execution Vulnerabilities, 9 Information Disclosure Vulnerabilities, 3 Denial of Service Vulnerabilities, 5 Spoofing Vulnerabilities, and 5 Edge - Chromium Vulnerabilities.
Mozilla released emergency security updates today to fix a critical zero-day vulnerability exploited in the wild, impacting its Firefox web browser and Thunderbird email client. Tracked as CVE-2023-4863, the security flaw is caused by a heap buffer overflow in the WebP code library (libwebp), whose impact spans from crashes to arbitrary code execution.
Hackers use a massive network of fake and compromised Facebook accounts to send out millions of Messenger phishing messages to target Facebook business accounts with password-stealing malware. The attackers trick the targets into downloading a RAR/ZIP archive containing a downloader for an evasive Python-based stealer that grabs cookies and passwords stored in the victim's browser.
Yesterday, Google released security updates to fix a critical zero-vulnerability in its Chrome web browser. Tracked as CVE-2023-4863, the flaw relates to a heap-based buffer overflow in the WebP image format. Successful exploitation of this issue could result in browser crashes or arbitrary code execution.
Security researchers at Kaspersky have exposed the activities of the infamous ransomware group Cuba. In a recent advisory, Kaspersky revealed that this cyber-criminal gang has been targeting organizations across different industries worldwide. In December 2022, Kaspersky detected a suspicious incident on a client's system, which led to the discovery of three mysterious files triggering the komar65 library, also known as BUGHATCH.
Apple released security updates for older iPhones to fix a zero-day vulnerability tracked as CVE-2023-41064 that was actively exploited to infect iOS devices with NSO's Pegasus spyware. CVE-2023-31064 is a remote code execution flaw that is exploited by sending maliciously crafted images via iMessage.
An espionage threat group tracked as 'Redfly' hacked a national electricity grid organization in Asia and quietly maintained access to the breached network for six months. These new findings come from Symantec, who found evidence of ShadowPad malware activity in the organization's network between February 28 and August 3, 2023, along with keyloggers and specialized file launchers.
A recent phishing scheme has exploited Microsoft Teams messages as a means to distribute harmful attachments that deploy the DarkGate Loader malware. This campaign commenced in late August 2023, as phishing messages originating from two compromised external Office 365 accounts were observed, targeting various organizations. These accounts were employed to deceive Microsoft Teams users into downloading and launching a ZIP file titled "Alterations to the holiday calendar."
Several malicious Telegram clones for Android on Google Play were installed over 60,000 times, infecting people with spyware that steals user messages, contacts lists, and other data. The apps appear to be tailored for Chinese-speaking users and the Uighur ethnic minority, suggesting possible ties to the well-documented state monitoring and repression mechanisms. The apps were discovered by Kaspersky, who reported them to Google.
The Ragnar Locker ransomware gang has claimed responsibility for an attack on Israel's Mayanei Hayeshua hospital, threatening to leak 1 TB of data allegedly stolen during the cyberattack. The cyberattack on Mayanei Hayeshua occurred in early August, disrupting the hospital's record-keeping system and preventing new patients from receiving care.
Sri Lanka's government cloud system, Lanka Government Cloud (LGC), has fallen victim to a massive ransomware attack that began on August 26, 2023. The attack resulted in the encryption of LGC services and backup systems, affecting approximately 5,000 email addresses using the "gov[dot]lk" domain, including those of the Cabinet Office.
The United States, in coordination with the United Kingdom, sanctioned eleven more individuals who are members of the Russia-based Trickbot cybercrime group. The sanctions were provided by the U.S. Department of the Treasury’s Office of Foreign Assets Control. The sanctioned TrickBot members worked as administrators, managers, developers, and coders, who have materially supported the operations of the group. The group has been tied to Russian intelligence services and has targeted the U.S. government, companies and hospitals.
A new malvertising campaign has been observed distributing an updated version of a macOS stealer malware called Atomic Stealer (or AMOS), indicating that it's being actively maintained by its author. An off-the-shelf Golang malware available for $1,000 per month, Atomic Stealer first came to light in April 2023. Shortly after that, new variants with an expanded set of information-gathering features were detected in the wild, targeting gamers and cryptocurrency users.
Yesterday, Apple issued emergency security updates to address two zero-day flaws that were exploited in attacks targeting iPhone and Mac users. The vulnerabilities are being tracked as CVE-2023-41064 (discovered by Citizen Lab security researchers) and CVE-2023-41061 (discovered by Apple) and were found in the Image I/O and Wallet frameworks. CVE-2023-41064 relates to a validation issue in Wallet which can be exploite
Attackers operating from IP addresses in France, Luxembourg, and Germany have been utilizing the legitimate Windows tool, Advanced Installer, to create software packages that deliver cryptocurrency mining malware onto computers in various sectors. The malware payloads, as reported by Cisco Talos researchers on September 7, include the M3_Mini_RAT client stub. This remote access trojan enables the attackers to establish backdoors, download, and execute additional threats, including PhoenixMiner for Ethereum cryptocurrency mining and IOIMiner, a multi-coin mining threat.
A variant of the Mirai malware botnet has been observed infecting affordable Android TV set-top boxes that are widely used for media streaming by millions of users. Dr. Web's antivirus team reports that this trojan represents a fresh iteration of the 'Pandora' backdoor, initially seen in 2015. The primary focus of this campaign is on economical Android TV boxes such as the Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3.
Cisco has addressed multiple security vulnerabilities, including a critical bug (CVE-2023-20238), which could be exploited by remote attackers to gain control of affected systems or cause a denial-of-service (DoS) condition. The most severe vulnerability allows an attacker to bypass authentication, potentially leading to unauthorized access and misuse of the system.
State-backed hacking groups have breached a U.S. aeronautical organization using exploits targeting critical Zoho and Fortinet vulnerabilities, a joint advisory published by CISA, the FBI, and the United States Cyber Command (USCYBERCOM) revealed on Thursday.
As part of the September 2023 Android security updates, Google addressed 33 vulnerabilities, including a high-severity zero-day that is actively being exploited in the wild. Tracked as CVE-2023-35674, the zero-day flaw impacts the Android Framework and could allow threat actors to escalate privileges on vulnerable devices without requiring user interaction or additional execution privileges
The USA and the United Kingdom have sanctioned eleven Russian nationals associated with the TrickBot and Conti ransomware cybercrime operations. The TrickBot malware operation launched in 2015 and focused on stealing banking credentials. However, over time, it developed into a modular malware that provided initial access to corporate networks for other cybercrime operations, such as Ryuk and, later, Conti ransomware operations.
China has developed a new capability using artificial intelligence to automatically generate images for influence operations in the United States and other democracies. These images aim to mimic U.S. voters across the political spectrum and create controversy along racial, economic, and ideological lines. Microsoft's Threat Analysis Center (MTAC) has observed China-affiliated actors using AI-generated visual media in campaigns that focus on politically divisive topics and denigrate U.S. political figures and symbols.
In July, Microsoft announced it had mitigated an attack conducted by a China-linked threat actor, tracked as Storm-0558, which targeted customer emails. Storm-0558 threat actors focus on government agencies in Western Europe and were observed conducting cyberespionage, data theft, and credential access attacks.
Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes. ‘It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol,’ Morphisec said in a new detailed technical write-up shared with The Hacker News.
An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic. ‘New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments,’ Elastic Security Labs researchers Salim Bitam and Daniel Stepanic said in a technical report published late last month.
An entity identified as W3LL created a phishing toolkit capable of evading multi-factor authentication and employed various tools to compromise over 8,000 corporate Microsoft 365 accounts. Over the course of ten months, security experts detected the utilization of W3LL's resources and infrastructure in the establishment of approximately 850 phishing campaigns, targeting login credentials for more than 56,000 Microsoft 365 accounts.
The "Smishing Triad" cybercriminal group, believed to be Chinese-speaking, has been targeting individuals worldwide through a package tracking text scam sent via iMessage. Impersonating various postal services and government agencies, including the Royal Mail, New Zealand Postal Service, Correos, Postnord, Poste Italiane, and the Italian Revenue Service, the group aims to collect personal and payment information for identity theft and credit card fraud.
The government computer emergency response team of Ukraine, CERT-UA, recorded a targeted cyber attack against a critical energy infrastructure facility in Ukraine. To implement the malicious plan, an e-mail message with a fake sender address and a link to an archive, for example, "photo.zip", was distributed. Visiting the link will download a ZIP archive containing three JPG images (decoys) and a BAT file "weblinks.cmd" to the victim's computer.
A new open source tool designed to emulate cyber-attacks against operational technology (OT) has been released by MITRE and the US Cybersecurity and Infrastructure Security Agency (CISA). The MITRE Calder for OT is now publicly available as an extension to the open-source Caldera platform on GitHub.
Summoning Team’s Sina Kheirkhah recently published a proof-of-concept exploit code for a critical SSH authentication bypass vulnerability in VMware’s Aria Operations for Networks analysis tool. Tracked as CVE-2023-34039, the vulnerability can be exploited by remote attackers to bypass SSH authentication on unpatched appliances and access the tool’s command line interface.
The German Federal Financial Supervisory Authority (BaFin) announced today that an ongoing distributed denial-of-service (DDoS) attack has been impacting its website since Friday. BaFin is Germany’s financial regulatory authority, part of the Federal Ministry of Finance, responsible for supervising 2,700 banks, 800 financial, and 700 insurance service providers.
Two recent vulnerabilities in MinIO have been exploited by threat actors to breach object storage systems. This access allows the actors to view private information, execute arbitrary code, and potentially take over servers. MinIO is a open-source storage service that is compatible with various cloud containers including Amazon S3.
Researchers at Okta issued a warning regarding social engineering attacks directed at IT service desk agents serving U.S.-based clients. The aim of these attacks was to deceive these agents into resetting multi-factor authentication (MFA) for users with elevated privileges. The attackers' ultimate objective was to gain control of Okta Super Administrator accounts, which have extensive privileges. This access would enable them to exploit identity federation functionalities, permitting impersonation of users within the compromised organization.
North Korean state-sponsored hackers are behind the VMConnect campaign that uploaded to the PyPI (Python Package Index) repository malicious packages, one of them mimicking the VMware vSphere connector module vConnector. The packages were uploaded at the beginning of August, with one named VMConnect targeting IT professionals seeking virtualization tools.
Researchers found a vulnerability in the widely-used plugin, All-in-One WP Migration, employed for migrating WordPress sites, and having an active user base of 5 million. This vulnerability involves unauthorized manipulation of access tokens, potentially granting attackers access to sensitive site data. All-in-One WP Migration is a user-friendly tool tailored for WordPress site migration.
Researchers at ESET recently disclosed details of a new campaign where threat actors are using the Google Play Store and Samsung Galaxy Store to advertise malicious Android apps for Signal and Telegram, with the end goal of infecting unsuspecting users with BadBazaar spyware.
American entertainment giant Paramount Global disclosed a data breach after its systems got hacked and attackers gained access to personally identifiable information (PII). Paramount said in breach notification letters signed by Nickelodeon Animation Studio EVP Brian Keane sent to affected individuals that the attackers had access to its systems between May and June 2023.
Since March 2023 (and possibly even earlier), affiliates of the Akira and LockBit ransomware operators have been breaching organizations via Cisco ASA SSL VPN appliances, “In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity we’ve observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users (i.e., via MFA bypass groups),” Rapid7 researchers said on Tuesday.
According to a new report from the National Security and Defense Council of Ukraine, the Russian Gamaredon group has intensified their cyber espionage activities ahead of and during Ukraine’s current counter-offensive operations.
Yesterday afternoon, the FBI announced the disruption of the Qakbot botnet. Through an international law enforcement operation, authorities were able to not only seize infrastructure used by operators, but were able to uninstall the malware from infected devices.
VMware recently rolled out security updates to fix two vulnerabilities impacting Aria Operations for Networks, which could enable actors to bypass authentication and execute code remotely.
A new malspam campaign has been observed deploying an off-the-shelf malware called DarkGate. ‘The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates,’ Telekom Security said in a report published last week.
ChatGPT and similar large language models (LLMs) have added further complexity to the ever-growing online threat landscape. Cybercriminals no longer need advanced coding skills to execute fraud and other damaging attacks against online businesses and customers, thanks to bots-as-a-service, residential proxies, CAPTCHA farms, and other easily accessible tools.
A vulnerability in Skype mobile apps can be exploited by attackers to discover a user’s IP address – a piece of information that may endanger individuals whose physical security depends on their general location remaining secret. The security vulnerability has been discovered by a security researcher named Yossi, who privately reported it to Microsoft and demonstrated its effective exploitation to journalist Joseph Cox.
The Spanish National Police has issued an alert about an active ransomware campaign known as 'LockBit Locker,' which is currently targeting architecture firms in the country using phishing emails. According to the translated police statement, a series of emails have been identified as being sent to architecture companies.
Researchers from ReliaQuest found that cybercriminals relied primarily on seven different malware loaders to carry out attacks in the first half of 2023. QakBot, SocGholish, and Raspberry Robin were the most commonly used loaders, accounting for roughly 80% of all intrusions. GootLoader, ChromeLoader, Guloader, and Ursnif were also commonly seen.
According to Sophos, an unknown threat actor believed to be linked to the FIN8 hacking group, has been exploiting a critical remote code execution flaw (CVE-2023-3519) to compromise unpatched Citrix NetScaler systems in domain-wide attacks.
Japan's computer emergency response team (JPCERT) is sharing a new 'MalDoc in PDF' attack detected in July 2023 that bypasses detection by embedding malicious Word files into PDFs. The file sampled by JPCERT is a polyglot recognized by most scanning engines and tools as a PDF, yet office applications can open it as a regular Word document (.doc). Polyglots are files that contain two distinct file formats that can be interpreted and executed as more than one file type, depending on the application reading/opening them.
Microsoft has detected a new hacking collective referred to as Flax Typhoon. This group focuses on government bodies, educational institutions, vital manufacturing units, and IT organizations, presumably with the aim of espionage. The attackers avoid heavy usage of malware for infiltrating and controlling victim networks. Instead, they opt for utilizing existing components within the operating system, often referred to as living-off-the-land binaries (LOLBins), along with legitimate software.
An updated version of a botnet malware called KmsdBot is now targeting Internet of Things (IoT) devices, simultaneously branching out its capabilities and the attack surface. ‘The binary now includes support for Telnet scanning and support for more CPU architectures,’ Akamai security researcher Larry W. Cashdollar said in an analysis published this month. The latest iteration, observed since July 16, 2023, comes months after it emerged that the botnet is being offered as a DDoS-for-hire service to other threat actors.
The Rhysida ransomware group recently claimed responsibility for a cyberattack targeting Prospect Medical Holdings, a US healthcare company operating 16 hospitals in California, Connecticut, Pennsylvania, and Rhode Island and a network of 166 outpatient clinics and centers. The attack allegedly took place on August 3rd, with employees finding ransom notes on their systems stating that their network was hacked and devices had been encrypted. Due to the attack, the hospitals were forced to shut down their IT networks to mitigate the impact, causing employees to use paper charts.
Emsisoft released a report this week detailing the massive ransomware campaign carried out by the Cl0p ransomware group, which targeted the MOVEit Transfer file transfer platform. According to Emsisoft, “the attacks impacted approximately 1,000 Organizations and 60,144,069 individuals.
Poland's Internal Security Agency (ABW) and national police are investigating a hacking attack on the country's state railway network. The attack disrupted railway traffic overnight and triggered an emergency status that stopped trains near the city of Szczecin. The attack is suspected to be part of broader destabilization efforts by Russia, possibly in conjunction with Belarus.
Cybersecurity experts have revealed an intricate network of interconnected ransomware types that all stem from a shared origin: the Adhubllka ransomware group. Netenrich, a cybersecurity firm, conducted a study exploring the lineage of various ransomware versions, such as LOLKEK, BIT, OBZ, U2K, and TZW. The researchers discovered significant resemblances in code, tactics, and infrastructure among these apparently distinct ransomware types. By tracking the evolution of these variants, the experts established a genealogical link connecting them to the original Adhubllka ransomware, which emerged in January 2020.
A new financially motivated operation is leveraging a malicious Telegram bot to help threat actors scam their victims. Dubbed Telekopye, a portmanteau of Telegram and kopye (meaning "spear" in Russian), the toolkit functions as an automated means to create a phishing web page from a premade template and send the URL to potential victims, codenamed Mammoths by the criminals.
WordPress security company Patchstack discovered two critical vulnerabilities affecting Jupiter X Core, a premium visual editor plugin for setting up Wordpress and WooCommerce websites. The first flaw tracked as CVE-2023-38388, allows unauthenticated threat actors to upload files, which could lead to arbitrary code execution on the server.
Researchers from Secureworks Counter Threat Unit (CTU) have identified a new Wi-Fi scanning malware named Whiffy Recon, which has been dropped by the Smoke Loader botnet. This malicious code employs nearby Wi-Fi access points as reference points for Google's geolocation API to triangulate the positions of infected systems.
Ransomware threat actors are reducing the time they spend within compromised networks before being detected by security solutions. In the first half of this year, the median dwell time for these hackers decreased to five days from nine days in 2022. However, the overall median dwell time for all cyberattacks dropped to eight days from ten in 2022, indicating a general trend of quicker detection. Ransomware attacks constituted nearly 69% of all recorded cyberattacks during this period.
The FBI in the United States issued a cautionary notice regarding the potential efforts of threat actors associated with North Korea to convert pilfered cryptocurrency, totaling over $40 million in value. In a disclosure, the Federal Bureau of Investigation outlined the actions of six cryptocurrency wallets operated by entities connected to North Korea. These wallets possess approximately 1,580 Bitcoin, equivalent to around $41 million based on current valuations. Authorities suspect these funds are connected to the recent heist of a substantial sum of cryptocurrency, amounting to hundreds of millions of dollars.
A toolkit possibly developed by Russian individuals, known as Telekopye to security experts, aims to let fraudsters focus on refining their social engineering skills, freeing them from the technical aspects of online scams. Eset researchers uncovered a tool they named Telekopye, derived from the combination of "Telegram" and "kopye," the Russian word for spear.
Thousands of Openfire servers remain vulnerable to CVE-2023-32315, an actively exploited and path traversal vulnerability that allows an unauthenticated user to create new admin accounts. Openfire is a widely used Java-based open-source chat (XMPP) server downloaded 9 million times. On May 23, 2023, it was disclosed that the software was impacted by an authentication bypass issue that affected version 3.10.0, released in April 2015, until that point.
Danish hosting firms CloudNordic and AzeroCloud recently disclosed that they suffered from a ransomware attack, causing the firms to lose a majority of customer data and shut down all systems, including websites, emails, and customer sites. Since the attack took place last Friday, IT teams have only managed to restore some of the servers without any data, with CloudNordic stating that the restoration process isn’t going smoothly and that many of their customers’ data seems irrecoverable.
The Barracuda Email Security Gateway (ESG) vulnerability, identified as CVE-2023-2868, has been exploited by a Chinese state-sponsored cyberespionage group named UNC4841. This vulnerability affects Barracuda ESG versions 5.1.3.001 to 9.2.0.006, enabling attackers to perform command injections via specially crafted TAR file attachments in emails. Despite Barracuda's patch release in May 2023, the FBI has found that the patches are ineffective, and the vulnerability remains actively exploited.
The North Korean state-backed hacker group Lazarus has been exploiting a critical vulnerability (CVE-2022-47966) in Zoho's ManageEngine ServiceDesk software to compromise an internet backbone infrastructure provider and healthcare organizations. This campaign began in early 2023, targeting entities in the U.S. and U.K. The attackers employed the QuiteRAT malware and a newly identified remote access trojan (RAT) named CollectionRAT. The latter was discovered through the analysis of the group's infrastructure.
ESET researchers found the Spacecolon toolkit spreading Scarab ransomware across global organizations. It exploits weak web servers or RDP credentials for entry, with Turkish elements hinting at a Turkish-speaking developer. Spacecolon dates back to May 2020, with ongoing campaigns and a recent May 2023 build. ESET hasn’t linked it to any known group naming it “CosmicBeetle”.
The TP-Link Tapo L530E smart bulb and its corresponding mobile app are affected by four vulnerabilities, leaving users susceptible to hacking. Researchers from the University of Catania and the University of London have identified these vulnerabilities, which could potentially enable attackers to pilfer users' WiFi passwords.
There's mounting evidence that Akira ransomware targets Cisco VPN (virtual private network) products as an attack vector to breach corporate networks, steal, and eventually encrypt data. Akira ransomware is a relatively new ransomware operation launched in March 2023, with the group later adding a Linux encryptor to target VMware ESXi virtual machines.
According to Group-IB a WInRaR zero-day vulnerability was actively exploited to install malware when clicking on harmless files in an archive, allowing hackers to breach online cryptocurrency trading accounts. Tracked as CVE-2023-38831, the vulnerability is triggered by creating specially crafted archives with a slightly modified structure compared to safe files, which causes WinRAR's ShellExecute function to receive an incorrect parameter when it attempts to open the decoy file.
The scraped data of 2.6 million DuoLingo users was leaked on a hacking forum, allowing threat actors to conduct targeted phishing attacks using the exposed information. Duolingo is one of the largest language learning sites in the world, with over 74 million monthly users worldwide. In January 2023, someone was selling the scraped data of 2.6 million DuoLingo users on the now-shutdown Breached hacking forum for $1,500. This data includes a mixture of public login and real names, and non-public information, including email addresses and internal information related to the DuoLingo service.
US based software company Ivanti has issued a warning to its customers about an ongoing exploitation of a critical Sentry API authentication bypass vulnerability. The vulnerability affects Ivanti Sentry, which serves as a gatekeeper for enterprise ActiveSync and Sharepoint servers, as well as a Kerberos Key Distribution Center Proxy server. The cybersecurity firm Mnemonic discovered the vulnerability (CVE-2023-38035), allowing unauthorized attackers to access sensitive admin portal configuration APIs through port 8443 used by Mobile Iron Configuration Service (MICS).
An undisclosed Advanced Persistent Threat (APT) hacking collective known as 'Carderbee' has been detected launching assaults on various institutions situated in Hong Kong and other parts of Asia. This group employs authentic software to infiltrate victims' machines with the PlugX malware. According to findings from Symantec, the legitimate software involved in this supply chain breach is Cobra DocGuard, designed by the Chinese developer 'EsafeNet.' This software is typically employed in security applications for tasks like data encryption and decryption.
CISA has added a critical flaw in Adobe ColdFusion to its catalog of actively exploited vulnerabilities. Tracked as CVE-2023-26359, the flaw relates to a deserialization bug residing in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier).
A legitimate-looking ad for Amazon in Google search results redirects visitors to a Microsoft Defender tech support scam that locks up their browser. Today, BleepingComputer was alerted to what appeared to be a valid advertisement for Amazon in the Google search results. The advertisement shows Amazon's legitimate URL, just like in the company's typical search result.
A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called ‘OfficeNote.’ ‘The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg, SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis.
The Cuba ransomware group has been observed launching attacks against critical infrastructure organizations in the US and IT firms in Latin America. They utilize a mix of both old and new tools. In early June 2023, Blackberry’s Threat Research and Intelligence Team identified this recent campaign. They have noted that Cuba now uses CVE-2023-27543 to extract credentials from configuration files.
The Kimsuky APT, believed to have ties to North Korea, initiated a spear-phishing effort directed at American contractors participating in a war simulation center. The South Korean police recently revealed this, clarifying that although the state-affiliated hackers did engage in the campaign, no sensitive information was compromised.
The threat actors behind the HiatusRAT malware have returned from their hiatus with a new wave of reconnaissance and targeting activity aimed at Taiwan-based organizations and a U.S. military procurement system. Besides recompiling malware samples for different architectures, the artifacts are said to have been hosted on new virtual private servers (VPSs), Lumen Black Lotus Labs said in a report published last week.
An international law enforcement operation led by Interpol has led to the arrest of 14 suspected cybercriminals in an operation codenamed 'Africa Cyber Surge II,' launched in April 2023. The four-month operation spanned 25 African countries and disrupted over 20,000 cybercrime networks engaged in extortion, phishing, BEC, and online scams, responsible for financial losses of over $40,000,000.
RARLAB recently fixed a high-severity vulnerability in WinRAR, a popular file archiver utility for Windows used by millions of users worldwide. Tracked as CVE-2023-40477, the flaw was discovered by security researcher “goodbyeselene” from Zero Day Initiative, who reported the bug to RARLab on June 8th, 2023.
Microsoft has identified a new variant of the BlackCat ransomware which incorporates the Impacket networking framework and the Remcom hacking tool. These tools facilitate the ransomware’s ability to propagate within a compromised network.
Since at least 2019, Mandiant has tracked threat actor interest in, and use of, AI capabilities to facilitate a variety of malicious activity. Based on our own observations and open source accounts, adoption of AI in intrusion operations remains limited and primarily related to social engineering.
The Cybernews research team delved into an often overlooked aspect of website security—HTTP security headers. These headers guide browsers in interacting with web pages, defending against cyber threats. They studied the top 100 sites, including Pinterest, IMDB, and Facebook. Results revealed many popular websites lacking crucial security measures, raising concerns for both site owners and users.
Google has announced plans to add a new feature in the upcoming version of its Chrome web browser to alert users when an extension they have installed has been removed from the Chrome Web Store. The feature, set for release alongside Chrome 117, allows users to be notified when an add-on has been unpublished by a developer, taken down for violating Chrome Web Store policy, or marked as malware.
A new "mass-spreading" social engineering campaign is targeting users of the Zimbra Collaboration email server with an aim to collect their login credentials for use in follow-on operations. The activity, active since April 2023 and still ongoing, targets a wide range of small and medium businesses and governmental entities, most of which are located in Poland, Ecuador, Mexico, Italy, and Russia.
The Monti ransomware gang has returned, after a two-month break from publishing victims on their data leak site, using a new Linux locker to target VMware ESXi servers, legal, and government organizations. Researchers at Trend Micro analyzing the new encryption tool from Monti found that it has ‘significant deviations from its other Linux-based predecessors.
CVE-2023-2868 is a critical command injection vulnerability in Barracuda Email Security Gateway (ESG), a platform used for email management and filtering malicious emails. Threat actors can exploit this vulnerability to compromise Barracuda ESG and access targets' email records and content.
Hudson Rock, a threat intelligence firm, uncovered cybercrime forum credentials on about 120,000 computers infected with various info-stealer malware. These compromised computers, spanning from 2018 to 2023, were largely owned by threat actors themselves. The analysis of over 14.5 million infected computers revealed hackers' identities through additional credentials, autofill data, and system info.
As part of a joint effort with Dutch Institute of Vulnerability Disclosure (DIVD), researchers at cybersecurity company Fox-IT (NCC Group) have uncovered a large-scale campaign that planted webshells on Citrix Netscaler servers vulnerable to CVE-2023-3519, a critical remote code execution flaw that was patched on July 18. By scanning the internet, they uncovered 2491 webshells across 1952 distinct NetScaler servers, which made up 6% of all Netscalers (31,127) vulnerable to CVE-2023-3519, on a global scale, as of July 21, 2023.
A phishing campaign was observed predominantly targeting a notable energy company in the US, employing QR codes to slip malicious emails into inboxes and bypass security. Roughly one-third (29%) of the 1,000 emails attributed to this campaign targeted a large US energy company, while the remaining attempts were made against firms in manufacturing (15%), insurance (9%), technology (7%), and financial services (6%). According to Cofense, who spotted this campaign, this is the first time that QR codes have been used at this scale, indicating that more phishing actors may be testing their effectiveness as an attack vector.
Linkedin is facing a surge of account breaches, leading to numerous accounts being either locked for security concerns or seized by malicious actors. According to a recent report from Cyberint, numerous LinkedIn users have expressed frustration over compromised accounts or access issues, with attempts to address these problems through LinkedIn support. Although, LinkedIn’s support response time has lengthened, no official statement has been made yet.
CISA recently added a critical flaw to its known catalog of actively exploited vulnerabilities. Tracked as CVE-2023-24489, the flaw relates to an improper access control bug in Citrix ShareFile storage zones controller and can be exploited by an unauthenticated threat actor to remotely compromise the controller.
Anonfiles, a popular service for sharing files anonymously, has shut down after saying it can no longer deal with the overwhelming abuse by its users. Anonfiles is an anonymous file-sharing site that allows people to share files anonymously without their activity being logged. However, it soon became one of the most popular file-sharing services used by threat actors to share samples of stolen data, stolen credentials, and copyrighted material. F
The Clorox Company, a prominent multinational consumer goods firm known for its household and professional cleaning, health, and personal care products, recently faced a cybersecurity breach that compelled them to take specific systems offline. Detecting unauthorized activity on their Information Technology (IT) systems, Clorox swiftly initiated measures to halt and rectify the situation, including offline system shutdowns, as stated in an 8-K filing.
The resurgence of the Raccoon Stealer malware is marked by the release of version 2.3.0 after a 6-month hiatus. Raccoon Stealer is a well-known information-stealing malware that has been active since 2019, offered to threat actors through a subscription model at $200 per month. The malware targets over 60 applications to collect sensitive data such as login credentials, credit card details, browsing history, cookies, and cryptocurrency wallets.
Researchers have discovered a widespread operation that distributed proxy server applications to over 400,000 Windows systems. These devices function as residential exit nodes without obtaining users’ permission, and a company is making money by charging for the proxy traffic that passes through these machines. Threat actors find residential proxies useful for carrying out extensive credential stuffing attacks using new IP addresses.
The Uptycs Threat Research team discovered the QwixxRAT (aka Telegram RAT) in early August 2023 while it was advertised through Telegram and Discord platforms. According to the experts, QwixxRAT is meticulously designed to steal a broad range of information, including data from browser histories, credit card details, screenshots, and keystrokes.
Multiple vulnerabilities have been discovered in data center power management systems and supply technologies, enabling unauthorized access and remote code injection by threat actors. These vulnerabilities can be exploited to gain full access to data center systems, perform remote code injection, and create backdoors, potentially compromising connected devices and the broader network. The vulnerabilities were found in CyberPower's PowerPanel Enterprise Data Center Infrastructure Management platform and Dataprobe's iBoot Power Distribution Unit.
The FBI has raised an alert about a new strategy employed by cybercriminals. They are now pushing harmful “beta” editions of cryptocurrency investment applications on widely used mobile app stores. These apps are subsequently exploited to pilfer cryptocurrency. The perpetrators introduce these harmful apps to the mobile app stores under the guise of “beta” versions.
E-commerce sites using Adobe's Magento 2 software are the target of an ongoing campaign that has been active since at least January 2023. The attacks, dubbed Xurum by Akamai, leverage a now-patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution. ‘The attacker seems to be interested in payment stats from the orders in the victim's Magento store placed in the past 10 days,’ Akamai researchers said in an analysis published last week, attributing the campaign to actors of Russian origin.
Researchers from New York University, New York University Abu Dhabi, and KU Leuven University have discovered several vulnerabilities affecting most VPN products that can be exploited by attackers to read user traffic, steal user information, or attack user devices. The attacks, known as TunnelCrack attacks, are independent of the VPN protocol being used and can reveal which websites a user is visiting, posing a significant privacy risk even if the user is using additional encryption such as HTTPS.
Researchers from UC Irvine and Tsinghua University have introduced a cache poisoning attack named 'MaginotDNS' that targets Conditional DNS (CDNS) resolvers, potentially compromising entire top-level domains (TLDs). This attack capitalizes on security inconsistencies in various DNS software and server modes, rendering around one-third of CDNS servers vulnerable.
Microsoft recently disclosed 15 high-severity vulnerabilities in CODESYS V3 software development kit (SDK), which is a software development environment widely used to program and engineer programmable logic controllers.
A cyberattack on MOVEit file-transfer servers since late May has affected over 637 organizations. German cybersecurity company KonBriefing reported this number. It includes groups directly hacked through their MOVEit servers and others connected to users of Progress Software's file-transfer tool. The Clop ransomware group, thought to be Russian, is behind the attacks. They've taken data with personal details of about 41 million people.
An unknown threat actor has been linked to a cyber attack on a power generation company in southern Africa with a new variant of the SystemBC malware called DroxiDat as a precursor to a suspected ransomware attack. ‘The proxy-capable backdoor was deployed alongside Cobalt Strike Beacons in a south African nation's critical infrastructure,’ Kurt Baumgartner, principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT), said.
Researchers at Zscaler recently disclosed details of a new information-stealing malware dubbed Statc Stealer that has been observed infecting Windows devices. Written in the C++ programming language, Statc Stealer is capable of performing filename discrepancy checks to prevent sandbox detection and reverse engineering analysis by security professionals.
The U.S. government released a report after analyzing simple techniques, e.g. SIM swapping, used by the Lapsus$ extortion group to breach dozens of organizations with a strong security posture. Reviewing the group’s operations started in December last year following a long trail of incidents attributed to or claimed by Lapsus$ after leaking proprietary data from alleged victims.
The newly surfaced Rhysida ransomware faction has swiftly become a concerning addition to the growing threat landscape. Its involvement in a series of impactful assaults since its emergence in May of this year has been linked to the well-known Vice Society ransomware group, which has been operating since 2021. Among the entities targeted by Rhysida are the Chilean Army and Prospect Medical Holdings. In a recent incident, the group’s attack had a far reaching impact, affecting 17 hospitals and 166 clinics across the United States.
This week, the Missouri Department of Social Services (DSS) disclosed that Medicaid healthcare information was potentially exposed after IBM suffered a data breach. The attack was carried out by the Clop ransomware gang, which has been hacking vulnerable MOVEit Transfer servers worldwide by exploiting a SQL injection vulnerability (CVE-2023-34362) in the file transfer solution.
The Government Computer Emergency Response Team of Ukraine (CERT-UA) recently published an advisory warning against attacks targeting state organizations using Merlin, an open-source post-exploitation and command and control framework. Merlin was developed in the Go programming language and is available for free on GitHub.
The US National Institute of Standards and Technology (NIST) has released a new draft version of its popular best practice security framework, designed to expand its scope and provide more guidance on implementation. The NIST Cybersecurity Framework (CSF) 2.0 is the first refresh since it was launched in 2014. It is designed to help organizations “understand, reduce and communicate about cybersecurity risk,” the standards body said.
EvilProxy has emerged as a widely used phishing platform for attacking MFA-secured accounts. According to Proofpoint’s recent findings, over 120,000 phishing emails have been sent to more than a hundred organizations in an attempt to compromise Microsoft 365 accounts. Proofpoint’s research highlights a significant increase in successful cloud account takeovers, especially affecting top-level executives, over the last five months.
The U.K. Electoral Commission on Tuesday disclosed a "complex" cyber attack on its systems that went undetected for over a year, allowing the threat actors to access years worth of voter data belonging to 40 million people. ‘The incident was identified in October 2022 after suspicious activity was detected on our systems," the regulator said.
As part of the August Patch Tuesday, Microsoft patched 87 flaws, two of which were actively exploited zero-days. In total, the tech giant released fixes for 18 Elevation of Privilege vulnerabilities, 3 Security Feature Bypass vulnerabilities, 23 Remote Code Execution vulnerabilities, 10 Information Disclosure vulnerabilities, 8 Denial of Service vulnerabilities, and 12 Spoofing vulnerabilities.
A phishing-as-a-service (PaaS) platform which may have been responsible for over 150,000 phishing domains has been taken offline after an Interpol-led operation, the policing group said. Interpol teamed up with investigators in Indonesia, Japan and the US and industry partners the Cyber Defense Institute, Group-IB, Palo Alto Networks Unit 42, Trend Micro and Cybertoolbelt to make the arrests.
The LockBit ransomware group has claimed responsibility for hacking Varian Medical Systems, a healthcare company that designs and manufactures medical devices and software for cancer treatment. The group threatens to leak medical data belonging to cancer patients. Varian Medical Systems operates globally and is owned by Siemens Healthineers, generating significant revenue.
The Google Play store was infiltrated by 43 Android applications with 2.5 million installs that secretly displayed advertisements while a phone's screen was off, running down a device's battery. McAfee's Mobile Research Team discovered the malicious Android apps and reported them to Google as they violated Google Play Store's policies.
An unknown threat actor is using a variant of the Yashma ransomware to target various entities in English-speaking countries, Bulgaria, China, and Vietnam at least since June 4, 2023. Cisco Talos, in a new write-up, attributed the operation with moderate confidence to an adversary of likely Vietnamese origin.
The cyberattack on the IT systems and email server of NPO Mashinostroyeniya, a Russian organization specializing in space rocket design and intercontinental ballistic missile engineering, has been attributed to the North Korean state sponsored hacking group ScarCruft. This group has a history of engaging in cyber activities with links to various targets.
Horizon3 researchers recently disclosed a new high-severity vulnerability in PaperCut print management software for Windows that could result in remote code execution in certain configurations. Tracked as CVE-2023-39143, the flaw impacts PaperCut NG/MF prior to version 22.1.3. A successful exploit of CVE-2023-39143 could potentially allow unauthenticated attackers to read, delete, and upload arbitrary files to the PaperCut MF/NG application server.
The Colorado Department of Higher Education (CDHE) discloses a massive data breach impacting students, past students, and teachers after suffering a ransomware attack in June. In a 'Notice of Data Incident' published on the CDHE website, the Department says they suffered a ransomware attack on June 19th, 2023. When ransomware gangs breach an organization, they quietly spread through a network while stealing sensitive data and files from computers and servers.
The Clop ransomware gang has changed their extortion approach once more, now employing torrents to release the data they stole during MOVEit attacks. The ransomware gang started extorting victims on June 14 by gradually adding names to their Tor data leak site and eventually making the files public. However, the slow download speed on Tor sites limited the potential damage.
A leading Spanish research institute has become the latest organization in the country to come under cyber-attack from Russia, after a weeks-long DDoS campaign that appears to be geopolitically motivated. Local reports claimed that prolific hacktivist group NoName057 is responsible for the DDoS blitz, which impacted at least 72 websites between July 19 and 30.
A team of researchers from British universities has developed a deep learning model called 'CoAtNet' that can perform acoustic attacks by stealing data from keyboard keystrokes recorded using a microphone. The model achieved an alarming accuracy of 95% in predicting the keystrokes, showcasing the potential danger of sound-based side-channel attacks. The study reveals that even when using platforms like Zoom for training, the prediction accuracy only dropped slightly to 93%, which is still a significant threat.
Malware-related cyber-threats in operational technology (OT) and Internet of Things (IoT) environments jumped tenfold year-on-year in the first six months of 2023, according to Nozomi Networks. In their latest “OT & IoT Security Report” the researchers shared ICS vulnerabilities, data from IoT honeypots and attack statistics from OT environments. “Specific to malware, denial-of-service (DoS) activity remains one of the most prevalent attacks against OT systems,” the vendor explained in a blog post announcing the report.
Chinese state-sponsored hackers have been targeting industrial organizations with new malware that can steal data from air-gapped systems. Air-gapped systems typically fulfill critical roles and are isolated from the enterprise network and the public internet either physically or through software and network devices. Researchers at cybersecurity company Kaspersky discovered the new malware and attributed it to the cyber-espionage group APT31, a.k.a. Zirconium.
The number of ransomware attacks targeting industrial organizations and infrastructure has doubled since the second quarter of 2022, according to data from industrial cybersecurity firm Dragos. In a report analyzing data from the second quarter of 2023, Dragos said it saw 253 ransomware incidents, up 18% from the first quarter of 2023, when it observed 214 attacks.
Hackers are using a fake Android app named 'SafeChat' to infect devices with spyware malware that steals call logs, texts, and GPS locations from phones. The Android spyware is suspected to be a variant of "Coverlm," which steals data from communication apps such as Telegram, Signal, WhatsApp, Viber, and Facebook Messenger. CYFIRMA researchers say the Indian APT hacking group 'Bahamut' is behind the campaign, with their latest attacks conducted mainly through spear phishing messages on WhatsApp that send the malicious payloads directly to the victim.
In July, researchers from Palo Alto Networks Unit 42 discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers on Linux and Windows systems. P2PInfect is written in Rust and exploits the CVE-2022-0543 vulnerability to gain initial access. It establishes P2P communication to the network and has been found on over 307,000 unique public Redis systems in the past two weeks, with 934 possibly vulnerable. The worm's goal and the threat actors behind it remain unclear.
In the wake of WormGPT, a ChatGPT clone trained on malware-focused data, a new generative artificial intelligence hacking tool called FraudGPT has emerged, and at least another one is under development that is allegedly based on Google's AI experiment, Bard. Both AI-powered bots are the work of the same individual, who appears to be deep in the game of providing chatbots trained specifically for malicious purposes ranging from phishing and social engineering, to exploiting vulnerabilities and creating malware.
Canon is warning users of home, office, and large format inkjet printers that their Wi-Fi connection settings stored in the devices' memories are not wiped, as they should, during initialization, allowing others to gain access to the data.
Citrix ShareFile is a widely used cloud-based file-sharing application, which is affected by the critical remote code execution (RCE) tracked as CVE-2023-24489 (CVSS score of 9.1). The flaw impacts the customer-managed ShareFile storage zones controller, an unauthenticated, remote attacker can trigger the flaw to compromise the controller by uploading arbitrary file or executing arbitrary code.
In May, Network and email security firm Barracuda disclosed that a recently patched remote command injection zero-day vulnerability had been exploited since October 2022 to gain access to a subset of its Email Security Gateway appliances. The flaw tracked as CVE-2023-2868, was further exploited to deploy previously unknown malware dubbed Saltwater and SeaSpy as well as a malicious tool called SeaSide to establish reverse shells for easy remote access. In light of the attacks, Barracuda offered replacement devices to all affected customers at no charge.
The Abyss Locker operation is the latest to develop a Linux encryptor to target VMware's ESXi virtual machines platform in attacks on the enterprise. As the enterprise shifts from individual servers to virtual machines for better resource management, performance, and disaster recovery, ransomware gangs create encryptors focused on targeting the platform.
In early July, researchers from Lumen Black Lotus Labs discovered the AVRecon botnet, which targeted small office/home office (SOHO) routers and infected over 70,000 devices across 20 countries. The threat actors behind the campaign aimed to build a botnet for various criminal activities, including password spraying and digital advertising fraud.
Microsoft fixed a known issue impacting WSUS (Windows Server Update Services) servers upgraded to Windows Server 2022, causing them not to push Windows 11 22H2 updates to enterprise endpoints. While the updates would successfully download to the WSUS server, they failed to propagate further to client devices. The root cause stems from the accidental removal of .msu and .wim MIME types during the upgrade process to Windows Server 2022.
The Russian nation-state actor known as BlueBravo has been observed targeting diplomatic entities throughout Eastern Europe with the goal of delivering a new backdoor called GraphicalProton, exemplifying the continuous evolution of the threat. The phishing campaign is characterized by the use of legitimate internet services (LIS) for command-and-control (C2) obfuscation, Recorded Future said in a new report published Thursday.
Zimbra recently addressed a zero-day vulnerability that was exploited in attacks targeting Zimbra Collaboration Suite email servers. Tracked as CVE-2023-38750, the flaw relates to a case of reflected Cross-Site Scripting impacting Zimbra Collaboration Suite Version 8.8.15, which could enable threat actors to steal sensitive information or execute arbitrary code on vulnerable systems. The flaw was uncovered by security researcher Clément Lecigne of Google Threat Analysis Group and was initially disclosed to the public two weeks ago.
Multiple critical vulnerabilities have been detected in Ninja Forms. a widely used WordPress forms builder plugin with more than 900,000 active installations. The plugin, created by Saturday Drive, enables users to generate a wide range of forms such as contact forms, event registration, file uploads, and payments. Security researchers from Patchstack published a new advisory revealing the presence of the first vulnerability which is a reflected cross site scripting flaw based on POST requests.
While consumers are usually the ones worried about their information being exposed in data breaches, it's now the hacker's turn, as the notorious Breached cybercrime forum's database is up for sale and member data has been shared with Have I Been Pwned. Yesterday, the Have I Been Pwned data breach notification service announced that visitors can check if their information was exposed in a data breach of the Breached cybercrime forum.
The Australian and US governments have issued a joint advisory about the growing cyber-threats to web applications and application programming interfaces (APIs). The guidance, Preventing Web Application Access Control Abuse was released by the Australian Cyber Security Centre (ACSC), US Cybersecurity and Infrastructure Security Agency (CISA), and US National Security Agency (NSA) on July 27, 2023/
The incidence of vendor email compromise attacks has surged, as recent data reveals a significant uptick in these cyber threats. A new report released yesterday by Abonormal Security, a cybersecurity firm, highlight the growing risk posed by VEC attacks, which are a variant of business email compromise.
A new 'Nitrogen' initial access malware campaign uses Google and Bing search ads to promote fake software sites that infect unsuspecting users with Cobalt Strike and ransomware payloads. The goal of the Nitrogen malware is to provide the threat actors initial access to corporate networks, allowing them to conduct data-theft, cyberespionage, and ultimately deploying the BlackCat/ALPHV ransomware.
NATO has confirmed that its IT team is investigating claims about an alleged data-theft hack on the Communities of Interest (COI) Cooperation Portal by a hacking group known as SiegedSec. The COI Cooperation Portal (dnbl.ncia.nato.int) is the military alliance's unclassified information-sharing and collaboration environment, dedicated to supporting NATO organizations and member nations. Yesterday, the hacking group 'SiegedSec' posted on Telegram what they claimed to be hundreds of documents stolen from the COI Cooperation Portal.
Generative AI models are becoming very attractive for crooks, Netenrich researchers recently spotted a new platform dubbed FraudGPT which is advertised on multiple marketplaces and the Telegram Channel since July 22, 2023. According to Netenrich, this generative AI bot was trained for offensive purposes, such as creating spear phishing emails, conducting BEC attacks, cracking tools, and carding.
Microsoft announced a new Defender for IoT feature that will allow analyzing the firmware of embedded Linux devices like routers for security vulnerabilities and common weaknesses. Dubbed Firmware Analysis and now available in Public Preview, the new capability can detect a wide range of weaknesses, from hardcoded user accounts and outdated or vulnerable open-source packages to the use of a manufacturer's private cryptographic signing key.
ALPHV ransomware gang, aka BlackCat, is now providing an API for their leak site to increase visibility for their attacks. Earlier this week, several researchers spotted a new page within the BlackCat leak site with instructions for using their API to collect timely updates about new victims. APIs, or Application Programming Interfaces, are typically used to enable communication between two software components based on agreed definitions and protocols .
VMware recently fixed an information disclosure bug impacting its VMware Tanzu Application service for VMs (TAS for VMs) and Isolation Segment. “TAS for VMs helps enterprises automate the deployment of applications across on-premises or public and private clouds (e.g., vSphere, AWS, Azure, GCP, OpenStack). Tracked as CVE-2023-20891, the issue seems to be caused by credentials being logged and exposed via system audit logs.
Security experts have discovered numerous vulnerabilities in a widely employed radio communication system, which is extensively used by law enforcement and critical infrastructure for transmitting data. These vulnerabilities could potentially enable remote decryption of cryptographically protected communications. Five vulnerabilities in Terrestrial Trunked Radio, a European radio communication standard have been identified by researchers from the Dutch security firm Midnight Blue.
A critical severity 'Super Admin' privilege elevation flaw puts over 900,000 MikroTik RouterOS routers at risk, potentially enabling attackers to take full control over a device and remain undetected. The flaw, CVE-2023-30799, allows remote attackers with an existing admin account to elevate their privileges to "super-admin" via the device's Winbox or HTTP interface.
The analysis of nearly 20 million information-stealing malware logs sold on the dark web and Telegram channels revealed that they had achieved significant infiltration into business environments. Information stealers are malware that steals data stored in applications such as web browsers, email clients, instant messengers, cryptocurrency wallets, FTP clients, and gaming services. The stolen information is packaged into archives called 'logs,' which are then uploaded back to the threat actor for use in attacks or sold on cybercrime marketplaces.
The Biden-Harris Administration has taken a new step towards ensuring the responsible development of artificial intelligence (AI) technology by securing voluntary commitments from leading AI companies. As part of the new initiative, Amazon, Anthropic, Google, Inflection, Meta, Microsoft and OpenAI have pledged to prioritize safety, security and trust in their AI systems.
Apple has released security updates to address a zero-day vulnerability that was exploited in attacks targeting iPhones, Macs, iPads. Tracked as CVE-2023-38606, the flaw relates to a shortcoming in the kernel that could allow a malicious application to potentially modify sensitive kernel states.
The Norwegian National Security Authority (NSM) has confirmed that attackers used a zero-day vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) solution to breach a software platform used by 12 ministries in the country. The Norwegian Security and Service Organization (DSS) said on Monday that the cyberattack did not affect Norway's Prime Minister's Office, the Ministry of Defense, the Ministry of Justice, and the Ministry of Foreign Affairs.
The Lazarus hacking group, sponsored by the North Korean state, is currently involved in breaching Windows Internet Information Service (IIS) web servers with the intention of taking control of these servers for distributing malware. IIS is a web server solution developed by Microsoft, commonly used to host websites or application services, including Microsoft Exchange’s Outlook on the web.
The Clop ransomware group is emulating the tactics of the ALPHV ransomware gang by constructing dedicated internet accessible websites for individual victims. “To overcome these obstacles, last year, the ALPHV ransomware operation, also known as BlackCat, introduced a new extortion tactic of creating clearweb websites to leak stolen data that were promoted as a way for employees to check if their data was leaked.
According to researchers at Avast, a new variant of AsyncRAT is being distributed via free, pirated versions of popular software and utilities such as video games, image and sound editing software, and Microsoft Office. Dubbed HotRat, the remote access trojan has been seen in the wild since October 2022, with majority of the infections being located in Thailand, Guyana, Libya, Suriname, Mali, Pakistan, Cambodia, South Africa, and India. The attack chain disclosed by Avast entails bundling cracked software available online via torrent sites with a malicious AutoHotKey (AHK script).
Qualys Threat Research Unit recently uncovered a remote code execution vulnerability impacting OpenSSH’s forwarded ssh-agent, a background program that maintains users' keys in memory and facilitates remote logins to a server without having to enter their passphrase again. Tracked as CVE-2023-38408, the vulnerability impacts OpenSSH before 9.3p2 and can be exploited to execute arbitrary commands on vulnerable OpenSSH’s forwarded ssh-agent. A successful exploit requires certain libraries to be present on the victim system and that the SSH authentication agent is forwarded to an attacker-controlled system.
In the first half of 2023, Checkmarx researchers detected multiple open-source software supply chain attacks aimed at the banking sector. These attacks targeted specific components in web assets used by banks, according to the experts the attackers used advanced techniques. A threat actor leverage the NPM platform to upload malicious packages that included malicious objects upon installation.
Recently, American Megatrends International, a hardware and software company, identified two critical severity vulnerabilities in their MegaRAC Baseboard Management Controller software. The MegaRac BMC software is designed to offer administrators “out of band” and “lights out” remote system management capabilities. This functionality allows administrators to troubleshoot servers as if they were physically present in front of the devices, even when operating remotely.
VirusTotal apologized on Friday for leaking the information of over 5,600 customers after an employee mistakenly uploaded a CSV file containing their info to the platform last month. The data leak impacted only Premium account customers, with the uploaded file containing their names and corporate email addresses. Emiliano Martines, the online malware scanning service's head of product management, also assured impacted customers that the incident was caused by human error and was not the result of a cyber-attack or any vulnerability with VirusTotal.
Researchers at FortiGuard Labs have observed several distributed denial-of-service botnets exploiting a critical flaw in Zyxel devices to gain remote control of vulnerable systems. Tracked as CVE-2023-28771, the vulnerability is related to a command injection bug affecting multiple firewall models that could enable an unauthorized actor to execute arbitrary code via specially crafted packets sent to the targeted appliance.
Researchers at Lookout released a report on July 19, 2023, revealing that the Chinese espionage group APT41 is associated with the advanced Android surveillanceware known as WyrmSpy and DragonEgg. The report emphasized APT41’s well documented past of conducting espionage and seeking financial advantages by targeting government institutions and private companies.
A new .NET-based backdoor dubbed DeliveryCheck (aka CAPIBAR or GAMEDAY) was observed targeting the defense sector in Ukraine and Eastern Europe, capable of delivering next-stage payloads.
Adobe recently published an emergency ColdFusion security update that addressed several vulnerabilities, including a new zero-day that was exploited in attacks in the wild. The zero-day tracked as CVE-2023-38205 is being described as an instance of improper access control that could result in a security bypass. Two other flaws were addressed, one of which was rated critical in severity while the other was rated medium in severity.
Palo Alto Networks Unit 42 researchers have discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers running on both Linux and Windows systems. The capability to target Redis servers running on both Linux and Windows operating systems makes P2PInfect more scalable and potent than other worms.
US-based enterprise software company JumpCloud was breached by North Korean Lazarus Group hackers, according to security researchers at SentinelOne and CrowdStrike. In a report published on Thursday, SentinelOne Senior Threat Researcher Tom Hegel linked the North Korean threat group to the JumpCloud hack based on multiple indicators of compromise shared by the company in a recent incident report.
Threats actors have extensively employed an advanced web-inject kit known as drlBAN to orchestrate fraudulent assaults on corporate banking institutions and their customers. As stated in a recent advisory from Cleafy security researchers, drlBAN was initially discovered in 2019. It utilizes customized JavaScript code to specifically target different entities within the corporate banking sector. Functioning as part of a Man-in-the-Browser attack, these web injects enable cyber criminals to manipulate the content of legitimate web pages in real time, circumventing the TLS protocol.
Ukraine’s Cyber Police Department has dismantled another massive bot farm linked to more than 100 individuals after researching nearly two dozen locations. The bots were allegedly used to promote Russian propaganda, justifying Russia’s invasion of Ukraine. The bots were also leveraged to spread illegal content and personal information and conduct other fraudulent activities.
Cybersecurity researcher MalwareHunterTeam recently uncovered a new ransomware as a service (RaaS) dubbed SophosEncrypt which is allegedly impersonating Sophos. MalwareHunterTeam Initially thought SophosEncrypt to be part of a red team exercise by Sophos, however, Sophos followed up on Twitter stating that they did not create the encryptor and are conducting an investigation. Taking a closer look at the sample uncovered by MalwareHunterTeam, the encryptor is written in the Rust programming language.
GitHub has identified a low-volume social engineering campaign targeting personal accounts of employees in technology firms. The attackers use GitHub repository invitations and malicious npm package dependencies. The targets are often associated with blockchain, cryptocurrency, online gambling, or cybersecurity sectors. The threat actor behind this campaign is likely linked to North Korean objectives and has been identified as Jade Sleet or TraderTraitor.
A new cybersecurity certification and labeling program called U.S. Cyber Trust Mark is being shaped to help U.S. consumers choose connected devices that are more secure and resilient to hacker attacks. A proposal from the Federal Communications Commission, the program is expected to roll out next year with smart device vendors committing to it voluntarily.
A critical vulnerability in the widely used WooCommerce Payments plugin is being exploited by hackers, enabling them to gain unauthorized privileges of any user, including administrators, on vulnerable WordPress installations. WooCommerce Payments is a highly popular WordPress plugin that facilitates credit and debit card payments in WooCommerce stores, with over 600,000 active installations as, reported by WordPress.
An unidentified threat actor compromised an application used by multiple entities in Pakistan to deliver ShadowPad, a successor to the PlugX backdoor that's commonly associated with Chinese hacking crews. Targets included a Pakistan government entity, a public sector bank, and a telecommunications provider, according to Trend Micro. The infections took place between mid-February 2022 and September 2022.
The new NoEscape ransomware operation is believed to be a rebrand of Avaddon, a ransomware gang that shut down and released its decryption keys in 2021. NoEscape launched in June 2023 when it began targeting the enterprise in double-extortion attacks. As part of these attacks, the threat actors steal data and encrypt files on Windows, Linux, and VMware ESXi servers. The threat actors then threaten to publicly release stolen data if a ransom is not paid. BleepingComputer is aware of NoEscape ransomware demands ranging between hundreds of thousands of dollars to over $10 million. Like other ransomware gangs, NoEscape does not allow its members to target CIS (ex-Soviet Union) countries, with victims from those countries receiving free decryptors and information on how they were breached.
A critical design flaw in Google Cloud Build has been discovered by cloud security firm Orca Security, allowing hackers to launch supply chain attacks. The flaw, named Bad.Build, enables attackers to escalate privileges and gain unauthorized access to Google Artifact Registry code repositories. By impersonating the service account for Google Cloud Build, threat actors can run API calls against the artifact registry, inject malicious code into applications, and potentially compromise the entire supply chain.
A financially motivated cybercrime gang has been observed deploying BlackCat ransomware payloads on networks backdoored using a revamped Sardonic malware version. Tracked as FIN8 (aka Syssphinx), this threat actor has been actively operating since at least January 2016, focusing on targeting industries such as retail, restaurants, hospitality, healthcare, and entertainment.
Last week, the computer emergency response team of Ukraine (CERT-UA) released an article disclosing details about a Russian-linked threat actor known as Gamaredon (Aka Aqua Blizzard, Armageddon, Shuckworm, or UAC-0010). Active since at least 2013, Gamaredon is a state-sponsored actor with ties to the SBU Main Office in the Autonomous Republic of Crimea, which was annexed by Russia in 2014.
Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems. ‘LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015.
New research conducted by security firm SlashNext reveals that cyber-criminals are utilizing a potent tool called WormGPT, a generative AI system, for carrying out business email compromise (BEC) attacks. Security expert Daniel Kelley, observed a worrisome trend in online forums where cyber-criminals are offering “jailbreaks” for interfaces like ChatGPT. These jailbreaks are specialized prompts that aim to exploit ChatGPT by manipulating it to generate outputs involving sensitive information disclosure, inappropriate content generation, or even the execution of harmful code.
US-based enterprise software firm JumpCloud has disclosed a breach by a state-backed hacking group that occurred almost one month ago. The attack was highly targeted and focused on a limited set of customers. The breach was discovered on June 27 after the attackers gained access through a spear-phishing attack. Although no evidence of customer impact was found initially, JumpCloud decided to rotate credentials and rebuild compromised infrastructure.
5G technology has bolstered productivity in modern-day factories, allowing multiple devices to be connected simultaneously, but 5G networks are not immune to cyberattacks. In our recent joint research effort with CTOne and the Telecom Technology Center (TTC), the official advisory group to Taiwan's National Communications Commission and Ministry of Digital Affairs, Trend Micro looked into ZDI-CAN-18522, a packet reflection vulnerability in the UPF of 5G cores (5GC).
Colorado State University (CSU) has confirmed that the Clop ransomware operation stole sensitive personal information of current and former students and employees during the recent MOVEit Transfer data-theft attacks. Colorado State University is a public research university with nearly 28,000 students and 6,000 academic and administrative staff members, operating on an endowment of $558,000,000.
A new malware strain has been found covertly targeting small office/home office (SOHO) routers for more than two years, infiltrating over 70,000 devices and creating a botnet with 40,000 nodes spanning 20 countries. Lumen Black Lotus Labs has dubbed the malware AVrecon, making it the third such strain to focus on SOHO routers after ZuoRAT and HiatusRAT over the past year.
Shutterfly, an online retail and photography manufacturing platform, has become the latest victim of the Clop ransomware attack. The Clop ransomware gang has been exploiting a vulnerability in the MOVEit File Transfer utility to breach numerous companies and steal their data for extortion purposes.
The Cisco SD-WAN vManage management software is impacted by a flaw that allows an unauthenticated, remote attacker to gain read or limited write permissions to the configuration of the affected instance. Cisco SD-WAN vManage is a cloud-based solution allowing organizations to design, deploy, and manage distributed networks across multiple locations.
On Wednesday, SonicWall disclosed several critical vulnerabilities impacting its Global Management System firewall management and Analytics network reporting engine software suites. In total 15 vulnerabilities were addressed, four of which were rated critical, four rated high, and seven rated medium in severity.
A popular WordPress plugin dubbed All-In-One Security (AIOS) was found to log plaintext passwords from login attempts. With over one million installs on WordPress sites, AIOS is a security and firewall plugin designed to log user activity and prevent cyberattacks such as brute-force attempts by warning admins when the default admin username is used for login. Approximately two weeks ago, user reports started coming in about an insecure design flaw in the plugin.
Citrix has recently fixed a critical vulnerability, known as CVE-2023-24492, in its Secure Access client for Ubuntu. The vulnerability, which has a CVSS score of 9.6, could potentially be exploited by attackers to achieve remote code execution.
The Russian state-backed hacking collective known as APT29 has been employing unique tactics such as offering car listings to attract diplomats in Ukraine into clicking on harmful links, which ultimately distribute malware. APT29 is affiliated with Russia’s Foreign Intelligence Service (SVR), and it has gained notoriety for executing multiple cyber-espionage operations aimed at influential individuals worldwide.
Fortinet recently disclosed a critical severity flaw impacting FortiOS and FortiProxy that could enable remote attackers to execute arbitrary code on vulnerable devices. Tracked as CVE-2023-33308, the flaw was uncovered to disclosed to Fortinet by cybersecurity firm Watchtowr. According to Fortinet, CVE-2023-33308 relates to a stack-based overflow vulnerability and could allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.
As part of the July Patch Tuesday, Microsoft addressed 132 vulnerabilities, six of which were actively exploited zero-days. In total, there were 33 Elevation of Privilege Vulnerabilities, 13 Security Feature Bypass Vulnerabilities, 37 Remote Code Execution Vulnerabilities, 19 Information Disclosure Vulnerabilities, 22 Denial of Service Vulnerabilities, and 7 Spoofing Vulnerabilities. Out of the 132 flaws addressed, nine have been rated critical in severity.
Malware attacks using Microsoft SQL (MSSQL) Server as an intrusion vector have risen sharply in the last six months, as experts report hackers moving away from blocked methods. Researchers at cyber security firm ESET revealed the absolute count of MSSQL attacks increased by 84% between H2 2022 and H1 2023.
Data from the first half of the year indicates that ransomware activity is on track to break previous records, seeing a rise in the number of payments, both big and small. According to a report by blockchain analysis firm Chainalysis, ransomware is the only cryptocurrency crime category seeing a rise this year, with all others, including hacks, scams, malware, abuse material sales, fraud shops, and darknet market revenue, recording a steep decline, "In fact, ransomware attackers are on pace for their second-biggest year ever, having extorted at least $449.1 million through June."
Microsoft has mitigated an attack by a China-based threat actor Microsoft tracks as Storm-0558 which targeted customer emails. Storm-0558 primarily targets government agencies in Western Europe and focuses on espionage, data theft, and credential access,
A Proof-of-Concept (PoC) exploit for the CVE-2023-31998 vulnerability in the Ubiquiti EdgeRouter has been publicly released. The CVE-2023-31998 flaw (CVSS v3 5.9) is a heap overflow issue impacting Ubiquiti EdgeRouters and Aircubes, an attacker can exploit it to potentially execute arbitrary code and interrupt UPnP service to a vulnerable device.
Oxeye has uncovered two critical security vulnerabilities and recommends immediate action to mitigate risk. The vulnerabilities were discovered in Owncast (CVE-2023-3188) and EaseProbe (CVE-2023-33967), two open-source platforms written in Go. The first vulnerability was discovered in Owncast, an open-source, self-hosted, decentralized, single-user live video streaming and chat server written in Go.
VMware warned customers today that exploit code is now available for a critical vulnerability in the VMware Aria Operations for Logs analysis tool, which helps admins manage terabytes worth of app and infrastructure logs in large-scale environments. The flaw (CVE-2023-20864) is a deserialization weakness patched in April, and it allows unauthenticated attackers to gain remote execution on unpatched appliances.
The threat actors behind the RomCom RAT have been suspected of phishing attacks targeting the upcoming NATO Summit in Vilnius as well as an identified organization supporting Ukraine abroad. The findings come from the BlackBerry Threat Research and Intelligence team, which found two malicious documents submitted from a Hungarian IP address on July 4, 2023.
Businesses operating in the Latin American (LATAM) region are the target of a new Windows-based banking trojan called TOITOIN since May 2023. ‘This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage,’ Zscaler researchers Niraj Shivtarkar and Preet Kamal said in a report published last week.
Security researchers observed a new campaign they attribute to the Charming Kitten APT group where hackers used new NokNok malware that targets macOS systems. The campaign started in May and relies on a different infection chain than previously observed, with LNK files deploying the payloads instead of the typical malicious Word documents seen in past attacks from the group.
Security researchers discovered two malicious file management applications on Google Play with a collective installation count of over 1.5 million that collected excessive user data that goes well beyond what's needed to offer the promised functionality. The apps, both from the same publisher, can launch without any interaction from the user to steal sensitive data and send it to servers in China.
or the month of June, Google released 46 new software vulnerabilities, some of which were actively exploited in attacks in the wild. Among the vulnerabilities addressed is a memory leak flaw impacting the Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips. Tracked as CVE-2023-26083, the bug was exploited in a previous attack that enabled spyware infiltration on Samsung devices in December 2022. Another serious vulnerability addressed is CVE-2021-29256 which relates to a high-severity issue impacting specific versions of the Bifrost and Midgard Arm Mali GPU kernel drivers.
Researchers at Proofpoint have revealed that a cyber espionage group associated with the Iranian government has been engaging in phishing attacks targeting Middle Eastern nuclear weapons experts by impersonating employees of think tanks. The group, known by various names such as TA453, Charming Kitten, or APT35, has a history of targeting government officials, politicians, think tanks, and critical infrastructure entities in the United States and Europe.
MOVEit Transfer, the software at the center of the recent massive spree of Clop ransomware breaches, has received an update that fixes a critical-severity SQL injection bug and two other less severe vulnerabilities. SQL injection vulnerabilities allow attackers to craft special queries to gain access to a database or tamper with it by executing code. For these attacks to be possible, the target application must suffer from a lack of appropriate input/output data sensitization.
International law enforcement agencies have announced the arrest of the leader of a cybercriminal syndicate called Opera1er, responsible for over 30 successful cyberattacks targeting financial institutions, banks, mobile banking services, and telecommunications companies. The group, also known as Desktop-Group and NXSMS, was involved in various scams, including malware, phishing, and business email compromise, resulting in an estimated $30 million in stolen funds. Interpol, along with AFRIPOL, Group-IB, Direction de L'information et des Traces Technologiques, and the Orange CERT Coordination Center, led the operation named Nervone. The arrest took place in early June in Abidjan, Côte d'Ivoire, Mali. Group-IB, who had been tracking the Opera1er group since 2018, provided crucial intelligence that helped identify the leader's identity and potential location.
Researchers are raising concerns about the vulnerability of over 130,000 photovoltaic monitoring and diagnostic systems accessible through the public internet. This accessibility exposes them to potential attacks from hackers. These systems play a crucial role in remote performance monitoring, troubleshooting, optimizing system efficiency, and enabling the remote management of renewable energy production units.
Researchers at Peking University recently disclosed details of a new flaw in the Linux Kernel that could enable a threat actor to elevate privileges on a targeted host. Dubbed StackRot, the flaw is being tracked as CVE-2023-3269 and impacts Linux versions 6.1 through 6.4. According to security researcher Ruihan Li, “As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger…However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging.”
Yesterday, Cisco released an advisory warning its customers of an unpatched vulnerability in the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches in ACI mode that could be exploited by an unauthenticated remote attack to read or modify intersite encrypted traffic. Tracked as CVE-2023-20185, the flaw received a CVSS score of 7.4, indicating a high level of severity. According to Cisco, the vulnerability is due to an issue with the implementation of the ciphers that are used by the CloudSec encryption feature on affected switches.
Microsoft is investigating an ongoing issue preventing Outlook[.]com users from searching their emails and triggering 401 exception errors. When searching, users see an error saying, "Sorry, something went wrong. Please try again later." "Our initial review of Outlook[.]com server logs, in parallel with HTTP Archive format (HAR) logs captured during an internal reproduction of impact, indicates 401 errors are occurring due to an exception when users attempt to perform the search," Microsoft says on the service health portal.
Zscaler ThreatLabz researchers discovered a new Stealer-as-a-Ransomware named RedEnergy used in attacks against energy utilities, oil, gas, telecom, and machinery sectors. The malware has the capabilities to steal information from various Internet browsers, but can also support ransomware activities. In this recent campaign, threat actors are masquerading as fake web browser updates to lure victims into installing the malware.
Since December 2022, a Chinese threat actor has been conducting a phishing campaign referred to as SmugX, which specifically targets embassies and foreign affairs ministries in the UK, France, Sweden Czech Republic, Hungary, and Slovakia. Security researchers at Check Point, a cybersecurity company, conducted analysis of the attacks and identified similarities with previous activities carried out by APT groups known as Mustang Panda and RedDelta.
A member of U.S. Navy's red team has published a tool called TeamsPhisher that leverages an unresolved security issue in Microsoft Teams to bypass restrictions for incoming files from users outside of a targeted organization, the so-called external tenants. The tool exploits a problem highlighted last month by Max Corbridge and Tom Ellson of UK-based security services company Jumpsec, who explained how an attacker could easily go around Microsoft Teams' file-sending restraints to deliver malware from an external account.
An e-crime actor of Mexican provenance has been linked to an Android mobile malware campaign targeting financial institutions globally, but with a specific focus on Spanish and Chilean banks, from June 2021 to April 2023. The activity is being attributed to an actor codenamed Neo_Net, according to security researcher Pol Thill.
The Port of Nagoya, the largest and busiest port in Japan, has been targeted in a ransomware attack that currently impacts the operation of container terminals. The port accounts for roughly 10% of Japan's total trade volume. It operates 21 piers and 290 berths. It handles over two million containers and cargo tonnage of 165 million every year. The port is also used by the Toyota Motor Corporation, one of the world’s largest automakers, to export most of its cars.
The BlackCat ransomware-as-a-service group is developing a threat activity cluster by deploying malicious malware using chosen keywords on webpages of legitimate organizations. They engage in unauthorized activities within company networks using cloned webpages of legitimate applications like WinSCP and SpyBoy. These cybercriminals hijack keywords to display malicious ads and lure unsuspecting users into downloading malware, a technique known as malvertising.
The ALPHV ransomware group, also known as the BlackCat, is engaging in malvertising activities to trick individuals into visiting counterfeit websites that closely resemble the legitimate WinSCP file-transfer application for Windows. However, these deceptive pages distribute installers infected with malicious software. WinSCP, a widely-used application for secure file transfer on Windows, is an open-source client and file manager supporting SFTP, FTP, S3, and SCP protocols. It boasts a significant user base, with approximately 400,000 weekly downloads from SourceForge alone. The BlackCat group is leveraging the WinSCP program as bait to potentially infiltrate the computers of system administrators, web administrators, and IT professionals, aiming to gain initial entry into valuable corporate networks.
A newly discovered information-stealing malware known as Meduza Stealer has been identified by researchers. The creators of this malware utilize advanced marketing tactics to promote its distribution. Meduza Stealer is designed to extract various browser-related data, such as login credentials, browsing history, and bookmarks, thereby compromising the victim’s browsing activities. Additionally, the malware targets specific extensions related to cryptocurrency wallets, password managers, and two-factor authentication (2FA). The authors of Meduza Stealer actively work on developing the malware in order to evade detection. However, no specific attacks have been attributed to this malware as of now.
Chipmaking giant TSMC (Taiwan Semiconductor Manufacturing Company) denied being hacked after the LockBit ransomware gang demanded $70 million not to release stolen data. TSMC is one of the world's largest semiconductor manufacturers, with its products used in a wide variety of devices, including smartphones, high performance computing, IoT devices, automotive, and digital consumer electronics/
Hundreds of thousands of FortiGate firewalls are vulnerable to a critical security issue identified as CVE-2023-27997, almost a month after Fortinet released an update that addresses the problem. The vulnerability is a remote code execution with a severity score of 9.8 out of 10 resulting from a heap-based buffer overflow problem in FortiOS, the operating system that connects all Fortinet networking components to integrate them in the vendor's Security Fabric platform.
Researchers from Elastic Security Labs have discovered a new variant of the RustBucket Apple macOS malware. In April, the security firm Jamf observed the North Korea-linked BlueNoroff APT group using this new malware. BlueNoroff operates under the control of the notorious Lazarus APT group, also linked to North Korea. The RustBucket malware enables the operators to download and execute different payloads. The attribution to BlueNoroff APT is based on similarities found in Kaspersky's analysis.
MITRE recently published its list of the top 25 most dangerous software weaknesses for 2023. Every year, this list is calculated by analyzing public vulnerability data in the National Vulnerability Database for root cause mappings to CWE weaknesses for the previous two years. In total, 43,996 CVE entries were examined, with a score being assigned to each entry based on the prevalence and severity of the flaw.
An active financially motivated campaign is targeting vulnerable SSH servers to covertly ensnare them into a proxy network. ‘This is an active campaign in which the attacker leverages SSH for remote access, running malicious scripts that stealthily enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Profit or Honeygain,’ Akamai researcher Allen West said in a Thursday report. Unlike cryptojacking, in which a compromised system's resources are used to illicitly mine cryptocurrency, proxyjacking offers the ability for threat actors to leverage the victim's unused bandwidth to covertly run different services as a P2P node.
Security analysts have discovered a previously undocumented remote access trojan (RAT) named 'EarlyRAT,' used by Andariel, a sub-group of the Lazarus North Korean state-sponsored hacking group. Andariel (aka Stonefly) is believed to be part of the Lazarus hacking group known for employing the DTrack modular backdoor to collect information from compromised systems, such as browsing history, typed data (keylogging), screenshots, running processes, and more
The victims of the Clop ransomware group's supply chain attack include a wide range of organizations, such as healthcare software firm Vitality Group International, Talcott Resolution Life Insurance Company, and several universities including Georgia, Johns Hopkins, Missouri, Rochester, and Southern Illinois. Government departments like the U.S. Department of Energy, Department of Agriculture, and Office of Personnel Management were also targeted.
The lack of metadata validation in the npm registry, which is widely used by developers to download Javascript code, has raised concerns about potential cyber threats. Despite being the largest software registry globally, with 17 million developers relying on it, the registry fails to perform checks on package metadata.
Wordfence recently disclosed a critical flaw in miniOrange's Social Login and Register plugin for WordPress, which could be leveraged by a malicious threat actor to access any account on websites running the vulnerable plugin. Tracked as CVE-2023-2982 (CVSS score: 9.8), the flaw has been described as an authentication bypass flaw and impacts all versions of the plugin, including and prior to 7.6.4.
Operators behind the Akira Ransomware have released a new Linux variant that is capable of encrypting VMware ESXi virtual machines. The Linux variant was discovered by malware analyst rivitna, who shared a sample of the new encryptor on VirusTotal last week. According to analysts, Linux encryptor shows it has a project name of 'Esxi_Build_Esxi6,’ indicating that is specially designed to target VMware ESXi servers.
Microsoft has resolved a Windows bug that was causing freezes in the File Explorer application. The issue primarily affected non-consumer environments and was observed in Windows 11 21H2/22H2 and Windows Server 2022. Users experienced freezes in File Explorer after installing Windows updates released since May 9th, 2023. Microsoft released an optional cumulative update (KB5027303) this month to address the issue for Windows 11 22H2 users, with a plan to make it available to all affected Windows users in the July Patch Tuesday cumulative updates.
The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) published a joint Cybersecurity Information Sheet (CSI) titled, “Defending Continuous Integration/Continuous Delivery Environment,” which can help organizations improve their defenses in cloud implementations of development, security, and operations (DevSecOps). Specifically, this joint guide explains how to integrate security best practices into typical software development and operations (DevOps) CI/CD environments, without regard for the specific tools being adapted.
Group-IB recently uncovered the operations of a scam ring dubbed CryptoLabs that has allegedly made €480 million in illegal profits by targeting users in French-speaking individuals in France, Belgium, and Luxembourg since April 2018. The syndicate is known for impersonating well-known banks, fin-techs, asset management firms, and crypto platforms, setting up scam infrastructure spanning over 350 domains hosted on more than 80 servers. According to researchers, the threat actors have been experimenting with different landing pages, since 2015, ultimately launching their campaign around June 2018.
A ransomware threat called **8Base** that has been operating under the radar for over a year has been attributed to a ‘massive spike in activity’ in May and June 2023. ‘The group utilizes encryption paired with 'name-and-shame' techniques to compel their victims to pay their ransoms,’ VMware Carbon Black researchers Deborah Snyder and Fae Carlisle [said](https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player) in a report. ‘8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries.’
On Tuesday, Europol announced that the takedown of EncroChat in July 2020 led to 6,558 arrests worldwide and the seizure of €900 million in illicit criminal proceeds. The operation was carried out by French and Dutch authorities which intercepted and analyzed over 115 million conversations made between approximately 60,000 users using the encrypted messaging platform.
Researchers have recently detected a new info stealer known as ThirdEye, which exhibits various variants, all designed to target and steal victims’ data. During a preliminary analysis, FortiGuard Labs came across this highly malicious yet, relatively unsophisticated info stealer while examining suspicious files. The researchers, became suspicious after encountering a Russian archive file translated to “time sheet” in English.
Censys researchers have discovered hundreds of Internet-exposed devices on the networks of U.S. federal agencies that have to be secured according to a recently issued CISA Binding Operational Directive. An analysis of the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations led to the discovery of more than 13,000 individual hosts exposed to Internet access, distributed across over 100 systems linked to FCEB agencies.
Researchers at ThreatFabric recently disclosed details of a new mobile campaign that has been pushing Anatsa, an Android banking trojan, to online banking customers in the U.S., the U.K., Germany, Austria, and Switzerland since March 2023. The malware is being distributed via the Play Store by masquerading as PDF viewer and editor apps and office suites, having over 30,000 installations in the last couple of months. Although ThreatFabric reported the malicious applications to Google, which ended up removing them altogether from the play store, the attackers were observed uploading new malware samples soon after under the guise of other applications.
Researchers have identified a novel malicious tool reffered to as PindOS. This tool acts as a delivery mechanism for the Bumblebee and IcedID malware, which are commonly associated with ransomware attacks. PindOS operates as a JavaScript malware dropper, seemingly designed with the sole purpose of retrieving subsequent-stage payloads that ultimately deliver the perpetrators’ final malicious payload.
The Secure Cloud Business Applications (SCuBA) project provides guidance and capabilities to secure agencies’ cloud business application environments and protect federal information that is created, accessed, shared and stored in those environments. SCuBA will help secure federal civilian executive branch (FCEB) information assets stored within cloud environments through consistent, effective, modern, and manageable security configurations.
A new process injection technique called "Mockingjay" has been discovered by researchers at cybersecurity firm Security Joes. This technique allows threat actors to bypass EDR (Endpoint Detection and Response) systems and execute malicious code on compromised systems without detection. Unlike traditional process injection methods, Mockingjay does not rely on commonly abused Windows API calls, special permissions, or memory allocation, making it more difficult to detect.
The Clop ransomware group added five new victims of MOVEit attacks to its dark web leak site, including the industrial giants Schneider Electric and Siemens Energy. Both Schneider Electric and Siemens Energy provide Industrial Control Systems (ICS) that are used in critical national infrastructure worldwide.
American Airlines and Southwest Airlines, two of the largest airlines in the world, recently experienced data breaches caused by the hack of a third-party vendor called Pilot Credentials. The breach occurred on April 30, and both airlines were informed on May 3. The unauthorized individual gained access to Pilot Credentials' systems and stole documents containing information provided by pilot and cadet applicants. American Airlines reported that the breach affected 5,745 pilots and applicants, while Southwest reported a total of 3,009. The stolen information included personal details such as names, Social Security numbers, driver's license numbers, passport numbers, and more. Both airlines have terminated their relationship with the vendor and are directing applicants to self-managed internal portals. They have also notified law enforcement and are cooperating with investigations.
PBI Research Services has experienced a data breach, resulting in the disclosure of sensitive information for approximately 4.75 million individuals. This breach occured during the recent series of data-theft attacks targeting MOVEit Transfer. The attacks, initiated by the Clop ransomware gang, commenced on May 27th, 2023. Exploiting a previously unknown vulnerability in MOVEit Transfer, the gang proceeded to extract data from nemerious companies, including PBI and its three clients. In recent days, the Clop gang has adopted an extortion strategy gradually revealing the names of affected organizations on their data leak site. The tactic aims to exert pressure on victims, compelling them to meet the gang's ransom demands.
In a series of Twitter posts last week, Microsoft stated that it has observed an uptick in credential-stealing attacks from Midnight Blizzard (aka Nobelium, APT29, Cozy Bear, Iron Hemlock, and The Dukes), a notorious Russian state-affiliated hacker group that was behind the 2020 SolarWinds attack. The latest intrusions are using a variety of password spray, brute force, and token theft techniques, with the group also conducting session replay attacks to gain initial access to cloud resources leveraging stolen sessions. Targets highlighted by Microsoft include governments, IT service providers, NGOs, the defense industry, and critical manufacturing.
CrowdStrike researchers observed the China-linked APT group VANGUARD PANDA, aka Volt Typhoon, using a novel tradecraft to gain initial access to target networks. The Volt Typhoon group has been active since at least mid-2021 it carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.
Over the weekend, Suncor, one of Canada’s largest synthetic crude producers, disclosed it suffered from a cyberattack, stating that it is working on resolving the incident and that some transactions with customers and suppliers may have been impacted. Although no additional details were reported in Suncor’s notice, Petro-Canada, a subsidiary of Suncor that operates 1,500 gas stations across Canada, stated it is facing technical issues, preventing customers from paying with credit cards or rewards points. According to a post on Twitter, the company warned customers that they cannot currently log in to their accounts via the app or website and apologized for the inconvenience caused. This outage also prevents earning points when refueling at the company's gas stations.
CrowdStrike researchers observed the China-linked APT group VANGUARD PANDA, aka Volt Typhoon, using a novel tradecraft to gain initial access to target networks. The Volt Typhoon group has been active since at least mid-2021 it carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.
Researchers from Palo Alto Networks’ Unit 42 have detected a modified version of the Mirai botnet, which is actively exploiting nearly 20 vulnerabilities. The primary objective of this botnet is to compromise devices manufactured by D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek. These compromised devices are then utilized to launch distributed of denial of service attacks (DDoS) attacks.
Cybersecurity firm Deep Instinct has uncovered a new JavaScript dropper, dubbed PindOS, that is being used to deliver next-stage payloads like BumbleBee and IceID, both of which are loaders that have also been leveraged to deploy other malware on hosts, including ransomware. “Bumblebee, notably, is a replacement for another loader called BazarLoader, which has been attributed to the now-defunct TrickBot and Conti groups. A report from Secureworks in April 2022 found evidence of collaboration between several actors in the Russian cybercrime ecosystem, including that of Conti, Emotet, and IcedID.
Security researchers from Jumpsec have discovered a vulnerability in Microsoft Teams that enables attackers to deliver malware directly to employees' inboxes. The bug allows external users to send malicious payloads that appear as downloadable files. By combining this vulnerability with social engineering tactics, attackers can increase the success rate of their attacks. This method bypasses anti-phishing security controls and takes advantage of the trust employees have in messages received through Microsoft Teams. This vulnerability affects every organization using Teams in the default configuration.
“RedEyes, a state-sponsored APT group also known as APT37, ScarCruft, and Reaper, has been identified as targeting individuals such as North Korean defectors, human rights activists, and university professors. Their objective is to monitor the lives of specific individuals. In May 2023, AhnLab Security Emergency response Center (ASEC) discovered RedEyes distributing and utilizing an Infostealer with wiretapping capabilities and a GoLang-based backdoor that exploits the Ably platform. The backdoor allowed the threat actor to send commands through the Ably service, with the API key value required for communication stored in a GitHub repository. This key value allowed anyone with knowledge of it to subscribe to the threat actor's channel”
During the DFIR investigation conducted in May 2023, a significant intrusion was observed, involving the deployment of Truebot, Cobalt Strike, FlawedGrace (also known as GraceWire & BARBWIRE), and the subsequent deployment of the MBR Killer wiper. The threat actors executed their attack swiftly, successfully exfiltrating data and rendering numerous systems inoperable with the wiper within a span of 29 hours after gaining initial access.
A critical security flaw has been disclosed in the WordPress "Abandoned Cart Lite for WooCommerce" plugin that's installed on more than 30,000 websites. ‘This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met,’ Defiant's Wordfence said in an advisory. Tracked as CVE-2023-2986, the shortcoming has been rated 9.8 out of 10 for severity on the CVSS scoring system.
Multinational company UPS is notifying customers in Canada that certain personal details could have been compromised through its online package tracking tools, potentially leading to their misuse in phishing attempts. The communication sent by UPS Canada titled “An Update from UPS: Combatting Phishing and Smishing,” appears to be initially aimed at cautioning customers about the risk associated with phishing. However, the communication is, in fact, a notification of a data breach. UPS Canada discreetly includes a disclosure within the message, revealing that they have been receiving reports of SMS phishing messages containing recipients’ names and address information.
Apple recently addressed three zero-day vulnerabilities that were exploited in attacks to install spyware on iPhones via iMessage zero-click exploits. Below is a list of the CVEs:
The North Korean APT37 hacking group, also known as StarCruft, Reaper, or RedEyes, has recently deployed a new information-stealing malware called "FadeStealer." This malware includes a wiretapping feature, allowing the threat actors to eavesdrop and record from victims' microphones. APT37 has a history of conducting cyber espionage attacks aligned with North Korean interests, targeting North Korean defectors, educational institutions, and EU-based organizations.
A proof-of-concept exploit code has been released for a high-severity vulnerability in Cisco Secure Client Software for Windows, previously known as AnyConnect Secure Mobility Client. This flaw, tracked as CVE-2023-20178, allows authenticated attackers to escalate privileges to the SYSTEM account, which is used by the Windows operating system. The vulnerability can be exploited without user interaction and takes advantage of a specific function in the Windows installer process.
A new malware called Condi has been observed exploiting a security vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to rope the devices into a distributed denial-of-service (DDoS) botnet. Fortinet FortiGuard Labs said the campaign has ramped up since the end of May 2023. Condi is the work of a threat actor who goes by the online alias zxcr9999 on Telegram and runs a Telegram channel called Condi Network to advertise their warez. ‘The Telegram channel was started in May 2022, and the threat actor has been monetizing its botnet by providing DDoS-as-a-service and selling the malware source code,’ security researchers Joie Salvio and Roy Tay said.
Zxyel recently published security updates to address a critical command injection vulnerability impacting its Network Attached Storage (NAS) devices, warning customers to update their firmware. Tracked as CVE-2023-27992, the vulnerability is due to a pre-authentication command injection problem that could enable an unauthenticated attacker to execute operating system commands on the impacted device via specially crafted HTTP requests.
An unidentified malicious entity is employing brute-force techniques to gain unauthorized access to Linux SSH servers, enabling the installation of various forms of malicious software. The malware includes the Tsunami DDoS bot, ShellBot, log cleaners, tools for privilege escalation, and an XMRig coin miner designed to mine Monero. SSH (Secure Socket Shell) is a secure and encrypted network communication protocol used for remote administration of Linux devices. It facilitates activities such as executing commands, modifying configurations, updating software, and resolving issues for network administrators.
3CX, a popular Voice over Internet Protocol (VoIP) comms provider, was exposed due to the negligence of a third-party vendor. The vendor's open server left instances of Elasticsearch and Kibana vulnerable, leading to the discovery of the exposed data on May 15th. This discovery came to light nearly two months after the initial cyberattacks on 3CX, which had previously been targeted by North Korean hackers. The exposed data included call metadata, license keys, and encoded database strings, posing significant risks.
The recent Clop ransomware attack targeted the MOVEit Transfer file-transfer platform, resulting in compromised networks worldwide. The attack exploited a vulnerability in the Managed File Transfer (MFT) application using a structured query language (SQL) attack vector. The compromised platforms contained sensitive data, potentially exposing a wide range of sensitive customer information from various industries and geographies. Affected entities included U.S. government agencies, airlines, media companies, an oil giant, health services, and international consulting firms.
Bitdefender Labs has discovered a cyberespionage and hacking campaign called 'RedClouds' that utilizes custom malware known as 'RDStealer' to automatically steal data from drives shared through Remote Desktop connections. The campaign has been active since at least 2020, primarily targeting systems in East Asia. While the specific threat actors behind RedClouds have not been identified, Bitdefender suggests that their interests align with China and that they possess the sophistication of a state-sponsored Advanced Persistent Threat (APT) group.
Today, the Threat Hunter Team at Symantec, part of Broadcom, reports that APT15's latest campaign targets foreign affairs ministries in Central and South American countries. The researchers report that the new Graphican backdoor is an evolution of an older malware used by the hackers rather than a tool created from scratch. It is notable for using Microsoft Graph API and OneDrive to stealthily obtain its command and control (C2) infrastructure addresses in encrypted form, giving it versatility and resistance against take-downs.
Des Moines Public Schools, Iowa's largest school district, confirmed today that a ransomware attack was behind an incident that forced it to take all networked systems offline on January 9, 2023. While the school district also received a ransom demand following the attack from an unnamed ransomware group, the ransom has not been paid. Almost 6,700 individuals whose data was affected in the resulting data breach will be contacted this week with details regarding what personal information was exposed.
A cyber-espionage group known as APT28, which is associated with Russia's General Staff Main Intelligence Directorate (GRU), has successfully infiltrated Roundcube email servers belonging to various Ukrainian organizations, including government entities. This threat group, also identified as BlueDelta, Fancy Bear, Sednit, and Sofacy, took advantage of the ongoing Russia-Ukraine conflict to deceive recipients.
Yesterday, ASUS released firmware updates to address vulnerabilities impacting several of its router models, warning customers to update their devices or restrict WAN access until they’re secure. In total, 9 vulnerabilities were addressed, some of which have been rated high and critical in severity. Most severe of the flaws include CVE-2022-26376 and CVE-2018-1160, which have both received a 9.8 score out of 10 on the CVSS scale. CVE-2022-26376 relates to a critical memory corruption weakness in the Asuswrt firmware used in Asus routers. Successful exploitation of this flaw could enable a threat actor to trigger a denial of service or gain code execution.
The threat actors behind the Vidar malware have made changes to their backend infrastructure, indicating attempts to retool and conceal their online trail in response to public disclosures about their modus operandi. ‘Vidar threat actors continue to rotate their backend IP infrastructure, favoring providers in Moldova and Russia,’ cybersecurity company Team Cymru said in a new analysis shared with The Hacker News. Vidar is a commercial information stealer that's known to be active since late 2018. It's also a fork of another stealer malware called Arkei and is offered for sale between $130 and $750 depending on the subscription tier. Typically delivered through phishing campaigns and sites advertising cracked software, the malware comes with a wide range of capabilities to harvest sensitive information from infected hosts.
On Thursday, Progress software disclosed yet another vulnerability in its MOVEit Transfer application, making this the third vulnerability the company has addressed since May 2023. Similar to the previous flaws (CVE-2023-34362 (May 31, 2023) & CVE-2023-35036 (June 9, 2023)), the latest vulnerability (CVE-2023-35708 (June 15, 2023)) also relates to a case of SQLi injection and could allow threat actors to escalate privileges and potentially gain unauthorized access to MOVEit Transfer’s database.
The group responsible for a recent ransomware operation named Rhysida has released online a set of documents they claim were stolen from the network of the Chilean Army (Ejército de Chile). After confirming a security incident on May 29, where their systems were compromised over the weekend of May 27, the Chilean Army took immediate action by isolating the network. Military security experts have begun the process of restoring the affected systems. The incident was promptly reported to Chile's Computer Security Incident Response Team (CSIRT), which operates under the Joint Chiefs of Staff and the Ministry of National Defense. Shortly after the disclosure of the attack, local media reported the arrest and charges filed against an Army corporal in connection with the ransomware attack.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released joint guidance on hardening Baseboard Management Controllers (BMCs). Published this week, the document aims to address the overlooked vulnerabilities in BMCs, which can serve as potential entry points for malicious actors seeking to compromise critical infrastructure systems.
Ruslan Magomedovich Astamirov, a 20-year-old Russian national from the Chechen Republic, has been arrested in Arizona and charged by the U.S. Justice Department for his alleged involvement in deploying LockBit ransomware on the networks of victims in the United States and abroad. According to the criminal complaint, Astamirov participated in a conspiracy with other members of the LockBit ransomware campaign to commit wire fraud, intentionally damage protected computers, and make ransom demands through the use of ransomware.
The hacking group UNC4841 has been connected to data theft incidents targeting Barracuda ESG appliances. These attacks exploited a zero-day vulnerability, CVE-2023-2868, which allowed remote command injection in Barracuda’s email attachment scanning module. The vendor became aware of the vulnerability on May 19th and promptly disclosed the exploitation. CISA issued an alert urging the U.S Federal agencies to apply the necessary security updates. Barracuda took the decision earlier this month to offer affected customers free device replacements instead of reimaging them with new firmware.
As part of the June Patch Tuesday, Microsoft rolled out the Windows 11 22H2 KB5027231 update to fix several vulnerabilities. According to Malwarebytes, the patch is blocking Chrome from loading on updated systems running the vendor’s anti-exploit module. “On June 13, 2023, Microsoft's KB5027231 update installed on Windows 11 caused a conflict between Google Chrome and exploit protection, resulting in browser crashes, stated Malwarebytes in an advisory.
An updated version of an Android remote access trojan dubbed GravityRAT has been found masquerading as messaging apps BingeChat and Chatico as part of a narrowly targeted campaign since June 2022. ‘Notable in the newly discovered campaign, GravityRAT can exfiltrate WhatsApp backups and receive commands to delete files,’ ESET researcher Lukáš Štefanko said in a new report published today.
In a joint advisory, U.S. and international cybersecurity authorities have revealed that the LockBit ransomware gang has extorted approximately $91 million from U.S. organizations through around 1,700 attacks since 2020. LockBit, a Ransomware-as-a-Service (RaaS) operation, emerged as the leading global ransomware threat in 2022, with the highest number of victims reported on their data leak site.
The Russian state-sponsored hacking group Gamaredon (aka Armageddon or Shuckworm) continues to target critical organizations in Ukraine's military and security intelligence sectors, employing a refreshed toolset and new infection tactics. Previously, the Russian hackers, who have been linked to the FSB, were observed using information-stealers against Ukrainian state organizations, employing new variants of their "Pteranodon" malware, and also using a default Word template hijacker for new infections. Symantec's threat research team, part of Broadcom, reports today that the threat actors have recently begun using USB malware to propagate to additional systems inside infected networks.
In April 2023, credible sources such as Bleeping Computer and TechRadar began disseminating alarming accounts of cybercriminals who ingeniously breached WordPress websites. Exploiting the vulnerabilities of the widely-admired plugins, Elementor Pro Premium (webpage builder) and WooCommerce (online storefront), these malicious actors gained unauthorized access with devastating consequences.
As part of the June Patch Tuesday, Microsoft addressed 78 flaws which include 17 Elevation of Privilege Vulnerabilities, 3 Security Feature Bypass Vulnerabilities, 32 Remote Code Execution Vulnerabilities, 5 Information Disclosure Vulnerabilities, 10 Denial of Service Vulnerabilities, 10 Spoofing Vulnerabilities, and 1 Edge - Chromium Vulnerability. Out of the 78 flaws fixed, 6 have been rated critical in severity, 63 rated Important, 2 rated moderate, and 1 rated low in severity.
Hackers are impersonating cybersecurity researchers on Twitter and GitHub to publish fake proof-of-concept exploits for zero-day vulnerabilities that infect Windows and Linux with malware. These malicious exploits are promoted by alleged researchers at a fake cybersecurity company named 'High Sierra Cyber Security,' who promote the GitHub repositories on Twitter, likely to target cybersecurity researchers and firms involved in vulnerability research. The repositories appear legitimate, and the users who maintain them impersonate real security researchers from Rapid7, and other security firms, even using their headshots.
Mihai Ionut Paunescu, a 39-year-old Romanian national, has been sentenced to 36 months in a U.S. federal prison for his role in hosting the digital infrastructure used for banking Trojans that led to the theft of tens of millions of dollars. He pleaded guilty to conspiring to commit computer intrusion with the intent to defraud. Paunescu, also known as "Virus," played a critical role in providing the necessary IT infrastructure, which involved renting IP addresses and relocating customer data to different networks and IP addresses to avoid detection by law enforcement.
Cybersecurity experts at Orca Security have identified two critical cross-site scripting (XSS) vulnerabilities in Microsoft Azure services. The vulnerabilities are related to an identified weakness in the postMessage iframe. Abusing this flaw could expose Azure users to potential security breaches. These vulnerabilities were found in both Azure Bastion and the Azure Container Registry, which are two commonly used services in the Azure ecosystem.
The UK’s communication regulator, Ofcom, revealed a data breach caused by a Clop ransomware attack. Exploiting a zero-day vulnerability in the MOveit file transfer system, the attackers successfully infiltrated Ofcom’s infrastructure. A representative from Ofcom stated “A limited amount of information about certain companies we regulate – some of it confidential – along with personal data of 412 Ofcom employees, was downloaded during the attack,” the spokesperson told The Record.
On Monday, Fortinet issued a security advisory warning that a recently patched vulnerability may have been exploited in attacks in the wild. Tracked as CVE-2023-27997, the flaw relates to a heap buffer over in FortiOS and FortiProxy SSL-VPN and could be exploited by a remote attacker to execute arbitrary code or commands via specially crafted requests.
A widespread brand impersonation campaign targeting over a hundred popular apparel, footwear, and clothing brands has been underway since June 2022, tricking people into entering their account credentials and financial information on fake websites. The brands impersonated by the phony sites include Nike, Puma, Asics, Vans, Adidas, Columbia, Superdry Converse, Casio, Timberland, Salomon, Crocs, Sketchers, The North Face, UGG, Guess, Caterpillar, New Balance, Fila, Doc Martens, Reebok, Tommy Hilfiger, and others. According to Bolster's threat research team, who discovered the campaign, it relies on at least 3,000 domains and roughly 6,000 sites, including inactive ones.
Microsoft revealed in an update to the Azure status page that the preliminary root cause behind an outage that impacted the Azure Portal worldwide on Friday was what it described as a traffic "spike." Customers who wanted to access the Azure Portal on Friday afternoon at portal.azure[.]com reported issues connecting and seeing a warning saying,
Researchers using a Remote Desktop Protocol honeypot found that exposed connections are so attractive to attackers that they were targeted around 37,000 times a day from various IP addresses. The attacks are completely automated, but once the right access credentials were found via brute-forcing, hackers will manually begin looking for important or sensitive files.
Microsoft researchers have issued a warning about a new form of cyber attack known as "adversary-in-the-middle" (AiTM) phishing and business email compromise (BEC), specifically targeting banking and financial institutions. These attacks involve threat actors creating a proxy server that sits between a user and their desired website. The proxy server, controlled by the attackers, intercepts and captures the user's password and session cookie, allowing the attackers to gain unauthorized access to sensitive information.
A group of Ukrainian hackers known as the Cyber.Anarchy.Squad claimed an attack that took down Russian telecom provider Infotel JSC on Thursday evening. Among other things, Moscow-based Infotel provides connectivity services between the Russian Central Bank and other Russian banks, online stores, and credit institutions.
Fortinet has released new Fortigate firmware updates that fix an undisclosed, critical pre-authentication remote code execution vulnerability in SSL VPN devices, tracked as CVE-2023-27997. The security fixes were released on Friday in FortiOS firmware versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5.
The Play ransomware attack suffered by the IT services provider Xplain has proven to be worse than initially estimated. The incident has also impacted the national railway company of Switzerland (FSS) and the canton of Aargau. In early June, Swiss police initiated an investigation into the cyber attack that targeted Xplain, a Bernese IT company providing services to various federal and cantonal government departments, the army, customs, and the Federal Office of Police (Fedpol).
On Friday, Progress Software released security fixes to address several SQL injection vulnerabilities impacting its file transfer application, MOVEit. Although the company has yet to assign individual CVEs for the flaws, successful exploitation could enable an un-authenticated attacker to gain unauthorized access to the MOVEit Transfer database.
The personal information of approximately 100,000 Nova Scotia Health employees was unlawfully obtained by hackers who exploited a zero-day vulnerability in Progress Software's MOVEit managed file transfer application. The recent disclosure made by the women's and children's health center is a sign that other healthcare organizations may also announce data breaches caused by ransomware hackers who exploited a previously fixed vulnerability in the software.
esterday, VMware addressed several critical and high-severity vulnerabilities impacting its VMware Aria Operations for Networks. “Previously known as vRealize Network Insight (vRNI), this network visibility and analytics tool helps admins optimize network performance or manage and scale various VMware and Kubernetes deployments.
Researchers at SentinelOne have uncovered a new Kimsuky-backed social-engineering campaign targeting experts in North Korean affairs to steal Google and subscription credentials for NK news, an American-based news website that provides analysis and news focusing on North Korea. In the latest campaign, the group was observed sending emails impersonating Chad O’Carroll, the founder of NK News. The emails request victims to review a draft article analyzing the nuclear threat posed by North Korea. If the victim replies to the email, a follow up email is sent by Kimsuky which contains a spoofed URL to a Google document, designed to redirect the target to a malicious website crafted to capture Google credentials.
The Microsoft Windows vulnerability CVE-2023-29336 (CVSS score 7.8) is an elevation of privilege issue that resides in the Win32k component. Win32k.sys is a system driver file in the Windows operating system. The driver is responsible for providing the interface between user-mode applications and the Windows graphical subsystem. The vulnerability is actively exploited in attacks. The issue can be chained with a code execution bug to spread malware. The vulnerability was reported by researchers Jan Vojtěšek, Milánek, and Luigino Camastra from Avast Antivirus firm. The researchers believe this flaw was used as part of an exploit chain to deliver malware.
he Clop ransomware gang has been looking for ways to exploit a now-patched zero-day in the MOVEit Transfer managed file transfer (MFT) solution since 2021, according to Kroll security experts. While analyzing logs on some clients' compromised networks during the investigation of recent Clop data theft attacks targeting vulnerable MOVEit Transfer instances, they found malicious activity matching the method used by the gang to deploy the newly discovered LemurLoot web shell.
Researchers suggest that a hacking collective, believed to have connections to the Belarusian government, is engaging in a fusion of illicit cyber activities involving both criminal endeavors and espionage in the digital realm. There is evidence to suggest that a hacking organization linked to the Belarusian government is blending cybercrime activities with cyberespionage. Referred to as Asylum Ambuscade, this group has been identified as "a cybercrime group that engages in some cyberespionage activities on the side" since 2020, as stated in a recent report by cybersecurity firm ESET, authored by malware researcher Matthieu Faou.
The Royal ransomware gang has begun testing a new encryptor called BlackSuit that shares many similarities with the operation's usual encryptor. Since late April, there have been rumbles that the Royal ransomware operation was getting ready to rebrand under a new name. This escalated further after they began to feel pressure from law enforcement after they attacked the City of Dallas, Texas. A new BlackSuit ransomware operation was discovered in May that used its own branded encryptor and Tor negotiation sites.
Cisco recently addressed a high-severity flaw in its Cisco Secure Client software that could allow threat actors to escalate privileges to the SYSTEM account used by the operating system. “Cisco Secure Client enables employees to work from anywhere via a secure Virtual Private Network (VPN) and provides admins with endpoint management and telemetry features.
Email and network security company Barracuda warns customers they must replace Email Security Gateway (ESG) appliances hacked in attacks targeting a now-patched zero-day vulnerability. "Impacted ESG appliances must be immediately replaced regardless of patch version level," the company warned in a Tuesday update to the initial advisory. "Barracuda's remediation recommendation at this time is full replacement of the impacted ESG.
A cybercriminal affiliated with the Magecart group has successfully infected an undisclosed number of e-commerce websites across the United States, United Kingdom, and five other countries with malware designed to skim credit card numbers and personally identifiable information (PII) from unsuspecting individuals who engage in online purchases on these platforms. However, a novel twist in this malicious campaign involves the exploitation of the same compromised websites as hosts for distributing the card-skimming malware to other targeted sites.
Outlook.com is suffering a series of outages today after being down multiple times yesterday, with hacktivists known as Anonymous Sudan claiming to perform DDoS attacks on the service. This outage follows two major outages yesterday, creating widespread disruptions for global Outlook users, preventing users worldwide from reliably accessing or sending email and using the mobile Outlook app.
Thousands of adware apps for Android have been found to masquerade as cracks or modded versions of popular applications to serve unwanted ads to users as part of a campaign ongoing since October 2022. ‘The campaign is designed to aggressively push adware to Android devices with the purpose to drive revenue,
The open redirect vulnerability plaguing NASA's Astrobiology website was independently discovered by the Cybernews research team. Upon finding the flaw, it was revealed that a researcher from an open bug bounty program had already identified it a few months earlier on January 14th, 2023. However, the agency failed to address and fix the vulnerability, exposing global users to risks until May 2023. Attackers could have exploited the flaw to redirect unsuspecting users to malicious websites, luring them into providing sensitive data such as login credentials and credit card numbers.
A new cyber-attack technique using the OpenAI language model ChatGPT has emerged, allowing attackers to spread malicious packages in developers' environments. Vulcan Cyber's Voyager18 research team described the discovery in an advisory published today. "We've seen ChatGPT generate URLs, references and even code libraries and functions that do not actually exist. These large language model (LLM) hallucinations have been reported before and may be the result of old training data," explains the technical write-up by researcher Bar Lanyado and contributors Ortal Keizman and Yair Divinsky.
A new PowerShell malware called "PowerDrop" specifically targets the U.S. aerospace defense industry. The cybersecurity firm Adlumin, found a sample of this malware in the network of a defense contractor in the U.S. PowerDrop utilizes PowerShell and Windows Management Instrumentation (WMI) to establish a persistent remote access trojan (RAT) within the compromised networks. The tactics employed by the malware fall somewhere between "off-the-shelf" malware and sophisticated advanced persistent threat (APT) techniques. Based on the timing and targets of the attacks, it is highly probable that the perpetrator behind the malware is a state-sponsored entity.
Threat actors associated with the Cyclops ransomware have been observed offering an information stealer malware that's designed to capture sensitive data from infected hosts. ‘The threat actor behind this [ransomware-as-a-service] promotes its offering on forums," Uptycs said in a new report.' ‘There it requests a share of profits from those engaging in malicious activities using its malware.’ The Go-based stealer, for its part, is designed to target Windows and Linux systems, capturing details such as operating system information, computer name, number of processes, and files of interest matching specific extensions.
Yesterday, Google released security updates to address a zero-day flaw in its Chrome web browser. Tracked as CVE-2023-3079, the bug has been assessed as a high-severity issue and is related to a type confusion bug in the Chrome V8 JavaScript engine. “Type confusion bugs arise when the engine misinterprets the type of an object during runtime, potentially leading to malicious memory manipulation and arbitrary code execution.
The state government of Iowa has recently reported its third major health data breach since April, all involving third-party vendors. The most recent breach occurred at dental health insurer MCNA Insurance Co., with the Iowa Department of Health and Human Services disclosing that hackers compromised the protected health information of nearly 234,000 Iowa residents.
VMware’s Carbon Black Managed Detection and Response (MDR) team saw a surge in TrueBot activity in May 2023. TrueBot is a botnet that has been active since 2017 and is linked to the Silence group, a cybercriminal group that is known for targeting banks and financial institutions, in addition to the educator sector. According to VMware’s MDR team, TrueBot has been under active development by Silence, with the latest versions now leveraging a Netwrix vulnerability (CVE-2022-31199, CVSS score: 9.8) as a delivery vector.
On Sunday night, Microsoft's Threat Intelligence team tweeted that they have linked the recent attacks that exploit a zero-day vulnerability in the MOVEit Transfer platform to the Clop ransomware gang, which is also known as Lace Tempest. This particular gang has gained a reputation for conducting ransomware operations and managing the Clop extortion site. BleepingComputer was the first to report last Thursday that threat actors have been exploiting a previously unknown vulnerability in MOVEit Transfer servers to illicitly obtain data from targeted organizations.
Zyxel has published a security advisory containing guidance on protecting firewall and VPN devices from ongoing attacks and detecting signs of exploitation. This warning comes in response to multiple reports of widespread exploitation of the CVE-2023-28771 and the exploitability and severity of CVE-2023-33009 and CVE-2023-33010, all impacting Zyxel VPN and firewall devices.
Royal ransomware is one of the most notable ransomware families of 2022, it made the headlines in early May 2023 with the attack against the IT systems in Dallas, Texas. The human-operated Royal ransomware first appeared on the threat landscape in September 2022, it has demanded ransoms up to millions of dollars.
Toyota, the automobile manufacturer, apologized for leaking customer records online due to a misconfigured cloud environment. This is the second time Toyota has apologized for a cloud leak in recent weeks. The company said the leak was caused by "insufficient dissemination and enforcement of data handling rules." Toyota said there is no evidence that the data has been misused.
The Chinese nation-stage group known as Camaro Dragon has been linked to yet another backdoor that's designed to meet its intelligence-gathering goals. Israeli cybersecurity firm Check Point, which dubbed the Go-based malware TinyNote, said it functions as a first-stage payload capable of ‘basic machine enumeration and command execution via PowerShell or Goroutines.’ What the malware lacks in terms of sophistication, it makes up for it when it comes to establishing redundant methods to retain access to the compromised host by means of multiple persistency tasks and varied methods to communicate with different servers.
Google has removed from the Chrome Web Store 32 malicious extensions that could alter search results and push spam or unwanted ads. Collectively, they come with a download count of 75 million. The extensions featured legitimate functionality to keep users unaware of the malicious behavior that came in obfuscated code to deliver the payloads. Cybersecurity researcher Wladimir Palant analyzed the PDF Toolbox extension (2 million downloads) available from Chrome Web Store and found that it included code that was disguised as a legitimate extension API wrapper.
A previously unknown campaign involving the Hotabot botnet malware has targeted Spanish-speaking users in Latin America since at least November 2020, infecting them with a banking trojan and spam tool. The malware enables the operators to take control of the victim's Gmail, Outlook, Hotmail, or Yahoo email accounts, steal email data and 2FA codes arriving in the inbox, and send phishing emails from the compromised accounts. The new Horabot operation was discovered by analysts at Cisco Talos, who report that the threat actor behind it is likely based in Brazil. The multi-stage infection chain begins with a tax-themed phishing email sent to the target, with an HTML attachment that is supposedly a payment receipt. Opening the HTML launches a URL redirection chain that lands the victim on an HTML page hosted on an attacker-controlled AWS instance.
The application programming interface (API) is an unsung hero of the digital revolution. It provides the glue that sticks together diverse software components in order to create new user experiences. But in providing a direct path to back-end databases, APIs are also an attractive target for threat actors. It doesn’t help that they have exploded in number over recent years, leading many deployments to go undocumented and unsecured. According to one recent study, 94% of global organizations have experienced API security problems in production over the past year with nearly a fifth (17%) suffering an API-related breach. It’s time to gain visibility and control of these digital building blocks.
Cybercriminals are taking advantage of a zero-day vulnerability in the MOVEit Transfer software. This vulnerability allows them to illicitly obtain data from targeted organizations. MOVEit Transfer is a managed file transfer (MFT) software designed by Ipswitch, a subsidiary of Progress Software Corporation based in the United States. It facilitates secure file transfers between enterprises, business partners, and customers using protocols like SFTP, SCP, and HTTP-based uploads.
Security researchers have recently detected a novel Android Trojan that has the potential to compromise a staggering 421 million devices. In a recently released advisory on Monday, the Doctor Web team revealed details about this Trojan, referred to as Android[.]Spy.SpinOk. Android[.]Spy.SpinOk possesses numerous spyware capabilities, such as gathering files and capturing clipboard content. This Trojan spreads by being concealed within other applications, thereby infecting a vast number of devices.
This should be treated as Critical if you are a user of Gigabyte systems. We may upgrade this to High severity should reports of active exploitation occur.
Researchers from firmware security firm Eclypsium have discovered a suspected backdoor-like behavior within Gigabyte systems. The experts discovered that the firmware in Gigabyte systems drops and executes a Windows native executable during the system startup process. The executable is utilized for insecure downloading and execution of additional payloads. The experts pointed out that this is the same behavior observed for other OEM backdoor-like features like Computrace backdoor (a.k.a. LoJack DoubleAgent) and firmware implants such as Sednit LoJax, MosaicRegressor, Vector-EDK,.
A threat actor known as Spyboy is promoting a tool called "Terminator" on a Russian-speaking hacking forum that can allegedly terminate any antivirus, XDR, and EDR platform. However, CrowdStrike says that it's just a fancy Bring Your Own Vulnerable Driver (BYOVD) attack.
A critical command injection flaw in Zyxel networking devices is being exploited by hackers in widespread attackers to install malware. Tracked as CVE-2023-28771, the flaw resides in the default configuration of impacted firewall and VPN devices and can be abused to perform unauthenticated remote code execution via a specially crafted IKEv2 packet to UDP port 500 on the impacted device.
The threat actors behind BlackCat ransomware have come up with an improved variant that prioritizes speed and stealth in an attempt to bypass security guardrails and achieve their goals. The new version, dubbed Sphynx and announced in February 2023, packs a ‘number of updated capabilities that strengthen the group's efforts to evade detection,’ IBM Security X-Force said in a new analysis. The ‘product’ update was first highlighted by vx-underground in April 2023. Trend Micro, last month, detailed a Linux version of Sphynx that's ‘focused primarily on its encryption routine.
In 2023, the Dark Pink APT hacking group remains highly active, focusing its attacks on government, military, and education organizations in Indonesia, Brunei, and Vietnam. This threat group has been operational since around mid-2021, primarily concentrating its efforts on targets in the Asia-Pacific region. However, it was only in January 2023 that the group gained public attention following a report by Group-IB. According to the researchers, a thorough analysis of the group's past activities has revealed further instances of breaches.
The threat actors behind RomCom RAT are leveraging a network of fake websites advertising rogue versions of popular software at least since July 2022 to infiltrate targets. Cybersecurity firm Trend Micro is tracking the activity cluster under the name Void Rabisu, which is also known as Tropical Scorpius (Unit 42) and UNC2596 (Mandiant). ‘
Researchers at Microsoft, Jonathan Bar Or, Michael Pearse, and Anurag Bohra, recently disclosed details of a now-patched flaw in Apple macOS that could be exploited by threat actors with root access to bypass security enforcements and perform arbitrary actions on unpatched devices. Tracked as CVE-2023-32369 (aka ‘Migraine’), the flaw could permit actors to bypass a security feature dubbed System Integrity Protection (SIP) which is designed to limit the actions a root user can perform on protected files and folders. By abusing this flaw, “an attacker can create files that are protected by SIP and therefore undeletable by ordinary means.
Cybersecurity firm Kaspersky has identified the primary factors contributing to advanced persistent threat (APT) attacks in industrial sectors. The first of them, discussed in a new report published today, is the absence of isolation in operational technology (OT) networks” (Info Security Magazine, 2023). Kaspersky observed engineering workstations being connected to both the IT and OT networks. Previously air-gapped OT/ICS environments are being more commonly connected to the Internet.
Mikhail Matveev, 31, the Russian national whom prosecutors accused of wielding not one but three strains of ransomware. Two federal indictments unsealed this month accuse Matveev - aka Wazawaka, m1x, Boriselcin, Uhodiransomwar - of operating as an affiliate for the LockBit, Babuk and Hive ransomware groups. Security experts say the indictments are notable because they don't target ransomware-as-a-service group chiefs but rather a foot soldier who was directly responsible for hacking into victims' networks and using the ransomware to extort them.
Phishers have devised a novel phishing technique known as "file archiver in the browser" that capitalizes on victims visiting a .ZIP domain. This method involves emulating a file archiver software within a web browser, as revealed by security researcher mr.d0x. Recently, Google introduced eight additional top-level domains (TLDs), including .zip and .mov. However, cybersecurity professionals are cautioning about potential malicious activities associated with these domains.
A database for the notorious RaidForums hacking forums has been leaked online, allowing threat actors and security researchers insight into the people who frequented the forum. RaidForums was a very popular and notorious hacking and data leak forum known for hosting, leaking, and selling data stolen from breached organizations. Threat actors who frequented the forum would hack into websites or access exposed database servers to steal customer information.
CISA has added a recently patched zero-day zero vulnerability to its know catalog of actively exploited flaws, urging federal agencies to apply the fixes by June 16, 2023. Tracked as CVE-2023-2868, the flaw is related to a remote code injection impacting Barracuda Email Security Gateway (ESG) appliances, versions 5.1.3.001 through 9.2.0.006.
Losses to fraud reported by the organization's more than 300 member firms, which provide credit, banking, markets and payment services in the U.K., declined 8% from 2021, although still involved 3 million cases of fraud. "These numbers are big but slightly down on where we were in 2021, both in terms of the number of cases and the value of losses," said Lee Hopley, director of economic insight and research at UK Finance. The industry reported preventing about $1.5 billion worth of fraud in 2022, although she said the actual amount is likely higher, given the challenges of measuring fraud prevention.
The notorious North Korean state-backed hackers, known as the Lazarus Group, are now targeting vulnerable Windows Internet Information Services (IIS) web servers to gain initial access to corporate networks. Lazarus is primarily financially motivated, with many analysts believing that the hackers' malicious activities help fund North Korea's weapons development programs. However, the group has also been involved in several espionage operations. The latest tactic of targeting Windows IIS servers was discovered by South Korean researchers at the AhnLab Security Emergency Response Center (ASEC).
COSMICENERGY’s capabilities and overall attack strategy appear reminiscent of the 2016 INDUSTROYER incident, which issued IEC-104 ON/OFF commands to interact with RTUs and, according to one analysis, may have made use of an MSSQL server as a conduit system to access OT. Leveraging this access, an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption. COSMICENERGY accomplishes this via its two derivative components, which we track as PIEHOP and LIGHTWORK. PIEHOP is a disruption tool written in Python and packaged with PyInstaller that is capable of connecting to a user-supplied remote MSSQL server for uploading files and issuing remote commands to a RTU. PIEHOP utilizes LIGHTWORK to issue the IEC-104 commands "ON" or "OFF" to the remote system and then immediately deletes the executable after issuing the command.
The City of Augusta in Georgia, USA, has verified that the recent disruption to its IT system was a result of unauthorized intrusion into its network. While the administration has not revealed specific details about the nature of the cyberattack, the BlackByte ransomware group has publicly acknowledged the city of Augusta as one of its targeted victims.
Attackers are now using encrypted RPMSG attachments sent via compromised Microsoft 365 accounts to steal Microsoft credentials in targeted phishing attacks designed to evade detection by email security gateways. RPMSG files (also known as restricted permission message files) are encrypted email message attachments created using Microsoft's Rights Management Services (RMS) and offer an extra layer of protection to sensitive info by restricting access to authorized recipients. To access and read the encrypted contents of RPMSG attachments, recipients are required to either authenticate using their Microsoft account or acquire a one-time passcode for decryption.
A relatively new ransomware operation calling itself Buhti appears to be eschewing developing its own payload and is instead utilizing variants of the leaked LockBit and Babuk ransomware families to attack Windows and Linux systems. While the group doesn’t develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types. Buhti, which first came to public attention in February 2023, was initially reported to be attacking Linux computers. However, Symantec’s Threat Hunter Team has also uncovered attempts to attack Windows computers on compromised networks.
A report from Sentinel Labs has revealed the details of this campaign, shedding light on the tools utilized by the threat actor, the different methods of infection employed, and the techniques employed to distribute their malware. The analyst obtained information regarding the origin and tactics of the threat actor through the discovery of a server misconfiguration that inadvertently exposed files, directories, internal correspondence, and other sensitive data.
Researchers at AnhLab Security Emergency Response Center (ASEC) have revealed that the Lazarus APT Group, a cybercriminal organization associated with North Korea, has been focusing its attention on exploiting vulnerable Microsoft IIS servers. Through the use of DLL side-loading, the attackers deploy a malicious Dll file named msvcr100[.]dll, which is strategically placed in the same directory as a legitimate application called Wordconv[.]exe. By exploiting the Windows ISS web server process the malicious library is executed to carry out their nefarious activities.
This advisory highlights the recent state-sponsored cyber activity by the People's Republic of China (PRC) and provides crucial information for network defenders to identify and mitigate this activity. The advisory focuses on network and host artifacts, particularly command lines used by the cyber actor, and includes indicators of compromise (IOCs) for reference. However, defenders should exercise caution and evaluate matches to determine their significance, considering the possibility of false positive indicators resulting from benign activity.
FortiEDR research lab has identified a targeted attack against a government entity in the United Arab Emirates, involving a custom PowerShell-based backdoor called PowerExchange. The backdoor utilizes the victim's Microsoft Exchange server as its command and control (C2) server, operating through an email-based C2 protocol. The investigation revealed multiple implants and a unique web shell named ExchangeLeech, capable of credential harvesting. The indicators point to an Iranian threat actor as the perpetrator of these attacks. The attack chain starts with email phishing and the execution of a malicious .NET executable. The backdoor establishes communication with the Exchange server, sends and receives commands through mailboxes, and executes malicious payloads.
North Korean hackers belonging to the Kimsuky group are employing custom-built malware to carry out information exfiltration campaigns against organizations supporting human rights activists and North Korean defectors. The cybersecurity firm SentinelOne discovered a new variant of the RandomQuery malware, which is commonly used by the Pyongyang threat actor. Kimsuky specializes in targeting think tanks and journalists. The distribution of the malware is facilitated through compiled HTML files, a tactic frequently utilized by North Korean hackers. The objective of this particular campaign is file enumeration and information exfiltration, “The variation of RandomQuery in this campaign has the "single objective of file enumeration and information exfiltration," in contrast to recently observed North Korean use of the malware to support a wider array of functions such as keylogging and the execution of additional malware.
Kaspersky recently disclosed the activities of a lesser-known advanced persistent threat group called GoldenJackal. This group has been engaged in espionage against government and diplomatic organizations in Asia since 2019. To maintain a cover presence, the threat actors have been cautious in their operations. They carefully choose their targets and limit the frequency of their attacks, aiming to minimize the risk of detection. Kaspersky, which has been monitoring GoldenJackal since 2020, has revealed that the group is active in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey.
A large-scale operation focused on harvesting credentials has emerged, utilizing a legitimate email newsletter program called SuperMailer to distribute a substantial volume of phishing emails. The intention behind this campaign is to bypass secure email gateway protections. Recent findings from Cofense, as of May 23, reveal that SuperMailer-generated emails account for a significant portion of all credential phishing attempts, constituting approximately 5% of the firm's telemetry for May.
A former IT employee of an Oxford-based company has been convicted of blackmailing his employer and unauthorized access to a computer for personal gain. After a cyber security incident at the company, the employee took advantage of the breach by accessing a board member's private emails, altering the original blackmail email, and changing the payment address.
Proofpoint researchers have discovered that advanced persistent threat (APT) actors are increasingly targeting small and medium-sized businesses (SMBs), governments, militaries, and major corporations through compromised SMB infrastructure in phishing campaigns. These threat actors are also launching financially motivated attacks against SMB financial services firms and carrying out supply chain attacks affecting SMBs. Proofpoint emphasizes the tangible risk that APT actors pose to SMBs today through the compromise of their infrastructure.
Barracuda, a company specializing in email and network security solutions, informed its customers that some of their Email Security Gateway (ESG) appliances were breached due to a recently patched zero-day vulnerability. The vulnerability was discovered on May 19 and was promptly addressed with security patches on May 20 and 21. Barracuda confirmed unauthorized access to a subset of ESG appliances but assured customers that its other products were unaffected. Impacted organizations were notified, and Barracuda advised them to review their environments for any potential spread of the threat actors to other devices on the network. Details regarding the number of affected customers and potential data impact were not provided.
Researchers warn of a threat actor known as CloudWizard APT, which is actively targeting organizations operating in the Russo-Ukraine conflict region. In March 2023, Kaspersky reearchers dicovered the new APT group, referred to as Bad Magic or Red Stinger, engaging in cyber attacks against entities in the same area. The attackers utilized PowerMagic and CommonMagic implants in their operations. During their investigation, the researchers discovered another set of highly advanced malicious activities linked to the same threat actor, demonstrating even greater sophistication.
A multinational company headquartered in Houston, Texas, Sysco is one of the largest distributors of food products, kitchen equipment, smallware, and tabletop products to restaurants, lodging establishments, healthcare and education organizations, and other entities” (Security Week, 2023). The company initially disclosed the incident in early May, in a Form 10-Q filing with the US Securities and Exchange Commission (SEC), when it revealed that the data breach was identified on March 5, 2023, but said that the attackers likely had unauthorized access to its systems starting January 14, 2023.
In early May, researchers at eSentire Threat Response Unit (TRU) spotted an ongoing BatLoader campaign using Google Search Ads to redirect victims to imposter web pages for AI-based services like ChatGPT and Midjourney” (Info Security Magazine, 2023). Threat actors are using BatLoader in the form of an MSIX Windows App Installer file to deliver Redline Stealer.
In the campaign observed by the researchers, threat actors are using BatLoader in the form of MSIX Windows App Installer files to deliver the Redline Stealer. In February 2023, eSentire reported another BatLoader campaign targeting users searching for AI tools.“Both AI services are extremely popular but lack first-party standalone apps (i.e., users interface with ChatGPT via their web interface while Midjourney uses Discord). This vacuum has been exploited by threat actors looking to drive AI app-seekers to imposter web pages promoting fake apps.
Rapid7 researchers have issued a warning regarding a recently patched command injection vulnerability (CVE-2023-28771) in various Zyxel firewalls. They have published a technical analysis and a Proof of Concept (PoC) script that demonstrates the vulnerability, enabling the attacker to gain a reverse root shell. The affected devices include Zyxel APT, USG FLEX, and VPN firewalls running ZDL firmware versions v4.60 to v5.35, as well as Zyxel ZyWALL/USG gateways/firewalls running ZLD v4.60 to v4.73. These firewall devices perform network traffic monitoring and control, possess VPN and SSL inspection capabilities, and provide additional protection against malware and other threats.
A large-scale phishing-as-a-service operation is shifting tactics to allow attackers to avoid anomaly detection by using localized IP addresses, warns Microsoft. The computing giant discovered the provider in 2021 after detecting a phishing campaign that used more than 300,000 domains and unique subdomains in a single run. BulletProofLink, also referred to as BulletProftLink or Anthrax, sells access to phishing kits, email templates, hosting, and automated series "at a relatively low cost.”
Business email fraud continues to rise, with the Federal Bureau of Investigation (FBI) reporting more than 21,000 complaints with adjusted losses over $2.7 billion. Microsoft has observed an increase in sophistication and tactics by threat actors specializing in business email compromise (BEC), including leveraging residential internet protocol (IP) addresses to make attack campaigns appear locally generated. This new tactic is helping criminals further monetize Cybercrime-as-a-Service (CaaS) and has caught federal law enforcement’s attention because it allows cybercriminals to evade “impossible travel” alerts used to identify and block anomalous login attempts and other suspicious account activity.
CISA warned last Friday of a security vulnerability affecting Samsung devices which has been used in attacks to bypass Android address space layout randomization (ASLR) protection. ASLR is an Android security feature that randomizes the memory addresses where key app and OS components are loaded into the device's memory. This makes it more difficult for attackers to exploit memory-related vulnerabilities and successfully launch attacks like buffer overflow, return-oriented programming, or other memory-based exploits.
New findings reveal a significant increase in cyber espionage attacks targeting Taiwanese organizations, coinciding with recent political tensions. According to research by Trellix, the number of malicious phishing emails aimed at Taiwanese companies surged between April 7 to the 10th of this year. The most affected sectors were networking/IT, manufacturing, and logistics.
The LockBit ransomware group has leaked 1.5 terabytes of personal and financial data from Bank Syariah Indonesia (BSI) after failed ransom negotiations. The stolen data includes information from approximately 15 million customers and employees of the country's largest Islamic bank. BSI has restored its key banking services under the supervision of Bank Indonesia. BSI initially experienced disruptions due to a cyberattack, but LockBit claims the bank misled customers by attributing the issues to technical maintenance.
The notorious cryptojacking group tracked as 8220 Gang has been spotted weaponizing a six-year-old security flaw in Oracle WebLogic servers to ensnare vulnerable instances into a botnet and distribute cryptocurrency mining malware. The flaw in question is CVE-2017-3506 (CVSS score: 7.4), which, when successfully exploited, could allow an unauthenticated attacker to execute arbitrary commands remotely. ‘This allows attackers to gain unauthorized access to sensitive data or compromise the entire system,’ Trend Micro researcher Sunil Bharti said in a report published this week. 8220 Gang, first documented by Cisco Talos in late 2018, is so named for its original use of port 8220 for command-and-control (C2) network communications.
Apple recently patched three new zero-day flaws which were exploited in attacks targeting vulnerable iPhones, Macs, and iPad. Tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, the vulnerabilities reside in the multi-platform WebKit browser engine.
Hackers are now actively probing for vulnerable Essential Addons for Elementor plugin versions on thousands of WordPress websites in massive Internet scans, attempting to exploit a critical account password reset flaw disclosed earlier in the month. The critical-severity flaw is tracked as CVE-2023-32243 and impacts Essential Addons for Elementor versions 5.4.0 to 5.7.1, allowing unauthenticated attackers to arbitrarily reset the passwords of administrator accounts and assume control of the websites. The flaw that impacted over a million websites was discovered by PatchStack on May 8th, 2023, and fixed by the vendor on May 11th, with the release of the plugin's version 5.7.2.
Every day, numerous Android phone users worldwide unknowingly contribute to the financial gains of an organization known as the Lemon Group simply by owning their devices. What these users are unaware of is that the Lemon Group has pre-infected their phones even before they purchase them. As a result, the Lemon Group secretly exploits these devices, utilizing them to steal and sell SMS messages and one-time passwords (OTPs), display unwanted advertisements, create online messaging and social media accounts, and carry out various other activities.
The U.S. cybersecurity agency has warned that the BianLian ransomware group is shifting from malicious encryption to pure extortion. Instead of double extortion, the group now demands a ransom for keeping stolen data secret. The group's change in tactics is likely influenced by the release of a free decryptor by cybersecurity firm Avast. BianLian gains initial access to networks through compromised remote desktop protocol credentials, acquired from brokers or through phishing. They implant a customized backdoor and install remote management tools like TeamViewer.
A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking. The ransomware operation, dubbed MalasLocker by BleepingComputer, began encrypting Zimbra servers towards the end of March 2023, with victims reporting in both the BleepingComputer and Zimbra forums that their emails were encrypted.
Yesterday, Cisco published an advisory, warning customers of four critical remote code execution vulnerabilities (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189) impacting several of its Small Business Series Switches. The four flaws received a CVSS score of 9.8 out of 10 and are due to an improper validation of requests sent to the targeted switches’ web interfaces. A successful exploit of the issues could enable unauthenticated actors to execute arbitrary code with root privileges on targeted devices.
Cybersecurity researchers and IT admins have raised concerns over Google's new ZIP and MOV Internet domains, warning that threat actors could use them for phishing attacks and malware delivery. Earlier this month, Google introduced eight new top-level domains (TLD) that could be purchased for hosting websites or email addresses. The new domains are .dad, .esq, .prof, .phd, .nexus, .foo, and for the topic of our article, the .zip and .mov domain TLDs.
A recent collaboration between government agencies in the United States and Australia, led by CISA, has resulted in a joint Cybersecurity Advisory. The advisory highlights the latest tactics, techniques, and procedures (TTPs) employed by the BianLian ransomware group, which has been actively targeting critical infrastructure in both countries since June 2022. As part of the broader #StopRansomware initiative, this advisory draws on investigations conducted by the FBI and the Australian Cyber Security Centre (ACSC) up until March 2023.
The U.S Justice Department of The Treasury recently imposed sanctions on Mikhail Matveev, a Russian citizen, for his role in launching cyberattacks against U.S law enforcement, businesses, and critical infrastructure. Matveev is known for his affiliation with various Russia-linked ransomware variants such as Hive LockBit and Babuk. According to the Treasury,
Group-IB recently uncovered a previously undocumented attack infrastructure utilized by the SideWinder, a prolific state-sponsored group, to target entities located in Pakistan and China. The infrastructure unearthed encompasses 55 domains and IP addresses which were identified by researchers as phishing domains mimicking various organizations in the news, government, telecommunications, and financial sectors.
U.S. federal prosecutors have announced indictments and arrests related to illegal technology exports to Russia, China, and Iran. The cases involve individuals accused of smuggling military and dual-use technology, including tactical military antennas, lasers, pressure sensors, and other electronics. The Biden administration has vowed to crack down on export violations and has created the Disruptive Technology Strike Force. The cases highlight the efforts to prevent advanced technology from falling into the hands of foreign adversaries who may use them to threaten national security and democratic values.
A Chinese state-sponsored hacking group named "Camaro Dragon" infects residential TP-Link routers with a custom "Horse Shell" malware used to attack European foreign affairs organizations. The backdoor malware is deployed in a custom and malicious firmware designed specifically for TP-Link routers so that the hackers can launch attacks appearing to originate from residential networks.
During last week’s Black Hat Asia 2023 conference, Israeli industrial cybersecurity firm OTORIO disclosed several vulnerabilities in cloud management platforms associated with three industrial cellular router vendors that could expose OT networks to external attacks. In total 11 vulnerabilities were disclosed, which could enable threat actors to execute code remotely and take control over hundreds of thousands of devices and OT networks. In particular, the flaws impact cloud-based management solutions offered by Sierra Wireless, Teltonika Networks, and InHand Networks to remotely manage and operate devices.
Security experts have discovered a fresh advancement in business email compromise tactics aimed at intensifying the recipient's urgency to settle a counterfeit invoice. Referred to as "VIP Invoice Authentication Fraud" by Armorblox, this strategy involves deceptive emails that imitate reputable vendors or familiar third parties regularly receiving payments from the targeted organization. The scammer initiates an invoice request targeting an individual, often in the finance team of the targeted organization. What sets this tactic apart from others is that the scammer also includes the recipient's boss in the email thread, using a fake email domain that closely resembles the boss's actual email address.
A new ransomware group named 'RA Group' is targeting pharmaceutical, insurance, wealth management, and manufacturing firms in the United States and South Korea. The new ransomware operation started in April 2023, when they launched a data leak site on the dark web to publish victims' details and stolen data, engaging in the typical 'double-extortion' tactic used by most ransomware gangs.
PharMerica, an institutional pharmacy, suffered a significant data breach in March, affecting nearly 6 million current and deceased patients. Hackers, allegedly from the Money Message ransomware group, accessed personal information such as names, birthdates, Social Security numbers, medications, and health insurance details. The group leaked spreadsheets containing patient data on the dark web and also posted internal business documents,
Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is being used more and more to target macOS devices. Both Geacon and Cobalt Strike are utilities that legitimate organizations use to simulate attacks against their networks and improve defenses, but threat actors have also relied on them for attacks.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned last Friday of a critical remote code execution (RCE) flaw in the Ruckus Wireless Admin panel actively exploited by a recently discovered DDoS botnet. While this security bug (CVE-2023-25717) was addressed in early February, many owners are likely yet to patch their Wi-Fi access points. Furthermore, no patch is available for those who own end-of-life models affected by this issue.
A newly uncovered hacking group with a string of cyberespionage successes is targeting Ukrainian and pro-Russian targets alike, its motivations uncertain in a conflict that offers little to no middle ground. Malwarebytes in a Wednesday blog post dubs the threat actor "Red Stinger," saying the group is the same as the "Bad Magic" threat actor revealed by Kaspersky in March. Malwarebytes says it traced Red Stinger activities back to 2020, while Kaspersky says it spotted the group in October 2022 - the dates suggesting an investment in stealthy techniques and operational security.
Discord, a popular communication platform, recently experienced a data breach after one of its support agents was hacked. The incident was reported by Discord on their official blog. The breach occurred due to unauthorized access to the support agent's account, which allowed the attacker to gain access to certain user data. Discord confirmed that the breach did not affect the entire user database and that only a small portion of users were impacted.
Symantec recently disclosed details of a year-long running campaign targeting government, aviation, education, and telecom sectors located in South and Southeast Asia. Dubbed Lancefly, the operation commenced in mid-2022 and continued until the first quarter of 2023. According to researchers, they observed the actors deploying a powerful backdoor dubbed Merdoor, which has been around since 2018.
Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the XWorm malware on targeted systems. Securonix, which is tracking the activity cluster under the name MEME#4CHAN, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany. ‘The attack campaign has been leveraging rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload to infect its victims," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new analysis.
ABB, a leading provider of electrification and automation technology, has suffered a Black Basta ransomware attack that has reportedly impacted its business operations. The multinational company, headquartered in Zurich, Switzerland, employs approximately 105,000 workers and recorded $29.4 billion in revenue for 2022. ABB's services include the development of industrial control systems and SCADA systems for energy suppliers and manufacturing.
A new, stealthier variant of the Linux malware 'BPFDoor' has been discovered, featuring more robust encryption and reverse shell communications. BPFDoor is a stealthy backdoor malware that has been active since at least 2017 but was only discovered by security researchers around 12 months ago. The malware gets its name from the use of the 'Berkley Packet Filter' (BPF) for receiving instructions while bypassing incoming traffic firewall restrictions.
U.S. cybersecurity and intelligence agencies have warned of attacks carried out by a threat actor known as the Bl00dy Ransomware Gang that attempt to exploit vulnerable PaperCut servers against the education facilities sector in the country. The attacks took place in early May 2023, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) said in a joint cybersecurity advisory issued Thursday.
A malvertising campaign was recently detected using an in-browser Windows update simulation to deceive users and distribute the Aurora information-stealing malware. Aurora which is coded in Golang, has been advertised on hacker forums for over a year as a highly capable info stealer with low anti-virus detection rates. The campaign, as reported by Malwarebytes researchers, relies on popunder ads on adult content websites with high traffic to redirect unsuspecting users to a location where they are served malware.
Federal authorities have issued a warning about an increase in cyberattacks targeting Veeam's backup application in the healthcare sector. The attacks exploit a high-severity vulnerability (CVE-2023-27532) in Veeam Backup & Replication, potentially leading to unauthorized access, data theft, or ransomware deployment. The vulnerability affects all versions of the software and poses a significant threat to healthcare environments that rely on Veeam for protecting and restoring files and applications.
A new 'White Phoenix' ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption. Intermittent encryption is a strategy employed by several ransomware groups that alternates between encrypting and not encrypting chunks of data. This method allows a file to be encrypted much faster while still leaving the data unusable by the victim.
Microsoft issued an optional patch Tuesday as part of its monthly dump of fixes that addresses for the second time a Secure Boot zero-day vulnerability exploited by BlackLotus UEFI malware. In all, the Redmond giant pushed out 38 security fixes in its May patch cycle, addressing three zero-day flaws - two of which are under active exploitation, including the UEFI flaw - and six bugs rated critical. Security researchers earlier this year spotted the BlackLotus bootkit for sale on hacker forums for $5,000.
Cybersecurity researchers have shared details about a now-patched security flaw in Windows MSHTML platform that could be abused to bypass integrity protections on targeted machines. The vulnerability, tracked as CVE-2023-29324 (CVSS score: 6.5), has been described as a security feature bypass. It was addressed by Microsoft as part of its Patch Tuesday updates for May 2023. Akamai security researcher Ben Barnea, who discovered and reported the bug, noted that all Windows versions are affected, but pointed out Microsoft, Exchange servers with the March update omit the vulnerable feature. ‘An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server,’ Barnea said in a report shared with The Hacker News.
Industrial cybersecurity company Dragos today disclosed what it describes as a "cybersecurity event" after a known cybercrime gang attempted to breach its defenses and infiltrate the internal network to encrypt devices. While Dragos states that the threat actors did not breach its network or cybersecurity platform, they got access to the company's SharePoint cloud service and contract management system” (Bleeping Computer, 2023). "On May 8, 2023, a known cybercriminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform," the company said.
The platform Greatness, which offers a phishing-as-a-Service, witnessed a surge in its activities as it focuses on targeting organizations that use Microsoft 365 in the United States, Canada, the U.K., Australia, and South Africa. As a widely cloud-based productivity platform, Microsoft 365 is highly coveted by cybercriminals who seek to pilfer data or login credentials for exploitation in network intrusions. According to a recent report from Cisco Talos, researchers have revealed that the Greatness phishing platform was established in the middle of 2022, with a significant upsurge in its operations in December 2022, and then again in March 2023.
A new malware botnet named 'AndoryuBot' is targeting a critical-severity flaw in the Ruckus Wireless Admin panel to infect unpatched Wi-Fi access points for use in DDoS attacks. Tracked as CVE-2023-25717, the flaw impacts all Ruckus Wireless Admin panels version 10.4 and older, allowing remote attackers to perform code execution by sending unauthenticated HTTP GET requests to vulnerable devices. The flaw was discovered and fixed on February 8, 2023. Still, many have not applied the available security updates, while end-of-life models impacted by the security problem will not get a patch.
Sysco, a major global food distribution company, has confirmed that its network was breached earlier this year by attackers who stole sensitive information, including business, customer, and employee data. In an internal memo sent to employees on May 3rd and seen by BleepingComputer, the company revealed that customer and supplier data in the U.S. and Canada, as well as personal information belonging to U.S. employees, may have been impacted in the incident.
Phishing is often stated as the most successful initial access method for both cybercriminals and more sophisticated nation state actors. Gaining access to valid accounts is one of the easiest and most powerful tools for a threat actors. Why spend the resources breaching powerful security tools, when you can simply trick an employee into clicking a bad link, or by cracking their password?
Multiple vulnerabilities have been discovered in Aruba Products, the most severe of which could allow for arbitrary code execution. Aruba Mobility Conductor is an advanced WLAN deployed as a virtual machine (VM) or installed on an x86-based hardware appliance. Aruba Mobility Controller is a WLAN hardware controller in a virtualized environment managing WLAN Gateways and SD-WAN Gateways that are managed by Aruba Central.
Abnormal Security researchers have identified a threat group based in Israel that is responsible for a series of business email compromise (BEC) campaigns. The group's primary targets are large and multinational corporations with annual revenue exceeding $10 billion. Since February 2021, the group has launched approximately 350 BEC campaigns, with email attacks directed at employees in 61 countries spanning six continents. The attackers impersonate the targeted employee's CEO and subsequently redirect the communication to a second external persona, typically a mergers and acquisitions attorney who oversees the payment process. In certain cases, when the attack advances to the second state, the perpetrators may ask to switch from email communications to a WhatsApp voice call to expedite the attack and minimize the chances of leaving behind any traceable evidence.
The U.S. Justice Department announced today the seizure of 13 more domains linked to DDoS-for-hire platforms, also known as 'booter' or 'stressor' services. This week's seizures are part of a coordinated international law enforcement effort (known as Operation PowerOFF) to disrupt online platforms allowing anyone to launch massive distributed denial-of-service (DDoS) attacks against any target for the right amount of money.
Iranian nation-state groups have now joined financially motivated actors in actively exploiting a critical flaw in PaperCut print management software, Microsoft said. The tech giant's threat intelligence team said it observed both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) weaponizing CVE-2023-27350 in their operations to achieve initial access.
The cyber-attack on US firm Viasat’s KA-SAT satellites in Ukraine on February 24, 2022, prompted one of the largest formal attributions of a cyber-attack to a nation-state in history. Nearly 20 countries accused Russia of being responsible, including a dozen EU member states and the Five Eyes countries (US, UK, Australia, New Zealand and Canada). This cyber intrusion, which preceded Russia’s invasion of its neighbor by just a few hours, was thoroughly discussed during the third edition of CYSAT, an event dedicated to cybersecurity in the space industry that took place in Paris, France on April 26-27, 2023.
Western Digital Co. has taken its store offline and sent customers data breach notifications after confirming that hackers stole sensitive personal information in a March cyberattack. The company emailed the data breach notifications late Friday afternoon, warning that customers' data was stored in a Western Digital database stolen during the attack.
The Google Play store was found to have hosted Android malware disguised as legitimate applications, which have been downloaded over 620,000 times since 2022. The malicious apps were disguised as photo-editing apps, camera editors and smartphone wallpaper packs, and infected 11 legitimate applications before being taken down. Once downloaded, the malware executes a payload from the app asset, which sends the infected device's mobile code to a command-and-control server. The server then sends a paid subscription page, which the Trojan opens in an invisible web browser to subscribe the user.
The Akira ransomware operation is gradually expanding its list of victims by infiltrating corporate networks globally, encrypting files, and demanding ransoms amounting to millions of dollars. The operation began in March 2023 and has already targeted 16 companies in diverse industries such as finance, education, real estate, manufacturing, and consulting. Although there was ransomware named Akira released in 2017, there is no connection between these two operations.
The cybercriminals who breached Taiwanese multinational MSI last month have apparently leaked the company’s private code signing keys on their dark web site. MSI (Micro-Star International) is a corporation that develops and sells computers (laptops, desktops, all-in-one PCs, servers, etc.) and computer hardware (motherboards, graphics cards, PC peripherals, etc.). The company confirmed in early April that it had been hacked. A ransomware group called Money Message claimed responsibility for the breach, said they grabbed (among other things) some of the company’s source code, and asked for $4 million to return/delete it.
Researchers at Kroll corporate investigation have uncovered a new ransomware operation dubbed Cactus which is exploiting known vulnerabilities in Fortinet VPN appliances to gain initial access to the networks of large commercial entities. What’s more is that this group employs an unusual tactic of evading defenses and scanning from antivirus solutions.
Security researchers warn that the 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' WordPress plugins, with millions of installs, are vulnerable to cross-site scripting attacks (XSS). The two plugins are among WordPress's most popular custom field builders, with 2,000,000 active installs on sites worldwide.
The Kimusky hacking group, known by aliases such as Thalium and Velvet Chollima, has been using a new version of its reconnaissance malware called ReconShark to conduct a cyberespionage campaign on a global scale. According to Sentinel Labs, the group has broadened its target range to include government organizations, research centers, universities, and think tanks in the US, Europe, and Asia. South Korean and German authorities warned in March 2023 that Kimusky had distributed malicious Chrome extensions and Android spyware as a remote access trojan to target Gmail accounts. Kaspersky previously reported in August 2022 that the group had targeted politicians, diplomats, university professors, and journalists in South Korea using a multi-stage target validation scheme to ensure the successful infection of only valid targets.
Microsoft has patched three vulnerabilities in its Azure cloud platform that could have allowed attackers to access sensitive info on a targeted service, deny access to the server, or scan the internal network to mount further attacks, researchers have found. Researchers from the Ermetic Research Team discovered the flaws in the Azure API Management Service, which allows organizations to create, manage, secure, and monitor APIs across all of their environments, they revealed in a blog post published Thursday.
The Russian 'Sandworm' hacking group has been linked to an attack on Ukrainian state networks where WinRar was used to destroy data on government devices. In a new advisory, the Ukrainian Government Computer Emergency Response Team (CERT-UA) says the Russian hackers used compromised VPN accounts that weren't protected with multi-factor authentication to access critical systems in Ukrainian state networks. Once they gained access to the network, they employed scripts that wiped files on Windows and Linux machines using the WinRar archiving program.
The City of Dallas, Texas, has suffered a Royal ransomware attack, causing it to shut down some of its IT systems to prevent the attack's spread. Dallas is the ninth largest city in the United States, with a population of approximately 2.6 million people, according to US census data. Local media reported that the City's police communications and IT systems were shut down Monday morning due to a suspected ransomware attack. This has led to 911 dispatchers having to write down received reports for officers rather than submit them via the computer-assisted dispatch system. The Dallas County Police Department's website was also offline for part of the day due to the security incident but has since been restored
A group of hackers, also known as Dragon Breath, Golden Eye Dog, or APT-Q-27, is utilizing multiple sophisticated versions of the traditional DLL sideloading technique to avoid detection. These attack variations start with an initial approach that uses legitimate applications, such as Telegram, to sideload a second-stage payload, which may also be legitimate, and in turn, loads a malicious malware loader DLL.
Orqa, a maker of First Person View (FPV) drone racing goggles, claims that a contractor introduced code into its devices' firmware that acted as a time bomb designed to brick them. On early Saturday, Orqa started receiving reports from customers surprised to see their FPV.One V1 goggles enter bootloader mode and become unusable.
n September 2023, Google Chrome will stop showing the lock icon when a site loads over HTTPS, partly due to the now ubiquitous use of the protocol. It took many years, but the unceasing push by Google, other browser makers and Let’s Encrypt to make HTTPS the norm for accessing resources on the Web resulted in an unmitigated success; according to Google, over 95% of page loads in Chrome on Windows are now over an encrypted, secure channel using HTTPS.
In a recent announcement from the FBI, the agency stated it carried out an operation alongside with the Virtual Currency Response Team, the National Police of Urkaine, and legal prosecutors in the country to seize several cryptocurrency exchange sites that were being used by scammed and cybercriminals, including ransomware actors to launder money from victims.
Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers. BGP is a gateway protocol that's designed to exchange routing and reachability information between autonomous systems. It's used to find the most efficient routes for delivering internet traffic. The three vulnerabilities reside in version 8.4 of FRRouting, a popular open source internet routing protocol suite for Linux and Unix platforms.
APT41 is a well-known Chinese cyber threat that is made up of various subgroups. The group has previously used a variety of tactics over the years to carry out espionage attacks against government agencies, businesses, and individuals. The group's attacks against the US government have led to indictments of its members by US law enforcement. On May 2, Trend Micro researchers reported that Earth Longzhi, a suspected subgroup of APT41, has launched a new campaign after almost a year of inactivity with more advanced stealth tactics to carry out espionage campaigns against the same types of targets.
T-Mobile disclosed the second data breach of 2023 after discovering that attackers had access to the personal information of hundreds of customers for more than a month, starting late February 2023. Compared to previous data breaches reported by T-Mobile, the latest of which impacted 37 million people, this incident affected only 836 customers.
Apple has launched the first Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1 devices. As the company describes in a recently published support document, RSR patches are small-sized updates that target the iPhone, iPad, and Mac platforms and patch security issues between major software updates. Some of these out-of-band security updates may also be used to address vulnerabilities actively exploited in attacks.
A newly discovered malware named 'LOBSHOT' can discreetly take control of Windows devices using hVNC and is being distributed through Google Ads. Cybersecurity researchers had earlier reported an increase in threat actors using Google ads to distribute malware through fake websites for popular applications such as 7-ZIP, VLC, OBS, Notepad ++, CCleaner, TradingView, Rufus, and others. These malicious sites pushed malware, including Gozi, RedlLine, Vidar, Cobalt Strike, SectoRAT, and the Royal Ransomware, instead of the intended applications.
Pre-RSA social media gaming predicted it. Many predicted they would loath it. And it happened: Discussions at this year's RSA conference again and again came back to generative artificial intelligence - but with a twist. Even some of the skeptics professed their conversion to the temple of AI, whose overlord, for better or worse, is poised to preside over human activity with indifference about good or evil intent. Count Israeli cryptographer Adi Shamir - the S in the RSA cryptosystem - as a convert. One year ago, speaking at RSA, he thought AI might have some defense use cases but didn't see it being an offensive threat.
Check Point researchers released new attack details attributed to North Korea’s ScarCruft APT (APT37, Reaper, Group123) group. Since 2022, the group has shifted tactics away from using malicious documents to deliver malware, and instead has been adopting oversized LNK files which are embedded with malicious payloads.
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks perpetrated by Russian nation-state hackers targeting various government bodies in the country. The agency attributed the phishing campaign to APT28, which is also known by the names Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy. The email messages come with the subject line "Windows Update" and purportedly contain instructions in the Ukrainian language to run a PowerShell command under the pretext of security updates.
According to researchers at WithSecure, a Finnish cybersecurity and privacy company, threat actors have been leveraging a recently fixed vulnerability in Veeam Backup and Replication software to target unpatched Veeam backup servers. The vulnerability in question is being tracked as CVE-2023-27532 and allows unauthenticated users in the backup infrastructure to obtain encrypted credentials stored in the VeeamVBR configuration database.
A safety net hospital system in New York City faces a proposed class action lawsuit tied to a late 2022 cybersecurity incident that breached the personal information of more than 235,000 patients. The incident affected three One Brooklyn Health System hospitals and several other facilities. First discovered on Nov 19, 2022, the incident caused patient rerouting and disrupted access to electronic health records and patient portals for more than a month.
The ransomware group known as ALPHV or BlackCat has shared screenshots of internal emails and video conferences taken from Western Digital's systems. This suggests that the hackers maintained access to the company's networks even as Western Digital worked to address the cyber attack. The leak occurred after the group had issued a warning to Western Digital on April 17, stating they would escalate their actions until the company paid a ransom or could no longer withstand the consequences.
Americold, a leading cold storage and logistics company, has been facing IT issues since its network was breached on Tuesday night. The company said it contained the attack and is now investigating the incident that also affected operations per customer and employee reports. It also estimated that its systems will be down until at least next week.
According to a recent blog post by Guardio Labs, a Vietnamese threat actor is conducting a malverposting campaign, which has been ongoing for several months. It's estimated that this campaign has infected more than 500,000 devices worldwide within the last three months alone. Malverposting is the act of using social media posts and tweets to spread malicious software and other security threats. In this instance, the attacker abused Facebook's Ad service to distribute malware. Guardio Labs' head of cyber security, Nati Tal, stated that the high number of infections was made possible by using Facebook's Ad service as the initial delivery mechanism.
Researchers from the Trend Micro's Zero Day Initiative said telemetry from Eastern Europe indicates that Mirai operators are exploiting a flaw in the TP-Link Archer AX21 firmware. The bug, CVE-2023-1389, allows attackers to inject a command into the router web management interface. A handful of teams competing in the December 2022 Pwn2Own competition in Toronto identified the flaw.
Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer. ‘The Atomic macOS Stealer can steal various types of information from the victim's machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password,’ Cyble researchers said in a technical report.
In a new report by Uptycs, researchers analyzed a Linux variant of the RTM Locker that is based on the leaked source code of the now-defunct Babuk ransomware. The RTM Locker Linux encryptor appears to be created explicitly for attacking VMware ESXi systems, as it contains numerous references to commands used to manage virtual machines. When launched, the encryptor will first attempt to encrypt all VMware ESXi virtual machines by first gathering a list of running VMs. The encryptor then terminates all running virtual machines and starts to encrypt files that have the following file extensions - .log (log files), .vmdk (virtual disks), .vmem (virtual machine memory), .vswp (swap files), and .vmsn (VM snapshots). All of these files are associated with virtual machines running on VMware ESXi. Like Babuk, RTM uses a random number generation and ECDH on Curve25519 for asymmetric encryption, but instead of Sosemanuk, it relies on ChaCha20 for symmetric encryption.
Researchers from TRAPA Security have discovered a critical remote code execution vulnerability, tracked as CVE-2023-28771 (CVSS score 9.8), impacting Zyxel Firewall. The vulnerability is an improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35. A remote, unauthenticated attacker can trigger the flaw by sending specially crafted packets to a vulnerable device and execute some OS commands remotely.
Security researchers from ESET have linked a Chinese APT hacking group, Evasive Panda, to an attack that distributed the MsgBot malware via an automatic update for the Tencent QQ messaging app. Evasive Panda has been active since at least 2012, targeting organizations and individuals in mainland China, Hong Kong, Macao, Nigeria, and several countries in Southeast and East Asia. ESET discovered the latest capagin in January 2022, but evidence suggest it began in 2020. The victims of the campaign, primarily are members of an international NGO, are concentrated in the provinces of Gangsu, Guangdong, and Jiangsu, indicating a specific and targeted approach.
An obscure routing protocol codified during the 1990s has come roaring back to attention after researchers found a flaw that would allow attackers to initiate massive distributed denial-of-service attacks. Researchers from Bitsight and Curesec say they found a bug in Service Location Protocol. Service Location Protocol, the brainchild of executives from Sun Microsystems and a now-defunct internet service provider, was envisioned as a dynamic method of discovering resources such as printers on a closed enterprise network.
Cisco disclosed today a zero-day vulnerability in the company's Prime Collaboration Deployment (PCD) software that can be exploited for cross-site scripting attacks. This server management utility enables admins to perform migration or upgrade tasks on servers in their organization's inventory.
On April 19th, PaperCut, a printing management software company, disclosed that threat actors were actively exploiting two flaws in PaperCut MF or NG, urging admins to upgrade their servers to the latest version as soon as possible. The flaws, tracked as CVE-2023-27350 and CVE-2023-27351, were fixed last month in the PaperCut Application Server and allow remote attackers to perform unauthenticated remote code execution and information disclosure.
Iran-linked Charming Kitten group, (aka APT35, Phosphorus, Newscaster, and Ajax Security Team) made the headlines in 2014 when experts at iSight issued a report describing the most elaborate net-based spying campaign organized by Iranian hackers using social media.
Fresh Linux malware variations are being utilized by hackers in cyber espionage attacks, including a novel PingPull version and an undocumented backdoor known as Sword2033. Last year, PingPull was initially observed as a RAT ( remote access trojan) in espionage operations by the Chinese state-sponsored group, Gallium or Alloy Taurus, targeting government and financial institutions in Australia, Russia, Belgium, Malaysia, Vietnam and the Philippines.
Microsoft is investigating ongoing Microsoft 365 issues preventing some Exchange Online customers from accessing their mailboxes. "We've identified an issue affecting Exchange Online connectivity for users in North America and are investigating further," the company tweeted earlier.
VMware has released security updates to address zero-day vulnerabilities that could be chained to gain code execution systems running unpatched versions of the company's Workstation and Fusion software hypervisors. The two flaws were part of an exploit chain demoed by the STAR Labs team's security researchers one month ago, during the second day of the Pwn2Own Vancouver 2023 hacking contest.
Bitsight and Curesec researchers Pedro Umbelino and Marco Lux recently uncovered a high-severity vulnerability impacting Service Location Protocol, a service discovery protocol that allows devices to find services in a local area network such as printers, file servers, and other network resources. The vulnerability in question is being tracked as CVE-2023-29552 (CVSS score: 8.6) and could be exploited to launch large scale denial-of-service (DoS) amplification attacks with a factor of 2,200 times, making it one of the largest amplification attacks to date.
Canada confirmed that one of it’s gas pipelines suffered a cyber security incident. The Pro-Russian hacking group Zarya has claimed responsibility for the attack, which reports claim could have resulted in an explosion. Across various forums, Pro-Russian hackers have made known their efforts to target organizations in the critical sector.
Threat actors are exploiting several vulnerabilities in the print management software, PaperCut MF/NG, to install Atera remote management software and take over servers. The vulnerabilities in question are being tracked as CVE-2023-27350 and CVE-2023-27351 and allow remote attackers to bypass authentication and execute arbitrary code on compromised PaperCut servers with SYSTEM privileges in low-complexity attacks that don't require user interaction.
Researchers at Secureworks recently discovered a new campaign using Google advertisements that promote trojanized versions of popular apps to deliver BumbleBee malware to unsuspecting victims. Bumblebee is a malware loader discovered in April 2022, thought to have been developed by the Conti team as a replacement for the BazarLoader backdoor, used for gaining initial access to networks and conducting ransomware attacks.
The attack works as a side channel to Meltdown, a critical security flaw discovered in 2018, impacting many x86-based microprocessors. Meltdown exploits a performance optimization feature called “speculative execution” to enable attackers to bypass memory isolation mechanisms to access secrets stored in kernel memory like passwords, encryption keys, and other private data.
The TP-Link Archer A21 (AX1800) WiFi router vulnerability, known as CVE-2023-1389, is being exploited by the Mirai malware botnet to add devices to their DDoS attacks. The vulnerability was first exploited by two hacking teams during the Pwn2Own Toronto event in December 2022 using different methods of access to the route's LAN and WAN interfaces. TP- Link was made aware of the flaw in January 2023, and a patch was released last month via a firmware update. Last week, the Zero Day Initiative detected exploitation attempts in the wild, targeting Eastern Europe and spreading globally.
Symantec researchers reported that the campaign conducted by North Korea-linked threat actors that included the 3CX supply chain attack also hit two critical infrastructure organizations in the energy sector.
Researchers have uncovered a novel malware toolkit called Decoy Dog, which specifically targets enterprises. This toolkit is designed to bypass standard detection mechanisms by generating anomalous DNS traffic that is different from regular internet activity. Decoy Dog utlizes techniques like strategic domain aging and DNS query dribbling to establish a good reputation with security vendors before pivoting to conducting cybercrime operations.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. Experts recommend also private organizations review the Catalog and address the vulnerabilities in their infrastructure.
A new "all-in-one" stealer malware named EvilExtractor (also spelled Evil Extractor) is being marketed for sale for other threat actors to steal data and files from Windows systems. ‘It includes several modules that all work via an FTP service," Fortinet FortiGuard Labs researcher Cara Lin said.‘ It also contains environment checking and Anti-VM functions. Its primary purpose seems to be to steal browser data and information from compromised endpoints and then upload it to the attacker's FTP server.
Yellow Pages recently disclosed that it was the target of a cyber attack, resulting in the sensitive data of its customers and employees being accessed. Founded in 1908, Yellow Pages is a Canadian director publisher which currently owns and operates the YP.ca and YellowPages.ca websites, along with Canada411 online service.
APC's Easy UPS Online Monitoring Software is vulnerable to unauthenticated arbitrary remote code execution, allowing hackers to take over devices and, in a worst-case scenario, disabling its functionality altogether. Uninterruptible Power Supply (UPS) devices are vital in safeguarding data centers, server farms, and smaller network infrastructures by ensuring seamless operation amidst power fluctuations or outages. APC (by Schneider Electric) is one of the most popular UPS brands.
Researchers have uncovered a fresh Lazarus campaign, known as “Operation DreamJob”, that has set its sights on Linux users with malware. This marks the first time Linux users have been targeted by this campaign. Researchers noted that this discovery has given them a high level confidence that Lazarus was responsible for the recent supply-chain attack on VoIP provider 3CX. Multiple companies were compromised in March 2023 when they used a trojanized version of the 3CX client, which contained information-stealing trojans.
VMware recently patched a critical vulnerability that could enable remote actors to gain remote execution on vulnerable appliances. Tracked as CVE-2023-20864, the flaw impacts VMware Aria Operations for Logs, a log analysis tool that is used to manage terabytes worth of application and infrastructure logs in large-scale environments.
This week, Cisco addressed several flaws impacting its Industrial Network Director, which is designed to help “operations teams gain full visibility of network and automation devices in the context of the automation process and provides improved system availability and performance, leading to increased overall equipment effectiveness.” Most severe of the flaws is CVE-2023-20036, a critical (CVSS: 9.9) command injection vulnerability in the web UI of Cisco IND that could allow unauthenticated remote attackers to execute arbitrary commands with administrative privileges on the compromised devices.
The American Bar Association (ABA) has suffered a data breach after hackers compromised its network and gained access to older credentials for 1,466,000 members. The ABA is the largest association of lawyers and legal professionals globally, with 166,000 members as of 2022. The organization provides continuing education and services for lawyers and judges, as well as initiatives to improve the legal system in the USA
Ukraine should brace for more Russian wiper and ransomware attacks, concluded a panel of cyber threat intel experts and government officials in a report assessing the cyber dimensions of Moscow's ongoing war of conquest against its European neighbor. The report, commissioned by the U.K. National Cyber Security Center, finds the tempo of destructive cyberattacks has ebbed and flowed across the first year of the Russian invasion.
Aukill, a newly developed hacking tool, is being utilized by threat actors to disable Endpoint Detection & Response (EDR) Software on targeted systems. This is done in preparation for the deployment of backdoors and ransomware in what is known as Bring Your Own Vulnerable Driver (BYOVD) attacks. During such attacks, the perpetrators implant legitimate drivers that have been signed with a valid certificate and can operate with kernel privileges on the victims’ devices. This allows them to disable security solutions and take control of the system.
Mandiant investigators hired by 3CX now say the source of the infection was a decommissioned but still downloadable trading software package called X_Trader, made by Chicago-based Trading Technologies. A 3CX employee downloaded the trading package, said Charles Carmakal, Mandiant chief technology officer, during a Wednesday afternoon press briefing.
Elite hackers associated with Russia's military intelligence service have been linked to large-volume phishing campaigns aimed at hundreds of users in Ukraine to extract intelligence and influence public discourse related to the war. Google's Threat Analysis Group (TAG), which is monitoring the activities of the actor under the name FROZENLAKE said the attacks continue the "group's 2022 focus on targeting webmail users in Eastern Europe." The state-sponsored cyber actor, also tracked as APT28, Fancy Bear, Forest Blizzard, Iron Twilight, Sednit, and Sofacy, is both highly active and proficient. It has been active since at least 2009, targeting media, governments, and military entities for espionage.
Attackers are hacking into poorly secured and Interned-exposed Microsoft SQL (MS-SQL) servers to deploy Trigona ransomware payloads and encrypt all files. The MS-SQL servers are being breached via brute-force or dictionary attacks that take advantage of easy-to-guess account credentials. After connecting to a server, the threat actors deploy malware dubbed CLR Shell by security researchers from South Korean cybersecurity firm AhnLab who spotted the attacks. This malware is used for harvesting system information, altering the compromised account's configuration, and escalating privileges to LocalSystem by exploiting a vulnerability in the Windows Secondary Logon Service (which will be required to launch the ransomware as a service). In the next stage, the attackers install and launch a dropper malware as the svcservice[.]exe service, which they use to launch the Trigona ransomware as svchost[.]exe
Over half (56%) of corporate network devices sold second-hand still contain sensitive company data, according to a new study from ESET. The security vendor bought 16 recycled devices routers and found that nine of them contained one or more IPsec or VPN credentials, or hashed root passwords, as well as enough information to identify the previous owner.
According to a recent report from Microsoft’s Threat Intelligence team, Mint Sandstorm, a hacking group previously known as Phosphorous and believed to have ties to the Iranian government and the Islamic Revolutionary Guard Corps (IRGC), has shifted its focus from surveillance to direct attacks on critical infrastructure in the United States. The report states that a specific subgroup of Mint Sandstorm is responsible for this change in tactics. The new subgroup typically exploits newly publicized proof-of-concept exploits.
A new report from Citizen Lab states that the Israeli surveillance firm NSO Group used at least three zero-click zero-day exploits to deliver its Pegasus spyware. In 2022, the Citizen Lab analyzed the NSO Group activity after finding evidence of attacks on members of Mexico’s civil society, including two human rights defenders from Centro PRODH, which represents victims of military abuses in Mexico.
The Play ransomware group has developed two custom tools in .NET, namely Grixba and VSS Copying Tool, which it uses to improve the effectiveness of its cyberattacks. Grixba is a network-scanning and information-stealing tool used to enumerate users and computers in a domain. When performing the scan function, Grixba will check for anti-virus and security programs, EDR suites, backup tools, and remote administration tools. Also, the scanner checks for common office applications and DirectX, potentially to determine the type of computer being scanned.
On Tuesday, Google released security updates to address a high-severity vulnerability in the Chrome browser. Tracked as CVE-2023-2136, the flaw is related to an integer overflow vulnerability in Skia, a Google-owned open-source multi-platform 2D graphics library written in C++. For its part, Skia is a key component of Chrome’s rendering pipeline as it provides the browser a set of APIs for rendering graphics, text, shapes, images, and animations.
The US, UK, and Cisco are warning of Russian state-sponsored APT28 hackers deploying a custom malware named 'Jaguar Tooth' on Cisco IOS routers, allowing unauthenticated access to the device. APT28, also known as Fancy Bear, STRONTIUM, Sednit, and Sofacy, is a state-sponsored hacking group linked to Russia's General Staff Main Intelligence Directorate (GRU).
Across all BEC attacks seen over the past year, 57% relied on language as the main attack vector to get them in front of unsuspecting employees, according to Armorblox. In other trends to watch, vendor compromise and fraud are rising as a new attack vector and graymail is wasting 27 hours of time for security teams each week. The report is based on data gathered across more than 58,000 customer tenants, analyzing over 4 billion emails and stopping 800,000 threats every month. SMBs are particularly vulnerable to vendor fraud and supply chain email attacks.
Former Members of the Conti ransomware group have collaborated with FIN7 threat actors to spread a fresh kind of malware called ‘Domino’ to target corporate networks. The Domino malware is a recent addition to the malware family and includes two parts: the Domino Backdoor and the Domino Loader. The backdoor is responsible for dropping the Domino Loader, which then injects a malicious DLL into the memory of another process to extract confidential information.
Across all BEC attacks seen over the past year, 57% relied on language as the main attack vector to get them in front of unsuspecting employees, according to Armorblox. In other trends to watch, vendor compromise and fraud are rising as a new attack vector and graymail is wasting 27 hours of time for security teams each week. The report is based on data gathered across more than 58,000 customer tenants, analyzing over 4 billion emails and stopping 800,000 threats every month.
The Chinese state-sponsored hacking group APT41 was found abusing the GC2 (Google Command and Control) red teaming tool in data theft attacks against a Taiwanese media and an Italian job search company. APT 41, is a Chinese state-sponsored hacking group known to target a wide range of industries in the USA, Asia, and Europe. Mandiant has been tracking the hacking group since 2014, saying its activities overlap with other known Chinese hacking groups, such as BARIUM and Winnti.
Palo Alto Unit 42 team identified observed the Vice Society ransomware gang exfiltrating data from a victim network using a custom-built Microsoft PowerShell (PS) script. Threat actors are using the PowerShell tool to evade software and/or human-based security detection mechanisms. PS scripting is often used within a typical Windows environment, using a PowerShell-based tool can allow threat actors to hide in plain sight and get their code executed without raising suspicion.
Researchers caution that hackers are utilizing the Action1 remote access software more frequently to ensure their presence on breached networks and execute commands, scripts, and binaries. The Action1 is typically employed by managed service providers (MSPs) and businesses to remotely monitor and manage endpoints on a network. Although remote access tools are highly beneficial for system administrators, they also hold significant value for threat actors, who can exploit them to establish persistence on networks or distribute malware.
In a move that one Italian minister has called “disproportionate”, Italy has temporarily banned ChatGPT due to data privacy concerns. Italy has made the decision to temporarily ban ChatGPT within the country due to concerns that it violates the General Data Protection Regulation (GDPR). GDPR is a law concerning data and data privacy which imposes security and privacy obligations on those operating within the European Union (EU) and the European Economic Area (EEA). The Italian data protection agency, Garante per la Protezione dei Dati Personali (also known as Garante) said there was an “absence of any legal basis that justifies the massive collection and storage of personal data” to “train” ChatGPT, in addition to accusing OpenAI of failing to verify the age of users of ChatGPT. Italy’s ban has led to privacy regulators in Ireland and France contacting the country’s data privacy agency to find out more regarding the decision to ban ChatGPT.
The LockBit ransomware gang has created encryptors targeting Macs for the first time, likely becoming the first major ransomware operation to ever specifically target macOS. The new ransomware encryptors were discovered by cybersecurity researcher MalwareHunterTeam who found a ZIP archive on VirusTotal that contained what appears to be most of the available LockBit encryptors. Historically, the LockBit operation uses encryptors designed for attacks on Windows, Linux, and VMware ESXi servers. However, as shown below, this archive [VirusTotal] also contained previously unknown encryptors for macOS, ARM, FreeBSD, MIPS, and SPARC CPUs.
On Friday, Google released security updates to address a high-severity zero-day in Chrome web browser. Tracked as CVE-2023-2033, the vulnerability is related to a type confusion bug in the Chrome V8 JavaScript engine. “Although type confusion flaws would generally allow attackers to trigger browser crashes after successful exploitation by reading or writing memory out of buffer bounds, threat actors can also exploit them for arbitrary code execution on compromised devices” (Bleeping Computer, 2023). To address CVE-2023-2033, Google has released Chrome version 112.0.5615.121. Users have been advised to upgrade to the latest version as soon as possible.
Between June 30 and July 5, 2022, a cyber attack on the computer systems of a contractor exposed the personal information of 20,800 Iowans who are Medicaid recipients. The contractor, Telligen, had subcontracted part of its work to Independent Living Systems, which was targeted in the attack. Furthermore, the attack didn’t affect the Iowa Medicaid system itself.
CISA recently added two vulnerabilities (CVE-2023-20963, CVE-2023-29492) to its catalog of known exploited flaws. CVE-2023-20963 relates to a privilege escalation vulnerability in the Android Framework. According to Ars Technica, the tech news site disclosed last month that Android applications signed by China’s e-commerce company Pinduoduo weaponized the flaw to compromise devices and siphon sensitive data.
Microsoft is warning of a phishing campaign targeting accounting firms and tax preparers with remote access malware allowing initial access to corporate networks. With the USA reaching the end of its annual tax season, accountants are scrambling to gather clients' tax documents to complete and file their tax returns. Due to this, it makes it an ideal time for threat actors to target tax preparers.
Chinese video surveillance giant Hikvision addressed an access control vulnerability, tracked as CVE-2023-28808, affecting its Hybrid SAN and cluster storage products. An attacker with network access to the device can exploit the issue to obtain admin permission. The attacker can exploit the vulnerability by sending crafted messages to vulnerable devices.
Researchers from cybersecurity firm Trellix have detailed the tactics, techniques, and procedures of an emerging cybercriminal gang called ‘Read The Manual RTM Locker. The group provides a ransomware-as-a-service (RaaS) and provides its malicious code to a network of affiliates by imposing strict rules. The group aims at flying below the radar, and like other groups, doesn’t target systems in the CIS region.
The Lazarus Group, a notorious hacking group believed to be based in North Korea, has been observed a new cyber espionage campaign called DeathNote, targeting defense and government organizations in South Korea and Russia. Kaspersky’s senior security researcher, Seongsu Park, has been tracking the campaign, also known as Operation DreamJob or NukeSped, since 2019. The Lazarus group uses decoy documents related to cryptocurrency, such as questionnaires about buying crypto, to distribute malware. However, in April 2020, Kaspersky found a shift in targets and infection vectors.
Fortinet has addressed a critical vulnerability, tracked as CVE-2022-41331 (a CVSS score of 9.3), in its Fortinet FortiPresence data analytics solution. FortiPresence is a comprehensive data analytics solution designed for analyzing user traffic and deriving usage patterns. Successful exploitation can lead to remote, unauthenticated access to Redis and MongoDB instances via crafted authentication requests.
Poland's Military Counterintelligence Service and its Computer Emergency Response Team have linked APT29 state-sponsored hackers, part of the Russian government's Foreign Intelligence Service (SVR), to widespread attacks targeting NATO and European Union countries. As part of this campaign, the cyberespionage group (also tracked as Cozy Bear and Nobelium) aimed to harvest information from diplomatic entities and foreign ministries.
Security researchers and experts warn of a critical vulnerability in the Windows Message Queuing (MSMQ) middleware service patched by Microsoft during this month's Patch Tuesday and exposing hundreds of thousands of systems to attacks. MSMQ is available on all Windows operating systems as an optional component that provides apps with network communication capabilities with "guaranteed message delivery," and it can be enabled via PowerShell or the Control Panel.
Hyundai, a multinational automotive manufacturer recently disclosed a data breach impacting its Italian and French car owners as well as those those booked a test drive. According to several posts on Twitter, the following data was stolen in the attack:
E-mail addresses
Physical addresses
Telephone numbers
Vehicle chassis numbers
Thankfully, Hyundai noted in its notification letter that no financial data or identification numbers were stolen by the hacker who managed to gain access to the company’s database. Since the attack, Hyundai says it has reached out to IT experts to conduct an incident response and to determine the full scope of the impact.
Microsoft and Citizen Lab discovered commercial spyware created by an Israel-based company dubbed QuaDream. The spyware, which utilizes a zero-click exploit known as ENDOFDAYS, is used to compromise the iPhones of high-risk individuals. The attackers were able to exploit a zero-day vulnerability affecting iPhones running iOS 1.4 up to 14.4.2 from January 2021 to November 202, using iCloud calendar invitations that were backdated and invisible, according to Citizen Lab. The attacks affected at least five civil society victims in various regions and targeted journalists, political opposition figures, and an NGO worker. The surveillance malware (dubbed KingsPawn by Microsoft) used in the campaign can self-delete and clean out any tracks from victims' iPhones. The spyware contains a self-destruct feature that erases traces left behind. Further, the spyware contains features that can record environmental audio and calls.
Hackers are compromising websites to inject scripts that display fake Google Chrome automatic update errors that distribute malware to unaware visitors. The campaign has been underway since November 2022, and according to NTT's security analyst Rintaro Koike, it shifted up a gear after February 2023, expanding its targeting scope to cover users who speak Japanese, Korean, and Spanish. BleepingComputer has found numerous sites hacked in this malware distribution campaign, including adult sites, blogs, news sites, and online stores.
As part of the April Patch Tuesday, Microsoft addressed 97 flaws, including a zero-day vulnerability that is actively being exploited in attacks in the wild. Of the 97 flaws fixed, there was 20 Elevation of Privilege Vulnerabilities, 8 Security Feature Bypass Vulnerabilities, 45 Remote Code Execution Vulnerabilities, 10 Information Disclosure Vulnerabilities, 9 Denial of Service Vulnerabilities, and 6 Spoofing Vulnerabilities. 7 of the vulnerabilities are rated critical in severity and relate to remote code execution.
The Australian extender of consumer credit said in a Tuesday update on its ongoing ransomware incident that paying hackers "would not result in the return or destruction of the information that has been stolen." The company continues to experience service disruptions "as we secure our IT platforms," it said. Latitude Financial disclosed late last month that hackers said they stole approximately 7.9 million Australian and New Zealand driver's license numbers and an additional 6.1 million records -including names, addresses, phone numbers and birthdates - in a database containing information dating back to at least 2005. "Latitude will not pay a ransom to criminals," said CEO Bob Belan. The company on March 16 told regulators about the hacking incident, which is under investigation by the Australian Federal Police. Australian Minister of Home Affairs Clare O'Neil called Latitude's decision "consistent with Australian government advice.
Enterprise software vendor SAP has released its April 2023 security updates for several of its products, which includes fixes for two critical-severity vulnerabilities that impact the SAP Diagnostics Agent and the SAP BusinessObjects Business Intelligence Platform. In total, SAP has released 24 notes, 19 of which concern new issues of varying importance, and five are updates to previous bulletins.
The irrigation controllers responsible for managing water distribution fields in the Jordan Valley, operated by the Gaili Sewage Corporation, were paralyzed by a cyber attack. These controllers are critical for monitoring the irrigation process as well as wastewater treatment in the region. "The company experts spent the entire day recovering the operations, at this time the source of the attack is still unclear. “The management for both major systems was pushing all of Sunday morning to work through the issue and bring the systems back into full operation.” reported the Jerusalem Post.
Yum! Brands, the brand owner of the KFC, Pizza Hut, and Taco Bell fast food chains, is now sending data breach notification letters to an undisclosed number of individuals whose personal information was stolen in a January 13 ransomware attack. This comes after the company said that although some data was stolen from its network, it has no evidence that the attackers exfiltrated any customer information.
SD Work, a European HR and payroll management company based in Belgium, recently suffered from a cyberattack, forcing the company to the shutdown of all of its IT systems for its UK and Ireland services. Due to the attack the company’s UK customer login portal is currently inaccessible. As of writing, It is unclear what type of attack occurred nor how the attackers gained access to SD Work’s systems. SD Work has already taken measures to isolate impacted systems and is currently investigating the scope of the attack.
A tranche of over 100 documents, some marked "Top Secret," appear to have been leaked in multiple batches beginning in January via the Discord messaging service. Apparently unnoticed at the time, the documents subsequently spread via 4Chan, Telegram and Twitter accounts. U.S. officials say the leaked documents may be genuine, although security experts who have reviewed them say some appear to have been doctored, sometimes crudely. The Pentagon has referred the matter to the Department of Justice, which confirmed Sunday that it has launched a criminal investigation into the leaks. Experts say the leaks reveal not just intelligence assessments but also certain capabilities, such as U.S. intelligence visibility into high-level Russian military planning, as well as the activities of the Wagner Group of mercenaries.
On April 10, 2023, CISA added five new security issues to its list of threats used by hackers, with three of them relating to Veritas Backup Exec, used in ransomware attacks. One of the vulnerabilities is a zero-day, which was exploited in an attack on Samsung's web browser, while another allowed attackers to increase privileges on Windows machines. One of the newly added vulnerabilities added to the known vulnerabilities catalog by CISA is considered critical. This vulnerability is CVE-2021-27877, found in Veritas data protection software, and enables remote access and command execution privileges.
Last Friday, Apple released security updates to address two zero-day vulnerabilities (CVE-2023-28206 and CVE-2023-28205) that were exploited in attacks to compromise iPhones, Macs, and iPads. CVE-2023-28206 is related to an out-of-bounds write flaw in an IOSurfaceAccelerator which could lead to potential data corruption or a system crash. In a hypothetical situation, an attacker can exploit the flaw by using a maliciously crafted app to execute arbitrary code with kernel level privileges. The second flaw addressed is related to a use after free bug in WebKit. It can be exploited by tricking victims into loading malicious web pages under the attacker’s control. Using these web pages, the attacker can further execute arbitrary code on the targeted system.
A threat group called ARES is gaining notoriety on the cybercrime scene by selling and leaking databases stolen from corporations and public authorities. The actor emerged on Telegram in late 2021 and has been associated with the RansomHouse ransomware operation and the data leak platform, KelvinSecurity, and the network access group Adrastea. ARES Group manages its own site with database leaks and a forum, which may fill the void left by the now defunct Breached forum.
A common thread in ransomware incidents is hackers' use of penetration testing tool Cobalt Strike. U.S. federal agencies have issued repeated warnings, particularly to the health sector, to be vigilant for its presence. Google in late 2022 released code allowing antivirus engines to detect it. Now, Cobalt Strike maker Fortra, Microsoft and the Health Information Sharing and Analysis Center have obtained a U.S. federal court order redirecting into sinkhole servers the internet traffic from Cobalt Strike-infected computers sent to command-and-control centers controlled by bad actors. The order affects server internet protocol addresses hosted by data centers across the United States and a slew of malicious domains. "Instead of disrupting the command and control of a malware family, this time we are working with Fortra to remove illegal legacy copies of Cobalt Strike so they can no longer be used by cybercriminals, said Amy Hogan-Burney, general manager of Microsoft's Digital Crimes Unit. A complaint filed in the U.S. District Court for the Eastern District of New York by the three plaintiffs details a history of unlicensed versions of Cobalt Strike being used by hackers to pave the way for ransomware attacks by the likes of LockBit and Conti and its many spinoff groups.
The Microsoft Threat Intelligence team observed a series of destructive attacks on hybrid environments that were carried out by the MuddyWater APT group (aka MERCURY). The threat actors masqueraded the attacks as a standard ransomware operation” (Security Affairs, 2023). MuddyWater has been active since around 2017. Back in January of 2022, USCCYERCOM officially linked the Iranian APT group to Iran’s Ministry of Intelligence and Security (MOIS).
US trauma centers have been targeted in a recent distributed denial of the service attack campaign, known as Killnet. The attack involves flooding targeted websites with traffic from botnets, making them inaccessible to legitimate users. Most of the targeted organizations had one or more level 1 trauma centers, suggesting that the attackers aimed to cause disruptions to critical care for the most seriously ill and injured patients.
Medusa ransomware has claimed responsibility for a cyberattack targeting the Open University of Cyprus (OUC). OUC is a online university located in Nicosia, Cyprus which offers 30 high-level education programs to 4,200 students and participates in various scientific research activities. In a public announcement last week, the university stated that the attack took place on March 27, causing several central services and critical services to go offline.
Sophos recently published security updates to address several vulnerabilities in the Sophos Web Appliance, a security solution that is used by administrators to set web access policies from a single interface. The most severe of the flaws is being tracked as CVE-2023-1671 (CVSS score of 9.8) and is related to a pre-authentication command infection vulnerability in the warn-proceed handler. Successful exploitation could lead to potential arbitrary code execution.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published eight Industrial Control Systems (ICS) advisories warning of critical flaws affecting products from Hitachi Energy, mySCADA Technologies, Industrial Control Links, and Nexx.
ow many sites the NCA is running and what it offers aren't exactly clear - a ploy at the heart of this newly disclosed effort, part of Operation PowerOff. Authorities say it's designed to sow confusion and doubt and undermine trust in the criminal market. Paranoia, they hope, runs deep. Call it an escalation in the never-ending fight against booter sites, which allow individuals with little technical ability to easily commit cybercrimes. "Booter/stresser services are like grass: You can mow the lawn, but the grass will grow back," Daniel Smith, head of research for cybersecurity firm Radware's threat intelligence division, said. "The problem with enforcement is the reaction. As law enforcement worldwide steps up their efforts to reduce crime, the criminals will escalate in lockstep, as there is too much profit involved in cybercrime for everyone to be scared away." Fostering uncertainty among customers is another way to attempt to reduce the proliferation of booter sites.
Telegram has emerged as a preferred platform for phishing bots and kit creators to promote their products and attract unpaid collaborators. Previously, the messaging platform was for cybercriminal activities for several years. It appears that threat actors in the phishing business are increasingly depending on it for their operations. Researchers at the cybersecurity firm Kaspersky have noted a surge in the popularity of phishing on Telegram, with a growing community of actors offering services, advice, and free instructions for newcomers. This active community of phishing actors on Telegram is involved in various activities related to illicit practice.
Taiwanese PC parts maker MSI (Micro-Star International) has been listed on the extortion portal of a new ransomware gang known as "Money Message," which claims to have stolen source code from the company's network. MSI is a global hardware giant that makes motherboards, graphics cards, desktops, laptops, servers, industrial systems, PC peripherals, and infotainment products, with an annual revenue that surpasses $6.5 billion. The threat actor has listed MSI on its data leak website and posted screenshots of what they claim to be the hardware vendor's CTMS and ERP databases and files containing software source code, private keys, and BIOS firmware. Money Message now threatens to publish all these allegedly stolen documents in about five days unless MSI meets its ransom payment demands.
Authors behind Typhon Reborn recently updated the information stealing malware, coming out with version 2, which features defense evasion capabilities. First documented by Cyble in August 2022, Typhon is capable of hijacking clipboard content, capturing screenshots, logging keystrokes, and stealing data from crypto wallet, messaging, FTP, VPN, browser, and gaming apps. According to researchers, the latest version features increased anti-analysis techniques and an improved stealer and file grabber.
Researchers have found multiple vulnerabilities in Nexx smart devices, which can be exploited to control garage doors, disable home alarms, and control smart plugs. Five security issues ranging in severity have been disclosed publicly, the vendor has yet to acknowledge and fix them. Most concerning is the use of universal credentials that are hardcoded into the devices firmware. Researchers say these credentials can easily be obtained via the client communication with Nexx’s API. The vulnerability can also be exploited to identify Nexx users, allowing an attacker to collect email addresses, device IDs, and first names.
U.S. authorities say Genesis Market since 2018 has offered access to more than 1.5 million compromised computers around the world containing more than 80 million account credentials. For sale on the site weren't just username and password combinations but device fingerprints including browser cookies and system information that allowed hackers to bypass security measures such as multifactor authentication.
Researchers observed an affiliate of ALPHV exploiting three vulnerabilities in Veritas Backup products to gain initial access to target networks. The ALPHV ransomware group was founded in December 2021 and is believed to be run by former members of the Darkside and Blackmatter ransomware groups who shut down their operations to avoid law enforcement pressure.
Security researchers at Check Point uncovered a new ransomware strain, dubbed Rorschach, which features encryption speeds never seen before. “The encryption scheme blends the curve25519 and eSTREAM cipher hc-128 algorithms and follows the intermittent encryption trend, meaning that it encrypts the files only partially, lending it increased processing speed.
In a security bulletin this week, HP announced that it would take up to 90 to fix a critical vulnerability impacting several of its business-grade printers with IPsec enabled and running FutureSmart firmware version 5.6. Nearly 50 HP Enterprise LaserJet and HP LaserJet managed printer models are vulnerable to the flaw. According to HP, successful exploitation of CVE-2023-1707 could lead to information disclosure, allowing threat actors to access sensitive information transmitted between the vulnerable HP Printers and other devices on the network.
The Royal ransomware group - another offshoot of the disbanded Conti group - appears to have targeted over 1,000 organizations with a social engineering attack designed to trick victims into trusting the attackers. The firm last month identified a spam campaign that appears to trace to Royal and that layers on the deception, first by falsely notifying victims that a ransomware group has attacked them and then by pressuring them into opening a file that purportedly lists what was stolen but is a malware loader. The scheme may have even concocted a fake ransomware group: the Midnight Group. The group's claims to have infected victims with ransomware appeared fake. Victims of this fraud campaign receive emails claiming the Midnight Group was behind the original ransomware attack and their data will be posted on the dark web if they do not pay. Midnight is itself a fake scheme likely cooked up by Royal. This assessment is based in part on the attack telemetry and malware used by the attackers and the emails received by victims.
Researchers have noticed cyber activity against the private sector has shifted from financial extortion to more nuanced attacks that aim to disrupt essential public services, steal state secrets, spread disinformation, and/or invoke national embarrassment.
CISA is warning organizations to patch against an actively exploited vulnerability in Zimbra, a cloud-based collaboration suite. Tracked as CVE-2022-2726, the bug is related to a cross-site scripting flaw which can exploited by unauthenticated actors to execute arbitrary web script or HTML via specially crafted requests. According to cybersecurity firm ProofPoint CVE-2022-2726 was leveraged by a Russian hacking group, Winter Vivern or TA473, in attacks against several NATO-aligned governments’ webmail portals to access the emails of officials, governments, military personnel and diplomats.
Researchers at Symantec recently disclosed details of a campaign that has been targeting Palestinian entities with a variety of malware toolkits since September 2022. The campaign has been attributed to Arid Viper ( aka Moniker Mantis, APT-C-23, Desert Falcon) which is known for launching attacks against entities in Palestine and the Middle East, dating back as early as 2014. Based on attacks observed by this group, Mantis relies custom malware tools including ViperRat, FrozenCell (VolatileVenom), Adird Gopher, and Micropsia to target users of Windows, Android, and iOS platforms.
Cybercriminals are incorporating harmful features into self-extracting winRAR archives, which contain benign files as a disguise, enabling them to implant backdoors undetected by security measures on target systems. Self-extracting archives are made with compression programs such as WinRAR or 7-Zip, and they function like executables that include archived data with a built-in decompression stub. These archives can be safeguarded with passwords to restrict unauthorized access.
eFile is a service provider authorized by the IRS to assist in submitting tax returns. Security researchers claim malicious JavaScript code has been pushed by the website for the last couple of weeks. The impacted website is eFile[.]com only, not the IRS’s e-file infrastructure. The malware in question is popper[.]js, which attempts to load JavaScript returned by infoamanewonliag[.]online. This malware comes at an impactful time as U.S. taxpayers are trying to wrap up their IRS tax returns before the April 18th deadline. The malicious JavaScript uses Math[.]random() which prevents caching and will load a fresh copy of the malware every time eFile is visited. BleepingComputer confirmed that the malicious JavaScript file was being loaded on almost every page of eFile up until at least April 1st.
Fake extortionists are attempting to take advantage of data breaches and ransomware incidents to threaten US companies. They, are demanding payment in exchange for not publishing or selling data they claim to have stolen. Additionally, the threat actors may threaten to launch DDoS attack if demands, are not made. Since March 16, the group dubbed Midnight has applied email impersonation attacks to pass themselves off as ransomware and data extortion groups. In some instances, they claimed responsibility for the attack and stated they have stolen significant amounts of data.
A new ransomware gang named 'Money Message' has appeared, targeting victims worldwide and demanding million-dollar ransoms not to leak data and release a decryptor. The new ransomware was first reported by a victim on the BleepingComputer forums on March 28, 2023, with Zscaler's ThreatLabz soon after sharing information on Twitter. Currently, the threat actor lists two victims on its extortion site, one of which is an Asian airline with annual revenue close to $1 billion.
Last week, NinTechNet security researcher Jerome Bruandet shared a technical write up regarding an actively exploited high severity vulnerability in Elementor Pro, a WordPress builder plugin that allows users without any coding experience to easily build professional looking sites. According to Bruandet, the vulnerability relates to an improper validation/access control in the plugin’s WooCommerce module and can be abused to modify WordPress options in the database without authentication.
Security researchers have uncovered more evidence that the North Korean Lazarus group is responsible for the software supply chain attack on 3CX, a voice and video calling desktop client used by major multinational companies. Attribution to the Lazarus group became evident during an analysis of the tools used in the attack, said cybersecurity firm Volexity, Sophos, Crowdstrike and others. "The shellcode sequence appears to have been only used in the ICONIC loader and the APPLEJEUS malware, which is known to be linked to Lazarus," Volexity said. "The code in this incident is a byte-to-byte match to those previous samples," Sophos said. Researchers at CrowdStrike also analyzed and reverse-engineered the code and identified the threat actor as Labyrinth Chollima, another name for the Lazarus cyberespionage group. "Once active, the HTTPS beacon structure and encryption key match those observed by CrowdStrike in a March 7, 2023, campaign attributed with high confidence to DPRK-nexus threat actor LABYRINTH CHOLLIMA.
Western Digital announced today that its network has been breached and an unauthorized party gained access to multiple company systems. The California-based computer drive maker and provider of data storage services says in a press release that the network security incident was identified last Sunday, on March 26. An investigation is in its early stages and the company is coordinating efforts with law enforcement authorities.
Threat actors have hijacked Bing search results by exploiting a misconfigured Microsoft app. The vulnerability allowed the attackers to manipulate search results and redirect users to malicious websites, putting them at risk of phishing attacks and malware downloads. Wiz researchers discovered the vulnerability, dubbed BingBang, and informed Microsoft on January 31, 2023.
On March 10, Microsoft announced that it would be bringing forth enhanced security measures to protect against known phishing file types including OneNote files, which have become a popular distribution method ever since the company blocked Word and Excel macros by default and patched a MoTW bypass zero-day exploited to drop malware via ISO and ZIP files. Yesterday, the tech giant published an update, providing more details regarding what specific file extensions will be blocked when the improvements are rolled out. In total, Microsoft will be blocking 120 extensions deemed dangerous.
Yesterday, CISA added several security vulnerabilities to its catalog of known exploited vulnerabilities. According to a new blog post by Google’s Threat Analysis Group, the flaws were leveraged as part of several exploit chains in two separate campaigns, ultimately leading to the installment of spyware on targeted devices. The first of the the campaigns was first spotted in November 2022, where actors used the exploit chains to compromise iOS and Android devices. The second campaign took place one month later, abusing several 0-days and n-days exploits to target Samsung Android phones running up-to-date Samsung Internet Browser versions.
Cybersecurity researchers from ExaTrack recently discovered a previously undetected malware family, dubbed Mélofée, targeting Linux servers. The researchers linked with high-confidence this malware to China-linked APT groups, in particular the Winnti group.
The leaked files, dating from 2016 to 2021, include emails, internal documents, project plans, budgets, and contracts. One of Vulkan's clients is the hacking group Sandworm, a project dubbed Amezit or Amesit is designed to help the Russian military automate large-scale disinformation operations across social media and other channels such as email and SMS texts using fake accounts populated by avatars that sport stolen photographs and extensive backstories. Another, called Krystal-2B, includes tools for training hacking teams to attack railways, pipelines, and other operational technology environments.
An ongoing supply chain attack is reportedly using a trojanized version of the 3CX VOIP desktop client, which is digitally signed, to target the customers of the company. 3CX is a software development company that provides VOIP IPBX services. Its 3CX Phone System is popular among businesses, with over 12 million daily users and 600,000+ companies worldwide using the software. Attackers are targeting both WindowsOS and MacOS users.
Researchers at SentinelOne have uncovered a new modular toolkit dubbed AlienFox which enables actors to scan misconfigured servers and steal authentication secrets and credentials for cloud-based email services. The toolkit is currently being sold to cybercriminals via a private Telegram channel and is capable of targeting online hosting frameworks including Laravel, Drupal, Joomla, Magento, Opencart, Prestashop, and WordPress hosted on misconfigured servers for secrets. According to researchers, they identified three different versions of AlienFox, indicating that the authors behind the toolkit are actively developing and improving the tool.
QNAP recently published security updates to address a high-severity Sudo privilege escalation vulnerability in their Linux-powered network-attached storage devices. Tracked as CVE-2023-2280, the flaw was discovered by Synacktiv security researchers, who describe the vulnerability as a “sudoers policy bypass in Sudo version 1.9.12p1 when using sudoedit.” Successful exploitation of this flaw could enable attackers to escalate privileges on impacted devices by editing unauthorized files after appending arbitrary entries to the list of files to process.
The US Food and Drug Administration (FDA) staff has published new guidelines to strengthen the cybersecurity levels of internet-connected products used by hospitals and healthcare providers. According to a guidance document published earlier today, applicants seeking approval for new medical devices must submit a plan designed to “monitor, identify and address” possible cybersecurity issues associated with them.
On Mar. 29 open sources reported that a version of the 3CX Voice Over Internet Protocol (VOIP) desktop client application is being used to target the company’s customers in an ongoing supply chain attack. 3XC’s VOIP software is used by more than 600,000 companies worldwide with over 12 million users.
Recent targets of the group have included U.S. elected officials and staffers, multiple European governments - including Ukrainian and Italian foreign ministry officials - plus Indian government officials and private telecommunications firms that support Ukraine, researchers at security firms Proofpoint and SentinelOne report. The hackers exploit hosted Zimbra portals as part of island hopping attacks, seeking to move through a chain of victims to eventually access their desired target, which might be government systems or energy systems they would try to disrupt.
Google's Threat Analysis Group (TAG) discovered several exploit chains using Android, iOS, and Chrome zero-day and n-day vulnerabilities to install commercial spyware and malicious apps on targets' devices. The attackers targeted iOS and Android users with separate exploit chains as part of a first campaign spotted in November 2022. They used text messages pushing bit.ly shortened links to redirect the victims to legitimate shipment websites from Italy, Malaysia, and Kazakhstan after first sending them to pages triggering exploits abusing a WebKit remote code execution zero-day (CVE-2022-42856) and a sandbox escape (CVE-2021-30900) bug. On compromised devices, the threat actors dropped a payload allowing them to track the victims' location and install .IPA files. In this campaign, an Android exploit chain was also used to attack devices featuring ARM GPUs with a Chrome GPU sandbox bypass zero-day (CVE-2022-4135), an ARM privilege escalation bug (CVE-2022-38181), and a Chrome type confusion bug (CVE-2022-3723) with an unknown payload.
A new North Korean hacking group has been revealed to be targeting government organizations, academics, and think tanks in the United States, Europe, Japan, and South Korea for the past five years. The moderately-sophisticated threat actor is tracked as 'APT43' and is seen engaging in espionage and financially-motivated cybercrime operations that help fund its activities. Mandiant analysts who disclosed the activities of APT43 for the first time assess with high confidence that the threat actors are state-sponsored, aligning their operational goals with the North Korean government's geopolitical aims. The researchers have been tracking APT43 since late 2018 but have disclosed more specific details about the threat group only now.
Crown Resorts, which operates hotels and casinos in Australia, confirmed a data breach. The resort accrues an annual revenue that surpasses 8 billion, and operates in Melbourne, Perth, Sydney, Macau, and London. The attackers employed the GoAnywhere file transfer software to access sensitive data, including financial and personal information. They subsequently demanded a ransom payment to prevent them from disclosing the stolen data.
In a filing to the Securities and Exchange Commission, on March 27, 2023, Lumen announced two cybersecurity incidents. One of the incidents is a ransomware attack that impacted a limited number of its servers that support a segmented hosting service. The company did not provide details about the family of ransomware that infected its systems, it only admitted that the incident “is currently degrading the operations of a small number of the Company’s enterprise customers.
This week, Microsoft published investigation guidance to help Outlook customers search for attacks exploiting a recently patched vulnerability tracked as CVE-2023-23397. The flaw in Microsoft Outlook, allows for spoofing attacks that can lead to authentication bypass. Using the vulnerability, a remote attacker can gain access to a user’s Net-NTLMv2 hash by sending a specially crafted email to an impacted system.
Cybersecurity researchers have discovered a fundamental security flaw in the design of the IEEE 802.11 WiFi protocol standard, allowing attackers to trick access points into leaking network frames in plaintext form” (Bleeping Computer, 2023). WiFi frames are data containers that contain a header, data payload, and trailer. These frames include source and destination MAC addresses, control information, and management data.
A U.S. federal judge sentenced a Nigerian national to four years in prison for running several cyber-enabled schemes aimed at defrauding U.S. citizens out of more than $1 million. The men were arrested four years ago and extradited to Arizona in 2022 from Malaysia and the United Kingdom. Solomon Ekunke Okpe, 31, of Lagos and his co-conspirator, Johnson Uke Obogo, orchestrated business email compromise phishing attacks and a variety of schemes including work-from-home offers, check cashing, romance and credit card scams that targeted individuals, banks and other businesses, the U.S. Department of Justice said Monday.
Australian loan giant Latitude Financial Services (Latitude) is warning customers that its data breach has worsened. They've released an updated data breach notification warning customers that those impacted have increased from 328,000 to 14 million. "As our forensic review continues to progress, we have identified that approximately 7.9 million Australian and New Zealand driver's license numbers were stolen, of which approximately 3.2 million, or 40%, were provided to us in the last ten years. Approximately 6.1 million records dating back to 2005 were also stolen, of which approximately 5.7 million, or 94%, were provided before 2013.
Researchers at Proofpoint reported the discovery of new variants of IcedID malware that do not include the usual functionality for online banking fraud. Instead, the malware installs further malware on compromised systems, with a particular emphasis on ransomware. According to Proofpoint, two new variants of the IcedID loader, called Lite and Forked, were identified. Lite was observed in February 2023, while Forked was seen in February 2023. Both variants deliver the IcedID bot but with a more limited set of features. By removing unnecessary functions from the IcedID malware used in various campaigns, the threat actors can make it more streamlined and harder to detect. This approach could help attackers evade detection by security software.
Security researchers at Uptycs recently uncovered a new information stealing malware, designed to target macOS systems, primarily those running macOS versions Catalina and subsequent versions running on M1 and M2 CPU chips. Dubbed, MacStealer, the malware is capable of stealing documents, cookies from the victim’s browser, login information, and much more. MacStealer is being distributed as a malware-as-a-service (MaaS), where the developer is currently selling premade builds for a $100. According to the developer, MacStealer is still in the early development phase as it offers no panels or builders. However the developer is planning on updating the malware to incorporate more features including the ability to capture data from Apple’s Safari Browser and the Notes application.
Apple recently published security updates to backport an actively exploited zero-day bug that was disclosed earlier in February, 2023. Tracked as CVE-2023-23529, the zero-day is related to a WebKit type confusion bug that could enable attackers to trigger OS crashes and gain code execution on compromised iOS and iPadOS devices after tricking victims into opening malicious web pages.
OpenAI revealed that a Redis bug caused the recent disclosure of user personal information and chat titles in the ChatGPT chatbot service. The bug enabled unauthorized access to a Redis instance that contained metadata linked to ChatGPT's training data. On March 20, 2023, several ChatGPT users started reporting seeing conversation histories of other users appearing in their accounts. The same day, the history function showed the error message “Unable to load history,” and the chatbot service was temporarily interrupted.
A new ransomware operation named 'Dark Power' has appeared, and it has already listed its first victims on a dark web data leak site, threatening to publish the data if a ransom is not paid. The ransomware gang's encryptor has a compilation date of January 29, 2023, when the attacks started. Furthermore, the operation has not been promoted on any hacker forums or dark web spaces yet; hence it's likely a private project. According to Trellix, which analyzed Dark Power, this is an opportunistic ransomware operation that targets organizations worldwide, asking for relatively small ransom payments of $10,000.
A widespread ongoing malicious JavaScript injection campaign first detected in 2020 has targeted over 51,000 websites, redirecting victims to malicious content such as adware and scam pages. Unit 42 researchers have been tracking this activity through 2022 and it continues to infect websites in 2023. They suspect the campaign "has impacted a large number of people, since hundreds of these infected websites were ranked in Tranco's top million websites." Victims are typically redirected to an adware or a scam page, mostly masquerading as a well-known video-sharing platform or deceptive content that tricks victims into allowing an attacker-controlled website to send browser notifications.
The US Internal Revenue Service issued a warning to taxpayers about a new phishing campaign that employs Emotet malware to steal personal information. The emails, which appear to come from the IRS, include a malicious attachment or link that, if clicked, will download the Emotet malware on a victim's machine.
Cloud-based repository hosting service GitHub said it took the step of replacing its RSA SSH host key used to secure Git operations "out of an abundance of caution" after it was briefly exposed in a public repository. The activity, which was carried out at 05:00 UTC on March 24, 2023, is said to have been undertaken as a measure to prevent any bad actor from impersonating the service or eavesdropping on users' operations over SSH.
Content Management Platform WordPress has force installed security updates on hundreds of thousands of websites running WooCommerce, a popular payment plugin for online stores. The security update addresses a critical flaw (CVSS 9.8) that allows unauthenticated attackers to gain admin access to vulnerable stores.
Utility companies increasingly refrain from purchasing large power transformers from China given greater awareness of the security risks, a U.S. Department of Energy official told a Senate panel. Puesh Kumar said Thursday the U.S. government is analyzing the prevalence of Chinese-made components in the electric grid but wouldn't indicate when he expects the work to the done, frustrating senators on both sides of the aisle. The head of the department's Office of Cybersecurity, Energy Security, and Emergency Response testified before the Senate Energy and Natural Resources Committee.
Horizon3's Attack Team published a technical root cause analysis for this high-severity vulnerability, which includes a detailed proof-of-concept (PoC). Cross-platform exploit code is now available for a high-severity Backup Service vulnerability impacting Veeam's Backup & Replication (VBR) software. The flaw (CVE-2023-27532) affects all VBR versions and can be exploited by unauthenticated attackers to breach backup infrastructure after stealing cleartext credentials and gaining remote code execution as SYSTEM.
A malicious version of the legitimate ChatGPT extension for Chrome is increasing in popularity in the Chrome Webstore. The extension hijacks Facebook accounts by stealing login credentials and cookies. Advertisements in Google search results promote the extension mainly featured when searching for Chat GPT 4.
Researchers at SentinelOne and QGroup have uncovered a new campaign targeting telecommunication providers in the Middle East since the first quarter of 2023. The attacks have been attributed to a Chinese cyber espionage actor which researchers associate with a long running campaign dubbed “Operation Soft Cell, that has been under the radar since 2012. Given the toolset deployed, it is likely that this cyberespionage actor is the nexus of Gallium and APT41 which have a history of targeting telecommunication entities across the globe.
German and South Korean government agencies have warned about cyber attacks mounted by a threat actor tracked as Kimsuky using rogue browser extensions to steal users' Gmail inboxes. The joint advisory comes from Germany's domestic intelligence apparatus, the Federal Office for the Protection of the Constitution (BfV), and South Korea's National Intelligence Service of the Republic of Korea (NIS). The intrusions are designed to strike ‘experts on the Korean Peninsula and North Korea issues’ through spear-phishing campaigns, the agencies noted.
Fresh produce giant Dole Food Company has confirmed threat actors behind a February ransomware attack have accessed the information of an undisclosed number of employees. Dole employs around 38,000 people worldwide, providing fresh fruits and vegetables to customers in more than 75 countries. The company revealed that last month's cyberattack directly impacted its employees' information in the annual report filed with the U.S. Securities and Exchange Commission (SEC) on Wednesday.
The global shift into cloud computing may come under increased scrutiny by U.S. regulators following an announcement by the U.S. Federal Trade Commission that it is studying cloud industry market dynamics, including potential security risks. The oversight agency issued a request for information asking whether cloud providers use contractual or technological measures to entrench customers. It also asks for public response by May 22 to questions such as what representations cloud providers make about data security and contractual divisions of responsibility for the security of consumer personal information stored in the cloud.
Group-IB security researchers have discovered over 2400 scam pages that target Arabic-speaking job seekers in 13 countries between January 2022 and January 2023. Cybercriminals have created fake job listings and websites to target job seekers and steal personal information. Firms based in Egypt, Saudi Arabia, and Algeria are the most impersonated by scammers. The new scam campaign targets over 40 well-known brands from 13 countries in the MEA region, with the majority of scam pages impersonating companies in the logistics sector (64%), followed by the food and beverage sector (20%), and the petroleum industry (12%). The scheme involves an initial phishing attempt that guides victims to fake web pages with a similar job vacancy description.
oogle suspended popular budget e-commerce application Pinduoduo from the Play Store after detecting malware on versions of the Chinese app downloadable from other online stores. In a statement on Tuesday, Google said it took action to block the installation of Pinduoduo on Android devices and that it would scan smartphones for malicious versions through its Google Play Protect service. Google's action hasn't stopped Android app stores run by Huawei, Xiaomi and others from offering the app, reported the South China Morning Post. Google Play is blocked in China.
Cybersecurity firm Kaspersky has uncovered a new campaign dubbed Bad Magic which is targeting government, agriculture, and transportation organizations in Donetsk, Lugansk, and Crimea. First spotted in October 2022, the attack chain starts off with a booby-trapped URL pointing to a ZIP archive hosted on a malicious web server. When launched, the archive contains a decoy document as well as a malicious LNK file that is responsible for deploying a backdoor dubbed PowerMagic.
On March 15, 2023 law enforcement arrested 21-year old, Conor Brian Fitzpatrick (aka “Pompompurin”), the administrator of “Breach Forums,” an infamous underground forum that has been known for hosting stolen databases belonging to several companies often including sensitive information. Fitzpatrick was later released a day later on a 300,000 bond signed by his parents and is scheduled to appear for a hearing on March 24, 2023 before the District Court for the Eastern District of Virginia. Following the the arrest of Fitzpatrick, Baphomet, the current administrator posted an update on March 21, 2023 stating that they have decided to take down the forum, emphasizing ‘this is not the end.” This take down is suspected to be prompted by suspicions that law enforcement may have obtained access to the site’s configurations, source code, and information about the forum’s users.
Proof-of-concept exploits for vulnerabilities in Netgear’s Orbi 750 series router and extender satellites have been released, with one flaw a critical severity remote command execution bug. Netgear Orbi is a popular network mesh system for home users, providing strong coverage and high throughput on up to 40 simultaneously connected devices across spaces between 5,000 and 12,500 square feet.
A banking trojan dubbed Mispadu has been linked to multiple spam campaigns targeting countries like Bolivia, Chile, Mexico, Peru, and Portugal with the goal of stealing credentials and delivering other payloads. The activity, which commenced in August 2022, is currently ongoing, Ocelot Team from Latin American cybersecurity firm Metabase Q said in a report shared with The Hacker News. Mispadu (aka URSA) was first documented by ESET in November 2019, describing its ability to perpetrate monetary and credential theft and act as a backdoor by taking screenshots and capturing keystrokes.
talian luxury sports car marker, Ferrari recently disclosed a data breach after attackers gained accessed to some of its IT systems. The company stated that certain data relating to its clients was exposed including names, addresses, email addresses and telephone numbers. Based on investigations conducted so far, Ferrari has yet to find any evidence of payment details/bank account numbers or other sensitive payment information being stolen. Since the company learned of the breach, the company has reached out to relevant authorities to investigate the full scope of the attack.
The Clop ransomware gang has claimed responsibility for yet another cyber attack, this time against a luxury retailer Saks Fifth Avenue. The enterprise was founded in 1867 by Andrew Saks and headquartered in New York City City Fifth avenue remains a notable luxury brand retailer serving the U.S., Canada, and parts of the Middle East. The ransomware group claims to have stolen sensitive data during the attack, but Saks has stated that the data is only mock data and no actual customer data was compromised. The retailer has not yet disclosed whether threat actors have apprehended employee or corporate data. Further, details have not been released about any ongoing ransom negotiations.
Hackers continue to target zero-day vulnerabilities in malicious campaigns, with researchers reporting that 55 zero-days were actively exploited in 2022, most targeting Microsoft, Google, and Apple products. Most of these vulnerabilities (53 out of 55) enabled the attacker to either gain elevated privileges or perform remote code execution on vulnerable devices.
Hitachi Energy, a subsidiary of the Japanese multinational conglomerate Hitachi, has confirmed a data breach that occurred after being hit by the Clop ransomware group's GoAnywhere attacks. Hitachi is a department of Japanese engineering and technology with an annual revenue of 10 billion. The attack resulted in the theft of sensitive data from several business units in the United States, Thailand, and Japan.
U.S. law enforcement arrested on Wednesday a New York man believed to be Pompompurin, the owner of the BreachForums hacking forum. According to court documents, he was charged with one count of conspiracy to solicit individuals to sell unauthorized access devices. During the arrest, the defendant allegedly admitted that his real name was Connor Brian Fitzpatrick and that he was Pompourin, the owner of the Breach Forums cybercrime forum.
Researchers at Akamai have spotted a new botnet dubbed “HinataBot” that is leveraging known flaws to compromise routers and servers, which in turn after being used to stage distributed denial-of-service attacks. Among the vulnerabilities exploited include, CVE-2014-8361 that impacts Realtek SDK devices and CVE-2017-17215 that impacts Hauwei HG532 routers.
The Emotet malware is now distributed using Microsoft OneNote email attachments, aiming to bypass Microsoft security restrictions and infect more targets. Emotet is a notorious malware botnet historically distributed through Microsoft Word and Excel attachments that contain malicious macros. If a user opens the attachment and enables macros, a DLL will be downloaded and executed that installs the Emotet malware on the device. Once loaded, the malware will steal email contacts and email content for use in future spam campaigns. It will also download other payloads that provide initial access to the corporate network. This access is used to conduct cyberattacks against the company, which could include ransomware attacks, data theft, cyber espionage, and extortion.
Chinese threat actors are turning security appliances into penetration pathways, forcing firewall maker Fortinet to again attempt to fend off hackers with a patch. Researchers from Mandiant say suspected Beijing hackers it tracks as UNC3886 has been targeting chip-based firewall and virtualization boxes. The group, it said in a Thursday blog post, exploited a now-patched path transversal zero-day vulnerability tracked as CVE-2022-41328 in the Fortinet operating system in order to gain persistence on FortiGate and FortiManager products. Such penetrations can give hackers years of interrupted access to internal networks. A threat cluster related to UNC3886 also targeted a Fortinet zero-day in a campaign that involved delivery of a custom backdoor "specifically designed to run on FortiGate firewalls.
Cybercriminals are abusing the Adobe Acrobat Sign service to distribute Redline malware, a powerful information-stealing Trojan. Adobe Acrobat Sign is a cloud-based e-signature service that enables users to create, send, track, and manage electronic signatures. It is a free-to-try service that allows users to sign documents securely and remotely without physical paperwork. Avast researchers observed threat actors sending phishing emails to trick victims into opening malicious PDF documents.
A decryption tool for a modified version of the Conti ransomware could help hundreds of victims recover their files for free. The utility works with data encrypted with a strain of the ransomware that emerged after the source code for Conti was leaked last year in March [1, 2]. Researchers at cybersecurity company Kaspersky found the leak on a forum where the threat actors released a cache of 258 private keys from a modified version of the Conti ransomware.
A suspected Chinese hacking group has been linked to a series of attacks on government organizations exploiting a Fortinet zero-day vulnerability (CVE-2022-41328) to deploy malware. The security flaw allowed threat actors to deploy malware payloads by executing unauthorized code or commands on unpatched FortiGate firewall devices, as Fortinet disclosed last week. Further analysis revealed that the attackers could use the malware for cyber-espionage, including data exfiltration, downloading and writing files on compromised devices, or opening remote shells when receiving maliciously crafted ICMP packets.
British intelligence reports that since early in January, the Russian military appears to have been "attempting to restart major operations" with a focus on capturing "the remaining Ukrainian-held parts of Donetsk Oblast," a territory the size of Massachusetts located in the eastern part of the country. In new analysis, Microsoft reports Russia in recent months appears to have increased cyberespionage efforts aimed at nations helping with the defense of Ukraine, mostly governments of European nations. Based on a recent flurry of activity by Russia, Microsoft foresees an uptick in ransomware, an emphasis on obtaining initial access to systems, and increased influence operations.
The BianLian ransomware group has shifted its focus from encrypting its victims' files to only exfiltrating data found on compromised networks and using them for extortion. This operational development in BianLian was reported by cybersecurity company Redacted, who have seen signs of the threat group attempting to craft their extortion skills and increase the pressure on their victims.
Last year, a U.S. federal agency's Microsoft Internet Information Services (IIS) web server was hacked by exploiting a critical .NET deserialization vulnerability in the Progress Telerik UI for ASP[.]NET AJAX component. According to a joint advisory issued today by CISA, the FBI, and MS-ISAC, the attackers had access to the server between November 2022 and early January 2023 based on indicators of compromise (IOCs) found on the unnamed federal civilian executive branch (FCEB) agency's network.
CISA recently added a critical bug to its catalog of known exploited vulnerabilities. Tracked as CVE-2023-26360, the vulnerability relates to a Improper Access Control issue impacting Adobe ColdFusion versions 2021 (update 5 and earlier versions) and 2018 (Update 15 and earlier versions. Successful exploitation of the flaw could enable actors to elevate their privileges, access sensitive information, and even execute arbitrary code remotely. The vulnerability has been fixed in ColdFusion 2018 version 16 and ColdFusion 2021 version 6. Given the severity of the flaw, CISA is giving federal agencies three weeks, until April 5, to apply the security updates.
Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow a remote attacker to bypass authentication or execute arbitrary commands on the underlying operating system of an affected device, "A vulnerability in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 Routers could allow an unauthenticated, remote attacker to bypass authentication on an affected device.
An advanced hacking group named 'Winter Vivern' targets European government organizations and telecommunication service providers to conduct espionage. The group's activities align with the interests of the Russian and Belarusian governments, so it is believed that this is a pro-Russian APT (advanced persistent threat) group. Sentinel Labs reports that the threat group functions on limited resources; however, their creativity compensates for these limitations.
On 7 March 2023, Veeam published a knowledge base article outlining CVE-2023-27532, a vulnerability in the Veeam Backup & Replication component that allowed an unauthenticated user to retrieve host credentials stored in the configuration database. This weakness could ultimately enable an attacker to gain access to hosts and devices managed by the Veeam Backup server. With access to the open TCP port 9401, any individual could obtain credentials and potentially move laterally throughout the network with the newly exposed username and passwords.
The Securities and Exchange Commission proposed a slew of new cybersecurity rules for the companies underpinning the U.S. stock market, the latest sign of increasing unhappiness among Biden administration officials about the private sector's management of digital risk. The commission approved a proposal that would place market entities under a mandate to report significant cybersecurity incidents to the agency after having concluded with "reasonable basis" that the incident occurred, or even is still in progress.
According to researchers, a new group of cybercriminals dubbed Yorotrooper is targeting European Union embassies, Central Asian diplomatic organizations, and energy companies in Ukraine and Kazakhstan. The threat actors access victims' networks through phishing emails containing malicious LNK attachments and decoy PDF documents. Researchers at Cisco Talos observed YoroTrooper exfiltrating significant amounts of data from infected endpoints, along with credentials, cookies, and browsing histories. "While YoroTrooper uses malware associated with other threat actors, such as PoetRAT and LodaRAT, Cisco's analysts have enough indications to believe this is a new cluster of activity.
Cybersecurity company Rubrik has confirmed that its data was stolen using a zero-day vulnerability in the Fortra GoAnywhere secure file transfer platform. Rubrik is a cloud data management service that offers enterprise data backup and recovery services and disaster recovery solutions. In a statement from Rubrik CISO Michael Mestrovichon, the company disclosed that they were victims of a large-scale attack against GoAnywhere MFT devices worldwide using a zero-day vulnerability.
As part of the SAP Security Patch Day for the month of March, the software vendor addressed 19 vulnerabilities, five of which have been rated critical in severity. The critical vulnerabilities impact SAP Business Objects Business Intelligence Platform (CMC) and SAP NetWeaver.
The top U.S. cybersecurity agency says it's testing out scanning critical infrastructure organizations to detect vulnerabilities exploitable by ransomware hackers in a bid to have them patched before extortionists also catch them out. Congress called on the Critical Infrastructure and Security Agency to conduct a pilot scanning for ransomware vulnerabilities in legislation that became law last March. The Ransomware Vulnerability Warning Pilot became active on Jan. 30.
SpyCloud has released their 2023 Annual Identity Exposure Report. The report identified over 22 million unique devices infected by malware last year. Of the 721.5 million exposed credentials recovered by SpyCloud, roughly 50% came from botnets, tools commonly used to deploy highly accurate information-stealing malware. The researchers warn of a distinctive spike in malware designed to exfiltrate data directly from devices and browsers, which has led to continued user exposure.
A critical vulnerability in the ubiquitous Microsoft Outlook/365 applications suite is being actively abused in the wild and demands urgent patching. CVE-2023-23397, a CVSS 9.8 bug, lets a remote and unauthenticated attacker breach systems merely by sending a specially crafted email that allows them steal the recipient’s credentials
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Researchers discovered 13 security flaws in smart intercoms that could allow hackers to access people's homes or listen in on conversations. These vulnerabilities include the ability for remote code execution, network access, and other types of unauthorized access.
It has come to attention that attackers leveraged a new FortiOS bug patched this month as a zero-day in attacks targeting government and large organizations, resulting in data loss and OS and file corruption. The vulnerability (CVE-2022-41328) in question has been rated medium in severity and can enable threat actors to execute unauthorized code or commands.
Ransomware continues to be a pertinent threat to critical infrastructure with actors leveraging known vulnerabilities to target organizations across the globe. As a countermeasure CISA has announced a new pilot program to help critical infrastructure entities protect their information systems from ransomware attacks. The program dubbed “Ransomware Vulnerability Warning Pilot (RVWP), having started in January 30, 2023, will help organizations identify vulnerabilities in their systems that might by exploited by ransomware threat actors.
Adversary-in-the-middle (AiTM) phishing kits are part of an increasing trend that is observed supplanting many other less advanced forms of phishing. AiTM phishing is capable of circumventing multifactor authentication (MFA) through reverse-proxy functionality. DEV-1101 is an actor tracked by Microsoft responsible for the development, support, and advertising of several AiTM phishing kits, which other cybercriminals can buy or rent. The availability of such phishing kits for purchase by attackers is part of the industrialization of the cybercriminal economy and lowers the barrier of entry for cybercrime.
Business social media platform LinkedIn continues to pay dividends for North Korean hackers, including one group historically concentrated on South Korean targets that has expanded into pursuing security researchers and media industry workers in the West. A Pyongyang group tracked by Google threat intelligence unit Mandiant as UNC2970 masquerades as recruiters on LinkedIn in a bid to entice victims into opening a phishing payload disguised as a job description or skills assessment.
The Biden administration's spending blueprint for the coming federal fiscal year includes increased funding for cybersecurity at federal agencies and for Ukraine. The $1.7 trillion proposal for discretionary federal spending starting Oct. 1 includes $753 million in assistance for Ukraine. The money would be used by Kyiv to "counter Russian malign influence and to meet emerging needs related to security, energy, cybersecurity, disinformation, macroeconomic stabilization, and civil society resilience," a White House budget overview states. Additional budget documents containing more detail are set for release on Monday.
The Medusa ransomware gang is gaining momentum as it targets companies worldwide. The group first emerged in 2021 and has been observed utilizing a variety of tactics to compromise organizations, including phishing emails, exploiting vulnerable remote desktop services, and exploiting vulnerabilities in software. Bleeping Computer has analyzed Medusa's encryptor for Windows, but it is not transparent whether or not the group has an encryptor for Linux. The windows encryptor has command-line options that enable the attackers to customize how files get encrypted on infected devices. Additionally, the ransomware terminates over 280 Windows services and processes to prevent interference with file encryption, including services for mail servers, database servers, backup servers, and security software.
The Dark Pink advanced persistent threat (APT) actor has been linked to a fresh set of attacks targeting government and military entities in Southeast Asian countries with a malware called KamiKakaBot. Dark Pink, also called Saaiwc, was extensively profiled by Group-IB earlier this year, describing its use of custom tools such as TelePowerBot and KamiKakaBot to run arbitrary commands and exfiltrate sensitive information.
The Clop ransomware gang has begun extorting companies whose data was stolen using a zero-day vulnerability in the Fortra GoAnywhere MFT secure file-sharing solution. In February, the GoAnywhere MFT file transfer solution developers warned customers that a zero-day remote code execution vulnerability was being exploited on exposed administrative consoles. GoAnywhere is a secure web file transfer solution that allows companies to securely transfer encrypted files with their partners while keeping detailed audit logs of who accessed the files.
The Xenomorph Android malware has upgraded with new capabilities, including an automated transfer system framework and the ability to steal login credentials from 400 banks. The malware was first discovered on the Google Play store in February 2022 with over 50,000 downloads. The latest version of the malware targets financial institutions in the United States, Spain, Turkey, Poland, Australia, Canada, Italy, Portugal, France, Germany, UAE, and India. "Some examples of targeted institutions include Chase, Citibank, American Express, ING, HSBC, Deutsche Bank, Wells Fargo, Amex, Citi, BNP, UniCredit, National Bank of Canada, BBVA, Santander, and Caixa. The list is too extensive to include here, but ThreatFabric has listed all targeted banks in the appendix of its report. Moreover, the malware targets 13 cryptocurrency wallets, including Binance, BitPay, KuCoin, Gemini, and Coinbase.
In 2022, investment scam losses were the most (common or dollar amount) scheme reported to the Internet Crime Complaint Center (IC3),” the FBI shared in its 2022 Internet Crime Report. This category includes crypto-investment scams such as liquidity mining, celebrity impersonation, “pig butchering, “and many more. Business email compromise (BEC) scams are the second most financially destructive overall, followed by tech support scams and personal data breaches.
This week, as part of a global law enforcement operation, federal authorities in Los Angeles successfully confiscated www[.]worldwiredlabs[.]com, a domain utilized by cybercriminals to distribute the NetWire remote access trojan (RAT), allowed perpetrators to assume control of infected computers and extract a diverse range of sensitive information from their unsuspecting victims.
Microsoft’s Security Intelligence team recently investigated a business email compromise (BEC) attack and found that attackers move rapidly, with some steps taking mere minutes. The whole process, from signing in using compromised credentials to registering typosquatting domains and hijacking an email thread, took the threat actors only a couple of hours. This rapid attack progression ensures that the targets will have minimal opportunity to identify signs of fraud and take preventive measures.
Mandiant researchers reported that alleged China-linked threat actors, tracked as UNC4540, deployed custom malware on a SonicWall SMA appliance. The malware allows attackers to steal user credentials, achieve persistence through firmware upgrades, and provides shell access. The compromised device contained a set of files used by the attacker to gain highly privileged access to the appliance. The code itself contained a variety of bash scripts and a single ELF binary identified as a TinyShell variant.
Fortinet has patched 15 vulnerabilities in a variety of its products, including CVE-2023-25610, a critical flaw affecting devices running FortiOS and FortiProxy. None of the patched vulnerabilities is actively exploited, but Fortinet’s devices are often targeted by ransomware gangs and other cyber attackers, so implementing the offered security updates quickly is advised. Discovered by Fortinet infosec engineer Kai Ni, CVE-2023-25610 is a buffer underwrite (‘buffer underflow’) vulnerability found in the FortiOS and FortiProxy administrative interface. Linux-based FortiOS powers many Fortinet’s products, including its FortiGate firewalls and various switches. FortiProxy is a secure web proxy that protects users against internet-borne attacks.
ChatGPT has garnered a lot of questions about its security and capacity for manipulation, partly because it is a new software that has seen unprecedented growth (hosting 100 million users just two months following its launch). Security concerns vary from the risk of data breaches to the program writing code on behalf of hackers. From malvertising, extension installation, hijacking Facebook accounts, and back again to propagation The fake ChatGPT extension discovered by Guardio is the latest security concern, affecting thousands daily. The scam starts with the malicious stealer extension, “Quick access to Chat GPT,” showing up on Facebook-sponsored posts as a quick way to get started with ChatGPT directly from your browser.
The FBI is investigating a data breach that has affected US House members and staff. Hackers have gained sensitive personal information from DC Health Link's servers, which administers health plans. The US House Chief Administrative Officer notified impacted individuals via email. The email stated that "DC Health Link suffered a significant data breach yesterday potentially exposing the Personal Identifiable Information (PII) of thousands of enrollees. As a Member or employee eligible for health insurance through D.C. Health Link, your data may have been comprised" (Bleeping Computer, 2023). The scope and severity of the breach are currently unclear, and it does not appear that Members or the House of Representatives were the specific targets of the attack.
QR codes are increasingly being used by cybercriminals in attacks. “Invented in the 1990s, QR codes surged during the pandemic. They offered a way for people to access information and conduct activities in a touchless way. Insider Intelligence reports US smartphone users scanning a QR code will increase from 83.4 million in 2022 to 99.5 million in 2025.
Threat actors linked to the IceFire ransomware operation now actively target Linux systems worldwide with a new dedicated encryptor. SentinelLabs security researchers found that the gang has breached the networks of several media and entertainment organizations around the world in recent weeks, starting mid-February.
Emotet, a notorious malware active since 2014, has resumed its attacks after a three-month break. The malware gets primarily distributed through phishing emails containing Microsoft word and Excel document attachments utilized for apprehending victims' emails and contacts for use in future Emotet campaigns or downloading additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks.
A dozen U.S. senators on Tuesday introduced bipartisan legislation backed by the White House charging the federal government with initiating a process to systematically block foreign technology from reaching the domestic market when the tech poses a national security threat. Backers say the bill, the Restricting the Emergence of Security Threats that Risk Information Communications Technology Act, could result in restrictions for the social media platform TikTok, which is owned by Chinese company ByteDance. The short form video app has operated under a cloud of Washington, D.C.-driven opposition dating to fears by the Trump administration that TikTok shares data with the Chinese government and could be used in Beijing influence operations.
This campaign is significantly smaller than some of the more prominent botnets such as Emotet or Chaos – both of which indiscriminately target vulnerable devices on the internet. It's been assessed that the threat actor most likely chose to keep the campaign small to evade detection, "As of mid-February 2023, there were approximately 2,700 DrayTek Vigor 2960 routers and approximately 1,400 DrayTek Vigor 3900 routers exposed on the internet, and Hiatus had compromised approximately 100 of these routers.
Matsu, an outlying island close to neighboring China leverages two undersea cables to provide Internet to it’s 14,000 residents. In the past five years, the Island has seen it’s Internet cables cut 27 times. Residents have struggled with paying electricity bills, making doctors appointments, and receiving packages due to the constant destruction of their Internet backbone.
The Sharp Panda cyber-espionage hacking group is targeting high-profile government entities in Vietnam, Thailand, and Indonesia with a new version of the ‘Soul’ malware framework. The particular malware was previously seen in espionage campaigns targeting critical Southeast Asian organizations, attributed to various Chinese APTs.
Researchers at Proofpoint have discovered Russian-aligned hackers known as TA499 targeting individuals and organizations through video call requests. TA499 lures prominent business people and individuals who have supported Ukranian humanitarian efforts or have criticized the Russian Government. Threat actors will send fake video conferencing invitations that appear legitimate. The attacks primarily focus on organizations in the United States and Europe.
Last week, the credit card market BidenCash, which sells compromised payment card data, released free details of 2 million payment cards. The market for carders - aka credit and debit card thieves - trumpets that the release is intended to celebrate its first anniversary. Whether actual fraudsters find that data dump useful is questionable, the payment cards included in the mess are nearing expiration or are likely already rendered useless by a security alert. BidenCash's leak is more akin to a free food sample you get on a toothpick at the grocery store than a genuine freebie.
Nvidia confirmed today that it's working to fix a driver issue causing high CPU usage and blue screens of death (BSODs) on Windows systems. The buggy driver is the GeForce Game Ready 531.18 WHQL driver released on February 28th that introduced support for RTX Video Super Resolution. This comes after customers have been complaining for days on the company's forums and on social media that the Nvidia Game Session Telemetry Plugin (NvGSTPlugin.dll) loaded by the Nvidia Display Container service leads to CPU spikes of 10% or more on Windows systems after closing games or rendering apps. In the Nvidia forum thread asking for feedback on this driver version, users are also reporting experiencing constant blue screens on up-to-date Windows installations and that reverting to an older driver version fixes the BSOD problems.
A new phishing campaign targets organizations in Eastern European countries with the Remcos RAT malware with aid from an old Windows User Account Control (UAC) bypass discovered over two years ago. The use of mock trusted directories to bypass Windows User Account Control stands out in the attack as it's been known since 2020 but remains effective today
Serious security vulnerabilities have been identified in multiple DJI drones. These weaknesses had the potential to allow users to modify crucial drone identification details such as its serial number and even bypass security mechanisms that enable authorities to track both the drone and its pilot. In special attack scenarios, the drones could even be brought down remotely in flight.
An ongoing hacking campaign called' Hiatus' targets DrayTek Vigor router models 2960 and 3900 to steal data from victims and build a covert proxy network. DrayTek Vigor devices are business-class VPN routers used by small to medium-size organizations for remote connectivity to corporate networks. The new hacking campaign, which started in July 2022 and is still ongoing, relies on three components: a malicious bash script, a malware named "HiatusRAT," and the legitimate 'tcpdump,' used to capture network traffic flowing over the router.
Microsoft OneNote file has become a popular file format used by hackers to spread malware and breach corporate networks. Threat actors had previously abused macros in Microsoft Word and Excel, but after Microsoft disabled macros by default, threat actors turned towards other file formats to distribute malware. ISO files and password protected ZIP archives became popular choices.
The Royal ransomware group targeting critical infrastructure in the United States and other countries is made up of experienced ransomware attackers and has strong similarities to Conti, the infamous Russia-linked hacking group, according to a new alert issued by U.S. authorities. The group is targeting major industries including manufacturing, communications, education and healthcare organizations in the U.S. and other countries, according to a joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency and the FBI. The attackers appear to be particularly interested in hitting the U.S. healthcare sector, demanding ransoms from $250,000 to over $2 million.
The Biden administration announced on Friday that it will make it mandatory for states to conduct cyber security audits of public water systems. Water systems are critical infrastructures that are increasingly exposed to the risk of cyberattacks by both cybercriminal organizations and nation-state actors, the US Environmental Protection Agency reported. “Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable,” said EPA Assistant Administrator Radhika Fox, as reported by the Associated Press. “Cyberattacks have the potential to contaminate drinking water.”
The phishing campaigns target job seekers by sending emails that purport to belong to a recruitment agency, asking them to provide personal information or login credentials. The malware campaign attempts to drop prominent malware like AgentTesla, Emotet, Cryxos Trojans and Nemucod on victims' devices. Trellix researchers also observed that attackers are posing as job seekers to target employers.
Fintech banking platform Hatch Bank has reported a data breach after hackers stole the personal information of almost 140,000 customers from the company's Fortra GoAnywhere MFT secure file-sharing platform. Hatch Bank is a financial technology firm allowing small businesses to access bank services from other financial institutions.
American fast food restaurant chain Chick-fil-A has started notifying roughly 71,000 individuals that their user accounts have been compromised in a two-month-long credential stuffing campaign. In a notification letter to impacted customers, a copy of which was submitted to multiple Attorney General offices, Chick-fil-A says the accounts were compromised in a series of automated attacks targeting both its website and mobile application.
Microsoft has released out-of-band security updates for 'Memory Mapped I/O Stale Data (MMIO)' information disclosure vulnerabilities in Intel CPUs. The Mapped I/O side-channel vulnerabilities were initially disclosed by Intel on June 14th, 2022, warning that the flaws could allow processes running in a virtual machine to access data from another virtual machine.
Security researchers uncovered an investment scam network that draws on an online infrastructure of hundreds of hosts and thousands of domains to target primarily Indian victims by impersonating Fortune 100 companies. Resecurity dubs the criminal group behind the fraud "Digital Smoke" and says it targeted victims across the globe but focused on India; in 2022, the researchers say, the groups took tens of billions of dollars from victims, and there has been a notable uptick in damages in the first months of this year. Digital Smoke used more than 350 hosting providers, and most domain names and hosting platforms were registered via the Chinese company Alibaba.
Trezor is a hardware cryptocurrency wallet where users can store their crypto offline rather than through cloud-based wallets on their devices. Trezor is a tempting alternative to those who'd rather not have their crypto wallet connected to their PC to avoid malware and compromised devices. However, an ongoing phishing campaign masquerading as Trezor data breach notifications attempts to steal users' cryptocurrency and wallets.
Cisco recently addressed several vulnerabilities impacting its IP phones which could enable unauthenticated remoted threat actors to execute arbitrary code or cause a denial of service condition. The most severe of the flaws is being tracked as CVE-2023-20078 and can allow an unauthenticated, remote attacker to inject arbitrary commands that are executed with root privileges.
Russian government officials will no longer be able to use messaging apps developed and run by foreign companies, according to a new law which went into effect yesterday. Parts 8–10 of Article 10 of the new law – On Information, Information Technologies and Information Protection – apply to government agencies and organizations. “The law establishes a ban for a number of Russian organizations on the use of foreign messengers (information systems and computer programs owned by foreign persons that are designed and (or) used for exchanging messages exclusively between their users, in which the sender determines the recipients of messages and does not provide for placement by internet users publicly available information on the internet),” said regulator Roskomnadzor.
The satellite broadcaster Dish Network experienced a multi-day network outage. The outage affected multiple services provided by Dish Network, such as Dish[.]com, the dish anywhere app, Boost Mobile, and other websites owned and operated by the provider. At first, Dish Network suspected that the cause of the outage was VPN issues.
Romanian cybersecurity company Bitdefender has released a free universal decryptor for a nascent file-encrypting malware known as MortalKombat. MortalKombat is a new ransomware strain that emerged in January 2023. It's based on a commodity ransomware dubbed Xorist and has been observed in attacks targeting entities in the U.S., the Philippines, the U.K., and Turkey. Xorist, detected since 2010, is distributed as a ransomware builder, allowing cyber threat actors to create and customize their own version of the malware. This includes the ransom note, the file name of the ransom note, the list of file extensions targeted, the wallpaper to be used, and the extension to be used on encrypted files.
CISA recently added a new vulnerability to its “Known Exploited Vulnerabilities Catalog.” Tracked as CVE-2022-36537 (CVSSL 7.5), the vulnerability was discovered last year by Markus Wulftange and is related to a remote code execution flaw impacting the ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1.
Last year, the FBI's Internet Complaint Center received 870 complaints that "indicated organizations belonging to a critical infrastructure sector were victims of a ransomware attack," said David Scott, deputy assistant director of the FBI's Cyber Division, speaking at the Futurescot conference Monday in Glasgow, Scotland. Critical manufacturing and the government, including schools, followed healthcare as the most-attacked sectors, IC3 data shows. The top strain of observed ransomware was LockBit, followed by BlackCat and Hive, IC3 found. "That's just a small portion of the overall ransomware attacks; there are many, many more that didn't impact critical infrastructure," Scott said.
Threat actors are promoting a new 'Exfiltrator-22' post-exploitation framework designed to spread ransomware in corporate networks while evading detection. Threat analysts at CYFIRMA claim that this new framework was created by former Lockbit 3.0 affiliates who are experts in anti-analysis and defense evasion, offering a robust solution in exchange for a subscription fee. The prices for Exfiltrator-22 range between $1,000 per month and $5,000 for lifetime access, offering continuous updates and support. Buyers of the framework are given an admin panel hosted on a bulletproof VPS (virtual private server) from where they can control the framework's malware and issue commands to compromised systems.
Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily in real estate websites. The Houzez theme is a premium plugin that costs $69, offering easy listing management and a smooth customer experience. The vendor's site claims it is serving over 35,000 customers in the real estate industry. The two vulnerabilities were discovered by Patchstack's threat researcher Dave Jong and reported to the theme's vendor, 'ThemeForest,' with one flaw fixed in version 2.6.4 (August 2022) and the other in version 2.7.2 (November 2022). However, a new Patchstack report warns that some websites have not applied the security update, and threat actors actively exploit these older flaws in ongoing attacks.
On February 17, the U.S. Marshals Service suffered a ransomware and data exfiltration event affecting a stand-alone USMS system. The USMS bureau is a federal law enforcement agency operated within the Justice Department. The agency supports all elements of the Federal justice system by providing security for the Federal court facilities, executing federal court orders, apprehending criminals, assuring the safety of government witnesses and their families, and more.
LastPass revealed more information on a "coordinated second attack," where a threat actor accessed and stole data from the Amazon AWS cloud storage servers for over two months. LastPass disclosed a breach in December where threat actors stole partially encrypted password vault data and customer information, “The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.
Security researchers have recorded a 76% year-on-year (YoY) increase in financial losses stemming from phishing attacks, as sophisticated tactics and user knowledge gaps give threat actors the upper hand. Proofpoint compiled its 2023 State of the Phish report from interviews with 7500 consumers and 1050 IT security professionals across 15 counties, as well as 135 million simulated phishing attacks and over 18 million emails reported by customer end users over the past year.
Researchers at the Anhlab Security Emergency Response Center observed a new technique applied in the ChromeLoader browser hijacking and adware campaign, which now employs VHD files titled after popular games.
Mass media and publishing giant News Corporation (News Corp) says that attackers behind a breach disclosed in 2022 first gained access to its systems two years before, in February 2020. This was revealed in data breach notification letters sent to employees affected by the data breach, who had some of their personal and health information accessed, while the threat actors had access to an email and document storage system used by several News Corp businesses. The incident affected multiple news arms of the publishing conglomerate, including The Wall Street Journal, the New York Post, and its U.K. news operations.
A threat actor has been targeting government entities with PureCrypter malware downloader that has been seen delivering multiple information stealers and ransomware strains. Researchers at Menlo Security discovered that the threat actor used Discord to host the initial payload and compromised a non-profit organization to store additional hosts used in the campaign.’The campaign was found to have delivered several types of malware including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware,’ the researchers say. According to the researchers, the observed PureCrypter campaign targeted multiple government organization in the Asia-Pacific (APAC) and North America regions.
Organizations around the world are once again learning the risks of not installing security updates as multiple threat actors race to exploit two recently patched vulnerabilities that allow them to infect some of the most critical parts of a protected network.
Russian hackers breached and modified several Ukrainian state websites on Thursday morning using a backdoor planted nearly two years ago. The incident did not cause significant disruption, says the State Service of Special Communications and Information Protection of Ukraine. But discovery of an encrypted web shell created no later than Dec. 23, 2021, hiding on the server of an official website led to an investigation revealing several additional backdoors.
Numerous amount of malicious libraries were discovered by researchers at Reversing Labs on the Python PyPi repository. "According to an advisory published Wednesday by Lucija Valentic, a software threat researcher at ReversingLabs, most of the discovered files were malicious packages posing as HTTP libraries. "The descriptions for these packages, for the most part, don't hint at their malicious intent," Valentic explained. "Some are disguised as real libraries and make flattering comparisons between their capabilities and those of known, legitimate HTTP libraries." In particular, the ReversingLabs spotted 41 malicious PyPI packages, which the security researchers divided into two types.
The Computer Emergency Response Team of Ukraine (CERT-UA) says Russian state hackers have breached multiple government websites this week using backdoors planted as far back as December 2021. CERT-UA spotted the attacks after discovering a web shell on Thursday morning on one of the hacked websites that the threat actors (tracked as UAC-0056, Ember Bear, or Lorec53) used to install additional malware. This web shell was created in December 2021 and was used to deploy CredPump, HoaxPen, and HoaxApe backdoors one year ago, in February 2022, according to CERT-UA. The threat actors also used the GOST (Go Simple Tunnel) and the Ngrok tools during the early stages of their attack to deploy the HoaxPen backdoor.
Canada's second-largest telecom, TELUS, is investigating a potential data breach after a threat actor shared samples online of what appears to be employee data. The threat actor subsequently posted screenshots that apparently show private source code repositories and payroll records held by the company.TELUS has so far not found evidence of corporate or retail customer data being stolen and continues to monitor the potential incident. On February 17, a threat actor put up what they claim to be TELUS' employee list (comprising names and email addresses) for sale on a data breach forum.
Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023. Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers. As many as 24 different products, including Access Manager Plus, ADManager Plus, ADSelfService Plus, Password Manager Pro, Remote Access Plus, and Remote Monitoring and Management (RMM), are affected by the issue.
Microsoft says admins should remove some previously recommended antivirus exclusions for Exchange servers to boost the servers' security. As the company explained, exclusions targeting the Temporary ASP[.]NET Files and Inetsrv folders and the PowerShell and w3wp processes are not required since they're no longer affecting stability or performance. However, admins should make a point out of scanning these locations and processes because they're often abused in attacks to deploy malware.
Symantec Researchers have been tracking a hacking group dubbed Clasiopa. The threat actors have been targeting entities in the materials research sector by employing a remote access trojan called Atharvan. Currently, there is no indication of an initial access vector. However, "Symantec researchers found hints suggesting that Clasiopa uses brute force to gain access to public-facing servers.
A new backdoor associated with a malware downloader named Wslink has been discovered, with the tool likely used by the notorious North Korea-aligned Lazarus Group, new findings reveal. The payload, dubbed WinorDLL64 by ESET, is a fully-featured implant that can exfiltrate, overwrite, and delete files; execute PowerShell commands; and obtain comprehensive information about the underlying machine. Its other features comprise listing active sessions, creating and terminating processes, enumerating drives, and compressing directories.
Dole Food Company, one of the world’ largest producers and distributors of fresh fruit and vegetables, has announced that it is dealing with a ransomware attack that impacted its operations. There are few details at the moment and the company is currently investigating "the scope of the incident," noting that the impact is limited. The company employs around 38,000 people and has an annual revenue of $6.5 billion. In a statement on its website, Dole says that it has already engaged with third-party experts who help with the remediation and security of impacted systems.
Research revealed numerous high-severity/critical vulnerabilities hidden in hundreds of popular container images, downloaded billions of times collectively. This includes high-profile vulnerabilities with publicly known exploits. Some of the hidden vulnerabilities are known to be actively exploited in the wild and are part of the CISA known used vulnerabilities catalog, including CVE-2021-42013, CVE-2021-41773, and CVE-2019-17558.
The U.S. National Security Agency (NSA) has issued guidance to help remote workers secure their home networks and defend their devices from attacks. The guide published by the Defense Department's intelligence agency on Wednesday includes a long list of recommendations, including a short list of highlights urging teleworkers to ensure their devices and software are up to date.
Researchers have discovered six vulnerabilities on macOS and iOS and a new bug class. The new class of privilege escalation bugs, stems from the ForcedEntry attack, which abused a feature of macOS and iOS to distribute Pegasus Malware. The bugs include, various zero-day vulnerabilities similar to the ones exploited in the previous ForcedEntry attack. The bugs allow bypassing code signing to execute arbitrary code in several platforms, leading to escalation of privileges and sandbox escape on macOS and iOs. The CVSS scores of the vulnerabilities range between 5.1 and 7.1.
CISA has added three new vulnerabilities to their Known Exploited Vulnerabilities Catalog. One of which resides in IBM’s Aspera Faspex, and two others in Mitel’s MiVoice.
Shipping companies and medical laboratories in Asia have been the subject of a suspected espionage campaign carried out by a never-before-seen threat actor dubbed Hydrochasma. The activity, which has been ongoing since October 2022, "relies exclusively on publicly available and living-off-the-land tools," Symantec, by Broadcom Software, said in a report shared with The Hacker News. There is no evidence available as yet to determine its origin or affiliation with known threat actors, but the cybersecurity company said the group may be having an interest in industry verticals that are involved in COVID-19-related treatments or vaccines.
Yesterday, VMware patched a critical security vulnerability impacting its Carbon Black App Control product. Tracked as CVE-2023-20858 (CVSS score: 9.1), the flaw was discovered and disclosed to VMware by bug bounty hunter, Jari Jääskelä (@JJaaskela), and impacts App Control versions 8.7.x, 8.8.x, and 8.9.x. According to VMware, “a malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system.
Samsung announced the implementation of a new security feature called Message Guard that aims at protecting users from malicious code that can be installed via zero-click attacks. Zero-click exploits allow attackers to compromise the target device without any user interaction, for example, a threat actor can exploit a zero-day issue by sending an image to the victims.
Norwegian authorities confiscated crypto assets worth nearly $5.68 million tied to the 2022 Ronin cryptocurrency bridge hack by North Korean state threat actor Lazarus Group. Norway's National Authority for Investigation and Prosecution of Economic and Environmental Crime - in Norwegian, it's known as the Økokrim - on Thursday revealed it had retrieved a part of the hacked amount from the Ronin attackers, who in March 2022 stole $620 million worth of cryptocurrency.
The upgraded version of HardBit ransomware attempts to broker a ransom payment covered by its victim's insurance. Once on the victim's system, the threat group will drop a note that does not inform the entities how much the hackers want in exchange for the decryption key. Instead, victims get 48 hours to contact the attacker over an open-sourced encryption peer-to-peer messaging app. However, the ransomware gang employs complex instructions for companies that possess cyber insurance. The ransomware group explains that sneaky insurance providers advise entities to keep their premiums a secret to derail negotiations and never pay the maximum amount of ransom leaving the companies to deal with cyber criminals. Further, the note clarifies that if the victim shares their insurance information with the HardBit ransomware group, it benefits both the ransomware group and the victim. The benefit described by HardBit is that if they knew exact insurance details, they could ask the insurer for said amount, and the insurance agent would be required to cover it.
A new information stealer called Stealc that's being advertised on the dark web could emerge as a worthy competitor to other malware of its ilk. ‘The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars, and RedLine stealers,’ SEKOIA said in a Monday report. The French cybersecurity company said it discovered more than 40 Stealc samples distributed in the wild and 35 active command-and-control (C2) servers, suggesting that the malware is already gaining traction among criminal groups.
A sophisticated botnet known as MyloBot has compromised thousands of systems, with most of them located in India, the U.S., Indonesia, and Iran. That's according to new findings from BitSight, which said it's "currently seeing more than 50,000 unique infected systems every day," down from a high of 250,000 unique hosts in 2020. Furthermore, an analysis of MyloBot's infrastructure has found connections to a residential proxy service called BHProxies, indicating that the compromised machines are being used by the latter.
Cybersecurity researchers have discovered a new malware that leverages a legitimate feature of Microsoft’s Internet Information Services (IIS) to install a backdoor in targeted systems. According to an advisory published last Thursday by Symantec, the malware, dubbed "Frebniis," was used by a previously unknown threat actor against targets in Taiwan.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four security vulnerabilities exploited in attacks as zero-day to its list of bugs known to be abused in the wild. Two of them impact Microsoft products and allows attackers to gain remote code execution (CVE-2023-21823) and escalate privileges (CVE-2023-23376) on unpatched Windows systems by abusing flaws in the Common Log File System Driver and graphics components. A third one (CVE-2023-21715) can be exploited to bypass Microsoft Office macro policies to deliver malicious payloads via untrusted files.
Researchers have discovered a new malware dubbed Frebniiss on Microsoft's Internet Information Services. Symantec's Threat Hunter team observed the malware and found an unknown threat actor utilizing the malware against Taiwan-based targets. "In the attacks seen by Symantec, the hackers abuse an IIS feature called 'Failed Request Event Buffering' (FREB), responsible for collecting request metadata (IP address, HTTP headers, cookies). Its purpose is to help server admins troubleshoot unexpected HTTP status codes or request processing problems. The malware injects malicious code into a specific function of a DLL file that controls FREB ("iisfreb[.]dll") to enable the attacker to intercept and monitor all HTTP POST requests sent to the ISS server. When the malware detects specific HTTP requests the attacker sends, it parses the request to determine what commands to execute on the server.
A hacking group known as SiegedSec recently leaked data on Telegram, claiming to have stolen it from Atlassian, a software company based in Australia. “We are leaking thousands of employee records as well as a few building floorplans. These employee records contain email addresses, phone numbers, names, and lots more~!,” stated the hackers on Telegram. Shortly after, Atlassian stated that one of its third-party vendors, Envoy, was breached, which the company uses for in-office functions.
Yesterday, Fortinet released security updates to address two critical vulnerabilities in its FortiNAC and FortiWeb products that could enable unauthenticated threat actors to perform arbitrary code or command execution. The first flaw, tracked as CVE-2022-39952 (CVSS 9.8), impacts FortiNAC, a network access control solution that organizations use to gain real-time network visibility, enforce security policies, and detect/mitigate threats.
A new Mirai botnet variant tracked as ‘V3G4’ targets 13 vulnerabilities in Linux-based servers and IoT devices to use in DDoS (distributed denial of service) attacks. The malware spreads by brute-forcing weak or default telnet/SSH credentials and exploiting hardcoded flaws to perform remote code execution on the target devices. Once a device is breached, the malware infects it and recruits it into its botnet swarm.
The LockBit ransomware group has published a log of their negotiations with Royal Mail. Royal Mail fell victim to LockBit's attack on January 7, 2023. However, the mail delivery service refused to pay the ransom demand of 65.7 million euros. The conversations display LockBit operators attempting to persuade Royal Mail to pay the ransom by using various techniques.
Chinese-speaking individuals in Southeast and East Asia are the targets of a new rogue Google Ads campaign that delivers remote access trojans such as FatalRAT to compromised machines. The attacks involve purchasing ad slots to appear in Google search results that direct users searching for popular applications to rogue websites hosting trojanized installers, ESET said in a report published today. The ads have since been taken down. Some of the spoofed applications include Google Chrome, Mozilla Firefox, Telegram, WhatsApp, LINE, Signal, Skype, Electrum, Sogou Pinyin Method, Youdao, and WPS Office.
Citrix recently addressed several vulnerabilities in its Virtual Apps and Desktops, and Workspace App products. In total, patches were released for four vulnerabilities, all of which have been rated high in severity. Successful exploitation of the flaws could potentially enable threat actors with local access to the targeted system to elevate their privileges and take complete control over the system.
Russian national Vladislav Klyushin was found guilty of participating in a global scheme that involved hacking into U.S. computer networks to steal confidential earnings reports, which helped the criminals net $90,000,000 in illegal profits. Klyushin was extradited to the U.S. in December 2021 to face charges of hacking into the systems of two U.S.-based filing agents that American companies used to file earnings reports through the Securities and Exchange Commissions (SEC) system.
A vulnerability has been identified that, if exploited, could result in a local user elevating their privilege level to NT AUTHORITY\SYSTEM on a Citrix Virtual Apps and Desktops Windows VDA.
Security researchers have warned that a growing number of versatile malware variants are capable of performing multiple malicious actions across the cyber-kill chain. Picus Security compiled its Red Report 2023 by analyzing over 500,000 malware samples last year, identifying their tactics, techniques and procedures (TTPs) and extracting over 5.3 million “actions.”
A North Korean hacking group known as APT37, Red Eyes, or StarCruft has implemented a new M2RAT malware and uses steganography for intelligence collection. Researchers at the AnhLab Security Emergency Response Center (ASEC) explained that the M2RAT uses a shared memory section for command and data exfiltration while leaving few operational traces on the compromised machine.
On Feb 1, 2023, the following vulnerability in the ClamAV scanning library was disclosed: A vulnerability in the HFS+ partition file parser of ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier could allow an unauthenticated, remote attacker to execute arbitrary code.
A new stealthy malware named 'Beep' was discovered last week, featuring many features to evade analysis and detection by security software. The malware was discovered by analysts at Minerva after a flurry of samples were uploaded to VirusTotal, an online platform for file scanning and malicious content detection. Although Beep is still in development and missing several key features, it currently allows threat actors to download and execute further payloads on compromised devices remotely.
Intel recently released patches for dozens of vulnerabilities impacting its products, including a critical flaw that was identified last year. Tracked as CVE-2021-39296, this flaw has been rated a 10 on the CVSS scale and impacts the Integrated Baseboard Management Controller (BMC) and OpenBMC firmware of several Intel platforms. In particular CVE-2021-39296 affects the netipmid (IPMI Ian+) interface and could enable a threat actor to obtain root access to the BMC by bypassing authentication via specially crafted IPMI messages. Also addressed in BMC and OpenBMC firmware are four other vulnerabilities including a high-severity out-of-bounds read issue that could cause denial of service on the impacted device. Intel says it has fixed these issues in the latest releases of Integrated BMC firmware versions 2.86, 2.09 and 2.78, and OpenBMC firmware versions 0.72, wht-1.01-61, and egs-0.91-179.
Yesterday was Microsoft's February 2023 Patch Tuesday; security updates corrected three actively exploited zero-day vulnerabilities and a total of 77 flaws. Nine vulnerabilities were classified as 'Critical' as they could result in remote code execution if leveraged by an attacker. Although some of the vulnerabilities were classified as more severe than others, successful exploitation of those listed could have a diverse range of effects. As reported by the tech giant, the vulnerabilities, if utilized, could have an impact equivalent to Denial of Service, Remote Code Execution, Privilege Escalation, or a combination of all three.
Security researchers have discovered dozens of new regional targets and new cyber-attack tools linked to Indian APT group SideWinder. The suspected state-sponsored group – also known as Rattlesnake, Hardcore Nationalist (HN2) and T-APT4 – comes under the spotlight in a new report from Group-IB, Old snake, new skin: Analysis of SideWinder APT activity between June and November 2021
Hackers conducting a new financially motivated campaign are using a variant of the Xortist commodity ransomware named 'MortalKombat,' together with the Laplas clipper in cyberattacks. Both malware infections are used to conduct financial fraud, with the ransomware used to extort victims to receive a decryptor and Laplas to steal cryptocurrency by hijacking crypto transactions. Laplas is a cryptocurrency hijacker released last year that monitors the Windows clipboard for crypto addresses and, when found, substitutes them for addresses under the attacker's control. As for MortalKombat, Cisco Talos says the new ransomware is based on the Xorist commodity ransomware family, which utilizes a builder that lets threat actors customize the malware. Xorist has been decryptable for free since 2016
Yesterday, Apple released fixes to address a new actively exploited zero-day flaw being used to target impacted iPhones, iPads, and Macs. Tracked as CVE-2023-23529, the vulnerability is related to a WebKit confusion issue that can allow a threat actor to trigger OS crashes and obtain code execution on compromised devices.
This weekend, Cloudflare blocked what it describes as the largest volumetric distributed denial-of-service (DDoS) attack to date. The company said it detected and mitigated not just one but a wave of dozens of hyper-volumetric DDoS attacks targeting its customers over the weekend, The majority of attacks peaked in the ballpark of 50-70 million requests per second (rps) with the largest exceeding 71 million rps. This is the largest reported HTTP DDoS attack on record, more than 35% higher than the previous reported record of 46M rps in June 2022. The attacks were launched using over 30,000 IP addresses from multiple cloud providers against various targets, including gaming providers, cloud computing platforms, cryptocurrency firms, and hosting providers.
The Lazarus Group is responsible for $100 million in stolen Bitcoin through the implementation of; a crypto-mixing service dubbed Sinbad. Sinbad is a custodial mixer meaning "that all cryptocurrency that goes into the service is under the control of the operator; so owners have sufficient confidence to give up command of their funds.
The U.S. Federal Trade Commission (FTC) says Americans once again reported record losses of $1.3 billion to romance scams in 2022, with median losses of $4,400. According to previous FTC's Consumer Sentinel Network (Sentinel) sources, Americans have also reported losing $493 million in 2019, $730 million in 2020, and $1.3 billion throughout 2021
The City of Oakland; was hit by a ransomware attack on Wednesday night. The ransomware group responsible for the attack is currently unknown. However, as a consequence of the incident, the City of Oakland was forced to shut down its systems. The attack has not influenced the city's core services. Additionally, all emergency services are working as expected. The City's Information Technology Department is collaborating with law enforcement to investigate the attack and reinstate services affected by the assault. The city stated that they are organizing a response plan to address the issue, and the public should expect delays from the City of Oakland; in the meantime.
Domain registrar Namecheap had their email account breached Sunday night, causing a flood of MetaMask and DHL phishing emails that attempted to steal recipients' personal information and cryptocurrency wallets. The phishing campaigns started around 4:30 PM ET and originated from SendGrid, an email platform used historically by Namecheap to send renewal notices and marketing emails. After recipients began complaining on Twitter, Namecheap CEO Richard Kirkendall confirmed that the account was compromised and that they disabled email through SendGrid while they investigated the issue. Kirkendall also said that they believe the breach may be related to a December CloudSek report on the API keys of Mailgun, MailChimp, and SendGrid being exposed in mobile apps.
According to a new blog post published by Group-IB, the cybersecurity firm has been the target of several attacks carried out by the Tonto team, an advanced persistent threat group suspected to be of Chinese origin. Tonto Team, also known as Bronze Huntley, Cactus Pete, Earth Akhlut, Karma Panda, and UAC-0018, has been around since 2009. The group is known for targeting military, diplomatic, and infrastructure entities in Asia and Eastern Europe.
Five malicious packages were found on the Python Package Index (PyPI), stealing passwords, Discord authentication cookies, and cryptocurrency wallets from unsuspecting developers. PyPI is a software repository for packages created in the Python programming language. As the index hosts 200,000 packages, it allows developers to find existing packages that satisfy various project requirements, saving time and effort. Between January 27 and January 29, 2023, a threat actor uploaded five malicious packages containing the 'W4SP Stealer' information-stealing malware to PyPi. While the packages have since been removed, they have already been downloaded by hundreds of software developers.
Pro-Russia hacker group Killnet launched a Distributed Denial of Service (DDoS) attack on NATO sites, including the NATO Special Operations Headquarters (NSHQ) website. The attack was confirmed by NATO, while the hacker group announced the attack on its Telegram. NATO said in a statement, “NATO cyber experts are actively addressing an incident affecting some NATO websites. NATO deals with cyber incidents on a regular basis, and takes cyber security very seriously.
A new threat actor is targeting the United States and Germany with new malware that encases the capability to perform surveillance and data theft on compromised systems. The cybercriminal; is recognized as TA866. Researchers at Proofpoint observed activity by TA866 in October 2022. However, TA866 is still active in 2023. The cybercriminal lures victims using phishing emails. The emails "include Microsoft Publisher (.pub) attachments with malicious macros, URLs linking to .pub files with macros, or PDFs containing URLs that download dangerous JavaScript files.
According to a joint advisory released yesterday by US and South Korean cybersecurity and intelligence agencies, North Korean state-backed actors are conducting ransomware attacks against healthcare and critical infrastructure facilities to fund their illicit activities. The actors are demanding cryptocurrency demands in exchange for recovering access to encrypted files. The funds received from victims in turn are being used to support North Korea’s national-level priorities and objectives, including targeting the United States and South Korean governments such as the Department of Defense Information Networks and Defense Industrial Base member networks. To bring awareness and help organizations defend against similar ransomware attacks, the joint advisory includes common TTPs used by the Democratic People’s Republic of Korea (DPRK) state-sponsored actors as well as relevant Indicators of compromise.
Reddit suffered a cyberattack Sunday evening, allowing hackers to access internal business systems and steal internal documents and source code. According to an alert by the company, threat actors used a phishing lure targeting Reddit employees with a landing page impersonating its intranet website. The site was then used to steal employee’s credentials and two-factor authentication tokens.
A privilege escalation vulnerability has been identified with the SAML implementation in Blue Planet products. If you do not use SAML to access Blue Planet applications, you are not exposed to this vulnerability. This vulnerability is only applicable if you have enabled SAML access on your Blue Planet application. If you are using SAML for authentication, there is a vulnerability, which could be exploited only with access to the Blue Planet application.
A campaign operated by Russian threat actors uses fake job offers to target Eastern Europeans working in the cryptocurrency industry, aiming to infect them with a modified version of the Stealerium malware named 'Enigma.' According to Trend Micro, which has been tracking the malicious activity, the threat actors use a set of heavily obfuscated loaders that exploits an old Intel driver flaw to reduce the token integrity of Microsoft Defender and bypass protections. The attacks start with an email pretending to be a job offer with fake cryptocurrency interviews to lure their targets. The emails have a RAR archive attachment which contains a TXT ("interview questions.txt") and an executable ("interview conditions.word.exe").
A wave of denial-of-service attacks has targeted the Tor Network since July 2022. Since then, users have been experiencing connectivity and performance issues. Some users report being unable to load pages or access onion services. The Tor Network team is adjusting network defenses to address the ongoing matter. The Tor Network is adding two new members to focus on .onion services. Furthermore, Tor Project's executive director Isabela Dias Fernandez has stated that the Network's team is choosing to limit public information on the nature of the attacks for now and clarified that their services have not been down, just slow; and that user experiences vary from person to person.
VMware on Monday said it found no evidence that threat actors are leveraging an unknown security flaw, i.e., a zero-day, in its software as part of an ongoing ransomware attack spree worldwide. ‘Most reports state that End of General Support (EoGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs),’ the virtualization services provider said. The company is further recommending users to upgrade to the latest available supported releases of vSphere components to mitigate known issues and disable the OpenSLP service in ESXi.
Clop ransomware has come out with a new variant specially designed to target Linux Servers. The new variant was spotted in the wild in December 2022 by security researcher Antonis Terefos at SentinelLabs after it was used to target a university in Colombia. Although the new strain is very similar to its Windows counterpart (e.g. same encryption method and almost identical process logic), the Linux variant seems to be in the early stages of development and lacks features, including proper obfuscation and evasiveness mechanisms, making it possible for victims to retrieve their files without paying any ransom demands.
OpenSSL recently fixed several security flaws in its open-source cryptographic library, including 1 type confusion bug rated high in severity vulnerability as well as 7 other vulnerabilities that have been rated medium in severity. The type confusion bug is being tracked as CVE-2023-0236 and can allow attackers to read memory contents or enact a denial of service. “The vulnerability is rooted in the way the popular cryptographic library handles X.509 certificates, and is likely to impact only those applications that have a custom implementation for retrieving a certificate revocation list (CRL) over a network.
The United States and the United Kingdom have sanctioned seven Russian individuals for their involvement in the TrickBot cybercrime group, whose malware was used to support attacks by the Conti and Ryuk ransomware operation. The sanctions come after a massive trove of internal conversations, and personal information was leaked from Conti and TrickBot members in what was called the ContiLeaks and TrickLeaks. While the ContiLeaks focused more on leaking internal conversations and source code, the TrickLeaks went one step further, with the identities, online accounts, and personal information of TrickBot members publicly leaked on Twitter. These data breaches ultimately led to the Conti gang shutting down their operation and their members starting new ransomware operations or joining existing ones.
The National Institute of Standards and Technology (NIST) announced that ASCON is the winning bid for the "lightweight cryptography" program to find the best algorithm to protect small IoT (Internet of Things) devices with limited hardware resources. Small IoT devices are those often found in wearable technologies, smart home applications, and more. Due to their size, they have limited hardware resources to handle robust encryption standards. While the devices, may lack hardware, they are often used to store and handle sensitive personal information such as health and financial details. NIST was looking to implement a standard for encrypting data on these devices, which have very little computational power.
Unfortunately, a second ESXiArgs ransomware wave started today and includes a modified encryption routine that encrypts far more data in large files. BleepingComputer first learned of the second wave after an admin posted in the ESXiArgs support topic stating that their server was encrypted and could not be recovered using the methods that had worked previously. Preliminary reports indicated that the devices were breached using old VMware SLP vulnerabilities. However, some victims have stated that SLP was disabled on their devices and were still breached and encrypted.
A new Qbot malware campaign has emerged. "Qbot (aka QakBot) is a former banking trojan that evolved into malware that specializes in gaining initial access to devices, enabling threat actors to load additional malware on the compromised machines and perform data-stealing, ransomware, or other activities across an entire network.
On February 7, Google announced the promotion of Chrome 110 to the stable channel for Windows, Mac, and Linux, addressing a total of 15 security flaws, 10 of which were uncovered and brought to attention by external researchers. Three of the vulnerabilities have been rated high in severity and relate to a type confusion flaw in the V8 engine (CVE-2023-0696), an inappropriate implementation issue in full screen mode (CVE-2023-0697), and an out-of-bounds read vulnerability in WebRTC (CVE-2023-0698). CVE-2023-0696 can allow a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2023-0697 could enable a remote attacker to use a crafted HTML page to spoof the contents of the security UI while the third vulnerability (CVE-2023-0698) can be exploited to perform an out of bounds memory read.
The Russian hacking group known as 'Nodaria' (UAC-0056) is using a new information-stealing malware called 'Graphiron' to steal data from Ukrainian organizations. The Go-based malware can harvest a wide range of information, including account credentials, system, and app data. The malware will also capture screenshots and exfiltrate files from compromised machines. Symantec's threat research team discovered that Nodaria has been using Graphiron in attacks since at least October 2022 through mid-January 2023.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a script to recover VMware ESXi servers encrypted by the recent widespread ESXiArgs ransomware attacks. Starting last Friday, exposed VMware ESXi servers were targeted in a widespread ESXiArgs ransomware attack. Since then, the attacks encrypted 2,800 servers according to a list of bitcoin addresses collected by CISA technical advisor Jack Cable. While many devices were encrypted, the campaign was largely unsuccessful as the threat actors failed to encrypt flat files, where the data for virtual disks are stored.
Recorded business email compromise (BEC) attacks increased by more than 81% during 2022 and by 175% over the past two years, with open rates on malicious emails also surging, according to Abnormal Security. The security vendor analyzed data from its customers to help compile its H1 2023 threat report, Read Alert.
The massive trove of data was leaked by an affiliate of the Anonymous group called Caxxii. The stolen documents contain evidence of a dragnet surveillance activity conducted by the Federal Security Service (FSB), headquartered in Moscow. The Russian government is said to monitor its citizens and private organizations across the country illegally. A Russian-based organization known as ‘Convex’ launched a project code-named ‘Green Atom’ whose overall goal was to spy on Russian citizens through unauthorized wiretapping, espionage, and warrantless surveillance of citizens.
The notorious ransomware gang LockBit has claimed another victim. On February 6, 2022, the threat actors published Royal Mail to their data leak site. The attack has led the UK-based mail delivery service to halt international shipping services due to a severe service disruption. "This comes after LockBitSupport, the ransomware gang public-facing representative, previously told BleepingComputer that the LockBit cybercrime group did not attack Royal Mail. Instead, they blamed the attack on other threat actors using the LockBit 3.0 ransomware builder that was leaked on Twitter in September 2022.
A new hacking campaign exploits Sunlogin flaws to deploy the Sliver post-exploitation toolkit and launch Windows Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security software. Sliver is a post-exploitation toolkit created by Bishop Fox that threat actors began using as a Cobalt Strike alternative last summer, employing it for network surveillance, command execution, reflective DLL loading, session spawning, process manipulation, and more.
The New York attorney general's office has announced a $410,000 fine for a stalker developer who used 16 companies to promote surveillance tools illegally. Patrick Hinchy, the spyware vendor, also agreed to alert his customers' victims that their phones are being secretly monitored using one of his multiple apps, including Auto Forward, Easy Spy, DDI Utilities, Highster Mobile, PhoneSpector, Surepoint, or TurboSpy.
Microsoft’s Digital Threat Analysis Center (DTAC) attributes a recent cyberattacks against the satirical French magazine Charlie Hebdo to an Iran-linked threat actor tracked as NEPTUNIUM (aka Emennet Pasargad, Holy Souls). The attack is a retaliation for the initiative of Charlie Hebdo of launching a cartoon contest to mock Iran’s ruling cleric.
A malicious campaign targeting organizations in the Middle East with a new backdoor malware has been spotted by security researchers. Describing the activity in a Thursday advisory, Trend Micro researchers Mohamed Fahmy, Sherif Magdy and Mahmoud Zohdy have attributed it to the advanced persistent threat (APT) group the company refers to as APT34.
Royal Ransomware group has come out with a new variant designed to encrypt Linux devices, specifically targeting VMware ESXI virtual machines. According to security researcher, Will Thomas, who uncovered the new strain, Royal’s encryptor now supports multiple flags giving operators control over the encryption process: stopvm > stops all running VMs so they can be encrypted vmonly - Only encrypt virtual machines fork - unknown logs - unknown id: id must be 32 characters VM files encrypted with the new variant are appended with the “.royal_u extension. As of writing, less than 50% of malware scanning engines on VirusTotal are capable of detecting the strain.
A new DDoS-as-a-Service (DDoSaaS) platform named 'Passion' was seen used in recent attacks by pro-Russian hacktivists against medical institutions in the United States and Europe. DDoSaaS platforms rent their available firepower to those looking to launch disruptive attacks on their targets, absolving them from the need to build their own large botnets or coordinate volunteer action. Typically, these botnets are built by compromising vulnerable IoT devices such as routers and IP cameras, uniting them under a large swarm that generates malicious requests toward a particular target. Radware discovered the Passion platform, and although its origins are unknown, the operation has distinctive ties with Russian hacking groups, such as Killnet, MIRAI, Venom, and Anonymous Russia. "The Passion Botnet was leveraged during the attacks on January 27th, targeting medical institutions in the USA, Portugal, Spain, Germany, Poland, Finland, Norway, Netherlands, and the United Kingdom as retaliation for sending tanks in support of Ukraine," said Radware researchers.
A new ransomware operation; was discovered. The ransomware is known as Nevada. Researchers have observed the variants evolving capabilities, such as targeting Windows and VMware ESXi systems. Nevada ransomware started to be promoted on the RAMP darknet forums on December 10, 2022, inviting Russian and Chinese-speaking cybercriminals to join it for an 85% cut from paid ransoms. For those affiliates who bring in a lot of victims, Nevada says they will increase their revenue share to 90%. RAMP has been previously reported as a space where Russian and Chinese hackers promote their cybercrime operations or communicate with peers.
The LockBit ransomware gang has again started using encryptors based on other operations, this time switching to one based on the leaked source code for the Conti ransomware. Since its launch, the LockBit operation has gone through numerous iterations of its encryptor, starting with a custom one and moving to LockBit 3.0 (aka LockBit Black), which is derived from the BlackMatter gang's source code. This week, cybersecurity collective VX-Underground first reported that the ransomware gang is now using a new encryptor named 'LockBit Green,' based on the leaked source code of the now-disbanded Conti gang.
A new attack campaign has been targeting the gaming and gambling sectors since at least September 2022, just as the ICE London 2023 gaming industry trade fair event is scheduled to kick off next week. Israeli cybersecurity company Security Joes is tracking the activity cluster under the name Ice Breaker, stating the intrusions employ clever social engineering tactics to deploy a JavaScript backdoor. The attack sequence proceeds as follows: The threat actor poses as a customer while initiating a conversation with a support agent of a gaming company under the pretext of having account registration issues. The adversary then urges the individual on the other end to open a screenshot image hosted on Dropbox.
Cybersecurity firm WithSecure says it detected a campaign targeting the medical research and energy sectors that came to its attention after endpoint detection scans showed a Cobalt Strike beacon on a customer's servers connecting to known threat actor IP addresses. Researchers from the Finnish company dub the campaign "No Pineapple," taking the lead of a fruit-loving software developer of a remote access Trojan called acres.exe deployed by the hackers. The tool truncates data exfiltration messages greater than 1,024 bytes with the message "No Pineapple!
The LockBit ransomware gang has claimed responsibility for the cyberattack on ION Group, a UK-based software company whose products are used by financial institutions, banks, and corporations for trading, investment management, and market analytics. Back on January 31, 2023, the firm released a statement saying a cyber incident had impacted ION Cleared Derivatives, a division of ION Markets. “The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing. Further updates will be posted when available” - ION Group.
ESET uncovered yet another wiper malware strain , dubbed NikoWiper, used by Russia affiliated Sandworm to attack a energy sector company in Ukraine, on October 2022. Not much is known about NikoWiper besides the fact that it is based on SDelete, a command line utility from Microsoft that is used for securely deleting files. According to researchers, the attack on the company took place around the same time as when Russian armed forces targeted Ukrainian energy infrastructure with missile strikes.
Researchers have discovered a new exploit dubbed Sh1mmer. The exploit allows users to install and bypass device restrictions by unenrolling in an enterprise-managed Chromebook. "The exploit requires a publicly leaked RMA shim that the Sh1mmer exploit will modify to allow users to manage the device's enrollment. The researchers say that the following Chromebook boards are known to have publicly released RMA shims brask, brya, clapper, coral, dedede, enguarde, glimmer, grunt, hana, hatch, jacuzzi, kukui, nami, octopus, orco, pyro, reks, sentry, stout, strongbad, tidus, ultima, volteer, zork. For those unfamiliar with RMA shims, they are disk images stored on USB devices that contain a combination of the ChromOS factory bundle components used to reinstall the operating system and manufacturer tools used to perform repair and diagnostics."
Marking an end to an era, Microsoft is no longer directly selling Windows 10 product keys on their website, instead redirecting users to Windows 11 product pages. This month, Microsoft began displaying an alert on their Windows 10 Home and Pro product pages, warning customers that January 31st would be the last day to purchase a license.
Microsoft revealed today that its security teams are tracking over 100 threat actors deploying ransomware during attacks. In all, the company says it monitors over 50 unique ransomware families that were actively used until the end of last year. "Some of the most prominent ransomware payloads in recent campaigns include Lockbit Black, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, & Royal," Microsoft said.
QNAP recently released firmware updates to address a critical security vulnerability that could enable remote attackers to inject malicious code on QNAP NAS devices. Tracked as CVE-2022-27596, the flaw impacts QTS 5.0.1 and QuTS hero h5.0.1 versions of the operating system. According to the networking hardware company, the bug is related to a SQL injection flaw that could be exploited by threat actors to send specially crafted requests on vulnerable devices and modify legitimate SQL queries. QNAP says this flaw can be exploited in low-complexity attacks and does not require user interaction or privileges on the targeted devices.
Porsche, the German automobile manufacturer specializing in high-performance vehicles, halted their anticipated NFT launch. The vehicle manufacturer produced its first NFT mint on January 23, 2023. A digital replica of one of their renowned 911 car, the ETH value on the NFT was around $1,500. Additionally, Porsche promised their NFT community 7,500 NFTs in their new collection.
The IT-ISAC operations team informed the membership of an ongoing bug in VMWare products. Fortunately, the company quickly acknowledged and released patches to address four security vulnerabilities in its vRealize log analysis tool last week. Two of these were rated critical in terms of severity using the CVSS scale, as successful exploitation could allow attackers to execute code remotely on compromised devices.
Malicious third-party OAuth apps with an evident “Publisher identity verified” badge have been used by unknown attackers to target organizations in the UK and Ireland, Microsoft has shared. The attacks were first spotted by Proofpoint researchers in early December 2022, and involved three rogue apps impersonating SSO and online meeting apps. Targets in these organizations who have fallen for the trick effectively allowed these rogue apps to access to their O365 email accounts and infiltrate organizations’ cloud environments” (Help Net Security, 2023). “The potential impact to organizations includes compromised user accounts, data exfiltration, brand abuse of impersonated organizations, business email compromise (BEC) fraud, and mailbox abuse,” Proofpoint researchers explained.
Recently, in the Android app store, there has been an uptick in downloading activity-tracking applications. The applications advertise themselves as health-tracking apps such as pedometers, good-habit building apps, and health apps. These apps incentivize users to reach their goals on the app by promising users rewards. "According to a report by the Dr. Web antivirus, though, the rewards may be impossible to cash out or are only made available partially after forcing users to watch a large number of advertisements.
(Lucky Step – Walking Tracker – 10 million downloads WalkingJoy – 5 million downloads Lucky Habit: health tracker – 5 million downloads
)
In a recent announcement from the Ukrainian Computer Emergency Response Team (CERT-UA), the agency stated that 5 different wiper malware were deployed on the network of Ukraine’s national news agency (Ukrinform) on January 17th. According to CERT-UA, “5 samples of malicious programs (scripts) were detected, the functionality of which is aimed at violating the integrity and availability of information (writing files/disks with zero bytes/arbitrary data and their subsequent deletion).” The list of wipers deployed includes:
Researchers at Uptycs uncovered a new Golang-based information stealer malware dubbed Titan Stealer which is being advertised by threat actors on Telegram. Titan Stealer is being advertised as a builder, enabling buyers to customize the malware binary to include specific functionalities and the kind of data to be exfiltrated from victim’s system. According to researchers, Titan Stealer is capable of stealing credentials from browsers and crypto wallets, FTP client details, screenshots, system information, grabbed files, and much more. Browsers targeted by the info stealer include Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, Brave, Vivaldi, 7 Star Browser, Iridium Browser, and others. Titan also targets crypto wallets like Armory, Armory, Bytecoin, Coinomi, Edge Wallet, Ethereum, Exodus, Guarda, Jaxx Liberty, and Zcash.
Microsoft says this week's five-hour-long Microsoft 365 worldwide outage was caused by a router IP address change that led to packet forwarding issues between all other routers in its Wide Area Network (WAN). Redmond said that the outage resulted from DNS and WAN networking configuration issues caused by a WAN update and that users across all regions serviced by the impacted infrastructure were having problems accessing the affected Microsoft 365 services. The issue led to service impact in waves, peaking approximately every 30 minutes as shared on the Microsoft Azure service status page (this status page was also affected as it intermittently displayed "504 Gateway Time-out" errors.
Security researchers with Horizon3's Attack Team will release an exploit targeting a vulnerability chain next week for gaining remote code execution on unpatched VMware vRealize Log Insight appliances. Now known as VMware Aria Operations for Logs, vRealize Log Insight makes it easier for VMware admins to analyze and manage terabytes of infrastructure and application logs.
Security researchers discovered a new ransomware strain they named Mimic that leverages the APIs of the 'Everything' file search tool for Windows to look for files targeted for encryption. Discovered in June 2022 by researchers at cybersecurity company Trend Micro, the malware appears to target mainly English and Russian-speaking users. Some of the code in Mimic shares similarities with Conti ransomware, the source of which was leaked in March 2022 by a Ukrainian researcher.
Bitwarden and other password managers are being targeted in Google ads phishing campaigns to steal users' password vault credentials. As the enterprise and consumers move to use unique passwords at every site, it has become essential to use password managers to keep track of all the passwords. However, unless you use a local password manager, like KeePass, most password managers are cloud-based, allowing users to access their passwords through websites and mobile apps. These passwords are stored in the cloud in "password vaults" that keep the data in an encrypted format, usually encrypted using users' master passwords.
Lexmark has released a security firmware update to fix a severe vulnerability that could enable remote code execution (RCE) on more than 100 printer models. The security issue is tracked as CVE-2023-23560 and, according to the company, it has a severity rating of 9.0. It is a server-side request forgery (SSRF) in the Web Services feature of Lexmark devices.
The threat actor known as Cobalt Sapling has been spotted creating a new persona dubbed "Abraham's Ax" to target Saudi Arabia for political leverage. The findings come from cybersecurity experts at Secureworks' Counter Threat Unit (CTU), who published an advisory about the new threat earlier today.
Today, the Hive ransomware Tor payment and data leak sites were seized as part of an international law enforcement operation involving the US Department of Justice, FBI, Secret Service, Europol, and Germany's BKA and Polizei. The seizure notice on the Tor sites also lists a wide range of other countries involved in the law enforcement operation, including Canada, France, Lithuania, Netherlands, Norway, Portugal, Romania, Spain, Sweden, and the United Kingdom. Unlike previous seizure messages used by law enforcement, this image is an animated GIF rotating between a message in English and Russian, likely to be a warning for other ransomware gangs.
Researchers at Akamai published proof-of-concept exploit code for a critical Windows CryptoAPI vulnerability (CVE-2022-34689) discovered by the NSA and U.K.'s NCSC allowing MD5-collision certificate spoofing. “CryptoAPI is the de facto API in Windows for handling anything related to cryptography. In particular, it handles certificates — from reading and parsing them to validating them against verified certificate authorities (CAs). Browsers also use CryptoAPI for TLS certificate validation — a process that results in the lock icon everyone is taught to check.
The IT-ISAC distributed an attachment in our daily report yesterday detailing how threat actors currently use RMM (Remote Monitoring and Management) tools for malicious purposes. CISA discovered malicious activity within the networks of multiple federal civilian executive branch (FCEB) agencies using the EINSTEIN intrusion detection system after releasing a Silent Push report in mid-October 2022.
Palo Alto Networks researchers reported that between August and October 2022 the number of attacks that attempted to exploit a Realtek Jungle SDK RCE (CVE-2021-35394) (CVSS score 9.8) accounted for more than 40% of the total number of attacks (Security Affairs, 2023). “Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called ‘MP Daemon’ that is usually compiled as ‘UDPServer’ binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.” reads the description for this flaw.
Zacks, an investment research company, fell victim to a data breach last year on December 28, 2022. Zack learned that an unknown third party had gained unauthorized access to customer records. They are one of the largest providers of independent stock, ETF, and mutual fund research in the United States. Their services include aiding investors with; stock buying decisions using financial data analytics. The data breach affected 820,000 users. The specific dataset that was apprehended consisted of Zack's Elite customers who joined between November 1999 and February 2005. The information included; in the data set consists of names, addresses, phone numbers, email addresses, and passwords used for Zacks.com. The research firm has found no evidence that any financial data had been; abstracted.
The IT-ISAC distributed an attachment in our daily report yesterday detailing how threat actors currently use RMM (Remote Monitoring and Management) tools for malicious purposes. CISA discovered malicious activity within the networks of multiple federal civilian executive branch (FCEB) agencies using the EINSTEIN intrusion detection system after releasing a Silent Push report in mid-October 2022.
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most powerful of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the user's privileges, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those with administrative user rights.
Researchers have discovered a new advertising campaign. DEV-0569 is responsible. The campaign utilizes Google Ads to spread malware, steal passwords, and breach networks for ransomware attacks. "Over the past couple of weeks, cybersecurity researchers MalwareHunterTeam, Germán Fernández, and Will Dormann have illustrated how Google search results have become a hotbed of malicious advertisements pushing malware. These ads pretend to be websites for popular software programs, like LightShot, Rufus, 7-Zip, FileZilla, LibreOffice, AnyDesk, Awesome Miner, TradingView, WinRAR, and VLC.
On Tuesday, VMware addressed several vulnerabilities impacting its vRealize Log Insight, a log analysis and management tool. Two of the flaws have been rated critical in severity (CVSS: 9.8) and are tracked as CVE-2022-31703 and CVE-2022-31704. CVE-2022-31703 is related to a directory traversal vulnerability that can be leveraged for remote code execution (RCE) by injecting files into the operating system of impacted appliances. The other critical flaw, CVE-2022-31704 relates to a broken access control bug which can also be abused for RCE using a similar method.
A North Korean nation-state group notorious for crypto heists has been attributed to a new wave of malicious email attacks as part of a "sprawling" credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy. The state-aligned threat actor is being tracked by Proofpoint under the name TA444, and by the larger cybersecurity community as APT38, BlueNoroff, Copernicium, and Stardust Chollima. TA444 is ‘utilizing a wider variety of delivery methods and payloads alongside blockchain-related lures, fake job opportunities at prestigious firms, and salary adjustments to ensnare victims,’ the enterprise security firm said in a report.
Apple recently backported fixes for older iPhones and iPads to address a remotely exploitable zero-day vulnerability that was disclosed last month. Tracked as CVE-2022-42856, the vulnerability is related to a type confusion weakness in Apple’s Webkit web browsing engine. A malicious threat can exploit the weakness to perform arbitrary code execution by tricking victims into visiting a maliciously crafted website under the attacker’s control.
The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. Attributed to a cybercrime group tracked as TA542 (aka Gold Crestwood or Mummy Spider), the virus has evolved from a banking trojan to a malware distributor since its first appearance in 2014. The malware-as-a-service (MaaS) is also modular, capable of deploying an array of proprietary and freeware components that can exfiltrate sensitive information from compromised machines and carry out other post-exploitation activities.
Researchers have witnessed a Chinese-speaking hacking group dubbed Dragon Spark. "The attacks are tracked by SentinelLabs, whose researchers report that DragonSpark relies on a little-known open-source tool called SparkRAT to steal sensitive data from compromised systems, execute commands, perform lateral network movement, and more. The threat actors leverage compromised infrastructure in China, Taiwan, and Singapore to launch their attacks, while the intrusion vector observed by SentinelLabs is vulnerable MySQL database servers exposed online.
We reported on this vulnerability throughout the last couple of weeks and urged companies to ensure that they’re patched, as POC was set to be released. CISA added the Zoho ManageEngine remote code execution flaw (CVE-2022-47966) to its Known Exploited Vulnerabilities Catalog. CVE-2022-47966 allows attackers to execute code remotely on vulnerable products without authentications. The bug impacts multiple Zoho products where SAML SSO is enabled in the ManageEngine configurations. The issue also affects products that had the feature enabled in the past. The company addressed the vulnerability on October 27, 2022.
The FanDuel sportsbook and betting site is warning customers that their names and email addresses were exposed in a January 2023 MailChimp security breach, urging users to remain vigilant against phishing emails. On January 13th, MailChimp confirmed they suffered a breach after hackers stole an employee's credentials using a social engineering attack. Using these credentials, the threat actors accessed an internal MailChimp customer support and administration tool to steal the "audience data" for 133 customers.
Over 19,000 end-of-life Cisco VPN routers on the Internet are exposed to attacks targeting a remote command execution exploit chain. By chaining two security flaws disclosed last week, threat actors can bypass authentication (CVE-2023-20025) and execute arbitrary commands (CVE-2023-2002) on the underlying operating system of Cisco Small Business RV016, RV042, RV042G, and RV082 routers.
Last month, Fortinet disclosed a vulnerability in FortiOS SSL-VPN, warning customers to patch their appliances as attackers were observed exploiting it in the wild. The vulnerability tracked as CVE-2022-42475, relates to a heap-based buffer overflow in FortiOS SSL-VPN which could enable unauthenticated threat actors to execute arbitrary code and commands via specifically crafted requests. Fortinet silently fixed the bug in November, but didn’t publicly disclose details of the vulnerability until December. At the time, the company stated that it was aware of active exploitation surrounding this flaw but no further details were provided. Recently, Mandiant released a blog post, stating that suspected Chinese hackers exploited the flaw as a zero-day in December to target a European government and an African MSP and deploy a custom malware, dubbed Boldmove.
The video game developer Riot Games, recognized for publishing games such as League of Legends and Valorant, has been hacked. "The LA-based game publisher disclosed the incident in a Twitter thread on Friday night and promised to keep customers up-to-date with whatever an ongoing investigation discovers. " (Bleeping Computer, 2023). The company has stated that its development environment had been a victim of a social engineering attack. Multiple development teams have confirmed the security breach, including the League of Legends development team and Teamfight Tactics. However, there has been no indication that player data or personal information was compromised. One consequence of the attack; is Riot Games will be unable to release content leading to delays in the anticipated release date of the next major patch. The company's head of studio released a statement explaining that there will be no changes in the release plan of Patch 13.2; however, aspects of Patch 13.2 have the possibility of being moved to Patch 13.3, which debuts on February 8. The league team is attempting to hotfix what they can to deliver the planned and tested balance changes on time.
Over 19,000 end-of-life Cisco VPN routers on the Internet are exposed to attacks targeting a remote command execution exploit chain. By chaining two security flaws disclosed last week, threat actors can bypass authentication (CVE-2023-20025) and execute arbitrary commands (CVE-2023-2002) on the underlying operating system of Cisco Small Business RV016, RV042, RV042G, and RV082 routers.
The Roaming Mantis malware distribution campaign has updated its Android malware to include a DNS changer that modifies DNS settings on vulnerable Wi-Fi routers to spread the infection to other devices. Starting in September 2022, researchers observed the 'Roaming Mantis' credential theft and malware distribution campaign using a new version of the Wroba.o/XLoader Android malware that detects vulnerable Wi-Fi routers based on their model and changes their DNS. The malware then creates an HTTP request to hijack a vulnerable Wi-Fi router's DNS settings, causing connected devices to be rerouted to malicious web pages hosting phishing forms or dropping Android malware.
Yum! Brands, the fast food brand operator of KFC, Pizza Hut, Taco Bell, and The Habit Burger Grill fast-food restaurant chains, has been targeted by a ransomware attack that forced the closure of 300 locations in the United Kingdom. Yum! Brands operates 53,000 restaurants across 155 countries and territories, with over $5 billion in total assets and $1.3 billion in yearly net profit.
A new Android malware named 'Hook' is being sold by cybercriminals, boasting it can remotely take over mobile devices in real-time using VNC (virtual network computing). The new malware is promoted by the creator of Ermac, an Android banking trojan selling for $5,000/month that helps threat actors steal credentials from over 467 banking and crypto apps via overlaid login pages. While the author of Hook claims the new malware was written from scratch, and despite having several additional features compared to Ermac, researchers at ThreatFabric dispute these claims and report seeing extensive code overlaps between the two families. ThreatFabric explains that Hook contains most of Ermac's code base, so it's still a banking trojan. At the same time, it includes several unnecessary parts found in the older strain that indicate it re-used code in bulk.
The FBI has recently warned the public about search engine ads pushing malware disguised as legitimate software – an old tactic that has lately resulted in too many malicious ads served to users searching for software, cracked software, drivers – anything that can be downloaded, really – via Google and Bing. Recently there has been an noticeable uptick in malicious ads being served by popular search engines. Mimicking popular open source tools via typosquatted domains, threat actors are luring victims into search engine ad links. HP threat researcher Patrick Schläpfer says that they have seen “a significant increase in malware distributed through malvertising, with multiple threat actors currently using this technique.
Researchers identified a new phishing campaign known as “Blank Image”. The blank image attack was; observed in the wild. Where the technique used was to conceal empty SVG files inside HTML attachments impersonating DocuSign documents. The phishing email is sent, to proposed victims, as a document from DocuSign. Next, the recipient is; prompted to review and sign the document named "Scanned Remittance Advice[.]htm". However, if the receiver chooses the "View Completed Document" option, they are then directed to a legitimate DocuSign webpage. Be that as it may, if the user sets out to open the HTML attachment, then the ‘Blank Image’ attack commences.
T-Mobile disclosed a new data breach after a threat actor stole the personal information of 37 million current postpaid and prepaid customer accounts through one of its Application Programming Interfaces (APIs). While T-Mobile did not share how their API was exploited, threat actors commonly find flaws that allow them to retrieve data without authenticating first.
Ukraine’s Computer Emergency Response Team recently linked a cyberattack targeting the country’s national news agency (Ukinform) to Sandworm, a group of Russian military hackers. It is currently unknown how the attackers breached the news agency’s network. However after gaining an initial foothold, CaddyWiper, a destructive wiper malware was launched onto the agency’s systems via the Windows group policy (GPO). CERT-U notes this type of attack chain is similar to that of Sandworm, whose activities are linked to the Russian Federation. In April 2022, Sandworm was observed using CaddyWiper against a large Ukrainian energy provider.
The vulnerabilities discovered in the Netcomm routers are a a stack based buffer overflow and an authentication bypass, respectively tracked as CVE-2022-4873 and CVE-2022-4874. Both issues impact the Netcomm router models NF20MESH, NF20, and NL1902 running software versions earlier than R6B035.
Solaris, a large darknet marketplace focused on drugs and illegal substances, has been taken over by a smaller competitor named 'Kraken,' who claims to have hacked it on January 13, 2022. The Tor site of Solaris currently redirects to Kraken, while blockchain monitoring experts at Elliptic report no movements in the cryptocurrency addresses associated with the site after January 13, 2022.
Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers for a decryption key. The availability of a decryptor comes only about half a year after increased activity from BianLian ransomware over the summer of 2022 when the threat group breached multiple high-profile organizations.
A ransomware attack against the maritime software supplier DNV impacted approximately 1,000 vessels. About 1,000 vessels have been impacted by a ransomware attack against DNV, one of the major maritime software suppliers. DNV GL provides solutions and services throughout the life cycle of any vessel, from design and engineering to risk assessment and ship management. The Norwegian company provides services for 13,175 vessels and mobile offshore units (MOUs) amounting to 265.4 million gross tonnes, which represents a global market share of 21%.
In September 2022, Sophos released an advisory warning its customers of a critical remote code execution vulnerability (CVE-2022-3236) impacting its Sophos Firewall Webadmin and User Portal HTTP interfaces. Hotfixes were released in September for the impacted Firewall versions (v19.0 MR1 (19.0.1) and older), with official fixes being issued three months later in December 2022. According to a new report by VulnCheck vulnerability researcher Jacob Baines, out of more than 88,000 instances, around 6% or more than 4,000 are still running versions that haven't received a hotfix and are vulnerable to CVE-2022-3236 attacks.
The threat actor known as BackdoorDiplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022. Palo Alto Networks Unit 42, which is tracking the activity under its constellation-themed moniker Playful Taurus, said it observed the government domains attempting to connect to malware infrastructure previously identified as associated with the adversary. Also known by the names APT15, KeChang, NICKEL, and Vixen Panda, the Chinese APT group has a history of cyber espionage campaigns aimed at government and diplomatic entities across North America, South America, Africa, and the Middle East at least since 2010.
According to new research from SecurityScorecard titled “Addressing the Trust Deficit In Critical Infrastructure”, published on January 18, 2023. nearly half (48%) of critical manufacturing organizations are vulnerable to a breach. The report analyzed the current state of cyber resilience in the critical infrastructure sectors such as energy, chemical, healthcare, and others, as designated by the Cybersecurity and Infrastructure Security Agency (CISA). As part of the report, the 48% of the organizations analyzed received a rating of ”C”, “D” or “F” on SecurityScorecard’s security ratings platform. Security Scorecard says organizations with an “A” rating are 7.7 times less likely to sustain a breach that those with an “F” rating.
On Friday, DevOps CircleCI disclosed that one of its engineers became infected with an info-stealing malware capable of stealing two-factor authentication-backed credentials, enabling threat actors to breach the company’s systems and data. CircleCI says the attack took place on December 16, 2022, and that the malware was able to go undetected by its antivirus software. According to CircleCI’s chief technology officer, Rob Zuber the malware was able to execute session cookie theft, enabling the attackers to impersonate the targeted employee in a remote location, and then escalate access to a subset of the company’s production systems. From here, the threat actors used the elevated privileges to steal data from the company’s database, which included customer environment variables, tokens, and keys. Although the data stolen was encrypted at rest, Zuber stated that the actors extracted encryption keys from a running process, enabling them to potentially access the encrypted data.
In early December 2022, a security advisory warned of a critical command injection vulnerability (tracked as CVE-2022-46169, severity rating 9.8 out of 10) in Cacti that could be exploited without authentication. Cacti is an operational and fault management monitoring solution for network devices that also provides graphical visualization. There are thousands of instances deployed across the world exposed on the web” (Bleeping Computer, 2023). Although the developer released an update for the flaw, there are currently more than 1,600 instances vulnerable to CVE-2022-46169, that hackers have already started to exploit.
Researchers at Fortinet recently discovered three malicious PyPI packages on January 10, 2023. These three packages are named “colorslib”, “httpslib”, and “libhttps”. All three packages were uploaded by the same actor, and have been downloaded a total of 550 times. The packages include complete descriptions, and they do not mimic the names of other projects; because of this developers are deceived into believing these packages are general resources with risk free-code. Nevertheless, the packages are capable of dropping info-stealing malware on developer systems.
Security researcher, Daniel Milisic, discovered that the T95 Android TV box he purchased on Amazon was infected with sophisticated pre-installed malware. This Android TV box model is available on Amazon and AliExpress for as low as $40. The device came with Android 10 (with working Play store) and an Allwinner H616 processor. Milisic purchased the T95 Android TV box to run Pi-hole, which is a Linux network-level advertisement and Internet tracker blocking application.
It twas on Friday that security researchers with Horizon3's Attack Team warned admins that they created a proof-of-concept (POC) exploit for CVE-2022-47966. According to researchers, the vulnerability could be leveraged in 'spray and pray' attacks across the internet since remote code execution at NT AUTHORITY\SYSTEM which essentially gives an attacker complete control over the system. Vulnerable software versions include almost all ManageEngine products. Fortunately, Zoho has already patched the bugs in waves which started on October 27, 2022, by updating third-party modules to a more recent version.
A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access, while also borrowing techniques from other groups like Conti to meet its goals. ‘Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host,’ Cybereason researchers said in a report published this week.
Microsoft says Cuba ransomware threat actors are hacking Microsoft Exchange servers unpatched against a critical server-side request forgery (SSRF) vulnerability also exploited in Play ransomware attacks. Cloud computing provider Rackspace recently confirmed that Play ransomware used a zero-day exploit dubbed OWASSRF targeting this bug (CVE-2022-41080) to compromise unpatched Microsoft Exchange servers on its network after bypassing ProxyNotShell URL rewrite mitigations. According to Microsoft, the Play ransomware gang has abused this security flaw since late November 2022. The company advises customers to prioritize CVE-2022-41080 patching to block potential attacks. Redmond says that this SSRF vulnerability has also been exploited since at least November 17th by another threat group it tracks as DEV-0671 to hack Exchange servers and deploy Cuba ransomware payloads.
Operators of the StrRAT and Ratty remote access trojans (RAT) are running a new campaign using polyglot MSI/JAR and CAB/JAR files to evade detection from security tools. The campaign was spotted by Deep Instinct, which reports that the threat actors achieve moderate success in evading detection by anti-virus engines. This is notable considering how old and well-documented the two particular RATs are.
A recently patched vulnerability in Control Web Panel (CWP), a tool for managing servers formerly known as CentOS Web Panel, is being leveraged in cyberattacks. The security vulnerability in question is being identified as CVE-2022-44877, which received a critical severity score of 9.8 out of 10. An attacker could execute code remotely without authentication on unpatched instances. It twas on January 3rd when researcher Numan Türle at Gais Cyber Security, who initially reported the issue around October last year, published a proof-of-concept (POC) exploit with a video demonstrating how the exploit works. After the release of the POC, it was only three days later when security researchers noticed hackers using the flaw to get remote access to unpatched systems and to find more vulnerable machines.
Royal Mail, UK's largest mail delivery service, disclosed yesterday that they suffered and were recovering from a callous cyber attack. The attribute was initially unknown; however, today, reports suggest that the Lock bit Ransomware operators are responsible for the blitz that the left organization's computer systems immedicable. As a result, the company's shipping and logistics services were reposed, severely halting business operations, “Royal Mail is experiencing severe service disruption to our international export services following a cyber incident," disclosed Royal Mail in its service update.
On Wednesday, Cisco published an advisory to warn customers of several vulnerabilities impacting its end-of-life VPN routers. The first flaw, which is being tracked as CVE-2023-20025 (CVSS score: 9.0), is related to an authentication bypass vulnerability in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082 Routers. Cisco says the flaw is due to improper validation of user input within incoming HTTP packets and can be exploited by sending specially crafted HTTP requests to the web-based management interface. Upon successful exploitation, a malicious threat actor could bypass authentication and gain root access to the targeted system.
A new analysis of Raspberry Robin's attack infrastructure has revealed that it's possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat. Raspberry Robin (aka QNAP worm), attributed to a threat actor dubbed DEV-0856, is a malware that has increasingly come under the radar for being used in attacks aimed at finance, government, insurance, and telecom entities. Given its use by multiple threat actors to drop a wide range of payloads such as SocGholish, Bumblebee, TrueBot, IcedID, and LockBit ransomware, it's believed to be a pay-per-install (PPI) botnet capable of serving next-stage malware.
A new analysis of Raspberry Robin's attack infrastructure has revealed that it's possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat. Raspberry Robin (aka QNAP worm), attributed to a threat actor dubbed DEV-0856, is a malware that has increasingly come under the radar for being used in attacks aimed at finance, government, insurance, and telecom entities. Given its use by multiple threat actors to drop a wide range of payloads such as SocGholish, Bumblebee, TrueBot, IcedID, and LockBit ransomware, it's believed to be a pay-per-install (PPI) botnet capable of serving next-stage malware.
Personal information for more than 1.3 million Aflac cancer insurance and almost 760,000 Zurich Insurance auto insurance policy holders is on the dark web following a hack on a third-party contractor. Neither company named the data leak site or third-party vendor involved with its breaches, so it is unclear if both incidents are related. Affected individuals from both hacks reside in Japan, "The incident, caused by a vulnerability in a file transfer server, originated with a subcontractor of a third-party vendor that Aflac Japan uses for marketing purposes. The data, which did not include personally identifiable information was posted on a dark website. This incident was confined to Aflac Japan and did not involve data related to U.S. operations or customers.
CrowdStrike reports that the Scattered Spider threat actor was seen attempting to exploit CVE-2015-2291, a high-severity vulnerability in the Intel Ethernet diagnostics driver that allows an attacker to execute arbitrary code with kernel privileges using specially crafted calls. Although the aforementioned CVE was fixed in 2015, by planting an older, still vulnerable version on the breached devices, the threat actors can leverage the flaw no matter what updates the victim has applied to the system.
The Gootkit loader malware operators are running a new SEO poisoning campaign that abuses VLC Media Player to infect Australian healthcare entities with Cobalt Strike beacons. The campaigns goal is to deploy the Cobalt Strike post-exploitation toolkit on infected devices for initial access to corporate networks. From there, the remote operators can perform network scans, move laterally throughout the network, steal account credentials and files, and deploy more dangerous payloads such as ransomware.
The Cybersecurity and Infrastructure Security Agency (CISA) has added two more security vulnerabilities to its catalog of exploited bugs today. The first is a Microsoft Exchange elevation of privileges bug tracked as CVE-2022-41080 that can be chained with the CVE-2022-41082 ProxyNotShell bug to gain remote code execution.
Attacks targeting government agencies and military bodies in multiple countries in the APAC region have been attributed to what appears to be a new advanced threat actor that leverages custom malware to steal confidential information. Security researchers are referring to this group as Dark Pink (Group-IB) or Saaiwc Group (Anheng Hunting Labs), noting that it employs uncommon tactics, techniques, and procedures.
Security researchers are warning that patching critical vulnerabilities allowing access to the network is insufficient to defend against ransomware attacks. Some gangs are exploiting the flaws to plan a backdoor while the window of opportunity exists and may return long after the victim applied the necessary security updates. One case is a Lorenz ransomware attack that reached completion months after the hackers gained access to the victim's network using an exploit for a critical bug in a telephony system. During an incident response engagement to a Lorenz ransomware attack, researchers at global intelligence and cyber security consulting company S-RM determined that the hackers had breached the victim network five months before starting to move laterally, steal data, and encrypt systems.
As part of the January 2023 Patch Tuesday, Microsoft addressed 98 flaws, including a zero-day that is actively being exploited in attacks. Of the 98 flaws fixed, there was 39 Elevation of Privilege Vulnerabilities, 4 Security Feature Bypass Vulnerabilities, 33 Remote Code Execution Vulnerabilities, 10 Information Disclosure Vulnerabilities, 10 Denial of Service Vulnerabilities, and 2 Spoofing Vulnerabilities. 11 of the vulnerabilities are rated critical in severity, most of which relate to remote code execution and privilege escalation.
The StrongPity APT hacking group is distributing a fake Shagle chat app that is a trojanized version of the Telegram for Android app with an added backdoor. Shagle is a legitimate random-video-chat platform allowing strangers to talk via an encrypted communications channel. However, the platform is entirely web-based, not offering a mobile app” (Bleeping Computer, 2023). Since 2021, StrongPity has been using a fake website to impersonate the actual Shagle website, with the goal of tricking victims into downloading malicious Android application. The malicious app can be used by the attacker to conduct espionage on targeted victims including, monitoring phone calls, collecting SMS text messages, and grabbing their contact lists for continued attacks. StrongPity, also known as Promethium or APT-C-41, has used trojanized applications in previous campaigns, including malicious versions of Notepad++, WinRAR, and TrueCrypt.
Auth0 fixed a remote code execution vulnerability in the immensely popular 'JsonWebToken' open-source library used by over 22,000 projects and downloaded over 36 million times per month on NPM. The library is used in open source projects created by Microsoft, Twilio, Salesforce, Intuit, Box, IBM, Docusign, Slack, SAP, and many more.
It’s been reported that the Kinsing malware is now actively breaching Kubernetes clusters by leveraging known weaknesses in container images and misconfigured, exposed PostgreSQL containers. While these tactics aren't novel, Microsoft's Defender for Cloud team reports they have seen an uptick lately, indicating that the threat actors are actively looking for specific entry points.
GitHub has introduced a new option to set up code scanning for a repository known as "default setup," designed to help developers configure it automatically with just a few clicks. While the CodeQL code analysis engine, which powers GitHub's code scanning, comes with support for many languages and compilers, the new option only shows up for Python, JavaScript, and Ruby repositories. Product marketing manager Walker Chabbott said that GitHub is working on expanding support to more languages over the next six months.
The MS Exchange exploit chain recently revealed by Crowdstrike researchers is how the Play ransomware gang breached the Rackspace Hosted Exchange email environment, the company confirmed last week. The exploit chains CVE-2022-41082, a RCE flaw, and CVE-2022-41080, a privilege escalation vulnerability, to achieve unrestricted remote access to vulnerable MS Exchange setups.
Windows 7 Professional and Enterprise editions will no longer receive extended security updates for critical and important vulnerabilities starting Tuesday, January 10, 2023. Microsoft launched the legacy operating system in October 2009. It then reached its end of support in January 2015 and its extended end of support in January 2020. The Extended Security Update (ESU) program was the last resort option for customers who still needed to run legacy Microsoft products past their end of support on Windows 7 systems.
Threat actors are using a well-crafted Pokemon NFT card game website to distribute the NetSupport remote access tool and take control over victims' devices. The website "pokemon-go[.]io," which is still online at the time of writing, claims to be home to a new NFT card game built around the Pokemon franchise, offering users strategic fun together with NFT investment profits.
Cyble Research & Intelligence Labs (CRIL) recently identified a phishing campaign targeting Zoom application software to deliver the IcedID malware. IcedID, also known as BokBot, is a banking trojan that enables attackers to steal victims’ banking credentials. This malware primarily targets businesses and can be used to steal payment information. In addition, IcedID acts as a loader, allowing it to deliver other malware families or download additional modules. IcedID usually spreads via spam emails with malicious Office file attachments. However, in this campaign, the attackers employed a phishing website to deliver the IcedID payload, which is not a typical distribution method for IcedID. The TAs behind this campaign used a highly convincing phishing page that looked like a legitimate Zoom website to trick users into downloading the IcedID malware, which carries out malicious activities.
The Russian cyberespionage group known as Turla has been observed piggybacking on attack infrastructure used by a decade-old malware to deliver its own reconnaissance and backdoor tools to targets in Ukraine. Google-owned Mandiant, which is tracking the operation under the uncategorized cluster moniker UNC4210, said the hijacked servers correspond to a variant of a commodity malware called ANDROMEDA (aka Gamarue) that was uploaded to VirusTotal in 2013. ‘UNC4210 re-registered at least three expired ANDROMEDA command-and-control (C2) domains and began profiling victims to selectively deploy KOPILUWAK and QUIETCANARY in September 2022,’ Mandiant researchers said in an analysis published last week.
Antivirus company Bitdefender has released a decryptor for the MegaCortex ransomware family, making it possible for victims of the once notorious gang to restore their data for free. The creation of the decryptor was the combined work of Bitdefender analysts and experts from Europol, the NoMoreRansom Project, and the Zürich Public Prosecutor's Office and Cantonal Police. Using the decryptor is pretty straightforward, as it's a standalone executable that doesn't require installation and offers to locate encrypted files on the system automatically. Moreover, the decryptor can back up the encrypted files for safety in case something goes wrong in the decryption process that could corrupt the files beyond recovery. Also, for those who attempted to decrypt their files previously with mixed success, the new decryptor offers an advanced setting to replace them with clean files.
Rackspace revealed on Thursday that attackers behind last month's incident accessed some of its customers' Personal Storage Table (PST) files which can contain a wide range of information, including emails, calendar data, contacts, and tasks. This update comes after Rackspace confirmed that the Play ransomware operation was behind the cyberattack that took down its hosted Microsoft Exchange environment in December. As discovered during the now-finished investigation led by cybersecurity firm Crowdstrike, the attackers gained access to the personal storage folders of 27 Rackspace customers.
Hackers are abusing the Windows Problem Reporting (WerFault.exe) error reporting tool for Windows to load malware into a compromised system's memory using a DLL sideloading technique. The use of this Windows executable is to stealthy infect devices without raising any alarms on the breached system by launching the malware through a legitimate Windows executable. The new campaign was spotted by K7 Security Labs, which could not identify the hackers, but they are believed to be based in China.
Zoho, a business software provider, released a security advisory encouraging its customers to patch a critical security flaw affecting three ManageEngine products immediately, BleepingComputer reports. The SQL injection vulnerability, CVE-2022-47523, was found in Zoho's PAM360 privileged access management software, Password Manager Pro secure vault, and Access Manager Plus privileged session management solution.
During the final quarter of 2021, researchers noted an increase in detections for SpyNote (SpyMax), an Android malware with spying capabilities. The increase in SpyNote infections is likely the result of a source code leak of another piece of malware called CypherRat. “CypherRat combined SpyNote's spying capabilities, such as offering remote access, GPS tracking, and device status and activity updates, with banking trojan features that impersonate banking institutions to steal account credentials” (Bleeping Computer, 2022). CypherRat was sold on private Telegram channels over the second half of 2021, but the author of the malware decided to publish the malwares source code to GitHub. Other threat actors have now leveraged the available source code to launch their own campaigns.
A threat actor group out of South Africa known as 'Automated Libra' has been improving their techniques to make a profit by using cloud platform resources for cryptocurrency mining. According to Palo Alto Networks Unit 42, the threat actors use a new CAPTCHA solving system, follow a more aggressive use of CPU resources for mining, and mixe 'freejacking' with the "Play and Run" technique to abuse free cloud resources.
Zoho is urging customers to patch a critical security flaw impacting multiple ManageEngine products. Tracked as CVE-2022-47523, the flaw is related to a SQL injection vulnerability in the company’s Password Manager Pro secure vault, PAM360 privileged access management software, and Access Manager Plus privileged session management solution. According to Zoho, successful exploitation could enable threat actors to gain unauthenticated access to the backend database and execute queries to retrieve database table entries.
Below is a list of the impacted product versions:
Password Manager Pro 12200 and below
PAM360 5800 and below
Access Manager Plus 4308 and below
CyberNews discovered that a database used by the platform was left open online, it contains a huge trove of data. The Social platform for the cricket community exposed over 100k entries of private customer data and credentials. The database, hosted by Amazon Web Services (AWS) in the US, contained admin credentials and private customer data, including email, phone numbers, names, hashed user passwords, dates of birth, and addresses.
Slack in a statement this week, alerted users of an incident over the holiday’s which impacted some of its private GitHub code repositories. The incident involved a threat actors gaining access to Slack’s externally hosted GitHub repositories via stolen Slack employee tokens. While some of Slack's private code repositories were breached, Slack’s primary codebase and customer data remained unaffected, according to the company.
Cybersecurity vendor Fortinet addressed several vulnerabilities impacting its products. The company also warned customers of a high-severity command injection flaw, tracked as CVE-2022-39947 (CVSS score of 8.6), affecting the Application Delivery Controller FortiADC. The CVE-2022-39947 flaw is an improper neutralization of special elements used in an OS Command vulnerability in FortiADC, it can potentially lead to arbitrary code execution via specifically crafted HTTP requests.
U.S. rail and locomotive company Wabtec Corporation has disclosed a data breach that exposed personal and sensitive information. Wabtec is a U.S.-based public company producing state-of-the-art locomotives and rail systems. The company employs approximately 25,000 people and has a presence in 50 countries, being the world's market leader in freight locomotives and a major player in the transit segment. The firm's 2021 financial results give a revenue figure of $7.8 billion, reporting a staggering 20% of the world's freight being moved by the 23,000 of Wabtec's locomotives in global operation.
Taiwan-based NAS maker Synology has addressed a maximum (10/10) severity vulnerability affecting routers configured to run as VPN servers. The vulnerability, tracked as CVE-2022-43931, was discovered internally by Synology's Product Security Incident Response Team (PSIRT) in the VPN Plus Server software and was given a maximum CVSS3 Base Score of 10 by the company. VPN Plus Server is a virtual private network server that allows administrators to set up Synology routers as a VPN server to allow remote access to resources behind the router.
The ASEC analysis team recently discovered that a Linux malware developed with shell script compiler (shc) that threat actors used to install a CoinMiner. The experts believe attackers initially compromised targeted devices through a dictionary attack on poorly protected Linux SSH servers, then they installed multiple malware on the target system, including the Shc downloader, XMRig CoinMiner, and a Perl-based DDoS IRC Bot.
According to NCC Group's Fox-IT research team, thousands of Citrix Application Delivery Controller (ADC) and Gateway endpoints remain vulnerable to two critical security flaws disclosed by the company over the last few months. The vulnerabilities in question are being tracked as CVE-2022-27510 and CVE-2022-27518 and have both received a CVSS score of 9.8, indicating a critical level of severity.
A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript. According to a report by antivirus vendor Dr. Web, the malware targets both 32-bit and 64-bit Linux systems, giving its operator remote command capabilities. The main functionality of the trojan is to hack WordPress sites using a set of hardcoded exploits that are run successively, until one of them works.
Nations cannot use these levers of power against an individual stone-thrower, but can use them against the nation that abets him. For countries that are willing to cooperate to reduce the numbers of insecure systems, there should be offers of funding, training, education, and access to technology. If a nation repeatedly refuses to cooperate, states on the receiving ends of continuing attacks must have recourse to the traditional full spectrum of coercive policies, from démarches to sanctions in the UN Security Council, prosecution in international courts, and all the way to covert action and kinetic military force.
This paper accordingly introduced the spectrum of state responsibility to shift the discussion away from “attribution fixation,” to national responsibility for attacks in cyberspace. The global national security community needs to shift resources from the technical attribution problem to solving the responsibility problem. This re-establishes state-to-state symmetry and enables a wider range of options open to sovereign nations: diplomatic, intelligence, military, and economic responses.
SickKids is a teaching and research hospital in Toronto that provides healthcare to sick children. On December 18th, the hospital suffered a ransomware attack that impacted internal and corporate systems, hospital phone lines, and the website. While the attack only encrypted a few systems, SickKids stated that the incident caused delays in receiving lab and imaging results and resulted in longer patient wait times.
On December 26, the threat actor published on their data leak site hidden on the Tor network that they had compromised a company in financial services. As the victim did not meet the threat actor’s demands, BlackCat published all the stolen files as a penalty. As a deviation from the usual process, the hackers decided to also leak the data on a site that mimics the victim's as far as the appearance and the domain name go.
BlueNoroff is a financially motivated threat actors who uses it’s cyber capabilities to generate profits. The group often targets a victims cryptocurrency assets, and since October has been using new malware strains that take advantage of Word documents and shortcut files for initial intrusion.
The Federal Bureau of Investigation (FBI) this week raised the alarm on cybercriminals impersonating brands in advertisements that appear in search engine results. The agency has advised consumers to use ad blockers to protect themselves from such threats. The attackers register domains similar to those of legitimate businesses or services and use those domains to purchase ads from search engine advertisement services, the FBI says in an alert. These nefarious ads are displayed at the top of the web page when the user searches for that business or service, and the user might mistake them for an actual search result.
The Vice Society ransomware operation has switched to using a custom ransomware encrypt that implements a strong, hybrid encryption scheme based on NTRUEncrypt and ChaCha20-Poly1305. According to cybersecurity firm SentinelOne, which discovered the new strain and named it "PolyVice," it's likely that Vice Society sourced it from a vendor who supplies similar tools to other ransomware groups.
Comcast Xfinity customers report their accounts being hacked in widespread attacks that bypass two-factor authentication. These compromised accounts are then used to reset passwords for other services, such as the Coinbase and Gemini crypto exchanges. Starting on December 19th, many Xfinity email users began receiving notifications that their account information had been changed. However, when attempting to access the accounts, they could not log in as the passwords had been changed.
An Iranian group of hackers, known as Moses Staff, had seized control of dozens of Israeli CCTV cameras; the hack was known to the authorities that did nothing to stop it, reported The Times of Israel, which had access to a preview of the full investigative report, “In a preview of a full investigative report set to be aired on Tuesday, the Kan public broadcaster said officials did not take action to secure the cameras, despite their knowledge of the activities of the group, known as Moses Staff.” reported The Times of Israel.
Leading sports betting company BetMGM disclosed a data breach after a threat actor stole personal information belonging to an undisclosed number of customers. While the personal info stolen in the attack varies for each customer, the attackers obtained a wide range of data, including names, contact info (like postal addresses, email addresses, and phone numbers), dates of birth, hashed Social Security numbers, account identifiers (like player IDs and screen names) and info related to transactions with BetMGM. The company added that it discovered the incident on November 2022 but believes the breach occurred in May 2022.
The notorious FIN7 hacking group uses an automated attack system that exploits Microsoft Exchange and SQL injection vulnerabilities to breach corporate networks, steal data, and select targets for ransomware attacks based on financial size. This system was discovered by Prodaft's threat intelligence team, which has been closely following FIN7 operations for years now. In a report shared with BleepingComputer before publication, Prodaft reveals details about FIN7's internal hierarchy, affiliations with various ransomware projects, and a new SSH backdoor system used for stealing files from compromised networks.
Cybersecurity firm, modzero AG recently disclosed several high-severity vulnerabilities in Passwordstate password management solution that could enable unauthenticated threat actors to remotely obtain a user’s plaintext passwords.
Yesterday, BleepingComputer claimed to have obtained a 'confidential' security incident notification that Okta has been emailing to its security contacts. Okta has released an official statement which you can find below: “In alignment with our core value of transparency, we are sharing context and details around a recent security event affecting Okta code repositories. There is no impact to any customers, including any HIPAA, FedRAMP or DoD customers. No action is required by customers”
The Zero bot botnet has been upgraded to infect new devices by exploiting security vulnerabilities affecting Internet-exposed and unpatched Apache servers. The Microsoft Defender for IoT research team also observed that this latest version adds recent distributed denial-of-service (DDoS) capabilities. Zero bot has been under active development since at least November, with new versions adding new modules and features to expand the botnet's attack vectors and make it easier to infect new devices, including firewalls, routers, and cameras. Since early December, the malware's developers have removed modules that targeted phpMyAdmin servers, Dasan GPON home routers, and D-Link DSL-2750B wireless routers with year-old exploits.
Corsair has confirmed that a bug in the firmware of K100 keyboards, and not malware, is behind previously entered text being auto-typed into applications days later. The company's statement comes after multiple K100 users have reported that their keyboards are typing text on their own at random moments. The company's announcement comes after numerous K100 users have reported that their keyboards are typing text on their own at unexpected moments. A Corsair spokesperson responded to concerns, saying that their keyboards do not have keylogging capabilities, nor do they actively monitor what users type on them. Unfortunately, the latest firmware update made available to K100 devices (version 1.11.39) a couple of weeks back does not fix the issue. To make matters worse, this latest firmware update has caused random freezes on the keyboard, which some users report may be linked to the high polling rate setting.
Scammers are pretending to be government employees. They may threaten you and may demand immediate payment to avoid arrest or other legal action. These criminals continue to evolve and find new ways to steal your money and personal information. Do not fall for it! We want you to know how you and your loved ones can avoid becoming victims!
Microsoft has disclosed details of a now-fixed security vulnerability dubbed Achilles (CVE-2022-42821, CVSS score: 5.5) in Apple macOS that threat actors could exploit to bypass the Gatekeeper security feature; The Apple Gatekeeper is designed to protect OS X users by performing several checks before allowing an App to run. The flaw was discovered on July 27, 2022, by Jonathan Bar-Or from Microsoft; it is a logic issue that was addressed with improved checks, “On July 27, 2022, Microsoft discovered a vulnerability in macOS that can allow attackers to bypass application execution restrictions imposed by Apple’s Gatekeeper security mechanism, designed to ensure only trusted apps run on Mac devices. We developed a proof-of-concept exploit to demonstrate the vulnerability, which we call “Achilles”.” reads the post published by Microsoft.
Microsoft has released an emergency out-of-band (OOB) Windows Server update to address a known issue breaking virtual machine (VM) creation on Hyper-V hosts after installing this month's Patch Tuesday updates. The problem affects only VMs managed with the System Center Virtual Machine Manager (SCVMM) and using Software Defined Networking.
An Android banking trojan known as GodFather is being used to target users of more than 400 banking and cryptocurrency apps spanning across 16 countries. This includes 215 banks, 94 crypto wallet providers, and 110 crypto exchange platforms serving users in the U.S., Turkey, Spain, Italy, and Canada, among others, Singapore-headquartered Group-IB said in a report shared with The Hacker News. The malware, like many financial trojans targeting the Android ecosystem, attempts to steal user credentials by generating convincing overlay screens (aka web fakes) that are served atop target applications.
A new security threat to a recently introduced functionality in Amazon Web Services (AWS) has been uncovered by researchers from Mitiga. The attack vector relates to AWS’ Amazon Virtual Private Cloud feature ‘Elastic IP transfer,’ which was announced in October 2022. This feature enables a far easier transfer of Elastic IP addresses from one AWS account to another.
This new tactic was discovered by Trend Micro researchers who observed Raspberry Robin in recent attacks against telecommunication service providers and government systems. Raspberry Robin is a worm-like malware dropper that sells initial access to compromised networks to ransomware gangs and malware operators. It has been previously associated with FIN11 and the Clop gang, as well as Bumblebee, IcedID, and TrueBot payload distribution.
High-severity security vulnerabilities have been disclosed in different endpoint detection and response (EDR) and antivirus (AV) products that could be exploited to turn them into data wipers. Out of 11 security products that were tested, six were found vulnerable to the zero-day wiper exploit, prompting vendors to release updates.
The Play ransomware gang has claimed responsibility for a cyber attack on H-Hotels (h-hotels.com) that has resulted in communication outages for the company. H-Hotels is a hospitality business with 60 hotels in 50 locations across Germany, Austria, and Switzerland, offering a total capacity of 9,600 rooms. The hotel chain employs 2,500 people and is one of the largest in the DACH region, operating under 'H-Hotels' and the sub-brands Hyperion, H4 Hotels, H2 Hotels, H + Hotels, H.ostels, and H.omes.
On Monday, Microsoft published details of a recently patched vulnerability (CVE-2022-42821) in macOS, dubbed “Achilles,” that could enable threat actors to bypass application execution restrictions imposed by Apple’s Gatekeeper mechanism. Gatekeeper is a security feature in macOS that automatically checks apps downloaded from the Internet if they are notarized and developer-signed (approved by Apple), asking the user to confirm before launching or issuing an alert that the app cannot be trusted. Similar to the Mark of the web flags employed in Windows, Gatekeeper checks for an extended attribute called com.apple.quarantine which is assigned by web browsers to all downloaded files.
Threat actors have published a malicious Python package on PyPI, named 'SentinelOne,' that pretends to be the legitimate SDK client for the trusted American cybersecurity firm but, in reality, steals data from developers. Most concerning, the package offers the expected functionality by accessing the SentinelOne API from within another project. This means many developers may not realize they have been compromised. The malicious package has been trojanized to steal sensitive data from compromised developer systems. The packages were discovered by experts at ReversingLabs, who reported the issue and had the malicious PyPi packages removed. The first package was uploaded on December 11, 2022, and had been updated twenty times since then.
Argishti Khudaverdyan, the former owner of a T-Mobile retail store, was sentenced to 10 years in prison for a $25 million scheme where he unlocked and unblocked cellphones by hacking into T-Mobile's internal systems. Between August 2014 and June 2019, the 44-year-old man behind the scheme, who was also ordered to pay $28,473,535 in restitution, "cleaned" hundreds of thousands of cellphones for his "customers.
Microsoft is investigating a known issue leading to Blue Screen of Death (BSOD) crashes with 0xc000021a errors after installing the Windows 10 KB5021233 cumulative update released during this month's Patch Tuesday. The company warned over the weekend that "after installing KB5021233, some Windows devices might start up to an error (0xc000021a) with a blue screen." According to researcher this known issue is likely caused by a mismatch between the file versions of hidparse.sys in system32 and system32/drivers in the Windows folder, "which might cause signature validation to fail when cleanup occurs.
On Friday, researchers at Trend Micro disclosed details of a new Rust variant of the ransomware strain Agenda, which includes new features allowing for faster encryption and detection evasion. Agenda, also known as Qilin, is a ransomware-as-a-service operation that was first spotted a few months ago in August, 2022 targeting healthcare and education sectors in countries like Thailand and Indonesia. Agenda’s ransomware strains were originally written in the Go programming language. However, in just a short amount of time, the actors have switched to Rust, a cross-platform language that enables the malware to target different operating systems including Windows and Linux.
Google on Friday announced that its client-side encryption for Gmail is in beta for Workspace and education customers as part of its efforts to secure emails sent using the web version of the platform. The development comes at a time when concerns about online privacy and data security are at an all-time high, making it a welcome change for users who value the protection of their personal data. To that end, Google Workspace Enterprise Plus, Education Plus, and Education Standard customers can apply to sign up for the beta until January 20, 2023. It's not available to personal Google Accounts.
The US National Institute of Standards and Technology (NIST) has announced the phasing out of the secure hash algorithm (SHA)-1 in the federal government. The agency said it will stop using SHA-1 in its last remaining specified protocols by December 31, 2030. It also recommended that all IT professionals replace the algorithm by the end of the decade, and modules that still use SHA-1 after December 2030 will not be permitted for purchase by the federal government, NIST said in an announcement on December 15.
A new phishing campaign uses Facebook posts as part of its attack chain to trick users into giving away their account credentials and personally identifiable information (PII). The emails sent to targets pretend to be a copyright infringement issue on one of the recipient's Facebook posts, warning that their account will be deleted within 48 hours if no appeal is filed. The link to appeal the account deletion is an actual Facebook post on facebook.com, helping threat actors bypass email security solutions and ensure their phishing messages land in the target's inbox. The Facebook post pretends to be "Page Support," using a Facebook logo to appear as if the company manages it. However, this post includes a link to an external phishing site named after Meta, Facebook’s owner company, to slightly reduce the chances of victims realizing the scam.
CISA recently added two new vulnerabilities to its catalog of Known Exploited Vulnerabilities (KEV), impacting Veeam Backup and Replication Software. The vulnerabilities are being tracked as CVE-2022-26500 and CVE-2022-26501 and have been given a CVSS score of 9.8, indicating a critical level of severity. CVE-2022-26500 is related to an Improper limitation of path names in Veeam Backup & Replication while CVE-2022-26501 is related to an Improper authentication in Veeam Backup and & Replication. Both flaws can be exploited for remote code execution, in turn allowing attackers to compromise and take control of targeted systems.
I created this report for another information sharing group we work with. At the IT-ISAC we have been tracking ransomware attacks going back to January of 2021. I crunched some number from November 1, 2022 - Today. Please find a PDF attached and a CSV of recent events. Our metrics are gathered from industry partners, open source reporting, and manual scans of ransomware leak sites by the IT-ISAC operations team. I will note that they are likely skewed towards the IT sector, which will throw off the statistics.
Microsoft has addressed a known issue that made parts of the Task Manager unreadable after installing the KB5020044 November preview update on Windows 11 22H2 systems. As Redmond explained when confirming the issue two weeks ago, affected users see some user interface elements of the Task Manager displayed using unexpected colors that make them unreadable.
At approximately 2 PM ET, as users were getting ready to watch the World Cup semifinal, FuboTV subscribers could not log in to the streaming service. Instead, they were greeted with a CB_ERR_OPEN error, stating "ff: downstream not available" when logging in. Subscribers could not contact support to report the problem, as it requires a user to first log in to the FuboTV site, which could no longer be done.
A former Twitter employee has been handed a jail sentence of over three years after accepting bribes from the Kingdom of Saudi Arabia (KSA) in return for accessing dissidents’ accounts. Ahmad Abouammo, 45, formerly of Walnut Creek, was convicted in August of acting as a foreign agent without notice to the attorney general, conspiracy, wire fraud, international money laundering and falsification of records in a federal investigation.
The US Department of Justice has seized 48 Internet domains and charged six suspects for their involvement in running ‘Booter’ or ‘Stresser’ platforms that allow anyone to easily conduct distributed denial of service attacks. Booters are online platforms allowing threat actors to pay for distributed denial-of-service attacks on websites and Internet-connected devices. Essentially, they are "booting" the target off of the Internet. Stressers offer the same DDoS features but claim to be provided for legitimate testing of the reliability of web services and the servers behind them.
Microsoft reclassified the severity of an information disclosure vulnerability in SPNEGO NEGOEX that it patched in September 2022, after discovering the flaw could enable attackers to remotely execute code. “SPNEGO, short for Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO), is a scheme that allows a client and remote server to arrive at a consensus on the choice of the protocol to be used (e.g., Kerberos or NTLM) for authentication”.
Phishing campaigns involving the Qakbot malware are using Scalable Vector Graphics (SVG) images embedded in HTML email attachments. The new distribution method was spotted by Cisco Talos, which said it identified fraudulent email messages featuring HTML attachments with encoded SVG images that incorporate HTML script tags. HTML smuggling is a technique that relies on using legitimate features of HTML and JavaScript to run encoded malicious code contained within the lure attachment and assemble the payload on a victim's machine as opposed to making an HTTP request to fetch the malware from a remote server. In other words, the idea is to evade email gateways by storing a binary in the form of a JavaScript code that's decoded and downloaded when opened via a web browser.
Social Blade is an analytics platform that provides statistical graphs for YouTube, Twitter, Twitch, Daily Motion, Mixer, and Instagram accounts, allowing customers to see estimated earnings and projects. The company offers an API allowing customers to integrate the Social Blade data directly into their platforms.
The MirrorFace hacking group (APT10 and Cicada) began sending spear-phishing emails to their targets on June 29, 2022, pretending to be PR agents from the recipient’s political party, asking them to post the attached video files on social media. The threat actors impersonated a Japanese ministry, attaching decoy documents that extract WinRAR archives in the background. The library contained an encrypted copy of the LODEINFO malware, a malicious DLL loader, and an innocuous application (K7Security Suite) used for DLL search order hijacking.
Apple released security updates to address a new zero-day vulnerability, tracked as CVE-2022-42856, that is actively exploited in attacks against iPhones. The flaw is the tenth actively exploited zero-day vulnerability since the start of the year. The IT giant released security bulletins for iOS/iPadOS 15.7.2, Safari 16.2, tvOS 16.2, and macOS Ventura 13.1.
In reports released today, researchers explain how they found a new toolkit consisting of two components named STONESTOP (loader) and POORTRY (kernel-mode driver) being used in "bring your own vulnerable driver" (BYOVD) attacks. According to Mandiant and SentinelOne, STONESTOP is a user-mode application that attempts to terminate endpoint security software processes on a device. Another variant includes the ability to overwrite and delete files.
On Monday, LockBit Ransomware gang claimed on its data leak site to have breached the Department of Finance in California. As proof of their claim, the threat actors published a few screenshots of the files allegedly stolen from the government agency. In total, 246,000 files in more than 114,000 folders amounting to 76 GB of data were allegedly exfiltrated which includes databases, confidential data, financial documents, certifications, and IT documents. The ransomware actors have placed a counter on their post, stating that they will publish all of the files stolen if a ransom is not paid by December 24.
As part of the December 2022 Patch Tuesday, Microsoft addressed 49 flaws, including two zero-days, one of which is being actively exploited in attacks. Of the 49 flaws fixed, there was 17 elevation of privilege vulnerabilities, 2 security feature bypass vulnerabilities, 23 remote code execution vulnerabilities, 3 denial of service vulnerabilities, and 1 spoofing vulnerability. Six of the vulnerabilities have been rated critical in severity and relate to remote code execution.
In case some of you are members of the FBI's InfraGard, Krebs on Security posted an article this week on a potential data breach impacting InfraGard and its members. A database of contact information on more than 80,000 members had allegedly gone up for sale on an English-language cybercrime forum.
Uber has suffered a new data breach after a threat actor leaked employee email addresses, corporate reports, and IT asset information stolen from a third-party vendor in a cybersecurity incident. Early Saturday morning, a threat actor named 'UberLeaks' began leaking data they claimed was stolen from Uber and Uber Eats on a hacking forum known for publishing data breaches. The leaked data includes numerous archives claiming to be source code associated with mobile device management platforms (MDM) used by Uber and Uber Eats and third-party vendor services.
On Monday, Fortinet released an advisory to warn users against a vulnerability in its FortiOS SSL-VPN that is actively being exploited in attacks. Tracked as CVE-2022-42475, the flaw is related to a heap-based buffer overflow bug which could allow an unauthenticated attacker to execute arbitrary code or commands via specifically crafted requests on vulnerable devices. CVE-2022-42475 was discovered and disclosed to Fortinet by French cybersecurity firm Olympe Cyberdefense. Shortly after the disclosure, Fortinet began rolling out new FortiOS versions to address the flaw.
Amazon ECR Public Gallery is a public repository of container images used for sharing ready-to-use applications and popular Linux distributions, such as Nginx, EKS Distro, Amazon Linux, CloudWatch agent, and Datadog agent. A Lightspin security analyst discovered a new flaw in the ECR Public Gallery where it's possible to modify existing public images, layers, tags, registries, and repositories of other users by abusing undocumented API actions.
A wildly popular new AI bot could be used by would-be cyber-criminals to teach them how to craft attacks and even write ransomware, security experts have warned. ChatGPT was released by artificial intelligence R&D firm OpenAI last month and has already passed one million users. The prototype chatbot answers questions with apparent authority in natural language, by trawling vast volumes of data across the internet. It can even be creative, for example by writing poetry.
An unauthenticated remote code execution flaw (CVE-2022-27518) is being leveraged by a Chinese state-sponsored group to compromise Citrix Application Delivery Controller (ADC) deployments, the US National Security Agency has warned. “Targeting Citrix ADCs can facilitate illegitimate access to targeted organizations by bypassing normal authentication controls.” CVE-2022-27518 stems from the vulnerable devices’ software failing to maintain control over a resource throughout its lifetime (creation, use, and release) and gives remote attackers the opportunity to execute arbitrary code (without prior authentication) on vulnerable appliances.
Claroty's Team82 has developed a technique to bypass industry-leading web application firewalls (WAF) by appending JSON syntax to SQL injection payloads. WAFs are designed to protect web-based applications and APIs from malicious traffic, but this technique works because major WAF vendors lack support for JSON syntax, despite it being supported by most database engines for a decade. This means that appending JSON to SQL syntax can leave the WAF blind to attacks. The technique was tested against WAFs from Palo Alto Networks, Amazon Web Services, Cloudflare, F5, and Imperva, and all five have been notified and have updated their products to support JSON syntax.
Pwn2Own Toronto 2022 has ended with competitors earning $989,750 for 63 zero-day exploits (and multiple bug collisions) targeting consumer products between December 6th and December 9th. During this hacking competition, 26 teams and security researchers have targeted devices in the mobile phones, home automation hubs, printers, wireless routers, network-attached storage, and smart speakers categories, all up-to-date and in their default configuration.
Security researchers have noticed a spike in devices infected with the TrueBot malware downloader created by a Russian-speaking hacking group known as Silence. The Silence group is known for its big heists against financial institutions, and has begun to shift from phishing as an initial compromise vector. The threat actor is also using a new custom data exfiltration tool called Teleport. Analysis of Silence's attacks over the past months revealed that the gang delivered Clop ransomware typically deployed by TA505 hackers, which are associated with the FIN11 group.
We've received an alarming amount of news and inquiries where individuals, including family members, are receiving a ton of email-related phishing scams. The messages increased in November and will likely continue into January. One report included a fraudulent FedEx template where an elderly family unknowingly entered their financial information into the supplied message fields; their debit card information was stolen and used by the adversary. In another reported phishing attempt, a McAfee template with a sense of urgency was sent to an elderly individual with the subject line, "Your devices are under attack; please Upgrade Now for Protection." The targeted individual contacted McAfee after looking up their support number, who then informed them it was a scam and that no action was needed.
On Thursday, Cisco disclosed a vulnerability in its IP Phones (running 7800 and 8800 Series firmware) which can be exploited for remote code execution and denial of service attacks. Tracked as CVE-2022-20968, the vulnerability is due to an insufficient input validation of received Cisco Discovery Protocol packets, which enables an unauthenticated attacker to cause a stack overflow on the affected device.
Researchers from ReversingLabs released their report, The State of Software Supply Chain Security, published on December 5, 2022. The report examines an exponential increase in supply chain attacks between 2020 and early 2022. ReversingLabs based their research on the number of malicious packages uploaded on open-source repositories such as npm, PyPi and Ruby Gems.
MuddyWater hackers, a group associated with Iran’s Ministry of Intelligence and Security (MOIS), used compromised corporate email accounts to deliver phishing messages to their targets. The group adopted the new tactic in a campaign that might have started in September but wasn’t observed until October and combined the use of a legitimate remote administration tool. MuddyWater has used legitimate remote administration tools for its hacking activities in the past. Researchers discovered campaigns from this group in 2020 and 2021 that relied on RemoteUtilities and ScreenConnect.
The Iranian Agrius APT hacking group is using a new 'Fantasy' data wiper in supply-chain attacks impacting organizations in Israel, Hong Kong, and South Africa. The campaign started in February and unfolded at full scale in March 2022, breaching an IT support services firm, a diamond wholesaler, a jeweler, and an HR consulting company. In this campaign, Agrius used a new wiper named 'Fantasy' hidden inside a software suite created by an Israeli vendor. This software is commonly used in the diamond industry.
Google's Threat Analysis Group (TAG) revealed today that a group of North Korean hackers tracked as APT37 exploited a previously unknown Internet Explorer vulnerability (known as a zero-day) to infect South Korean targets with malware. Google TAG was made aware of this recent attack on October 31 when multiple VirusTotal submitters from South Korea uploaded a malicious Microsoft Office document named "221031 Seoul Yongsan Itaewon accident response situation (06:00).docx." Once opened on the victims' devices, the document would deliver an unknown payload after downloading a rich text file (RTF) remote template that would render remote HTML using Internet Explorer. Loading the HTML content that delivered the exploit remotely allows the attackers to exploit the IE zero-day even if the targets weren't using it as their default web browser.
The Iranian Agrius APT hacking group is using a new 'Fantasy' data wiper in supply-chain attacks impacting organizations in Israel, Hong Kong, and South Africa. The campaign started in February and unfolded at full scale in March 2022, breaching an IT support services firm, a diamond wholesaler, a jeweler, and an HR consulting company. In this campaign, Agrius used a new wiper named 'Fantasy' hidden inside a software suite created by an Israeli vendor. This software is commonly used in the diamond industry.
A Chinese state-sponsored APT group has stolen at least $20m from US COVID-relief funds, in what appears to be a first-of-its kind campaign, according to the Secret Service. The service told NBC that it linked prolific Chengdu-based APT41 to the raids, which targeted Small Business Administration (SBA) loans and unemployment insurance funds in more than 12 states. However, the true scale of the campaign may be much greater. The Secret Service said it has over 1000 investigations currently open into theft and fraud related to public benefits programs.
A new Go-based malware named ‘Zerobot’ has been spotted in mid-November using exploits for almost two dozen vulnerabilities in a variety of devices that include F5 BIG-IP, Zyxel firewalls, Totolink and D-Link routers, and Hikvision cameras. The purpose of the malware is to add compromised devices to a distributed denial-of-service (DDoS) botnet to launch powerful attacks against specified targets.
Apple introduced today Advanced Data Protection for iCloud, a new feature that uses end-to-end encryption to protect sensitive iCloud data, including backups, photos, notes, and more. For customers who choose to enable this new security feature, Advanced Data Protection is designed to safeguard "most iCloud data even in the case of a data breach in the cloud" by ensuring that encrypted cloud data can only be decrypted on the users' trusted devices.
Fortinet Labs recently uncovered a new botnet dubbed Zerobot that is rapidly growing in number by exploiting dozens of security vulnerabilities in IoT devices. Zerobot is a go-based botnet that comes with several modules, including self-replication, attacks for different protocols, and self-propagation. According to researchers, two versions of Zerobot have been spotted to date. The first one which was used before November 24 contains basic functions while the current version has been updated to include a “selfRepo” module, enabling it to reproduce itself and infect more devices with different protocols or vulnerabilities.
The China-linked nation-state hacking group referred to as Mustang Panda is using lures related to the ongoing Russo-Ukrainian War to attack entities in Europe and the Asia Pacific. That's according to the BlackBerry Research and Intelligence Team, which analyzed a RAR archive file titled "Political Guidance for the new EU approach towards Russia.rar." Some of the targeted countries include Vietnam, India, Pakistan, Kenya, Turkey, Italy, and Brazil.
In the run-up to Christmas, one of the busiest times for online shopping and e-commerce, we are likely to see a spike in fraudulent domain name registrations. Domain provider CSC analyzed threatening domains targeting 10 of the biggest brands in the world in a report published on December 6, 2022. These include Amazon, Walmart, McDonald’s, Tencent, Google, Microsoft, Apple and Facebook.
Russia's second-largest financial institution VTB Bank says it is facing the worse cyberattack in its history after its website and mobile apps were taken offline due to an ongoing DDoS (distributed denial of service) attack. "At present, the VTB technological infrastructure is under unprecedented cyberattack from abroad," stated a VTB spokesperson to TASS (translated). "It is not only the largest cyberattack recorded this year, but in the entire history of the bank.
A ransomware attack on a New Zealand third-party managed IT service provider affected several government agencies across the country - including the Ministry of Justice and the national health authority. The Office of the Privacy Commissioner said "urgent work" is underway to understand the full impact of the incident. The third-party provider is Mercury IT, whose LinkedIn page describes it as a small business based in Wellington. It provides a wide range of IT services to customers throughout New Zealand, according to a one-page website on the company domain.
Texas-based cloud computing provider Rackspace has confirmed today that a ransomware attack is behind an ongoing Hosted Exchange outage described as an "isolated disruption." In a statement the company said, "As you know, on Friday, December 2nd, 2022, we became aware of suspicious activity and immediately took proactive measures to isolate the Hosted Exchange environment to contain the incident.
In August, researchers at Eclypsium discovered a set of vulnerabilities in the American Megatrends MegaRAC Baseboard Management Controller (BMC) software which can be exploited by attackers under certain conditions to execute code, bypass authentication, and perform user enumeration. The flaws were discovered after researchers examined leaked proprietary code of American Megatrends, specifically, the MegaRAC BMC firmware. MegaRAC BMC is a remote system management solution that allows admins to troubleshoot servers remotely as if they were standing in front of the device. As of writing MegaRAC BMC firmware is used by at least 15 server manufacturers, including AMD, Ampere Computing, ASRock, Asus, ARM, Dell EMC, Gigabyte, Hewlett-Packard Enterprise, Huawei, Inspur, Lenovo, Nvidia, Qualcomm, Quanta, and Tyan.
Russian hackers are using their presence inside the networks of organizations in the UK, US and elsewhere to launch attacks against Ukraine, a new report from Lupovis has revealed. The Scottish security firm used a series of web decoys to lure Russian threat actors in an attempt to study their TTPs. Using a fake document leaked to cybercrime forums, the researchers leaked fake usernames, passwords, and other information that would entice actors to look further.
Microsoft has warned of Russian-sponsored cyberattacks continuing to target Ukrainian infrastructure and NATO allies in Europe throughout the winter. Redmond said in a report published over the weekend that it observed a pattern of targeted attacks on infrastructure in Ukraine by the Russian military intelligence threat group Sandworm in association with missile strikes. The attacks have been accompanied by a propaganda campaign to undermine Western support (from the U.S., EU, and NATO) for Ukraine, “We believe these recent trends suggest that the world should be prepared for several lines of potential Russian attack in the digital domain over the course of this winter. Russia will seek to exploit cracks in popular support for Ukraine to undermine coalitions essential to Ukraine's resilience, hoping to impair the humanitarian and military aid flowing to the region. We should also be prepared for cyber-enabled influence operations that target Europe to be conducted in parallel with cyberthreat activity.
ConnectWise, which offers a self-hosted, remote desktop software application that is widely used by Managed Service Providers (MSPs), is warning about an unusually sophisticated phishing attack that can let attackers take remote control over user systems when recipients click the included link. The warning comes just weeks after the company quietly patched a vulnerability that makes it easier for phishers to launch these attacks.
The maintainers of the FreeBSD operating system released updates to address a critical flaw, tracked as CVE-2022-23093, in the ping module that could be potentially exploited to gain remote code execution. A remote attacker can trigger the vulnerability, causing the ping program to crash and potentially leading to remote code execution in ping, “ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a “quoted packet,” which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header.” reads the advisory for this issue.
Florida man Nicholas Truglia was sentenced to 18 months in prison on Thursday for his involvement in a fraud scheme that led to the theft of millions from cryptocurrency investor Michael Terpin. The funds were stolen following a January 2018 SIM swap attack that allowed Truglia's co-conspirators to hijack Terpin's phone number and fraudulently transfer roughly $23.8 million in cryptocurrency from his crypto wallet to an online account under Truglia's control. According to the indictment, the defendant "agreed to convert the stolen cryptocurrency into Bitcoin, another form of cryptocurrency, and then transfer the Bitcoin to other Scheme Participants, while keeping a portion as payment for his services.” In all, Truglia kept at least approximately $673,000 of the stolen funds to assist the other fraudsters in collecting and dividing the illegally obtained funds among them. The 25-year-old was ordered to pay a total of $20,379,007 to Terpin within the next 60 days, until January 30, 2023.
Since the start of the Russo-Ukraine war, Ukraine has been the target of wiper malware including DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, and Industroyer2. Cybersecurity firm Kaspersky recently disclosed the discovery of yet another wiper malware dubbed CryWiper, which it says was used to attack an organization’s network in the Russian Federation. Russia media outlets also stated that the malware was used in attacks against Russian Mayor’s offices and courts. According to Kaspersky, CryWiper masquerades as ransomware and extorts money from the victim for “decrypting” data, but in reality, it does not actually encrypt and rather intentionally destroys data in the affected system making recovery impossible.
On Friday, Google released security updates to address a high-severity zero-day in its Chrome web browser. Tracked as CVE-2022-4262, the vulnerability is related to a type confusion weakness in the Chrome V8 JavaScript engine. “Even though type confusion security flaws generally lead to browser crashes after successful exploitation by reading or writing memory out of buffer bounds, threat actors can also exploit them for arbitrary code execution” (The Bleeping Computer, 2022). To address CVE-2022-4262, Google has released Chrome version 108.0.5359.94/.95 for Windows and version 108.0.5359.94 for macOS and Linux. Users have been advised to upgrade to the latest versions as soon as possible to mitigate potential threats.
ESET released an article on security challenges faced by modern UK farms. During a National Farmer’s Union (NFU) meeting in southern England, a farmer shared details about how his cows had recently “been hacked.” He noted that his farm used relatively high tech milking machines that were abused by a threat actor after he had clicked on a malicious email attachment. After his computer network went down, the farmer realized he had no way of knowing which cows had been milked, or which cows needed milking next. “Making things worse, it wasn’t just his cows that had been attacked, according to the farmer. All the farm’s online accounts had also been compromised and, therefore, his tractors had been taken offline, leaving him with no information on which of his fields had been cropped or still needed cropping, as the tractor usually plans out the routes via his online accounts.
This is a follow-up to another advisory issued one year ago, which warned that the cybercrime group compromised dozens of organizations from U.S. critical infrastructure sectors, making over $40 million since it started targeting U.S. companies. "Since the release of the December 2021 FBI Flash, the number of U.S. entities compromised by Cuba ransomware has doubled, with ransoms demanded and paid on the increase.
The Go-based malware threat that researchers call Redigo has been targeting Redis servers vulnerable to CVE-2022-0543 to plant a stealthy backdoor and allow command execution. CVE-2022-0543 is a critical vulnerability in Redis (Remote Dictionary Server) software with a maximum severity rating. It was discovered and fixed in February 2022. Per usual, attackers continued to leverage it on unpatched machines several months after the fix came out, as proof-of-concept exploit code became publicly available.
An Android malware campaign masquerading as reading and education apps has been underway since 2018, attempting to steal Facebook account credentials from infected devices. According to a new report by Zimperium, the campaign has infected at least 300,000 devices across 71 countries, primarily focusing on Vietnam. Some apps used for spreading the trojan, which Zimperium named 'Schoolyard Bully,' were previously on Google Play but have since been removed. However, Zimperium warns that the apps continue to be spread through third-party Android app stores.
IBM recently addressed a high-severity flaw impacting its Cloud Databases (ICD) for PostgreSQL product that could be exploited to tamper with internal repositories and execute malicious code. Dubbed “Hell’s Keychain” by cloud security firm Wiz, the vulnerability is related to a privilege escalation flaw that allows a malicious threat actor to gain superuser (aka “ibm”) privileges and remotely execute code to read and modify the data stored in the PostgreSQL database.
Multiple platform certificates used by Android OEM device vendors to digitally sign core system applications have also been used to sign Android apps containing malware. OEM Android device manufacturers use platform certificates, or platform keys, to sign devices' core ROM images containing the Android operating system and associated apps.
A new malware-as-a-service (MaaS) operation named 'DuckLogs' has emerged, giving low-skilled attackers easy access to multiple modules to steal information, log key strokes, access clipboard data, and remote access to the compromised host. DuckLogs is entirely web-based. It claims to have thousands of cybercriminals paying a subscription to generate and launch more than 4,000 malware builds.
Popular password management service LastPass said it's investigating a second security incident that involved attackers accessing some of its customer information, “We recently detected unusual activity within a third-party cloud storage service, which is currently shared by both LastPass and its affiliate, GoTo.GoTo, formerly called LogMeIn, acquired LastPass in October 2015. In December 2021, the Boston-based firm announced plans to spin off LastPass as an independent company. The digital break-in resulted in the unauthorized third-party leveraging information obtained following a previous breach in August 2022 to access "certain elements of our customers' information.”
While analyzing its capabilities, Akamai researchers have accidentally taken down a cryptomining botnet that was also used for distributed denial-of-service (DDoS) attacks. As revealed in a report published earlier this month, the KmsdBot malware behind this botnet was discovered by members of the Akamai Security Intelligence Response Team (SIRT) after it infected one of their honeypots. KmsdBot targets Windows and Linux devices with a wide range of architectures, and it infects new systems via SSH connections that use weak or default login credentials. Compromised devices are being used to mine for cryptocurrency and launch DDoS attacks, with some of the previous targets being gaming and technology companies, as well as luxury car manufacturers.
A Barcelona-based surveillanceware vendor named Variston IT is said to have surreptitiously planted spyware on targeted devices by exploiting several zero-day flaws in Google Chrome, Mozilla Firefox, and Windows, some of which date back to December 2018. ‘Their Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender, and provides all the tools necessary to deploy a payload to a target device,’ Google Threat Analysis Group (TAG) researchers Clement Lecigne and Benoit Sevens said in a write-up. Variston, which has a bare-bones website, claims to ‘offer tailor made Information Security Solutions to our customers,’ ‘design custom security patches for any kind of proprietary system,’ and support the ‘the discovery of digital information by [law enforcement agencies],‘ among other services.
Security researchers found a previously unknown backdoor they call Dophin that's been used by North Korean hackers in highly targeted operations for more than a year to steal files and send them to Google Drive storage. According to research from cybersecurity company ESET, the APT 37 threat group (a.k.a. Reaper, Red Eyes, Erebus, ScarCruft) used the newly discovered malware against very specific entities. The group has been associated with espionage activity aligining with North Korean interests since 2012.
Over 280 Android and iOS apps on the Google Play and the Apple App stores trapped users in loan schemes with misleading terms and employed various methods to extort and harass borrowers. To fuel the operation's extortion attempts, the apps stole excessive amounts of data from mobile phones not usually required to offer loans. In a new report by cybersecurity firm Lookout, researchers uncovered 251 Android 35 iOS lending apps that were downloaded a combined total of 15 million times, mostly from users in India, Colombia, Mexico, Nigeria, Thailand, the Philippines, and Uganda. Lookout reported all of them to Google and Apple for removal and was successfully able to remove all of them.
Ireland's Data Protection Commission (DPC) has levied fines of €265 million ($277 million) against Meta Platforms for failing to safeguard the personal data of more than half a billion users of its Facebook service, ramping up privacy enforcement against U.S. tech firms. The fines follow an inquiry initiated by the European regulator on April 14, 2021, close on the heels of a leak of a "collated dataset of Facebook personal data that had been made available on the internet.
A previously unnamed ransomware has rebranded under the name 'Trigona,' launching a new Tor negotiation site where they accept Monero as ransom payments. Trigona has been active for some time, with samples seen at the beginning of the year. However, those samples utilized email for negotiations and were not branded under a specific name. As discovered by MalwareHunterTeam, starting in late October 2022, the ransomware operation launched a new Tor negotiation site where they officially named themselves 'Trigona.' As Trigona is the name of a family of large stingless bees, the ransomware operation has adopted a logo showing a person in a cyber bee-like costume.
New findings from cybersecurity firm JFrog show that malware targeting the npm ecosystem can evade security checks by taking advantage of an "unexpected behavior" in the npm command line interface (CLI) tool. npm CLI's install and audit commands have built-in capabilities to check a package and all of its dependencies for known vulnerabilities, effectively acting as a warning mechanism for developers by highlighting the flaws. But as JFrog established, the security advisories are not displayed when the packages follow certain version formats, creating a scenario where critical flaws could be introduced into their systems either directly or via the package's dependencies.
The US Cybersecurity and Infrastructure Security Agency (CISA) added a critical flaw affecting Oracle Fusion Middleware systems to its Known Exploited Vulnerabilities (KEV) Catalog on Monday. The bug, which CISA confirmed has been exploited in the wild, allows unauthenticated attackers with network access via HTTP to compromise Oracle Access Manager. Successful attacks targeting this vulnerability can consequently result in the program's takeover.
Acer has fixed a high-severity vulnerability affecting multiple laptop models that could enable local attackers to deactivate UEFI Secure Boot on targeted systems. The Secure Boot security feature blocks untrusted operating systems bootloaders on computers with a Trusted Platform Module (TPM) chip and Unified Extensible Firmware Interface (UEFI) firmware to prevent malicious code like rootkits and bootkits from loading during the startup process.
A pre-authentication RCE flaw (CVE-2021-35587) in Oracle Access Manager (OAM) that has been fixed in January 2022 is being exploited by attackers in the wild, the Cybersecurity and Infrastructure Security Agency has confirmed by adding the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.
“Amazon Web Services (AWS) has addressed a cross-tenant confused deputy problem in its platform that could have allowed threat actors to gain unauthorized access to resources. The problem was reported to the company by researchers from Datadog on September 1, 2022, and the bug was solved on September 6.” “A confused deputy problem occurs when an entity that doesn’t have permission to perform an action can coerce a more-privileged entity to perform the action. AWS provides tools to protect an account if the owner provides third parties (known as cross-account) or other AWS services (known as cross-service) access to resources in your account.”
Researchers at Vedere Labs disclosed a trio of new security vulnerabilities that can be used to attack automated industrial controllers and a popular piece of software used to program millions of smart devices in critical infrastructure. The bugs (tracked under CVE-2022-4048, CVE-2022-3079 and CVE-2022-3270) allow for logic manipulation and denial of service, primarily impacting products from two major German vendors: Festo automated controllers and CODESYS runtime, an application that allows developers to program smart devices and is, according to Vedere Labs, “used by hundreds of device manufacturers in different industrial sectors.
The Federal Communications Commission adopted new rules prohibiting communications equipment deemed to pose an unacceptable risk to national security from being authorized for importation or sale in the United States. The U.S. ban covers not only the parent companies but their subsidiaries and affiliates as well. The new rules prohibit the authorization of equipment through the FCC’s Certification process and make clear that such equipment cannot be authorized under the Supplier’s Declaration of Conformity process or be imported or marketed under rules that allow exemption from an equipment authorization.
The data consists of scraped public information as well as private phone numbers and email addresses that are not meant to be public. While most of the data consisted of public information, such as Twitter IDs, names, login names, locations, and verified status, it also included private information, such as phone numbers and email addresses. Pompompurin, the owner of the Breached hacking forum, told BleepingComputer this weekend that they were responsible for exploiting the bug and creating the massive dump of Twitter user records after another threat actor known as 'Devil' shared the vulnerability with them. In addition to the 5.4 million records for sale, there were also an additional 1.4 million Twitter profiles for suspended users collected using a different API, bringing the total to almost 7 million Twitter profiles containing private information.
On November 21, ESET uncovered a new wave of ransomware dubbed RansomBoggs being deployed in the networks of multiple Ukrainian organizations. According to researchers, the deployment of the new malware is very similar to the previous Industroyer2 attacks which were attributed to Sandworm, a notorious Russian military threat group. “There are similarities with previous attacks conducted by Sandworm: a PowerShell script used to distribute the .NET ransomware from the domain controller is almost identical to the one seen last April during the Industroyer2 attacks against the energy sector,” stated ESET in its post on Twitter. The PowerShell script which CERT-UA refers to as POWERGAP was also used to deploy CaddyWiper (destructive data wiper malware) using Arguepatch (malware loader) in attacks against Ukrainian organizations in March.
Google recently released security updates to address a high-severity heap buffer overflow in GPU in Chrome web browser. The vulnerability is being tracked as CVE-2022-4135 and was uncovered by Clement Lecigne of Google's Threat Analysis Group on November 22, 2022. Like usual, the technical details of the vulnerability have yet to be released to give users enough time to apply the security updates.
Microsoft shared details on an open-source software (OSS) supply chain incident, after looking into an April 2022 report by security vendor Recorded Future about a “likely Chinese State-sponsored” threat actor targeting Indian power companies. Recorded Future found dozens of indicators between late 2021 and Q1 2022 that were used in intrusions against multiple organizations in India’s energy sector. Microsoft notes the latest related activity was in October 2022, and says its researchers identified a "vulnerable component on all the IP addresses published as IOCs" by Record Future and that it found evidence of a "supply chain risk that may affect millions of organizations and devices."
At least 34 distinct Russian-speaking cybercrime groups using info-stealing malware like Raccoon and Redline have collectively stolen 50,350,000 account passwords from over 896,000 individual infections from January to July 2022. The stolen credentials were for cryptocurrency wallets, Steam, Roblox, Amazon, and PayPal accounts, as well as payment card records. According to a report from Group-IB, whose analysts have been tracking these operations globally, most victims are based in the United States, Germany, India, Brazil, and Indonesia, but the malicious operations targeted 111 countries.
Operators of the Ducktail information stealer have returned introducing new malicious capabilities. Ducktail is a malware designed to siphon browser cookies and take advantage of authenticated Facebook sessions to steal information from victims and run ads on their accounts for monetary gain. The info-stealer is attributed to a Vietnamese threat actor which is known for targeting businesses in the digital marketing and advertising sectors which are active on the Facebook Ads and Business platform. “Also targeted are individuals within prospective companies that are likely to have high-level access to Facebook Business accounts. This includes marketing, media, and human resources personnel.
SearchBlox' installed by more than 200,000 users, has been discovered to contain a backdoor that can steal your Roblox credentials and your assets on Rolimons, a Roblox trading platform. After analyzing the extension code, which indicated the presence of a backdoor, it has been suggested the backdoor was introduced either intentionally by its developer or after an initial compromise. The extensions claim to let allow users to "search Roblox servers for the desired player... blazingly fast." Suspicions arose among the Roblox community members of SearchBlox containing malware where someone tweeted that the Popular plug-in SearchBlox has been COMPROMISED / BACKDOORED - and if you have it, your account may be at risk.
Microsoft said today that security vulnerabilities found to impact a web server discontinued since 2005 have been used to target and compromise organizations in the energy sector. Recorded Future revealed in a report published in April that state-backed Chinese hacking groups (including one traced as RedEcho) targeted multiple Indian electrical grid operators, compromising an Indian national emergency response system and the subsidiary of a multinational logistics company.
Researchers say Black Basta is dropping QBot malware - also called QakBot - in a widespread ransomware campaign targeting mostly U.S.-based companies. In the group's latest campaign, attackers are again using QBot to install a backdoor and then drop in encryption malware and other malicious code, according to Cybereason.
Security researchers are warning that a new red-teaming tool dubbed “Nighthawk” may soon be leveraged by threat actors. Created in late 2021 by MDSec, the tool is best described as an advanced C2 framework, which functions like Cobalt Strike and Brute Ratel as a commercially distributed remote access trojan (RAT) designed for legitimate use.
The U.S. Justice Department in a statement says a federal grand jury on Nov. 10 indicted five former employees of Memphis, Tennessee-based Methodist Le Bonheur Healthcare with accessing and disclosing patient information to a sixth individual, Roderick Harvey, without the knowledge, consent or authorization of the patients. Four of the employees worked as financial counselors at Methodist Healthcare, and one of the individuals held a variety of roles, including PBX unit secretary, according to court documents. The longest-tenured employee, Taylor, worked in the hospital's emergency room as a financial counselor for 18 years, according to court documents.
In April, the operators of the infamous Emotet botnet started testing new attack techniques in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default. In June, Proofpoint experts spotted a new variant of the Emotet bot that uses a new module to steal credit card information stored in the Chrome web browser. The experts noticed multiple changes to the bot and its payloads, and the operators introduced changes to the malware modules, loader, and packer. Below are the changes observed by Proofpoint, “The volume of emails that Emotet sending bots attempt to deliver each day is in the hundreds of thousands. These numbers are comparable to historic averages. Hence, it does not appear that the Emotet botnet lost any significant spamming capability during the inactive period.” reads the report published by Proofpoint.
A notorious advanced persistent threat actor known as Mustang Panda has been linked to a spate of spear-phishing attacks targeting government, education, and research sectors across the world. The primary targets of the intrusions from May to October 2022 included counties in the Asia Pacific region such as Myanmar, Australia, the Philippines, Japan, and Taiwan, cybersecurity firm Trend Micro said in a Friday report.
Google Cloud researchers announced to have discovered 34 different Cobalt Strike hacked release versions with a total of 275 unique JAR files across these versions. Google Cloud Threat Intelligence (GCTI) researchers developed a set of YARA rules to detect hacked variants in the wild with a high degree of accuracy. The researchers noticed that each Cobalt Strike version contains approximately 10 to 100 attack template binaries The experts were able to locate versions of the Cobalt Strike JAR file starting with version 1.44 (which was released in 2012) up to the latest version at the time of publishing the analysis, Cobalt Strike 4.7.
When a user logs into Discord with their credentials, the platform sends back a user authentication token saved on the computer. This token can then be used to log in as the user or to issue API requests that retrieve information about the associated account. Threat actors commonly attempt to steal these tokens because they enable them to take over accounts or, even worse, abuse them for further malicious attacks.
Researchers from Egress detailed an increase in phishing campaigns spoofing the Netflix brand since October, noting a 78% increase in impersonation attacks against the brand. If employees use the same credentials for personal accounts like Netflix as their work accounts, campaigns like this may impact corporate systems and data, warned Egress. The group behind the attacks is using Unicode characters to bypass natural language processing (NLP) scanning, which will prevent traditional anti-phishing filters from catching it. “Unicode helps to convert international languages within browsers – but it can also be used for visual spoofing by exploiting international language characters to make a fake URL look legitimate,” Egress wrote.
A sophisticated phishing kit has been targeting North Americans since mid-September, using lures focused on holidays like Labor Day and Halloween. The kit uses multiple evasion detection techniques and incorporates several mechanisms to keep non-victims away from its phishing pages.
Atlassian has released updates to address critical-severity updates in its centralized identity management platform, Crowd Server and Data Center, and in Bitbucket Server and Data Center, the company's solution for Git repository management. Both security vulnerabilities received a severity rating of 9 out of 10 (calculated by Atlassian) and affect multiple versions of the products.
A previously unknown ‘ARCrypter’ ransomware that compromised key organizations in Latin America is now expanding its attacks worldwide. Threat actors behind the new ransomware family attacked a government agency in Chile last August, targeting both Linux and Windows systems and appending the “.crypt” extension on encrypted files. Back then, Chilean threat analyst Germán Fernández told BleepingComputer that the strain appeared entirely new, not connected to any known ransomware families. Researchers at BlackBerry have confirmed this via a report that identifies the family as ARCrypter and links it to a second attack against the Colombia National Food and Drug Surveillance Institute (Invima) in October.
Today, CISA, the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released joint Cybersecurity Advisory (CSA) #StopRansomware: Hive Ransomware to provide network defenders tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Hive ransomware variants. FBI investigations identified these TTPs and IOCs as recently as November 2022.
A Ukrainian national who has been wanted by the U.S for over a decade has been arrested by Swiss authorities for his role in a notorious cybercriminal ring that stole millions of dollars from victims' bank accounts using malware called Zeus. Vyacheslav Igorevich Penchukov, who went by online pseudonyms "tank" and "father," is said to have been involved in the day-to-day operations of the group. He was apprehended on October 23, 2022, and is pending extradition to the U.S. Details of the arrest were first reported by independent security journalist Brian Krebs.
Cybersecurity firm Rapid7 recently disclosed two high-severity vulnerabilities in F5 BIG-IP and BIG-IQ devices which could enable complete device takeover upon successful exploitation. The first flaw which is being tracked as CVE-2022-41622 is related to a cross-site request forgery vulnerability in BIG-IP and BIG-IQ products and can allow a malicious threat actor to execute code remotely without authentication.
Ukrainian cyber-experts have discovered a new attack campaign by suspected Russian threat actors that compromises victims’ VPN accounts to access and encrypt networked resources. The country’s Computer Emergency Response Team (CERT) noted in a new statement that the so-called Somnia ransomware was being used by the FRwL (aka Z-Team), also identified as UAC-0118.
Z-Library is described as "one of the world's largest public and free-to-access written content repositories, containing 11 million books and 84 million articles in a massive 220 TB database and as a volunteer-run project with no commercial direction. However, at some point, it started offering paid memberships in exchange for premium features.
Microsoft has urged developers still using the long-term support (LTS) release of .NET Core 3.1 to migrate to the latest .NET Core versions until it reaches the end of support (EOS) next month. The company warned customers on the Windows message center to upgrade to .NET 6 (LTS) or .NET 7 "as soon as possible" before .NET Core 3.1 (LTS) reaches EOS on December 13, 2022.
When your computer or smartphone needs repairing, can you trust repair technicians not to access or steal your data? According to the results of recent research by scientists at the University of Guelph, Canada, you shouldn’t. Granted, they tested only 16 repair service providers with rigged devices, but in six cases, technicians snooped on customers’ data, and in two, they copied the data to external devices. Oh, and most of them tried to cover their tracks, either by removing evidence (e.g., by clearing items in the “Quick Access” or “Recently Accessed Files” on Microsoft Windows) or by trying not to generate it (e.g., by just zooming in on photo thumbnails).
Researchers from FortiGuard Labs discovered the previously undetected RapperBot IoT botnet in August, and reported that it is active since mid-June 2022. The bot borrows a large portion of its code from the original Mirai botnet, but unlike other IoT malware families, it implements a built-in capability to brute force credentials and gain access to SSH servers instead of Telnet as implemented in Mirai.
North Korean hackers are using a new version of the DTrack backdoor to attack organizations in Europe and Latin America. DTrack is a modular backdoor featuring a keylogger, a screenshot snapper, a browser history retriever, a running processes snooper, an IP address and network connection information snatcher, and more. Apart from spying, it can also run commands to perform file operations, fetch additional payloads, steal files and data, and execute processes on the compromised device. The new malware version doesn't feature many functional or code changes compared to samples analyzed in the past, but it is now deployed far more widely.
Researchers recently uncovered hundreds of databases on Amazon Relational Database Service (Amazon RDS) which are exposing personally identifiable information (PII). "Amazon RDS is a web service that makes it possible to set up relational databases in the Amazon Web Services (AWS) cloud. It offers support for different database engines such as MariaDB, MySQL, Oracle, PostgreSQL, and SQL Server.
Security researchers have uncovered a sophisticated phishing campaign using tens of thousands of malicious domains to spread malware and generate advertising revenue. Dubbed “Fangxiao,” the group directs unsuspecting users to the domains via WhatsApp messages telling them they’ve won a prize, according to security vendor Cyjax. The phishing site landing pages apparently impersonate hundreds of well-known brands including Emirates, Unilever, Coca-Cola, McDonald’s and Knorr. The victims will be redirected to advertising sites, which Fangxiao generates money from, en route to a fake survey where it's claimed they can win a prize.
A cyberespionage threat actor tracked as Billbug (a.k.a. Thrip, Lotus Blossom, Spring Dragon) has been running a campaign targeting a certificate authority, government agencies, and defense organizations in several countries in Asia. The most recent attacks were observed since at least March but the actor has been operating stealthily for more than a decade and it is believed to be a state-sponsored group working for China. Its operations have been documented by multiple cybersecurity companies over the past six years.
Whoosh is Russia's leading urban mobility service platform, operating in 40 cities with over 75,000 scooters. The Russian scooter-sharing service has confirmed a data breach after hackers started to sell a database containing the details of 7.2 million customers on a hacking forum. It was on Friday, when the threat actor began selling the stolen data on a hacking forum, which allegedly contains promotion codes that can be used to access the service for free, as well as partial user identification and payment card data.
Early this year, Trend Micro investigated a security breach suffered by a company in Taiwan. Threat actors employed a custom Cobalt Strike loader in the attack. Further analysis, revealed that the same threat actor targeted multiple regions using a similar Cobalt Strike loader and has been active since 2020. The experts attributed the attacks to a new subgroup of the China-linked APT41 group, tracked as Earth Longzhi.
The volume of newly discovered vulnerabilities continue to increase year after year. As threat actors become better at weaponizing vulnerabilities, it is becoming ever more important for organizations to make timely and well judged decisions in regards to vulnerability prioritization and remediation. While CISA regularly publishes it’s list of most exploited vulnerabilities and regularly updates the Known Exploited Vulnerabilities Catalog, it still remains a challenge for organizations to understand which security holes should be plugged first. To combat these challenges, CISA has been updating and promoting the Stakeholder-Specific Vulnerability Categorization (SSVC) system.
Microsoft has resolved a known issue causing connectivity problems for Windows customers using the DirectAccess service to access their organizations remotely without using a virtual private network (VPN). According to Redmond, DirectAccess might not reconnect automatically after the impacted device experience connectivity issues. Scenarios that could lead to this known issue include switching between access points or Wi-Fi networks and temporarily losing network connectivity. The problems affect enterprise endpoints where admins have deployed Windows updates released since mid-October.
The malware was employed in cryptocurrency mining campaigns, KmsdBot supports multiple architectures, including as Winx86, Arm64, and mips64, x86_64, and does not stay persistent to avoid detection. The malicious code was used in attacks targeting multiple sectors including the gaming industry, technology industry, and luxury car manufacturers. The first DDoS attack observed by Akamai targeted a gaming company named FiveM, which allows gamers to host custom private servers for Grand Theft Auto Online. The malware employed specific targeted attacks along with generic Layer 4 and Layer 7 attacks.
Russian hacktivists have infected multiple organizations in Ukraine with a new ransomware strain called 'Somnia,' encrypting their systems and causing operational problems. The Computer Emergency Response Team of Ukraine (CERT-UA) has confirmed the outbreak via an announcement on its portal, attributing the attacks to 'From Russia with Love' (FRwL), also known as 'Z-Team,' whom they track as UAC-0118. The group previously disclosed creating the Somnia ransomware on Telegram and even posted evidence of attacks against tank producers in Ukraine. However, until today, Ukraine has not confirmed any successful encryption attacks by the hacking group.
Palo Alto Networks’ Unit 42 research team recently disclosed multiple vulnerabilities in the open-source OpenLiteSpeed Web Server as well as its enterprise version (LiteSpeed Web Server) which could be exploited to achieve remote code execution. In total, three vulnerabilities were uncovered, two of high severity and one of which has been rated medium in severity.
The vulnerabilities include:
Grocery stores and pharmacies belonging to Canadian food retail giant Sobeys have been experiencing IT systems issues since last weekend. Sobeys is one of two national grocery retailers in Canada, with 134,000 employees servicing a network of 1,500 stores in all ten provinces under multiple retail banners, including Sobeys, Safeway, IGA, Foodland, FreshCo, Thrifty Foods, and Lawtons Drugs.
Ukraine's cyber police and Europol have identified and arrested five key members of an international investment fraud ring estimated to have caused losses of over €200 million per year. The operation of the investment scheme was spread across multiple European countries, including Ukraine, Germany, Spain, Latvia, Finland, and Albania. The scammers operate call centers and offices in these countries, as required to trick prospective investors into initiating a series of fake investments. The criminals created an extensive network of fake websites posing as cryptocurrency, stocks, bonds, futures, and options investment portals to promote the operation.
The attack stands out for the use of the Windows Credential Roaming feature. Credential Roaming was introduced by Microsoft in Windows Server 2003 SP1 and is still supported on Windows 11 and Windows Server 2022. The feature is used to roam certificates and other credentials with the user within a domain. APT29 along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.
Security researchers at Claorty recently disclosed details of a vulnerability in a system used across oil and gas organizations. Tracked as CVE-2022-0902 (CVSS score: 8.1), the flaw is related to a path traversal vulnerability in ABB Totalflow flow computers and remote controllers. “Flow computers are special-purpose electronic instruments used by petrochemical manufacturers to interpret data from flow meters and calculate and record the volume of substances such as natural gas, crude oils, and other hydrocarbon fluids at a specific point in time. These gas measurements are critical not only when it comes to process safety, but are also used as inputs when bulk liquid or gas products change hands between parties, making it imperative that the flow measurements are accurately captured”.
Hackers are conducting a massive black hat search engine optimization (SEO) campaign by compromising almost 15,000 websites to redirect visitors to fake Q&A discussion forums. The attacks were first spotted by Sucuri, who says that each compromised site contains approximately 20,000 files used as part of the search engine spam campaign, with most of the sites being WordPress. The researchers believe the threat actors' goal is to generate enough indexed pages to increase the fake Q&A sites' authority and thus rank better in search engines.
Google Project Zero has disclosed the details of three Samsung phone vulnerabilities that have been exploited by a spyware vendor since being designated with zero-day status. The flaws, tracked as CVE-2021-25337, CVE-2021-25369 and CVE-2021-25370, have been chained and exploited against Android phones, but they impact custom Samsung components. The security holes have been described as an arbitrary file read/write issue via a custom clipboard content provider, a kernel information leak, and a use-after-free in the display processing unit driver.
A new Chrome browser botnet named 'Cloud9' has been discovered in the wild using malicious extensions to steal online accounts, log keystrokes, inject ads and malicious JS code, and enlist the victim's browser in DDoS attacks. The Cloud9 browser botnet is effectively a remote access trojan (RAT) for the Chromium web browser, including Google Chrome and Microsoft Edge, allowing the threat actor to remotely execute commands. The malicious Chrome extension isn't available on the official Chrome web store but is instead circulated through alternative channels, such as websites pushing fake Adobe Flash Player updates. This method appears to be working well, as researchers at Zimperium reported today that they have seen Cloud9 infections on systems across the globe.
On Tuesday Citrix released security updates to address three flaws impacting Citrix ADC and Citrix Gateway one of which is a critical authentication bypass vulnerability. Successful exploitation of these flaws could enable threat actors to gain unauthorized access to the targeted device, perform remote desktop takeover, and bypass login brute force protections.
VMware has released security updates to address three critical severity vulnerabilities in the Workspace ONE Assist solution that enable remote attackers to bypass authentication and elevate privileges to admin. Workspace ONE Assist provides remote control, screen sharing, file system management, and remote command execution to help desk and IT staff remotely access and troubleshoot devices in real time from the Workspace ONE console.
11 vulnerabilities are rated as Critical and 53 are rated Important in severity. This month Microsoft addressed a couple of vulnerabilities in MS Exchange that are currently being exploited in the wild. “They were expected last month, but they are finally here (along with several other Exchange fixes). These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time. At some point later, they were detected in the wild. Microsoft has released several different mitigation recommendations, but the best advice is to test and deploy these fixes.” reads the announcement published by ZDI. “There were some who doubted these patches would be released this month, so it’s good to see them here.”
CheckPoint Researchers released their Global Threat Index for October 2022, which features metrics from millions of CheckPoint threat intel sensors, installed across customer networks, endpoints, and mobile devices. The researchers found that AgentTesla accounted for nearly a fifth (16%) of total global detections in October. The report revealed that “AgentTesla was the most widespread malware, impacting 7% of organizations. The advanced RAT malware works as a keylogger and information stealer capable of collecting the victim’s keystrokes, taking screenshots and exfiltrating credentials.
The Amadey malware is being used to deploy LockBit 3.0 ransomware on compromised systems, researchers have warned. ‘Amadey bot, the malware that is used to install LockBit, is being distributed through two methods: one using a malicious Word document file, and the other using an executable that takes the disguise of the Word file icon,’ AhnLab Security Emergency Response Center (ASEC) said in a new report published today.
Cryptocurrency users are being targeted with a new clipper malware strain dubbed Laplas by means of another malware known as SmokeLoader. SmokeLoader, which is delivered by means of weaponized documents sent through spear-phishing emails, further acts as a conduit for other commodity trojans like SystemBC and Raccoon Stealer 2.0, according to an analysis from Cyble. Observed in the wild since circa 2013, SmokeLoader functions as a generic loader capable of distributing additional payloads onto compromised systems, such as information-stealing malware and other implants. In July 2022, it was found to deploy a backdoor called Amadey. Cyble said it discovered over 180 samples of the Laplas since October 24, 2022, suggesting a wide deployment.
Microsoft has asserted that China's offensive cyber capabilities have improved, thanks to a law that has allowed Beijing to create an arsenal of unreported software vulnerabilities. China's 2021 law required organizations to report security vulnerabilities to local authorities before disclosing them to any other entity. The rules mean Beijing can use local research to hoard vulnerability information.
According to a new report from cybersecurity firm IronNet, Robin Banks has returned after relocating its attack infrastructure to DDoS-Guard, a Russian provider of bulletproof hosting services. Robin Banks is a phishing-as-a-service platform that was uncovered back in July 2022. The platform offers ready-made phishing kits that have been used to target customers of well-known banks and online services including Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, etc.
The United Kingdom's National Cyber Security Centre (NCSC), the government agency that leads the country's cyber security mission, is now scanning all Internet-exposed devices hosted in the UK for vulnerabilities. The goal is to assess UK's vulnerability to cyber-attacks and to help the owners of Internet-connected systems understand their security posture.
A business email compromise (BEC) group named 'Crimson Kingsnake' has emerged, impersonating well-known international law firms to trick recipients into approving overdue invoice payments. The threat actors impersonate lawyers who are sending invoices for overdue payment of services supposedly provided to the recipient firm a year ago. This approach creates a solid basis for the BEC attack, as recipients may be intimidated when receiving emails from large law firms like the ones impersonated in the scams.
Cisco addressed multiple vulnerabilities impacting some of its products, including high-severity flaws in identity, email, and web security products. The most severe vulnerability addressed by the IT giant is a cross-site request forgery (CSRF) flaw, tracked as CVE-2022-20961 (CVSS score of 8.8), that impacts the Identity Services Engine (ISE). An unauthenticated, remote attacker can exploit the vulnerability to perform arbitrary actions on a vulnerable device. The root cause of the issue is the insufficient CSRF protections for the web-based management interface of an affected device.
Attackers are abusing Microsoft Dynamics 365 Customer Voice to evade email filters and deliver phishing emails into Microsoft users’ inboxes, Avanan researchers are warning. Microsoft Dynamics 365 is a suite of enterprise resource planning (ERP) and customer relationship management (CRM) applications. Customer Voice is one of these applications, and it’s used for collecting data and feedback from customers via surveys, phone calls, etc. The attackers have created Microsoft Dynamics 365 Customer Voice accounts and are using them to send out phishing emails telling recipients that they have received a voicemail. To the end user, this looks like a voicemail from a customer, which would be important to listen to. Clicking on it is the natural step.
LockBit allegedly stole some data from Continental's systems, and they are threatening to publish it on their data leak site if the company doesn't give in to their demands within the next 22 hours. The gang has yet to make any details available regarding what data it exfiltrated from Continental's network or when the breach occurred. Ransomware gangs commonly publish data on their leak sites as a tactic to scare their victims into negotiating a deal or into returning to the negotiation table. Since LockBit says that it will publish "all available" data, this indicates that Continental is yet to negotiate with the ransomware operation or it has already refused to comply with the demands.
Security researchers at Sentinel Labs have uncovered evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7, also known as "Carbanak." When analyzing tools used by the ransomware gang in attacks, the researchers found signs that a developer for FIN7 has also authored the EDR (Endpoint Detection and Response) evasion tools used exclusively by Black Basta since June 2022.
A French-speaking threat actor dubbed OPERA1ER has been linked to a series of more than 30 successful cyber attacks aimed at banks, financial services, and telecom companies across Africa, Asia, and Latin America between 2018 and 2022. According to Singapore-headquartered cybersecurity company Group-IB, the attacks have led to thefts totaling $11 million, with actual damages estimated to be as high as $30 million. Some of the more recent attacks in 2021 and 2021 have singled out five different banks in Burkina Faso, Benin, Ivory Coast, and Senegal. Many of the victims identified are said to have been compromised twice, and their infrastructure subsequently weaponized to strike other organizations.
Threat actors are using the compromised infrastructure of an undisclosed media company to deploy the SocGholish JavaScript malware framework (also known as FakeUpdates) on the websites of hundreds of newspapers across the U.S. ‘The media company in question is a firm that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States,’ Sherrod DeGrippo, VP of threat research and detection at Proofpoint, told BleepingComputer. The threat actor behind this supply-chain attack (tracked by Proofpoint as TA569) has injected malicious code into a benign JavaScript file that gets loaded by the news outlets' websites.
Researchers have discovered over two dozen Python packages on the PyPI registry that are pushing info-stealing malware. Most of these contain obfuscated code that drops "W4SP" info-stealer on infected machines, while others make use of malware purportedly created for "educational purposes" only. Researchers have identified over two dozen Python packages on the PyPI registry that imitate popular libraries but instead drop info-stealers after infecting machines. The packages, listed below, are typosquats—that is, threat actors publishing these have intentionally named them similar to known Python libraries in hopes that developers attempting to fetch the real library make a spelling error and inadvertently retrieve one of the malicious ones.
Emotet is a malware infection distributed through phishing campaigns containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL will be downloaded and loaded into memory. Once loaded, the malware will search for and steal emails to use in future spam campaigns and drop additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks. While Emotet was considered the most distributed malware in the past, it suddenly stopped spamming on June 13th, 2022. Researchers from the Emotet research group Cryptolaemus reported that at approximately 4:00 AM ET on November 2nd, the Emotet operation suddenly came alive again, spamming email addresses worldwide.
To follow-up on Monday’s message, OpenSSL has released a security advisory to address the two vulnerabilities (CVE-2022-3602 and CVE-2022-3786), affecting OpenSSL versions 3.0.0 through 3.0.6. Both CVE-2022-3602 and CVE-2022-3786 can cause a denial of service. According to OpenSSL, a cyber threat actor leveraging CVE-2022-3786, "can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution," allowing them to take control of an affected system.
Threat actors are using newly discovered spyware known as SandStrike and delivered via a malicious VPN application to target Android users. They focus on Persian-speaking practitioners of the Baháʼí Faith, a religion developed in Iran and parts of the Middle East. The attackers are promoting the malicious VPN app as a simple way to circumvent censorship of religious materials in certain regions. To spread it, they use social media accounts to redirect potential victims to a Telegram channel that would provide them with links to download and install the booby-trapped VPN.
On Tuesday, Dropbox disclosed it was the victim of a phishing campaign that enabled unidentified threat actors to gain unauthorized access to 130 of its source code repositories on GitHub. The repositories allegedly contained copies of modified third-party libraries used by Dropbox, internal prototypes, and some tools and configuration files used by the file hosting service’s security team.
Ransomware remains a serious threat to organizations, Deep Instinct, a New York-based deep learning cybersecurity specialist, said in its recently released 2022 Interim Cyber Threat Report. It’s no surprise, the company said, as there are currently 17 leaked databases operated by threat actors who are leveraging the data for attacks on third-party companies, most notably social engineering, credential theft, and triple-extortion attacks.
OpenSSL released patches for two vulnerabilities that have caused widespread concern among cybersecurity experts and researchers over the last week and a half. OpenSSL is a commonly used code library that allows secured internet communication.
VMware warned of the existence of a public exploit targeting a recently addressed critical remote code execution (RCE) vulnerability, tracked as CVE-2021-39144 (CVSS score of 9.8), in NSX Data Center for vSphere (NSX-V). VMware NSX is a network virtualization solution that is available in VMware vCenter Server. The remote code execution vulnerability resides in the XStream open-source library. Unauthenticated attackers can exploit the vulnerability in low-complexity attacks without user interaction.
A new report shows that hackers are selling access to 576 corporate networks worldwide for a total cumulative sales price of $4,000,000, fueling attacks on the enterprise. The research comes from Israeli cyber-intelligence firm KELA which published its Q3 2022 ransomware report, reflecting stable activity in the sector of initial access sales but a steep rise in the value of the offerings. Although the number of sales for network access remained about the same as in the previous two quarters, the cumulative requested price has now reached $4,000,000. For comparison, the total value of initial access listings in Q2 2022 was $660,000, recording a drop in value that coincided with the summer ransomware hiatus that hurt demand. In the third quarter of 2022, KELA's analysts observed 110 threat actors posting 576 initial access offerings totaling a cumulative value of $4,000,000. The average selling price of these listings was $2,800, while the median selling price reached a record figure of $1,350.
The Federal Trade Commission (FTC) has taken legal action against EdTech player Chegg, alleging the firm has failed to protect its customers after suffering four data breaches since 2017. The FTC’s proposed order alleged Chegg took “shortcuts” with the personal data of millions of its students and will mandate enhanced data security, limits to data collection, improved access controls and more autonomy for students to delete their own data. The California-based company – which sells online tutoring and online scholarship search services, among other things – collects a large amount of personal and financial information on its customers. This includes their religious affiliation, date of birth, sexual orientation, disabilities, Social Security numbers and medical data, the FTC said.
Analysts at Orca Security recently disclosed that they found a critical vulnerability affecting Azure Cosmos DB that could allow an unauthenticated threat actor to read and write access to containers. The flaw which has been dubbed CoMiss, resides in Azure Cosmos DB built-in Jupyter Notebooks that integrate into the Azure portal and Azure Cosmos DB accounts for querying, analyzing, and visualizing NoSQL data and results easier.
The personal mobile phone of British Prime Minister Liz Truss was hacked by cyber spies suspected of working for the Kremlin, the Daily Mail reported. According to the British tabloid, the cyber-spies are believed to have gained access to top-secret exchanges with key international partners as well as private conversations with his friend, the British Conservative Party politician Kwasi Kwarteng.
The vulnerability was discovered by Checkmarx, which is called the attack technique RepoJacking. The method potentially allowed attackers to infect all applications and code in the repository. The vulnerability could allow an attacker to take control over a GitHub repository and potentially infect all applications and other code relying on it with malicious code. If not explicitly tended, all renamed usernames on GitHub were vulnerable to this flaw, including over 10,000 packages on the Go, Swift, and Packagist package managers.
In July 2021, President Biden signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. This memorandum required CISA, in coordination with the National Institute of Standards and Technology (NIST) and the interagency community, to develop baseline cybersecurity performance goals that are consistent across all critical infrastructure sectors. These voluntary cross-sector Cybersecurity Performance Goals (CPGs) are intended to help establish a common set of fundamental cybersecurity practices for critical infrastructure, and especially help small- and medium-sized organizations kickstart their cybersecurity efforts.
ConnectWise Recover: Recover v2.9.7 and earlier versions are impacted by due to, "Improper Neutralization of Special Elements in Output Used by a Downstream Component." If exploit an attacker could execute remote code or directly access confidential data.
Affected versions
ConnectWise Recover: Recover v2.9.7 and earlier versions are impacted. R1Soft: SBM v6.16.3 and earlier versions are also impacted.
The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware. It is "part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread," the Microsoft Security Threat Intelligence Center (MSTIC) said in a detailed write-up. Raspberry Robin, also called QNAP Worm owing to the use of compromised QNAP storage servers for command-and-control, is the name given to a malware by cybersecurity company Red Canary that spreads to Windows systems through infected USB drives.
On Thursday, Google released security updates to address a high-severity zero-day bug that it says is actively being exploited in the wild. Tracked as CVE-2022-3723, the vulnerability is related to a type confusion bug in the Chrome V8 Javascript engine. Type confusion bugs occur when a program allocates a resource, object, or variable using a type and then accesses it using a different, incompatible type, resulting in out-of-bounds memory access. As such, a malicious threat actor could use this access to read sensitive information, cause crashes, and execute arbitrary code.
Gartner released new statistics this week on API attacks. According to the researchers, APIs have become the leading attack vector for enterprise web applications. As more organizations move their operations to cloud based services, data is being moved with APIs. ”Organizations are using APIs to build complex applications that serve as the foundation for their business models since they offer an effective way to leverage the data and functionality delivered by an organization’s digital applications and services. They are becoming more popular due to their ability to provide connectivity between disparate systems. For example, an API for a bank can allow you to access your account information from a mobile app or website. In addition, companies may use APIs for internal processes, such as billing or inventory management.
A set of Android malware droppers were found infiltrating the Google Play store to install banking trojans pretending to be app updates. Malware droppers are a challenging category of apps to stop because they do not contain malicious code themselves and thus can more easily pass Google Play reviews when submitted to the store. At the same time, they do not raise suspicion among the users as they provide the advertised functionality, and malicious behavior is conducted behind the scenes. Researchers at Threat Fabric, who discovered the new set of droppers, report a rise in the use of droppers for Android malware distribution precisely because they can offer a stealthy pathway to infecting devices. This is particularly important considering the ever-increasing restrictions and safeguards introduced with each major Android release, preventing malware from abusing permissions, fetching malicious modules from external resources, or using the Accessibility service to perform unlimited actions on the device.
The Cranefly hacking group, aka UNC3524, uses a previously unseen technique of controlling malware on infected devices via Microsoft Internet Information Services (IIS) web server logs. Microsoft Internet Information Services (IIS) is a web server that hosts websites and web applications. It’s also used by other software, such as Outlook on the Web (OWA) for Microsoft Exchange, to host management apps and web interfaces.
Calix GigaCenter and GigaHub premises systems with remote access enabled are vulnerable to a SOCKS5 Proxy exploit. The exploit uses command injection via the HTTP API to download a script which then installs the SOCKS5 Proxy. The proxy will continue running after a reboot.
The OpenSSL Project announced that it is going to release updates to address a critical vulnerability in the open-source toolkit. Experts pointed out that it is the first critical vulnerability patched in toolkit since September 2016.
The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 3.0.7. This release will be made available on Tuesday 1st November 2022 between 1300-1700 UTC.” reads the announcement. “OpenSSL 3.0.7 is a security-fix release. The highest severity issue fixed in this release is CRITICAL.
A notorious British hacker was arraigned on Wednesday by the U.S. Department of Justice for allegedly running the now defunct 'The Real Deal" dark web marketplace. The 34-year-old defendant Daniel Kaye (aka Bestbuy, Spdrman, Popopret, UserL0ser) allegedly ran the illicit services market between early 2015 and November 2016 when The Real Deal shut down. Kaye also allegedly trafficked Twitter and Linked accounts and conspired with a threat actor known as TheDarkOverlord to sell stolen Social Security numbers. He laundered the cryptocurrency obtained while operating The Real Deal using the Bitmixer[.]io Bitcoin mixer service to hide the illicit gains from law enforcement's blockchain tracing analysis efforts.
Calix development is, and has been, investigating this issue and working on fixes that include remediating systems impacted as well as preventing exploitation of other systems. The problem is understood and a fix is forthcoming. When it is available, customers will be advised via account teams, service bulletins and proactive alerts. This community post will also be updated with information as it becomes available.
We received reports this morning that some Calix GigaCenters were under attack. According to reports, Calix GigaCenter routers that have default or compromised credentials are being attacked. In one case, a service provider reported that 10% of their GigaCenters (844E) rebooted overnight. Another service provider reported that their DNS server’s cache was exhausted impacting DNS resolution.
On Tuesday, VMware released security updates to address a critical flaw in the VMware Cloud Foundation Product, a hybrid cloud platform that is used to run enterprise apps in private or public environments. Tracked as CVE-2021-39144, the vulnerability is related to a remote code execution flaw that resides in XStream, an open-source library used by Cloud Foundation.
The threat actor behind a remote access trojan called RomCom RAT has been observed targeting Ukrainian military institutions as part of a new spear-phishing campaign that commenced on October 21, 2022. The development marks a shift in the attacker's modus operandi, which has been previously attributed to spoofing legitimate apps like Advanced IP Scanner to drop backdoors on compromised systems.
Cisco is warning of exploitation attempts targeting two security flaws, CVE-2020-3153 (CVSS score: 6.5) and CVE-2020-3433 (CVSS score: 7.8), in the Cisco AnyConnect Secure Mobility Client for Windows. Both vulnerabilities are dated 2020 and are now patched.
Microsoft warns that a newly acknowledged issue can lead to data loss when resetting virtual disks using the Server Manager management console. Server Manager helps IT admins manage Windows-based servers from their desktops without requiring a Remote Desktop connection or physical access to the servers. Because of this issue, admins attempting to reset (or clear) a virtual disk might accidentally reset the wrong disk, leading to data corruption. They will also see "Failed to reset disk" errors in the Task Progress dialog window, with the 'Found multiple disks with the same ID. Please update your storage driver and then try again.' error message.
Security researchers at McAfee have discovered 16 malicious clicker apps available in the official Google Play store that were installed more than 20 million times. One of these apps, DxClean, has more than five million times, and its user rating was 4.1 out of 5 stars. Clicker apps are adware software that loads ads in invisible frames or the background and clicks them to generate revenue for the threat actors behind the campaign. Threat actors have concealed the malicious code in practical utility applications like Flashlight (Torch), QR readers, Camara, Unit converters, and Task managers. Upon executing the clicker apps, they will download the configuration from a remote server and register the FCM listener to receive the push messages.
On Monday, Apple released security updates to address a zero-day flaw in iOS and iPadOS which is actively being exploited in the wild. Tracked as CVE-2022-42827, the vulnerability is related to an out-of-bounds write bug in the kernel that could be exploited by a malicious threat actor to execute arbitrary code with the highest privileges.
Hive ransomware group has claimed responsibility for a cyber attack disclosed by Tata Power this month. A subsidiary of the multinational conglomerate Tata Group, Tata Power is India's largest integrated power company based in Mumbai. In screenshots seen by BleepingComputer, Hive operators have posted data they claim to have stolen from Tata Power, indicating that the ransom negotiations failed.
“A new Windows zero-day allows threat actors to use malicious stand-alone JavaScript files to bypass Mark-of-the-Web security warnings. Threat actors are already seen using the zero-day bug in ransomware attacks. Windows includes a security feature called Mark-of-the-Web (MoTW) that flags a file as having been downloaded from the Internet and, therefore, should be treated with caution as it could be malicious.
Australian private health insurance provider Medibank has revealed that the hack and data breach it discovered over two weeks ago has affected more customers than initially thought, “We have received a series of additional files from the criminal. We have been able to determine that this includes: a copy of the file received last week containing 100 ahm policy records (including personal and health claims data); a file of a further 1,000 ahm policy records (including personal and health claims data); and files which contain some Medibank and additional ahm and international student customer data. It has become clear that the criminal has taken data that now includes Medibank customer data, in addition to that of ahm and international student customers,” the company said.
The US has announced another blockbuster set of charges against Chinese nationals in three cases, including one in which two agents are said to have paid bribes for inside information on the federal prosecution of Huawei. The US Department of Justice (DoJ) unveiled the charges yesterday and, although Huawei is not named, widespread reports claim it is the telco at the center of the case. The US filed a string of charges of racketeering and conspiracy to steal trade secrets against the firm in 2019 and 2020.
CISA, the FBI, and the Department of Health and Human Services (HHS) warned that the Daixin Team cybercrime group is actively targeting U.S. businesses, mainly in the Healthcare and Public Health (HPH) Sector, with ransomware operations. The Daixin Team is a ransomware and data extortion group that has been active since at least June 2022. The group focused on the HPH Sector with ransomware operations that aimed at deploying ransomware and exfiltrating personal identifiable information (PII) and patient health information (PHI) threatening to release the stolen data if a ransom is not paid.
The notorious Emotet botnet has been linked to a new wave of malspam campaigns that take advantage of password-protected archive files to drop CoinMiner and Quasar RAT on compromised systems. In an attack chain detected by Trustwave SpiderLabs researchers, an invoice-themed ZIP file lure was found to contain a nested self-extracting (SFX) archive, the first archive acting as a conduit to launch the second. While phishing attacks like these traditionally require persuading the target into opening the attachment, the cybersecurity company said the campaign sidesteps this hurdle by making use of a batch file to automatically supply the password to unlock the payload
Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware. GitHub is one of the largest code hosting platforms, and researchers use it to publish PoC exploits to help the security community verify fixes for vulnerabilities or determine the impact and scope of a flaw. According to the technical paper from the researchers at Leiden Institute of Advanced Computer Science, the possibility of getting infected with malware instead of obtaining a PoC could be as high as 10.3%, excluding proven fakes and prankware.
A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware. Typosquatting is an old method of tricking people into visiting a fake website by registering a domain name similar to that used by genuine brands. The domains used in this campaign are very close to the authentic ones, featuring a single letter position swap or an additional "s," making them easy for people to miss. The malicious websites are clones of the originals or at least convincing enough, so there's not much to give away the fraud.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.
The vulnerability is tracked as CVE-2021-3493 and it’s related to the OverlayFS file system implementation in the Linux kernel. It allows an unprivileged local user to gain root privileges, but it only appears to affect Ubuntu. CVE-2021-3493 has been exploited in the wild by a stealthy Linux malware named Shikitega, which researchers at AT&T Alien Labs detailed in early September. Shikitega is designed to target endpoints and IoT devices running Linux, allowing the attacker to gain full control of the system. It has also been used to download a cryptocurrency miner onto the infected device.
Advocate Aurora Health (AAH), a 26-hospital healthcare system in Wisconsin and Illinois, is notifying its patients of a data breach that exposed the personal data of 3,000,000 patients. The incident was caused by the improper use of Meta Pixel on AAH's websites, where patients log in and enter sensitive personal and medical information. Meta Pixel is a JavaScript tracker that helps website operators understand how visitors interact with the site, helping them make targeted improvements. However, the tracker also sends sensitive data to Meta (Facebook) and is then shared with a massive network of marketers who target patients with advertisements that match their conditions.
A BlackByte ransomware affiliate is using a new custom data stealing tool called 'ExByte' to steal data from compromised Windows devices quickly. Data exfiltration is believed to be one of the most important functions in double-extortion attacks, with BleepingComputer told that companies are more commonly paying ransom demands to prevent the leak of data than to receive a decryptor. Due to this, ransomware operations, including ALPHV and LockBit, are constantly working on improving their data theft tool.
Cisco has released information regarding several vulnerabilities impacting multiple products on October 17, 2022. Please see the links below for more information:
Cisco Identity Services is a policy management and access control platform for network devices and is a crucial element of an organization’s zero-trust architecture. Cisco has published a heads-up for admins of Cisco Identity Services Engine solutions about two vulnerabilities (CVE-2022-20822, CVE-2022-20959) that could be exploited to read and delete files on an affected device to execute arbitrary scripts or access sensitive information. Both vulnerabilities have been discovered and reported by Davide Virruso, a freelance bug hunter and a red team operator at managed security service provider Yoroi.
In a speech during Singapore’s International Cyber Week, NCSC CEO Lindy Cameron called for international standards to improve IoT security. “At every level, individual households, businesses, cities and local governments are keen to reap the benefits of ‘smart devices.’ The benefits are obviously compelling. They provide a range of critical functions and services to us all. This should be an opportunity, not a threat,” outlined Cameron. She pointed at Singapore, a country that has taken major strides in the use of connected devices to manage vital services, such as transport, waste, CCTV, streetlights, traffic lights, parking and emergency services.
A major internet subsea fiber cable in the South of France was severed yesterday at 20:30 UTC, causing connectivity problems in Europe, Asia, and the United States, including data packet losses and increased website response latency. Cloud security company Zscaler reports that they made routing adjustments to mitigate the impact. However, users still face problems due to app and content providers routing traffic through the impacted paths.
A previously undocumented, fully undetectable PowerShell backdoor is being actively used by a threat actor who has targeted at least 69 entities. Based on its features, the malware is designed for cyberespionage, mainly engaging in data exfiltration from the compromised system. When first detected, the PowerShell backdoor was not seen as malicious by any vendors on the VirusTotal scanning service. However, its cover was blown due to operational mistakes by the hackers, allowing SafeBreach analysts to access and decrypt commands sent by the attackers to execute on infected devices.
Microsoft said today that some of its customers' sensitive information was exposed by a misconfigured Microsoft server accessible over the Internet. The company secured the server after being notified of the leak on September 24, 2022 by security researchers at threat intelligence firm SOCRadar.
Orca Security researchers have released technical details about a now-patched FabriXss vulnerability, tracked as CVE-2022-35829 (CVSS 6.2), that impacts Azure Fabric Explorer. An attacker can exploit the vulnerability to gain administrator privileges on the cluster. In order to exploit this flaw, an attacker needs to have CreateComposeDeployment permission. Orca Security reported the flaw to Microsoft in August 2022 and the company addressed it with the release of October 2022 Patch Tuesday updates
Researchers have linked the relatively new Ransom Cartel ransomware operation with the notorious REvil gang based on code similarities in both operations' encryptors. REvil reached its pinnacle of success in the first half of 2021, compromising thousands of companies in a Kaseya MSP supply-chain attack, demanding a $50 million payment from computer maker Acer, and extorting Apple using stolen blueprints of non-yet-released devices.
Researchers at the cybersecurity firm WithSecure discovered a bug in the message encryption mechanism used by Microsoft in Office 365 that can allow to access message contents due. The experts pointed out that Microsoft Office 365 Message Encryption (OME) relies on Electronic Codebook (ECB) mode of operation. The ECB mode is considered insecure and can reveal the structure of the messages sent, potentially leading to partial or full message disclosure. The OME method is used to send and receive encrypted email messages and the vulnerability can allow attackers to decipher the content of encrypted emails.
A freshly fixed vulnerability (CVE-2022-42889) in the Apache Commons Text library has been getting attention from security researchers these last few days, worrying it could lead to a repeat of the Log4Shell dumpster fire. But the final verdict shows there’s no need to panic: while the vulnerability is exploitable, “The nature of the vulnerability means that, unlike Log4Shell, it will be rare that an application uses the vulnerable component of Commons Text to process untrusted, potentially malicious input,” said Rapid7 AI researcher Erick Galinkin.
Verizon warned an undisclosed number of prepaid customers that attackers gained access to Verizon accounts and used exposed credit card info in SIM swapping attacks. "We determined that between October 6 and October 10, 2022, a third-party actor accessed the last four digits of the credit card used to make automatic payments on your account.
The FBI has released a warning that scammers may be targeting individuals seeking to enroll in the Federal Student Aid program to steal their personal information, payment details, and money. Federal Student Aid is a debt relief program announced in August 2022 that opened for applications yesterday. The large amount of applicants present a unique targeting opportunity for cybercriminals, who will use various techniques to trick applicants into falling for fraudulent websites and phishing emails. Users should be on the lookout for phishing emails and SMS messages that mimic the application form for student loan relief.
German newspaper ‘Heilbronn Stimme’ published today’s 28-page issue in e-paper form after a Friday ransomware attack crippled its printing systems. On Saturday, the newspaper issued an “emergency” six-page edition while all planned obituaries were posted on the website. Phone and email communication remained offline during the weekend. The regional publication has a circulation of about 75,000 copies, but due to printing issues has temporarily lifted the paywall from its website, which counts approximately 2 million visitors per month.
German newspaper ‘Heilbronn Stimme’ published today’s 28-page issue in e-paper form after a Friday ransomware attack crippled its printing systems. On Saturday, the newspaper issued an “emergency” six-page edition while all planned obituaries were posted on the website. Phone and email communication remained offline during the weekend. The regional publication has a circulation of about 75,000 copies, but due to printing issues has temporarily lifted the paywall from its website, which counts approximately 2 million visitors per month.
A threat actor is selling on hacking forums what they claim to be a new UEFI bootkit named BlackLotus, a malicious tool with capabilities usually linked to state-backed threat groups. UEFI bootkits are planted in the system firmware. They are invisible to security software running within the operating system because the malware loads in the initial stage of the booting sequence. While cybercriminals who want a license for this Windows bootkit have to pay $5,000, the threat actor says rebuilds would only set them back $200.
A wave of DDoS attacks rocked the Bulgarian government over the weekend, with Russia the prime suspect, according to reports. Traffic flooded the websites of the Bulgarian President, the National Revenue Agency, and the ministries of internal affairs, defense, and justice, according to several local reports. Telecoms firms, airports, banks and some media companies were also targeted in the October 15 campaign, according to the Sofia Globe.
The China-aligned espionage-focused actor dubbed Winnti has set its sights on government organizations in Hong Kong as part of an ongoing campaign dubbed Operation CuckooBees. Active since at least 2007, Winnti (aka APT41, Barium, Bronze Atlas, and Wicked Panda) is the name designated to a prolific cyber threat group that carries out Chinese state-sponsored espionage activity, predominantly aimed at stealing intellectual property from organizations in developed economies.
HelpSystems addressed a critical remote code execution vulnerability in their commercial post-exploitation toolkit Cobalt Strike. The vulnerability is tracked as CVE-2022-42948, and allows a remote attacker to take control of a targeted system. By manipulating some client-side UI input fields, threat actors can simulate a Cobalt Strike implant check-in, or hook the implant running on a host.
Last week, researchers from Rapid7 warned of the exploitation of unpatched zero-day remote code execution vulnerability, tracked as CVE-2022-41352, in the Zimbra Collaboration Suite. Rapid7 has published technical details, including a proof-of-concept (PoC) code and indicators of compromise (IoCs) regarding CVE-2022-41352 on AttackerKB. The issue has been rated as CVSS 9.8” (Security Affairs, 2022). “CVE-2022-41352 is an unpatched remote code execution vulnerability in Zimbra Collaboration Suite discovered in the wild due to active exploitation.” reported Rapid7.
The threat actors behind the Black Basta ransomware family have been observed using the Qakbot trojan to deploy the Brute Ratel C4 framework as a second-stage payload in recent attacks. The development marks the first time the nascent adversary simulation software is being delivered via a Qakbot infection, cybersecurity firm Trend Micro said in a technical analysis released last week The intrusion, achieved using a phishing email containing a weaponized link pointing to a ZIP archive, further entailed the use of Cobalt Strike for lateral movement. While these legitimate utilities are designed for conducting penetration testing activities, their ability to offer remote access has made them a lucrative tool in the hands of attackers looking to stealthily probe the compromised environment without attracting attention for extended periods of time.
Microsoft reported that new Prestige ransomware is being used in attacks aimed at transportation and logistics organizations in Ukraine and Poland. The Prestige ransomware first appeared in the threat landscape on October 11 in attacks occurring within an hour of each other across all victims. A notable feature of this campaign is that it is uncommon to observe threat actors attempting to deploy ransomware into the networks of Ukrainian enterprises. Microsoft pointed out that this campaign was not connected to any of the 94 currently active ransomware activity groups that it is tracking.
Threat actors behind the relatively new Venus Ransomware are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices. Venus Ransomware appears to have begun operating in the middle of August 2022 and has since encrypted victims worldwide. However, there was another ransomware using the same encrypted file extension since 2021, but it is unclear if they are related.
Mango Markets is a trading platform riding on the Solana blockchain. Mango Markets says that the platform halted operations to cease all deposits and withdrawals to limit the attack's impact. "This incident has effectively resulted in a total draining of all equity available." When hacker who stole $117 million in digital assets from their decentralized finance exchange says they will now return the funds — but only if token holders let them keep $70 million without the possibility of criminal prosecution.
Between September 28 and October 7, Kaspersky observed close to 1,800 users infected with QBot worldwide. More than half of the new victims are corporate users. According to security researchers, the United States, Italy, Germany, and India are the countries targeted the most in these recent campaigns. Out of a total of 220 victims in the United States, 95 are corporate users, potentially exposing their organizations to further malicious activity, including distributing ransomware and other malware families.
MSTIC has observed POLONIUM active on or targeting multiple organizations previously compromised by Iran-linked MuddyWater APT (aka MERCURY). According to Microsoft, POLONIUM is an APT group based in Lebanon that coordinates its activities with other actors affiliated with the Iranian Ministry of Intelligence and Security. Now ESET researchers reported that the APT group had used at least seven different custom backdoors since September 2021 against Israeli targets. Most of the attacks were spotted on September 2022, and the custom tools developed by the group allowed them to spy on the victims.
Security researchers have discovered an NPM timing attack that reveals the names of private packages so threat actors can release malicious clones publicly to trick developers into using them instead. The attack relies on a slight time difference in returning a "404 Not Found" error when searching for a private compared to a non-existent package in the repository. While the response time difference is only a few hundred milliseconds, it is enough to determine whether a private package exists to perform package impersonation attacks. Organizations create private packages for internal projects and certain software products to minimize the risk of their development teams falling for typo squatting attacks and to keep their code and functions secret.
Cybersecurity researchers have discovered a new attack and C2 framework called 'Alchimist,' which appears to be actively used in attacks targeting Windows, Linux, and macOS systems. The framework and all its files are 64-bit executables written in GoLang, a programming language that makes cross-compatibility between different operating systems a lot easier. Alchimist offers a web-based interface using the Simplified Chinese language, and it's very similar to Manjusaka, a recently-emerged post-exploitation attack framework growing popular among Chinese hackers.
VMware informed customers today that vCenter Server 8.0 (the latest version) is still waiting for a patch to address a high-severity privilege escalation vulnerability disclosed in November 2021. CrowdStrike's Yaron Zinar found this security flaw (CVE-2021-22048) and Sagi Sheinfeld in vCenter Server's IWA (Integrated Windows Authentication) mechanism also affects VMware's Cloud Foundation hybrid cloud platform deployments. Attackers with non-administrative access can exploit it to elevate privileges to a higher privileged group on unpatched servers.
In the latest attacks, phishing emails impersonate the U.S. Small Business Administration (SBA) and abuse Google Forms to host phishing pages that steal the personal details of business owners. The SBA ran COVID-19 financial recovery programs in the past, which adds legitimacy to the campaign, especially for previous beneficiaries. However, the organization is currently not running any similar initiatives.
As part of the October Patch Tuesday, Microsoft addressed 84 vulnerabilities, including two zero-days (one of which is actively being exploited in attacks in the wild. Of the 84 flaws, there was 39 elevation of privilege vulnerabilities, 2 security feature bypass vulnerabilities, 20 remote code execution vulnerabilities, 11 information discloser vulnerabilities, 8 denial of service vulnerabilities, and 4 spoofing vulnerabilities. 13 of the 84 flaws have been rated critical in severity and relate to spoofing, privilege elevation, and remote code execution.
Team82, the research arm of New York-based industrial cybersecurity firm Claroty, revealed on October 11, 2022, that they managed to extract heavily guarded, hardcoded cryptographic keys embedded within SIMATIC S7-1200/1500s, a range of Siemens programmable logic computers (PLCs), and TIA Portal, Siemens’ automated engineering software platform.
Fortinet has confirmed today that a critical authentication bypass security vulnerability patched last week is being exploited in the wild. The security flaw (CVE-2022-40684) is an auth bypass on the administrative interface that enables remote threat actors to log into FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager (FSWM) on-premise management instances.
The threat actors behind IcedID malware phishing campaigns are utilizing a wide variety of distribution methods, likely to determine what works best against different targets. Researchers at Team Cymru have observed several campaigns in September 2022, all following slightly different infection pathways, which they believe is to help them evaluate effectiveness. Moreover, the analysts have noticed changes in the management of command and control server (C2) IPs used in the campaigns, now showing signs of sloppiness.
A phishing-as-a-service (PhaaS) platform named 'Caffeine' makes it easy for threat actors to launch attacks, featuring an open registration process allowing anyone to jump in and start their own phishing campaigns. Caffeine doesn't require invites or referrals, nor does it require wannabe threat actors to get approval from an admin on Telegram or a hacking forum. Due to this, it removes much of the friction that characterizes almost all platforms of this kind. Another distinctive characteristic of Caffeine is that its phishing templates target Russian and Chinese platforms, whereas most PhaaS platforms tend to focus on lures for Western services.
Toyota Motor Corporation is warning that customers' personal information may have been exposed after an access key was publicly available on GitHub for almost five years. Toyota T-Connect is the automaker's official connectivity app that allows owners of Toyota cars to link their smartphone with the vehicle's infotainment system for phone calls, music, navigation, notifications integration, driving data, engine status, fuel consumption, and more. Toyota discovered recently that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers.
On Monday, October 10, 2022, the websites of several US airports were disrupted due to a large-scale campaign of distributed denial-of-service (DDoS) attacks, in which servers were flooded with web traffic to knock websites offline. The victims include Los Angeles International Airport (LAX), Hartsfield-Jackson Atlanta International Airport (ATL), Chicago O'Hare International Airport (ORD), as well as other airports in Florida, Colorado, Arizona, Kentucky, Mississippi and Hawaii.
Zscaler researchers linked a recently discovered sample of a new malware called LilithBot to the Eternity group (aka EternityTeam; Eternity Project). The Eternity group operates a homonymous malware-as-a-service (MaaS), it is linked to the Russian “Jester Group,” which is active since at least January 2022.
One of the largest non-profit healthcare providers in the US has been hit by a suspected ransomware attack which has already impacted multiple locations around the country. CommonSpirit claims to run over 1000 sites and 140 hospitals in 21 states. In a brief message yesterday it said it had “identified an IT security issue” affecting some facilities.
Fortinet has warned administrators to update FortiGate firewalls and FortiProxy web proxies to the latest versions, which address a critical severity vulnerability. The security flaw (tracked as CVE-2022-40684) is an authentication bypass on the administrative interface that could allow remote threat actors to log into unpatched devices.
NSA, CISA, and the FBI revealed today the top security vulnerabilities most exploited by hackers backed by the People's Republic of China (PRC) to target government and critical infrastructure networks. The three federal agencies said in a joint advisory that Chinese-sponsored hackers are targeting U.S. and allied networks and tech companies to gain access to sensitive networks and steal intellectual property.
The 'LofyGang' threat actors have created a credential-stealing enterprise by distributing 200 malicious packages and fake hacking tools on code hosting platforms, such as NPM and GitHub. Researchers highlighted some of these packages in recent reports by Kaspersky, Jfrog, and Sonatype, who spotted them in supply chain attacks using typo-squatted package names. Many malicious packages have been reported and removed, while others are available for download. There's even a dedicated project to search for and track malicious LofyGang packages on GitHub. A bot on Discord, named "Lofy Boost," can be used by channel members to purchase Nitro using a stolen credit card on behalf of the user. The bot also receives user tokens, which the crooks may abuse later. The stash of the stolen credit cards comes from NPM supply chain infections and by pushing laced and backdoored hacking tools on GitHub, which less skilled cybercriminals grab and use free of charge.
The Australian Federal Police (AFP) have arrested a 19-year old in Sydney for allegedly using leaked Optus customer data for extortion. More specifically, the suspect used 10,200 records leaked last month by the Optus hackers and contacted victims over SMS to threaten that their data would be sold to other hackers unless they paid AUD 2,000 ($1,300) within two days. The scammer used a Commonwealth Bank of Australia account to receive the ransom money. The AFP identified the account and obtained from the bank information about the holder.
Security researchers have shared details about a now-addressed security flaw in Apple's macOS operating system that could be potentially exploited to run malicious applications in a manner that can bypass Apple's security measures. The vulnerability, tracked as CVE-2022-32910, is rooted in the built-in Archive Utility and "could lead to the execution of an unsigned and unnotarized application without displaying security prompts to the user, by using a specially crafted archive.
Australia’s largest telecommunications company Telstra disclosed a data breach through a third-party supplier. The company pointed out that its systems have not been breached, the security breach impacted a third-party supplier that previously provided a now-obsolete Telstra employee rewards program” (Security Affairs, 2022). This story comes just after another Australian telecom Optus, suffered a severe cyber attack that leaked customer data.
Avast has released a decryptor for variants of the Hades ransomware known as 'MafiaWare666', 'Jcrypt,' 'RIP Lmao', and 'BrutusptCrypt,' allowing victims to recover their files for free. The security company says it discovered a flaw in the encryption scheme of the Hades strain, allowing some of the variants to be unlocked. However, this may not apply to newer or unknown samples that use a different encryption system.
The BlackByte ransomware gang is using a new technique that researchers are calling "Bring Your Driver," which enables bypassing protections by disabling more than 1,000 drivers used by various security solutions. Recent attacks attributed to this group involved a version of the MSI Afterburner RTCore64.sys driver, vulnerable to a privilege escalation and code execution flaw tracked as CVE-2019-16098.
Former Netwalker ransomware affiliate Sebastien Vachon-Desjardins has been sentenced to 20 years in prison and demanded to forfeit $21.5 million for his attacks on a Tampa company and other entities. Vachon-Desjardins, a 34 Canadian man extradited from Quebec, was sentenced today in a Florida court after pleading guilty to 'Conspiracy to commit Computer Fraud', 'Conspiracy to Commit Wire Fraud', 'Intentional Damage to Protected Computer,' and 'Transmitting a Demand in Relation to Damaging a Protected Computer.' He is also required to serve three years of supervised release after he gets out of prison. During this term, Vachon-Desjardins will not be allowed to have a job in information technology or use a computer capable of connecting to the Internet, including a smartphone, gaming device, or other electronic devices.
In a press statement released yesterday, the mobile carrier updated the information regarding the personal data of 9.8 million customers exposed during the attack. Of these 2.1 million customers, 1.2 million had at least one number from a current and valid form of identification compromised, and 900,000 had ID numbers exposed but from documents that are now expired, However, all 9.8 million customers had other personal information exposed, including email addresses, date of birth, or phone numbers.
QakBot is a banking trojan that has been in development for around 15 years. Overtime it has evolved significantly and continues to impact organizations globally. Recently, the malware has been used to spy on financial operations and to install ransomware. Researchers from Menlo Labs shared their QakBot findings after observing several campaigns. QakBot uses various Highly Evasive Adaptive Threat (HEAT) techniques. “HEAT attacks are a new class of attack methods built specifically to avoid detection from common layers in traditional security stacks.
A new Android spyware named 'RatMilad' was discovered targeting mobile devices in the Middle East, used to spy on victims and steal data. The RatMilad spyware was discovered by mobile security firm Zimperium who warned that the malware could be used for cyber espionage, extortion, or to eavesdrop on victim's conversations. Data stolen from the malware is being used to access private corporate networks, blackmail a victim, and more. The spyware is distributed masquerading as a fake virtual number generator called NumRent, which would be used for automating the activation of social media accounts. The app requests risky permissions, then abuses those to sideload the RatMilad payload onto the device.
The U.S. Government yesterday released an alert about state-backed hackers using a custom CovalentStealer malware and the Impacket framework to steal sensitive data from a U.S. organization in the Defense Industrial Base (DIB) sector. According to the report, the compromise lasted for about 10 months, and allowed multiple APT groups to gain initial access through the victims Microsoft Exchange Server in January of last year. The hackers used a combination of a custom malware called CovalentStealer and an open source tool called Impacket to carry out their attacks.
Researchers at cybersecurity firm Sygnia attributed the recently discovered Linux ransomware Cheerscrypt to the China-linked cyber espionage group Bronze Starlight (aka DEV-0401, APT10). Bronze Starlight has been active since mid-2021; researchers from Secureworks reported that the A.P.T. group is deploying post-intrusion ransomware families to cover up the cyber espionage operations.
Today, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) released a joint Cybersecurity Advisory (CSA) with details on advanced persistent threat (APT) actors using an open-source toolkit and custom data exfiltration tool to steal sensitive data from a defense industrial base (DIB) sector organization’s enterprise network.
The official installer for the Comm100 Live Chat application, a widely deployed SaaS (software-as-a-service) that businesses use for customer communication and website visitors, was trojanized as part of a new supply-chain attack. A report from CrowdStrike says that the infected variant was available from the vendor's website from at least September 26 until as the morning of September 29. Because the trojanized installer used a valid digital signature, antivirus solutions would not trigger warnings during its launch, allowing for a stealthy supply-chain attack.
Scammers are impersonating security researchers to sell fake proof-of-concept ProxyNotShell exploits for newly discovered Microsoft Exchange zero-day vulnerabilities. Last week, Vietnamese cybersecurity firm GTSC disclosed that some of their customers had been attacked using two new zero-day vulnerabilities in Microsoft Exchange. Working with Trend Micro's Zero Day Initiative, the researchers disclosed the vulnerabilities privately to Microsoft, who confirmed that the bugs were being exploited in attacks and that they were working on an accelerated timeline to release security updates.
The Federal Bureau of Investigation (FBI) warns of a rise in 'Pig Butchering' cryptocurrency scams used to steal ever-increasing amounts of crypto from unsuspecting investors. The warning was issued as a Private Industry Notification from the FBI Miami Field Office in coordination with the Internet Crime Complaint Center (IC3) yesterday to raise awareness among cryptocurrency investors who are increasingly being targeted by these types of scams.
Russian retail chain 'DNS' (Digital Network System) disclosed yesterday that they suffered a data breach that exposed the personal information of customers and employees. DNS is Russia's second-largest computer and home appliance store chain, with 2,000 branches and 35,000 employees. According to the scant details provided in the announcement, a group of hackers residing outside the Russian Federation exploited a security gap in the company's IT systems and accessed customer and employee details. While the firm has not provided details on what information was compromised, it clarified that the hackers didn't steal user passwords and payment card data, as that data isn't stored on their systems.
The ALPHV/BlackCat ransomware gang claims to have breached the IT firm NJVC, which supports the federal government and the United States Department of Defense. The company supports intelligence, defense, and geospatial organizations. The company has more than 1,200 employees in locations worldwide. BlackCat added NJVC to the list of victims on its Tor leak site and is threatening to release the allegedly stolen data if the company will not pay the ransom, “We strongly recommend that you contact us to discuss your situation. Otherwise, the confidential data in our possession will be released in stages every 12 hours. There is a lot of material,” reads the ALPHV’s statement.
The Vice Society Ransomware gang published data and documents Sunday morning that were stolen from the Los Angeles Unified School District during a cyberattack earlier this month. LAUSD superintendent Alberto M. Carvalho confirmed the release of stolen data in a statement posted to Twitter and announced a new hotline launching tomorrow morning for concerned parents and students to ask questions about the data leak. The public release of data comes after the school system announced Friday that they would not be giving in to the ransom demands and that the district could better use the money for students and their education.
The North Korea-backed Lazarus Group has been observed deploying a Windows rootkit by taking advantage of an exploit in a Dell firmware driver, highlighting new tactics adopted by the state-sponsored adversary. The Bring Your Own Vulnerable Driver (BYOVD) attack, which took place in the autumn of 2021, is another variant of the threat actor's espionage-oriented activity called Operation In(ter)ception that's directed against aerospace and defense industries.
A former U.S. National Security Agency (NSA) employee has been arrested on charges of attempting to sell classified information to a foreign spy, who was actually an undercover agent working for the Federal Bureau of Investigation (FBI). Jareh Sebastian Dalke, 30, was employed at the NSA for less than a month from June 6, 2022, to July 1, 2022, serving as an Information Systems Security Designer as part of a temporary assignment in Washington D.C.
Last week, “Microsoft shared mitigations for two new Microsoft Exchange zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082, but researchers warn that the mitigation for on-premise servers is far from enough. Threat actors are already chaining both of these zero-day bugs in active attacks to breach Microsoft Exchange servers and achieve remote code execution in limited attacks. Both security flaws were reported privately through the Zero Day Initiative program about three weeks ago by Vietnamese cybersecurity company GTSC, who shared the details publicly last week.
After being laid off, an IT system administrator disrupted the operations of his former employer, a high-profile financial company in Hawaii, hoping to get his job back. Casey K. Umetsu, aged 40, worked as a network admin for the company between 2017 and 2019, when his employer terminated his contract. The U.S. Department of Justice says in a press release that the defendant pled guilty yesterday to accessing his former employer's website and making configuration changes to redirect web and email traffic to external computers, "After using his former employer's credentials to access the company's configuration settings on that website, Umetsu made numerous changes, including purposefully misdirecting web and email traffic to computers unaffiliated with the company, thereby incapacitating the company's web presence and email" - the U.S. Department of Justice.
Security researchers have discovered a malicious campaign by the 'Witchetty' hacking group, which uses steganography to hide a backdoor malware in a Windows logo. Witchetty is closely tied to the state-backed Chinese threat actor APT10 (aka 'Cicada'). The group is also considered part of the TA410 operatives, previously linked to attacks against U.S. energy providers.
Microsoft says the North Korean-sponsored Lazarus threat group is trojanizing legitimate open-source software and using it to backdoor organizations in many industry sectors, such as technology, defense, and media entertainment. The list of open-source software weaponized by Lazarus state hackers to deploy the BLINDINGCAN (aka ZetaNile) backdoor includes PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer.
We shared this week that the Fast Company took its website offline after it was hacked to display stories and push out Apple News notifications containing obscene and racist comments. Today, the hacker shared how they allegedly breached the site. The site today shows a statement from the company confirming they were hacked on Sunday afternoon, followed by an additional hack on Tuesday evening that allowed threat actors to push out racist notifications to mobile devices via Apple News.
In an incident response engagement earlier this year, security researchers at cyber threat intelligence company Mandiant (acquired by Google) found that an actor suspected to have ties with China used malicious vSphere Installation Bundles (VIBs) to deliver the VirtualPita and VirtualPie malware. With the help of malicious vSphere Installation Bundles, an attacker could install malware on bare-metal hypervisors. Researchers have named the two backdoors VirtualPita and VirtualPie. Also uncovered was a unique malware sample dubbed VirtualGate, which includes a dropper and a payload.
The Brute Ratel post-exploitation toolkit has been cracked and is now being shared for free across Russian-speaking and English-speaking hacking communities. For those unfamiliar with Brute Ratel C4 (BRC4), it is a post-exploitation toolkit created by Chetan Nayak, an ex-red teamer at Mandiant and CrowdStrike. Similar to Cobalt Strike, Brute Ratel is a toolkit used by red teamers to deploy agents, called badgers, on compromised network devices and use them to execute commands remotely and spread further on a network.
A quickly expanding botnet called Chaos is targeting and infecting Windows and Linux devices to use them for cryptomining and launching DDoS attacks. This Go-based malware can also infect various architectures, including x86, x86-64, AMD64, MIPS, MIPS64, ARMv5-ARMv8, AArch64, and PowerPC, used by a wide range of devices from small office/home office routers and enterprise servers. Even though it mainly propagates by attacking devices unpatched against various security vulnerabilities and SSH brute-forcing, Chaos will also use stolen SSH keys to hijack more devices. It also backdoors hijacked devices by establishing a reverse shell that will allow the attackers to reconnect at any time for further exploitation.
The second-largest telecommunications provider in Australia – Optus – was recently breached and faced a $1m extortion threat. Making matters worse, the attacker started contacting Optus customers directly. According to reports in the Australian media, the hacker has texted customers demanding $2000 AUD to be paid within two days, or their personal identifiable information (PII) will be sold for fraudulent purposes. However, this is an ongoing story, and the hacker has now apparently taken down the database containing customers’ released information and apologized for their actions. It may be that the attacker got more attention than they bargained for.
Fast, who is a U.S. business publication company has confirmed that a hacker breached its internal systems to send offensive push notifications to Apple News users. In a statement, Fast Company said that a threat actor breached the company’s content management system (CMS) on Tuesday, giving them access to the publication’s Apple News account. The hacker used this access to send two “obscene and racist” push notifications to Apple News subscribers, prompting shocked users to post screenshots on Twitter. It’s not clear how many users received the notifications before they were deleted, “The messages are vile and are not in line with the content and ethos of Fast Company,” Fast Company said. “We are investigating the situation and have shut down FastCompany.com until the situation has been resolved.
Last week we shared that SentinelOne researchers discovered decoy documents advertising positions for the popular cryptocurrency exchange Crypto[.]com, a continuation of an investigation by ESET back in August. The security company observed the APT group Lazarus targeting job seekers with macOS malware working on Intel and M1 chipsets. As you may recall, ESET published a series of tweets detailing the attacks; the experts spotted a signed Mac executable disguised as a job description for Coinbase. The malicious code was uploaded to VirusTotal from Brazil on August 11, 2022.
Meta has revealed how it closed down two significant but unconnected disinformation operations originating in China and Russia, which attempted to influence public opinion in Western countries. The first was the “largest and most complex” Russian campaign seen since the start of the country’s war against Ukraine, according to the social media giant” (Bleeping Computer, 2022). Meta notes that beginning in May, Russian actors coordinated a disinformation campaign against media consumers in Germany, France, Italy, Ukraine, and the UK. It centered on 60 websites designed to spoof legitimate news sites such as The Guardian in the UK and Germany’s Bild and Der Spiegel. The articles criticized Ukraine and Ukrainian refugees, supported Russia, and argued that Western sanctions on Russia would backfire.
The relatively new Bloody Ransomware Gang has started to use a recently leaked LockBit ransomware builder in attacks against companies. Last week, the LockBit 3.0 ransomware builder was leaked on Twitter after the LockBit operator had a falling out with his developer. This builder allows anyone to build a fully functional encryptor and decryptor that threat actors can use for attacks. As the builder includes a configuration file that can easily be customized to use different ransom notes, statistics servers, and features, BleepingComputer predicted that other threat actors would soon use the builder to create their own ransomware.
A recently discovered malware builder called Quantum Builder is being used to deliver the Agent Tesla remote access trojan (RAT). "This campaign features enhancements and a shift toward LNK (Windows shortcut) files when compared to similar attacks in the past," Zscaler ThreatLabz researchers Niraj Shivtarkar and Avinash Kumar said in a Tuesday write-up. Sold on the dark web for €189 a month, Quantum Builder is a customizable tool for generating malicious shortcut files as well as HTA, ISO, and PowerShell payloads to deliver next-stage malware on the targeted machines, in this case Agent Tesla.
Researchers from Cluster25 believe APT28, a Russian state sponsored threat group, is using a new code execution technique that relies on mouse movement in Microsoft PowerPoint presentation (T1566.001, T1204.002), which in turn triggers a malicious PowerShell script (T1059.001). While most Microsoft Office based attacks require malicious macros, this new technique does not, making it especially dangerous.
A new sample of malware known as Exmatter was spotted by malware analysts with the Cyderes Special Operations team during a recent incident response following a BlackCat ransomware attack and later shared with the Stairwell Threat Research team for further analysis (Symantec saw a similar sample deployed in a Noberus ransomware attack). Exmatter has been used by BlackMatter affiliates since at least October 2021, this is the first time the malicious tool was seen sporting a destructive module.
Researchers have named 'Metador' a previously unknown threat actor' which has been breaching telecommunications, internet services providers (ISPs), and universities for about two years. Metador targets organizations in the Middle East and Africa, and its purpose appears to be long-term persistence in espionage. The group uses two Windows-based malware that has been described as "extremely complex," but there are indications of Linux malware, too.
Vulnerable Microsoft SQL servers are being targeted in a new wave of attacks with FARGO ransomware, security researchers are warning. MS-SQL servers are database management systems holding data for internet services and apps. Disrupting them can cause severe business trouble. BleepingComputer has reported similar attacks in February, dropping Cobalt Strike beacons, and in July when threat actors hijacked vulnerable MS-SQL servers to steal bandwidth for proxy services. The latest wave is more catastrophic, aiming for a quick and easy profit by blackmailing database owners.
Last Friday, Sophos released security updates to address a critical zero-day vulnerability that is actively being exploited in the wild. Tracked as CVE-2022-3236 (CVSS score: 9.8), the flaw impacts Sophos Firewall v19.0 MR1 and older and is related to a code injection vulnerability in the User Portal and Webadmin of Sophos Firewall. Successful exploitation could enable a malicious threat actor to remotely execute code.
Researchers from Kaspersky noticed a new malicious campaign using the NullMixer malware tool. The tool is used to spread malware via malicious websites and can easily be found via popular search engines, including Google. “These websites are often related to crack, keygen and activators for downloading software illegally, and while they may pretend to be legitimate software, they actually contain a malware dropper,” reads the advisory.
Russian threat actors allegedly from FIN11 have been impersonating web download pages for Zoom, to trick victims into downloading malicious executables. Security company Cyfirma released their findings and issued an advisory this week. FIN11 has been conducting a large-scale phishing campaign which masquerades as Zoom download pages. The goal of the campaign is to infect users with the Vidar information stealing malware.
An SMS-based phishing campaign is targeting customers of Indian banks with information-stealing malware that masquerades as a rewards application. The Microsoft 365 Defender Research Team said that the messages contain links that redirect users to a sketchy website that triggers the download of the fake banking rewards app for ICICI Bank. According to researchers, the malware is capable of intercepting important device notifications and stealing SMSes, allowing the threat actors to potentially swipe 2FA codes sent as text messages and gain unauthorized access to victim accounts.
GitHub is warning of an ongoing phishing campaign that started on September 16 and is targeting its users with emails that impersonate the CircleCI continuous integration and delivery platform. The bogus messages inform recipients that the user terms and privacy policy have changed and they need to sign into their GitHub account to accept the modifications and keep using the services. The threat actors' goal is to steal GitHub account credentials and two-factor authentication (2FA) codes by relaying them through reverse proxies.
Optus, one of the largest service providers in Australia, disclosed a data breach. The intruders gained access to the personal information of both former and current customers. The company is a subsidiary of Singtel with 10.5 million subscribers as of 2019. The company notified the Australian Cyber Security Centre which is helping it to mitigate any risks to customers. Optus has also notified the Australian Federal Police, the Office of the Australian Information Commissioner and key regulators.
The Cybersecurity and Infrastructure Security Agency (CISA) has added a critical severity Java deserialization vulnerability affecting multiple Zoho ManageEngine products to its catalog of bugs exploited in the wild. This security flaw (CVE-2022-35405) can be exploited in low-complexity attacks, without requiring user interaction, to gain remote code execution on servers running unpatched Zoho ManageEngine PAM360 and Password Manager Pro (without authentication) or Access Manager Plus (with authentication) software.
LockBit recently suffered a breach, with an allegedly disgruntled developer leaking the bulilder for the gang’s newest encryptor. In June, the LockBit ransomware operation released version 3.0 of their encryptor, codenamed LockBit Black, after testing it for two months. The new version promised to 'Make Ransomware Great Again,' adding new anti-analysis features, a ransomware bug bounty program, and new extortion methods.
The BlackCat Ransomware gang (aka ALPHV) recently came out with a new version of its data exfiltration tool used for double-extortion attacks. Dubbed “Exmatter,” the tool was introduced during BlackCat’s launch in November 2021 and was heavily updated in August 2022, featuring the following changes:
Researchers from Palo Alto’s Unit 42, have discovered the technique of domain shadowing is more prevalent than originally thought. The company found nearly 12,000 cases of domain shadowing between April and June of 2022. “Domain shadowing is a subcategory of DNS hijacking, where threat actors compromise the DNS of a legitimate domain to host their own subdomains for use in malicious activity but do not modify the legitimate DNS entries that already exist.
In a post published by TrendMicro, threat actors were observed actively leveraging CVE-2022-26134, remote code execution vulnerabilities, which received a critical rating of 9.8 out of 10 on the CVSS scale. TrendMicro also made it worthy of knowing that if the bugs are left unremedied and successfully exploited could be used for additional purposes where an could potentially takeover domains, deploy information stealers, install remote access trojans (RATs), or deploy ransomware.
The vulnerability likely affects more than 350,000 open-source repositories and could lead to code execution if exploited by an attacker. CVE-2007-4559 was disclosed in 2007, but the security bugs never received a patch. The only mitigation provided around the time of disclosure was a documentation update warning developers that the vulnerability exists. The bug lies in the Python tarfile package, "in code that uses un-sanitized tarfile.extract() function or the built-in defaults of tarfile.extractall(). A path traversal bug enables an attacker to overwrite arbitrary files.
Internet security company Imperva has announced its DDoS (distributed denial of service) mitigation solution has broken a new record, defending against a single attack that sent over 25.3 billion requests to one of its customers. The target was a Chinese telecommunications service provider often at the receiving end of DDoS attacks with unusually large volumes. The DDoS attack unfolded on June 27, 2022, peaking at 3.9 million requests per second (RPS) and averaging 1.8 million RPS.
NYRA is the operator of New York's most extensive thoroughbred horse racing tracks, namely the Aqueduct Racetrack, the Belmont Park, and the Saratoga Racecourse. According to the security breach notifications sent to impacted individuals late last month and shared with the authorities last week, the threat actors may have exfiltrated the following member information from the organization:
Okta reports that the attacks involving credentials stuffing have gotten worse in 2022. The identity and access management firm has recorded over 10 billion credential stuffing events on its platform in the first 90 days of 2022. This number represents roughly 34% of the overall authentication traffic, which means that one-third of all attempts are malicious and fraudulent. Okta notes that recent attacks are using a “burst” approach, where a large number of credentials are used in a short time. Impacted platforms saw sudden load spikes of up to tenfold from previous attacks,” targeting specific geographic locations with the worst cases located Southeast Asia and the United States.
American video game publisher 2K has confirmed that its help desk platform was hacked and used to target customers with fake support tickets pushing malware via embedded links. 2K released a statement on the incident: "Earlier today, we became aware that an unauthorized third party illegally accessed the credentials of one of our vendors to the help desk platform that 2K uses to provide support to our customers," Using the third-party support system, the threat actor sent communications to certain players which contained a malicious link. 2K is asking customers not to open emails coming from 2K Games support at this time. The malicious link contained a ZIP archive, which if opened contained the RedLine Stealer malware.
Back in May, Researchers from Red Canary found a malicious Chrome browser extension (T1587.001) that modifies browser settings and redirects user traffic (T1185). “The malware is able to redirect the user’s traffic and hijacking user search queries to popular search engines, including Google, Yahoo, and Bing. The malicious code is also able to use PowerShell (T1059.001) to inject itself into the browser and added the extension to the browser” (Security Affairs, 2022). This week, VMWare and Microsoft confirmed their own sighting of a widespread ChromeLoader Campaign, that is dropping malicious browser extensions, the node-WebKit malware, and ransomware.
American Airlines has notified customers of a recent data breach after attackers compromised an undisclosed number of employee email accounts and gained access to sensitive personal information. In notification letters sent on Friday, September 16th, the airline explained that it has no evidence that the exposed data was misused. American Airlines discovered the breach on July 5th, immediately secured the impacted email accounts, and hired a cybersecurity forensic firm to investigate the security incident.
The threat actor responsible for hacking Uber last week is likely connected to the prolific Lapsus$ group, the firm has claimed. The ride-hailing giant admitted last Thursday that it was investigating a security incident after reports revealed a malicious actor claiming to be 18 years old had managed to access email and cloud systems, code repositories, an internal Slack account and HackerOne tickets. In an update yesterday, Uber explained that the attacker targeted an Uber EXT contractor, most likely obtaining their corporate password on the dark web after the credential had been stolen via malware installed on their personal device.
Attackers are more frequently using social engineering attacks to gain access to corporate credentials and breach large networks. One component of these attacks that is becoming more popular with the rise of multi-factor authentication is a technique called MFA Fatigue. When breaching corporate networks, hackers commonly use stolen employee login credentials to access VPNs and the internal network.
The Russian state-sponsored hacking group known as Sandworm has been masquerading as telecommunication providers to target Ukrainian entities with malware. Starting from August 2022, researchers at Recorded Future have observed a rise in Sandworm command and control (C2) infrastructure that uses dynamic DNS domains masquerading as Ukrainian telecommunication service providers. While Sandworm has refreshed its C2 infrastructure significantly, it did so gradually, so historical data from CERT-UA reports allowed Recorded Future to link current operations with solid confidence to the threat actor.
While monitoring the Emotet botnet's current activity, security researchers found that the Quantum and BlackCat ransomware gangs are now using the malware to deploy their payloads. This is an interesting development given that the Conti cybercrime syndicate was the one that previously used the botnet before shutting down in June. The Conti group was the one who orchestrated its comeback in November after an international law enforcement action took down Emotet's infrastructure at the beginning of 2021.
LastPass recently published an updated notice in regard to the security incident that targeted its development environment, resulting in the theft of some of LastPass’s source code and technical information. According to the password management company, the threat actor only had access to LastPass’s systems for a period of four days. During this timeframe, LastPast stated that its security team detected the threat actor’s activity and contained the incident. Although the threat actor was able to access the Development environment, LastPass confirmed that no customer data or encrypted password vaults were accessed.
Empress EMS (Emergency Medical Services), a New York-based emergency response and ambulance service provider, has disclosed a data breach that exposed customer information. According to the notification, the company suffered a ransomware attack on July 14, 2022. An investigation into the incident revealed that the intruder had gained access to Empress EMS’ systems on May 26, 2022. About a month and a half later, on July 13, the hackers exfiltrated “a small subset of files,” a day before deploying the encryption.
As of 2022, Rockstar Games net worth is over $5 billion. The wealth has been created from the many games that the company has published. One of the highest-selling games is Grand Theft Auto, popularly known as GTA. Also, this company released several movies that have enjoyed super success. With that being said Grand Theft Auto 6 gameplay videos and source code have been leaked after a hacker allegedly breached Rockstar Game's Slack server and Confluence wiki. The videos and source code were first leaked on GTAForums yesterday, where a threat actor named ‘teapotuberhacker’ shared a link to a RAR archive containing 90 stolen videos.
Researchers at security and compliance assessment firm Onekey warns of an arbitrary code execution via FunJSQ, which is a third-party module developed by Xiamen Xunwang Network Technology for online game acceleration, that impacts multiple Netgear router models. The FunJSQ module is used in various NETGEAR routers and Orbi WiFi systems, the issues affecting it were discovered in May 2022 and are now fixed. The analysis of various firmware allowed the researchers to discover the presence of the flawed module in NETGEAR devices (R9000, R7800, RAX200, RAX120, R6230, R6260, RAX40) and some Orbi WiFi Systems (RBR20, RBS20, RBR50, RBS50).
According to research from Cybereason, threat actors are abusing Notepad++ plugins to bypass security mechanisms and achieve persistence on a victim machine (T1203). Notepad++ is a popular open source coding environment that formats text for various coding languages. The abused plugin packs itself in a .NET package for Visual Studio an provides a basic template for building plugins. An advanced persistent threat (APT) group is leveraging the plugin for malicious purposes.
Uber suffered a cyberattack Thursday afternoon with a hacker gaining access to vulnerability reports and sharing screenshots of the company's internal systems, email dashboard, and Slack server. The screenshots shared by the hacker and seen by BleepingComputer show what appears to be full access to many critical Uber IT systems, including the company's security software and Windows domain.
The Hive ransomware gang claimed responsibility for an attack that hit the systems of Bell Canada subsidiary Bell Technical Solutions (BTS). BTS is an independent subsidiary with more than 4,500 employees, specializing in installing Bell services for residential and small business customers across the Ontario and Québec provinces. While the Canadian telecommunications company didn't reveal when its network was breached or the attack happened, Hive claims in a new entry added to its data leak blog that it encrypted BTS' systems almost a month ago, on August 20, 2022.
North Korean hackers are using trojanized versions of the PuTTY SSH client to deploy backdoors on targets' devices as part of a fake Amazon job assessment. A novel element in this campaign is the use of a trojanized version of the PuTTY and KiTTY SSH utility to deploy a backdoor, which in this case, is 'AIRDRY.V2'. The group's latest activities appear to be a continuation of the 'Operation Dream Job' campaign, which has been ongoing since June 2020, this time targeting media companies.
The U.S. government sanctioned Iran's Ministry of Intelligence and Security and its minister for a July cyberattack that temporarily paralyzed Albania's online service portal for citizens. The designation by the Department of Treasury prohibits persons under U.S. jurisdiction from transacting with the ministry and its minister, Esmail Khatib. The action will have no material effect given long-standing and robust governmental prohibitions on doing business with Iran. The Treasury Department already sanctioned the ministry for support of terrorism and human rights abuses, but the designation of Khatib is new.
Russian hackers have been targeting Ukrainian entities with previously unseen info-stealing malware during a new espionage campaign that is still active. Security researchers at Cisco Talos attribute the campaign to Gamaredon, a Russian state-backed threat group with a long history of targeting mainly organizations in the Ukrainian government, critical infrastructure, defense, security, and law enforcement.
Palo Alto Networks Unit 42 has detailed the inner workings of a malware called OriginLogger, which has been touted as a successor to the widely used information stealer and remote access trojan (RAT) known as Agent Tesla” (The Hacker News, 2022). Agent Tesla is a .NET based keylogger and remote access tool that allows threat actors to gain remote access to targeted systems and beacon sensitive information to an actor-controlled domain. The malware can be purchased by interested buyers on the dark web and is generally distributed through malicious spam emails as an attachment.
On Wednesday, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions against ten individuals and two other entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020. The individuals are employees and associates of Iran-based Najee Technology Hooshmand Fater LLC (Najee Technology) and Afkar System Yazd Company (Afkar System)
Security researchers unveiled another potential flaw in the technology used by auto manufacturer Tesla to unlock its cars that makes them vulnerable to theft. Whether because of Tesla's cutting-edge reputation or because techies like driving electric vehicles, Tesla seems to invite probes from white hat hackers eager to publicize how thieves could drive one away. The newest example comes from internet of things security company IOActive, which describes an attack involving two people, a customized RFID emulator and a mark who carries a Tesla near-field communication key card for a Model Y sedan.
Peiter ‘Mudge’ Zatko, former head of security, testified in front of Congress on Tuesday, sustaining that the platform ignored his security concerns and was vulnerable to cyber attacks. Zatko filed a whistleblower complaint in July with Congress, the justice department, the Federal Trade Commission and the Securities and Exchange Commission, arguing that Twitter mislead regulators and the public about its cybersecurity best practices. The expert added that ‘any employee could take over the accounts of any senator in this room.’ While serving as head of security for the company, from late 2020 until January 2022, he repeatedly alerted the management of the presence of severe vulnerabilities that could expose the platform to compromise, “I’m here today because Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors,” Zatko told the hearing.
Security researchers have noted that attackers are exploiting CVE-2022-37969 in the wild. The CVE references Microsoft Windows CLFS - Common Log File System. To leverage the driver vulnerability, an attacker must have access to targeted systems and the ability to run code on the said system (e.g., by exploiting another vulnerability or through social engineering attempts) before it can be triggered.
Treat actors are exploiting the death of Queen Elizabeth II in phishing attacks to lure their targets to sites that steal their Microsoft account credentials. In addition to Microsoft account details, the attackers also attempt to steal their victims' multi-factor authentication (MFA) codes to take over their accounts, "Messages purported to be from Microsoft and invited recipients to an 'artificial technology hub' in her honor.”
The Wordfence Threat Intelligence team warned yesterday that WordPress sites are actively targeted with exploits targeting a zero-day vulnerability in the WPGateway premium plugin. WPGateway is a WordPress plugin that allows admins to simplify various tasks, including setting up and backing up sites and managing themes and plugins from a central dashboard
As part of the September 2022 Patch Tuesday, Microsoft addressed 63 vulnerabilities including a zero-day that is actively being exploited in the wild. Of the 63 flaws, there were 18 Elevation of Privilege Vulnerabilities, 1 Security Feature Bypass Vulnerabilities, 30 Remote Code Execution Vulnerabilities, 7 Information Disclosure Vulnerabilities, and 7 Denial of Service Vulnerabilities. 5 of the 63 flaws have been rated critical in severity, all of which allow for remote code execution.
The Wordfence Threat Intelligence team warned yesterday that WordPress sites are actively targeted with exploits targeting a zero-day vulnerability in the WPGateway premium plugin. WPGateway is a WordPress plugin that allows admins to simplify various tasks, including setting up and backing up sites and managing themes and plugins from a central dashboard
As part of the September 2022 Patch Tuesday, Microsoft addressed 63 vulnerabilities including a zero-day that is actively being exploited in the wild. Of the 63 flaws, there were 18 Elevation of Privilege Vulnerabilities, 1 Security Feature Bypass Vulnerabilities, 30 Remote Code Execution Vulnerabilities, 7 Information Disclosure Vulnerabilities, and 7 Denial of Service Vulnerabilities. 5 of the 63 flaws have been rated critical in severity, all of which allow for remote code execution.
State-backed Chinese hackers have developed a Linux variant for the SideWalk backdoor used against Windows systems belonging to targets in the academic sector. The malware is attributed with high confidence to the SparklingGoblin threat group, also tracked as Earth Baku, which is believed to be connected to the APT41 cyberespionage group.
Yesterday, Apple released security updates to address multiple vulnerabilities in iOS, macOS, and iPadOS, including a new zero flaw that has been used in attacks in the wild. The zero-day which is being tracked as CVE-2022-32917 resides in the kernel and could enable a malicious application to execute arbitrary code with kernel-level privileges. Although the technical details of CVE-2022-32917 have yet to be released, Apple stated in its advisory that the bug has been resolved with improved bound checks.
The Lorenz ransomware gang now uses a critical vulnerability in Mitel MiVoice VOIP appliances to breach enterprises, using their phone systems for initial access to their corporate networks. Arctic Wolf Labs security researchers spotted this new tactic after observing a significant overlap with Tactics, Techniques, and Procedures (TTPs) tied to ransomware attacks exploiting the CVE-2022-29499 bug for initial access, as Crowdstrike reported in June. While these incidents weren't linked to a specific ransomware gang, Arctic Wolf Labs was able to attribute similar malicious activity to the Lorenz gang with high confidence.
On the morning of September 11, 2022, the U.S. Army launched a swarm of 40 s small quadcopter drones into the California desert as part of a training exercise designed to prepare America’s soldiers for a grim reality of modern war: cheap off the shelf drones capable of carrying munitions have become ubiquitous on the battlefield. As first spotted by The Warzone, the drone swarm is part of a training exercise. “MILES, and lethal munition capable” sounds ominous but references what the drone is capable of doing and the equipment it’s been equipped with. MILES is the Multiple Integrated Laser Engagement System, a kind of fancy laser tag that tracks kills and casualties.
Iranian threat actor TA453 has been sending spear-phishing emails to individuals specializing in Middle Eastern affairs, nuclear security and genome research with a social engineering twist: As opposed to a one-on-one conversation, the known actor has been including multiple fake personas on the email chain in hopes of making the attack appear more legitimate. Researchers said that the technique, which has been previously used by business email compromise (BEC) group Cosmic Lynx, is “intriguing” because attackers must leverage more resources and email addresses.
Security researchers have developed an implementation of the Sysinternals PsExec utility that allows moving laterally in a network using a single, less monitored port, Windows TCP port 135. PsExec is a legitimate tool that helps administrators execute processes remotely on machines in the network without having to install a client. Threat actors have abused the tool for post-exploitation stages of an attack, using it to spread on the network, run commands on multiple systems, and deploy malware.
Cisco has confirmed that the data leaked yesterday by the Yanluowang ransomware gang was stolen from the company network during a cyberattack in May. However, the company says in an update that the leak does not change the initial assessment that the incident has no impact on the business: “On September 11, 2022, the bad actors who previously published a list of file names from this security incident to the dark web, posted the actual contents of the same files to the same location on the dark web. The content of these files match what we already identified and disclosed. Our previous analysis of this incident remains unchanged-we continue to see no impact to our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property, or supply chain operations.”
Investigators have disrupted a major organized crime gang believed to have tricked thousands of British victims into handing over money. The UK’s National Crime Agency (NCA) and Romanian police searched two penthouse apartments in Bucharest thought to have been the nerve center for a fraud operation that targeted consumers across Europe on a “massive scale.
Threat actors are increasingly turning to a new encryption method in their ransomware attacks, designed to improve success rates, according to SentinelOne. SentinelLabs researchers Aleksandar Milenkoski and Jim Walter wrote in a new blog post that “intermittent encryption” is being heavily advertised to buyers and affiliates. Compared to traditional ransomware methods, this new encryption method offers higher speeds, and a better ability to evade threat detection tools. By only partially encrypting the victim’s files, threat actors can cause damage more quickly. The intermittent encryption will also trick statistical analysis that is commonly used by security tools to detect ransomware.
The U.S. Treasury Department on Friday announced sanctions against Iran's Ministry of Intelligence and Security (MOIS) and its Minister of Intelligence, Esmaeil Khatib, for engaging in cyber-enabled activities against the nation and its allies” (The Hacker News, 2022). According to the Treasury, the MOIS and its cyber actor proxies have engaged in malicious cyber operations targeting a range of government and private-sector organizations around the world and across various critical infrastructure sectors since at least 2017. More recently, in mid-July of this year, Iranian state-sponsored threat actors targeted Albanian government computer systems, forcing the government to temporarily suspend its online services. As a result, the Albanian government announced on September 7, 2022, that it would be serving diplomatic ties with Iran.
China recently blamed the U.S National Security Agency for conducting cyberattacks aimed at aeronautical and military research-oriented Northwestern Polytechnical University in the city of Xi'an in June 2022. The National Computer Virus Emergency Response Centre (NCVERC) disclosed its findings last week, and accused the Office of Tailored Access Operations (TAO) at the USA's National Security Agency (NSA) of orchestrating thousands of attacks against the entities located within the country.
A new version of the Bumblebee malware loader has been spotted in the wild, featuring a new infection chain that uses the PowerSploit framework for stealthy reflective injection of a DLL payload into memory. Bumblebee was discovered in April, involved in phishing campaigns believed to be orchestrated by the same actors behind BazarLoader and TrickBot, i.e., the Conti syndicate. According to a report by Cyble, based on a finding by threat researcher Max Malyutin, the authors of Bumblebee are preparing a comeback from the summer hiatus of spam operations, using a new execution flow.
Researchers discovered a new attack technique they are calling “GIFShell” which allows threat actors to abuse Microsoft Teams to execute commands and steal data using GIFs. Attackers are able to string together various Microsoft Teams vulnerabilities and flaws to deliver malicious files, commands, and perform data exfiltration using GIFs. The exfiltration is done through Microsoft’s own servers, which will make the malicious traffic harder to detect by security software.
CISA has added 12 more security flaws to its list of bugs exploited in attacks, including two critical D-Link vulnerabilities and two (now-patched) zero-days in Google Chrome and the Photo Station QNAP software. The Google Chrome zero-day (CVE-2022-3075) was patched on September 2nd via an emergency security update after the company was made aware of in-the-wild exploitation.
In August 2022, Cyble Research & Intelligence Labs (CRIL) discovered and reported an alarming trend of exploitation of the Zimbra Collaborative Suite (ZCS) by cybercriminals. During their routine monitoring of threat activities in various cybercrime forums to gauge the impact of cyberattacks, they discovered an instance wherein the web shell accesses to multiple email servers operating on Zimbra Collaboration Suite (ZCS) were auctioned in a Russian cybercrime forum. The impacted email servers were allegedly vulnerable to the authentication bypass remote code execution (RCE) vulnerability.
The North Korean state-sponsored crime ring Lazarus Group is behind a new cyberespionage campaign with the goal to steal data and trade secrets from energy providers across the US, Canada and Japan. The Lazarus Group is perhaps best known for the infamous WannaCry attacks and a ton of cryptocurrency theft. Now it's going after the troubled energy markets run by its foes. In research published today, Cisco Talos threat researchers say they observed malicious activity attributed to Lazarus Group between February and July. The reconnaissance and spy campaigns targeted "multiple victims."
Microsoft's threat intelligence division on Wednesday assessed that a subgroup of the Iranian threat actor tracked as Phosphorus is conducting ransomware attacks as a "form of moonlighting" for personal gain. The tech giant, which is monitoring the activity cluster under the moniker DEV-0270 (aka Nemesis Kitten), said it's operated by a company that functions under the public aliases Secnerd and Lifeweb, citing infrastructure overlaps between the group and the two organizations.
Cisco says that a new authentication bypass flaw affecting multiple small business VPN routers will not be patched because the devices have reached end-of-life (EoL). This zero-day bug (CVE-2022-20923) is caused by a faulty password validation algorithm that attackers could exploit to log into the VPN on vulnerable devices using what the company describes as "crafted credentials" if the IPSec VPN Server feature is enabled.
The Armed Forces General Staff agency of Portugal (EMGFA) has suffered a cyberattack that allegedly allowed the theft of classified NATO documents, which are now sold on the dark web. EMGFA is the government agency responsible for the control, planning, and operations of the armed forces of Portugal.
Los Angeles Unified School District (LAUSD), the largest public school system in California and the 2nd largest public school district in the United States, revealed that last weekend it had been the victim of a ransomware incident that impacted its Information Technology (IT) systems. The LAUSD had 664,774 students enrolled for the 2020–2021 school year, including 50,805 adult students and 124,400 students attending independent charter schools. During the same academic year, it had 25,088 teachers and 50,586 other employees.
Google says some former Conti ransomware gang members, now part of a threat group tracked as UAC-0098, are targeting Ukrainian organizations and European non-governmental organizations (NGOs). UAC-0098 is an initial access broker known for using the IcedID banking trojan to provide ransomware groups with access to compromised systems within enterprise networks.
On Tuesday, networking equipment manufacturer Zyxel rolled out firmware patches to address a critical security flaw impacting its network-attached storage devices. Tracked as CVE-2022-34747 (CVSS score: 9.8), the flaw is related to a format string vulnerability. According to Zyxel, CVE-2022-34747 was found in a specific binary of Zyxel NAS products and could enable an attacker to achieve unauthorized remote code execution via a specially crafted UDP packet.
Security researcher Shaposhnikov IIya has been credited for discovering the vulnerability.
Below is a list of the impacted Zxyel NAS devices:
An international law enforcement operation has resulted in the dismantling of WT1SHOP, an online criminal marketplace that specialized in the sales of stolen login credentials and other personal information. The seizure was orchestrated by Portuguese authorities, with the U.S. officials taking control of four domains used by the website: ‘wt1shop[.]net,’ ‘wt1store[.]cc,’ "wt1store[.]com,’ and ‘wt1store[.]net.
Palo Alto Network’s Unit 42 researchers reported a new wave of attacks launched by the Moobot botnet that target vulnerable D-Link routers. The recent wave of attacks started in August, and have been exploiting both old and new exploits (T1190). “The Mirai-based Moobot botnet was first documented by Palo Alto Unit 42 researchers in February 2021, in November 2021, it started exploiting a critical command injection flaw (CVE-2021-36260) in the webserver of several Hikvision products”
A newly discovered cyber-espionage group has been hacking governments and high-profile companies in Asia since at least 2020 using a combination of custom and existing malicious tools. The threat group, tracked as Worok by ESET security researchers who first spotted it, has also attacked targets from Africa and the Middle East. To date, Worok has been linked to attacks against telecommunications, banking, maritime, and energy companies, as well as military, government, and public sector entities.
On Friday, Google rolled out fixes to address a high-severity zero-day bug in the Chrome web browser. Tracked as CVE-2022-3075, the vulnerability is caused due to insufficient data validation in Mojo, a collection of runtime libraries that facilitates message passing across arbitrary inter- and intra-process boundaries. The flaw was discovered by a security researcher who anonymously reported it to Google. Since then, the company has issued a fix, releasing Chrome 105.0.5195.102 for Windows, Mac, and Linux.
Researchers from Fox-IT, published a blog focusing on an upgraded version of the SharkBot mobile malware (T1587.001) which was seen uploaded to the Google Play Store (T1608.001). The updated version of the malware targets the banking credentials of Android users through malicious applications. Fox-IT notes that between the malicious apps, there have been roughly 60,000 installations. The apps have been removed from the Google Play Store and most notably are titled “Mister Phone Cleaner” and “Kylhavy Mobile Security.
A "major" security issue in the Google Chrome web browser, as well as Chromium-based alternatives, could allow malicious web pages to automatically overwrite clipboard content without requiring any user consent or interaction by simply visiting them. The clipboard poisoning attack is said to have been accidentally introduced in Chrome version 104, according to developer Jeff Johnson.
Chile's national computer security and incident response team (CSIRT) has announced that a ransomware attack has impacted operations and online services of a government agency in the country. The attack started on Thursday, August 25, targeting Microsoft and VMware ESXi servers operated by the agency. The hackers stopped all running virtual machines and encrypted their files, appending the ".crypt" filename extension.
Researchers at IBM recently uncovered similarities between a malicious component used in Raspberry Robin infection chain and a Dridex malware loader, further strengthening the operator’s connection to the Russia-based Evil Corp group. First discovered in September 2021, Raspberry Robin is a worm that spreads via external drives. Since its discovery, the worm has remained in the shadows for nearly a year. However, in July 2022, Microsoft observed FakeUpdates (aka SocGholish) malware being delivered via existing Raspberry Robin infections, with potential connections identified between DEV-0206 and DEV-0243.
NFL's San Francisco 49ers are mailing notification letters confirming a data breach affecting more than 20,000 individuals following a ransomware attack that hit its network earlier this year. The San Francisco Bay Area professional American football team confirmed that personal information (including names and Social Security numbers) belonging to 20,930 impacted individuals was accessed and/or stolen in the attack between February 6 and February 11, 2022.
Cyble Research & Intelligence Labs started its investigation after seeing a post on Twitter a new JavaScript skimmer developed by the Magecart threat group used to target Magento e-commerce websites. In Magecart attacks against Magento e-stores, attackers attempt to exploit vulnerabilities in the popular CMS (T1190) to gain access to the source code of the website and inject malicious JavaScript (T1059.007). The malicious code is designed to capture payment data (credit/debit owner’s name, credit/debit card number, CVV number, and expiry date) from payment forms and checkout pages. The malicious code also performs some checks to determine that data are in the correct format, for example analyzing the length of the entered data.
The U.S. National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have released tips today on securing the software supply chain. This guidance is designed by the Enduring Security Framework (ESF)—a public-private partnership that works to address threats to U.S. critical infrastructure and national security systems—to serve as a collection of suggested practices for software developers.
Apple has released an iOS 12 update for older iPhone and iPad devices, patching a vulnerability that was reportedly exploited by threat actors. According to a document published by the company on Wednesday, August 31, the flaw would allow the processing of maliciously crafted web content, which in turn led to arbitrary code execution.
Security researchers are raising the alarm about mobile app developers relying on insecure practices that expose Amazon Web Services (AWS) credentials, making the supply chain vulnerable. Malicious actors could take advantage of this to access private databases, leading to data breaches and the exposure of customers' personal data.
A new security framework for the UK’s telecommunications industry is set to come into effect in October, making the UK’s telecoms security regulations among the strongest in the world. A response to a public consultation was published by the UK government on August 30, 2022, and set out the changes made to the draft regulations and code of practice ahead of the planned commencement of the new framework in October 2022.
The operators of the emerging cross-platform BianLian ransomware have increased their command-and-control (C2) infrastructure this month, a development that alludes to an increase in the group's operational tempo. The earliest known C2 server associated with BianLian is said to have appeared online in December 2021. But the infrastructure has since witnessed a "troubling explosion" to surpass 30 active IP addresses.
The National Police of Ukraine (NPU) took down a network of call centers used by a cybercrime group focused on financial scams and targeting victims of cryptocurrency scams under the guise of helping them recover their stolen funds. The fraudsters behind these illegal call centers were also allegedly involved in scamming citizens of Ukraine and European Union countries interested in cryptocurrency, securities, gold, and oil investments. Throughout this cross-border fraud operation, they used software and high-tech equipment that made it possible to spoof the phone numbers of state banking organizations.
China-based threat actors have been targeting Australian government agencies and wind turbine fleets in the South China Sea by directing select individuals to a fake impersonating an Australian news media outlet. Victims landed on the fraudulent site after receiving phishing emails with enticing lures and received a malicious JavaScript payload from the ScanBox reconnaissance framework.
Threat analysts have spotted a new malware campaign dubbed ‘GO#WEBBFUSCATOR’ that relies on phishing emails, malicious documents, and space images from the James Webb telescope to spread malware. The malware is written in Golang, a programming language that is gaining popularity among cybercriminals because it is cross-platform (Windows, Linux, Mac) and offers increased resistance to reverse engineering and analysis.
The Cuba ransomware gang is taking credit for attacking the government of Montenegro, which took offline multiple government websites and services amid what officials characterize as a targeted cyberattack. Government officials in the Western Balkan nation -which has a population of 620,000 - on Friday acknowledged disruptions to online government infrastructure.
Threat analysts at McAfee found five Google Chrome extensions that steal track users’ browsing activity. Collectively, the extensions have been downloaded more then 1.4 million times. “The purpose of the malicious extensions is to monitor when users visit e-commerce website and to modify the visitor's cookie to appear as if they came through a referrer link. For this, the authors of the extensions get an affiliate fee for any purchases at electronic shops”
Data for over 2.5 million individuals with student loans from Oklahoma Student Loan Authority (OSLA) and EdFinancial was exposed after hackers breached the systems of technology services provider Nelnet Servicing. Technology services from Nelnet Servicing, including a web portal, are used by OSLA and EdFinancial to give students taking out a loan online access to their loan accounts.
Security researchers at Trend Micro recently uncovered a new ransomware strain that is being used in attacks targeting healthcare and education entities in Indonesia, Saudi Arabia, South Africa, and Thailand. Dubbed “Agenda,” the ransomware is a 64-bit Windows PE file written in the Go programming language. According to Trend Micro, “Agenda can reboot systems in safe mode, attempts to stop many server-specific processes and services, and has multiple modes to run.”
Google will now pay security researchers to find and report bugs in the latest versions of Google-released open-source software (Google OSS). The company's newly announced Vulnerability Reward Program (VRP) focuses on Google software and repository settings (like GitHub actions, application configurations, and access control rules). It applies to software available on public repositories of Google-owned GitHub organizations as well as some repositories from other platforms.
The U.S. Federal Bureau of Investigation (FBI) is warning investors that cybercriminals are increasingly exploiting security vulnerabilities in Decentralized Finance (DeFi) platforms to steal cryptocurrency. "The FBI encourages investors who suspect cyber criminals have stolen their DeFi investments to contact the FBI via the Internet Crime Complaint Center or their local FBI field office.
A critical command-injection vulnerability in multiple API endpoints of Atlassian Bitbucket Server and Data Center could allow an unauthorized attacker to remotely execute malware, and view, change, and even delete data stored in repositories. Atlassian has fixed the security holes, which are present in versions 7.0.0 to 8.3.0 of the software. There have been no reports of active exploitation in the wild. The vulnerability which is tracked as CVE-2022-36804 received a CVSS score of 9.9, and users are urged to update servers as soon as possible.
US military and intelligence entities are renewing their efforts to protect electoral procedures from hacking and disinformation before and during the November midterms elections. The news comes from the US Cyber Command (USCYBERCOM) and the National Security Agency (NSA), who published a joint blog post detailing their security capabilities on Thursday.
A Turkish-speaking entity called Nitrokod has been attributed to an active cryptocurrency mining campaign that involves impersonating a desktop application for Google Translate to infect over 111,000 victims in 11 countries since 2019. The list of countries with victims includes the U.K., the U.S., Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, and Poland.
Atlassian has published a security advisory warning Bitbucket Server and Data Center users of a critical security flaw that attackers could leverage to execute arbitrary code on vulnerable instances. Bitbucket is a Git-based code hosting, management, and collaboration tool, with Jira and Trello integration.
Members of the government in Montenegro are stating that the country is being hit with sophisticated and persistent cyberattacks that threaten the country’s essential infrastructure. Targets include electricity and water supply systems, transportation services, online portals that citizens use to access various state services, and more. Already, several power plants have switched to manual operations, while the state-managed IT infrastructure has been taken offline to contain the effect of the attacks.
In the last couple of weeks, the Microsoft Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Research Team have spotted Iran-based threat actors leveraging Log4j 2 vulnerabilities in SysAid applications to target organizations located in Israel. The actors belong to a group called MERCURY, which Microsoft assesses with high confidence to be affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
On Thursday, CISA added 10 security flaws to its list of actively exploited vulnerabilities catalog, mandating federal agencies to take action by September 15. One of the flaws is a high-severity remote code execution vulnerability in Delta Electronics DOPSoft 2, an industrial automation software used for designing and programming human-machine interfaces (HMIs). Tracked as CVE-2021-38406, the flaw is related to an out-of-bounds write issue and is exploited by tricking the targeted user to open a specially crafted project file. The vulnerability was discovered last year in September. However, at the time, CISA stated that the flaw would not be patched as the product had reached its end of life, with the vendor encouraging its customers to switch to a supported software release.
ato is assessing the impact of a data breach of classified military documents being sold by a hacker group online. The data includes blueprints of weapons being used by Nato allies in the Ukraine conflict. Criminal hackers are selling the dossiers after stealing data linked to a major European weapons maker.
LastPass, a popular password management firm suffered a data breach two weeks ago, enabling threat actors to exfiltrate the company’s source code and proprietary technical information. On Thursday, LastPass released a security advisory confirming the breach, stating that the hackers compromised a developer account to access the company’s developer environment. As of writing, LastPass has yet to disclose how the threat actors were able to compromise the developer account or what source code was stolen. However, the company confirmed that it has not found any evidence that customer data or encrypted password vaults were compromised.
The North Korean 'Kimsuky' threat actors are going to great lengths to ensure that their malicious payloads are only downloaded by valid targets and not on the systems of security researchers. According to a Kaspersky report published today, the threat group has been employing new techniques to filter out invalid download requests since the start of 2022, when the group launched a new campaign against various targets in the Korean peninsula.
The Dominican Republic's Instituto Agrario Dominicano has suffered a Quantum ransomware attack that encrypted multiple services and workstations throughout the government agency. The Instituto Agrario Dominicano (IAD) is part of the Ministry of Agriculture and is responsible for executing Agrarian Reform programs in the country.
With Cobalt Strike growing in popularity as an attack tool for various threat actors, many defenders have learned to detect and stop attacks relying on this toolkit. As a result, hackers have moved to other frameworks like Sliver that aren’t so popular and can go unnoticed by Endpoint Detection and Response (EDR) and antivirus solutions.
Attacks against Python packages continue, yesterday researchers found a phishing campaign (T1566.002) targeting the PyPI registry. The Python packages “extol” and “spam” are among hundreds seen laced with malware after attackers compromised the accounts of maintainers who fell victim to a phishing email. ”Admins of the PyPI registry confirmed yesterday a phishing email campaign had actively been targeting PyPI maintainers after Django project board member Adam Johnson reported receiving a suspicious email. The email urges developers, who have their packages published to PyPI, to undergo a mandatory "validation" process or risk getting their packages purged from the PyPI registry (T1204.001).
The threat actors behind a large-scale adversary-in-the-middle (AiTM) phishing campaign targeting enterprise users of Microsoft email services were spotted targeting Google G Suite users. The threat actors are using a proxy server between the victim and the website they user is trying to visit (T1557). The phishing site which is controlled by the threat actors allows them to monitor traffic and target the victims password and session cookie.
A new data exfiltration technique has been discovered, which uses a covert ultrasonic channel to leak sensitive information from air-gapped computers to a nearby smartphone device. The adversarial model is called “Gairoscope” and was designed by Dr. Mordechai Guri, head of research and development (R&D) in the Cyber Security Research Center at the Ben Gurion University of the Negev in Israel.
Cybersecurity researchers have discovered multiple ongoing malware distribution campaigns that target internet users who seek to download copies of pirated software. The campaign uses SEO poisoning and malvertising to push malicious shareware sites high in Google Search results, promoting fake software along with cracks and product activation key generators.
The Center Hospitalier Sud Francilien (CHSF), a 1000-bed hospital located 28km from the center of Paris, suffered a cyberattack on Sunday, which has resulted in the medical center referring patients to other establishments and postponing appointments for surgeries. CHSF serves an area of 600,000 inhabitants, so any disruption in its operations can endanger the health, and even lives, of people in a medical emergency.
On Monday, DevOps platform GitLab rolled out patches for a remote code execution vulnerability impacting its GitLab Community Edition (CE) and Enterprise Edition (EE) releases. Tracked as CVE-2022-2884, the flaw received a CVSS score of 9.9/10, indicating a critical level of severity. According to GitLab, an authenticated user can achieve remote code execution via the GitHub import API.
Below is a list of the impacted CE/EE versions:
A team of mobile security researchers has discovered backdoors in the system partition of some budget Android device models that are counterfeit versions of known brand-name models (T1036). The malware, which the Doctor Web team first discovered in July 2022, was found in at least four different smartphones: ‘P48pro’, ‘radmi note 8’, ‘Note30u’ and ‘Mate40’. The threat actors used counterfeit devices that mimicked famous brand-name models. However, instead of having the latest OS version installed, they would come pre-installed with outdated versions.
Security researchers have discovered over 80,000 Hikvision cameras vulnerable to a critical command injection flaw that's easily exploitable via specially crafted messages sent to the vulnerable web server. The flaw is tracked as CVE-2021-36260 and was addressed by Hikvision via a firmware update in September 2021. However, according to a whitepaper published by CYFIRMA, tens of thousands of systems used by 2,300 organizations across 100 countries have still not applied the security update.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added a security flaw impacting Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The high-severity vulnerability tracked as CVE-2022-0028 (CVSS score: 8.6), is a URL filtering policy misconfiguration that could allow an unauthenticated, remote attacker to carry out reflected and amplified TCP denial-of-service (DoS) attacks.
The Federal Bureau of Investigation (FBI) warns of a rising trend of cybercriminals using residential proxies to conduct large-scale credential stuffing attacks without being tracked, flagged, or blocked. Credential stuffing is a type of attack where threat actors use large collections of username/password combinations exposed in previous data breaches to try and gain access to other online platforms. Because people commonly use the same password at every site, cybercriminals have ample opportunity to take over accounts without cracking passwords or phishing any other information.
State-sponsored Iranian hacking group Charming Kitten has been using a new tool to download email messages from targeted Gmail, Yahoo, and Microsoft Outlook accounts. The name of the utility is Hyperscraper and like many of the threat actor’s tools and operations, it is far from sophisticated. The APT group uses the tool to steal emails from a victim’s inbox without leaving any traces of their intrusion. Google has attributed the still under-development tool to Charming Kitten (APT35, Phosphorus), an Iranian backed hacking group. Early samples of the malware date back to 2020.
The threat actor dubbed 'Mysterious Team' has used the Raven Storm tool to conduct distributed denial-of-service (DDoS) attacks against multiple targets. The news comes from CloudSEK, who detailed the new threat in an advisory on Sunday. The tool uses multi-threading to send multiple packets at a victim server. The device can be used to take down servers and has also carried out Wi-Fi and application layer attacks (layer 3 (network), level 4 (transport), level 5 (application). The malware can also connect to a client via botnets.
Security researchers from Resecurity “identified a new RAT (Remote Administration Tool) advertised in Dark Web and Telegram called Escanor. The threat actors offer Android-based and PC-based versions of RAT, along with HVNC module and exploit builder to weaponize Microsoft Office and Adobe PDF documents to deliver malicious code. Escanor has been for sale since January of this year, and started as a compact HVNC implant that allowed for silent remote connections to a victims computer. Over time it has transformed into a full-scale commercial RAT with robust features. On the groups Telegram channel they have over 28,000 subscribers, leading researchers to believe the tool is building a credible reputation on the dark web. The tool is thought to have borrowed functionality from other cracked version of dark web tools including Venom RAT, 888 RAT and Pandora HVNC.
According to security researchers at Sucuri, threat actors are now hacking poorly protected WordPress sites to display fake Cloudflare DDoS protection pages, enabling the download of malicious remote access trojans (RAT) like NetSupport RAT and Raccoon Stealer. “We recently discovered a malicious JavaScript injection affecting WordPress websites which results in a fake CloudFlare DDoS protection popup. Since these types of browser checks are so common on the web many users wouldn’t think twice before clicking this prompt to access the website they’re trying to visit. However, the prompt actually downloads a malicious **.**iso file onto the victim’s computer".
Cyber analysts at Zscaler recently uncovered a new campaign that is targeting employees of a chemicals manufacturer in Spain and workers of automotive and machinery makers in Mexico with banking malware. Dubbed, Grandoreiro, the banking trojan has been active since 2016 targeting Brazil and Peru, expanding to Mexico and Spain in 2019. In the latest campaign spotted by Zscaler, starting in June 2022 and still ongoing, researchers noted that Grandoreiro malware authors have added new features to evade detection and anti-analysis in addition to revamping their C2 system.
Greece's largest natural gas distributor DESFA confirmed on Saturday that they suffered a limited scope data breach and IT system outage following a cyberattack. In a public statement shared with local news outlets on Saturday, DESFA explained that hackers attempted to infiltrate its network but were thwarted by the quick response of its IT team. However, some files and data were accessed and possibly "leaked," so there was a network intrusion, even if limited.
Apple has left a VPN bypass vulnerability in iOS unfixed for at least two years, leaving identifying IP traffic data exposed, and there's no sign of a fix. Back in early 2020, secure mail provider ProtonMail reported a flaw in Apple’s iOS version 13.3.1 that prevented VPNs from encrypting all traffic. The issue was that the operating system failed to close existing connections.
In May, Amazon fixed a high-severity vulnerability in its Ring app for Android that could have allowed a malicious app installed on a user’s device to access sensitive information and camera recordings. The Ring app allows users to monitor video feeds from multiple devices, including security cameras, video doorbells, and alarm systems. The Android application has been downloaded over 10 million times. Researchers from security firm Checkmarx discovered a vulnerability in the com.ringapp/com.ring[.]nh.deeplink.DeepLinkActivity activity, which was implicitly exported in the Android Manifest and, for this reason, it was accessible to other applications on the same device.
Researchers at Secureworks recently disclosed details of a .NET based crypter dubbed DarkTortilla that is being used by threat actors to distribute info stealers and remote access trojans (RATs) including AgentTesla, AsyncRat, NanoCore, and RedLine as well as popular payloads like Cobalt Strike and MetaSploit. The malware can also be utilized to deliver “addon packages” such as additional malicious payloads, benign decoy documents, and executables. While is not known where or how much the tool is being sold for, DarkTortilla has sparked an interest in cybercriminals as it features anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.
A Google Cloud Armor customer was hit with a distributed denial-of-service (DDoS) attack over the HTTPS protocol that reached 46 million requests per second (RPS), making it the largest ever recorded of its kind. In just two minutes, the attack escalated from 100,000 RPS to a record-breaking 46 million RPS, almost 80% more than the previous record, an HTTPS DDoS of 26 million RPS that Cloudflare mitigated in June. The attack is said to have commenced on the morning of June 1, at 09:45 pacific time, targeting a customer’s HTTP/S Load Balancer with an initial 10,000 RPS. Within 8 minutes, the attack grew to 100,000 RPS, causing Google’s Cloud Armor Adaptive Protection to detect the attack and generate an alert containing signatures based on data pulled from traffic analysis. The alert included a recommended rule that the security team deployed into their security policy to block the attack traffic. However, within the next 2 minutes, the attack increased from 100,000 RPS to a record-breaking 46 million RPS. In total the attack lasted for 69 minutes, ending at 10:54 am. Since Cloud Amor was blocking the traffic, the attack slowly decreased in size after peaking.
The Cybereason Global Security Operations Center (GSOC) Team analyzed a cyberattack that involved the Bumblebee Loader and detailed how the attackers were able to compromise the entire network. Most Bumblebee infections started by users executing LNK files (T1204.002) which use a system binary to load the malware. The malware is distributed through phishing messages using a malicious attachment (T1566.001) or a link (T1566.002) to the malicious archive containing Bumblebee.
Researchers from Group-IB found a link between the ATMZOW JS Sniffer campaign and the Hancitor malware downloader. They released their findings in a blog post this week. The connection was made early this week by threat intelligence analyst Victor Okorokov from Group-IB, who said ATMZOW successfully infected at least 483 websites across four continents since the beginning of 2019. Group-IB specialists collected information about ATMZOW’s recent activity and found ties with a phishing campaign targeting clients of a US bank based on the same JS obfuscation technique.
The BlackByte ransomware is back with version 2.0 of their operation, including a new data leak site utilizing new extortion techniques borrowed from LockBit. After a brief disappearance, the ransomware operation is now promoting a new data leak site on hacker forums and through Twitter accounts the threat actor controls. With BlackByte 2.0 recently being introduced, it is unclear what technical changes were made to the ransomware encryptor. As for BlackByte’s new Tor data leak site, the ransomware operators have introduced a similar extortion strategy to that of LockBit where victims can pay on the site to extend the publishing of their data by 24 hours ($5,000), download the data ($200,000), or destroy all the data ($300,000). These prices are not set in stone as they will vary depending on the victim being targeted.
On Wednesday, Apple rolled out fixes to address two zero-day vulnerabilities that were previously exploited by threat actors to compromise several Apple products including IPhones, iPads, and Macs. The first vulnerability, tracked as CVE-2022-32804, is related to an out-of-bounds write vulnerability in the operating system’s kernel.
Researchers at Recorded Future recently attributed a multi-year mass credential theft campaign targeting global humanitarian, think tank, and government organizations to a threat group that goes by the alias RedAlpha. First identified by Citizen Lab in January 2018, the threat group has a history of conducting cyber espionage and surveillance operations directed against the Tibetan community to facilitate intelligence collection.
On Tuesday Google released a security update for the Chrome Browser to address several vulnerabilities, one of which is a high-severity zero-day flaw. Tracked as CVE-2022-2856, the vulnerability is related to the insufficient validation of untrusted input in Intents, a feature that enables the launching of applications and web services directly from a web page. While Google has not disclosed the technical details of the bug, “bad input validation in software can serve as a pathway to overriding protections or exceeding the scope of the intended functionality, potentially leading to buffer overflow, directory traversal, SQL injection, cross-site scripting, null byte injection, and more.
ESET researchers continue to monitor a cyberespionage campaign, tracked as “Operation In(ter)ception,” that has been active at least since June 2020. The campaign targets employees working in the aerospace and military sectors and leverages decoy job offer documents. In a series of tweets, ESET detailed a recent campaign from the group. They spotted a signed Mac executable disguised as a job description for Coinbase (T1036). The file was uploaded to VirusTotal from an IP in Brazil on August 11, 2022.
In the decade’s first half, simple denial-of-service tools, such as HOIC, HULK, LOIC, and Slowloris, were the go-to choices for hackers and hacktivists worldwide. When leveraged by a group in a coordinated attack like an Anonymous operation, the threat actors could launch powerful distributed denial-of-services (DDoS) attacks, resulting in more successful campaigns. But after the publication of BASHLITE’s source code in 2015 and Mirai’s source code in 2016, threat actors abandoned these old tools. They began focusing on building their own IoT botnets capable of launching much more powerful DDoS attacks.
South Staffordshire Water, a company supplying 330 million liters of drinking water to 1.6 consumers daily, has issued a statement confirming IT disruption from a cyberattack. As the announcement explains, the safety and water distribution systems are still operational, so the disruption of the IT systems doesn’t impact the supply of safe water to its customers or those of its subsidiaries, Cambridge Water and South Staffs Water” (Bleeping Computer, 2022). “This is thanks to the robust systems and controls over water supply and quality we have in place at all times, as well as the quick work of our teams to respond to this incident and implement the additional measures we have put in place on a precautionary basis,” explains the statement published on the company’s site.
An injection flaw (T1055) connected to how macOS handles software updates on the system could allow attackers to access all files on Mac devices” (Info Security Magazine, 2022). The flaw was found by macOS security specialist Patrick Wardle, who shared his findings at Black Hat. Threat actors can use the flaw to take over impacted devices. The flaw allows threat actors to escape the macOS sandbox (T1553.003) to bypass the System Integrity Protection (SIP), which enables further deployment of non-authorized code (T1059). The vulnerability was found in December of 2020, and was reported to Apple through the company’s bug bounty program.
A dozen malicious Python packages were uploaded to the PyPi repository this weekend in a typosquatting (T1036) attack that performs DDoS attacks on a Counter-Strike 1.6 server. Python Package Index (PyPi) is a repository of open-source software packages that developers can easily incorporate into their Python projects to build complex apps with minimal effort. Anyone is able to upload packages to the PyPi repository, and it can take time for malicious packages to be reported and removed. The repository has been popularly abused by threat actors who have used it to steal developer credentials, and to spread malware.
An Android banking trojan has re-emerged with new features that make it more powerful and more dangerous to a wider range of users. Also, it now delivers ransomware. The Sova Android banking malware first appeared for sale in underground markets in September last year, with its author stating that it was still under development. Even so, it still packed a punch, with the ability to harvest usernames and passwords via keylogging, stealing cookies and adding false overlays to a range of apps.
As Bleeping Computer reports, the company has since confirmed that it was targeted by a ransomware attack, and that it is working with police investigators. Many of 7-Eleven’s stores in Denmark have since reopened. 7-Eleven Denmark is not sharing much in the way of technical detail regarding the attack, which means that not only do we not know what family of ransomware might have caused the disruption but we also do not know how it might have entered the organization in the first place.
Three Nigerian nationals have been extradited from the UK to the US after allegedly participating in business email compromise (BEC) attacks that attempted to steal millions from American organizations, including universities. The alleged crimes cover jurisdictions in North Carolina, Texas and Virginia. They relate to Oludayo Kolawole John Adeagbo (aka John Edwards and John Dayo), 43, a Nigerian citizen and UK resident; Donald Ikenna Echeazu (aka Donald Smith and Donald Dodient), 40, a dual UK and Nigerian citizen; and Olabanji Egbinola, 42.
Researchers from Sonatype have discovered a new PyPI package name “secretslib” that is being used to drop a fileless cryptominer (T1496) to the memory of Linux machines. The package claims “secrets matching and verification made easy.” It currently has around 93 downloads going back to August of 2020. The package is used to stealthily run cryptominers on Linux machines directly from RAM (T1620). The package fetches a Linux executable from a remote server (T1105), which drops an ELF file called “memfd” into memory (T1027.002). A Monero crypto miner is the end result.
Researchers have discovered at least 9,000 exposed VNC (virtual network computing) endpoints that can be accessed and used without authentication, allowing threat actors easy access to internal networks. VNC (virtual network computing) is a platform-independent system meant to help users connect to systems that require monitoring and adjustments, offering control of a remote computer via RFB (remote frame buffer protocol) over a network connection.
On Thursday, the U.S. State Department announced that it would be paying a $10 million reward for information related to five high-ranking Conti ransomware members that could lead to their identification or whereabouts. As part of the announcement, the State Department revealed the face of one of these members, known as “Target.” The other four members are known as “Tramp”, “Dandis”, Professor”, and “Reshaev.”
On Thursday, August 4th around 7 AM, a Managed service provider (MSP) known as Advanced was the target of a ransomware attack that disrupted its systems. The attack resulted in a major outage to NHS emergency services across the United Kingdom. While Advanced did not reveal the identity of the ransomware group behind the attack, it stated that it had taken immediate action to mitigate the risk and isolate Health and Care environments where the incident was detected.
Security researchers from TrendMicro noticed a server hosting both a HyperBro sample and a malicious Mach-O executable named “rshell.” HyperBro is a malware family used by Iron Tiger (also known as Emissary Panda, APT27, Bronze Union, and Luckymouse), an advanced persistent threat (APT) group that has been performing cyberespionage for almost a decade, and there have been no reports of this group associated with a tool for Mac operating systems (OS). We analyzed the Mach-O sample and found it to be a new malware family targeting the Mac OS platform. TM also eventually found samples compiled for the Linux platform that belongs to the same malware family.
An automotive supplier had its systems breached and files encrypted by three different ransomware gangs over two weeks in May, two of the attacks happening within just two hours. The attacks followed an initial breach of the company's systems by a likely initial access broker (IAB) (T1078) in December 2021, who exploited a firewall misconfiguration (T1190) to breach the domain controller server using a Remote Desktop Protocol (RDP) connection.
According to researchers at AdvIntel, three groups that have splintered off from the Conti ransomware operation are adopting BaZarCall phishing tactics to gain initial access to victim networks. BazarCall, otherwise known as BazaCall, is a call-back phishing scheme that emerged in early 2021 as an attack vector used by the Ryuk ransomware operation, which later rebranded into Conti. “A BazarCall attack starts with an email informing that a subscription the recipient is allegedly paying for is about to be renewed automatically and canceling the payment is possible by calling a specific number. While the social engineer distracts the victim, the intruder determines how to compromise the network without triggering any alarm”
Yesterday, Cisco released a security advisory to address a high severity vulnerability affecting its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software. Tracked as CVE-2022-20866, the flaw is due to the mishandling of RSA keys on ASA and FTD devices. Successful exploitation of the CVE could enable an unauthenticated attacker to retrieve an RSA private key remotely, which In turn could be used by the actor to impersonate a device running Cisco ASA Software or Cisco FTD Software or to decrypt the device traffic. “This vulnerability is due to a logic error when the RSA key is stored in memory on a hardware platform that performs hardware-based cryptography. An attacker could exploit this vulnerability by using a Lenstra side-channel attack against the targeted device. A successful exploit could allow the attacker to retrieve the RSA private key,” stated Cisco in its advisory on Wednesday.
HP’s Wolf Security released new research in their quarterly report, which highlights a cybercriminal shift away from Office macros. According to the researchers, various malware spreading families are using shortcut (LNK) (T1204.002) files instead of Office macros, which are now blocked by default by Microsoft. “Specifically, the report shows an 11% rise in archive files containing malware, including LNK files. Further, the data suggests that 69% of malware detected was delivered via email, while web downloads were responsible for 17%
Last week, VMware addressed a critical authentication bypass flaw impacting several of its products including VMware Workspace ONE access, Identity Manager, and VRealize Automation. Tracked as CVE-2022-31656, a malicious actor with network access to the UI could exploit this vulnerability to gain administrative access without the need to authenticate. In addition to CVE-2022-31656, VMware also addressed a high severity SQL injection flaw (CVE-2022-31659) that could enable remote attackers to gain remote code execution.
As a part of the August 2022 patch Tuesday, Microsoft fixed 121 vulnerabilities including 17 critical ones allowing for remote execution and privilege escalation. One of the security flaws addressed by Microsoft is a high severity Windows zero-day vulnerability (CVE-2022-34713) that is being actively exploited in the wild. Dubbed DogWalk, the flaw is related to a path traversal weakness in the Windows Support Diagnostic Tool (MSDT). Successful exploitation of this zero-day could enable threat actors to gain remote code execution on compromised systems when MSDT is called using the URL protocol from a calling application, typically Microsoft Word.
On the groups telegram page, KillNet claims to have taken down websites connected with both Lockheed Martin and NASA. While the group uploaded a short video showing the alleged websites being down, the websites are operational at the time of this writing. KillNet has previously expressed their intent to target Lockheed Martin and other entities who have supported Ukraine during the current Russian invasion. KillNet has also claimed, without proof, to have dumped the data of job applicants for Lockheed Martin.
On Monday, the U.S. Treasury Department imposed sanctions on Tornado Cash, a crypto mixing service that is being used by cybercriminals to launder stolen money. Tornado cash allows its users to move cryptocurrency assets between accounts by obfuscating their origin and destination. Since its creation in 2019, the platform has been used to launder more than $7.6 billion worth of virtual assets. According to blockchain analytics firm Elliptic, thefts, hacks, and fraud account for $1.5 billion of the total assets sent through the mixer.
A new IoT botnet malware dubbed RapperBot has been observed rapidly evolving its capabilities since it was first discovered in mid-June 2022. The malware, which gets its name from an embedded URL to a YouTube rap music video in an earlier version, is said to have amassed a growing collection of compromised SSH servers, with over 3,500 unique IP addresses used to scan and brute-force their way into the servers.
Threat actors have been leveraging Open Redirect Vulnerabilities in online services and applications to bypass spam filters and deliver phishing messages. This information comes from researchers at Resecurity, they found highly trusted domains such as Snapchat and other online services were being used in attacks against several financial institutions and other online services internationally.
Popular collaboration tool Slack (not to be confused with the nickname of the world’s longest-running Linux distro, Slackware) has just owned up to a long-running cybersecurity SNAFU. According to a news bulletin entitled Notice about Slack password resets, the company admitted that it had inadvertently been oversharing personal data “when users created or revoked a shared invitation link for their workspace.” >From 2017-04-17 to 2022-07-17, Slack said that the data sent to the recipients of such invitations included the sender’s hashed password. Slack’s security advisory doesn’t explain the breach very clearly, saying merely that “[t]his hashed password was not visible to any Slack clients; discovering it required actively monitoring encrypted network traffic coming from Slack’s servers.
A zero-day vulnerability in Twitter’s code base was responsible for a major data breach that is thought to have affected 5.4 million users, the social media firm has revealed. The threat actor was hoping to sell the profile data for $30,000 on a cybercrime site. Some information was scraped from public Twitter profiles, including location and image URL. However, they were crucially able to link account emails and phone numbers with account IDs by leveraging the vulnerability.
A new social engineering campaign by the notorious North Korean Lazarus hacking group has been discovered, with the hackers impersonating Coinbase to target employees in the fintech industry. A common tactic the hacking group uses is to approach targets over LinkedIn to present a job offer and hold a preliminary discussion as part of a social engineering attack.
An extensive series of attacks detected in January used new Windows malware to backdoor government entities and organizations in the defense industry from several countries in Eastern Europe. Kaspersky linked the campaign with a Chinese APT group tracked as TA428, known for its information theft and espionage focus and attacking organizations in Asia and Eastern Europe [1, 2, 3, 4]. The threat actors successfully compromised the networks of dozens of targets, sometimes even taking control of their entire IT infrastructure by hijacking systems used to manage security solutions.
In July, a video of a robot dog with a submachine gun strapped to its back terrified the internet. Now a hacker who posts on TwHomeitter as KF@d0tslash and GitHub as MAVProxyUser has discovered that the robot dog contains a kill switch, and it can be accessed through a tiny handheld hacking device. “Good news!” d0tslash said on Twitter. “Remember that robot dog you saw with a gun!? It was made by @UnitreeRobotic. Seems all you need to dump it in the dirt is @flipper_zero. The PDB has a 433mhz backdoor.”
On Wednesday, the research team at Trellix disclosed details of an unauthenticated remote code execution vulnerability affecting multiple DrayTek routers (Vigor 3910 and 28 other DrayTek models sharing the same codebase). Tracked as CVE-2022-32548, the flaw received a CVSS score of 10/10, indicating a critical level of severity. “The attack can be performed without user interaction if the management interface of the device has been configured to be internet facing. A one-click attack can also be performed from within the LAN in the default device configuration,” stated Philippe Laulheret, a senior security researcher at Trellix.
Security researchers found a new service called Dark Utilities that provides an easy and inexpensive way for cybercriminals to set up a command and control (C2) center for their malicious operations. A C2 server is how adversaries control their malware in the wild, sending out commands, configurations and new payloads, and receiving data collected from compromised systems. The Dark Utilities service provides threat actors a platform that supports Windows, Linux, and Python-based payloads, and eliminates the effort associated with implementing a C2 communication channel.
The Cybersecurity & Infrastructure Security Agency (CISA) has added a recently disclosed flaw in the Zimbra email suite, tracked as CVE-2022-27924, to its Known Exploited Vulnerabilities Catalog. In middle June, researchers from Sonarsource discovered the high-severity vulnerability impacting the Zimbra email suite, tracked as CVE-2022-27924 (CVSS score: 7.5). It can be exploited by an unauthenticated attacker to steal login credentials of users without user interaction.
Attackers are exploiting a well-known open redirect flaw to phish people’s credentials and personally identifiable information (PII) using American Express and Snapchat domains, researchers have found. Threat actors impersonated Microsoft and FedEx among other brands in two different campaigns, which researchers from INKY observed from mid-May through late July, they said in a blog post published online. Attackers took advantage of redirect vulnerabilities affecting American Express and Snapchat domains, the former of which eventually was patched while the latter still is not, researchers said.
Yesterday, Cisco rolled out fixes to address several vulnerabilities impacting its Small business VPN routers. In total, Cisco addressed 3 vulnerabilities, which have been tracked as CVE-2022-20842 (RCE & DoS vulnerability), CVE-2022-20827 (command injection vulnerability), and CVE-2022-20841 (command injection vulnerability). The exploitation of these bugs could enable unauthenticated, remote attackers to execute arbitrary code or commands and trigger denial of service conditions on vulnerable devices.
Russian entities are being targeted by unknown attackers to spread a newly discovered malware that allows them to remotely control and steal information from compromised devices. Dubbed Woody Rat, the remote access trojan comes with a wide range of capabilities including collecting system information, listing folders and running processes, executing commands and files received from its command-and-control (C2) server, downloading, uploading, and deleting files on infected machines, and taking screenshots.
Hackers apparently angry over the Iranian opposition group Mojahedin-e Khalq’s upcoming conference in Albania carried out disruptive cyberattacks on Albanian government sites last month, researchers from the cybersecurity firm Mandiant said Thursday. Based on the timing of the attacks in July, technical indicators associated with the malware and the focus on MEK, the researchers are moderately confident that hackers working to further the Iranian government’s goals were behind the attack, they said. The attacks, which forced the government of Albania to shut down online access to multiple government services, may have included a previously unknown backdoor called “ChimneySweep,” and a newly discovered ransomware tool known as “RoadSweep” to attack the government systems, the researchers said.
CVE-2020-2509 was added to CISA’s Known Exploited Vulnerabilities Catalog in April 2022, and it was listed as one of the “Additional Routinely Exploited Vulnerabilities in 2021” in CISA’s 2021 Top Routinely Exploited Vulnerabilities alert. However, CVE-2020-2509 has no public exploit, and no other organizations have publicly confirmed exploitation in the wild.
Yesterday, VMware released a security advisory to address a critical authentication bypass flaw affecting local domain users in several VMware products. Tracked as CVE-2022-31656, the flaw received a CVSS score of 9.8/10 and impacts VMware Workspace ONE Access, Identity Manager, and vRealize Automation. If exploited successfully, “a malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate,” stated VMware in its advisory.
Researchers at Cisco Talos recently uncovered a new post-exploitation attack framework that is being deployed in the wild as an alternative to the widely abused Cobalt Strike toolset. Dubbed Manjusaka, the framework uses implants written in the cross-platform Rust programming language, while its binaries are written in GoLang. Manjusaka comes with a RAT and file management module, each featuring distinct capabilities. Similar to Cobalt Strike, its RAT implant supports command execution, file access, network reconnaissance, and more.
Cyble Research Labs has been actively monitoring various Stealers and blogging about them to keep our readers aware and informed. Recently, we came across a malware sample which turned out to be a new malware variant named “LOLI Stealer.”
The TA sells this stealer for fairly low prices, as listed below:
An unidentified hacker used an exploit to drain funds from more than 7,000 cryptocurrency wallets on the Solana blockchain as of Wednesday morning. Solana confirmed on Twitter the extent of the hack that began Tuesday night. Outside cryptocurrency analysis firms have placed the losses at roughly $5 million worth of Solana currencies. Solana has not provided its own estimate. Solana says it has not yet identified the source of the exploit and is still investigating the attack. However, it appears to have affected “a software dependency shared by several software wallets,” Solana head of communications Austin Federa wrote on Twitter Tuesday night. The exploit allowed the attacker to sign transactions as users themselves, suggesting private keys were compromised. Researchers at cryptocurrency analysis firm Elliptic also suggested the attack was software-based.
Two universal and seemingly innocuous browser features – the ability to create bookmarks (aka “favorites”) and browser synchronization – make users’ lives easier, but may also allow hackers to establish a covert data exfiltration channel. Malicious browser extensions are a known and widespread threat, used by attackers to perform actions such as stealing passwords, exfitrating email data or delivering additional malware. Some attackers have also recently managed to exploit Chrome’s syncing feature and use an extension to connect their computer directly to a targeted workstation, creating a covert channel for remote data manipulation, but also (concievably) for data exfiltration and C&C communication.
Security researcher Derek Abdine has published an advisory about vulnerabilities that exist in the MIT-licensed muhttpd web server. This web server is present in Arris firmware which can be found in several router models. muhttpd (mu HTTP deamon) is a simple but complete web server written in portable ANSI C. It has three major goals: Be simple, be portable, and be secure. Simplicity was the main goal for muhttpd, but because of its simplicity and broad use, it also must prioritize security.
Security researchers at CloudSEK, uncovered thousands of mobile applications that are exposing Twitter API keys to the public. In turn, these keys could enable threat actors to take over users’ Twitter accounts that are associated with the app. The discovery was made possible after CloudSEK examined large app sets for potential data leaks. To their surprise, researchers uncovered 3,207 apps leaking a valid Consumer Key and Consumer Secret for the Twitter API.
On July 30, 2022, a group of hackers who operate under the name “Andrastea” took to a popular hacking forum, claiming they had breached MBDA by leveraging critical network vulnerabilities. MBDA is one of the largest missile developers and manufacturers in Europe. It currently makes 45 different missile types, with another 15 in development, including air-to-air, surface-to-air, air-to-surface, anti-ship, anti-tank, and multiple-launcher systems.
A 24-year-old Australian national has been charged for his purported role in the creation and sale of spyware for use by domestic violence perpetrators and child sex offenders. Jacob Wayne John Keen, who currently resides at Frankston, Melbourne, is said to have created the remote access trojan (RAT) when he was 15, in addition to working as the administrator for the tool from 2013 until its shutdown in 2019 by the authorities.
The ALPHV ransomware gang, aka BlackCat, claimed responsibility for a cyberattack against Creos Luxembourg S.A. last week, a natural gas pipeline and electricity network operator in the central European country. Creos’ owner, Encevo, who operates as an energy supplier in five EU countries, announced on July 25 that they had suffered a cyberattack the previous weekend, between July 22 and 23. While the cyberattack had resulted in the customer portals of Encevo and Creos becoming unavailable, there was no interruption in the provided services.
Akamai Technologies squelched the largest-ever distributed denial-of-service (DDoS) attack in Europe earlier this month against a company that was being consistently hammered over a 30-day period. According to the cybersecurity and cloud services vendor, the height of the attack hit on July 21, when over a 14-hour period it peaked at 659.6 million packets per second (Mpps) and 853.7 gigabits per second (Gbps).
The independent agency of the United States federal government Federal Communications Commission (FCC) alerted mobile users to an uptick in SMS (Short Message Service) phishing campaigns that aim to steal their money and snatch their private data. Threat actors behind these types of attacks, also known as smishing or robotexts, may employ a variety of enticements to deceive targets into disclosing sensitive information. As defined in one of our previous articles, smishing is a type of phishing attack in which cybercriminals use text messages to trick their victims into opening malicious attachments or clicking on malicious links.
On Thursday, Nozomi Networks disclosed details of a vulnerability in Dahua’s Open Network Video Interface (ONVIF) Forum Standard implementation, which, when exploited, can lead to seizing control of IP cameras. Tracked as CVE-2022-30563, the flaw received a CVSS score of 7.4, indicating a high level of severity. According to Nozomi Networks, the vulnerability could be abused by attackers to “compromise network cameras by sniffing a previous unencrypted ONVIF interaction and replaying the credentials in a new request towards the camera.”
Spanish Law enforcement officials recently arrested two individuals suspected of hacking the country’s Radioactivity Alert Network (RAR). RAR is a network of gamma radiation sensors that is operated by Spain’s General Directorate of Civil Protection and Emergencies (DGPCE). The system is deployed in certain parts of Spain, especially near nuclear power plants, in order to monitor excessive radiation levels.
On July 26, 2022, Microsoft researchers discovered that the FakeUpdates malware was being distributed via Raspberry Robin malware. Raspberry Robin is a Windows worm discovered by cybersecurity researchers from Red Canary, the malware propagates through removable USB devices (T1091)” (Security Affairs, 2022). The malware was first spotted in September of 2021. It’s malicious code uses Windows Installer (T1543.003) to reach out to QNAP-associated domains to download a malicious DLL (T1105). It uses TOR exit nodes as a backup C2 infrastructure (T1090.003). It has been targeting the technology and manufacturing industries, through infected removable drives, most commonly USB devices.
Recenlty Atlassian released security updates to address a critical hardcoded credentials vulnerability in Confluence Server and Data Center tracked as CVE-2022-26138. A remote, unauthenticated attacker can exploit the vulnerability to log into unpatched servers. Once installed the Questions for Confluence app (versions 2.7.34, 2.7.35, and 3.0.2), a Confluence user account with the username “disabledsystemuser” is created. The account allows administrators to migrate data from the app to Confluence Cloud. The bad news is that the account is created with a hard-coded password and is added to the confluence-users group, which allows viewing and editing all non-restricted pages within Confluence by default.
A new phishing as a service (PhaaS) platform named 'Robin Banks' has been launched, offering ready-made phishing kits targeting the customers of well-known banks and online services. The targeted entities include Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, Lloyds Bank, the Commonwealth Bank in Australia, and Santander. Additionally, Robin Banks offers templates to steal Microsoft, Google, Netflix, and T-Mobile accounts.
With Microsoft taking steps to block Excel 4.0 (XLM or XL4) and Visual Basic for Applications (VBA) macros by default across Office apps, malicious actors are responding by refining their new tactics, techniques, and procedures (TTPs). According to ProofPoint, “the use of VBA and XL4 Macros decreased approximately 66% from October 2021 through June 2022.” In its place, adversaries are increasingly pivoting away from macro-enabled documents to other alternatives, including container files such as ISO and RAR as well as Windows Shortcut (LNK) files in campaigns to distribute malware.
The peer-to-peer network IPFS offers an ingenious base for cyberattacks and is seeing a stratospheric increase in malicious hosting. The distributed, peer-to-peer (P2P) InterPlanetary File System (IPFS) has become a hotbed of phishing-site storage: Thousands of emails containing phishing URLs utilizing IPFS are showing up in corporate inboxes. According to a report from Trustwave SpiderLabs, the company found more than 3,000 of these emails within its customer telemetry in the last three months. They lead victims to fake Microsoft Outlook login pages and other phishing webpages.
According to research by Intel 471, threat actors are using Discord and Telegram to spread malware. These apps have elements which allow users to create and share programs inside the platform. Using the platform as a host, threat actors can distribute and execute malware (T1204.002) that allows them to steal credentials or other information from an unsuspecting user. Intel 471 researchers have discovered several information stealers that are freely available for download that rely on Discord or Telegram for their functionality.
System administrators have even less time to patch disclosed security vulnerabilities than previously thought, as a new report shows threat actors scanning for vulnerable endpoints within 15 minutes of a new CVE being publicly disclosed. According to Palo Alto's 2022 Unit 42 Incident Response Report, hackers are constantly monitoring software vendor bulletin boards for new vulnerability announcements they can leverage for initial access to a corporate network or to perform remote code execution.
Microsoft says attackers increasingly use malicious Internet Information Services (IIS) web server extensions to backdoor unpatched Exchange servers as they have lower detection rates compared to web shells. Because they're hidden deep inside the compromised servers and often very hard to detect being installed in the exact location and using the same structure as legitimate modules, they provide attackers' with a perfect and durable persistence mechanism.
A threat actor going by 'Beeper' is allegedly seeking a partner to coordinate a cyber attacks against an unspecific managed service provider (MSP). The post was noticed by security researchers at ZeroFox, who found the message on a Russian language dark web forum called exploit[.]in. The actor claims to have access to the MSP’s administrative panel. According to the threat actors, the MSP manages 50 different US based companies located in the same time zone. The resources impacted include over 100 VMware ESXi instances and 1,000 servers that likely contain sensitive data.
Woburn, MA – July 26, 2022 – No More Ransom, the initiative launched to help victims of ransomware decrypt their files, has celebrated its six-year anniversary. Since the launch, it has grown from four partners to 188 and has contributed 136 decryption tools covering 165 ransomware families. In doing so, it has helped more than 1.5 million people decrypt their devices all over the world, with the project available in 37 languages.
Untested threat actor “Beeper” is seeking a partner to coordinate a large-scale cyber-attack against the clients of an unspecified managed service provider (MSP) on the Russian language Deep Web forum exploit[.]in. The actor claims to have access to the MSP’s administrative panel, where they currently manage resources for more than 50 different U.S.-based companies located in approximately the same time zone. These resources allegedly include more than 100 VMware instances and 1,000 servers that almost certainly contain sensitive data.
On Monday, Claroty disclosed two critical security flaws impacting FiveWave’s mobile device management system that could be leveraged to carry out remote attacks and seize control of devices connected to the system. “The vulnerabilities are remotely exploitable and enable an attacker to bypass authentication mechanisms and gain full control over the MDM platform and its managed devices," Claroty security researcher Noam Moshe said in a report.
Researchers from Kaspersky have spotted a UEFI firmware rootkit, named CosmicStrand, which has been attributed to an unknown Chinese-speaking threat actor. This malware was first spotted by Chinese firm Qihoo360 in 2017. While the initial attack vector is unclear, the rootkit has been located on firmware images of Gigabyte and ASUS motherboards, which are designed using the H81 chipset (T1542.001). It is likely a common vulnerability is being exploited by attackers to inject the rootkit into the firmware’s image. “In these firmware images, modifications have been introduced into the CSMCORE DXE driver, whose entry point has been patched to redirect to code added in the .reloc section. This code, executed during system startup (T1547), triggers a long execution chain which results in the download and deployment of a malicious component inside Windows.” reads the analysis published by the experts. “Looking at the various firmware images we were able to obtain, we assess that the modifications may have been performed with an automated patcher. If so, it would follow that the attackers had prior access to the victim’s computer in order to extract, modify and overwrite the motherboard’s firmware.
The prolific Lockbit ransomware gang appears to have claimed another two scalps in recent days: the Canadian town of St Marys and the Italian tax agency. The local administration at St Marys explained in an update on Friday that the attack occurred last Wednesday, locking an internal server and encrypting data on it. “Upon learning of the incident, staff took immediate steps to secure any sensitive information, including locking down the town’s IT systems and restricting access to email. The town also notified its legal counsel, the Stratford Police Service and the Canadian Centre for Cyber Security,” a statement read.
Researchers at Securonix recently uncovered a campaign that is targeting high-value organizations in the Czech Republic, Poland, and other European countries with Konni malware. Konni is a remote access trojan that has been associated with North Korean cyberattacks since 2014. Like any other RAT, Konni is capable of establishing persistence and performing privilege escalation on the host.
A new version of the Amadey Bot malware is distributed through the SmokeLoader malware, using software cracks and keygen sites as lures (T1608.001). Amadey Bot is a malware strain discovered four years ago, capable of performing system reconnaissance, stealing information, and loading additional payloads. Amadey has been around for some time, but it’s distribution dwindled in 2020. Korean researchers at AhnLab found that a new strain of Amadey is being spread by the SmokeLoader malware. Amadey had historically used a piece of malware called Fallout as well as the Rig exploit kit. ”SmokeLoader is downloaded and executed voluntarily by the victims, masked as a software crack or keygen.
The latest Google Chrome update includes 11 security fixes, some of which could be exploited by an attacker to take control of an affected system. Google Chrome’s Stable channel has been updated to 103.0.5060.134 for Windows, Mac, and Linux, and the new version will roll out over the coming days/weeks. Of the 11 security fixes five are use-after-free issues, including four that are marked with a severity of “high.” Use after free (UAF) vulnerabilities occur because of the incorrect use of dynamic memory during a program’s operation.
Earlier this month, Google addressed a high severity zero-day vulnerability impacting its Chrome browser. Tracked as CVE-2022-2294, the flaw is related to a memory corruption bug in the WebRTC component of Chrome browser which, if successfully exploited, could lead to shellcode execution on the target device. While Google stated that the vulnerability was being exploited in attacks in the wild, the tech firm did not disclose the details of such attacks.
Ukrainian media group TAVR Media confirmed on Thursday that it was hacked to spread fake news about President Zelenskiy being in critical condition and under intensive care. The company stated on Facebook that the cyber attack was carried out on the servers and networks of TAVR Media radio stations. According to the State Service of Special Communications and Information Protection of Ukraine (SSCIP), the network operates nine major Ukrainian radio stations, including Hit FM, Radio ROKS, KISS FM, Radio RELAX, Melody FM, Nashe Radio, Radio JAZZ, Classic Radio, and Radio Bayraktar.
Researchers from Cyble Research Labs discovered new IoCs related to the QakBot malware. QakBot has been leveraging a mass phishing campaign to target victims with a password-protected Zip file which contains an ISO file (T1566.001). The ISO file, when executed by the victim (T1204.002), will show a .lnk file masquerading as a PDF file (T1036.005). If the victim opens the .lnk file, the system is infected with QakBot malware.
Microsoft is rolling out a new security default for Windows 11 that will go a long way to preventing ransomware attacks that begin with password-guessing attacks and compromised credentials. The new account security default on account credentials should help thwart ransomware attacks that are initiated after using compromised credentials or brute-force password attacks to access remote desktop protocol (RDP) endpoints, which are often exposed on the internet. RDP remains the top method for initial access in ransomware deployments, with groups specializing in compromising RDP endpoints and selling them to others for access.
Google has released Chrome version 103.0.5060.134 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.
Oracle has released its Critical Patch Update for July 2022 to address 349 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Oracle July 2022 Critical Patch Update and apply the necessary updates.
Details have emerged on how the Conti ransomware gang breached the Costa Rican government, showing the attack's precision and the speed of moving from initial access to the final stage of encrypting devices. This is the last attack from the Conti ransomware operation before the group transitioned to a different form of organization that relies on multiple cells working with other gangs.
A large software development company whose software is used by different state entities in Ukraine was at the receiving end of an "uncommon" piece of malware, new research has found. The malware, first observed on the morning of May 19, 2022, is a custom variant of the open source backdoor known as GoMet and is designed for maintaining persistent access to the network. "This access could be leveraged in a variety of ways including deeper access or to launch additional attacks, including the potential for software supply chain compromise," Cisco Talos said in a report.
Atlassian recently patched a critical hard-coded credentials vulnerability affecting the Questions for Confluence app for Confluence Server and Confluence Data Center. According to Atlassian, when the app is enabled on Confluence Server or Data Center, it creates a Confluence user account with the username “disabledsystemuser.” While Atlassian says this account is designed to aid administrators that are migrating data from the app to Confluence cloud, the account is created with a hardcoded password and is added to the confluence-users group by default. In turn, this could allow an unauthorized individual to view and edit all non-restricted pages within Confluence.
Around June 24 2022, out of over 4.7 million hosts Censys observed in Russia, Censys discovered two Russian hosts containing an exploitation tool, Metasploit, and Command and Control (C2) tool, Deimos C2. Historical analysis indicated one of these Russian hosts also used the tool PoshC2. These tools allow penetration testers and hackers to gain access to and manage target hosts. Censys then used details from the PoshC2 certificate to locate, among hosts elsewhere in the world including the U.S., two additional Russian hosts also using the PoshC2 certificate. Censys data showed these two Russian hosts possessing confirmed malware packages, one of which included a ransomware kit and a file that indicated two additional Russian Bitcoin hosts.
The Department of Justice (DoJ) on Tuesday said it disrupted the activities of a North Korean state-sponsored group, known for deploying the Maui ransomware, and seized $500,000 from the actors in May. These seized funds included ransom payments made by two healthcare providers impacted by the Maui ransomware over the past year. A medical center in Kansas was hit by the Maui ransomware in May 2021 and paid a ransom of $100,000 in Bitcoin to attackers. After the unnamed Kansas-based medical center reported the incident to the FBI, U.S. authorities were able to identify the ransomware family and trace the cryptocurrency back to China-based money launderers.
The 8220 cryptomining group has expanded in size to encompass as many as 30,000 infected hosts, up from 2,000 hosts globally in mid-2021. "8220 Gang is one of the many low-skill crimeware gangs we continually observe infecting cloud hosts and operating a botnet and cryptocurrency miners through known vulnerabilities and remote access brute forcing infection vectors," Tom Hegel of SentinelOne said in a Monday report.
A Romanian man accused of distributing a computer virus that hit over 1 million computers has been extradited to the US. The suspect, 37-year-old Mihai Paunescu, allegedly ran a hosting service that helped distribute the Gozi (Ursnif) virus, which caused tens of millions of dollars of financial losses worldwide.
A new ransomware family dubbed Luna can be used to encrypt devices running several operating systems, including Windows, Linux, and ESXi systems. Discovered by Kaspersky security researchers via a dark web ransomware forum ad spotted by the company's Darknet Threat Intelligence active monitoring system, Luna ransomware appears to be specifically tailored to be used only by Russian-speaking threat actors.
Yesterday, the FBI released an alert warning financial institutions and investors about how cybercriminals are creating fraudulent cryptocurrency investment applications to steal funds from US investors. “The FBI has observed cybercriminals contacting US investors, fraudulently claiming to offer legitimate cryptocurrency investment services, and convincing investors to download fraudulent mobile apps, which the cybercriminals have used with increasing success over time to defraud the investors of their cryptocurrency,” says the FBI.
Security researchers at ESET recently disclosed details of a previously undocumented spyware that is being used to target the Apple macOS operating system. Dubbed, CloudMensis, the malware was first discovered in April 2022. Written in Objective-C programming language, CloudMensis is designed to strike both Intel and Apple silicon architectures. According to ESET, the malware exclusively uses public storage servers such as pCloud, Yandex Disk, and Dropbox to receive attacker commands and exfiltrate files.
State-backed hackers part of Russia's Federation Foreign Intelligence Service (SVR) have started using Google Drive legitimate cloud storage service to evade detection. By using online storage services trusted by millions worldwide to exfiltrate data and deploy their malware and malicious tools, the Russian threat actors are abusing that trust to render their attacks exceedingly tricky or even impossible to detect and block.
After hitting Germany, Taiwan, South Korea, Japan, the US, and the U.K. the Roaming Mantis operation moved to targeting Android and iOS users in France, likely compromising tens of thousands of devices. Roaming Mantis is believed to be a financially-motivated threat actor that started targeting European users in February.
Proofpoint researchers warn that APT groups have been regularly targeting and posing as journalists and media organizations since early 2021. The media sector is a (valuable) target for this category of attackers due to the access its operators have to sensitive information that could be aligned with the interests of state actors. The report published by Proofpoint focuses on the activities conducted by some APT actors linked to China, North Korea, Iran, and Turkey.
Researchers have disclosed details about a security vulnerability in the Netwrix Auditor application that, if successfully exploited, could lead to arbitrary code execution on affected devices. "Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain” (Bishop Fox, 2022) Auditor is an auditing and visibility platform that enables organizations to have a consolidated view of their IT environments, including Active Directory, Exchange, file servers, SharePoint, VMware, and other systems—all from a single console. Netwrix, the company behind the software, claims more than 11,500 customers across over 100 countries, such as Airbus, Virgin, King's College Hospital, and Credissimo, among others.
Cybersecurity firm Dragos recently uncovered a campaign that is infecting industrial control systems to create a botnet by leveraging a password “cracking” software for programmable logic controllers (PLCs). Threat actors are advertising the software on various social media websites, with the promise to unlock PLC and HMI (human-machine interface) terminals from Automation Direct, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Pro-Face, Allen Bradley, Weintek, ABB, and Panasonic. According to researchers at Dragos, the tool leverages a known vulnerability to retrieve passwords on command. The flaw tracked as CVE-2022-2003 is related to a case of cleartext transmission of sensitive data. If exploited successfully, it could lead to information disclosure and unauthorized changes.
Security researchers have detected a massive campaign that scanned close to 1.6 million WordPress sites for the presence of a vulnerable plugin that allows uploading files without authentication. The attackers are targeting the Kaswara Modern WPBakery Page Builder, which has been abandoned by its author before receiving a patch for a critical severity flaw tracked as CVE-2021-24284
In late June 2022, HP Wolf Security isolated an unusually stealthy malware campaign that used OpenDocument text (.odt) files to distribute malware (T1204.002). OpenDocument is an open, vendor-neutral file format compatible with several popular office productivity suites, including Microsoft Office, LibreOffice and Apache OpenOffice. As described in a blog post by Cisco Talos, the campaign targets the hotel industry in Latin America. The targeted hotels are contacted by email with fake booking requests. The malicious document was sent as an email attachment. If the user opens the document, they are shown a prompt asking whether fields with references to other files should be updated. An Excel file opens if they click ‘Yes’ to this cryptic message.
vAccording to security company Sophos, the BlackCat ransomware group has begun using Brute Ratel, a penetration testing suite that includes remote access features for attackers. We reported last week, that other threat groups have added Brute Ratel to their toolkit, along with, or instead of the popular Cobalt Strike. Sophos found several of it’s customers were impacted by BlackCat after the group exploited unpatched firewalls and VPNs connected to internal systems (T1190). “The attackers used vulnerabilities reported as early as 2018 to read memory from VPN systems and then log in as an authorized user. They dumped domain controller passwords (T1003.001) along the way, using the latter to create accounts with administrative privileges (T1078.002). They then ran a scanning tool (netscanportable.exe) (T1082, T1049, T1124) to find additional targets and then spread internally via RDP (T1021.001). The attacks targeted both Windows machines and ESXi hypervisor servers.
The advanced persistent threat (APT) group known as Transparent Tribe has been attributed to a new ongoing phishing campaign targeting students at various educational institutions in India at least since December 2021. "This new campaign also suggests that the APT is actively expanding its network of victims to include civilian users," Cisco Talos said in a report shared with The Hacker News.
On Wednesday, Microsoft uncovered a vulnerability in macOS that could allow specially crafted codes to escape App Sandbox and run unrestrtod on the system. The flaw has been tracked as CVE-2022-26706 and was included in the security updates released by Apple on May 16, 2022. Apple’s App Sandbox is an access control technology that is designed to regulate a third-party app’s access to the system resources and user data. Although the sandbox does not prevent attacks against apps, it does help reduce the impact of a successful attack by restricting the app to a minimum set of privileges it requires to function properly. According to Microsoft, it found specially crafted codes that could escape the sandbox, allowing an attacker to gain elevated privileges on the affected device or even execute malicious commands like installing additional payloads.
Researchers from Cyble released details this week on a new ransomware strain called Lilith. The group has posted their first victim on their data leak site, which will be used in double-extortion attacks. It joins RedAlert and 0mega as new members of the ransomware scene. “Lilith is a C/C++ console-based ransomware discovered by JAMESWT and designed for 64-bit versions of Windows. Like most ransomware operations launching today, Lilith performs double-extortions attacks, which is when the threat actors steal data before encrypting devices”.
VMware addressed a high-severity privilege escalation flaw, tracked as CVE-2021-22048 in vCenter Server‘s IWA (Integrated Windows Authentication) mechanism after eight months since its disclosure. It is unclear why the vulnerability did not receive a patch sooner, but attackers could have leveraged it before the patch was released, especially if exploit code is available. Unfortunately, in previous attacks, we’ve observed threat actors leveraging VMWare to deploy ransomware and disrupt business operations. Ransomware strains targeting hypervisors usually remain encrypted or become corrupted during decryption.
Socelars is a typical spyware that looks for specific information on the affected system and sends it to the threat actor. It is usually delivered as a download from other malware or by an exploit kit. On static analysis, malware contains insignificant number of imports and maybe it is using dynamic API resolution using LoadLibraryA and GetProcAddress APIs to hide its functionality.
While conducting our routine Open-Source Intelligence (OSINT) research, we came across a Twitter Post wherein the researcher mentioned an opendir website “hxxp://blindajeseguro[.]online,” which was hosting a malicious Android application. Upon analyzing the application, they observed that the Threat Actor (TA) was using the source code of the “Pro” version of AIRAVAT RAT, which the TA may have bought from the AIRAVAT author. AIRAVAT is a multifunctional Android RAT with a web panel without port forwarding. The source code of AIRAVAT’s basic version is available on Github, while the Pro version’s source code is not publicly available.
Yesterday, Microsoft disclosed a large-scale phishing campaign that targeted over 10,000 organizations since September 2021 by hijacking Office 365’s authentication process even on accounts secured with multi-factor authentication (MFA). "The attackers then used the stolen credentials and session cookies to access affected users' mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets," said Microsoft. The intrusions entailed setting up adversary-in-the-middle (AitM) phishing sites, wherein the adversary deploys a proxy server between a potential victim and the targeted website so that recipients of a phishing email are redirected to lookalike landing pages designed to capture credentials and MFA information.
As a part of the July 2022 Patch Tuesday, Microsoft patched an actively exploited high severity zero-day that impacts both server and client Windows platforms, including the latest Windows 11 and Windows Server 2022 releases. Tracked as CVE-2022-22047, the flaw is related to a local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem. According to Microsoft, successful exploitation of CVE-2022-22047 could enable a threat actor to gain SYSTEM privileges. Yesterday, CISA added the vulnerability to its list of bugs abused in the wild. Organizations have been given three weeks, until August 2nd, to patch CVE-2022-22047 and block ongoing attacks that could target their systems.
“A new data extortion group has been breaching companies to steal confidential information, threatening victims to make the files publicly available unless they pay a ransom. The gang received the name Luna Moth and has been active since at least March in phishing campaigns that delivered remote access tools (RAT) that enable the corporate data theft. Researchers have been tracking the activity of the Luna Moth ransom group, noting that the actor is trying to build a reputation using the name Silent Ransom Group (SRG). In a report earlier this month, Sygnia says that the modus operandi of Luna Moth (also tracked as TG2729) resembles that of a scammer, although the focus is on getting access to sensitive information.
“Microsoft has warned users clinging to Windows 7 and Windows 8.1 that the end really is near, “Windows 7 went out of support in 2020, but Microsoft recognized that many enterprises were quite happy where they were. For a fee, it made Extended Security Updates (ESU) available, which would at least deal with security patches.” Released in 2009, Windows 7 outlived its successor Windows 8 but now the time has come to say goodbye. If Windows is your thing, Microsoft would be more than happy to direct you to 10 or 11. There are also plenty of alternatives out there these days, certainly when compared to 2009.
GitHub Actions and Azure virtual machines (VMs) are being leveraged for cloud-based cryptocurrency mining, indicating sustained attempts on the part of malicious actors to target cloud resources for illicit purposes. "Attackers can abuse the runners or servers provided by GitHub to run an organization's pipelines and automation by maliciously downloading and installing their own cryptocurrency miners to gain profit easily," Trend Micro researcher Magno Logan said in a report last week.
The US Department of Justice (DOJ) announced last Friday that a Florida resident named Ron Aksoy has been arrested and charged for allegedly selling thousands of fraudulent and counterfeit Cisco products over the course of 12 years. Aksoy who also goes by Dave Durden is said to have run at least 19 companies formed in New Jersey and Florida, at least 15 Amazon storefronts, roughly 10 eBay storefronts, and multiple other entities with an estimated retail value of over $1 billion. According to court documents, the fake companies imported tens of thousands of counterfeit Cisco networking devices from China and Hong Kong and resold them to customers in the US and overseas, falsely representing the products as new and genuine.
Lithuanian energy company Ignitis Group was hit by what it described as its “biggest cyber-attack in a decade” on Saturday when numerous distributed denial of service (DDoS) attacks were aimed at it, disrupting its digital services and websites (T1498 - Network Denial of Service). Pro-Russian hacking group Killnet claimed responsibility for the attack on its Telegram channel on Saturday, making this the latest in a series of attacks launched by the group in Lithuania due to that country’s support for Ukraine in the war with Russia.
Microsoft has warned users clinging to Windows 7 and Windows 8.1 that the end really is near, “Windows 7 went out of support in 2020, but Microsoft recognized that many enterprises were quite happy where they were. For a fee, it made Extended Security Updates (ESU) available, which would at least deal with security patches.” Released in 2009, Windows 7 outlived its successor Windows 8 but now the time has come to say goodbye. If Windows is your thing, Microsoft would be more than happy to direct you to 10 or 11. There are also plenty of alternatives out there these days, certainly when compared to 2009.
“Lithuanian energy company Ignitis Group was hit by what it described as its “biggest cyber-attack in a decade” on Saturday when numerous distributed denial of service (DDoS) attacks were aimed at it, disrupting its digital services and websites (T1498 - Network Denial of Service). Pro-Russian hacking group Killnet claimed responsibility for the attack on its Telegram channel on Saturday, making this the latest in a series of attacks launched by the group in Lithuania due to that country’s support for Ukraine in the war with Russia” (Info Security Magazine, 2022). On July 9th, the company announced on it’s Facebook page that is had managed to limit the attack’s impact on it’s systems, and while no breaches were recorded, the company appears to be dealing with continued attacks. v
A recent wave of social media phishing schemes doubles down on aggressive scare tactics with phony account-abuse accusations to coerce victims into handing over their login details. Last week alone, Malwarebytes Labs uncovered two phishing scams, targeting Twitter and Discord (a voice, video, and text chat app). The Twitter phishing scam sends users a direct message (DM) flagging their account for use of hate speech and requesting the user authenticate the account to avoid a suspension. Users are then redirected to a fake "Twitter help center," which asks for the user's login credentials.
A new ransomware operation named ‘0mega’ targets organizations worldwide in double-extortion attacks and demands millions of dollars in ransoms. 0mega (spelled with a zero) is a new ransomware operation launched in May 2022 and has attacked numerous victims since then. While it is unclear how files are encrypted by 0mega, the ransomware appends the .Omega extension to the encrypted file’s names and creates ransom notes called DECRYPT-FILES.txt. The ransom notes are said to be customized for each victim and usually contain the company name as well as a description of the data stolen. In some cases, the notes will threaten victims to disclose the attack to business partners and trade associations if a ransom is not paid.
The maintainers of the official third-party software repository for Python have begun imposing a new two-factor authentication (2FA) condition for projects deemed "critical.” "We've begun rolling out a 2FA requirement: soon, maintainers of critical projects must have 2FA enabled to publish, update, or modify them," Python Package Index (PyPI) said in a tweet last week. "Any maintainer of a critical project (both 'Maintainers' and 'Owners') are included in the 2FA requirement," it added.”
“Fortinet FortiGuard Labs researchers observed a phishing campaign (T1566.001) that is leveraging the recently disclosed Follina security vulnerability (CVE-2022-30190, CVSS score 7.8) (T1190) to distribute the Rozena backdoor on Windows systems” (Security Affairs, 2022). Follina is a remote code execution vulnerability related to Microsoft Windows Support Diagnostic Tool (MDST). This new backdoor, dubbed Rozena is able to inject a remote shell connection back to the attacker’s machine using weaponized Office documents (T1204.002). Once clicked, the Office Document connects to an external Discord CDN URL (T1090.004) to download an HTML file.
Taiwan-based network-attached storage (NAS) maker QNAP is warning customers to secure their devices against attacks pushing Checkmate ransomware payloads. Checkmate is a recently discovered ransomware operation that first came into the spotlight in May 2022. According to QNAP, operators of the Checkmate ransomware are targeting internet-exposed QNAP devices with the SMB service enabled and accounts with weak passwords that can easily be cracked in brute-force attacks.
Since the Russian invasion, researchers at IBM’s Security X-Force team have uncovered evidence indicating that the Russia-based cybercriminal syndicate “Trickbot group” has resorted to systematically targeting Ukraine - an unprecedented shift as the group had not previously targeted Ukraine. TrickBot, aka ITG23, Gold Blackburn, and Wizard Spider, is a financially motivated cybercrime gang that is known for the development of the TrickBot banking trojan. In the past, groups like Conti have used the banking trojan to siphon account credentials and deploy ransomware payloads on victims’ systems.
Researchers from Checkmarx released details on a large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository. They have dubbed the campaign “CuteBoi”, as a tribute to the “cute” username hardcoded in many of the packages’ configuration files and to one of the non-random NPM usernames the Attacker is using, “cloudyboi12”. “Threat actors behind the campaign published 1,283 malicious modules in the repository and used over 1,000 different user accounts. The researchers uncovered the supply chain attack after noticing a burst of suspicious NPM users and packages being automatically created” (Security Affairs, 2022). Over 1200 npm packages were released to the registry by thousands of different user accounts. The process was automated and included the ability to pass NPMs 2FA challenge.
While Microsoft announced earlier this year that it would block VBA macros on downloaded documents by default, Redmond said on Thursday that it will roll back this change based on "feedback" until further notice. The company has also failed to explain the reason behind this decision and is yet to publicly inform customers that VBA macros embedded in malicious Office documents will no longer be blocked automatically in Access, Excel, PowerPoint, Visio, and Word.
The leaders of MI5 and the FBI shared the stage for the first time yesterday in a bid to warn business leaders and academics of the seriousness of the espionage threat from China. British intelligence boss Ken McCallum explained that the Communist Party and the government it controls has been engaged for years in attempts to steal “world-leading expertise, technology, research and commercial advantage” to boost China’s global standing. China is using various methods to steal intellectual property from foreign countries including having Chinese spies operating undercover, M&A and “tech transfers” from Western to Chinese firms, and are co-opting local contacts who are sometimes oblivious to what they are doing.
Researchers from Palo Alto’s Unit 42 warn this week that cybercriminals are moving away from Cobalt Strike to the newer Brute Ratel post-exploitation toolkit. The move away from the popular Cobalt Strike toolkit allows them to better evade detection by Endpoint Detection and Response (EDR) and antivirus solutions. “Corporate cybersecurity teams commonly consist of employees who attempt to breach corporate networks (red team) and those who actively defend against them (blue team). Both teams then share notes after engagements to strengthen the cybersecurity defenses of a network. For years, one of the most popular tools in red team engagements has been Cobalt Strike, a toolkit allowing attackers to deploy "beacons" on compromised devices to perform remote network surveillance or execute commands” .
On Wednesday, Cisco released security updates to address multiple vulnerabilities in the API and the web-based management interface of Cisco Expressway series and Cisco TelePresence Video Communication Server (VCS). The most severe flaw, tracked as CVE-2022-20812 (CVSS: 9), is related to an arbitrary file overwrite vulnerability in the cluster database API of Cisco Expressway Series and Cisco TelePresence VCS. Successful exploitation could allow an authenticated, remote attacker with Administrator read-write privileges on the application to conduct path traversal attacks on an affected device and overwrite files on the operating system as a root user.
OpenSSL released security fixes to address a high-severity bug in the cryptographic library that could potentially lead to remote code execution under certain scenarios. OpenSSL is a general-purpose cryptography library that offers open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, enabling users to generate private keys, create certificate signing requests (CSRs), install SSL/TLS certificates.
Military entities located in Bangladesh continue to be at the receiving end of sustained cyberattacks by an advanced persistent threat tracked as Bitter. "Through malicious document files and intermediate malware stages the threat actors conduct espionage by deploying Remote Access Trojans," cybersecurity firm SECUINFRA said in a new write-up published on July 5. The findings from the Berlin-headquartered company build on a previous report from Cisco Talos in May, which disclosed the group's expansion in targeting to strike Bangladeshi government organizations with a backdoor called ZxxZ.
Microsoft recently published a blog post uncovering a new variant of the Hive ransomware. According to Microsoft’s Threat Intelligence Center, the Hive ransomware-as-a-service has fully migrated to the Rust programming language, allowing it to adopt a more sophisticated encryption method. "Instead of embedding an encrypted key in each file that it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts and writes the sets to the root of the drive it encrypts, both with .key extension," MSTIC explained.
The FBI, CISA, and the U.S. Treasury Department issued today a joint advisory warning of North-Korean-backed threat actors using Maui ransomware in attacks against Healthcare and Public Health (HPH) organizations” (Bleeping Computer, 2022). The advisory comes after the FBI detected multiple Maui ransomware attacks against the healthcare sector starting in May 2021. According to the FBI, North Korean state-sponsored threat actors are using the Maui ransomware to target organizations responsible for healthcare services. Specifically, the threat actors are looking to encrypt electronic health records services, diagnostics services, imaging services, and intranet services. In some of these cases, cyber incidents impacted services provided by HPH sector organizations for prolonged periods of time, which could result in public safety concerns and even death.
An NPM supply-chain attack dating back to December 2021 used dozens of malicious NPM modules containing obfuscated Javascript code to compromise hundreds of downstream desktop apps and websites. As researchers at supply chain security firm ReversingLabs discovered, the threat actors behind this campaign (known as IconBurst) used typosquatting to infect developers looking for very popular packages, such as umbrellajs and ionic.io NPM modules. If fooled by the very similar module naming scheme, they would add the malicious packages designed to steal data from embedded forms (including those used for sign-in) to their apps or websites.
Yesterday, Google released Chrome 103.0.5060.114 to address a high-severity zero-day vulnerability that attackers are currently exploiting in the wild. Tracked as CVE-2022-2294, the flaw is related to a heap-based buffer overflow weakness in the WebRTC (Web Real-Time Communications) component of Chrome. For its part, WebRTC is a free and open-source project that enables real-time voice, text, and video communications capabilities between web browsers and devices. While Google has yet to share technical details about the bug, the impact of successful heap overflow exploitation can range from program crashes and arbitrary code execution to bypassing security solutions if code execution is achieved during the attack.
An anonymous threat actor is selling several databases they claim to contain more than 22 terabytes of stolen information on roughly 1 billion Chinese citizens for 10 bitcoins (approximately $195,000). The announcement was posted on a hacker forum by someone using the handle 'ChinaDan,' saying that the information was leaked from the Shanghai National Police (SHGA) database. Based on the information they shared regarding the allegedly stolen data, the databases contain Chinese national residents' names, addresses, national ID numbers, contact info numbers, and several billion criminal records.
Researchers from Lumen released details on a new malware campaign leveraging infected SOHO routers to target victims in North America and Europe. The malware called ZuoRat, shows a high level of sophistication and samples date back to 2020. Lumen researchers believe the malware may have attribution to a state sponsored threat actor, due to it’s complexity. ”SOHO is short for small office/home office and SOHO routers are hardware devices that route data from a local area network (LAN) to another network connection. Modern SOHO routers have almost the same functions as home broadband routers, and small businesses tend to use the same models. Some vendors also sell routers with advanced security and manageability features, but most SOHO devices are only monitored in exceptional cases.
Macmillan, one of the largest book publishers in the U.S., said it has been hit by a cyberattack that forced it to shut down its IT systems. Macmillan spokesperson Erin Coffey told TechCrunch that the company recently experienced a “security incident” that “involved the encryption of certain files on our network.” The attack struck the company on June 25, according to reports, and also impacted its U.K. branch, known as Pan Macmillan.
South Korean cybersecurity agency KISA recently published a free decryptor tool that can be used to recover files encrypted by the Hive ransomware (version 1 through version 4). Users can find step-by-step instructions on how to recover their encrypted data using the manual provided in the announcement by the KISA agency. The news comes after a team of researchers at Kookmin University (South Korea) discovered a flaw in the encryption algorithm used by Hive Ransomware, enabling them to decrypt data without knowing the private key used by the gang to encrypt files.
A cloud threat actor group tracked as 8220 has updated its malware toolset to breach Linux servers with the goal of installing crypto miners as part of a long-running campaign. "The updates include the deployment of new versions of a crypto miner and an IRC bot," Microsoft Security Intelligence said in a series of tweets on Thursday. "The group has actively updated its techniques and payloads over the last year." 8220, active since early 2017, is a Chinese-speaking, Monero-mining threat actor so named for its preference to communicate with command-and-control (C2) servers over port 8220. It's also the developer of a tool called whatMiner, which has been co-opted by the Rocke cybercrime group in their attacks.
Xloader is a rebranded version of the Formbook stealer. It is designed as a malicious tool to steal credentials from different web browsers, collect screenshots, monitor and log keystrokes from the victim’s machine, and send them to Command and Control (C&C) server. Typically, Xloader spreads via spam emails that trick victims into downloading a malicious attachment file, such as MS Office documents, PDF documents, etc. During Cybable’s routine threat-hunting exercise, the team came across a Twitter post wherein a researcher mentioned an interesting infection chain of Xloader malware.
Attackers used a newly discovered malware to backdoor Microsoft Exchange servers belonging to government and military organizations from Europe, the Middle East, Asia, and Africa. The malware was dubbed SessionManager by security researchers at Kaspersky, who first spotted it in early 2022. The malware is a malicious native-code module for Microsoft's Internet Information Services (IIS) web server software.
Note: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
A lesser-known ransomware strain called AstraLocker has recently released its second major version, and according to threat analysts, its operators engage in rapid attacks that drop its payload directly from email attachments. This approach is quite unusual as all the intermediate steps that typically characterize email attacks are there to help evade detection and minimize the chances of raising red flags on email security products. According to ReversingLabs, which has been following AstraLocker operations, the adversaries don’t seem to care about reconnaissance, evaluation of valuable files, and lateral network movement. Instead, they are performing "smash-n-grab" attacks to his immediately hit with maximum force aiming for a quick payout.
Ukraine’s cyberpolice force recently arrested nine members of a criminal group that operated over 400 phishing websites pretending to be legitimate EU portals offering financial assistance to Ukrainians. “The threat actors used forms on the site to steal visitors' payment card data and online banking account credentials and perform fraudulent, unauthorized transactions like moving funds to accounts under their control” (Bleeping Computer, 2022). In total, this cybercrime operation was able to steal approximately $3,360,000, from roughly 5,000 victimized citizens. While it is unclear how the victims ended up on these phishing sites, the cybercriminals could have used various means including SEO poisoning, direct messaging, email, and scam posts on social media platforms.
The XFiles info-stealer malware has added a delivery module that exploits CVE-2022-30190, aka Follina, for dropping the payload on target computers. The flaw, discovered as a zero-day at the end of May and fixed with Microsoft’s Windows update on June 14, enables the execution of PowerShell commands simply by opening a Word document.
The FBI Internet Crime Complaint Center (IC3) warns of an increase in complaints reporting the use of deepfakes and stolen Personally Identifiable Information (PII) to apply for a variety of remote work and work-at-home positions. Deepfakes include a video, an image, or recording convincingly altered and manipulated to misrepresent someone as doing or saying something that was not actually done or said.
A leading UK producer of frozen ready meals has revealed its systems are currently down after experiencing a serious cyber-attack. Wiltshire Farm Foods said on Sunday that it is “currently experiencing severe difficulties” with its computer systems. “If you are expecting a delivery this week (w/c 27th June) or have other concerns, please contact your local depot,” it continued. Wiltshire says their systems are currently not working, and they will be unable to make deliveries for the next few days. While the company released little details about the attack, security experts noted the high likelihood of a ransomware attack on social media.
Semiconductor giant AMD says they are investigating a cyberattack after the RansomHouse gang claimed to have stolen 450 GB of data from the company last year. RansomHouse is a data extortion group that breaches corporate networks, steals data, and then demands a ransom payment to not publicly leak the data or sell it to other threat actors. For the past week, RansomHouse has been teasing on Telegram that they would be selling the data for a well-known three-letter company that starts with the letter A.
Security researchers at Lumen’s Black Lotus Labs have uncovered a new remote access trojan (RAT) dubbed ZuoRAT. Since 2020, ZuoRAT has stayed under the radar, targeting remote workers via small office/home office (SOHO) routers across North America and Europe. “We identified a multistage remote access trojan (RAT) developed for SOHO devices that grants the actor the ability to pivot into the local network and gain access to additional systems on the LAN by hijacking network communications to maintain an undetected foothold”.
Phishing simulator data from Kaspersky’s Security Awareness Platform shows that workers tend to not notice pitfalls hidden in emails devoted to corporate issues and delivery problem notifications, with one in five (16% to 18%) clicking the link in the email templates imitating these phishing attacks. According to estimates, 91% of all cyberattacks begin with a phishing email, and phishing techniques are involved in 32% of all successful data breaches.
Entities located in Afghanistan, Malaysia, and Pakistan are in the crosshairs of an attack campaign that targets unpatched Microsoft Exchange Servers as an initial access vector to deploy the ShadowPad malware. Russian cybersecurity firm Kaspersky, which first detected the activity in mid-October 2021, attributed it to a previously unknown Chinese-speaking threat actor. Targets include organizations in the telecommunications, manufacturing, and transport sectors.
Security researchers at Cyble recently uncovered over 900,000 misconfigured Kubernetes clusters that were exposed on the Internet to potentially malicious scans, some even vulnerable to data-exposing cyberattacks. For its part, Kubernetes is a highly versatile open-source container orchestration system for hosting online services and managing containerized workloads via a uniform API interface. Due to its scalability, flexibility in multi-cloud environments, portability, and cost, Kubernetes has seen a mass adoption by users in the last couple of years.
The Raccoon Stealer malware is back with a second major version circulating on cybercrime forums, offering hackers elevated password-stealing functionality and upgraded operational capacity. The Raccoon Stealer operation shut down in March 2022 when its operators announced that one of the lead developers was killed during Russia’s invasion of Ukraine. The remaining team promised to return with a second version, relaunching the MaaS (malware as a service) project on upgraded infrastructure and with more capabilities.
The Homeland Security Systems Engineering and Development Institute, sponsored by CISA and operated by MITRE, has released the 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. The list uses data from the National Vulnerability Database to compile the most frequent and critical errors that can lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition. This year’s list also incorporates updated weakness data for recent Common Vulnerabilities and Exposure records in the dataset that are part of CISA’s Known Exploited Vulnerabilities Catalog.
A new community-based database launched this week seeks to begin addressing that issue by providing a central repository of information on known cloud service-provider security issues and the steps organizations can take to mitigate them. The database — cloudvulndb.org — is the brainchild of security researchers at Wiz, who for some time have been advocating the need for a public catalog of known security flaws on platforms and services run by the likes of AWS, Microsoft, and Google. The database currently lists some 70 cloud security issues and vulnerabilities that security researcher Scott Piper had previously compiled in a document on GitHub titled "Cloud Service Provider security mistakes." Going forward, anyone is free to suggest new issues to add to the website or to suggest new fixes to existing issues. The goal is to list issues that a cloud service provider might have already addressed.
A new Android banking malware named Revive has been discovered that impersonates a MFA application required to log into BBVA bank accounts in Spain. The new banking trojan follows a more focused approach targeting the BBVA bank instead of attempting to compromise customers of multiple financial institutes. Revive appears to still be in the early phases of development, but includes some sophisticated functions, like it’s ability to intercept multi-factor authentication (MFA) codes and one-time passwords.
The emails, which were discovered by researchers at AhnLab in Korea, did not identify which files were inappropriately utilized in the body of the message; rather, they instructed the receiver to download and open the attached file in order to see the infringing material. Similar to traditional phishing campaign the attachment is a ZIP file, encrypted with a password and contains a compressed file. The compressed file contains an executable that seems to be a PDF document but is really an NSIS installation for the Lockbit 2.0 ransomware. The recipients of these emails are warned about a copyright violation, allegedly having used media files without the creator’s license. These emails demand that the recipient remove the infringing content from their websites, or they will face legal action.
Iran is the leading producer of steel in the Middle East and among the top 10 in the world, according to the World Steel Association. Its iron ore mines provide raw materials for domestic production and are exported to dozens of countries, including Italy, China and the United Arab Emirates. With that said, “One of Iran’s major steel companies said on Monday it was forced to halt production after being hit by a cyberattack, apparently marking one of the biggest such assaults on the country’s strategic industrial sector in recent memory.” The state-owned Khuzestan Steel Company said experts had determined the plant had to stop work until further notice “due to technical problems” following “cyberattacks.” The company’s website was down on Monday.
The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) is warning of a new malware distribution campaign targeting Ukrainian telecommunication operators with DarkCrystal RAT. DarkCrystal is a remote access trojan that first came into the spotlight in 2018. Written in the .NET programming language, DarkCrystal can be used by threat actors to perform surveillance, reconnaissance, remote code execution, and DDoS attacks.
Over the weekend, the LockBit ransomware group released a revamped ransomware-as-a-service (RaaS) operation called LockBit 3.0 after beta testing for the past two months, with the new version already used in attacks. While it is unclear what technical changes were made to LockBit’s encryptor, its ransom notes are no longer named 'Restore-My-Files.txt' and instead have moved to the naming format, [id].README.txt.
A clever, new phishing technique uses Microsoft Edge WebView2 applications to steal victim's authentication cookies, allowing threat actors to bypass multi-factor authentication when logging into stolen accounts” (Bleeping Computer, 2022). Data breaches and phishing campaigns have led to a large number of exposed login credentials. The increased adoption of multi-factor authentication (MFA) has made it difficult for cybercriminals to take advantage of these stolen and leaked credentials. As a result, they continue to look for ways to bypass MFA.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), on Thursday released a joint advisory warning of continued attempts on the part of threat actors to exploit the Log4Shell flaw in VMware Horizon servers to breach target networks.
Researchers at Cyble recently came across a new tool called Quantum that can be used by cybercriminals to build malicious .LNK files. LNKs are Windows shortcut files that can contain malicious code to abuse legitimate tools on the system, the so-called living-off-the-land binaries (LOLBins), such as PowerShell or the MSHTA that is used to execute Microsoft HTML Application (HTA) files. Due to this, LNKs are extensively used for malware distribution, especially in phishing campaigns, with some notable malware families currently using them being Emotet, Bumblebee, Qbot, and IcedID.
The Conti ransomware operation has finally shut down its last public-facing infrastructure, consisting of two Tor servers used to leak data and negotiate with victims, closing the final chapter of the notorious cybercrime brand. According to threat intel analyst Ido Cohen, Conti’s servers were shut down on Wednesday and BleepingComputer has confirmed they are still offline as of today. The news comes after BleepingComputer reported in May that Conti had started to shut down their operations, telling members that the brand was no more and that its internal infrastructure had been decommissioned, including communication and storage servers.
Google's Threat Analysis Group (TAG) revealed today that RCS Labs, an Italian spyware vendor, has received help from some Internet service providers (ISPs) to infect Android and iOS users in Italy and Kazakhstan with commercial surveillance tools. Google tracks more than 30 spyware vendors. RCS Labs’ spyware uses drive-by-downloads (T1608.004) to infect multiple victims. The targets are generally prompted to install malicious apps (T1204.002), which are mimicking legitimate mobile carrier apps (T1036). The victim will appear to lose Internet connection, and will have to install the malicious app to get back online with their ISP.
A suspected ransomware intrusion against an unnamed target leveraged a Mitel VoIP appliance as an entry point to achieve remote code execution and gain initial access to the environment. The findings come from cybersecurity firm CrowdStrike, which traced the source of the attack to a Linux-based Mitel VoIP device sitting on the network perimeter, while also identifying a previously unknown exploit as well as a couple of anti-forensic measures adopted by the actor on the device to erase traces of their actions.
Cybersecurity researchers have discovered a new campaign attributed to the Chinese "Tropic Trooper" hacking group, which employs a novel loader called Nimbda and a new variant of the Yahoyah trojan. The trojan is bundled in a greyware tool named 'SMS Bomber,' which is used for denial of service (DoS) attacks against phones, flooding them with messages. Tools like this are commonly used by "beginner" threat actors who want to launch attacks against sites. According to a report by Check Point, the threat actors also demonstrate in-depth cryptographic knowledge, extending the AES specification in a custom implementation.
Today, cybersecurity firm Group-IB published a report detailing what researchers refer to as one of the “shortest yet most successful” campaigns conducted by the Conti ransomware group. Codenamed ARMattack, the campaign occurred last year, between November 17 and December 20, 2021. Within a span of one month, Conti affiliates were able to compromise more than 40 organizations in various sectors across the world.
A group of likely state-backed cyber attackers have adopted a new loader to spread five different kinds of ransomware in a bid to hide their true espionage activities. On Thursday, cybersecurity researchers from Secureworks published new research on HUI Loader, a malicious tool that criminals have used widely since 2015.
People in Russia can no longer download Windows 10 and Windows 11 ISOs and installation tools from Microsoft, with no reason for the block provided by the company. Russia's TASS news agency first reported this problem over the weekend, and the news quickly spread on Twitter. Using a VPN server located in Russia, BleepingComputer has confirmed that attempting to download the Windows 10 Update Assistant, the Windows 10 Media Creation Tool, and the Windows 11 Installation Assistant, Russian users are shown a message stating, "404 - File or Directory not found.
QNAP has warned customers today that some of its Network Attached Storage (NAS) devices (with non-default configurations) are vulnerable to attacks that would exploit a three-year-old critical PHP vulnerability allowing remote code execution. "A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11. If exploited, the vulnerability allows attackers to gain remote code execution," QNAP explained in a security advisory released today.
The Ukrainian Computer Emergency Response Team (CERT) is warning that Russian hacking groups are exploiting the Follina code execution vulnerability in new phishing campaigns to install the CredoMap malware and Cobalt Strike beacons. According to an advisory published by Microsoft, Follina is a “remote code execution vulnerability that exists when “MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
A new piece of research from academics at ETH Zurich has identified a number of critical security issues in the MEGA cloud storage service that could be leveraged to break the confidentiality and integrity of user data. With more than 10 million daily active users and with over 122 billion files uploaded to the platform to date, MEGA promises user-controlled end-to-end Encryption (UCE). However, researchers pointed out in their paper titled “MEGA: Malleable Encryption Goes Awry”, that MEGA’s system does not protect its users against a malicious server, thereby enabling a rogue actor to fully compromise the privacy of the uploaded files.
Europol on Tuesday announced the dismantling of an organized crime group that dabbled in phishing, fraud, scams, and money laundering activities. The cross-border operation was carried out with the help of law enforcement authorities from Belgium and the Netherlands. In total, nine individuals were arrested. The suspects are men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and Spijkenisse and a 25-year-old woman from Deventer, according to a statement from the National Police Force.
Since January 2022, the Bitdefender Cyber Threat Intelligence Lab observed operators behind the RIG Exploit Kit pushing the Dridex banking trojan instead of the Raccoon Stealer. The switch occurred in February when Raccoon Stealer temporarily halted its activity as one of its developers was killed in the Russian invasion of Ukraine. First seen in 2019, Raccoon stealer was offered on the dark web for sale as a malware-as-a-service. It is designed to steal victims credit card data, email credentials, and cryptocurrency wallets.
Nearly five dozen security vulnerabilities have been disclosed in devices from 10 operational technology (OT) vendors due to what researchers call are "insecure-by-design practices." Collectively dubbed OT:ICEFALL by Forescout, the 56 issues span as many as 26 device models from Bently Nevada, Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa. "Exploiting these vulnerabilities, attackers with network access to a target device could remotely execute code, change the logic, files or firmware of OT devices, bypass authentication, compromise credentials, cause denials of service or have a variety of operational impacts," the company said in a technical report.
Security researchers with Kaspersky’s Global Research & Analysis Team (GReAT) recently unveiled an unknown APT group dubbed ToddyCat that has been targeting Microsoft Exchange servers throughout Asia and Europe for more than a year. While tracking the group’s activity, researchers found a previously unknown passive backdoor they named Samurai and new trojan malware dubbed Ninja Trojan. Both malware strains allow the attackers to take control of infected systems and move laterally within the victims' networks.
A new kind of Windows NTLM relay attack dubbed DFSCoerce has been uncovered that leverages the Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM) to seize control of a domain. The NTLM (NT Lan Manager) relay attack is a well-known method that exploits the challenge-response mechanism. It allows malicious parties to sit between clients and servers and intercept and relay validated authentication requests in order to gain unauthorized access to networkA new kind of Windows NTLM relay attack dubbed DFSCoerce has been uncovered that leverages the Distributed File System (DFS): Namespace Management Protocol (MS-DFSNM) to seize control of a domain. The NTLM (NT Lan Manager) relay attack is a well-known method that exploits the challenge-response mechanism. It allows malicious parties to sit between clients and servers and intercept and relay validated authentication requests in order to gain unauthorized access to network resources, effectively gaining an initial foothold in Active Directory environments. resources, effectively gaining an initial foothold in Active Directory environments.
Cisco is advising owners of end-of-life Small Business RV routers to upgrade to newer models after disclosing a remote code execution vulnerability that will not be patched. The vulnerability is tracked as CVE-2022-20825 and has a CVSS severity rating of 9.8 out of 10.0. According to a Cisco security advisory, available here: https://tools.cisco.com/security/ce...rityAdvisory/cisco-sa-sb-rv-overflow-s2r82P9v The flaw exists due to insufficient user input validation of incoming HTTP packets on the impacted devices. An attacker could exploit it by sending a specially crafted request to the web-based management interface, resulting in command execution with root-level privileges. The vulnerability impacts four Small Business RV Series models, namely the RV110W Wireless-N VPN Firewall, RV130 VPN Router RV130W Wireless-N Multifunction VPN Router RV215W Wireless-N VPN Router Cisco states that they will not be releasing a security update to address CVE-2022-20825 as the devices are no longer supported. Furthermore, there are no mitigations available other than to turn off remote management on the WAN interface, which should be done regardless for better overall security.
Security researchers have noticed a new malicious spam campaign that delivers the 'Matanbuchus' malware to drop Cobalt Strike beacons on compromised machines (T1105 - Ingress Tool Transfer). Cobalt Strike is a penetration testing suite that is frequently used by threat actors for lateral movement and to drop additional payloads.
Researchers from TrendMicro noticed a new version of CopperStealer and analyzed these samples to be related to a previous campaign we’ve documented. We examined this new version reusing parts of code and observed the following similarities from previous versions:
The newly updated malware has several capabilities and attack stages, with the initial infection vector consisting of a website offering fake cracks. These websites usually display two buttons, one offering to download and the other to set up the desired cracks. Selecting either button begins the redirection chain, requiring the user to select another “Download” button. Afterward, a download prompt appears and the user is prompted to save the file to the computer.
The U.S. Department of Justice has announced the disruption of the Russian RSocks malware botnet used to hijack millions of computers, Android smartphones, and IoT (Internet of Things) devices worldwide for use as proxy servers. The law enforcement operation involved the FBI and police forces in Germany, the Netherlands, and the United Kingdom, where the botnet maintained parts of its infrastructure.
WordPress websites using a widely used plugin named Ninja Forms have been updated automatically to remediate a critical security vulnerability that's suspected of having been actively exploited in the wild. The issue, which relates to a case of code injection, is rated 9.8 out of 10 for severity and affects multiple versions starting from 3.0. It has been fixed in 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.
An enterprise-grade surveillanceware dubbed Hermit has been put to use by entities operating from within Kazakhstan, Syria, and Italy over the years since 2019, new research has revealed. Lookout Threat Lab attributed the spy software, which is equipped to target both Android and iOS, to an Italian company named RCS Lab S.p.A and Tykelab Srl, a telecom services provider which it suspects to be a front company. The San Francisco-based cybersecurity firm said it detected the campaign aimed at Kazakhstan in April 2022.
Yesterday, Cisco released a security advisory to address a critical vulnerability that could allow attackers to bypass authentication and login into the web management interface of Cisco email gateway appliances with non-default configurations. Tracked as CVE-2022-20798, the flaw resides in the external authentication functionality of virtual and hardware Cisco Email Security Appliance (ESA) and Cisco Secure Email and Web Manager appliances. “This vulnerability is due to improper authentication checks when an affected device uses Lightweight Directory Access Protocol (LDAP) for external authentication. An attacker could exploit this vulnerability by entering a specific input on the login page of the affected device. A successful exploit could allow the attacker to gain unauthorized access to the web-based management interface of the affected device”
Security researchers are warning that threat actors could hijack Office 365 accounts to encrypt for a ransom the files stored in SharePoint and OneDrive services that companies use for cloud-based collaboration, document management and storage. A ransomware attack targeting files on these services could have severe consequences if backups aren’t available, rendering important data inaccessible to owners and working groups.
Shoprite Holdings, Africa's largest supermarket chain that operates almost three thousand stores across twelve countries in the continent, has been hit by a ransomware attack. Shoprite is Africa's largest supermarket chain, with a revenue of $5.8 billion and 149,000 employees. The retailer has 2,943 stores, serving millions of customers in South Africa, Nigeria, Ghana, Madagascar, Mozambique, Namibia, DRC, Angola, and other countries.
A newly discovered form of Android malware steals passwords, bank details and cryptocurrency wallets from users – and it does so by bypassing multi-factor authentication protections. The malware has been detailed by cybersecurity researchers at F5 Labs, who've dubbed it MaliBot. It's the latest in a string of powerful malware targeting Android users.
Microsoft will finally end support for Internet Explorer on multiple Windows versions on Wednesday, June 15, almost 27 years after its launch on August 24, 1995. After finally reaching its end of life, the Internet Explorer desktop application will be disabled. It will be replaced with the new Chromium-based Microsoft Edge, with users automatically redirected to Edge when launching IE11.
Security researchers at Akamai uncovered a new Golang-based peer-to-peer (P2P) botnet that has been actively targeting Linux servers in the education sector. Dubbed Panchan, the botnet was first spotted by Akamai on March 19, 2022. Since its emergence in March, Panchan has managed to infect 209 systems, 40 of which are currently active. Most of the compromised machines are located in Asia (64), followed by Europe (52), North America (45), South America (11), Africa (1), and Oceania (1). According to researchers, Panchan “utilizes its built-in concurrency features to maximize spreadability and execute malware modules” and harvests SSH keys to perform lateral movement. Panchan’s approach to harvesting SSH keys is rather unique. Unlike other botnets which just brute force or perform dictionary attacks on randomized IP addresses, Panchan also “reads the id_rsa and known_hosts files to harvest existing credentials and uses them to move laterally across the network”
Citrix on Tuesday released a security advisory warning its customers of a critical vulnerability in Citrix Application Delivery Management that can let unauthenticated attackers login as administrator and reset the admin password. Citrix ADM is a web-based solution that provides admins with a centralized cloud-based console for managing on-premises or cloud Citrix deployments, including Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix Secure Web Gateway.
Microsoft says that some applications might fail to backup data using Volume Shadow Copy Service (VSS) after applying the June 2022 Patch Tuesday Windows updates. The issue occurs due to security enforcement introduced to address an elevation of privilege vulnerability (CVE-2022-30154) in the Microsoft File Server Shadow Copy Agent Service (RVSS). On systems where this known issue is experienced, Windows backup applications may receive E_ACCESSDENIED errors during shadow copy creation operations, and a "FileShareShadowCopyAgent Event 1013" will be logged on the File Server. "Since RVSS is an optional component, Windows Server systems are not vulnerable by default. Additionally, Windows Client editions are not vulnerable to attacks using CVE-2022-30154 exploits in privilege escalation attempts."
The ALPHV ransomware gang, aka BlackCat, has brought extortion to a new level by creating a dedicated website that allows the customers and employees of their victim to check if their data was stolen in an attack. The ransomware operators released stolen data today from a hotel and spa in Oregon. The group claims to have stolen 112GBs of data, including employee information and social security numbers for 1,500 employees. Instead of simply leaking the data on their TOR data leak site, the group created a dedicated website allowing both customers and employees to check if their data was stolen during the attack. Using this site, employees, customers, or anyone for that matter, can see information about hotel guests and their stays or the personal data of 1,534 employees.
Microsoft says BlackCat ransomware affiliates are now attacking Microsoft Exchange servers using exploits targeting unpatched vulnerabilities. In at least one incident that Microsoft's security experts observed, the attackers slowly moved through the victim's network, stealing credentials and exfiltrating information to be used for double extortion. Two weeks after the initial compromise using an unpatched Exchange server as an entry vector, the threat actor deployed BlackCat ransomware payloads across the network via PsExec.
Cybersecurity researchers have detailed the workings of a fully-featured malware loader dubbed PureCrypter that's being purchased by cybercriminals to deliver remote access trojans (RATs) and information stealers. "The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption, and obfuscation to evade antivirus software products," Zscaler's Romain Dumont said in a new report.
Internet infrastructure firm Cloudflare said today that it mitigated a 26 million request per second distributed denial-of-service (DDoS) attack, the largest HTTPS DDoS attack detected to date. The record-breaking attack occurred last week and targeted one of Cloudflare's customers using the Free plan. The threat actor behind it likely used hijacked servers and virtual machines seeing that the attack originated from Cloud Service Providers instead of weaker Internet of Things (IoT) devices from compromised Residential Internet Service Providers.
Check Point Research uncovers a recent Iranian-based spear-phishing operation aimed against former Israeli officials, high-ranking military personnel, research fellows in research institutions, think tanks, and against Israeli citizens. The attacks use a custom phishing infrastructure, as well as a wide array of fake email accounts to impersonate trusted parties. To establish deeper trust with new targets, the threat actors performed an account takeover of some victims’ inboxes , and then hijacked existing email conversations to start attacks from an already existing email conversation between a target and a trusted party and continue that conversation in that guise.
Microsoft has incorporated additional improvements to address the recently disclosed SynLapse security vulnerability in order to meet comprehensive tenant isolation requirements in Azure Data Factory and Azure Synapse Pipelines. The latest safeguards include moving the shared integration runtimes to sandboxed ephemeral instances and using scoped tokens to prevent adversaries from using a client certificate to access other tenants' information.
Cybersecurity researchers report increased activity of the Hello XD ransomware, whose operators are now deploying an upgraded sample featuring stronger encryption. Hello XD was first spotted in wild on November 2021 and is based on the leaked source code of another ransomware known as Babuk. Unlike other ransomware groups, this particular ransomware family does not have a data leak site. Rather, it prefers to direct the impacted victim to negotiations through Tox chat and onion-based messenger instances.
Ukraine's Computer Emergency Response Team (CERT) is warning that the Russian hacking group Sandworm may be exploiting Follina, a remote code execution vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT) currently tracked as CVE-2022-30190. The security issue can be triggered by either opening or selecting a specially crafted document and threat actors have been exploiting it in attacks since at least April 2022.
A new Linux rootkit malware named ‘Syslogk’ is being used in attacks to hide malicious processes, using specially crafted "magic packets" to awaken a backdoor laying dormant on the device. The malware is currently under heavy development, and its authors appear to base their project on Adore-Ng, an old open-source rootkit. Syslogk can force-load its modules into the Linux kernel (versions 3.x are supported), hide directories and network traffic, and eventually load a backdoor called ‘Rekoobe.’”
Ransomware gangs are now targeting a recently patched and actively exploited remote code execution (RCE) vulnerability affecting Atlassian Confluence Server and Data Center instances for initial access to corporate networks. If successfully exploited, this OGNL injection vulnerability (CVE-2022-26134) enables unauthenticated attackers to take over unpatched servers remotely by creating new admin accounts and executing arbitrary code.
A Chinese advanced persistent threat (APT) known as Gallium has been observed using a previously undocumented remote access trojan in its espionage attacks targeting companies operating in Southeast Asia, Europe, and Africa. Gallium is known for its attacks primarily aimed at telecom companies dating as far back as 2012. Also tracked under the name Soft Cell by Cybereason, the state-sponsored actor has been connected to a broader set of attacks targeting five major telecom companies located in Southeast Asian countries since 2017.
Security researchers at Check Point recently observed a crypto mining hacking group known as “8220 gang” exploiting a code execution flaw in Atlassian Confluence servers to install miners on vulnerable servers. "The vulnerability, tracked as CVE-2022-26134, was discovered as an actively exploited zero-day at the end of May, while the vendor released a fix on June 3, 2022. Various proof of concept (PoC) exploits were released in the days that followed, giving a broader base of malicious actors an easy way to exploit the flaw for their purposes” .
Cybercriminals are impersonating popular crypto platforms such as Binance, Celo, and Trust Wallet with spoofed emails and fake login pages in an attempt to steal login details and deceptively transfer virtual funds. "As cryptocurrency and non-fungible tokens (NFTs) become more mainstream, and capture headlines for their volatility, there is a greater likelihood of more individuals falling victim to fraud attempting to exploit people for digital currencies," Proofpoint said in a new report.
Multiple vulnerabilities were disclosed in Carrier’s LenelS2 Mercury access control system that’s used widely in healthcare, education, transportation, and government facilities. LenelS2 is employed in environments to grant physical access to privileged facilities and can be integrated with more complex building automation deployments. A total of 8 vulnerabilities were disclosed which relate to a protection mechanism failure, forced browsing, buffer overflow, path traversal, and OS command injection. According to the security advisory published by CISA, successful exploitation of these vulnerabilities could allow an attacker access to the device, allowing monitoring of all communications sent to and from the device, modification of onboard relays, changing of configuration files, device instability, and a denial-of-service condition.
Today, security researcher MalwareHunterTeam found a new ransomware named 'WannaFriendMe' that impersonates the notorious Ryuk Ransomware. However, in reality, it is a variant of the Chaos Ransomware. A new ransomware is taking the unusual approach of selling its decryptor on the Roblox gaming platform using the service's in-game Robux currency. Roblox is an online kids gaming platform where members can create their own games and monetize them by selling Game Passes, which provide in-game items, special access, or enhanced features. To pay for these Game Passes, members must purchase them using an in-game currency called Robux.
“The first quarter of 2022 saw phishing attacks hit a record high, topping one million for the first time, according to data from the Anti Phishing Working Group (APWG)” (Info Security Magazine, 2022). The group released the details in their Phishing Activity Trends Report. March apparently was the worst month with 384,000 attacks.
A previously unknown Chinese-speaking threat actor has been discovered by threat analysts SentinelLabs who were able to link it to malicious activity going as far back as 2013. Named Aoqin Dragon, the hacking group is focused on cyber-espionage, targeting government, education, and telecommunication organizations based in Singapore, Hong Kong, Vietnam, Cambodia, and Australia.
The notorious Emotet malware has turned to deploy a new module designed to siphon credit card information stored in the Chrome web browser. The credit card stealer, which exclusively singles out Chrome, has the ability to exfiltrate the collected information to different remote command-and-control (C2) servers, according to enterprise security company Proofpoint, which observed the component on June 6.
The Vice Society ransomware group has claimed responsibility for the recent cyber attack on the city of Palermo in Italy, which has caused a large-scale service outage. The attack occurred last Friday, and all internet-relying services remain unavailable, impacting 1.3 million people and many tourists visiting the city.
The 2022 edition was a bit more somber than past editions, following the passing of SANS founder Alan Paller who moderated the panel for over a decade. Ed Skoudis, fellow and director at SANS Institute, started the 2022 panel with a moving tribute to Paller, who was mentioned more than once during the session as the inspiration for how cybersecurity education can and should continue to improve.
This novel threat was discovered and analyzed by BlackBerry and Intezer Labs researchers, who worked together to uncover all aspects of the new malware in a detailed technical report. According to them, Symbiote has been under active development since last year. In recent attack's the malware has new capabilities that infects all running processes on compromised systems, steals account credentials, and gives its operators backdoor access, “The new malware is primarily used for automated credential harvesting from hacked Linux devices by hooking the "libc read" function. This is a crucial mission when targeting Linux servers in high-value networks, as stealing admin account credentials opens the way to unobstructed lateral movement and unlimited access to the entire system.”
Threat Research analysts at Uptcys uncovered new Black Basta ransomware binaries which revealed that the ransomware gang now supports the encryption of VMware ESXi virtual machines running on enterprise Linux servers. “Most ransomware groups are now focusing their attacks on ESXi VMs since this tactic aligns with their enterprise targeting. It also makes it possible to take advantage of faster encryption of multiple servers with a single command. Encrypting VMs makes sense since many companies have recently migrated to virtual machines as they allow for easier device management and a lot more efficient resource usage.
Malware that steals your passwords, credit cards, and crypto wallets is being promoted through search results for a pirated copy of the CCleaner Pro Windows optimization program. This new malware distribution campaign is dubbed “FakeCrack,” and was discovered by analysts at Avast, who report detecting an average of 10,000 infection attempts every day from its customer telemetry data. Most of these victims are based in France, Brazil, Indonesia, and India. The malware distributed in this campaign is a powerful information stealer that can harvest personal data and cryptocurrency assets and route internet traffic through data-snatching proxies.
On Tuesday, the U.S Department of Justice announced the shutdown of SSNDOB, an illicit online marketplace that sold the names, social security numbers, and dates of birth of approximately 24 million US people. The operation was conducted by the FBI, the Internal Revenue Service, and the Department of Justice, with significant help from the Cyprus Police. In total, four domains hosting the SSNDOB marketplace were seized, including SSNDOB[.]club, SSNDOB[.]vip, SSNDOB[.]ws, blackjob[.]biz
This vulnerability was first publicly disclosed by security researchers in January 2020 after Microsoft replied to reports saying they wouldn't provide a fix because it was not a security issue. However, the bug was recently re-discovered and brought to public attention by security researcher j00sean. The security flaw (jokingly dubbed DogWalk) is a path traversal flaw attackers can exploit to copy an executable to the Windows Startup folder when the target opens a maliciously crafted .diagcab file (received via email or downloaded from the web). While Microsoft said that Outlook users are not at risk because .diagcab files are automatically blocked, security researchers and experts argue that exploiting this bug is still a valid attack vector.
Several US federal agencies today revealed that Chinese-backed threat actors have targeted and compromised major telecommunications companies and network service providers to steal credentials and harvest data. The NSA, CISA, and the FBI released a joint cybersecurity advisory Tuesday evening. Chinese threat actors are exploiting known vulnerabilities in home office routers, and even targeting those used in medium and large enterprises. The compromised devices are used as command and control servers and proxy systems, which allow the threat actors to move laterally to other networks.
Researchers at HP have spotted a new wave of phishing campaigns spreading a previously documented malware dubbed “SVCReady.” SVCReady is said to be in its early stage of development, with the authors iteratively updating the malware several times last month. First signs of activity date back to April 22, 2022. SVCReady is commonly spread via emails containing macro-laced word documents. Upon opening these documents, victims are prompted to enable macros by clicking on the “Enable Content” button. In turn, this activates the deployment of malicious payloads.
Researchers at the NCC Group discovered a new partnership between the Black Basta Ransomware group Qakbot malware operation during a recent incident response. QBot (QuakBot) is Windows malware that steals bank credentials, Windows domain credentials, and delivers further malware payloads on infected devices. Victims usually become infected with Qbot via phishing attacks with malicious attachments. Even though it started as a banking trojan, it has had numerous collaborations with other ransomware gangs, including MegaCortex, ProLock, DoppelPaymer, and Egregor.
Shields Health Care Group (Shields) suffered a data breach that exposed the data of approximately 2,000,000 people in the United States after hackers breached their network and stole data. Shields is a Massachusetts-based medical services provider specializing in MRI and PET/CT diagnostic imaging, radiation oncology, and ambulatory surgical services. According to a data breach notification published on the company's site, Shield became aware of the cyberattack on March 28, 2022, and hired cybersecurity specialists to determine the scope of the incident.
It was disclosed a while back that Cisco FTD Software was affected by a denial of service vulnerability; an advisory from Nessus today notes that CFTD/Snort is susceptible to DOS attacks stemming from the same flaw, “A denial of service (DoS) vulnerability exists in the way the Snort detection engine processes ICMP traffic. An unauthenticated, remote attacker can exploit this issue by sending a series of ICMP packets which can cause the device to stop responding.
Security Company EfficientIP released their eighth annual Global DNS Threat Report. The focus of the report is Domain Name System (DNS) attacks and their impacts on global organizations over the past 12 months. “The report uncovers how despite 73% of organizations knowing that DNS security is critical to their business, cyber criminals are still infiltrating the network and causing significant business disruption, resulting in the shutdown of cloud and on-premise applications and theft of data. As enterprises continue to strike a balance between supporting remote workers and mitigating the network security risks posed by the rise in hybrid work models and reliance on cloud applications, the results show that 88% of organizations have experienced one or more DNS attacks on their business. Each successful attack costs the business, on average, $942,000.
An alleged nation-state actor is attempting to exploit the recently disclosed Microsoft Office Follina vulnerability in attacks aimed at government entities in Europe and the U.S. Follina, tracked as CVE-2022-30190 resides in Microsoft Office and is a zero-day vulnerability yet to be patched, though several workarounds are available. In an advisory released by Microsoft, they say, “A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
Proof-of-concept exploits for the actively exploited critical CVE-2022-26134 vulnerability impacting Atlassian Confluence and Data Center servers have been widely released this weekend. “The vulnerability tracked as CVE-2022-26134 is a critical unauthenticated, remote code execution vulnerability exploited through OGNL injection and impacts all Atlassian Confluence and Data Center 2016 servers after version 1.3.0.
Security researchers are seeing an uptick in the use of reverse tunnel services along with URL shorteners for large-scale phishing campaigns, making the malicious activity more difficult to stop. This practice deviates from the more common method of registering domains with hosting providers, who are likely to respond to complaints and take down the phishing sites.
The DeadBolt ransomware kicked off 2022 with a slew of attacks that targeted internet-facing Network-Attached Storage (NAS) devices. It was first seen targeting QNAP Systems, Inc. in January 2022. According to a report from attack surface solutions provider Censys.io, as of Jan. 26, 2022, out of 130,000 QNAP NAS devices that were potential targets, 4,988 services showed signs of a DeadBolt infection. A few weeks later, ASUSTOR, another NAS devices and video surveillance solutions vendor, also experienced DeadBolt ransomware attacks that targeted an unknown number of its devices. In March, DeadBolt attackers once again targeted QNAP devices; according to Censys.io, the number of infections reached 1,146 by March 19, 2022. Most recently, on May 19,2022, QNAP released a product security update stating that internet-connected QNAP devices were once again been targeted by DeadBolt, this time aiming at NAS devices using QTS 4.3.6 and QTS 4.4.1.
The company has now released patches and advises all customers to upgrade their appliances to versions 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1, which contain a fix for this flaw. Admins who cannot immediately upgrade their Confluence installs can also use a temporary workaround to mitigate the CVE-2022-26134 security bug by updating some JAR files on their Confluence servers.
The Microsoft Digital Crimes Unit (DCU) has disrupted a spear-phishing operation linked to an Iranian threat actor tracked as Bohrium that targeted customers in the U.S., Middle East, and India. Bohrium has targeted organizations from a wide range of industry sectors, including tech, transportation, government, and education, according to Amy Hogan-Burney, the General Manager of Microsoft DCU.
GitLab has released a critical security update for multiple versions of its Community and Enterprise Edition products to address eight vulnerabilities, one of which allows account takeover. Tracked as CVE-2022-1680 and rated with a critical severity score of 9.9, the vulnerability affects all GitLab versions 11.10 through 14.9.4, 14.10 through 14.10.3, and version 15.0.
Microsoft on Thursday said it took steps to disable malicious activity stemming from abuse of OneDrive by a previously undocumented threat actor it tracks under the chemical element-themed moniker Polonium. The adversarial collective is believed to have breached more than 20 organizations based in Israel and one intergovernmental organization with operations in Lebanon since February 2022. In addition to removing the offending accounts created by the Lebanon-based activity group, the tech giant's Threat Intelligence Center (MSTIC) said it suspended over 20 malicious OneDrive applications created and that it notified affected organizations.
A ransomware gang is taking extortion to a new level by publicly hacking corporate websites to publicly display ransom notes. This new extortion strategy is being conducted by Industrial Spy, a data extortion gang that recently began using ransomware as part of their attacks. As part of their attacks, Industrial Spy will breach networks, steal data, and deploy ransomware on devices. The threat actors then threaten to sell the stolen data on their Tor marketplace if a ransom is not paid.
Hackers are actively exploiting a new Atlassian Confluence zero-day vulnerability tracked as CVE-2022-26134 to install web shells, with no fix available at this time. On Thursday, Atlassian released a security advisory disclosing that CVE-2022-26134 is a critical unauthenticated, remote code execution vulnerability tracked in both Confluence Server and Data Center. Atlassian says that they confirmed the vulnerability in Confluence Server 7.18.0 and believe that Confluence Server and Data Center 7.4.0 and higher are also vulnerable.
UNISOC, a semiconductor company based in Shanghai, is the world's fourth-largest mobile processor manufacturer after Mediatek, Qualcomm, and Apple, accounting for 10% of all SoC shipments in Q3 2021, according to Counterpoint Research. A critical security flaw has been uncovered in UNISOC's smartphone chipset that could be potentially weaponized to disrupt a smartphone's radio communications through a malformed packet, "Left unpatched, a hacker or a military unit can leverage such a vulnerability to neutralize communications in a specific location," Israeli cybersecurity company Check Point said in a report shared with The Hacker News. "The vulnerability is in the modem firmware, not in the Android OS itself.
The FBI and U.S. Department of Justice (DoJ) announced on Wednesday the seizure of three domains used by cybercriminals to trade stolen personal information and facilitate distributed denial-of-service (DDoS) attacks for hire. The three domains seized include weleakinfo[.]to, ipstress[.]in, and ovh-booter[.]com. Weleakinfo[.]to allowed its users to traffic hacked personal data and offered a searchable database containing illegally amassed information obtained from over 10,000 data breaches. The database consisted of seven billion indexed records featuring names, email addresses, usernames, phone numbers, and passwords for online accounts that could be accessed through different subscription tiers.
Security researchers at Secureworks have uncovered a new campaign targeting poorly secured Elasticsearch databases to replace their data with a ransom note. Over 1,200 databases that could be accessed without authentication have already fallen victim to the attackers. So far Secureworks has identified 450 individual requests for ransom payments demanding 0.012 Bitcoin in exchange for the data. In total, the ransom requests amount to roughly $280,000.
Researchers analyzing the leaked chats of the notorious Conti ransomware operation have discovered that teams inside the Russian cybercrime group were actively developing firmware hacks. According to messages exchanged between members of the cybercrime syndicate, Conti developers had created proof-of-concept (PoC) code that leveraged Intel’s Management Engine (ME) to overwrite flash and gain SMM (System Management Mode) execution.
Microsoft Office apps – including Outlook and Teams – are vulnerable to homograph attacks based on internationalized domain names (IDNs). In practice, this means that users hovering above a link in a phishing email, a Word or Excel document they have received, or a message sent via Teams, can’t tell that it will direct them to a spoofed malicious domain that’s not what it purports to be.
Chinese-linked APT group, TA413, is now actively exploiting the Microsoft Office zero-day vulnerability (known as 'Follina') to execute malicious code remotely on Windows systems. Tracked as CVE-2022-30190, the remote-execution flaw impacts all Windows client and server platforms still receiving security updates (Windows 7 or later and Windows Server 2008 or later).
Costa Rica’s public health service (known as Costa Rican Social Security Fund or CCCS) was hit by a Hive ransomware attack yesterday, rendering its computer systems to go offline. Hive, a Ransomware-as-a-Service (RaaS) operation active since at least June 2021, has been behind attacks on over 30 organizations, counting only the victims who refused to pay the ransom and had their data leaked online.
Threat analysts have spotted a new version of the XLoader botnet malware that uses probability theory to hide its command and control servers, making it difficult to disrupt the malware's operation. This helps the malware operators continue using the same infrastructure without the risk of losing nodes due to blocks on identified IP addresses while also reducing the chances of being tracked and identified.
Phishing campaigns attributed to an advanced threat actor called SideWinder involved a fake VPN app for Android devices published on Google Play Store along with a custom tool that filters victims for better targeting. SideWinder is an APT group that’s been active since at least 2012, believed to be an actor of Indian origin with a relatively high level of sophistication. Security researchers at Kaspersky attributed close to 1,000 attacks to this group in the past two years. Among its primary targets are organizations in Pakistan, China, Nepal, and Afghanistan. The adversary relies on a fairly large infrastructure with that includes more than 92 IP addresses, mainly for phishing attacks, hosting hundreds of domains and subdomains used as command and control servers.
Europol has announced the takedown of the FluBot operation, one of the largest and fastest-growing Android malware operations in existence. The malware operation's takedown resulted from a law enforcement operation involving eleven countries following a complex technical investigation to pinpoint FluBot's most critical infrastructure. The participants in the operation were Australia, Belgium, Finland, Hungary, Ireland, Spain, Sweden, Switzerland, the Netherlands, and the United States.
Anonymous-affiliated collective Spid3r claims to have attacked Belarus’ government websites in retaliation for the country’s alleged support of Russia’s invasion of Ukraine. The group made the announcement on Twitter, publishing screenshots of various websites connected with the Belarus state being down, including the Ministry of Communications, the Ministry of Justice and the Ministry of Economy.
Cyber Research Labs observed a rise in ransomware attacks in the second quarter of 2022, some of them with a severe impact on the victims, such as the attack that hit the Costa Rican government that caused a nationwide crisis. The experts warn of ransomware attacks against government organizations. They observed a total of 48 government organizations from 21 countries that were hit by 13 ransomware attacks in 2022.
Microsoft has shared mitigation measures to block attacks exploiting a newly discovered Microsoft Office zero-day flaw abused in the wild to execute malicious code remotely. The bug is a Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution vulnerability reported by crazyman of the Shadow Chaser Group.
After a year-long investigation that involved Interpol and several cybersecurity companies, the Nigeria Police Force has arrested an individual believed to be in the top ranks of a prominent business email compromise (BEC) group known as SilverTerrier or TMT. Codenamed Delilah, the law enforcement operation engaged police agencies across four continents and is the third one focused on identifying and arresting suspected members of the SilverTerrier gang.
The ERMAC Android banking trojan has released version 2.0, increasing the number of applications targeted from 378 to 467, covering a much wider range of apps to steal account credentials and crypto-wallets. The goal of the trojan is to send stolen login credentials to threat actors, who then use them to take control of other people’s banking and cryptocurrency accounts and conduct financial or other forms of fraud.
Austrian federal state Carinthia has been hit by the BlackCat ransomware gang, also known as ALPHV, who demanded $5 million to unlock the encrypted computer systems. ALPHV/BlackCat is a ransomware gang that emerged in November 2021. The group is a rebrand of the DarkSide/BlackMatter gang who was responsible for the Colonial Pipeline attack last year. Since the beginning of 2022, ALPHV/BlackC
Researchers have demonstrated what they call the "first active contactless attack against capacitive touchscreens." GhostTouch, as it's called, "uses electromagnetic interference (EMI) to inject fake touch points into a touchscreen without the need to physically touch it," a group of academics from Zhejiang University and Technical University of Darmstadt said in a new research paper.
The FBI issued an alert to inform the higher education sector about the availability of login credentials on dark web forums that threat actors can use to launch attacks against individuals and organizations in the industry. The availability of this data is the result of continued attacks conducted by threat actors against US colleges and universities. The alert also includes recommendations and mitigations for these attacks, “This exposure of sensitive credential and network access information, especially privileged user accounts, could lead to subsequent cyber-attacks against individual users or affiliated organizations.” reads the alert published by the FBI
Horizon3 security researchers have released a proof-of-concept (PoC) exploit and technical analysis for the critical authentication bypass vulnerability CVE-2022-22972 affecting multiple VMware products. The virtualization giant recently warned that a threat actor can exploit the CVE-2022-22972 flaw (CVSSv3 base score of 9.8) to obtain admin privileges and urges customers to install patches immediately” (Security Affairs, 2022). “This critical vulnerability should be patched or mitigated immediately per the instructions in VMSA-2021-0014. The ramifications of this vulnerability are serious.” states VMware. The vulnerability resides in Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation.
The Industrial Spy data extortion marketplace has now launched its own ransomware operation, where they also encrypt victim's devices. The marketplace allows threat actors, even business competitors to purchase stolen data from various companies. This marketplace sells different types of stolen data, ranging from selling 'premium' data for millions of dollars to individual files for as little as $2.
The Industrial Spy data extortion marketplace has now launched its own ransomware operation, where they also encrypt victim's devices. The marketplace allows threat actors, even business competitors to purchase stolen data from various companies. This marketplace sells different types of stolen data, ranging from selling 'premium' data for millions of dollars to individual files for as little as $2.
The two applications in question where 'ctx' and 'PHPass' which together been downloaded over 3 million times. the incident sparked much panic and discussion among developers—now worried about the impact of the hijack on the overall software supply chain. It was yesterday when developers noticed that the two Python and PHP libraries where modified to harvest AWS developer credentials, in what was determined to be a bug-bounty exercise or was meant to be ethical in nature. However as a result of successful penetration testing, “The hijacked versions didn't stop at basic PoC—they stole the developer's environment variables and AWS credentials, casting doubts on the intention of the hijacker or if this was even ethical research.
An unknown advanced persistent threat (APT) group has been linked to a series of spear-phishing attacks targeting Russian government entities since the onset of the Russo-Ukrainian war in late February 2022. "The campaigns [...] are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely," Malwarebytes said in a technical report published Tuesday. The cybersecurity company attributed the attacks with low confidence to a Chinese hacking group, citing infrastructure overlaps between the RAT and Sakula Rat malware used by a threat actor known as Deep Panda.
New research into the inner workings of the stealthy BPFdoor malware for Linux and Solaris reveals that the threat actor behind it leveraged an old vulnerability to achieve persistence on targeted systems. BPFDoor is a custom backdoor that has been used largely undetected for at least five years in attacks against telecommunications, government, education, and logistics organizations. The malware was discovered only recently and reported first by researchers from PricewaterhouseCoopers (PwC), who attributed it to a China-based threat actor they track as Red Menshen. PwC found BPFDoor during an incident response engagement in 2021. Looking closer at the malware, the researchers noticed that it received commands from Virtual Private Servers (VPS) controlled through compromised routers in Taiwan.
Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.
After a year-long investigation that involved Interpol and several cybersecurity companies, the Nigeria Police Force has arrested an individual believed to be in the top ranks of a prominent business email compromise (BEC) group known as SilverTerrier or TMT. Codenamed Delilah, the law enforcement operation engaged police agencies across four continents and is the third one focused on identifying and arresting suspected members of the SilverTerrier gang.
After a year-long investigation that involved Interpol and several cybersecurity companies, the Nigeria Police Force has arrested an individual believed to be in the top ranks of a prominent business email compromise (BEC) group known as SilverTerrier or TMT. Codenamed Delilah, the law enforcement operation engaged police agencies across four continents and is the third one focused on identifying and arresting suspected members of the SilverTerrier gang.
“US car manufacturer GM disclosed that it was the victim of a credential stuffing attack last month that exposed some customers' information and allowed hackers to redeem rewards points for gift cards. General Motors operates an online platform to help owners of Chevrolet, Buick, GMC, and Cadillac vehicles manage their bills, services, and redeem rewards points. Car owners can redeem GM rewards points towards GM vehicles, car service, accessories, and purchasing OnStar service plans.
The Research and Intelligence team at BlackBerry released a report today detailing a new version of the Chaos ransomware line, dubbed Yashma. Chaos is a customizable ransomware builder that emerged in underground forums on June 9, 2021, by falsely marketing itself as the .NET version of Ryuk despite sharing no such overlaps with the notorious counterpart. Since its discovery, the ransomware builder has undergone five successive iterations aimed at improving its functionalities: version 2.0 on June 17, version 3.0 on July 5, version 4.0 on August 5, and version 5.0 in early 2022.
Microsoft recently observed web skimming campaigns employing various obfuscation techniques to deliver and hide skimming scripts. "It's a shift from earlier tactics where attackers conspicuously injected malicious scripts into e-commerce platforms and content management systems (CMSs) via vulnerability exploitation, making this threat highly evasive to traditional security solutions," Microsoft 365 Defender Research Team said in a new report.
Identified as CVE-2022-22972, the security issue received a fix last Wednesday, accompanied by an urgent warning for administrators to install the patch or apply mitigations immediately. In an advisory on May 18th, VMware warned that the security implications for leaving CVE-2022-22972 unpatched are severe as the issue is "in the critical severity range with a maximum CVSSv3 base score of 9.8," with 10 being the maximum.
Interpol Secretary General Jurgen Stock declared that nation-state malware will become available on the darknet in a couple of years. In the ongoing conflict between Russia and Ukraine, the malware developed by both nation-state actors and non state actors represents a serious risk for critical infrastructure and organizations worldwide”.
“Interpol Secretary General Jurgen Stock declared that nation-state malware will become available on the darknet in a couple of years. In the ongoing conflict between Russia and Ukraine, the malware developed by both nation-state actors and non state actors represents a serious risk for critical infrastructure and organizations worldwide” (Security Affairs, 2022).
At least two research institutes located in Russia and a third likely target in Belarus have been at the receiving end of an espionage attack by a Chinese nation-state advanced persistent threat (APT). The attacks, codenamed "Twisted Panda," come in the backdrop of Russia's military invasion of Ukraine, prompting a wide range of threat actors to swiftly adapt their campaigns on the ongoing conflict to distribute malware and stage opportunistic attacks. They have materialized in the form of social engineering schemes with topical war and sanctions-themed baits orchestrated to trick potential victims into clicking malicious links or opening weaponized documents.
In a new reconnaissance campaign, the Russian state-sponsored hacking group Turla was observed targeting the Austrian Economic Chamber, a NATO platform, and the Baltic Defense College. This discovery comes from cybersecurity firm Sekoia, which built upon previous findings of Google’s TAG, which has been following Russian hackers closely this year. Google warned about coordinated Russian-based threat group activity in late March 2022, while in May, they spotted two Turla domains used in ongoing campaigns. Sekoia used this information to investigate further and found that Turla targeted the federal organization in Austria and the military college in the Baltic region.
Google's Threat Analysis Group (TAG) says that state-backed threat actors used five zero-day vulnerabilities to install Predator spyware developed by commercial surveillance developer Cytrox. In these attacks, part of three campaigns that started between August and October 2021, the attackers used zero-day exploits targeting Chrome and the Android OS to install Predator spyware implants on fully up-to-date Android devices.
Researchers from threat intelligence firm Cyble uncovered a malware campaign targeting the infoSec community. The expert discovered a post where a researcher were sharing a fake Proof of Concept (POC) exploit code for an RPC Runtime Library Remote Code Execution flaw (CVE-2022-26809 CVSS 9.8). The malware, disguised as a fake PoC code, was available on GitHub.
Cisco has addressed a zero-day vulnerability in its IOS XR router software that allowed unauthenticated attackers to remotely access Redis instances running in NOSi Docker containers. The IOS XR Network OS is deployed on multiple Cisco router platforms, including NCS 540 & 560, NCS 5500, 8000, and ASR 9000 series routers.
A case of software supply chain attack has been observed in the Rust programming language's crate registry that leveraged typosquatting techniques to publish a rogue library containing malware. Cybersecurity firm SentinelOne dubbed the attack "CrateDepression."
Advanced Intel researcher Yelisey Boguslavskiy, announced on Twitter yesterday that the Conti ransomware gang has officially shut down its operation, stating the gang’s internal infrastructure was turned off. “While public-facing 'Conti News' data leak and the ransom negotiation sites are still online, Boguslavskiy told BleepingComputer that the Tor admin panels used by members to perform negotiations and publish "news" on their data leak site are now offline”
Microsoft stated in a blog post yesterday that it has seen a 254% increase in activity from a Linux trojan called XorDdos. XorDdos is a modular malware that amasses botnets by targeting a multitude of Linux system architectures (ARM, x86, and x64). First discovered in 2014 by the research group MalwareMustDie, XorDdos was named after its usage of XOR-based encryption for C2 communication and being employed to launch distributed denial-of-service (DDoS) attacks. As the tech giant revealed, the botnet’s success is likely due to its extensive use of various evasion and persistence tactics which allow it to remain stealthy and hard to remove.
A new risk analysis published today warns that modern “smart” farm machinery is vulnerable to malicious hackers, leaving global supply chains exposed to risk. The analysis, published in the journal Nature Machine Intelligence, warns that hackers could exploit flaws in agricultural hardware used to plant and harvest crops. Additionally, it said automatic crop sprayers, drones and robotic harvesters could be vulnerable to hackers.
The Government of Canada announced its intention to ban the use of Huawei and ZTE telecommunications equipment and services across the country's 5G and 4G networks. The statement explains that after a thorough review from Canada's independent security agencies, the two Chinese tech companies have been deemed too great of a security risk to be allowed in the country's telecommunication network.
WordPress security analysts have discovered a set of vulnerabilities impacting the Jupiter Theme and JupiterX Core plugins for WordPress, one of which is a critical privilege escalation flaw. Jupiter is a powerful high-quality theme builder for WordPress sites used by over 90,000 popular blogs, online mags, and platforms that enjoy heavy user traffic. The vulnerability, tracked as CVE-2022-1654, and given a CVSS score of 9.9 (critical), allows any authenticated user on a site using the vulnerable plugins to gain administrative privileges.
Taiwan-based network-attached storage (NAS) maker QNAP warned customers on Thursday to secure their devices against attacks pushing DeadBolt ransomware payloads. The company asked users to update their NAS devices to the latest software version and ensure that they're not exposed to remote access over the Internet.
A new research published by academics from KU Leuven, Radboud University, and the University of Lausanne has revealed that users' email addresses are exfiltrated to tracking, marketing, and analytics domains before such is submitted and without prior consent. The study involved crawling 2.8 million pages from the top 100 websites, and found that as many as 1,844 websites allowed trackers to capture email addresses before form submission in the European Union, a number that jumped to 2,950 when the same set of websites were visited from the U.S.
A previously unknown Chinese cyberespionage group, tracked as ‘Space Pirates’, targets enterprises in the Russian aerospace industry with spear-phishing attacks. The group has been active since at least 2017, researchers believe it is linked with other China-linked APT groups, including APT41 (Winnti), Mustang Panda, and APT27.
Group IB released a report this week outline various tactics ransomware groups are using to breach victim networks. According to their research, external remote access services continue to be the main attack vector used by ransomware gangs to gain initial access. However, they note that there has been an uptick in the use of exploitable vulnerabilities.
VMware warned customers today to immediately patch a critical authentication bypass vulnerability "affecting local domain users" in multiple products that can be exploited to obtain admin privileges. The flaw (tracked as CVE-2022-22972) was reported by Bruno López of Innotec Security, who found that it impacts Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation.
Microsoft is warning of an emerging threat targeting internet-connected cryptocurrency wallets, signaling a departure in the use of digital coins in cyberattacks. The tech giant dubbed the new threat "cryware," with the attacks resulting in the irreversible theft of virtual currencies by means of fraudulent transfers to an adversary-controlled wallet.
On May 16, 2022, the threat intelligence team at PRODAFT (PTI) released a report detailing the inner workings of the Wizard Spider group. Wizard Spider is a financially motivated cybercrime group that is believed to operate out of Russia. The group was first identified in 2017 and is known for the creation and deployment of TrickBot, a modular malware that was officially discounted earlier this year. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals. The group has been tied to various malware variants including Ryuk, Conti, Bazar, Cobalt Strike, etc.
Researchers from the Jamf Threat Labs team have uncovered a new variant of the UpdateAgent macOS malware dropper. The new version is written in Swift and relies on the AWS infrastructure to host its malicious payloads. The malware dropper has a variety of capabilities including system fingerprinting, endpoint registration, and persistence tools. For second stage payloads, researchers found evidence of different types of malware, spyware and adware.
Microsoft warned of brute-forcing attacks targeting Internet-exposed and poorly secured Microsoft SQL Server (MSSQL) database servers using weak passwords. While this isn't necessarily the first time MSSQL servers have been targeted in such attacks, Microsoft says that the threat actors behind this recently observed campaign are using the legitimate sqlps.exe tool as a LOLBin (short for living-off-the-land binary)
The threat actors are using the sqlps[.]exe utility to achieve fileless persistence. The executable is a PowerShell wrapper used for running SQL-built commands. The executable is also used to create a new sysadmin account which allows them to take control of the SQL server. From there they can perform other actions and deploy additional payloads like ransomware or cryptominers.
Researchers at Malwarebytes uncovered a campaign that targets German users with a custom PowerShell RAT. The threat actors attempt to trick victims into opening weaponized documents by using the current situation in Ukraine as bait. The attackers registered a decoy site that was an expired German domain name at collaboration-bw[.]de. The site was hosting a bait document, named “2022-Q2-Bedrohungslage-Ukraine,” used to deliver the custom malware. The document appears to contain information about the current crisis in Ukraine.
Hackers are massively exploiting a remote code execution vulnerability, CVE-2021-25094, in the Tatsu Builder plugin for WordPress, which is installed on about 100,000 websites. Tatsu Builder is a popular plugin that offers powerful template editing features integrated right into the web browser. Large attack waves started on May 10, 2022 and peaked four days later. Exploitation is currently ongoing.
Skilled software and mobile app developers from North Korea are posing as US-based remote workers to land contract work as developers in US and European tech and crypto firms. The warning comes in a new joint advisory from The US Department of State, the US Department of the Treasury, and the Federal Bureau of Investigation (FBI) outlining the role North Korean IT workers play in raising revenue for North Korea, which contributes to its weapons of mass destruction (WMD) and ballistic missile programs, in violation of U.S. and UN sanctions.
CISA has added two more vulnerabilities to its list of actively exploited bugs, a code injection bug in the Spring Cloud Gateway library and a command injection flaw in Zyxel firmware for business firewalls and VPN devices. The Spring Framework vulnerability (CVE-2022-22947) is a maximum severity weakness that attackers can abuse to gain remote code execution on unpatched hosts. The vulnerability is being used by a recently discovered botnet called Sysrv, which is installing cryptomining malware on vulnerable Windows and Linux servers.
Ukraine CERT has released details on a new phishing attack carried out by the Russian linked Armageddon group. The threat actors are using a HTM-file to decode and create an archive named “Henson[.]rar” which contains a malicious LNK file titled “”Kherson[.]lnk.” ”Upon clicking on the link file, the HTA-file “precarious[.]xml” is loaded and executed leading to the creation and execution of files “desktop[.]txt” and “user[.]txt”. In the last stage of the attack chain, the GammaLoad[.]PS1_v2 malware is downloaded and executed on the victim’s computer.
Hackers have started to exploit a recently patched critical vulnerability tracked as CVE-2022-30525, that affects Zyxel firewall and VPN devices for businesses. Successful exploitation allows a remote attacker to inject arbitrary commands remotely without authentication, which can enable setting up a reverse shell.
SonicWall "strongly urges" customers to patch several high-risk security flaws impacting its Secure Mobile Access (SMA) 1000 Series line of products that can let attackers bypass authorization and, potentially, compromise unpatched appliances. SonicWall SMA 1000 SSLVPN solutions are used by enterprises to simplify end-to-end secure remote access to corporate resources across on-prem, cloud, and hybrid data center environments.
The Parker-Hannifin Corporation announced a data breach exposing employees' personal information after the Conti ransomware gang began publishing allegedly stolen data last month. Parker is an Ohio-based corporation specializing in advanced motion and control technologies, with a strong focus in aerospace hydraulic equipment. It has a revenue of $15.6 billion and employs over 58,000 people.
Microsoft says the Sysrv botnet is now exploiting vulnerabilities in the Spring Framework and WordPress to ensnare and deploy cryptomining malware on vulnerable Windows and Linux servers. Redmond discovered a new variant (tracked as Sysrv-K) that has been upgraded with more capabilities, including scanning for unpatched WordPress and Spring deployments.
A spear-phishing campaign targeting Jordan's foreign ministry has been observed dropping a new stealthy backdoor dubbed Saitama. Researchers from Malwarebytes and Fortinet FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat actor tracked under the moniker APT34, citing resemblances to past campaigns staged by the group.
A growing number of Android Google Chrome users in Russia are reporting errors when attempting to install the latest update for the web browser. The number of complaints is increasing every day but so far, the cause of the problem remains unknown and is still unsolved.
Zyxel has fixed critical firewall vulnerabilities that could have allowed threat actors to gain full access to devices and the internal corporate networks they are designed to protect. The company pushed out the security updates in a silent update two weeks ago but more details emerged recently.
The Linux Foundation and the Open Source Software Security Foundation, with input provided by executives from 37 companies and many U.S. government leaders, delivered a 10-point plan to broadly address open source and software supply chain security, by securing open source security production, improving vulnerability discovery and remediation, and shortening the patching response time of the ecosystem.
A Ukrainian man has been handed a four-year jail term for stealing thousands of server logins and putting them up for sale on the dark web. Glib Oleksandr Ivanov-Tolpintsev, 28, from Chernivtsi, was arrested in October 2020 by Polish police and subsequently extradited to the US, where he pleaded guilty in February this year.
On May 7th, researchers became aware of an online database containing personal details and login credentials for 21 million users of various VPN providers. The leaked database contains 10GBs of sensitive information from SuperVPN, GeckoVPN, and ChatVPN. The details from the database were actually stolen over a year ago and were put up for sale on Dark Web marketplaces. Now, the information is publicly available on Telegram for free.
Costa Rica has declared a national emergency following sustained cyber-attacks on government systems by the Russia-based Conti ransomware gang. The decree, signed by newly-elected President Rodrigo Chaves, is believed to be the first-ever response of this type by a government to a cyber-attack. Chaves described the attack, which took place on April 18, as an act of “cyber terrorism” .
HP has released BIOS updates today to fix two high-severity vulnerabilities affecting a wide range of PC and notebook products, which allow code to run with Kernel privileges. Kernel-level privileges are the highest rights in Windows, allowing threat actors to execute any command at the Kernel level, including manipulating drivers and accessing the BIOS.
A ransomware group with an Iranian operational connection has been linked to a string of file-encrypting malware attacks targeting organizations in Israel, the U.S., Europe, and Australia. Cybersecurity firm Secureworks attributed the intrusions to a threat actor it tracks under the moniker Cobalt Mirage, which it said is linked to an Iranian hacking crew dubbed Cobalt Illusion (aka APT35, Charming Kitten, Newscaster, or Phosphorus)
Cybersecurity researchers from Sucuri uncovered a massive campaign that compromised thousands of WordPress websites by injecting malicious JavaScript code that redirects visitors to scam content. According to Sucuri, at least 322 websites were compromised as a result of this new wave of attacks. The infections automatically redirect site visitors to third-party websites containing malicious content (i.e. phishing pages, malware downloads), scam pages, or commercial websites to generate illegitimate traffic.
The cybersecurity authorities of the United Kingdom (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (CISA), (NSA), (FBI) are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue.[1] This joint Cybersecurity Advisory (CSA) provides actions MSPs and their customers can take to reduce their risk of falling victim to a cyber intrusion. This advisory describes cybersecurity best practices for information and communications technology (ICT) services and functions, focusing on guidance that enables transparent discussions between MSPs and their customers on securing sensitive data. Organizations should implement these guidelines as appropriate to their unique environments, in accordance with their specific security needs, and in compliance with applicable regulations. MSP customers should verify that the contractual arrangements with their provider include cybersecurity measures in line with their particular security requirements.
A previously undocumented remote access trojan (RAT) written in the Go programming language has been spotted disproportionately targeting entities in Italy, Spain, and the U.K. Called Nerbian RAT by enterprise security firm Proofpoint, the novel malware leverages COVID-19-themed lures to propagate as part of a low volume email-borne phishing campaign that started on April 26, 2022.
Security researchers have found a new post-exploitation framework that they dubbed IceApple, deployed mainly on Microsoft Exchange servers across a wide geography. IceApple is a highly sophisticated .NET-based framework that comes with at least 18 modules, each for a specific task, that help the attacker discover relevant machines on the network, steal credentials, delete files and directories, or exfiltrate valuable data. These modules run in memory, emphasizing the adversary’s priority of maintaining a low forensic footprint on the infected host.
An espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021. Cybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the Bitter APT based on overlaps in the command-and-control (C2) infrastructure with that of prior campaigns mounted by the same actor.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new security vulnerability to its list of actively exploited bugs, the critical severity CVE-2022-1388 affecting BIG-IP network devices. F5 customers using BIG-IP solutions include governments, Fortune 500 firms, banks, service providers, and consumer brands (including Microsoft, Oracle, and Facebook), with the company claiming that "48 of Fortune 50 companies are F5 customers
International cybersecurity agencies are urging IT service providers and their customers to take actions to protect themselves from the threat of supply chain attacks. The cybersecurity agencies warn that Russia's invasion of Ukraine has increased the risk of cyberattacks against organizations around the world. But they also suggest a number of actions that IT and cloud service providers, along with their customers, can take to protect networks from supply chain attacks, where attackers gain access to a company that provides software or services to many other companies. "As this advisory makes clear, malicious cyber actors continue to target managed service providers, which is why it's critical that MSPs and their customers take recommended actions to protect their networks," said Jen Easterly, director of US's Cybersecurity and Infrastructure Security Agency (CISA).
This month, Microsoft released patches for 75 vulnerabilities. Of these 74, 7 are critical (2 elevation of privilege and 5 remote code execution), 66 are important, and 1 is rated as low. There is one zero-day vulnerability (CVE-2022-26925) that has been publicly disclosed and exploited in the wild. Two other vulnerabilities (CVE-2022-22713 and CVE-2022-29972) have been publicly disclosed but not yet observed exploited in the wild.
The notorious ransomware operation known as REvil (aka Sodin or Sodinokibi) has resumed after six months of inactivity, an analysis of new ransomware samples has revealed. "Analysis of these samples indicates that the developer has access to REvil's source code, reinforcing the likelihood that the threat group has reemerged," researchers from Secureworks Counter Threat Unit (CTU) said in a report published Monday.
Since Russia’s invasion of Ukraine, Hacktivists and white hat hackers have continued to support Ukraine by launching cyberattacks on Russian websites and infrastructure. In a recent attack, they defaced Russian TV with anti-war messages and took down the RuTube video streaming site. The attack took place during Russia’s Victory Day, Russians attempting to view the parade were displayed Pro-Ukraine messages due to a cyber attack that impacted the Russian TV listings systems. According to the BBC, the coordinated attack affected major Russian networks, including Channel One, Rossiya-1, MTS, Rostelecom, and NTV-Plus.
Lincoln College, a liberal-arts school from rural Illinois, says it will close its doors later this month, 157 years since its founding and following a brutal hit on its finances from the COVID-19 pandemic and a recent ransomware attack. This decision was made even harder with the college having survived multiple disasters, including a major fire in 1912, the Spanish flu, the Great Depression, the World Wars, and the 2008 global financial crisis.
More than 70% of UK critical national infrastructure (CNI) providers have seen an increase in cyber-attacks since the start of the war in Ukraine, according to new research from Bridewell
Threat actors started massively exploiting the critical remote code execution vulnerability, tracked as CVE-2022-1388, affecting F5 BIG-IP. F5 and CISA released a security advisory last week warning customers to install the latest updates for a variety of products.
The US authorities have offered a multimillion-dollar reward for information leading to the identification, arrest and/or conviction of individuals involved in attacks using the Conti ransomware variant. Offered under the Department of State’s Transnational Organized Crime Rewards Program (TOCRP), the money is split into two pots: up to $10m for information on the identity or location of individuals “who hold a key leadership position” in Conti; and up to $5m for info leading to the arrest or conviction of anyone conspiring to use the malware in attacks
A cyber attack has disrupted the operations of AGCO/Fendt, a major manufacturer of agricultural equipment, the company has acknowledged. AGCO/Fendt, headquartered in Duluth, Georgia, said in a statement to the Security Ledger that it was the subject of a cybersecurity incident that “has impacted some of our production facilities. We are working to address the issues. Our first priority is to restore those critical activities needed to keep farmers farming.” The company first acknowledged the attack on Thursday, May 5.
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of phishing attacks that deploy an information-stealing malware called Jester Stealer on compromised systems. The mass email campaign carries the subject line "chemical attack" and contains a link to a macro-enabled Microsoft Excel file, opening which leads to computers getting infected with Jester Stealer.
The RubyGems package repository has fixed a critical vulnerability that would allow anyone to unpublish ("yank") certain Ruby packages from the repository and republish their tainted or malicious versions with the same file names and version numbers.
On Sunday, May 8th, newly elected Costa Rican President Rodrigo Chaves declared a national emergency following cyber-attacks from the Conti Ransomware group on multiple government bodies.
Code hosting platform GitHub on Wednesday said it would make it mandatory for software developers to use at least one form of two-factor authentication (2FA) by the end of 2023. The Microsoft-owned platform has been supporting 2FA for years and is allowing users to use physical and virtual security keys, Time-based One-Time Password (TOTP) authenticator apps, and SMS as a second form of authentication.
Hacktivists operating on the side of Ukraine have focused their DDoS attacks on a portal that is considered crucial for the distribution of alcoholic beverages in Russia. DDoS (distributed denial of service) attacks are collective efforts to overwhelm servers with large volumes of garbage traffic and bogus requests, rendering them unable to serve legitimate visitors.
The Lazarus hacking group is one of the top cybersecurity threats from North Korea, recently catching the attention of the US government for massive cryptocurrency heists. Now researchers at NCCGroup have pieced together a few of the tools and techniques Lazarus hackers have been using recently, including social engineering on LinkedIn, messaging US defense contractor targets on WhatsApp, and installing the malicious downloader LCPDot.
Some of the world’s biggest tech companies are throwing considerable weight behind a common passwordless sign-in standard that could finally signal the end of static credentials for many users. Apple, Microsoft and Google announced plans to support the FIDO Alliance and World Wide Web Consortium (W3C) standard, making it easier for websites and apps to deliver end-to-end passwordless authentication via fingerprint/face scan or device PIN.
Red Canary researchers have discovered a new wormable Windows malware that spreads through USB drives. They have dubbed the malware Raspberry Robin and first observed the activity back in September 2021. Using detection tools on customer networks, Red Canary saw the malware spreading in the technology and manufacturing sectors.
Cisco Systems on Wednesday shipped security patches to contain three flaws impacting its Enterprise NFV Infrastructure Software (NFVIS) that could permit an attacker to fully compromise and take control over the hosts.
Researchers have disclosed two high-severity vulnerabilities in Avast and AVG antivirus products which have gone undetected for ten years.
A new malware framework known as NetDooka has been discovered being distributed through the PrivateLoader pay-per-install (PPI) malware distribution service, allowing threat actors full access to an infected device. This previously undocumented malware framework features a loader, a dropper, a protection driver, and a powerful RAT component that relies on a custom network communication protocol.
A new malware framework known as NetDooka has been discovered being distributed through the PrivateLoader pay-per-install (PPI) malware distribution service, allowing threat actors full access to an infected device. This previously undocumented malware framework features a loader, a dropper, a protection driver, and a powerful RAT component that relies on a custom network communication protocol.
The Federal Bureau of Investigation (FBI) said today that the amount of money lost to business email compromise (BEC) scams continues to grow each year, with a 65% increase in the identified global exposed losses between July 2019 and December 2021. From June 2016 until July 2019, IC3 received victim complaints regarding 241,206 domestic and international incidents, with a total exposed dollar loss of $43,312,749,946
F5 and US-CERT released security notifications this morning, warning of a handful of vulnerabilities in various products. In total the company addressed 43 vulnerabilities, the most severe being tracked as CVE-2022-1388. It received a CVSS scored of 9.8 and allows an unauthenticated attacker to exploit BIG-IP systems through the management port. Using the system they can execute arbitrary system commands, create or deleted files, or disable services.
Financially motivated and state-sponsored actors around the globe continue to use the war in Ukraine as a lure for phishing campaigns, with Chinese groups targeting Russia of late, according to Google. The tech giant’s Threat Analysis Group (TAG) claimed in its new quarterly bulletin that the usual governments of China, Iran, North Korea and Russia were responsible for many of the attacks recorded over the period.
An Unpatched DNS bug in a popular C standard library is putting millions of IoT devices at risk of DNS poisoning attacks. Using the vulnerability, a threat actor may be able to spoof or redirect a victim to a malicious website under their control.
An elusive and sophisticated cyberespionage campaign orchestrated by the China-backed Winnti group has managed to fly under the radar since at least 2019. Dubbed "Operation CuckooBees" by Israeli cybersecurity company Cybereason, the massive intellectual property theft operation enabled the threat actor to exfiltrate hundreds of gigabytes of information. Targets included technology and manufacturing companies primarily located in East Asia, Western Europe, and North America.
Hackers commonly exploit vulnerabilities in corporate networks to gain access, but a researcher has turned the table by finding exploits in the most common ransomware and malware being distributed today. Malware from notorious ransomware operations like Conti, the revived REvil, the newcomer Black Basta, the highly active LockBit, or AvosLocker, all came with security issues that could be exploited to stop the final and most damaging step of the attack, file encryption.
Docker images with a download count of over 150,000 have been used to run distributed denial-of-service (DDoS) attacks against a dozen Russian and Belarusian websites managed by the government, military, and news organizations. Behind the incidents are believed to be pro-Ukrainian actors such as hacktivists, likely backed by the country's IT Army.
Security researchers have discovered five vulnerabilities in network equipment from Aruba (owned by HP) and Avaya (owned by ExtremeNetworks), that could allow malicious actors to execute code remotely on the devices. The damage caused by a successful attack ranges from data breach and complete device takeover to lateral movement and overriding network segmentation defenses.
Researchers have identified a new cluster of malicious cyber activity tracked as Moshen Dragon, targeting telecommunication service providers in Central Asia. While this new threat group has some overlaps with "RedFoxtrot" and "Nomad Panda," including the use of ShadowPad and PlugX malware variants, there are enough differences in their activity to follow them separately.
Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws.
Recorded Future’s Insikt Group continues to monitor Russian state-sponsored cyber espionage operations targeting government and private sector organizations across multiple geographic regions. From mid-2021 onwards, Recorded Future’s midpoint collection revealed a steady rise in the use of NOBELIUM infrastructure tracked by Insikt Group as SOLARDEFLECTION, which encompasses command and control (C2) infrastructure. In this report, we highlight trends observed by Insikt Group while monitoring SOLARDEFLECTION infrastructure and the recurring use of typosquat domains by its operators.
Mandiant researchers discovered a new APT group, tracked as UNC3524, that heavily targets the emails of employees that focus on corporate development, mergers and acquisitions, and large corporate transactions. Once gained initial access to the target systems, UNC3524 deployed a previously unknown backdoor tracked by Mandiant researchers as QUIETEXIT. The QUIETEXIT backdoor borrows the code from the open-source Dropbear SSH client-server software. The threat actors deployed QUIETEXIT on network appliances within the target network, including load balancers and wireless access point controllers.
A Chinese state-sponsored espionage group known as Override Panda has resurfaced in recent weeks with a new phishing attack with the goal of stealing sensitive information. "The Chinese APT used a spear-phishing email to deliver a beacon of a Red Team framework known as 'Viper,'" Cluster25 said in a report published last week. "The target of this attack is currently unknown but with high probability, given the previous history of the attack perpetrated by the group, it might be a government institution from a South Asian country."
The Open Source Security Foundation (OpenSSF) has announced the initial prototype release of a new tool that's capable of carrying out dynamic analysis of all packages uploaded to popular open source repositories. Called the Package Analysis project, the initiative aims to secure open-source packages by detecting and alerting users to any malicious behavior with the goal of bolstering the security of the software supply chain and increasing trust in open-source software.
Security analysts have uncovered a recent phishing campaign from Russian hackers known as APT29 (Cozy Bear or Nobelium) targeting diplomats and government entities in Europe, the Americas, and Asia. The APT29 is a state-sponsored actor that focuses on cyberespionage and has been active since at least 2014. Its targeting scope is determined by current Russian geopolitical strategic interests.
“The notorious REvil ransomware operation has returned amidst rising tensions between Russia and the USA, with new infrastructure and a modified encryptor allowing for more targeted attacks”. The REvil ransomware group was shut down by law enforcement back in October of 2021. Various members of the group was arrested and their Tor servers were seized. There has been rumors that the groups Tor servers were back online, and this week we are seeing reports that their previous websites are now redirecting visitors to a new unnamed ransomware operation.
Some major tech companies have unwittingly opened harassment and exploitation opportunities to the women and children who they have pledged to protect. This happened because they provided information in response to emergency data requests from legitimate law enforcement accounts that hackers had compromised. This finding came from four federal law enforcement agencies and a couple of industry investigators.
Ukraine ‘s computer emergency response team (CERT-UA) announced that it is investigating, along with the National Bank of Ukraine (CSIRT-NBU), ongoing DDoS (distributed denial of service) attacks targeting pro-Ukraine sites and the government web portal.
Microsoft has addressed a chain of critical vulnerabilities found in the Azure Database for PostgreSQL Flexible Server that could let malicious users escalate privileges and gain access to other customers' databases after bypassing authentication.
The Japan CERT has released a new version of their EmoCheck utility to detect new 64-bit versions of the Emotet malware that began infecting users this month. Emotet is one of the most actively distributed malware spread through emails using phishing emails with malicious attachments, including Word/Excel documents, Windows shortcuts, ISO files, and password-protected zip files. The phishing emails use creative lures to trick users into opening the attachments, including reply-chain emails, shipping notices, tax documents, accounting reports, or even holiday party invites.
The criminal group FIN7 has been mailing malware-ridden USBs to various entities in the transport, insurance, and defense industries under the guise that they originated from a trusted source, such as Amazon and the US Department of Health and Human Services. Those from the former were supposedly gift vouchers, while the latter claimed to include new COVID guidelines. FIN7’s badUSB attacks serve as a reminder of two key vulnerabilities present among all organizations.
Cybercriminal actors previously observed delivering BazaLoader and IcedID as part of their malware campaigns are said to have transitioned to a new loader called Bumblebee that's under active development.
A new ransomware gang known as Black Basta has quickly catapulted into operation this month, breaching at least twelve companies in just a few weeks. The first known Black Basta attacks occurred in the second week of April, as the operation quickly began attacking companies worldwide. While ransom demands likely vary between victims, BleepingComputer is aware of one victim who received over a $2 million demand from the Black Basta gang to decrypt files and not leak data.
A cyberespionage threat actor known for targeting a variety of critical infrastructure sectors in Africa, the Middle East, and the U.S. has been observed using an upgraded version of a remote access trojan with information-stealing capabilities.
Cloudflare announced to have mitigated a distributed denial-of-service (DDoS) attack that peaked at 15.3 million request-per-second (RPS), which is one of the largest HTTPS DDoS attacks blocked by the company.
Microsoft warns it saw six Russia-aligned, state-sponsored hacking groups launch over 237 cyberattacks against Ukraine starting in the weeks before Russia's February 24 invasion. Microsoft has released an in-depth report detailing how Russian cyberattacks against Ukraine were "strongly correlated" or "directly timed" with its military operations in the country.
CISA, the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) have released a joint Cybersecurity Advisory that provides details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited. CISA encourages users and administrators to review joint Cybersecurity Advisory: 2021 Top Routinely Exploited Vulnerabilities and apply the recommended mitigations to reduce the risk of compromise by malicious cyber actors.
The US authorities are offering a multimillion-dollar reward for anyone with information that could identify or locate six members of a notorious Russian state hacking group responsible for NotPetya.
Security researchers analyzing a phishing campaign targeting Russian officials found evidence that points to the China-based threat actor tracked as Mustang Panda (also known as HoneyMyte and Bronze President). The threat group was previously seen orchestrating intelligence collection campaigns against European targets, employing phishing lures inspired by the Russian invasion of Ukraine.
Threat analysts have uncovered yet a new campaign that uses the RIG Exploit Kit to deliver the RedLine stealer malware. Exploit kits (EKs) have dropped drastically in popularity as they targeted vulnerabilities in web browsers introduced by plug-in software such as the now-defunct Flash Player and Microsoft Sillverlight.
A previously unknown and financially motivated hacking group is impersonating a Russian agency in a phishing campaign targeting entities in Eastern European countries. The phishing emails pretend to come from the Russian Government’s Federal Bailiffs Service and are written in the Russian language, with the recipients being telecommunication service providers and industrial firms in Lithuania, Estonia, and Russia.
North Korean state-sponsored hackers known as APT37 have been discovered targeting journalists specializing in the DPRK with a novel malware strain. The malware is distributed through a phishing attack first discovered by NK News, an American news site dedicated to covering news and providing research and analysis about North Korea, using intelligence from within the country.
An Iranian-linked threat actor known as Rocket Kitten has been observed actively exploiting a recently patched VMware vulnerability to gain initial access and deploy the Core Impact penetration testing tool on vulnerable systems.
Security researchers have disclosed a security issue that could have allowed attackers to weaponize the VirusTotal platform as a conduit to achieve remote code execution (RCE) on unpatched third-party sandboxing machines employed antivirus engines.
Addressing quantum cyber-threats should already be a high priority for cybersecurity professionals, according to Duncan Jones, head of cybersecurity at Quantinuum, speaking during the ISC2 Secure Webinar ‘The Threat and Promise of Quantum Cybersecurity. Jones began by emphasizing the significant differences between quantum and classical computing, both in operations and possibilities. One of the most significant of these is that while classical computers only have binary choices, 0 or 1, quantum computers are made up of ‘qubits,’ which “can have values that are combinations of 0 and 1.” This mixture is known as a ‘superposition.’ This enables calculations to be made in parallel. In addition, qubits can be connected, which provides the opportunity to model aspects of nature in their entirety. This aspect offers enormous potential in fields like drug discovery, where testing could be simulated rather than requiring lengthy and expensive trials.
The Emotet malware phishing campaign is up and running again after the threat actors fixed a bug preventing people from becoming infected when they opened malicious email attachments.
The Quantum ransomware, a strain first discovered in August 2021, was seen carrying out speedy attacks that escalate quickly, leaving defenders little time to react. The threat actors are using the IcedID malware as one of their initial access vectors, which deploys Cobalt Strike for remote access and leads to data theft and encryption using Quantum Locker.
Email security provider Avanan revealed in a Thursday report that a new phishing campaign exploits local credit unions to steal money and data. According to Avanan’s research, phishing emails are masqueraded as legit messages from high-profile companies/businesses. They are sent to lure the recipient into sharing login credentials and sensitive data of the spoofed company.
The Quantum ransomware, a strain first discovered in August 2021, was seen carrying out speedy attacks that escalate quickly, leaving defenders little time to react. The threat actors are using the IcedID malware as one of their initial access vectors, which deploys Cobalt Strike for remote access and leads to data theft and encryption using Quantum Locker.
Threat analysts have spotted yet another addition to the growing space of info-stealer malware infections, named Prynt Stealer, which offers powerful capabilities and extra keylogger and clipper modules. Prynt Stealer targets a large selection of web browsers, messaging apps, and gaming apps and can also perform direct financial compromise.
The GHT Coeur Grand Est. Hospitals and Health Care group has disconnected all incoming and outgoing Internet connections after discovering they suffered a cyberattack that resulted in the theft of sensitive administrative and patient data. GHT is a hospital network located in Northeast France consisting of nine locations, 6,000 employees, and approximately 3,370 beds.
Due to government sanctions, law enforcement action, and the takedown of popular dark web markets, the Russian cybercriminals are looking for alternative means to carry out money-laundering activities. As pressure from law enforcement mounts, cybercriminals will need to be more creative when withdrawing stolen funds and cryptocurrency. ”First came the bank sanctions and the blocking of SWIFT payments, a result of the Russian invasion of Ukraine. This crippled the regular channels for cash flows used by cybercriminals. Then came the suspension of Russian operations of direct money transfer services such as Western Union and MoneyGram. Scammers and extortionists typically used those to receive payments from victims without revealing their real identity. On April 5, the servers of Hydra Market, the largest Russian darknet platform, were seized by the German police, taking down a massive business (over $1.35 billion annual turnover) that also sustained money-laundering services. The following day, the U.S. sanctioned Garantex, one of the most important platforms Russian cybercriminals used for laundering stolen funds, which followed a wave of sanctions on similar platforms starting in 2021. Finally, Binance became the first large cryptocurrency exchange to essentially ban Russian users from performing transactions or investments, and more are expected to follow soon. Even coin mining operations of significant size in Russia are being sanctioned.
Atlassian has published a security advisory to alert that its Jira and Jira Service Management products are affected by a critical authentication bypass vulnerability in Seraph, the company's web application security framework. Seraph is used in Jira and Confluence for handling all login and logout requests via a system of pluggable core elements.
Docker APIs on Linux servers are being targeted by a large-scale Monero crypto-mining campaign from the operators of the LemonDuck botnet. Docker is a platform for building, running and managing containerized workloads. Docker provides a number of APIs to help developers with automation, and these APIs can be made available using local Linux sockets or daemons.
QNAP has asked customers to apply mitigation measures to block attempts to exploit Apache HTTP Server security vulnerabilities impacting their network-attached storage (NAS) devices.
Cisco Talos has recently received modified versions of the TeamTNT cyber crime group's malicious shell scripts, an earlier version of which was detailed by Trend Micro. The malware author modified tools after they became aware that security researchers published the previous version of scripts. The scripts are primarily designed to target Amazon Web Services (AWS) but could also run in on-premise, container or other forms of Linux instances. They have the ability to mine cryptocurrency, maintain persistence, lateral movement, remote access, and defense evasion. The threat actors used a bash script to collect information on targeted instances, some scripts (GRABBER_aws_cloud.sh) will not execute if specific hostnames are detected on the targeted machine, this is check is completed to avoid the installation of malware on the authors own systems. The script then checks API’s for credentials that can be used to execute additional scripts, approximately 17 in total. Researchers noted that, “TeamTNT does not make any attempts to disable the AWS CloudWatch agent, Microsoft Defender, Google Cloud Monitor, Cisco Secure Cloud Analytics, CrowdStrike Falcon, Palo Alto Prisma Cloud, or other common United States cloud security tools .
A United Nations expert on North Korea has said the country is funding its banned nuclear and missile programs with cyber activity. Eric Penton-Voak, a coordinator of the UN group tasked with monitoring the enforcement of sanctions on North Korea, made the comment on Wednesday and called for increased focus on cybercrime stemming from the country.
Cisco has released security updates to address a high severity vulnerability in the Cisco Umbrella Virtual Appliance (VA), allowing unauthenticated attackers to steal admin credentials remotely.
Details have emerged about a now-patched security vulnerability in the Snort intrusion detection and prevention system that could trigger a denial-of-service (DoS) condition and render it powerless against malicious traffic.
Security analysts have found that Android devices running on Qualcomm and MediaTek chipsets were vulnerable to remote code execution due to a flaw in the implementation of the Apple Lossless Audio Codec (ALAC). ALAC is an audio coding format for lossless audio compression that Apple open-sourced in 2011. Since then, the company has been releasing updates to the format, including security fixes, but not every third-party vendor using the codec applies these fixes.
Kaspersky experts have detected significant growth in complex malicious spam emails targeting organizations in various countries. These emails are being distributed as part of a coordinated campaign that aims to spread Qbot and Emotet – two notorious banking Trojans that function as part of botnet networks. Both malware instances are capable of stealing users’ data, collecting data on an infected corporate network, spreading further in the network, and installing ransomware or other Trojans on other devices in the network. One of the functions of Qbot is also to access and steal emails.
The Federal Bureau of Investigation (FBI) says the Black Cat ransomware gang, also known as ALPHV, has breached the networks of at least 60 organizations worldwide between November 2021 and March 2022. The FBI's Cyber Division revealed this in a TLP:WHITE flash alert released on Wednesday in coordination with the Cybersecurity and Infrastructure Security Agency (DHS/CISA)
We have closely followed the cyber landscape during the Russia and Ukraine conflict. Reporting today suggests that Russia has been using new malware variants in recent attacks in addition to previous DDoS and wiper attacks on Ukrainian infrastructure in previous campaigns. A joint advisory was released a few moments ago from the cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom. It was released to warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity from Russian state-sponsored cyber actors or Russian-aligned cybercrime groups.
The Emotet malware is having a burst in distribution and is likely to soon switch to new payloads that are currently detected by fewer antivirus engines. Security researchers monitoring the botnet are observing that emails carrying malicious payloads last month have increased tenfold. According to Kaspersky, the number of phishing emails distributed by Emotet operators from February to March increased from 3,000 to 30,000 emails.
Threat analysts report that the Russian state-sponsored threat group known as Gamaredon (a.k.a. Armageddon/Shuckworm) is launching attacks against targets in Ukraine using new variants of the custom Pteredo backdoor. Gamaredon has been launching cyber-espionage campaigns targeting the Ukrainian government and other critical entities since at least 2014. The actor is known for its strong focus on Ukraine, being attributed over 5,000 cyberattacks against 1,500 public and private entities in the country.
Google Project Zero called 2021 a "record year for in-the-wild 0-days," as 58 security vulnerabilities were detected and disclosed during the course of the year. The development marks more than a two-fold jump from the previous maximum when 28 zero-day exploits were tracked in 2015. In contrast, only 25 zero-day exploits were detected in 2020. "The large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits," Google Project Zero security researcher Maddie Stone said.
Okta has revealed that just two of its customers were affected by an incident in January in which threat actors compromised a third-party vendor’s workstation. The authentication specialist completed its investigation into the events that took place between January 16 and 21 this year, when it was believed that a hacker from the Lapsus group gained access to back-end systems. Previously, Okta estimated that 366 customers may have had their tenants accessed by the attackers via a Sitel support engineer’s machine.
Lenovo has patched a trio of bugs that could be abused to perform UEFI attacks. Discovered by ESET researcher Martin Smolár, the vulnerabilities, assigned as CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, could be exploited to "deploy and successfully execute UEFI malware either in the form of SPI flash implants like LoJax or ESP implants like ESPecter" in the Lenovo Notebook BIOS.
Researchers from Kaspersky discovered a vulnerability in the encryption process of the Yanluowang ransomware that can be exploited to recover the files encrypted by the malware without paying the ransom. The Yanluowang ransomware was first spotted by researchers from Symantec Threat Hunter Team in October 2021 after the malware was used in highly targeted attacks against large enterprises.
Security researchers are warning that LinkedIn has become the most spoofed brand in phishing attacks, accounting for more than 52% of all such incidents at a global level. The data comes cybersecurity company Check Point, who recorded a dramatic uptick in LinkedIn brand abuse in phishing incidents in the first quarter of this year.
The U.S. government has observed North Korean cyber actors targeting a variety of organizations in the blockchain technology and cryptocurrency industry, including cryptocurrency exchanges, decentralized finance (DeFi) protocols, play-to-earn cryptocurrency video games, cryptocurrency trading companies, venture capital funds investing in cryptocurrency, and individual holders of large amounts of cryptocurrency or valuable non-fungible tokens (NFTs).
A notorious spyware variant linked to multiple state-backed campaigns was used to target the UK Prime Minister’s Office over the past two years, researchers have revealed. Over recent years, Canadian non-profit Citizen Lab has been heavily involved in tracking the use of the Pegasus spyware produced by Israel’s NSO Group. The firm is being sued by both WhatsApp and Apple after customers of the tech giants were targeted by the covert malware. It was also used to compromise the iPhones of nine US State Department officials, it emerged late last year.
GitHub revealed Friday that an attacker is using stolen OAuth user tokens (issued to two third-party integrators, Heroku and Travis-CI) to download data from private repositories. Since this campaign was first spotted on April 12, 2022, the threat actor has already accessed and stolen data from dozens of victim organizations using Heroku and Travis-CI-maintained OAuth apps, including npm.
An 18-month-long analysis of the PYSA ransomware operation has revealed that the cybercrime cartel followed a five-stage software development cycle from August 2020, with the malware authors prioritizing features to improve the efficiency of its workflows. This included a user-friendly tool like a full-text search engine to facilitate the extraction of metadata and enable the threat actors to find and access victim information quickly.
An ongoing phishing campaign is targeting T-Mobile customers with malicious links using unlockable texts sent via SMS (Short Message Service) group messages. The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) issued a warning after multiple customers have filed reports of being targeted by this new SMS phishing (smishing) campaign.
Industrial Spy is an online marketplace that sells information stolen from compromised organizations while also "spoiling" its customers with stolen data that's free of charge. Unlike traditional stolen data marketplaces, where data is used to extort enterprises and threaten them with GDPR fines, Industrial Spy promotes itself as a marketplace where organizations can buy their rival companies' data to gain access to trade classified information, manufacturing diagrams, accounting reports, and client databases. This newer and lesser-known marketplace offers different tiers of data offerings, with "premium" stolen data packages costing millions of dollars and lower-tier data that can be bought as individual files for as little as $2. An image sample from Bleeping Computer displays Industrial Spy selling an Indian company's data in their premium category for $1.4 million in Bitcoins.
Cybersecurity researchers have disclosed a new version of the SolarMarker malware that packs in new improvements with the goal of updating its defense evasion abilities and staying under the radar. "The recent version demonstrated an evolution from Windows Portable Executables (EXE files) to working with Windows installer package files (MSI files)," Palo Alto Networks Unit 42 researchers said in a report published this month. "This campaign is still in development and going back to using executables files (EXE) as it did in its earlier versions.
A new study shows that pressing the mute button on popular video conferencing apps (VCA) may not actually work like you think it should, with apps still listening in on your microphone. More specifically, in the studied software, pressing mute does not prevent audio from being transmitted to the apps' servers, either continually or periodically.
After breaching servers managed by the cybercriminals, security researchers found a connection between Conti ransomware and the recently emerged Karakurt data extortion group, showing that the two gangs are part of the same operation. The Conti ransomware syndicate is one of the most prolific cybercriminal groups today that operates unabated despite the massive leak of internal conversations and source code that a hacking group already used to cripple Russian organizations.
Google is issuing fixes for two vulnerabilities in its Chrome web browser, including one flaw already being exploited in the wild. The emergency updates the company issued this week impacted almost 3 billion users of its Chrome browser and those using other Chromium-based browsers, such as Microsoft Edge, Brave, and Vivaldi.
Cisco released patches this week for CVE-2022-20695 which received a CVSS score of 10. The vulnerability resides in the Cisco Wireless LAN Controller (WLC) and allows a remote, unauthenticated attacker to bypass authentication and log in to the device through the management interface.
A rapidly growing botnet is ensnaring routers, DVRs, and servers across the Internet to target more than 100 victims every day in distributed denial-of-service (DDoS) attacks. This newly discovered malware, named Fodcha by researchers at Qihoo 360's Network Security Research Lab (360 Netlab), has spread to over 62,000 devices between March 29 and April 10.
OldGremlin, a little-known threat actor that uses its particularly advanced skills to run carefully prepared, sporadic campaigns, has made a comeback last month after a gap of more than one year. The group distinguishes itself from other ransomware operations through the small number of campaigns - less than five since early 2021 - that target only businesses in Russia and the use of custom backdoors built in-house.
Hackers are targeting Ukrainian government agencies with new attacks exploiting Zimbra exploits and phishing attacks pushing the IcedID malware. The Computer Emergency Response Team of Ukraine (CERT-UA) detected the new campaigns and attributed the IcedID phishing attack to the UAC-0041 threat cluster, previously connected with AgentTesla distribution, and the second to UAC-0097, a currently unknown actor.
A new type of information stealer has been added to the Haskers Gang malware portfolio. On Thursday, researchers from Cisco Talos said that the malware, dubbed ZingoStealer, is being offered for free to Haskers Gang Telegram group members. Active since at least 2020, the Haskers Gang group isn't your typical, small collective of cybercriminals. Instead, the 'community' comprises of a few founders -- likely based in Eastern Europe -- and thousands of casual members.
n early 2022, Mandiant, in partnership with Schneider Electric, analyzed a set of novel industrial control system (ICS)-oriented attack tools—which we call INCONTROLLER—built to target machine automation devices. The tools can interact with specific industrial equipment embedded in different types of machinery leveraged across multiple industries. While the targeting of any operational environments using this toolset is unclear, the malware poses a critical risk to organizations leveraging the targeted equipment. INCONTROLLER is very likely state sponsored and contains capabilities related to disruption, sabotage, and potentially physical destruction.
Microsoft Patch Tuesday security updates for April 2022 fixed 128 vulnerabilities in multiple products, including Microsoft Windows and Windows Components, Microsoft Defender and Defender for Endpoint, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Office and Office Components, SharePoint Server, Windows Hyper-V, DNS Server, Skype for Business, .NET and Visual Studio, Windows App Store, and Windows Print Spooler Components.
Vendor Aethon has patched five critical vulnerabilities in hospital robots used to deliver medical supplies. Aethon's mobile robots (referred to as TUG) are autonomous devices used by hundreds of hospitals to perform basic, repetitive tasks to augment existing workforces. TUGs run errands including medicine delivery, cleaning, and dropping off linen and other supplies to healthcare professionals. Stanford is a healthcare provider that uses the robots in drug deliveries, which can move at 2mph down pre-determined routes.
The authors of the Elementor Website Builder plugin for WordPress have just released version 3.6.3 to address a critical remote code execution flaw that may impact as many as 500,000 websites. Although exploiting the flaw requires authentication, it's critical severity is given by the fact that anyone logged into the vulnerable website can exploit it, including regular subscribers.
A months-long global operation led by Microsoft's Digital Crimes Unit (DCU) has taken down dozens of domains used as command-and-control (C2) servers by the notorious ZLoader botnet. The court order obtained by Microsoft allowed it to sinkhole 65 hardcoded domains used by the ZLoader cybercrime gang to control the botnet and another 319 domains registered using the domain generation algorithm used to create fallback and backup communication channels.
A new botnet is targeting routers, Internet of Things (IoT) devices, and an array of server architectures. On April 12, cybersecurity researchers from FortiGuard Labs said the new distributed denial-of-service (DDoS) botnet, dubbed Enemybot, borrows modules from the infamous Mirai botnet's source code, alongside Gafgyt's
Hackers are pretending to poach bank staff in a wave of attacks against the African financial sector. In recent weeks, the threat actors have been spotted using recruitment emails and messages to entice individuals considering moving from their current employment to rival financial companies.
The Russian state-sponsored hacking group known as Sandworm tried on Friday to take down a large Ukrainian energy provider by disconnecting its electrical substations with a new variant of the Industroyer malware for industrial control systems (ICS) and a new version of the CaddyWiper data destruction malware.
A regional U.S. government agency compromised with LockBit ransomware had the threat actor in its network for at least five months before the payload was deployed, security researchers found. Logs retrieved from the compromised machines showed that two threat groups had compromised them and were engaged in reconnaissance and remote access operations.
"The Department of Justice today announced the seizure of the RaidForums website, a popular marketplace for cybercriminals to buy and sell hacked data, and unsealed criminal charges against RaidForums’ founder and chief administrator, Diogo Santos Coelho, 21, of Portugal. Coelho was arrested in the United Kingdom on Jan. 31, at the United States’ request and remains in custody pending the resolution of his extradition proceedings.
According to research published on Tuesday by the Ponemon Institute, on behalf of Intel, the global enterprise will spend roughly $172 billion on cybersecurity this year. However, only 53% of respondents said they refreshed their existing strategies due to the pandemic -- and this could indicate a disconnect between spending the cash and applying it correctly to the modern workplace,
A hacker organization known as NB65 has been infiltrating Russian businesses, collecting their data, and then exposing it online, stating that the attacks are being carried out in retaliation for Russia's military intervention in Ukraine. The hacker gang claims to have targeted several Russian businesses, including document management company Tensor, the Russian space agency Roscosmos, and the state-owned Russian television and radio station VGTRK
A new Android banking malware named Octo has appeared in the wild, featuring remote access capabilities that allow malicious operators to perform on-device fraud. Octo is an evolved Android malware based on ExoCompact, a malware variant based on the Exo trojan that quit the cybercrime space and had its source code leaked in 2018.
A malspam campaign has been found distributing the new META malware, a new info-stealer malware that appears to be rising in popularity among cybercriminals. META is one of the novel info-stealers, along with Mars Stealer and BlackGuard, whose operators wish to take advantage of Raccoon Stealer's exit from the market that left many searching for their next platform.
American automotive tools manufacturer Snap-on announced a data breach exposing associate and franchisee data after the Conti ransomware gang began leaking the company's data in March. Snap-on is a leading manufacturer and designer of tools, software, and diagnostic services used by the transportation industry through various brands, including Mitchell1, Norbar, Blue-Point, Blackhawk, and Williams.
Post-quantum cryptography has arrived by default with the release of OpenSSH 9 and the adoption of the hybrid Streamlined NTRU Prime + x25519 key exchange method. "The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo," the release notes said
Microsoft has successfully disrupted attacks against Ukrainian targets coordinated by the Russian APT28 hacking group after taking down seven domains used as attack infrastructure. Strontium (also tracked as Fancy Bear or APT28), linked to Russia's military intelligence service GRU, used these domains to target multiple Ukrainian institutions, including media organizations.
A new traffic direction system (TDS) called Parrot is relying on servers that host 16,500 websites of universities, local governments, adult content platforms, and personal blogs. Parrot's use is for malicious campaigns to redirect potential victims matching a specific profile (location, language, operating system, browser) to online resources such as phishing and malware-dropping sites.
The websites of Finland’s defense and foreign affairs were taken offline today following DDoS attacks. The ministries each confirmed the attacks on Twitter earlier today, although the websites now appear to be back up and running. The nation’s Ministry of Defense wrote at 10.45 am GMT: “The Department of Defense’s website is currently under attack. We are currently investigating. We will post any additional information below.” It followed up with: “For the time being, we will keep the Department of Defense website closed until the harmful traffic on the website is gone”
A Ukrainian national has been sentenced as a member of the FIN7 hacking group. Becoming a certified ethical hacker can lead to a rewarding career. Here are our recommendations for the top certifications. On Thursday, the US Department of Justice (DoJ) announced the sentencing of Denys Iarmak to five years in prison for working as a FIN7 penetration tester.
A configuration error exposed millions of internal records traced back to Fox News, including personally identifiable information on employees, researchers have claimed. A team at Website Planet led by Jeremiah Fowler claimed that anyone with an internet connection could theoretically have discovered the 58GB trove, which was left open with no password protection.
VMware has released security updates to patch eight vulnerabilities spanning its products, some of which could be exploited to launch remote code execution attacks. Tracked from CVE-2022-22954 to CVE-2022-22961 (CVSS scores: 5.3 - 9.8), the issues impact VMware Workspace ONE Access, VMware Identity Manager, VMware vRealize Automation, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. Five of the eight bugs are rated Critical, two are rated Important, and one is rated Moderate in severity. Credited with reporting all the vulnerabilities is Steven Seeley of Qihoo 360 Vulnerability Research Institute.
A new information stealer named FFDroider has emerged, stealing credentials and cookies stored in browsers to hijack victims' social media accounts. Social Media accounts, especially verified ones, are an attractive target for hackers as threat actors can use them for various malicious activities, including conducting cryptocurrency scams and distributing malware. These accounts are even more attractive when they have access to the social site's ad platforms, allowing threat actors to use the stolen credentials to run malicious advertisements.
The Palo Alto Networks Product Security Assurance team is evaluating the OpenSSL infinite loop vulnerability (CVE-2022-0778) as it relates to our products. This vulnerability causes the OpenSSL library to enter an infinite loop when parsing an invalid certificate and can result in a Denial-of-Service (DoS) to the application. An attacker does not need a verified certificate to exploit this vulnerability because parsing a bad certificate triggers the infinite loop before the verification process is completed.
Security researchers have spotted a new cryptocurrency miner targeting serverless computing platforms, like AWS Lambda. While the malware only runs cryptomining software, it shows how threat actors are capable of exploiting complex cloud infrastructure. While cryptomining is more of a nuisance than anything, there are implications for more prolific attacks in the future.
Russian hackers used compromised employee credentials to launch the cyber-attack that severely disrupted internet services in Ukraine last week, it has been claimed today. Kyrylo Honcharuk, CIO of Ukrtelecom, Ukraine’s national telecommunications provider targeted in the attack on March 28, said Russia accessed the account of an employee in a region “recently temporarily” occupied, although the exact location was not disclosed.
US government officials announced today the disruption of the Cyclops Blink botnet controlled by the Russian-backed Sandworm hacking group before being used in attacks. The malware, used by Sandworm to create this botnet since at least June 2019, is targeting WatchGuard Firebox firewall appliances and multiple ASUS router models. Cyclops Blink enables the attackers to establish persistence on the device through firmware updates, providing remote access to compromised networks.
The Conti ransomware gang is still actively running campaigns against victims around the world, despite the inner workings of the group being revealed by data leaks. One of the most prolific ransomware groups of the last year, Conti has encrypted networks of hospitals, businesses, government agencies and more – in many cases, receiving a significant ransom payment in exchange for the decryption key.
A leading US payments company is contacting over eight million current and former customers of its Cash App Investing subsidiary that their details may have been accessed by a malicious insider. San Francisco-headquartered Block revealed the news in an SEC filing on Monday.
The US Department of Justice (DOJ) has shut down Hydra Market, one of the world's largest darknet marketplaces. On Tuesday, the DOJ and German federal police seized Hydra's servers and cryptocurrency wallets containing $25 million worth of bitcoin.
CVE-2021-45382 is a Remote Code Execution (RCE) vulnerability that exists in all series H/W revisions D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L routers via the DDNS function in ncc2 binary file. DDNS (Dynamic Domain Name System) is a function that allows systems to overcome the issues related to Dynamic IP Addresses, in attempting to connect to a resource somewhere on the Internet whose IP address may change at any time.
Tens of thousands of victims have been tricked into clicking on an email claiming to contain a WhatsApp voicemail message, according to researchers. A team at Armorblox has already detected close to 28,000 mailboxes impacted across Google Workspace and Microsoft 365. The email in question is titled “New Incoming Voicemessage,” with the body text spoofed to appear as if a private message has been sent via WhatsApp to the recipient. To view the secure message, victims are asked to click on an embedded button called “play.” Upon clicking on the button, the email will redirect the victim to a webpage that attempts to install the JS/Kryptik Trojan.
A Chinese state-backed advanced persistent threat (APT) group known for singling out Japanese entities has been attributed to a new long-running espionage campaign targeting new geographies, suggesting a "widening" of the threat actor's targeting. The widespread intrusions, which are believed to have commenced at the earliest in mid-2021 and continued as recently as February 2022, have been tied to a group tracked as Cicada, which is also known as APT10, Stone Panda, Potassium, Bronze Riverside, or MenuPass Team.
The Computer Emergency Response Team of Ukraine (CERT-UA) has spotted new phishing attempts attributed to the Russian threat group tracked as Armageddon (Gamaredon). The malicious emails attempt to trick the recipients with lures themed after the war in Ukraine and infect the target systems with espionage-focused malware.
Electricity, oil and gas and other critical infrastructure vital to our everyday lives is increasingly at risk from cyber attackers who know that successfully compromising industrial control systems (ICS) and operational technology (OT) can enable them to disrupt or tamper with vital services. A report from cybersecurity company Dragos details ten different hacking operations which are known to have actively targeted industrial systems in North America and Europe – and it's warned that this activity is likely to grow in the next 12 months.
A new remote access trojan (RAT) named Borat has appeared on darknet markets, offering easy-to-use features to conduct DDoS attacks, UAC bypass, and ransomware deployment. As a RAT, Borat enables remote threat actors to take complete control of their victim’s mouse and keyboard, access files, network points, and hide any signs of their presence. The malware lets its operators choose their compilation options to create small payloads that feature precisely what they need for highly tailored attacks.
Email marketing firm MailChimp disclosed on Sunday that they had been hit by hackers who gained access to internal customer support and account management tools to steal audience data and conduct phishing attacks. Sunday morning, Twitter was abuzz with reports from owners of Trezor hardware cryptocurrency wallets who received phishing notifications claiming that the company suffered a data breach. These emails prompted Trezort customers to reset their hardware wallet PINs by downloading malicious software that allowed stealing the stored cryptocurrency.
An employee of the United States National Security Agency (NSA) has been accused of sending national defense secrets from his personal email account. A 26-count indictment unsealed Thursday in the District of Maryland alleges that 60-year-old Mark Robert Unkenholz willfully transmitted classified National Defense Information (NDI) on 13 occasions between February 14 2018 and June 1 2020.
Threat analysts have compiled a detailed technical report on FIN7 operations from late 2021 to early 2022, showing that the adversary continues to be very active, evolving, and trying new monetization methods. FIN7 (a.k.a. Carbanak) is a Russian-speaking, financially motivated actor known for its resourceful and diverse set of tactics, custom-made malware, and stealthy backdoors. Although some members of the group were indicted in 2018, followed by the sentencing of one of its managers in 2021, FIN7 did not disappear and kept developing new tools for stealthy attacks.
Researchers from SonarSource discovered two 15-year-old security flaws in the PEAR (PHP Extension and Application Repository) repository that could have enabled supply chain attacks. PEAR is a framework and distribution system for reusable PHP components” (Security Affairs, 2022). The vulnerability has been deemed critical because it can easily be exploited by a low-skilled threat actor, it also resides in a central component of the PHP supply chain. Using the vulnerability, and attacker can take over any developer account and even publish malicious releases.
Security Researcher "frycos" has released an alleged vulnerability impacting the 3CX Phone Management System. "3CX is an open-platform office phone system that runs on premise on Windows or Linux, with the option to migrate to cloud with a simple backup and restore." (3CX). The software is typically installed on-premise and is a VoIP solution for collaborative communication.
GitLab has addressed a critical severity vulnerability that could allow remote attackers to take over user accounts using hardcoded passwords. The bug (discovered internally and tracked as CVE-2022-1162) affects both GitLab Community Edition (CE) and Enterprise Edition (EE).
Network equipment company Zyxel has updated the firmware of several of its business-grade firewall and VPN products to address a critical-severity vulnerability that could give attackers administrator-level access to affected devices. Zyxel’s security advisory refers to products from the USG/ZyWALL, USG FLEX, ATP, VPN, and NSG (Nebula Security Gateway) series. Tracked as CVE-2022-0342, the vulnerability if exploited allows an unauthenticated attacker to gain administrative access to impacted Zyxel devices.
Two new security vulnerabilities have been disclosed in Rockwell Automation's programmable logic controllers (PLCs) and engineering workstation software that could be exploited by an attacker to inject malicious code on affected systems and stealthily modify automation processes. The flaws have the potential to disrupt industrial operations and cause physical damage to factories in a manner similar to that of Stuxnet and the Rogue7 attacks, operational technology security company Claroty said.
Apple rushed out patches for two zero-days affecting macOS and iOS Thursday, both of which are likely under active exploitation and could allow a threat actor to disrupt or access kernel activity. Apple released separate security updates for the bugs – a vulnerability affecting both macOS and iOS tracked as CVE-2022-22675 and a macOS flaw tracked as CVE-2022-22674. Their discovery was attributed to an anonymous researcher. CVE-2022-22675 – found in the AppleAVD component present in both macOS and iOS – could allow an application to execute arbitrary code with kernel privileges, according to the advisory.
Security researchers at SentinelLabs have spotted a previously undetected destructive wiper tracked as AcidRain, that hit routers and modems and was suspected to be linked to the Viasat KA-SAT attack that took place on February 24th, 2022. The cyberattack hit the KA-SAT network which caused thousands of modems across Europe to be unreachable. AcidRain uses destructive commands to overwrite key data in flash memory. The modems were then unable to access the network, but were not permanently damaged.
Researchers have uncovered a new infostealer malware being peddled in Russian underground forums. Dubbed BlackGuard, zScaler says that the new malware strain is "sophisticated" and has been made available to criminal buyers for a monthly price of $200. Infostealers are forms of malware designed to harvest valuable data, potentially including operating system information, contact lists, screenshots, network traffic, and online account credentials including those used to access financial services and banking.
Researchers have disclosed what they say is the first-ever Python-based ransomware strain specifically designed to target exposed Jupyter notebooks, a web-based interactive computing platform that allows editing and running programs via a browser. While access to the online application is normally restricted, sometimes these notebooks are left exposed to the internet with no authentication means, allowing anyone to easily access the notebook.
A bug in the support dashboard of Palo Alto Networks (PAN) exposed thousands of customer support tickets to an unauthorized individual. The exposed information included, names and (business) contact information of the person creating support tickets, conversations between Palo Alto Networks staff members and the customer.
According to the Google Threat Analysis Group (TAG), a great number of threat actors are currently exploiting the event of the Russian invasion in Ukraine to launch phishing and malware cyberattacks against Eastern European and NATO countries. The cyberattacks also target Ukraine. Credential phishing cyberattacks organized by a Russian-based hacking group known as COLDRIVER against a NATO Center of Excellence and Eastern European forces are highlighted in the paper. “A Ukrainian defense contractor and many US-based non-governmental organizations (NGOs) together with think tanks were also among the targets of Russian threat actors.
Researchers disclosed a zero-day vulnerability, dubbed Spring4Shell, in the Spring Core Java framework called ‘Spring4Shell.’ An unauthenticated, remote attacker could trigger the vulnerability to execute arbitrary code on the target system. The framework is currently maintained by Spring.io which is a subsidiary of VMware. The Spring Framework is an application framework and inversion of control container for the Java platform. The framework’s core features can be used by any Java application, but there are extensions for building web applications on top of the Java EE (Enterprise Edition) platform.
According to .PDF released by the the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords. In recent years, UPS vendors have added an Internet of Things capability, and UPSs are routinely attached to networks for power monitoring, routine maintenance, and/or convenience.
A nascent information stealer called Mars has been observed in campaigns that take advantage of cracked versions of the malware to steal information stored in web browsers and cryptocurrency wallets. "Mars Stealer is being distributed via social engineering techniques, malspam campaigns, malicious software cracks, and keygens," Morphisec malware researcher Arnold Osipov said in a report published Tuesday.
A new spear phishing campaign is taking place in Russia targeting dissenters with opposing views to those promoted by the state and national media about the war against Ukraine. The campaign targets government employees and public servants with emails warning of the software tools and online platforms that are forbidden in the country. The messages come with a malicious attachment or link embedded in the body that is dropping a Cobalt Strike beacon to the recipient's system, enabling remote operators to conduct espionage on the target.
US satellite communications provider Viasat has shared an incident report regarding the cyberattack that affected its KA-SAT consumer-oriented satellite broadband service on February 24, the day Russia invaded Ukraine. Today's incident report comes after the KA-SAT satellite network — "used intensively by the Ukrainian military" — was affected by a cyberattack that triggered satellite service outages in Central and Eastern Europe.
The Ukrainian Defense Ministry’s Directorate of Intelligence has published what it claims is the personal data of hundreds of Russian intelligence officers online. The data, which was published on Monday, contains the names, addresses and phone numbers of 620 individuals who Ukraine asserts to be officers of Russia’s Federal Security Service (FSB) involved in “criminal activities” in Europe. Ukraine said the alleged FSB officers on the list are registered as living in Lubyanka – the agency’s headquarters in Moscow.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DOE) are aware of threat actors gaining access to a variety of internet-connected uninterruptible power supply (UPS) devices, often through unchanged default usernames and passwords. In a CISA and DOE Insights, organizations are provided with recommended actions to mitigate attacks against UPS devices.
The Security Service of Ukraine (SBU) has destroyed five "enemy" bot farms engaged in activities to frighten Ukrainian citizens. In a March 28 release, the SBU said that the bot farms had an overall capacity of at least 100,000 accounts spreading misinformation and fake news surrounding Russia's invasion of Ukraine, which started on February 24 and has now lasted over a month.
Hackers are compromising WordPress sites to insert a malicious script that uses visitors' browsers to perform distributed denial-of-service attacks on Ukrainian websites. Today, MalwareHunterTeam discovered a WordPress site compromised to use this script, targeting ten websites with Distributed Denial of Service (DDoS) attacks. These websites include Ukrainian government agencies, think tanks, recruitment sites for the International Legion of Defense of Ukraine, financial sites, and other pro-Ukrainian sites.
Security hardware manufacturer SonicWall has fixed a critical vulnerability in the SonicOS security operating system that allows denial of service (DoS) attacks and could lead to remote code execution (RCE). The security flaw is a stack-based buffer overflow weakness with a 9.4 CVSS severity score and impacting multiple SonicWall firewalls.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Google Chrome zero-day (CVE-2022-1096) and a critical Redis vulnerability (CVE-2022-0543), along with other 30 vulnerabilities, to its Known Exploited Vulnerabilities Catalog”.
The distribution of the IcedID malware has seen a spike recently due to a new campaign that hijacks existing email conversation threads and injects malicious payloads that are hard to spot. IcedID is a modular banking trojan first spotted back in 2017, used mainly to deploy second-stage malware such as other loaders or ransomware. Its operators are believed to be initial access brokers who compromise networks and then sell the access to other cybercriminals.
Google has released Chrome 99.0.4844.84 for Windows, Mac, and Linux users to address a high-severity zero-day bug exploited in the wild. "Google is aware that an exploit for CVE-2022-1096 exists in the wild," the browser vendor said in a security advisory published on Friday. The 99.0.4844.84 version is already rolling out worldwide in the Stable Desktop channel, and Google says it might be a matter of weeks until it reaches the entire userbase.
Sophos has patched a remote code execution (RCE) vulnerability in the Firewall product line. Sophos Firewall is an enterprise cybersecurity solution that can adapt to different networks and environments. Firewall includes TLS and encrypted network traffic inspection, deep packet inspection, sandboxing, intrusion prevention systems (IPSs), and visibility features for detecting suspicious and malicious network activity. On March 25, the cybersecurity company disclosed the RCE, which was privately disclosed to Sophos via the firm's bug bounty program by an external cybersecurity researcher.
The Hive ransomware operation has converted their VMware ESXi Linux encryptor to the Rust programming language and added new features to make it harder for security researchers to snoop on victim's ransom negotiations. As the enterprise becomes increasingly reliant on virtual machines to save computer resources, consolidate servers, and for easier backups, ransomware gangs are creating dedicated encryptors that focus on these services. Ransomware gang's Linux encryptors typically target the VMware ESXI virtualization platforms as they are the most commonly used in the enterprise.
Russia's RSPP Commission for Communications and IT, the country's largest entrepreneurship union, has warned of imminent large-scale service Internet service outages due to the lack of available telecom equipment. To raise awareness, the commission has compiled a document that reflects the practical challenges facing the industry in Russia at this time and also presents a set of proposals specifically crafted to alleviate them. Russian media that have seen the document in question say that the warning is dire, as the commission highlights the reserves of telecom operator equipment will only last for another six months.
Mobile malware — Android Trojans in particular — accounts for a small slice of overall malware activity, but it's capable of doing more than just displaying adware. Some types of Android Trojans are capable of exfiltrating call data and GPS locations, for example.
The City of London Police announced to have arrested seven teenagers suspected of being members of the notorious Lapsus$ extortion gang, which is believed to be based in South America. “Four researchers investigating the hacking group Lapsus$, on behalf of companies that were attacked, said they believe the teenager is the mastermind.” states Bloomberg that first reported the news. “Lapsus$ has befuddled cybersecurity experts as it has embarked on a rampage of high-profile hacks.
The U.S. government on Thursday released a cybersecurity advisory outlining multiple intrusion campaigns conducted by state-sponsored Russian cyber actors from 2011 to 2018 that targeted the energy sector in the U.S. and beyond. "The [Federal Security Service] conducted a multi-stage campaign in which they gained remote access to U.S. and international Energy Sector networks, deployed ICS-focused malware, and collected and exfiltrated enterprise and ICS-related data," the U.S. government said, attributing the attacks to an APT actor known as Energetic Bear.
Western Digital has released new My Cloud OS firmware to fix a vulnerability exploited by bug hunters during the Pwn2Own 2021 hacking competition to achieve remote code execution. The flaw, tracked as CVE-2022-23121, was exploited by the NCC Group’s EDG team members and relied on the open-source service named “Netatalk Service” that was included in My Cloud OS. The vulnerability, which has a CVSS v3 severity score of 9.8, allows remote attackers to execute arbitrary code on the target device, in this case, WD PR4100 NAS, without requiring authentication.
Researchers have disclosed a 'replay attack' vulnerability affecting select Honda and Acura car models, that allows a nearby hacker to unlock your car and even start its engine from a short distance. The attack consists of a threat actor capturing the RF signals sent from your key fob to the car and resending these signals to take control of your car's remote keyless entry system. The vulnerability, according to researchers, remains largely unfixed in older models. But Honda owners may be able to take some action to protect themselves against this attack.
On Wednesday, the cloud computing company VMware released software updates to patch two critical security vulnerabilities affecting its Carbon Black App Control platform. The vulnerabilities, if exploited, could be abused by threat actors to execute arbitrary code on affected installations in Windows systems. VMware Carbon Black App Control is an application allow listing solution that is designed to enable security operations teams to lock down servers and critical systems, prevent unwanted changes, and ensure continuous compliance with regulatory mandates.
North Korean state hackers have exploited a zero-day, remote code execution vulnerability in Google Chrome web browser for more than a month before a patch became available, in attacks targeting news media, IT companies, cryptocurrency, and fintech organizations. Google’s Threat Analysis Group (TAG) attributed two campaigns exploiting the recently patched CVE-2022-0609 (described only as “use after free in Animation” at the moment) to two separate attacker groups backed by the North Korean government.
A "large scale" attack is targeting Microsoft Azure developers through malicious npm packages. On Wednesday, cybersecurity researchers from JFrog said that hundreds of malicious packages have been identified, created to steal valuable personally identifiable information (PII) from developers. The miscreants responsible for the npm repositories have developed an automated script that targets the @azure npm scope, alongside @azure-rest, @azure-tests, @azure-tools, and @cadl-lang.
Ukraine CERT-UA continues to observe malware based attacks aimed at Ukrainian organizations, in a recent alert it warned of attacks employing a wiper dubbed DoubleZero. The campaign was first spotted by CERT-UA on March 17, after seeing threat actors targeting users with malicious spear-phishing attacks. DoubleZero is an obfuscated .Net program that can be used to destroy files on infected systems.
Research from Splunk has revealed that the median ransomware variant can encrypt nearly 100,000 files totaling 53.93GB in forty two minutes and fifty-two seconds. A successful ransomware infection can leave organizations without access to critical IP, employee information and customer data.
Yesterday, the popular Anonymous hacktivist collective announced on twitter that it hacked Nestle, the largest food company in the world. Anonymous recently declared war on all companies that continue to operate in Russia by paying taxes to the Russian government. On March 20, the group stated that it would give the companies 48 hours to withdraw from Russia. Any company that failed to comply would become a target of the hacktivist group.
An unknown Chinese-speaking threat actor has been targeting betting companies in Taiwan, Hong Kong, and the Philippines, leveraging a vulnerability in WPS Office to plant a backdoor on the targeted systems. The adversary appears to be sophisticated, and its toolset features code similarities to APT group backdoors analyzed in two 2015 and 2017 reports by Palo Alto and BlackBerry, respectively The newest campaign was spotted by researchers at Avast, who have sampled several malware tools from the threat actors, who have compiled a rich, modular toolset.
Researchers have discovered a previously unknown macOS malware variant called GIMMICK, which is believed to be a custom tool used by a Chinese espionage threat actor known as 'Storm Cloud.’ The malware was discovered by researchers at Volexity, who retrieved it from the RAM of a MacBook Pro running macOS 11.6 (Big Sur), which was compromised in a late 2021 cyberespionage campaign. GIMMICK is a multi-platform family that uses public cloud hosting services such as Google Drive for command-and-control (C2) channels. The malware is written primarily in Objective C, with Windows versions written in both .NET and Delphi. Despite the differences in programming languages used, Volexity has tracked the malware under the same name due to the shared C2 architecture, file paths, and behavioral patterns used by all variants.
Microsoft confirmed that Lapsus$ extortion group has hacked one of its employees to access and steal the source code of some projects. Yesterday the cybercrime gang leaked 37GB of source code stolen from Microsoft’s Azure DevOps server. On Sunday, the Lapsus$ gang announced to have compromised Microsoft’s Azure DevOps server and shared a screenshot of alleged internal source code repositories. The gang claims to have leaked the source code for some Microsoft projects, including Bing and Cortana.
Google has removed an app with over 1000,000 downloads from its Play Store after security researchers warned that the app was able to harvest the Facebook credentials of smartphone users. Researchers at French mobile security firm Pradeo said the app embeds Android trojan malware known as "Facestealer" because it dupes victims into typing in their Facebook credentials to a web page that transmits the credentials to the attacker's server, which happens to be a domain that was registered in Russia.
HP has published security advisories for three critical-severity vulnerabilities affecting hundreds of its LaserJet Pro, Pagewide Pro, OfficeJet, Enterprise, Large Format, and DeskJet printer models. The three vulnerabilities are tracked as CVE-2022-24291 (high severity score: 7.5), CVE-2022-24292 (critical severity score: 9.8), and CVE-2022-24293 (critical severity score: 9.8) While not many details about these vulnerabilities have been published, the vulnerabilities could be exploited for information disclosure, remote code execution, and denial of service.
A new BitRAT malware distribution campaign is underway, exploiting users looking to activate pirated Windows OS versions for free using unofficial Microsoft license activators. BitRAT is a powerful remote access trojan sold on cybercrime forums and dark web markets for as low as $20 (lifetime access) to any cybercriminal who wants it. As such, each buyer follows their own approach to malware distribution, ranging from phishing, watering holes, or trojanized software.
1. Collect and preserve all Okta logs, focus on the Okta System Log as it's the main audit trail for Okta activities Need more info on this log check (https://developer.okta.com/docs/reference/api/system-log/)
2. Search your audit log for suspicious activity focus on your superuser/admin Okta accounts as they pose the largest risk
3. Rotate passwords for high-privileged accounts, at this stage it might be a bit early to rotate passwords for all users
4. If you outsource (parts) of your Okta deployment check in with your vendor and make sure what 3rd party admin accounts are used and ask them for support
5. Check if you currently have Okta support access enabled, you might want to disable that for the time being more info (https://help.okta.com/oie/en-us/Content/Topics/Settings/settings-support-access.htm)
6. Check for (privileged) accounts created around the time of the suspected breach - 21 January 2022
Okta, a leading provider of authentication services and Identity and access management (IAM) solutions says it is investigating claims of data breach. On Tuesday, data extortion group Lapsus$ posted screenshots in their Telegram channel of what it alleges to be access to Okta's backend adminsitrative consoles and customer data. As a publicly-traded company worth over $6 billion, Okta employs over 5,000 people across the world and provides identity management and authentication services to major organizations including Siemens, ITV, Pret a Manger, Starling Bank, among others.
The U.S. government on Monday once again cautioned of potential cyber attacks from Russia in retaliation for economic sanctions imposed by the west on the country following its military assault on Ukraine last month. "It's part of Russia's playbook," U.S. President Joe Biden said in a statement, citing "evolving intelligence that the Russian Government is exploring options."
“The Government Team for Response to Computer Emergencies of Ukraine (CERT-UA) warns of spear-phishing messages conducted by UAC-0035 group (aka InvisiMole) against Ukrainian state bodies. The messages use an archive named “501 25 103.zip”, which contains a shortcut file. Upon opening the LNK file, an HTA file will be downloaded and executed on the victim’s computer. The HTA file contains a VBScript code that fetches and decodes the bait file and the malicious program LoadEdge backdoor.
Western Digital's EdgeRover desktop app for both Windows and Mac are vulnerable to local privilege escalation and sandboxing escape bugs that could allow the disclosure of sensitive information or denial of service (DoS) attacks. EdgeRover is a centralized content management solution for Western Digital and SanDisk products, unifying multiple digital storage devices under a single management interface. It aims to increase usability and comfort by offering a variety of features including, content searching, filtering, categorization, collection creation, duplicate detection, and more.
Microsoft says they are investigating claims that the Lapsus$ data extortion hacking group breached their internal Azure DevOps source code repositories and stolen data. On Sunday, the Lapsus$ gang posted a screenshot on Telegram of alleged internal source code repositories, indicating that they hacked Microsoft’s Azure DevOps server. The screenshot posted by the gang showcased the DevOps repository which contained source code for Cortana and various Bing projects named 'Bing_STC-SV', 'Bing_Test_Agile', and "Bing_UX.
The Federal Bureau of Investigation (FBI) warns of AvosLocker ransomware being used in attacks targeting multiple US critical infrastructure sectors. This was disclosed in a joint cybersecurity advisory published last week in coordination with the US Treasury Department and the Financial Crimes Enforcement Network (FinCEN). "AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across multiple critical infrastructure sectors in the United States including, but not limited to, the Financial Services, Critical Manufacturing, and Government Facilities sectors," the FBI said.
This week the European Union Aviation Safety Agency (EASA) has issued a Safety Information Bulletin to warn of intermittent Global Navigation Satellite Systems (GNSS) outages near Ukraine conflict areas amid the ongoing conflict. The European Agency jamming and/or spoofing attacks against GNSS have intensified in geographical areas surrounding the conflict zone and other areas.
VEEAM, a backup and cloud solutions provider, announced that it had fixed two critical vulnerabilities that allow remote code execution (RCE). CVE-2022-26500 and CVE-2022-26501 with CVSS scores of 9.8 are located on VEEAM Distribution Services.
Threat analysts following the activity of UNC2891 (LightBasin), a financially motivated group of hackers, report the discovery of a previously unknown Unix rootkit that is used to steal ATM banking data and conduct fraudulent transactions. The particular group of adversaries has been recently observed targeting telecom companies with custom implants, while back in 2020, they were spotted compromising managed service providers and victimizing their clients.
TransUnion South Africa has disclosed that hackers breached one of their servers using stolen credentials and demanded a ransom payment not to release stolen data. The African division of TransUnion operates in eight African countries offering commercial and consumer insurance and risk information solutions across various industries. According to the company's statement, an unauthorized person obtained access to a server based in South Africa using stolen credentials.
The malware known as DirtyMoe has gained new worm-like propagation capabilities that allow it to expand its reach without requiring any user interaction, the latest research has found. Active since 2016, the DirtyMoe botnet is used for carrying out cryptojacking and distributed denial-of-service (DDoS) attacks, and is deployed by means of external exploit kits like PurpleFox or injected installers of Telegram Messenger.
Google's Threat Analysis Group (TAG) took the wraps off a new initial access broker that it said is closely affiliated to a Russian cyber crime gang notorious for its Conti and Diavol ransomware operations. Dubbed Exotic Lily, the financially motivated threat actor has been observed exploiting a now-patched critical flaw in the Microsoft Windows MSHTML platform (CVE-2021-40444) as part of widespread phishing campaigns that involved sending no fewer than 5,000 business proposal-themed emails a day to 650 targeted organizations globally.
In what's yet another act of sabotage, the developer behind the popular "node-ipc" NPM package shipped a new version to protest Russia's invasion of Ukraine, raising concerns about security in the open-source and the software supply chain. Affecting versions 10.1.1 and 10.1.2 of the library, the changes introduced undesirable behavior by its maintainer RIAEvangelist, targeting users with IP addresses located either in Russia or Belarus, and wiping arbitrary file contents and replacing it with a heart emoji.
The Cyclops Blink botnet is now targeting Asus routers in a new wave of cyberattacks. Cyclops Blink, a modular botnet, is suspected of being the creation of Sandworm/Voodoo Bear, a Russian advanced persistent threat (APT) group. Several weeks ago, the UK National Cyber Security Centre (NCSC) and the United States' Cybersecurity and Infrastructure Security Agency (CISA), alongside the NSA and FBI, warned of the botnet's existence.
SolarWinds warned customers of attacks targeting Internet-exposed Web Help Desk (WHD) instances and advised removing them from publicly accessible infrastructure (likely to prevent the exploitation of a potential security flaw). WHD is an enterprise helpdesk ticketing and IT inventory management software designed to help customers automate ticketing and IT asset management tasks.
Microsoft released a scanner that detects MikroTik routers hacked by the TrickBot gang to act as proxies for command and control servers. TrickBot is a malware botnet distributed via phishing emails or dropped by other malware that has already infected a device. Once executed, TrickBot will connect to a remote command and control server to receive commands and download further payloads to run on the infected machine.
Microsoft released a scanner that detects MikroTik routers hacked by the TrickBot gang to act as proxies for command and control servers. TrickBot is a malware botnet distributed via phishing emails or dropped by other malware that has already infected a device. Once executed, TrickBot will connect to a remote command and control server to receive commands and download further payloads to run on the infected machine.
Meta has been forced to remove a deepfake of the Ukrainian President in which he appeared to call on the military to lay down their arms. Nathaniel Gleicher, head of security policy at the social media giant, announced the move in a series of tweets late on Wednesday. “Earlier today, our teams identified and removed a deepfake video claiming to show President Zelensky issuing a statement he never did. It appeared on a reportedly compromised website and then started showing across the internet. We’ve quickly reviewed and removed this video for violating our policy against misleading manipulated media, and notified our peers at other platforms.
Attacks targeting Ukraine continue; in a recent report from CPOMagazine, ISPs are being targeted in coordinated attacks to disrupt internet activity for Ukrainian citizens, Governmental organizations, and private ones to disrupt operations and generate fear amongst Ukrainians. Internal sources said they could not pinpoint the source or those responsible for the cyberattacks that hit “key nodes of ISP networks, (CPOMagazine, 2022).” Both Triolan and Ukrtelecom, which have thousands of customers globally, have experienced random outages from the start of the Russian invasion on February 24 and onward. Reports suggest the outages have lasted from minutes to days, with the most prolonged outages from Triolan, where they temporarily disabled services so that they could be restored without intermittent interruption. The timeframe to restore services was increased because various networking devices required physical access for reconfiguration. The company has already restored more than two-thirds (70%) of the Internet nodes in Dnipro, Odesa, Kyiv, Kharkiv, Poltava, Zaporizhia, and Rivne, and stated that they are trying to stop the attackers as soon as possible and resume the network in all areas, according to a post from telegram.
A recently discovered botnet under active development targets Linux systems, attempting to ensnare them into an army of bots ready to steal sensitive info, installing rootkits, creating reverse shells, and acting as web traffic proxies. The newly found malware, dubbed B1txor20 by researchers at Qihoo 360's Network Security Research Lab (360 Netlab), focuses its attacks on Linux ARM, X64 CPU architecture devices.
OpenSSL has released a security update to address a vulnerability in the library that, if exploited, activates an infinite loop function and leads to denial of service conditions. Denial of service attacks may not be the most disastrous security problem. However, it can still cause significant business interruption, long-term financial repercussions, and brand reputation degradation for those affected.
The ransomware space was very active in the last quarter of 2021, with threat analysts observing 722 distinct attacks deploying 34 different variants. This massive amount of activity creates problems for the defenders, making it harder to keep up with individual group tactics, indicators of compromise, and detection opportunities. Compared to Q3 2021, the last quarter had 18% higher attack volume, while the comparison to Q2 2021 results in a difference of 22%, so there’s a trend of increasing attack numbers.
A report recently published by flashpoint highlights the risk associated with cloud security and its various infrastructure. Checkpoint found that applications, otherwise known as 'apps,' are susceptible to data leaks due to misconfigurations of back-end cloud databases. In cloud computing, like on-premises configurations, a server in a closet provides clients or endpoints on local networks access to resources required to complete one's job function. The 'back end is the "cloud" section where databases or resources live. The front end includes the client's computer (or computer network) and the application required to access the cloud computing system. In this particular report, the client is a mobile device where applications or clients are either obtained through a third-party website or proprietary distribution platform like Android's 'Google Play Store,' Apples' App Store,' or for Jail Broken products, 'Cydia.’ During Checkpoint’s study, they discovered 2113 mobile applications where their Firebase back-end was exposed due to misconfigurations.
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) warned that Russia-linked threat actors have gained access to a non-governmental organization (NGO) cloud by exploiting misconfigured default multifactor authentication (MFA) protocols and enrolled their own device in the organization’s Cisco’s Duo MFA.
Today, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default multifactor authentication (MFA) protocols and a known vulnerability.
Germany's Federal Office for Information Security, BSI, is warning companies against using Kaspersky antivirus products due to threats made by Russia against the EU, NATO, and Germany. Kaspersky is a Moscow-based cybersecurity and antivirus provider founded in 1997, that has a long history of success, but also controversy over the company's possible relationship with the Russian government.
Large-scale phishing activity using hundreds of domains to steal credentials for Naver, a Google-like online platform in South Korea, shows infrastructure overlaps linked to the TrickBot botnet. The resources used for this attack show the sheer size of the cybercriminal effort to collect login data to be used in various attacks. Similar to Google, Naver provides a diverse set of services that range from web search to email, news, and the NAVER Knowledge iN online Q&A platform.
Researchers have uncovered a new form of wiper malware being used in assaults against Ukrainian organizations. On March 14, ESET published a Twitter thread documenting the malware, dubbed CaddyWiper, that was compiled on the same day it was deployed to target networks. The wiper -- the third discovered in as many weeks by the cybersecurity firm -- has been detected "on a few dozen systems in a limited number of organizations," according to ESET
Security researchers from MalwareHunterTeam analyzed phishing emails targeting Ukrainian governmental agencies to ultimately infect targeted machines with Cobalt Strike Beacons by imitating legitimate antivirus companies through tainted or malicious (fake) updates. Aside from Cobalt Strike, the attackers also used a dropper, coincidently titled “dropper.exe,” which was used to obtain a ‘Go’ downloader that executed an additional file disguised as a java SDK, “An environment for building applications and components using the Java programming language.
Israeli government websites were taken offline yesterday in what was described as the largest ever cyber-attack to be launched against the country. The widescale Distributed Denial of Service (DDoS) successfully took down the websites of Israel’s Prime Minister’s Office and its interior, health, justice and welfare ministries. However, all these websites appear to be operational again.
Automotive parts manufacturer DENSO has confirmed that it suffered a cyberattack on March 10th after a new Pandora ransomware operation began leaking data allegedly stolen during the attack. DENSO is one of the world's largest automotive components manufacturers, supplying brands such as Toyota, Mercedes-Benz, Ford, Honda, Volvo, Fiat, and General Motors with a wide range of electrical, electronic, powertrain control, and various other specialized parts.
Taiwanese hardware vendor QNAP warns most of its Network Attached Storage (NAS) devices are impacted by a high severity Linux vulnerability dubbed 'Dirty Pipe' that allows attackers with local access to gain root privileges. The 'Dirty Pipe' security bug affects Linux Kernel 5.8 and later versions, even on Android devices. If successfully exploited, it allows non-privileged users to inject and overwrite data in read-only files, including SUID processes that run as root.
A Russian-speaking ransomware outfit likely targeted an unnamed entity in the gambling and gaming sector in Europe and Central America by repurposing custom tools developed by other APT groups like Iran's MuddyWater, new research has found. The unusual attack chain involved the abuse of stolen credentials to gain unauthorized access to the victim network, ultimately leading to the deployment of Cobalt Strike payloads on compromised assets, said Felipe Duarte and Ido Naor, researchers at Israeli incident response firm Security Joes, in a report published last week.
The cybercrime underground has fractured into pro-Ukraine and pro-Russia camps, with the latter increasingly focused on critical national infrastructure (CNI) targets in the West, according to a new report from Accenture. The consulting giant’s Accenture Cyber Threat Intelligence (ACTI) arm warned that the ideological schism could spell mounting risk for Western organizations as pro-Kremlin criminal groups adopt quasi-hacktivist tactics to choose their next victims.
The Anonymous hacker collective claimed to have hacked the German branch of the Russian energy giant Rosneft. (In a post this week), hacktivists announced to have stolen 20 terabytes of data from the company. According to the German website WELT, the attack on Rosneft Deutschland GmbH will have “relevant effects.” The news of the attack was also confirmed by the German Federal Office for Information Security (BSI), the company had reported an IT security incident on Saturday night.
The stealthy BazarBackdoor malware is now being spread via website contact forms rather than typical phishing emails to evade detection by security software. BazarBackdoor is a stealthy backdoor malware created by the TrickBot group and is now under development by the Conti ransomware operation. This malware provides threat actors remote access to an internal device that can be used as a launchpad for further lateral movement within a network. The BazarBackdoor malware is usually spread through phishing emails that include malicious documents that download and install the malware.
A new malware campaign is taking advantage of people's willingness to support Ukraine's cyber warfare against Russia to infect them with password-stealing Trojans. Last month, the Ukrainian government announced a new IT Army composed of volunteers worldwide who conduct cyberattacks and DDoS attacks against Russian entities. This initiative has led to a outpouring of support by many people worldwide who have been helping target Russian organizations and sites, even if that activity is considered illegal.
The cybernews research team identified an open ElasticSearch database, which contained more than 243GB of data detailing current and historic ship positions that is exposed to the public. Analyzing the data, the team determined that it is highly likely to belong to the Yangtze river ports of Nanjing and Zhangjiagang.
You’ve probably heard of the Conti ransomware group. After their 2020 emergence, they’ve accumulated at least 700 victims, where by “victims” we mean ‘big fish’ corporations with millions of dollars in revenue; unlike your average neighborhood ransomware operation, Conti never cared for extorting your mother-in-law for her vacation photos. For a while, Conti was the face of ransomware, along with fellow gang REvil – until this February, when 14 REvil operatives were arrested by the Russian authorities, leaving Conti effectively alone in its position as a major league ransomware operation. At the time, this was cautiously hailed as a sign of goodwill on Russia’s part; some figured that possibly the Russians would finally refuse to tolerate the incessant and irreverent attacks originating on Russian soil and targeted at western corporate offices, schools and hospitals. Now, a month later and two weeks into the full-blown war between Russia and Ukraine, this utopian vision does not seem so likely.
Lapsus$ is a newer ransomware gang that recently made headlines after some prominent attacks on Nvidia and Samsung. “The dumps released as Torrent files contain gigabytes of sensitive documents, digital code-signing certificates and source codes. Hackers have leaked the credentials of more than 71,000 Nvidia employees, source code of NVIDIA’s DLSS (Deep Learning Super Sampling) AI rendering technology, information about six supposed unannounced GPUs, and 190GB of Samsung source codes related to trusted applets in the smartphone TrustZone environment” (Security Affairs, 2022). More recently, the Lapsus$ group claims to have stolen 200 GB of data from Vodafone.
Researchers have disclosed a new technique that could be used to circumvent existing hardware mitigations in modern processors from Intel, AMD, and Arm and stage speculative execution attacks such as Spectre to leak sensitive information from host memory. Attacks like Spectre are designed to break the isolation between different applications by taking advantage of an optimization technique called speculative execution in CPU hardware implementations to trick programs into accessing arbitrary locations in memory and thus leak their secrets.
Dirty Pipe Privilege Escalation Vulnerability in Linux CISA is aware of a privilege escalation vulnerability in Linux kernel versions 5.8 and later known as “Dirty Pipe” (CVE-2022-0847). A local attacker could exploit this vulnerability to take control of an affected system. CISA encourages users and administrators to review (CVE-2022-0847) and update to Linux kernel versions 5.16.11, 5.15.25, and 5.10.102 or later.
Yaroslav Vasinskyi, accused of being connected to the Sodinokibi/REvil ransomware group, was extradited and arraigned in a Dallas, Texas court on Wednesday. In November, the Justice Department said the 22-year-old was behind the July 2021 ransomware attack against Kaseya, which crippled hundreds of companies around the world for days.
The Iranian state-sponsored threat actor known as MuddyWater has been attributed to a new swarm of attacks targeting Turkey and the Arabian Peninsula with the goal of deploying remote access trojans (RATs) on compromised systems. "The MuddyWater supergroup is highly motivated and can use unauthorized access to conduct espionage, intellectual property theft, and deploy ransomware and destructive malware in an enterprise," Cisco Talos researchers Asheer Malhotra, Vitor Ventura, and Arnaud Zobec said in a report published today.
Russia has created its own trusted TLS certificate authority (CA) to solve website access problems that have been piling up after sanctions prevent certificate renewals. The sanctions imposed by western companies and governments are preventing Russian sites from renewing existing TLS certificates, causing browsers to block access to sites with expired certificates.
Conti cyber threat actors remain active and reported Conti ransomware attacks against U.S. and international organizations have risen to more than 1000. Notable attack vectors include Trickbot and Cobalt Strike (see below for details). While there are no specific or credible cyber threats to the U.S. homeland at this time, CISA, FBI, NSA, and the United States Secret Service (USSS) encourage organizations to review this advisory and apply the recommended mitigations.
Three high-impact security vulnerabilities have been disclosed in APC Smart-UPS devices that could be abused by remote adversaries as a physical weapon to access and control them in an unauthorized manner. Collectively dubbed TLStorm, the flaws "allow for complete remote takeover of Smart-UPS devices and the ability to carry out extreme cyber-physical attacks," Ben Seri and Barak Hadad, researchers from IoT security company Armis, said in a report published Tuesday.
The Treasury Department's Financial Crimes Enforcement Network (FinCEN) warned U.S. financial institutions this week to keep an eye out for attempts to evade sanctions and US-imposed restrictions following Russia's invasion of Ukraine. Although unlikely, FinCEN added that convertible virtual currency (CVC) — the term used by U.S. Treasury to describe unregulated digital currency like cryptocurrency — exchanges and other financial institutions may still observe transactions linked to crypto wallets associated with sanctioned Russian, Belarusian, and affiliated individuals.
Russia says some of its federal agencies' websites were compromised in a supply chain attack on Tuesday after unknown attackers hacked the stats widget used to track the number of visitors by multiple government agencies The list of sites impacted in the attack includes the websites of the Energy Ministry, the Federal State Statistics Service, the Federal Penitentiary Service, the Federal Bailiff Service, the Federal Antimonopoly Service, the Culture Ministry, and other Russian state agencies.
As a result of the hybrid warfare taking place between Ukraine and Russia and heightened frictions between Russia and the NATO alliance, weaknesses have been uncovered in the cybersecurity of international electricity supplies.
Researchers from cybersecurity firm Binarly discovered 16 high-severity vulnerabilities in various implementations of Unified Extensible Firmware Interface (UEFI) firmware impacting multiple HP enterprise devices.
The notorious Emotet botnet is still being distributed steadily in the wild, having now infected 92,000 systems in 172 countries. While this may be a far cry from the once global dominance of having 1.6 million devices under its control, it shows that the malware is still undergoing a resurgence, and it’s getting stronger every day Emotet activity stopped in 2019 while its second major version was in circulation, and the malware returned only in November 2021, with the help of another malware known as Trickbot.
As many as seven security vulnerabilities have been disclosed in PTC's Axeda software that could be weaponized to gain unauthorized access to medical and IoT devices. Collectively called "Access:7," the weaknesses – three of which are rated Critical in severity – potentially affect more than 150 device models spanning over 100 different manufacturers,
Cloudflare, an U.S.-based web infrastructure and security company, has announced that it is taking drastic measures to protect data of customers in Eastern Europe under current conditions of the Russian invasion of Ukraine.
Security expert Max Kellermann discovered a Linux flaw, dubbed Dirty Pipe and tracked as CVE-2022-0847, that can allow local users to gain root privileges on all major distros.
The FBI first became aware of RagnarLocker in April 2020 and subsequently produced a FLASH to disseminate known indicators of compromise (IOCs) at that time. This FLASH provides updated and additional IOCs to supplement that report. As of January 2022, the FBI has identified at least 52 entities across 10 critical infrastructure sectors affected by RagnarLocker ransomware, including entities in the critical manufacturing, energy, financial services, government, and information technology sectors. RagnarLocker ransomware actors work as part of a ransomware family1, frequently changing obfuscation techniques to avoid detection and prevention.
Mozilla has released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 to fix two critical zero-day vulnerabilities actively exploited in attacks. Both zero-day vulnerabilities are "Use-after-free" bugs, which is when a program tries to use memory that has been previously cleared. When threat actors exploit this type of bug, it can cause the program to crash while at the same time allowing commands to be executed on the device without permission.
The Russian authorities are drafting a set of measures to support the country's economy against the pressure of foreign sanctions, and when it comes to software licensing, the proposal greenlights a form of piracy. More specifically, the suggested plan is to establish a "unilateral" software licensing mechanism that would renew expired licenses without requiring the consent of the copyright or patent owner.
Microsoft has addressed a vulnerability in the Azure Automation service that could have allowed attackers to take complete control over other Azure customers' data. Microsoft Azure Automation Service provides process automation, configuration management, and update management features, with each scheduled job running inside isolated sandboxes for each Azure customer.
BleepingComputer has learned that Hive ransomware gang is behind this attack, and they're asking for a muli-million ransom. Rompetrol is the operator of Romania's largest oil refinery, Petromidia Navodari, which has a processing capacity of over five million tons per year.
Last week, NIVIDA confirmed they were the targets of a cyber attack resulting in the loss of proprietary corporate data. Threat actors are now using stolen NVIDIA code signing certificates to sign malware. By signing certificates, malware appears to be trustworthy and malicious drivers can be loaded on Windows machines.
Phishing campaigns continue to focus on social media, ramping up efforts to target users for the third consecutive year as the medium becomes increasingly used worldwide for communication, news, and entertainment. The targeting of social media is the highlighted finding in the 2021 Phishing report by cybersecurity firm Vade, who analyzed phishing attack patterns that unfolded throughout 2021.
Telegram messaging has taken a pivotal role in the ongoing conflict between Russia and Ukraine, as it is being massively used by hacktivists and cybercriminals alike. According to a report from cybersecurity company Check Point, the number of Telegram groups has increased sixfold since February 24 and some of them, dedicated to certain topics, have ballooned in size, in some cases counting more than 250,000 members.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 95 vulnerabilities to its list of actively exploited security issues, the largest number since issuing the binding operational directive (BOD) last year. Despite some of them being known for almost two decades, the agency notes that the bugs “pose significant risk to the federal enterprise.
In a March 4 blog post, Microsoft announced it will be suspending new sales of it’s products and services to Russia. Microsoft is "coordinating closely and working in lockstep with the governments of the United States, the European Union and the United Kingdom, and they are stopping many aspects of our business in Russia in compliance with governmental sanctions decisions.
The list of domains includes the US CIA and FBI, USA Today, and Ukraine’s Korrespondent magazine, along with domains and apps specifically set up to target Russia amid the invasion. The advisory provides a list of recommendations for Russian organizations, including conducting an inventory of all network devices and services operating in their organization, restricting outside access to them, setting up logging systems, using complex and unique passwords, using Russian DNS servers, watching out phishing attacks, enforcing data backups.
A group of academics from the North Carolina State University and Dokuz Eylul University have demonstrated what they say is the "first side-channel attack" on homomorphic encryption that could be exploited to leak data as the encryption process is underway.
Cisco announced security patches for a couple of critical vulnerabilities, tracked as CVE-2022-20754 and CVE-2022-20755 (CVSS score of 9.0), in its Expressway Series and TelePresence Video Communication Server (VCS) unified communications products.
Avast has released a decryptor for the HermeticRansom ransomware strain used in targeted attacks against Ukrainian systems over the past ten days. The ransomware strain was delivered along with a computer worm named HermeticWizard and served more as a decoy in wiper attacks rather than a tool to support financial extortion. Still, its infections have disrupted vital Ukrainian systems.
JFrog’s Security Research team today released five new vulnerabilities discovered in the popular PJSIP open-source multimedia communication library. “PJSIP is a communication library written in C language implementing standard-based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. It combines signaling protocol (SIP) with rich multimedia framework and NAT traversal functionality into high level API that is portable and suitable for almost any type of systems ranging from desktops, embedded systems, to mobile handsets
The TeaBot Remote Access Trojan (RAT) has been upgraded, leading to a huge increase in both targets and spread worldwide. On March 1, the Cleafy research team said TeaBot now targets over 400 applications, pivoting from an earlier focus on "smishing" to more advanced tactics.
Distributed denial-of-service (DDoS) attacks leveraging a new amplification technique called TCP Middlebox Reflection have been detected for the first time in the wild, six months after the novel attack mechanism was presented in theory. A middlebox is an in-network device that sits on the path between two communicating end-hosts and can monitor, filter, or transform packet streams in-flight. Unlike traditional network devices like routers and switches, middleboxes operate not only on packets’ headers but also on their payloads using Deep Packet Inspection.
Details of a new nation-state sponsored phishing campaign have been uncovered setting its sights on European governmental entities in what's seen as an attempt to obtain intelligence on refugee and supply movement in the region. Enterprise security company Proofpoint, which detected the malicious emails for the first time on February 24, 2022, dubbed the social engineering attacks.
Huntress released details on a newly discovered APT group that aligns with North Korean threat actors. The group has been known to target national security think tanks with a piece of malware called BABYSHARK. The state sponsored threat actors are using the customized malware to target specific victim networks in targeted attacks.
Researchers from ESET have discovered additional malware strains used to target computer systems in Ukraine; the malware has capabilities that include device enumeration, encryption, lateral movement over SMB, and certificate impersonation. The attacks are described as destructive in nature.
Anonymous and numerous hacker groups linked to the popular collective continue to launch cyber attacks against Russian and Belarussian government organizations and private businesses” (Security Affairs, 2022). Ukraine has requested the help of IT “vigilantes” to help disrupt Russia operations in the area. Since then, massive DDoS attacks have been carried out against various Russian government entities including Duma and the Ministry of Defense.
Rated severity Medium, as we have seen Russian malware trickle from Ukraine to countries across the world. It is important to keep track of current malware strains and their mitigations.
Facebook (now known as Meta) says it took down accounts used by a Belarusian-linked hacking group (UNC1151 or Ghostwriter) to target Ukrainian officials and military personnel on its platform. In November 2021, Mandiant security researchers linked the UNC1151 threat group with high confidence to the Belarusian government, as well as a hacking operation the company tracks as Ghostwriter. Facebook also blocked multiple phishing domains used by the threat actors to try and compromise the accounts of Ukrainian users
A Ukrainian security researcher has leaked over 60,000 internal messages belonging to the Conti ransomware operation after the gang sided with Russia over the invasion of Ukraine. BleepingComputer has independently confirmed the validity of these messages from internal conversations previously shared with BleepingComputer regarding Conti's attack on Shutterfly.
Giant Japanese automaker Toyota Motors has announced that it stopped car production operations. The outage was forced by a system failure at one of its suppliers of vital parts, Kojima Industries, which reportedly suffered a cyberattack. Kojima Industries is a Japanese manufacturer of plastic components that are crucial for car production, so this is a case of severe supply chain interruption.
The website for the Moscow Stock Exchange was offline and inaccessible on Monday. A crowdsourced community of hackers endorsed by Kyiv officials has claimed responsibility for the outage. The Ukraine IT Army posted a message on Telegram that it had taken just five minutes to render the site inaccessible. A spokesperson for global internet connectivity tracking company NetBlocks told Forbes: “We can confirm the Moscow Exchange website is down, but we don’t have visibility into the incident’s root cause or the extent of the disruption.” Ukraine’s deputy prime minister, Mykhailo Fedorov, announced the formation of the IT Army on Twitter last week and published a link to a list of prominent Russian websites for the hackers to target. On the hit list were the websites of 31 Russian businesses and state organizations, including those of energy company Gazprom, oil producer Lukoil, three banks and several government websites. Following the IT Army’s Telegram post, Fedorov posted the following message on social media: “The mission has been accomplished! Thank you!”
The shortcomings are the result of an analysis of the cryptographic design and implementation of Android's hardware-backed Keystore in Samsung's Galaxy S8, S9, S10, S20, and S21 flagship devices, researchers Alon Shakevsky, Eyal Ronen, and Avishai Wool said. Trusted Execution Environments (TEEs) are a secure zone that provide an isolated environment for the execution of Trusted Applications (TAs) to carry out security critical tasks to ensure confidentiality and integrity. On Android, the hardware-backed Keystore is a system that facilitates the creation and storage of cryptographic keys within the TEE, making them more difficult to be extracted from the device in a manner that prevents the underlying operating system from having direct access.
The CISA and FBI joint advisory gives a high-level summary of the destructive malware being used, including both WhisperGate and HermeticWiper, against organizations in Ukraine to destroy computer systems and render them inoperable. It also includes open-source indicators of compromise (IOCs) for organizations to detect and prevent the malware from impacting their networks. Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of critical assets and data.
The well-known international hacking collective made the announcement on its Twitter account on Thursday, shortly after the Kremlin commenced military action. The message read: “The Anonymous collective is officially in cyber war against the Russian government. #Anonymous #Ukraine.” Shortly after, the group claimed responsibility for taking down Russian government websites, including the Kremlin and State Duma.
Authorities in the UK and United States have issued an alert regarding a group of Iranian government-sponsored advanced persistent threat (APT) actors known as MuddyWater. The actors, who are also known as Earth Vetala, MERCURY, Static Kitten, Seedworm, and TEMP.Zagros, have been observed conducting cyber espionage and other malicious cyber operations in Asia, Africa, Europe and North America.
TrickBot, the infamous Windows crimeware-as-a-service (CaaS) solution that's used by a variety of threat actors to deliver next-stage payloads like ransomware, appears to be undergoing a transition of sorts, with no new activity recorded since the start of the year. The lull in the malware campaigns is "partially due to a big shift from Trickbot's operators, including working with the operators of Emotet," researchers from Intel 471 said in a report shared with The Hacker News.
A notification from the U.S. Cybersecurity Infrastructure and Security Agency (CISA) warns that threat actors are exploiting vulnerabilities in the Zabbix open-source tool for monitoring networks, servers, virtual machines, and cloud services. The agency is asking federal agencies to patch any Zabbix servers against security issues tracked as CVE-2022-23131 and CVE-2022-23134, to avoid “significant risk” from malicious cyber actors.
The Computer Emergency Response Team of Ukraine (CERT-UA) warned today of a spear phishing campaign targeting private email accounts belonging to Ukrainian armed forces personnel. CERT-UA's report attributes this ongoing phishing campaign to the UNC1151 threat group, linked by Mandiant researchers with high confidence in November 2021 to the Belarusian government.
Storage solutions provider Asustor is warning its customers of a wave of Deadbolt ransomware attacks targeting its NAS devices. Since January, DeadBolt ransomware operators are targeting QNAP NAS devices worldwide, its operators claim the availability of a zero-day exploit that allows them to encrypt the content of the infected systems.
Users of Horde Webmail are being urged to disable a feature to contain a nine-year-old unpatched security vulnerability in the software that could be abused to gain complete access to email accounts simply by previewing an attachment. Horde Webmail is a free, browser-based communication suite that allows users to read, send, and organize email messages as well as manage and share calendars, contacts, tasks, notes, files, and bookmarks.
Cybersecurity firms ESET and Broadcom's Symantec said they discovered a new data wiper malware used in fresh attacks against hundreds of machines in Ukraine, as Russian forces formally launched a full-scale military operation against the country. The Slovak company dubbed the wiper "HermeticWiper" (aka KillDisk.NCV), with one of the malware samples compiled on December 28, 2021, implying that preparations for the attacks may have been underway for nearly two months.
Researchers at Palo Alto Network's Unit 42 said they discovered a tool -- named SockDetour -- that serves as a backup backdoor in case the primary one is removed. The researchers said it stood out and is hard to detect because it operates filelessly and socketlessly on compromised Windows servers.
An ongoing large-scale phishing campaign is targeting customers of Citibank, requesting recipients to disclose sensitive personal details to lift alleged account holds. The campaign uses emails that feature CitiBank logos, sender addresses that look genuine at first glance, and content that is free of typos.
A malware named Electron Bot has found its way into Microsoft’s Official Store through clones of popular games such as Subway Surfer and Temple Run, leading to the infection of roughly 5,000 computers in Sweden, Israel, Spain, and Bermuda.
One of the biggest obstacles to successful phishing attacks is bypassing multi-factor authentication (MFA) configured on the targeted victim's email accounts. Even if threat actors can convince users to enter their credentials on a phishing site, if MFA protects the account, fully compromising the account still requires the one-time passcode sent to the victim.
Analysis of the recently-emerged Entropy ransomware reveals code-level similarities with the general-purpose Dridex malware that started as a banking trojan. Two Entropy ransomware attacks against different organizations allowed researchers to connect the dots and establish a connection between the two pieces of malware.
A new version of the CryptBot info stealer was seen in distribution via multiple websites that offer free downloads of cracks for games and pro-grade software. CryptBot is a Windows malware that steals information from infected devices, including saved browser credentials, cookies, browser history, cryptocurrency wallets, credit cards, and files. The latest version features new capabilities and optimizations, while the malware authors have also deleted several older functions to make their tool leaner and more efficient.
Expeditors is a Fortune 500 logistics company headquartered in Seattle, Washington, United States of America. Expeditors provide efficient and tailored supply chain solutions to customers through a worldwide network of over 350 facilities in over 100 countries and across six continents. Expeditors International was targeted in a cyberattack forcing the corporation to shut down the majority of its global operations. As reported by Bleeping Computer, the effect was substantial, since Expeditors’ operations, which comprise freight, customs, and distribution, were constrained.
According to analysis by cybersecurity researchers at Proofpoint, 58% of organizations infected with ransomware paid a ransom to cyber criminals for the decryption key – and in many cases, they paid up more than once.
A new malware called Xenomorph distributed through Google Play Store has infected more than 50,000 Android devices to steal banking information. Still in early development stage, Xenomorph is targeting users of dozens of financial institutions in Spain, Portugal, Italy, and Belgium.
Vulnerable internet-facing Microsoft SQL (MS SQL) Servers are being targeted by threat actors as part of a new campaign to deploy the Cobalt Strike adversary simulation tool on compromised hosts.
This week has been pretty quiet; aside from a couple of things, we've been providing our members with continuous updates on the Ukraine and Russia situation and sharing any relevant news we've come across. We are monitoring the status closely as well as our various business partners. There is a grave concern with a possible fallout from the Ukraine and Russia geopolitical situation. Although a fairly common practice and observed on the threat landscape regularly, several financial institutions were implicated in DDoS in Ukraine, and ones in Canada also experienced some downtime this week.
SonicWall released a report which details a sustained meteoric rise in ransomware with 623.3 million attacks globally. Nearly all monitored threats, cyberattacks and malicious digital assaults rose in 2021 including: ransomware, encrypted threats, IoT malware and cryptojacking.
Since at least 2017, the APT has consistently used more than a dozen remote access Trojans to control and carry out malicious activities, such as cyberespionage, the researchers say.
The US National Security Agency (NSA) has issued fresh guidance for organizations on selecting strong passwords for Cisco devices, citing an increase in the number of compromises involving poorly protected network infrastructure.
On Tuesday, institutions central to Ukraine’s military and economy were hit with a wave of denial-of-service (DoS) attacks, which sparked an avalanche of headlines around the world. The strike itself had limited impact — but the larger implications for critical infrastructure beyond the Ukraine are worth noting, researchers said.
Cisco has addressed a high severity vulnerability that could allow remote attackers to crash Cisco Secure Email appliances using maliciously crafted email messages. This bug is due to an insufficient error handling issue in DNS name resolution found and reported to Cisco by Rijksoverheid Dienst ICT Uitvoering (DICTU) security researchers.
Starting in January 2022, Avanan observed how hackers are dropping malicious executable files in Teams conversations. The file writes data to the Windows registry, installs DLL files and creates shortcut links that allow the program to self-administer. Avanan has seen thousands of these attacks per month. In this attack brief, Avanan will analyze how these .exe files are being used by hackers in Microsoft Teams. In this attack, hackers are attaching .exe files to Teams chats to install a Trojan on the end-user’s computer. The Trojan is then used to install malware.
The International Committee of the Red Cross (ICRC) revealed that the attack that breached its network in January was conducted by a nation-state actor that exploited a Zoho vulnerability.
Five major Canadian banks went offline for hours blocking access to online and mobile banking as well as e-transfers for customers. The banks reportedly hit by the outage include Royal Bank of Canada (RBC), BMO (Bank of Montreal), Scotiabank, and the Canadian Imperial Bank of Commerce (CIBC). Online banking and e-Transfers down for many Canada's five major banks went offline yesterday impeding access to e-Transfers, online and mobile banking services for many.
Cybersecurity researchers have unpacked a new Golang-based botnet called Kraken that's under active development and features an array of backdoor capabilities to siphon sensitive information from compromised Windows hosts. "Kraken already features the ability to download and execute secondary payloads, run shell commands, and take screenshots of the victim's system," threat intelligence firm ZeroFox said in a report published Wednesday.
Researchers have identified an advanced persistent threat (APT) group responsible for a series of cyberespionage and spyware attacks against the aviation, aerospace, transportation and defense industries since at least 2017 that feature high-volume email campaigns using industry-specific lures.
Actions to Help Protect Against Russian State-Sponsored Malicious Cyber Activity:
• Enforce multifactor authentication.
• Enforce strong, unique passwords.
• Enable M365 Unified Audit Logs.
• Implement endpoint detection and response tools.
From at least January 2020, through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) have observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. The actors have targeted both large and small CDCs and subcontractors with varying levels of cybersecurity protocols and resources. These CDCs support contracts for the U.S. Department of Defense (DoD) and Intelligence Community in the following areas:
The notorious TrickBot malware is targeting customers of 60 financial and technology companies, including cryptocurrency firms, primarily located in the U.S., even as its operators have updated the botnet with new anti-analysis features.
Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to gain remote code execution (RCE) on affected installations. Apache Cassandra is an open-source, distributed, NoSQL database management system for managing very large amounts of structured data across commodity servers.
VMware released patches for several vulnerabilities affecting VMware ESXi, Workstation, Fusion, and Cloud Foundation on Tuesday after security researchers participating in China's Tianfu Cup discovered the issues.
In a summary on the current Ukraine situation from Mandiants, Sandra Joyce, said the situation at hand could be a very big problem for everyone in various regions — not just Ukraine and Russia, “We believe that after attacking U.S. and French elections, Western media, the Olympics, and many other targets with limited repercussions, Russia is emboldened to use their most aggressive cyber capabilities throughout the West.
Distributed Denial-of-Service (DDoS) attacks are wreaking havoc on Ukraine’s Ministry of Defense and Armed Forces, as well as two of the country’s state-owned banks, Privatbank (Ukraine’s largest bank) and Oschadbank (the State Savings Bank).
On Tuesday, researchers from Sophos revealed a recent incident in which a Microsoft Exchange Server, which had not been patched to protect it against a set of critical vulnerabilities disclosed last year, was targeted to hijack email threads and spread malspam.
Cybersecurity researchers have detailed the inner workings of ShadowPad, a sophisticated and modular backdoor that has been adopted by a growing number of Chinese threat groups in recent years, while also linking it to the country's civilian and military intelligence agencies.
The BlackCat ransomware group, aka ALPHV, has claimed responsibility for the recent cyber-attack on Swissport that caused flight delays and service disruptions. The €3 billion revenue firm, Swissport, has a presence across 310 airports in 50 countries and provides cargo handling, maintenance, cleaning, and lounge hospitality services. BlackCat has now been seen by BleepingComputer to leak a minuscule set of terabytes of data supposedly obtained from the recent ransomware attack.
Google has released Chrome 98.0.4758.102 for Windows, Mac, and Linux, to fix a high-severity zero-day vulnerability used by threat actors in attacks. "Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild," Google said in a security advisory released today.
This joint Cybersecurity Advisory was developed by the Federal Bureau of Investigation (FBI) and the U.S. Secret Service (USSS) to provide information on BlackByte ransomware. As of November 2021, BlackByte ransomware had compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors (government facilities, financial, and food & agriculture). BlackByte is a Ransomware as a Service (RaaS) group that encrypts files on compromised Windows host systems, including physical and virtual servers.
An unknown criminal hacking group is targeting organizations in the aviation, aerospace, defense, transportation and manufacturing industries with trojan malware, in attacks that researchers say have been going on for years. Dubbed TA2541 and detailed by cybersecurity researchers at Proofpoint, the persistent cyber-criminal operation has been active since 2017 and has compromised hundreds of organizations across North America, Europe, and the Middle East.
The NFL's San Francisco 49ers team is recovering from a cyberattack by the BlackByte ransomware gang who claims to have stolen data from the American football organization. The 49ers confirmed the attack in a statement to BleepingComputer and said it caused a temporary disruption to portions of their IT network. While the 49ers did not confirm whether hackers successfully deployed the ransomware, they said they are still in the process of recovering systems, indicating that devices were likely encrypted.
Security researchers at Website Planet have discovered an unsecured Amazon S3 bucket containing the Personal Identifiable Information (PII) of millions of people. Inside the bucket were ten folders, containing around 6,000 files and totaling over 1GB of data. While most (approximately 99%) of the data belongs to American residents, some information relates to people living in Canada.
One of Europe's biggest car dealers, Emil Frey, was hit with a ransomware attack last month, according to a statement from the company. The Swiss company showed up on the list of victims for the Hive ransomware on February 1 and confirmed that they were attacked in January. The company -- which has about 3,000 employees -- generated $3.29 billion in sales in 2020 thanks to a variety of automobile-related businesses. It was ranked as the number 1 car dealership in Europe based on revenue and the total number of vehicles for sale.
Last week, a cyber-attack has disrupted the operations of Pop TV, the Slovenian most popular TV channel. The attack, which likely was a ransomware attack, impacted the computer network of the TV channel and caused the cancellation of the evening edition of 24UR daily news show. Slovenian news agency Zurnal24 reported that the POP TV hit from threat actors from abroad that attempted to extort money to the company to restore its systems.
Magento is an ecommerce website platform owned by Adobe that specializes in ecommerce websites. Magento users have access to hundreds of unique features that help them connect with their customers and sell their products. Adobe rolled out emergency updates for Adobe Commerce and Magento Open Source to fix a critical vulnerability tracked as CVE-2022-24086 that’s being exploited in the wild.
Apple has patched yet another zero-day vulnerability, this time in its WebKit browser engine, that threat actors already are actively exploiting to compromise iPhones, iPads and MacOS devices. The zero-day, tracked as CVE-2022-22620, is a Use-After-Free issue, which is related to incorrect use of dynamic memory during program operation.
The Ukrainian Security Service said on Tuesday that it shut down a bot farm that was spreading panic on social media and had also been used to send out bomb threats. Authorities said the bot farm was used to manage more than 18,000 bot accounts and that “organizers from Russia supervised the administrators of the bot farms.” Officials detained three suspects from the Lviv region. “Two of them used their flats as premises for bot farms, the third participant was responsible for technical maintenance,” officials said. Equipment seized from their premises included two GSM gateways with 92 and two sets of GSM gateways (92 and 375 online channels), 3,000 SIM cards, and laptops and accounting records.
Moxa users are being urged to upgrade MXview to version 3.2.4 or higher to remediate five vulnerabilities discovered by Claroty's Team82. The issues affect the Taiwanese company's MXview web-based network management system versions 3.x to 3.2.2 and collectively, ICS-CERT scored the vulnerabilities a 10.0, its highest criticality score. According to Team82, an unauthenticated attacker successfully chaining two or more of these vulnerabilities could achieve remote code execution on any unpatched MXview server
Cybercriminals are hijacking the devices of civil rights activists and planting "incriminating evidence" in covert cyberattacks, researchers warn. According to SentinelLabs, an advanced persistent threat (APT) group dubbed ModifiedElephant has been responsible for widespread attacks targeting human rights activists and defenders, academics, journalists, and lawyers across India. The APT is thought to have been in operation since at least 2012, and over the past decade, ModifiedElephant has continually and persistently targeted specific, high-profile people of interest
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added to the catalog of vulnerabilities another 15 security issues actively used in cyberattacks. The most recent one, CVE-2021-36934, is a Microsoft Windows SAM (Security Accounts Manager) vulnerability that allows anyone to access the Registry database files on Windows 10 and 11, extract password hashes and gain administrator privileges.
A peer-to-peer Golang botnet has resurfaced after more than a year to compromise servers belonging to entities in the healthcare, education, and government sectors within a span of a month, infecting a total of 1,500 hosts. Dubbed FritzFrog, "the decentralized botnet targets any device that exposes an SSH server — cloud instances, data center servers, routers, etc. — and is capable of running any malicious payload on infected nodes," Akamai researchers said in a report shared with The Hacker News.
The Palestinian-aligned APT group tracked as TA402 (aka Molerats) was spotted using a new implant named 'NimbleMamba' in a cyber-espionage campaign that leverages geofencing and URL redirects to legitimate websites. The campaign was discovered by Proofpoint, whose analysts observed three variations of the infection chain, all targeting governments in Middle Eastern countries, foreign policy think tanks, and a state-owned airline.
The Uptycs threat research team has been observing an increase in utilization of regsvr32.exe heavily via various types of Microsoft Office documents. Regsvr32 is a Microsoft-signed command line utility in Windows which allows users to register and unregister DLLs (Dynamic Link Library). By registering a DLL file, information is added to the central directory (Registry) so that it can be used by Windows. This makes it easier for other programs to make use of the functionalities of the DLLs.
Analysts have found the source of a mass breach of over 500 e-commerce stores running the Magento 1 platform and involves a single domain loading a credit card skimmer on all of them. According to Sansec, the attack became evident late last month when their crawler discovered 374 infections on the same day, all using the same malware. The domain from where threat actors loaded the malware is currently offline, and the goal of the threat actors was to steal the credit card information of customers on the targeted online stores.
Researchers found three critical remote code execution (RCE) vulnerabilities in the 'PHP Everywhere' plugin for WordPress, used by over 30,000 websites worldwide. PHP Everywhere is a plugin that allows WordPress admins to insert PHP code in pages, posts, the sidebar, or any Gutenberg block, and use it to display dynamic content based on evaluated PHP expressions.
The Palestinian-aligned APT group tracked as TA402 (aka Molerats) was spotted using a new implant named 'NimbleMamba' in a cyber-espionage campaign that leverages geofencing and URL redirects to legitimate websites. The campaign was discovered by Proofpoint, whose analysts observed three variations of the infection chain, all targeting governments in Middle Eastern countries, foreign policy think tanks, and a state-owned airline.
Threat actors have started distributing fake Windows 11 upgrade installers to users of Windows 10, tricking them into downloading and executing RedLine stealer malware. The timing of the attacks coincides with the moment that Microsoft announced Windows 11's broad deployment phase, so the attackers were well-prepared for this move and waited for the right moment to maximize their operation's success. RedLine stealer is currently the most widely deployed password, browser cookies, credit card, and cryptocurrency wallet info grabber, so its infections can have dire consequences for the victims.
The Maze ransomware began operating in May 2019. It quickly rose to fame as they were responsible for data theft and double-extortion tactics now used by many ransomware operations. After Maze announced its shutdown in October 2020, they rebranded in September as Egregor, who later disappeared after members were arrested in Ukraine.
In 2021, cybersecurity authorities in the United States, Australia, and the United Kingdom observed an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA) observed incidents involving ransomware against 14 of the 16 U.S. critical infrastructure sectors, including the Defense Industrial Base, Emergency Services, Food and Agriculture, Government Facilities, and Information Technology Sectors. The Australian Cyber Security Centre (ACSC) observed continued ransomware targeting of Australian critical infrastructure entities, including in the Healthcare and Medical, Financial Services and Markets, Higher Education and Research, and Energy Sectors.
South Korean researchers have spotted a new wave of activity from the Kimsuky hacking group, involving commodity open-source remote access tools dropped with their custom backdoor, Gold Dragon. Kimsuky is a North Korean state-sponsored hacking group, also known as TA406, who has been actively involved in cyber-espionage campaigns since 2017. The group has demonstrated impressive operational versatility and threat activity pluralism, engaging in malware distribution, phishing, data collection, and even cryptocurrency theft.
The Federal Bureau of Investigation (FBI) says criminals have escalated SIM swap attacks to steal millions by hijacking victims' phone numbers. The number of complaints received from the US public since 2018 and reported losses have increased almost fivefold, according to reports received by the FBI through the Internet Crime Complaint Center (IC3) in 2021. FBI's warning comes after the US Federal Communications Commission (FCC) announced in October that it started working on rules that would pull the brake on SIM swapping attacks.
A detailed examination of a Pay-per-install (PPI) malware service called PrivateLoader has revealed its crucial role in the delivery of a variety of malware such as SmokeLoader, RedLine Stealer, Vidar, Raccoon, and GCleaner since at least May 2021. Loaders are malicious programs used for loading additional executables onto the infected machine. With PPI malware services such as PrivateLoader, malware operators pay the service owners to get their payloads "installed" based on the targets provided.
Cybersecurity researchers at Digital Shadows have detailed several vulnerabilities that appeared last year – or that are even older and continue to be left unpatched and exploited – which may have been missed and continue to provide opportunities for cyber criminals. Failure to patch these vulnerabilities could have potentially dangerous consequences for businesses as malicious hackers exploit them to launch ransomware attacks, malware campaigns and other cyber-criminal activity.
An advanced persistent threat (APT) hacking group operating with motives that likely align with Palestine has embarked on a new campaign that leverages a previously undocumented implant called NimbleMamba. The intrusions leveraged a sophisticated attack chain targeting Middle Eastern governments, foreign policy think tanks, and a state-affiliated airline, enterprise security firm Proofpoint said in a report, attributing the covert operation to a threat actor tracked as Molerats (aka TA402)
Two different Android banking Trojans, FluBot and Medusa, are relying on the same delivery vehicle as part of a simultaneous attack campaign, according to new research published by ThreatFabric. The ongoing side-by-side infections, facilitated through the same smishing (SMS phishing) infrastructure, involved the overlapping usage of "app names, package names, and similar icons," the Dutch mobile security firm said.
On January 4th, Cisco issued advisories and software updates to address multiple vulnerabilities of which the three most serious are identified as: CVE-2022-20699 , CVE-2022-20700 , CVE-2022-20708 with a severity score of 10 out of 10.
LockBit 2.0 operates as an affiliate-based Ransomware-as-a-Service (RaaS) and employs a wide variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. LockBit 2.0 ransomware compromises victim networks through a variety of techniques, including, but not limited to, purchased access, unpatched vulnerabilities, insider access, and zero day exploits.
The numerous law enforcement operations leading to the arrests and takedown of ransomware operations in 2021 have forced threat actors to narrow their targeting scope and maximize the efficiency of their operations. Most of the notorious Ransomware-as-a-Service (RaaS) gangs continue their operations even after the law enforcement authorities have arrested key members but have refined their tactics for maximum impact.
Researchers at cybersecurity firm Avast discovered that a Chinese-language-speaking threat actor has compromised systems at National Games of China in 2021. The event took place on September 15, 2021 in Shaanxi (China), it is a national version of the Olympics with only local athletes. The attackers breached a web server on September 3rd and deployed multiple reverse web shells to establish a permanent foothold in the target network.
Russia-linked cyberespionage group Gamaredon (aka Armageddon, Primitive Bear, and ACTINIUM) is behind the spear-phishing attacks targeting Ukrainian entities and organizations related to Ukrainian affairs, since October 2021, Microsoft said. This week, Palo Alto Networks’ Unit 42 reported that the Russia-linked Gamaredon APT group attempted to compromise an unnamed Western government entity operating in Ukraine in January, while geopolitical tensions between Russia and Ukraine have escalated dramatically.
The U.S. government has requested telecom providers replace Chinese equipment in their networks due to security issues and allocated $1.9 billion to support the companies in the transaction. The Federal Communications Commission (FCC) said that the amount of money is not enough and that small telecom providers have requested $5.6 billion to replace Chinese gear. Another problem that telecom companies should face is the chip shortage on a global scale that is impacting the supply chain of electronic gears.
A cross-site scripting (XSS) Zimbra security vulnerability is actively exploited in attacks targeting European media and government organizations. Zimbra is an email and collaboration platform that also includes instant messaging, contacts, video conferencing, file sharing, and cloud storage capabilities.
Attackers are using an under-the-radar PowerPoint file to hide malicious executables that can rewrite Windows registry settings to take over an end user’s computer, researchers have found. It’s one of a number of stealthy ways threat actors recently have been targeting desktop users through trusted applications they use daily, using emails that are designed to evade security detections and appear legitimate.
Accounting and tax software provider Intuit has notified customers of an ongoing phishing campaign impersonating the company and trying to lure victims with fake warnings that their accounts have been suspended. Intuit's alert follows reports received from customers who were emailed and told that their Intuit accounts were disabled following a recent server security upgrade.
The threat actor behind the supply chain compromise of SolarWinds has continued to expand its malware arsenal with new tools and techniques that were deployed in attacks as early as 2019, once indicative of the elusive nature of the campaigns and the adversary's ability to maintain persistent access for years. According to cybersecurity firm CrowdStrike, which detailed the novel tactics adopted by the Nobelium hacking group last week, two sophisticated malware families were placed on victim systems — a Linux variant of GoldMax and a new implant dubbed TrailBlazer — long before the scale of the attacks came to light.
CISA has warned of critical vulnerabilities in Airspan Networks Mimosa, some of which have earned CVSS severity score ratings of 10, the highest possible. Mimosa devices are offered to industrial and enterprise players for point-to-multipoint (PTMP) network deployment.
There are reports this week of cyber attacks impacting major oil terminals in Western Europe's biggest ports. Threat actors have targeted multiple oil facilities in Belgium, including Antwerp, the second largest port in Europe.
Beijing has lashed out at the US government's decision to ban China Unicom from offering its services in the US, describing the move as baseless. It vows to safeguard the "legitimate rights and interests" of Chinese businesses operating in the US market. China's Ministry of Industry and Information Technology (MIIT) said it strongly opposed a move by the US Federal Communications Commission (FCC) to revoke China Unicom's license, effectively banning the state-owned Chinese telco from providing services in the US market.
Morley Companies Inc. disclosed a data breach after suffering a ransomware attack on August 1st, 2021. Morley is a US company offering business services to Fortune 500 and Global 100 firms, including meeting management, back-office processing, contact centers, the creation of trade show exhibits, and more.
A politically motivated hacker group tied to a series of espionage and sabotage attacks on Israeli entities in 2021 incorporated a previously undocumented remote access trojan (RAT) that masquerades as the Windows Calculator app as part of a conscious effort to stay under the radar. Cybersecurity company Cybereason, which has been tracking the operations of the Iranian actor known as Moses Staff, dubbed the malware "StrifeWater."
Scammers are trying to steal job seekers' money and personal information through phishing campaigns using fake advertisements posted on recruitment platforms. The warning was published today as a public service announcement (PSA) on the Bureau's Internet Crime Complaint Center.
Researchers at firmware security company Binarly have discovered 23 vulnerabilities in UEFI firmware code used by the major device makers. The vulnerabilities could impact millions of enterprise devices, including laptops, servers, routers, and industrial control systems (ICS). All these vulnerabilities affect several vendors, including Fujitsu, Siemens, Dell, HP, HPE, Lenovo, Microsoft, Intel and Bull Atos.
A critical vulnerability in a popular open-source networking protocol could allow attackers to execute code with root privileges unless patched, experts have warned” (Info Security Magazine, 2022). Samba is used by organizations to implement SMB protocol for Linux, Windows and Mac. Users can use it to share files across a network. A new critical vulnerability (CVE-2021-44142) has been discovered in the software and has received a CVSS score of 9.9/10. This is one of the more dangerous vulnerabilities discovered this year.
Essential Addons for Elementor is a popular WordPress plugin used in over a million sites that provides easy-to-use and creative elements to improve the appearance of the pages. The plugin is affected by a critical remote code execution (RCE) vulnerability that impacts version 5.0.4 and older.
Oiltanking GmbH, a German petrol distributor who supplies Shell gas stations in the country, has fallen victim to a cyberattack that severely impacted its operations. Additionally, the attack has also affected Mabanaft GmbH, an oil supplier. Both entities are subsidiaries of the Marquard & Bahls group, which may have been the breach point.
The US government has added eight more vulnerabilities to its growing list of CVEs that must be patched by federal agencies, including some that first appeared eight years ago. The Cybersecurity and Infrastructure Security Agency (CISA) first launched its Known Exploited Vulnerabilities Catalog in November 2021 as part of a government effort to enhance cyber-resilience.
Investigators at Cyble have found over 20,000 instances of publicly exposed DCIM systems, including thermal and cooling management dashboards, humidity controllers, UPS controllers, rack monitors, and transfer switches. Additionally, the analysts were able to extract passwords from dashboards which they then used to access actual database instances stored on the data center. The applications found by Cyble give full remote access to data center assets, provide status reports, and offer users the capacity to configure various system parameters. In most cases, the applications used default passwords or were severely outdated, allowing threat actors to compromise them or override security layers fairly easily.
Broadcom-owned Symantec, in a new report published Monday, attributed the attacks to an actor tracked as Gamaredon (aka Shuckworm or Armageddon), a cyber-espionage collective known to be active since at least 2013. In November 2021, Ukrainian intelligence agencies branded the group as a "special project" of Russia's Federal Security Service (FSB), in addition to pointing fingers at it for carrying out over 5,000 cyberattacks against public authorities and critical infrastructure located in the country.
The Iranian-backed MuddyWater hacking group is conducting a new malicious campaign targeting private Turkish organizations and governmental institutions. This cyber-espionage group (aka Mercury, SeedWorm, and TEMP.Zagros) was linked this month to Iran's Ministry of Intelligence and Security (MOIS) by the US Cyber Command (USCYBERCOM).
On Monday, the SafetyDetectives cybersecurity team said the server belonged to Securitas. The Stockholm, Sweden-based company provides on-site guarding, electronic security solutions, enterprise risk management, and fire & safety services. The server contained approximately 3TB of data dating back to 2018, including airport employee records. While security researchers from ‘SafetyDetectives’ were not able to examine every record in the database, four airports were named in exposed files: El Dorado International Airport (COL), Alfonso Bonilla Aragón International Airport (COL), José María Córdova International Airport (COL), and Aeropuerto Internacional Jorge Chávez (PE).
The Federal Communications Commission (FCC) has revoked China Unicom Americas' license, one of the world's largest mobile service providers, over "serious national security concerns." This effectively bans the telecom company from providing domestic and international telecommunication services within the United States.
The security researcher RyeLv has publicly released an exploit for a Windows local privilege elevation flaw (CVE-2022-21882) that allows anyone to gain admin privileges in Windows 10. The Win32k elevation of privilege vulnerability was fixed this month as part of the January 2022 Patch Tuesday, it is the result of a bypass for the previously CVE-2021-1732 flaw.
The Conti ransomware gang has been linked to an attack on Delta Electronics, a Taiwanese electronics manufacturing company and a major supplier of power components to companies like Apple and Tesla. The attack took place last Friday, on January 21, according to a statement shared by the company with stock market authorities. Delta, which is primarily known for its powerful UPS solutions, said the attack did not impact its production systems.
Microsoft's threat analysts have uncovered a large-scale, multi-phase phishing campaign that uses stolen credentials to register devices onto the target's network and use them to distribute phishing emails. As the report highlights, the attacks manifested only through accounts that didn't have multi-factor authentication (MFA) protection, which made them easier to hijack.
Two Taiwanese companies were affected by separate ransomware incidents this week, forcing one to scramble to restore crippled systems and another to push out an emergency update to mitigate attacks on its customers. Delta Electronics, an electronics company that provides products for Apple, Tesla, HP and Dell, disclosed Friday that “non-critical systems” were attacked by “overseas hackers” – an attack that’s been attributed to the Conti Group.
Palo Alto Networks' Unit 42 released a deep-dive into the BlackCat ransomware, which emerged in mid-November 2021 as an innovative ransomware-as-a-service (RaaS) group leveraging the Rust programming language and offering affiliates 80-90% of ransom payments. In December, the ransomware family, also known as ALPHV, racked up at least 10 victims, giving it the seventh-largest number of victims listed on their leak site among ransomware groups tracked by Unit 42.
The zero-day exploit broker Zerodium has announced it will pay $400,000 for zero-day remote code execution (RCE) vulnerabilities in the Microsoft Outlook email client. The company pointed out that the increased payout for this specific vulnerability exploit is temporary, but it did not disclose the deadline for submissions.
Microsoft announced that its Azure DDoS protection platform has mitigated a record 3.47 Tbps attack that targeted one of its customers with a packet rate of 340 million packets per second (pps). The news of the attack was reported in the “Azure DDoS Protection —2021 Q3 and Q4 DDoS attack trends
QNAP Systems, Inc. is a Taiwanese company that specializes in network-attached storage equipment for applications such as file sharing, virtualization, storage management, and surveillance. The DeadBolt ransomware organization is encrypting QNAP NAS systems all around the globe, claiming that they are exploiting a zero-day vulnerability in the device’s firmware to do so. When the attacks began QNAP clients discovered that their files had been encrypted and that their file names had been added with the.deadbolt file suffix.
In these attacks, they successfully compromised at least nine organizations from critical sectors worldwide, including defense, healthcare, energy, technology, and education, according to Palo Alto Networks researchers. This active campaign is targeting German commercial organizations, with the attackers using the HyperBro remote access trojans (RAT) to backdoor their networks.
VMware urges customers to patch critical Log4j security vulnerabilities impacting Internet-exposed VMware Horizon servers targeted in ongoing attacks” (Security Affairs, 2022). There are currently tens of thousands of VMware Horizon servers exposed to attacks according to Shodan scans. Most recently, the Night Sky ransomware group has been exploiting Log4Shell (CVE-2021-44228) in vulnerable VMware Horizon systems. VMware has addressed their Log4Shell vulnerabilities with the release of 2111, 7.13.1, and 7.10.3, but many systems remain unpatched.
One of the most prolific families of ransomware now has additional Linux and VMware ESXi variants that have been spotted actively targeting organisations in recent months. Analysis by cybersecurity researchers at Trend Micro identified LockBit Linux-ESXi Locker version 1.0 being advertised on an underground forum. Previously, LockBit ransomware – which was by far the most active ransomware family at one point last year – was focused on Windows
The new version of the BRATA Android malware supports new features, including GPS tracking and a functionality to perform a factory reset on the device. First discovered by Kaspersky in 2019, BRATA’s name comes from the phrase “Brazilian RAT Android.” The RAT has been spreading via WhatsApp, SMS messages, and through the official Google Play Store.
A vulnerability in the Modbus preprocessor of the Snort detection engine could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an integer overflow while processing Modbus traffic. An attacker could exploit this vulnerability by sending crafted Modbus traffic through an affected device. A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop.
Researchers from Trellix a new company created following the merger of security firms McAfee Enterprise and FireEye, attributed the attacks with moderate confidence to the Russia-based APT28 group, the threat actor behind the compromise of SolarWinds in 2020, based on similarities in the source code as well as in the attack indicators and geopolitical objectives.
Researchers are describing this vulnerability as an unauthenticated stack-based buffer overflow. The impacted appliances are SMA 100 series and also SMA 200, 210, 400, 410, and 500v. The bug has an impact on the mentioned instances no matter if the web application firewall (WAF) is enabled or not.
CISA has published an infographic to emphasize the importance of implementing network segmentation—a physical or virtual architectural approach that divides a network into multiple segments, each acting as its own subnetwork, to provide additional security and control that can help prevent or minimize the impact of a cyberattack.
According to Proofpoint's 2022 Cost of Insider Threats Global report, published on Tuesday, insider threats now cost organizations $15.4 million annually, an increase of 34% in comparison to 2020 estimates. The report, conducted by the Ponemon Institute, includes survey responses from over 1,000 IT professionals worldwide, all of which have experienced a recent cybersecurity incident due to an insider threat.
Insider Threats Have Increased in Both Frequency and Cost over the past Two Years. Credential Thefts, for Example, Have Almost Doubled in Number since 2020.
A US government’s security agency has added 17 vulnerabilities currently being actively exploited in the wild to a database of bugs that federal agencies must fix. The Known Exploited Vulnerabilities Catalog was launched in November last year as part of Binding Operational Directive (BOD) 22-01, designed to make civilian federal government agencies more cyber-resilient.
Cisco Talos says that two wipers are used in WhisperGate attacks. The first wiper attempts to destroy the master boot record (MBR) and to eradicate any recovery options. "Similar to the notorious NotPetya wiper that masqueraded as ransomware during its 2017 campaign, WhisperGate is not intended to be an actual ransom attempt, since the MBR is completely overwritten," the researchers say. However, with many modern systems now moving to GUID Partition Tables (GPTs), this executable may not be successful – and so an additional wipe has been included in the attack chain.
APT36, also known as Earth Karkaddan, a politically motivated advanced persistent threat (APT) group, has historically targeted Indian military and diplomatic resources. This APT group (also referred to as Operation C-Major, PROJECTM, Mythic Leopard, and Transparent Tribe) has been known to use social engineering and phishing lures as an entry point, after which, it deploys the Crimson RAT malware to steal information from its victims.
Cybersecurity firm F5 announced security patches for 25 vulnerabilities affecting its BIG-IP, BIG-IQ, and NGINX products. Most of the vulnerabilities (23) addressed by the company affect the BIG-IP application delivery controller (ADC), 13 of them have been rated as high-severity issues (CVSS score 7.5). The issues received CVEs between CVE-2022-23010 to CVE-2022-23032.
The Federal Bureau of Investigation (FBI) warned Americans this week that cybercriminals are using maliciously crafted Quick Response (QR) codes to steal their credentials and financial info. The warning was issued as a public service announcement (PSA) published on the Bureau's Internet Crime Complaint Center (IC3) earlier this week.
The FBI discovered that the Diavol ransomware uses the same method to fingerprint victim machines as Trickbot and Trickbot-related Anchor DNS malware, "Trickbot's tools include the Anchor_DNS backdoor, a tool for transmitting data between victim machines and Trickbot-controlled servers using Domain Name System (DNS) tunneling to hide malicious traffic with normal DNS traffic
“To exploit it requires the CAP_SYS_ADMIN privilege to be enabled. If that's the case, an unprivileged local user can open a filesystem that does not support the File System Context application programming interface (API). In this situation, it drops back to legacy handling, and from there, the flaw can escalate an attacker's system privileges, (SecList, 2022).“ “Researchers discovered a heap overflow bug in the legacy_parse_param in the Linux kernel's fs/fs_context.c program. This parameter is used in Linux filesystems during superblock creation for mount and superblock reconfiguration for a remount. The superblock records all of a filesystem's characteristics such as file size, block size, empty and filled storage blocks. So, yeah, it's important.
A high-severity bug in the WordPress Email Template Designer WP HTML Mail, installed in more than 20,000 websites, can lead to code injection and the distribution of persuasive phishing emails. WordPress WP HTML Mail is a plugin for creating tailored emails, contact form alerts, and other custom messages digital platforms send to their customers. WP HTML Mail is compatible with WooCommerce, Ninja Forms, BuddyPress, and other popular WordPress plugins. Even though the number of websites that use it is small, many of them have large audiences, causing the vulnerability to affect numerous users.
Several campaigns employing spyware have come to light, a new report shows. Researchers name these cyberattacks "Anomalous." The threat actors' targets are industrial enterprises, and their final goal consists of email accounts, credential theft, financial fraud, or even the reselling of this spyware to other hackers. Kaspersky researchers noted that the threat actors used various spyware strains to remain undetected. Threat actors were observed rotating spyware for specific periods. It's likely that if endpoint solutions discovered spyware running on a targeted machine, they deployed a variant to evade detection.
McAfee has patched a security vulnerability discovered in the company's McAfee Agent software for Windows enabling attackers to escalate privileges and execute arbitrary code with SYSTEM privileges. McAfee Agent is a client-side component of McAfee ePolicy Orchestrator (McAfee ePO) that downloads and enforces endpoint policies and deploys antivirus signatures, upgrades, patches, and new products on enterprise endpoints.
A new ransomware family called 'White Rabbit' appeared in the wild recently, and according to recent research findings, could be a side-operation of the FIN8 hacking group. FIN8 is a financially motivated actor who has been spotted targeting financial organizations for several years, primarily by deploying POS malware that can steal credit card details” (Bleeping Computer, 2022). Researchers from TrendMicro analyzed a sample of White Rabbit obtained from an attack on a US bank back in December of 2021. The ransomware executable is a small 100 KB file that requires a password to be entered, a technique also used by other ransomware strains including Egregor, MegaCortex, and SamSam.
More than 2,300 local governments, schools, and healthcare organizations in the US were affected by ransomware attacks in 2021, according to a new report from security company Emsisoft. The company found that at least 77 state and municipal governments, 1,043 schools, and 1,203 healthcare providers were impacted by a ransomware incident last year. The attacks also led to 118 data breaches, exposing troves of sensitive information
An international law enforcement collaboration has targeted the users and infrastructure of VPNLab.net, rendering it no longer available. The action was taken in response to the use of the VPN provider’s service to support cybercrime activities, including ransomware deployment” (Info Security Magazine, 2022). A total of 10 national law enforcement agencies coordinated the takedown, including those from Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the US and the UK. The seizure led to the disruption of 15 servers hosted by VPNLab[.]net. VPNLab was a popular service used by cybercriminals to set up infrastructure and communications for ransomware campaigns. In many cases the service was being advertised on the dark web. During their investigation, law enforcement identifies over 100 businesses at risk of cyber attacks, they are working with impacted organizations to mitigate their risks.
A new phishing campaign impersonating the United States Department of Labor asks recipients to submit bids to steal Office 365 credentials. The phishing campaign has been ongoing for at least a couple of months and utilizes over ten different phishing sites impersonating the government agency. The emails are sent from spoofed domains that look as if they came from the actual Department of Labor (DoL) site, while some are based on a set of newly created look-alike domains such as: dol-gov[.]com dol-gov[.]us bids-dolgov[.]us Most of the emails pass through abused servers owned by non-profit organizations to evade email security blocks.
Security analysts have discovered and linked MoonBounce, "the most advanced" UEFI firmware implant found in the wild so far, to the Chinese-speaking APT41 hacker group (also known as Winnti). APT41 is a notorious hacking group that has been active for at least a decade and is primarily known for its stealthy cyber-espionage operations against high-profile organizations from various industry sectors.
BIOS and UEFI attacks are not new by any means, but APT41 (also known as Winnti), a Russian state-sponsored cybercriminal group, according to security experts, has created the most devastating and complex version to date. Moonbounce implants malware on the SPI Flash memory of a computer's mother or logic board, also known as flash storage. This type of memory is embedded in storage and data transfers in portable devices, including phones, tablets, media players, and industrial machines like security systems and medical products. Flash storage is volatile, which means that it can be electrically erased and reprogrammed, and data stored on them is not lost when power is turned off.
Threats to the internet of things (IoT) continue to evolve as users and businesses grow increasingly reliant on these tools for constant connectivity, access to information and data, and workflow continuity. Cybercriminals have taken notice of this dependence and now regularly update their known tools and routines to include network-attached storage (NAS) devices to their list of targets, knowing full well that users rely on these devices for storing and backing up files in both modern homes and businesses. More importantly, cybercriminals are aware that these tools hold valuable information and have only minimal security measures.
While exploitation of this vulnerability remains highly limited, it could be adopted by other threat actors. While I would normally rank this as a low severity incident, the popularity of Serv-U should be taken into consideration, hence, I would treat this as Medium. There is still some disagreement about the exploitation Microsoft observed, we will continue to update on the situation.
R.R. Donnelley is a Fortune 500 integrated communications corporation based in the United States that offers marketing and business communications, commercial printing, and other associated services. The company’s corporate offices are in Chicago, Illinois, in the United States. R.R. Donnelley was the world’s largest commercial printer in 2007.
The international humanitarian organization Red Cross announced yesterday that it had been the victim of a massive cyberattack that resulted in the theft of confidential information for over 515,000 “very vulnerable people” participating in the “Restoring Family Links” program.
A former Department of Homeland Security acting inspector general pleaded guilty today to stealing confidential and proprietary software and sensitive databases from the US government containing employees' personal identifying information (PII). 61-year-old Charles Kumar Edwards coordinated the scheme while working for DHS-OIG (Department of Homeland Security, Office of Inspector General) as an employee and acting IG between February 2008 and December 2013.
The Federal Communications Commission (FCC) has proposed more rigorous data breach reporting requirements for telecom carriers in response to breaches that recently hit the telecommunications industry. On Wednesday, Chairwoman Jessica Rosenworcel shared the proposal in the form of a Notice of Proposed Rulemaking (NPRM), the first step in changing the FCC's rules for alerting federal agencies and customers of data breaches.
A 'massive' cyberattack has taken down several government websites in Ukraine, including the Ukrainian Foreign Ministry and the Ministry of Education and Science. The cyberattack occurred overnight on Thursday and Friday morning, and it took down more than a dozen official websites, disrupting government work and raising questions about whether Russia was signaling that a new offensive against Ukraine was getting underway. A statement by Ukranian police says cyber attackers left "provocative messages" on the main pages of government websites, which have been taken offline – but no personal data has been altered or stolen.
Cisco Systems has rolled out security updates for a critical security vulnerability affecting Unified Contact Center Management Portal (Unified CCMP) and Unified Contact Center Domain Manager (Unified CCDM) that could be exploited by a remote attacker to take control of an affected system. Tracked as CVE-2022-20658, the vulnerability has been rated 9.6 in severity on the CVSS scoring system, and concerns a privilege escalation flaw arising out of a lack of server-side validation of user permissions that could be weaponized to create rogue Administrator accounts by submitting a crafted HTTP request.
The privilege escalation flaw was discovered by an expert from Sentinel LABS, by his name Antonio Cocomazzi together with Andrea Pierini, an independent researcher. They named it RemotePotato0 and disclosed it during the month of April last year. An unofficial patch was released for a privilege escalation vulnerability that has an impact on all versions of Windows after Microsoft tagged its status as “won’t fix”. The flaw is located in the Windows RPC Protocol and was dubbed RemotePotato0 by security researchers. If successfully exploited, threat actors could perform an NTLM relay attack that will give them domain admin privileges.
US Cyber Command (USCYBERCOM) has officially linked the Iranian-backed MuddyWatter hacking group to Iran's Ministry of Intelligence and Security (MOIS). MOIS is the Iran government's leading intelligence agency, tasked with coordinating the country's intelligence and counterintelligence, as well as covert actions supporting the Islamic regime's goals beyond Iran's borders.
Cybersecurity researchers from SentinelOne have discovered a critical vulnerability (CVE-2021-45608) in KCodes NetUSB component that is present in millions of end-user routers from different vendors, including Netgear, TP-Link, Tenda, EDiMAX, D-Link, and Western Digital.
A prison in New Mexico had an unplanned lockdown due to a ransomware attack. As reported by Source NM, the Metropolitan Detention Center in Bernalillo County, New Mexico, went into lockdown on January 5, 2022, after cyberattackers infiltrated Bernalillo County systems and deployed malware. Inmates were made to stay in their cells as the ransomware outbreak reportedly not only knocked out the establishment's internet but also locked staff out of data management servers and security camera networks.
Microsoft Windows systems going back to at least Windows Server 2012 R2 are affected by a vulnerability in the Remote Desktop Services protocol that gives attackers, connected to a remote system via RDP, a way to gain file system access on the machines of other connected users. Threat actors that exploit the flaw can view and modify clipboard data or impersonate the identities of other users logged in to the machine in order to escalate privileges or to move laterally on the network, researchers from CyberArk discovered recently. They reported the issue to Microsoft, which issued a patch for the flaw (CVE-2022-21893) in its security update for January this Tuesday.
Of the 96 vulnerabilities, nine are rated Critical and 89 are rated Important in severity, with six zero-day publicly known at the time of the release. This is in addition to 29 issues patched in Microsoft Edge on January 6, 2022. None of the disclosed bugs are listed as under attack. The patches cover a swath of the computing giant's portfolio, including Microsoft Windows and Windows Components, Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP)
A high-impact vulnerability allowing remote code execution to take place has impacted millions of end-user router devices. On Tuesday, SentinelOne published an analysis of the bug, tracked as CVE-2021-45388 and deemed critical by the research team. The vulnerability impacts the KCodes NetUSB kernel module. KCodes solutions are licensed by numerous hardware vendors to provide USB over IP functionality in products including routers, printers, and flash storage devices.
In the fourth quarter of last year, about a quarter of Cloudflare's customers that were the target of a DDoS attack said that they received a ransom note from the perpetrator. A large portion of these attacks occurred in December 2021, when almost a third of Cloudflare customers reported receiving a ransom letter. By comparison with the previous month, the number of reported DDoS ransom attacks was double, Cloudflare says in a blog post today.
There have been millions of downloads of outdated, vulnerable Log4j versions despite the emergence of a serious security hole in December 2021, according to figures compiled by the firm that runs Apache Maven's Central Repository. That company, Sonatype, said it had seen four million downloads of exploitable Log4j versions from the repository alone between 10 December and the present day, out of a total of more than 10 million downloads over those past four weeks.
AvosLocker is the latest ransomware gang that has added support for encrypting Linux systems to its recent malware variants, specifically targeting VMware ESXi virtual machines.
CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting, as outlined in the Detection section. Additionally, CISA, the FBI, and NSA strongly urge network defenders to implement the recommendations listed below and detailed in the Mitigations section. These mitigations will help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation.
Federal officials cautioned Monday that, while the widespread Log4j vulnerability hasn’t led to any major known intrusions in the U.S., there could be a “lag” between when the flaw became known, and when attackers exploit it. Cybersecurity and Infrastructure Security Agency Director Jen Easterly said that there were months between the discovery of the vulnerability that led to the 2017 Equifax breach, which exposed the personal information of nearly 150 million Americans, and word of the breach itself, invoking one of the most notable hacks in history.
The US National Counterintelligence and Security Center (NCSC) and the Department of State have published joint guidance that provides best practices on defending against attacks carried out by threat actors using commercial surveillance tools. In the last few years, we have reported several cases of companies selling commercial surveillance tools to governments and other entities that have used them for malicious purposes
Last week, Internet appliances provider SonicWall revealed that the Y2K22 weakness has affected several of its email security and firewall products, leading to message log updates and junk box malfunctions starting January 1st, 2022. Although SonicWall didn’t give any details on what is causing the Y2K22 vulnerability in its security solutions, the tech company is not the only one dealing with this problem.
In a deep-dive analysis jointly conducted by cybersecurity firms Claroty and Synk, eight security vulnerabilities were identified in as many third-party libraries written in C, JavaScript, PHP, Python, and Ruby languages and used by several web applications. With URLs being a fundamental mechanism by which resources — located either locally or on the web — can be requested and retrieved, differences in how the parsing libraries interpret a URL request could pose significant risk for users.
A Chinese national has pleaded guilty to the theft of agricultural secrets from the US, intended to reach the hands of scientists across the pond. Xiang Haitao, formerly living in Chesterfield, Missouri, assumed a post at Monsanto and its subsidiary, The Climate Corporation, between 2008 and 2017, the US Department of Justice (DoJ) said on Thursday. Monsanto and The Climate Corporation developed an online platform for farmers to manage field and yield information in a bid to improve land productivity. One aspect of this technology was an algorithm called the Nutrient Optimizer, which US prosecutors say was considered "a valuable trade secret and their intellectual property
Researchers from MalwareHunterteam first spotted a new ransomware family dubbed Night Sky that implements a double extortion model in attacks aimed at businesses. Once encrypted a file, the ransomware appends the ‘.nightsky‘ extension to encrypted file names. The ransomware gang started its operations on December 27, 2021, and has already hacked the corporate networks of two organizations from Bangladesh and Japan respectively. The gang has also set up a leak site on the Tor network where it will publish files stolen to the victims that will not pay the ransom.
Bernalillo County is the most populous in New Mexico and includes the cities of Albuquerque, Los Ranchos, and Tijeras. Officials report the disruption likely occurred between midnight and 5:30 a.m. on Jan. 5. They have taken affected systems offline and severed network connections, as well as notified county system vendors, which are working to solve the issue and restore system functionality.
QNAP has warned customers today to secure Internet-exposed network-attached storage (NAS) devices immediately from ongoing ransomware and brute-force attacks. If your organization's NAS is exposed to the Internet it is likely to be targeted if the following text is displayed on the software’s dashboard, “The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP
VMware Horizon supports local, hybrid (local but managed in the cloud) and multi-cloud deployment strategies. End users can access custom virtual desktops or remote RDSH applications from company laptops, home PCs, Mac computers, thin clients, or mobile devices.
DatPiff is a popular mixtape hosting service used by over 15 million users, allowing unregistered users to download or upload samples for free. The cracked passwords for almost 7.5 million members are being sold online, and users can check if they are part of the data breach through the Have I Been Pwned notification service.
This is another example of attackers leveraging covid and a well-designed phishing page to launch a dangerous campaign. Covid-themed phishing emails have convinced users to relinquish valuable credentials throughout the last year. Phish impersonating major banking firms have been around for some time, but they constantly evolve. The pandemic is continuing to affect the lives of everyone in the world, and threat actors are attempting to hook their targets by relying on changes in banking practices related to the pandemic.
For the sixth year in a row, security researcher Patrick Wardle has released a list of all the new Mac malware threats that emerged over the course of a year. For each malware sample, Wardle identified the malware's infection vector, installation and persistence mechanisms, and other features, such as the purpose of the malware. A sample of each new Mac malware sample that surfaced last year is available on his website
The US Federal Trade Commission (FTC) has warned today that it will go after any US company that fails to protect its customers' data against ongoing Log4J attacks."The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," the US government agency said
A new Zloader campaign exploits Microsoft's digital signature verification to deploy malware payloads and steal user credentials from thousands of victims from 111 countries. The campaign orchestrated by a threat group known as MalSmoke appears to have started in November 2021, and it's still going strong, according to Check Point researchers who have spotted it
A team of academics (Duy-Phuc Pham, Damien Marion, Matthieu Mastio and Annelie Heuser) from the Research Institute of Computer Science and Random Systems (IRISA) have devised a new approach that analyzes electromagnetic field emanations from the Internet of Things (IoT) devices to detect highly evasive malware. The team of experts presented their technique at the Annual Computer Security Applications Conference (ACSAC) that took place in December
A security researcher has publicly disclosed a bug present in iOS 15.2 (and going back to iOS 14.7 and possibly earlier) relating to HomeKit that could be used to permanently crash an iPhone. Trevor Spiniolas found that by changing the name of a HomeKit device to a large string (Spiniolas used 500,000 characters for the testing), this would crash the associated iPhone
A financially-motivated actor dubbed 'Elephant Beetle' is stealing millions of dollars from organizations worldwide using an arsenal of over 80 unique tools and scripts. The group is very sophisticated and patient, spending months studying the victim's environment and financial transaction processes, and only then moves to exploit flaws in the operation
The decentralised darknet market, Monopoly, appears to be exit scamming. Monopoly has been open for two years and had gained a reputation for being stable. This was in large part due to its unique method of vendor verification which was believed to keep vendor scamming to a minimum.
Security experts learned a lot from the fallout of Log4Shell. Most importantly, the incident highlighted the need for organizations to “understand and manage” what code is running within their software environments. Software dependencies exist in just about every enterprise product, when flaws emerge in these dependencies, organizations are left scrambling for fixes. Third party dependencies are essential in creating modern day programs as programmers do not have to reinvent the wheel every time a new product or application is developed. By mixing and matching existing libraries and packages, software developers can build new applications more efficiently.
A possible nation-state attack on the UK’s primary defense training facility last year forced the academy to rebuild its IT infrastructure, according to a former senior officer. “Air marshal Edward Stringer served as director-general of joint force development and of the UK Defence Academy before recently retiring. The academy trains nearly 30,000 UK armed forces personnel annually, alongside civil servants and military staff from other nations. However, it was caught out by a cyber-attack last March, which had “significant” operational consequences, Stringer told Sky News
The Broward Health public health system has suffered a data breach that impacted 1,357,879 individuals. Broward Health, formally the North Broward Hospital District, is one of the 10 largest public health systems in the U.S. Located in Broward County, Florida, Broward Health currently operates more than 30 healthcare facilities
For the first time in a generation, the UK is in the middle of an unprecedented supply chain crisis, and in recent weeks, we have seen very clearly the immediate and far-reaching impacts of it. Whether it’s the shortage of truck drivers prompting panic-buying at fuel stations that required military intervention, or the ramp up of materials and goods stockpiling UK businesses are doing to cope with shortages during the festive season, never has the UK’s supply chain system been stretched so thin. There are real fears this could rip through an economy that has only just started recovering from COVID-19
A malicious Telegram for Desktop installer distributes the Purple Fox malware to install further malicious payloads on infected devices. The installer is a compiled AutoIt script named "Telegram Desktop.exe" that drops two files, an actual Telegram installer, and a malicious downloader. While the legitimate Telegram installer dropped alongside the downloader isn't executed, the AutoIT program does run the downloader.
Programmers, sysadmins, security researchers, and tech hobbyists copying-pasting commands from web pages into a console or terminal are warned they risk having their system compromised. A technologist demonstrates a simple trick that'll make you think twice before copying and pasting text from web pages” (Bleeping Computer, 2022). Recently, Gabriel Friedlander, founder of security awareness training platform Wizer demonstrated an obvious yet surprising hack that'll make you cautious of copying-pasting commands from web pages. It isn't unusual for novice and skilled developers alike to copy commonly used commands from a webpage (StackOverflow) and paste them into their applications, a Windows command prompt or a Linux terminal.
Microsoft has rolled out an emergency fix that addresses the Y2k22 bug that is breaking email delivery on on-premise Microsoft Exchange servers since January 1st, 2022. We have addressed the issue causing messages to be stuck in transport queues of on-premises Exchange Server 2016 and Exchange Server 2019. The problem relates to a date check failure with the change of the new year and it is not a failure of the AV engine itself. This is not an issue with malware scanning or the malware engine, and it is not a security-related issue.” reads the post published by Microsoft. “The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues
The UK's National Crime Agency (NCA) and National Cyber Crime Unit (NCCU) have contributed 225 million new compromised emails and associated passwords with Have I Been Pwned (HIBP), a free service that tracks stolen credentials so people can know if theirs have been breached. During recent NCA operations, the NCCU's Mitigation@Scale team identified more than 585.5 million potentially compromised credentials (emails and associated passwords), which were in a compromised cloud storage facility. In a statement on HIBP, the NCA says analysis revealed the credentials represented an accumulation of known and unknown datasets
Cybersecurity company CrowdStrike has discovered an attempt by a China-based group to infiltrate an academic institution through the Log4j vulnerability. CrowdStrike called the group "Aquatic Panda" and said it is an "intrusion adversary with a dual mission of intelligence collection and industrial espionage" that has operated since at least May 2020
North Korea-linked APT groups are suspected to be behind some of the largest cyberattacks against cryptocurrency exchanges. According to South Korean media outlet Chosun, North Korean threat actors have stolen around $1.7 billion (2 trillion won) worth of cryptocurrency from multiple exchanges during the past five years
Christmas trees are often decorated with smart lights that are connected to Wi-Fi. Vulnerabilities in such hardware can be an entry point for attackers who want to hack Christmas. How easily such vulnerabilities can be exploited became clear in a 2018 study, in which security researchers managed to completely shut down Christmas decorations remotely. In other instances, IoT devices were hacked over the cloud and even set on fire.
Hellmann is one of the largest international logistics providers. Founded in 1871, it handles 16 million shipments per year by air, sea, road, and rail, and is active in 173 countries. The logistics giant s has issued a warning that data was stolen from the company when it was hit with a ransomware attack on December 9, 2021. It is not entirely clear what type of data was extracted, but the company says it is warning partners and customers to double check their communications with it, as a precaution. Criminals could use the leaked data to make social engineering attacks more believable, so Hellmann is asking people that do business with it to look out for fraudulent mails and calls.
Apache HTTP Server is the second most widely used web server on the internet behind Nginx, according to W3Techs, which estimates it's used by 31.4% of the world's websites. UK security firm Netcraft estimates 283 million websites used Apache HTTP Server in December 2021, representing 24% of all web servers. The Apache Software Foundation has released an update to address a critical flaw in its hugely popular web server that allows remote attackers to take control of a vulnerable system.
Chinese tech giant Alibaba has reportedly been shunned by China’s top tech regulator for failing to report the infamous Log4j vulnerability quickly enough. Local media claimed that the firm’s Alibaba Cloud business, which has a large team of security researchers, failed to report the issue to the Ministry of Industry and Information Technology (MIIT)
Cybercriminals have found a way to bypass the patch for a recent Microsoft Office vulnerability tracked as CVE-2021-40444 (CVSS score of 8.8). The bad news is that threat actors are using it to distribute the Formbook malware.
As 2021 draws to a close, there are increasing fears around the world that Russia is planning to invade Ukraine in an effort to prevent its former ally from moving further towards the West and possibly even joining the NATO military alliance. The tensions between these two former Soviet states are now at a critical point, with the potential to evolve into further, more widespread conflict between Russia and the West.
The relatively new Pysa ransomware was the dominant strain behind file-encrypting attacks in November and saw a 400% rise in attacks on government organizations, according to an analysis by security company NCC Group. Pysa is one of the ransomware gangs utilizing double extortion to pressure victims to pay an extortion demand and dump leaks from 50 previously compromised organizations last month. Overall in November, the number of Pysa attacks increased 50%, which means it overtook Conti to join Lockbit in the top two most common versions of the malware. Conti and Lockbit have been the dominant strains since August, according to NCC Group.
The Russian national Vladislav Klyushin (41) was extradited to the United States from Switzerland to face charges for his alleged role in a scheme whose participants traded on information stolen from U.S. companies. The man was arrested in Switzerland on March 21, 2021, along with four other accomplices he conspired to gain unauthorized access to computers and to commit wire fraud and securities fraud.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) are releasing this joint Cybersecurity Advisory (CSA) to provide mitigation guidance on addressing vulnerabilities in Apache’s Log4j software library: CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105. Sophisticated cyber threat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited.
CISA, in collaboration with industry members of CISA’s Joint Cyber Defense Collaborative (JCDC), previously published guidance on Log4Shell for vendors and affected organizations in which CISA recommended that affected organizations immediately apply appropriate patches (or apply workarounds if unable to upgrade), conduct a security review, and report compromises to CISA or the FBI. CISA also issued an Emergency Directive directing U.S. federal civilian executive branch (FCEB) agencies to immediately mitigate Log4j vulnerabilities in solution stacks that accept data from the internet. This joint CSA expands on the previously published guidance by detailing steps that vendors and organizations with IT and/or cloud assets should take to reduce the risk posed by these vulnerabilities.
These steps include:
Researchers from Positive Technologies, a leading global provider of enterprise security solutions for vulnerability and compliance management, incident and threat analysis, and application protection, discovered four vulnerabilities in Microsoft Teams that could be leveraged for various malicious purposes. Microsoft Teams is a collaboration tool that helps people working in different geographic locations work together online. For this reason, Team's usage of the platform has risen during the pandemic, making it an increasingly attractive target for threat actors.
This particular dark web marketplace has grown significantly over the past few years; by automating processes, owners have increased sales volume and overall customer satisfaction. They have removed the one-on-one interaction with sellers and posters of stolen data altogether; anyone can create an account, add money to their wallet, and make purchases without interacting with the sellers directly.
The Conti ransomware gang, which became the first professional crimeware outfit to adopt and weaponize the Log4J Shell vulnerability last week, has built up a holistic attack chain. The sophisticated Russia-based Conti group – which Palo Alto Networks has called "one of the most ruthless" of dozens of ransomware groups currently known to be active – was in the right place at the right time with the right tools when Log4 Shell hit the scene 10 days ago, security firm Advanced Intelligence (AdvIntel) said in a report shared with Threatpost on Thursday.
We received an alert from the FBI last Friday regarding a Zero-Day vulnerability in Zoho ManageEngine Desktop Central, CVE-2021-44515. ManageEngine is the enterprise IT management software division of Zoho, a company well known for its software-as-a-service products. The flaw affects Desktop Central software for both enterprise customers and the version for managed service provider (MSP) customers.
Experts spotted a backdoor in the network of an unnamed U.S. federal government commission associated with international rights. The backdoor allowed the threat actors to achieve complete control over the infected networks; experts described the compromise as a “classic APT-type operation.
No, you’re not seeing triple: On Friday, Apache released yet another patch – version 2.17 – for yet another flaw in the ubiquitous log4j logging library, this time for a DoS bug. Trouble comes in threes, and this is the third one for log4j. The latest bug isn’t a variant of the Log4Shell remote-code execution (RCE) bug that’s plagued IT teams since Dec. 10, coming under active attack worldwide within hours of its public disclosure, spawning even nastier mutations and leading to the potential for denial-of-service (DoS) in Apache’s initial patch.
Hundreds of Ukrainian cyber experts have taken part in a large-scale incident response exercise against the country’s energy grid as geopolitical tensions with Russia continue to escalate. President Putin on Friday issued a series of security demands, including that NATO limits deployments of troops and weapons to Ukraine’s eastern border with Russia and that the country commits to never joining the military alliance. It warned of a military crisis in the region if its demands weren’t met. Russia has already massed 100,000 troops, alongside missiles and artillery, on its side of the border
Researchers from cybersecurity firm Blumira devised a new attack vector that relies on a Javascript WebSocket connection to exploit the Log4Shell vulnerability on internal and locally exposed unpatched Log4j applications. Experts pointed out that this new attack vector significantly expands the attack surface and can impact services even running as localhost which were not exposed to any network.
APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central Summary Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers. The APT actors were observed compromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.
The Conti ransomware operation uses the critical Log4 Shell exploit to gain rapid access to internal VMware vCenter Server instances and encrypt virtual machines. The group did not waste much time adopting the new attack vector and is the first "top-tier" operation known to weaponize the Log4j vulnerability.
The holidays are an opportunity to spend time with our loved ones and enjoy some well-earned rest. Unfortunately, malicious cyber actors are not taking a holiday – and they can ruin ours if we’re not prepared and protected. Historically we have seen breaches around national holidays because criminals know that security operations centers are often short-staffed, delaying the discovery of intrusions. Beyond the holidays, though, we’ve experienced numerous recent events that highlight the strategic risks we all face because of the fragility of digital infrastructure and the ever- present threat of those who would use it for malicious purposes.
Microsoft and Cloudflare on Wednesday revealed that threat actors are actively attempting to exploit the Log4j vulnerabilities, "MSTIC has observed PHOSPHORUS, an Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications. In addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their specific targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with the testing activity to fingerprint systems.
State-sponsored hackers from China, Iran, North Korea and Turkey have started testing, exploiting and using the Log4j bug to deploy malware, including ransomware, according to Microsoft. As predicted by officials at the US Cybersecurity and Infrastructure Security Agency (CISA), more sophisticated attackers have now started exploiting the so-called Log4Shell bug (CVE-2021-44228), which affects devices and applications running vulnerable versions of the Log4j Java library. It's a potent flaw that allows remote attackers to take over a device after compromise.
In the lead up to the holidays and in light of persistent and ongoing cyber threats, CISA urges critical infrastructure owners and operators to take immediate steps to strengthen their computer network defenses against potential malicious cyber attacks. Sophisticated threat actors, including nation-states and their proxies, have demonstrated capabilities to compromise networks and develop long-term persistence mechanisms. These actors have also demonstrated capability to leverage this access for targeted operations against critical infrastructure with potential to disrupt National Critical Functions.
Major natural gas supplier Superior Plus announced on Tuesday that it is suffering from a ransomware attack. The billion-dollar propane seller said the incident started on December 12 but did not answer questions about which ransomware group was behind the attack or which systems were affected.
Adobe has issued critical warnings for more than 60 vulnerabilities in multiple products running on Windows and macOS machines. The vulnerabilities can be exploited by threat actors for code execution, privilege escalation and denial-of-service attacks.
A second vulnerability involving Apache Log4j was found on Tuesday after cybersecurity experts spent days attempting to patch or mitigate CVE-2021-44228. The description of the new vulnerability, CVE 2021-45046, says the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was "incomplete in certain non-default configurations." "This could allow attackers... to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack," the CVE description says.
Google released security updates to address five vulnerabilities in the Chrome web browser, including a high-severity zero-day flaw, tracked as CVE-2021-4102, exploited in the wild.
A new variant of the Agent Tesla malware has been spotted in an ongoing phishing campaign that relies on Microsoft PowerPoint documents laced with malicious macro code.
Attackers targeting telcos across the Middle East and Asia for the past six months are linked to Iranian state-sponsored hackers, according to researchers. The cyberespionage campaigns leverage a potent cocktail of spear phishing, known malware and legitimate network utilities that are leveraged to steal data and potentially disrupt supply-chains.
Romanian cybersecurity technology company Bitdefender on Monday revealed that attempts are being made to target Windows machines with a novel ransomware family called Khonsari as well as a remote access Trojan named Orcus by exploiting the recently disclosed critical Log4j vulnerability. The attack leverages the remote code execution flaw to download an additional payload, a .NET binary, from a remote server that encrypts all the files with the extension ".khonsari" and displays a ransom note that urges the victims to make a Bitcoin payment in exchange for recovering access to the files.
Western Digital has released updates for its SanDisk SecureAccess software to fix multiple vulnerabilities that can be exploited to access user data by carrying out brute force and dictionary attacks. The SanDisk SecureAccess software, now rebranded SanDisk PrivateAccess, allows storing and protecting critical and sensitive files on SanDisk USB flash drives. The access to the user's private vault is protected by a personal password, and all the files are automatically encrypted.
Workforce management solutions provider Kronos has suffered a ransomware attack that will likely disrupt many of their cloud-based solutions for weeks. Kronos is a workforce management and human resources provider who provides cloud-based solutions for managing timekeeping, payroll, employee benefits, analytics, and more. In 2020, Kronos merged with Ultimate Software to create a new company named UKG.
We are starting up this thread and making it available to everyone, whether a member of the CompTIA ISAO or not, due to the widespread severity of this issue.
The Apache Software Foundation has released a security advisory to address a remote code execution vulnerability (CVE-2021-44228) affecting Log4j versions 2.0-beta9 to 2.14.1. A remote attacker could exploit this vulnerability to take control of an affected system. Log4j is an open-source, Java-based logging utility widely used by enterprise applications and cloud services.
Some of the tools built into Outlook to boost productivity and collaboration could also make it easier to launch effective social engineering campaigns, researchers say.
In early December, researchers with Avanan discovered a way in which Outlook's features could be used to make an attacker appear more credible in a phishing or business email compromise (BEC) attack. Their attack started with a spoofed email. If an attacker had a private server, they could launch a domain impersonation attack with an email pretending to come from another sender
Kali Linux 2021.4 was released today by Offensive Security and includes further Apple M1 support, increased Samba compatibility, nine new tools, and an update for all three main desktops.
Kali Linux is a Linux distribution allowing cybersecurity professionals and ethical hackers to perform penetration testing and security audits against internal and remote networks.
With this release, the Kali Linux Team introduces a bunch of new features, including:
Apple M1 support for the VMware Fusion Public Tech Preview
Wide compatibility is enabled for Samba
Making it easier to switch to Cloudflare's package manager mirror
Kaboxer updated with support for window themes and icon theme
Updates to the Xfce, GNOME and KDE desktops
Raspberry Pi Zero 2 W + USBArmory MkII ARM images
Nine more tools
“CISA has released a second advisory about several Apache HTTP server vulnerabilities. In November, Cisco sent out a notice about the vulnerabilities, explaining that the Apache Software Foundation disclosed five vulnerabilities affecting the Apache HTTP Server (httpd) 2.4.48 and earlier releases on September 16.
Experts publicly disclose Proof-of-concept exploits for a critical remote code execution zero-day vulnerability, tracked a CVE-2021-44228 (aka Log4Shell), in the Apache Log4j Java-based logging library. The Chinese security researcher p0rz9 who publicly disclosed the PoC exploit code revealed that the CVE-2021-44228 can only be exploited if the log4j2.formatMsgNoLookups option is set to false.
“The new ALPHV ransomware operation, aka BlackCat, launched last month and could be the most sophisticated ransomware of the year, with a highly-customizable feature set allowing for attacks on a wide range of corporate environments.
Mandiant (previously FireEye) and Sonicwall joined forces and discovered that ransomware actors are currently leveraging previously disclosed Sonicwall vulnerabilities to deploy ransomware on networks. As in the past, threat actors are actively targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware in and using stolen credentials.
LINE Pay, a smartphone payment provider, announced yesterday that between September and November of this year, approximately 133,000 users’ payment details were inadvertently published on GitHub. A research group employee accidentally uploaded files detailing participants in a LINE Pay promotional programme staged between late December 2020 and April 2021 to the collaborative coding crèche.
A mysterious threat actor has run thousands of malicious servers in entry, middle, and exit positions of the Tor network. Tracked as KAX17, the threat actor ran at its peak more than 900 malicious servers part of the Tor network, which typically tends to hover around a daily total of up to 9,000-10,000. Servers added to the Tor network typically must have contact information included in their setup, such as an email address, so Tor network administrators and law enforcement can contact server operators in the case of a misconfiguration or file an abuse report.
A new remote access Trojan (RAT) known as Arrow RAT has been promoted on the darknet forum XSS by the user Mega_Knight. According to @Mega_Knight, Arrow RAT contains numerous features that are typical of RATs. This includes: Keylogging, Registry modification, Extraction of passwords stored in browsers, Hide files or folders. Arrow RAT also contains a hidden virtual network computing (hVNC) module, enabling the attacker to launch a hidden virtual desktop on an infected device.
SonicWall 'strongly urges' organizations using SMA 100 series appliances to immediately patch them against multiple security flaws rated with CVSS scores ranging from medium to critical. The bugs (reported by Rapid7's Jake Baines and NCC Group's Richard Warren) impact SMA 200, 210, 400, 410, and 500v appliances even when the web application firewall (WAF) is enabled.
Officials from the Ontario Provincial Police held a press conference on Tuesday to announce the charges and Philbert's arrest in Ottawa. In a statement, US Attorney Bryan Wilson of the District of Alaska said Philbert "conspired with others known and unknown to the United States to damage computers, and in the course of that conspiracy did damage a computer belonging to the State of Alaska in April 2018." Wilson and Canadian officials noted that they received help in the case from Dutch authorities and Europol
Emotet malware now directly installs Cobalt Strike beacons to give the attackers immediate access to the target network and allow them to carry out malicious activities, such as launching ransomware attacks. In a classic attack chain, the Emotet malware would install the TrickBot or Qbot trojans on infected devices, which in turn would deploy Cobalt Strike on an infected system. Emotet research group Cryptolaemus recently noticed a switch in the tactics of Emotet operators, which now are directly installing Cobalt Strike beacons on infected devices without installing the above intermediate Trojans.
Multiple vulnerabilities were recently reported to Unitrends and Kaseya within the Unitrends Recovery Series and Unitrends Agent Software. Unitrends and Kaseya gave high priority to these reports, as the company does with any report of a potential security issue, and has addressed the following vulnerabilities with the 10.5.5 software release.
Since 2017, someone is running about a thousand — 10% of the total — Tor servers in an attempt to deanonymize the network: Grouping these servers under the KAX17 umbrella, Nusenu says this threat actor has constantly added servers with no contact details to the Tor network in industrial quantities, operating servers in the realm of hundreds at any given point. The actor’s servers are typically located in data centers spread all over the world and are typically configured as entry and middle points primarily, although KAX17 also operates a small number of exit points.
Zoho ManageEngine Desktop Central is a popular management tool that administrators use for automatic software distribution and remote troubleshooting across the whole network. An authentication bypass vulnerability in ManageEngine Desktop Central MSP has been discovered, allowing an attacker to overcome authentication and execute arbitrary code on the Desktop Central MSP server.
Scammers monitor every tweet containing requests for support on MetaMask, TrustWallet, and other popular crypto wallets, and respond to them with scam links in just seconds. To conduct these targeted phishing attacks, scammers abuse Twitter APIs that allow them to monitor all public tweets for specific keywords or phrases.
QNAP warned customers today of ongoing attacks targeting their NAS (network-attached storage) devices with cryptomining malware, urging them to take measures to protect them immediately The cryptominer deployed in this campaign on compromised devices will create a new process named [oom_reaper] that will mine for Bitcoin cryptocurrency.
Microsoft announced to have obtained a court warrant that allowed it to seize 42 domains used by a China-linked APT15 group (aka Nickel, Ke3chang, Mirage, Vixen Panda, Royal APT and Playful Dragon) in recent operations that targeted organizations in the US and 28 other countries.
Zoho has released a security advisory to address an authentication bypass vulnerability in ManageEngine Desktop Central and Desktop Central MSP. An authentication bypass vulnerability in ManageEngine Desktop Central that could result in remote code execution. If exploited, the attackers can gain unauthorized access to the product by sending a specially crafted request leading to remote code execution. The severity of this vulnerability to be critical.
As the one-year anniversary of the discovery of the SolarWinds supply chain compromise passes, Mandiant remains committed to tracking one of the toughest actors we have encountered. These suspected Russian actors practice top-notch operational security and advanced tradecraft. However, they are fallible, and we continue to uncover their activity and learn from their mistakes. Ultimately, they remain an adaptable and evolving threat that must be closely studied by defenders seeking to stay one step ahead.
Talos researchers spotted a series of malvertising campaigns using fake installers of popular apps and games as a lure to trick users into downloading a new backdoor and an undocumented malicious Google Chrome extension. According to Talos, the threat actor has been active at least since late 2018, experts observed intermittent activity towards the end of 2019 and through early 2020. The group resurfaced in April 2021, the malvertising campaigns targeted users in Canada, the U.S., Australia, Italy, Spain, and Norway.
Users looking to activate Windows without using a digital license or a product key are being targeted by tainted installers to deploy malware designed to plunder credentials and other information in cryptocurrency wallets. KMSPico is an unofficial tool that's used to illicitly activate the full features of pirated copies of software such as Microsoft Windows and Office suite without actually owning a license key.
Microsoft is offering discounts of up to 50% on Microsoft 365 subscriptions to those using pirated versions of Microsoft Office willing to switch to a genuine version. This promotional offer is sent to Office users if Microsoft detects the version installed is non-genuine, and it shows as an alert under the top menu as first reported by Ghacks
According to Reuters and The Washington Post, Apple informed nine U.S. Embassy and State Department staff members that their iPhones may have been targeted by an unknown attacker employing state-sponsored spyware Pegasus. The malware is developed by the Israeli tech firm NSO Group Technologies.
Since February 2021, ANSSI has dealt with a series of phishing campaigns directed against French entities. The campaigns escalated significantly in May 2021. This malicious activity is attributable to one and the same intrusion set. The intrusion set succeeded in compromising email accounts belonging to French organisations, before using these access points to send weaponised emails to foreign institutions in the diplomatic sector. The initial method of intrusion remains unknown.
IT security researchers from Ruhr-Universität Bochum (RUB) and the Niederrhein University of Applied Sciences have discovered 14 new types of 'XS-Leak' cross-site leak attacks against modern web browsers, including Google Chrome, Microsoft Edge, Safari, and Mozilla Firefox. These types of side-channel attacks are called 'XS-Leaks,' and allow attacks to bypass the 'same-origin' policy in web browsers so that a malicious website can steal info in the background from a trusted website where the user enters information.
Colorado's Delta-Montrose Electric Association (DMEA) is still struggling to recover from a devastating cyberattack last month that took down 90% of its internal systems and caused 25 years of historical data to be lost. In an update sent to customers this week, the company said it expects to be able to begin accepting payments through its SmartHub platform and other payment kiosks during the week of December 6. "We also tentatively estimate we will be able to resume member billing the week of December 6 - 10. We recognize this will result in members receiving multiple energy bills close together. As a reminder, we will not disconnect services for non-payment or assess any penalties through January 31, 2022," the company said on a page that has been updated repeatedly over the last month.
CISA and the FBI have released a joint advisory; included in the advisory is data suggesting that advanced persistent threat groups are actively exploited CVE-2021-44077, “Rated critical, is an unauthenticated remote code execution (RCE) vulnerability affecting all ServiceDesk Plus versions up to, and including, version 11305, (US-CERT, 2021).
Twitter today announced the permanent removal of more than 3,400 accounts linked to governments of six countries running manipulation or spam campaigns. The social networking company says that the accounts were used in eight distinct operations attributed to Mexico, the People's Republic of China (PRC), Russia, Tanzania, Uganda, and Venezuela
“Phishing actors have quickly started to exploit the emergence of the Omicron COVID-19 variant and now use it as a lure in their malicious email campaigns” Threat actors will quickly adjust their phishing email content to match that of hot topics and trends. Preying on people’s urgency and fear can help make phishing campaigns more successful. A user may rush to open an email without thinking it through.
CISA and the FBI have released a joint advisory; included in the advisory is data suggesting that advanced persistent threat groups are actively exploited CVE-2021-44077, “Rated critical, is an unauthenticated remote code execution (RCE) vulnerability affecting all ServiceDesk Plus versions up to, and including, version 11305, (US-CERT, 2021).
Planned Parenthood Federation of America, Inc., or Planned Parenthood, is a nonprofit organization that provides reproductive health care in the United States and globally. The organization has disclosed a data breach after suffering a ransomware attack in October that exposed the personal information of approximately 400,000 patients.
Ubiquiti Inc. is an American technology company founded in San Jose, California, in 2003. Now based in New York City, Ubiquiti manufactures and sells wireless data communication and wired products for enterprises and homes under multiple brand names. Nickolas Sharp, a former employee of the networking device maker was arrested and charged with data theft and attempting to extort his employer while posing as a whistleblower and an anonymous hacker.
Researchers have recorded a 935% year-on-year increase in double extortion attacks, with data from over 2300 companies posted onto ransomware extortion sites. Group-IB’s Hi-Tech Crime Trends 2021/2022 report covers the period from the second half of 2020 to the first half of 2021. Ransomware-as-a-Service (RaaS) groups have partnered with initial access brokers which has created a large increase in ransomware attacks. Ransomware operators have had affiliates for some time who would provide them with access to networks. Now prominent ransomware groups are leveraging initial access broker communities to improve both their attack surface and profits. Increasing profits from ransomware attacks has created an equally profitable market for criminals interested in selling initial access to various groups.
Europol has identified 18,351 money mules and arrested 1,803 of them as part of an international anti-money-laundering operation codenamed EMMA 7. The operation is the result of a joint effort of 27 countries, Eurojust, INTERPOL, the European Banking Federation (EBF), and the FinTech FinCrime Exchange. The name EMMA is an acronym for European Money Mule Action operation, the first EMMA operation led by Europol took place in 2016
Lewis and Clark Community College in Godfrey, ILL closed all their campuses this week and cancelled all extra-curricular activities, including sports. The move was made after the director of information technology noticed suspicious activity last Tuesday and shut down the school's computer network on Wednesday.
Queensland government-owned energy generator CS Energy said on Tuesday it was responding to a ransomware incident that occurred over the weekend. First reported by Energy Source & Distribution, the company said the incident has not impacted electricity generation at Callide and Kogan Creek power station, and it was looking to restore its network.
An affiliate of the recently discovered Yanluowang ransomware operation is focusing its attacks on U.S. organizations in the financial sector using BazarLoader malware in the reconnaissance stage. Based on observed tactics, techniques, and procedures, the threat actor is experienced with ransomware-as-a-service (RaaS) operations and may be linked with the Five Hands group.
The rise of technologies like artificial intelligence (AI) and quantum computing is changing the world -- and intelligence services must adapt in order to operate in an increasingly digital environment, the head of MI6 has warned. In his first public speech since taking the role of "C" in October 2020, Richard Moore, chief of the UK Secret Intelligence Service (MI6), discussed the challenges posed by the rapid evolution in technology.
DNA Diagnostics Center (DDC), an Ohio-based DNA testing company, has disclosed a hacking incident that affects 2,102,436 persons. The incident resulted in a confirmed data breach that occurred between May 24, 2021, and July 28, 2021, but the firm discovered it only on October 29, 2021
The information that the hackers accessed includes the following:
Full names
Credit card number + CVV
Debit card number + CVV
Financial account number
Platform account password
The database contained older backups from 2004-2012 and was not linked to active systems. “DDC acquired certain assets from this national genetic testing organization in 2012 that included certain personal information, and therefore, impacts from this incident are not associated with DDC,” said the organization.
Japanese multinational conglomerate Panasonic disclosed a security breach after unknown threat actors gained access to servers on its network this month. "Panasonic Corporation has confirmed that its network was illegally accessed by a third party on November 11, 2021," the company said in a press release issued Friday. "As the result of an internal investigation, it was determined that some data on a file server had been accessed during the intrusion."
Wind turbine maker Vestas says "almost all" of its IT systems are finally up and running 10 days after a security attack by criminals, confirming that it had indeed fallen victim to ransomware. Alarm bells rang the weekend before last when the Danish organisation said it had identified a "cyber security incident" and closed off parts of its tech estate to "contain the issue.
North Korean state hacking group APT37 targets South Korean journalists, defectors, and human rights activists in watering holes, spear-phishing emails, and smishing attacks delivering malware dubbed Chinotto capable of infecting Windows and Android devices. APT37 (aka Reaper) has been active since at least 2012 and is an advanced persistent threat group (APT) linked to the North Korean government with high confidence by FireEye.
Biopharmaceutical company Supernus Pharmaceuticals confirmed it was the victim of a data breach after a ransomware attack that hit the firm last in Mid-November. The Company states that the security breach did not impact its operations, it notified government authorities and engaged cybersecurity experts and its outside law firm to respond to the incident. Supernus Pharmaceuticals also declared to have successfully recovered the encrypted files and has taken additional security measures to prevent future incidents.
Threat actors are exploiting a recently addressed server-side request forgery (SSRF) vulnerability, tracked as CVE-2021-40438, in Apache HTTP servers. The CVE-2021-40438 flaw can be exploited against httpd web servers that have the mod_proxy module enabled. A threat actor can trigger the issue using a specially crafted request to cause the module to forward the request to an arbitrary origin server
Apple on Tuesday filed a lawsuit against mercenary spyware company NSO Group and its parent company, seeking a permanent injunction that bans NSO Group from using any Apple software, services, or devices. The complaint also provides new information on how NSO Group infected victims' Apple devices with its Pegasus spyware. State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change," said Craig Federighi, Apple SVP of Software Engineering, said in a statement. "While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we're constantly working to strengthen the security and privacy protections in iOS to keep all our users safe.
A group of likely foreign government-sponsored hackers is behind cyberattacks on two bio-manufacturing companies that occurred this year, using a kind of malware capable of operating with independence within a network, an industry group warned. The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) dubbed the malware “Tardigrade” after the resilient micro-animal, and said it looks like the work of an advanced persistent threat group, a term that most often refers to government-backed attacker.
Researchers demonstrated that fingerprints could be cloned for biometric authentication for as little as $5 without using any sophisticated or uncommon tools. Although fingerprint-based biometric authentication is generally considered superior to PINs and passwords in terms of security, the fact that imprints can be left in numerous public places makes it ripe for abuse.
Multiple vulnerabilities in VMware vCenter Server were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning Americans not to take a break from cybersecurity this holiday season.
The Federal Bureau of Investigation (FBI) warned today of recently detected spear-phishing email campaigns targeting customers of "brand-name companies" in attacks known as brand phishing.
Notorious ransomware groups such as REvil and Mespinoza exploit exposed cloud services to gain initial access to victims' environments. Using a honeypot infrastructure of 320 nodes deployed globally, researchers aim better to understand the attacks against exposed services in public clouds.
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warn critical infrastructure partners of ransomware attacks during the holiday season. Government experts warn of other malicious activities such as phishing scams, fraudulent sites spoofing reputable businesses, and unencrypted financial transactions.
Imunify360 is the security solution for Linux web servers based on machine learning technology which utilizes a milti-layer approach to provide total protection against any types of malicious attacks or abnormal behavior including distributed brute force attacks.
UK government security experts have been forced to notify over 4000 domestic online businesses that their websites were infected with digital skimming code. GCHQ agency, the National Cyber Security Centre (NCSC), informed 4151 compromised online shops until the end of September. Most of these were exploited via a known bug in the popular Magento e-commerce software. The NCSC argued digital retailers needed to get their house in order ahead of the busy festive shopping period, which begins at the end of this week with the Black Friday weekend.
The Sky is a UK-based provider of broadband, Sky Broadband being a service employed by Sky UK. 6M Sky routers have been left exposed to cyberattacks for almost 18 months, meaning a year and a half while the company was trying to remediate a DNS rebinding flaw in the routers of the customers.
Founded in 1985, California Pizza Kitchen (CPK) is an American casual dining restaurant chain specializing in California-style pizza. According to Wikipedia, the chain has over 250 locations in 32 U.S. states and ten other countries, including 15 California Pizza Kitchen non-traditional franchise concepts designed for airports, universities, and stadiums.
The FBI has warned that a sophisticated group of attackers have exploited a zero-day flaw in a brand of virtual private networking (VPN) software since May. The FBI said its forensic analysis showed that the exploitation of the zero-day vulnerability in the FatPipe WARP, MPVPN, and IPVPN software, by an advanced persistent threat (APT) group, went back to at least May 2021. It did not provide any further information about the identity of the group.
Vestas Wind Systems, one of the world's largest makers of wind turbines, today confirmed company data had been compromised in a "cyber security incident" that forced the firm to isolate parts of its I.T. infrastructure. To contain the issue, I.T. systems were shut down across multiple business units and locations.
In October, Sophos researchers spotted a ransomware called Memento that adopts a curious approach to block access to a victims files. The ransomware copies files into password-protected WinRAR archives; it uses a renamed freeware version of the legitimate file utility WinRAR. The Memento ransomware then encrypts the password and deletes the original files from the victim’s system.
A point noted in this report is that insurers often will not cover the total amount of a security incident, meaning that cyber insurance payouts can help only so much. According to the report and news we have shared throughout 2021, ransomware attacks are rising. They will continue to be somewhat lucrative for those involved, especially if insurers continue to honor payouts and meet ransomware demands. According to the report, one client said that they received requests for 30+ ransomware payouts in their first year of operation.
The holidays are approaching, and there appears to be a shipping crunch. Due to supply chain concerns, many are worried that they won’t get their holiday gifts in time.
On November 16, 2021, The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) published the Cybersecurity Incident & Vulnerability Response Playbooks: Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability Response Activities in FCEB Information Systems.
This is a new group that I have not heard of or reported on yet; they refer to themselves as the "memento team." Like other groups, they are using Python-based ransomware that's been rewritten and reconfigured after 'set-backs,' as described by security researchers.
According to a report from NordPass, people are still using passwords such as ”123456,” ”12345,” ”password,” and ”qwerty.” Research reveals that these three are the weakest passwords nowadays and can easily make you vulnerable to hacking. The password 123456 appeared over 103 million times in NordPass’s research.
A new service known as OTPBlitz has been launched on the darknet forum XSS. OTPBlitz is designed to enable criminals to retrieve one-time passcodes (OTP) from victims by calling them directly and using text-to-speech software to impersonate platforms or services which utilise OTP. The operators target specific platforms or services, such as banks or payment providers, and then attempt to use social engineering via ‘scripts’ read by text-to-speech software to persuade victims to share their OTP.
A recent vulnerability released by Netgear could allow an attacker to leverage a pre-authentication buffer overflow in various product models. The models range from WiFi Extenders, Routers, Extenders, DSL Modems, Air Cards, and Cable Modems.
RAMP is a Russian-language forum that debuted in July 2021 and has drawn a lot of interest from researchers and cybercriminals alike. The forum was created on the same domain that previously housed the Babuk ransomware data leak site and the Payload[.]bin data leak site.
A freelance Chinese APT group is actively managing a library of compromised code-signing digital certificates to support cyber-espionage attacks targeting supply chain vendors, according to Venafi. The security vendor’s latest research report details the work of APT41, an unusual group in that it has previously been observed carrying out attacks for both traditional state-sponsored cyber-espionage and personal financial gain.
A joint advisory released by government agencies (the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC)) in the U.S., U.K., and Australia warns that Iran-linked threat actors are exploiting Fortinet and Microsoft Exchange vulnerabilities in attacks aimed at critical infrastructure in the US and Australian organizations.
As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN® device software1 going back to at least May 2021. The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. Exploitation of this vulnerability then served as a jumping off point into other infrastructure for the APT actors. This vulnerability is not yet identified with a CVE number but can be located with the FatPipe Security Advisory number FPSA006. The vulnerability affects all FatPipe WARP®, MPVPN, and IPVPN® device software prior to the latest version releases 10.1.2r60p93 and 10.2.2r44p1.
One forum user in early May offered $25,000 for proof-of-concept (POC) exploit code for CVE-2021-22893, a critical-severity vulnerability in Pulse Secure VPN that Chinese hackers had leveraged since at least April. Another actor with deeper pockets claimed a budget of up to $3 million for no-interaction remote code execution (RCE) bugs, the so-called zero-click exploits, for Windows 10 and Linux. The same user offered up to $150,000 for original solutions for "unused startup methods in Windows 10" so malware would be active every time the system booted.
As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN device software1 going back to at least May 2021. The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a web shell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. The exploitation of this vulnerability then served as a jumping-off point into other infrastructure for the APT actors.
CISA released an alert (AA21-321A) this morning suggesting that APT groups on behalf of the Iranian government may be exploiting vulnerabilities in servers and appliances that are exposed to the internet and have not received security patches from vendors.
Security experts have warned of a surge in distributed denial of service (DDoS) attacks in the third quarter, with quantity, size and complexity all increasing in the period. The findings come from Lumen’s Q3 DDoS Report, which revealed that the firm mitigated 35% more attacks in the quarter than Q2 2021. The vendor claimed that the largest bandwidth attack it tackled during the period was 612 Gbps — a 49% increase over Q2. The largest packet rate-based attack scrubbed was 252 Mbps — a 91% increase.
Microsoft has detailed the activities of six Iranian hacker groups that are behind waves of ransomware attacks that have arrived every six to eight weeks since September 2020. Russia is often seen as the home of the biggest cyber-criminal ransomware threats, but state-sponsored attackers from North Korea and Iran have also shown a growing interest in ransomware.
Researchers from Cleafy believe that Cleafy SharkBot utilizes ATS attack techniques to bypass behavioral analytics, biometric checks, and multi-factor authentication (MFA). However, there is one caveat, the malware must compromise Android Accessibility Services first.
Intel disclosed two high-severity vulnerabilities that affect the BIOS firmware in several processor families; both vulnerabilities have received a CVSS v3 score of 8.2. The vulnerabilities, tracked as CVE-2021-0157 and CVE-2021-0158, were discovered by researchers at SentinelOne and can be exploited by an attacker with physical access to the device to elevate privileges.
“Researchers have developed a new fuzzing-based technique called 'Blacksmith' that revives Rowhammer vulnerability attacks against modern DRAM devices that bypasses existing mitigations. The emergence of this new Blacksmith method demonstrates that today's DDR4 modules are vulnerable to exploitation, allowing a variety of attacks to be conducted”
ON SATURDAY, the U.S. Federal Bureau of Investigation (FBI) confirmed unidentified threat actors have breached one of its email servers to blast hoax messages about a fake "sophisticated chain attack." The incident, which was first publicly disclosed by threat intelligence non-profit SpamHaus, involved sending rogue warning emails with the subject line "Urgent: Threat actor in systems" originating from a legitimate FBI email address "eims@ic.fbi[.]gov" that framed the attack on Vinny Troia, a security researcher and founder of dark web intelligence firms Night Lion Security and Shadowbyte, while also claiming him to be affiliated with a hacking outfit named TheDarkOverlord.
Also known by the monikers APT38, Hidden Cobra, and Zinc, the Lazarus Group was active as early as 2009 and linked to a string of attacks for financial gain and harvesting sensitive information from compromised environments. Lazarus, the North Korea-affiliated state-sponsored group, is attempting to once again target security researchers with backdoors and remote access trojans using a trojanized pirated version of the popular IDA Pro reverse engineering software.
ProxyShell is a name given to a combination of three vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker chaining the exploitation of these vulnerabilities could execute arbitrary code with SYSTEM privileges on Exchange servers.
Microsoft has released out-of-band updates to fix authentication failures related to Kerberos delegation scenarios impacting Domain Controllers (DC) running Windows Server. These issues impact Windows Server 2019 and lower versions, including Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.
The Emotet malware was considered the most widely spread malware in the past, using spam campaigns and malicious attachments to distribute the malware. Emotet would then use infected devices to perform other spam campaigns and install other payloads, such as the QakBot (Qbot) and Trickbot malware. These payloads would then be used to provide initial access to threat actors to deploy ransomware, including Ryuk, Conti, ProLock, Egregor, and many others.
A free and unofficial patch is now available for a zero-day local privilege escalation vulnerability in the Windows User Profile Service that lets attackers gain SYSTEM privileges under certain conditions.
According to an audit report that the Queensland Audit Office released on the 10th of November, it seems that hackers have targeted the Queensland water supplier for nine months, during which the threat actors maintained continued access to company servers.
Johnson Memorial Health is located in Indiana; they have reportedly been targeted and breached by attackers, which has impacted their ability to operate, "At this time, no appointments or surgeries have been canceled, and we ask all patients scheduled to receive services to report to JMH as normal.
Google's Threat Analysis Group (TAG) has revealed that hackers targeting visitors to websites in Hong Kong were using a previously undisclosed, or zero-day, flaw in macOS to spy on people. Apple patched the bug, tracked as CVE-2021-30869, in a macOS Catalina update in September, about a month after Google TAG researchers found it being used.
BotenaGo is a new botnet discovered by researchers at AT&T that leverages thirty three exploits to target millions of routers and IoT devices.
Trend Micro researchers reported that TeamTNT hackers are targeting poorly configured Docker servers exposing Docker REST APIs as part of an ongoing campaign that started in October. Threat actors execute malicious scripts to deploy Monero cryptocurrency miners, perform container-to-host escape using well-known techniques, and scan the Internet for exposed ports from other compromised containers.
A new Android malware known as MasterFred uses fake login overlays to steal the credit card information of Netflix, Instagram, and Twitter users. This new Android banking trojan also targets bank customers with custom fake login overlays in multiple languages
Palo Alto Networks issued a critical security advisory for CVE-2021-3064, where a Memory Corruption Vulnerability was discovered in GlobalProtect Portal and Gateway Interfaces. The advisory states that, “A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue.”
I wanted to let you know that we received information from an internal source that a company in the telecommunications industry or otherwise provides services to those in the field has confirmed a breach likely on behalf of Conti ransomware operators or its affiliates.
We reported yesterday that companies using vulnerable Solarwinds Serv-U instances should patch them right away as various global security researchers have been observing active exploitation. Several vulnerable servers were reported in the United States and China; Palo Alto attributed attacks to the FIN11, a financially motivated cybercriminal group operating out of Russia.
We have provided members with a .PDF version of this report that is intended to be distributed as widely as possible amongst business constituents. Please use the download button at the top.
In this week's Microsoft Tuesday patch update, several vulnerabilities were publicly disclosed, which varied greatly in severity. One particular vulnerability seems to be receiving quite much attention amongst organizations, cybercriminals, and adversaries.
NPM is the package manager for the Node JavaScript platform. It puts modules in place so that nodes can find them and manages dependency conflicts intelligently. It is highly configurable to support a wide variety of use cases. Most commonly, it is used to publish, discover, install, and develop node programs.
Medatixx, a German medical software vendor whose products are used in over 21,000 health institutions, urges customers to change their application passwords following a ransomware attack that has severely impaired its entire operations. The firm clarified that the impact has not reached clients and is limited to their internal IT systems and shouldn't affect any of their PVS (practice management systems)
Researchers have provided a deep dive into the activities of Lyceum, an Iranian threat group focused on infiltrating the networks of telecoms companies and internet service providers (ISPs). Lyceum, also known as Hexane, Siamesekitten, or Spirlin, has been active since 2017. The advanced persistent threat (APT) group has been linked to campaigns striking Middle Eastern oil and gas companies in the past and now appears to have expanded its focus to include the technology sector.
TA505, also known as FIN11, Buhtrap, Ratopak Spider, Silence, and Gold Evergreen, depending on the security vendor and or company, has a long history of breaching companies through various initial access vectors. FIN11 activity has been reported since approximately 2006 and is considered one of the most significant financially motivated threat actors because of the large volumes of messages they send to targeted organizations.
Earlier this year, the attack against Kaseya products had devastating consequences for MSPs, downstream customers, and companies alike. According to multiple sources, five individuals from various parts of the globe have been arrested since February 2021. These five are believed to have been responsible for deploying REvil on systems belonging to some 5,000 organizations.
On 4 November, Romanian authorities arrested two individuals suspected of cyber-attacks deploying the Sodinokibi/REvil ransomware. They are allegedly responsible for 5,000 infections, which in total pocketed half a million euros in ransom payments.
Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Web shells, NGLite Trojan, and KdcSponge Stealer
Several Nation-State attacks were reported over the weekend where attackers are leveraging CVE-2021-40539 in Zoho ManageEngine ADSelfService Plus build 6114.
ManageEngine ADSelfService Plus has integrated self-service password management and a single sign-on solution for Active Directory and cloud apps. On September 16th, 2021, we alerted members of software vulnerabilities that could be leveraged in remote attacks. We shared CISA's alert so that companies could apply patches to mitigate risks as necessary.
Initial exploitation is obtained via web shells, including the use of Godzilla, which can be obtained publicly on Github. PaloAlto also mentions in their reporting that they observed the use of a new backdoor called NGLite, which is also publicly available on Github. Both programs appear to be developed with Chinese instructions, "used for redundancy and to maintain access to high-interest networks
A Chinese intelligence officer has been convicted of cyber-espionage by a US federal jury, in the first ever case of its kind. Xu Janun, deputy division director of the Sixth Bureau of the Jiangsu Province Ministry of State Security, was found guilty of conspiring to and attempting to commit economic espionage and theft of trade secrets, according to the Department of Justice (DoJ)
Interpol announced the arrest of six alleged affiliates with the Clop ransomware operation as part of an international joint law enforcement operation codenamed Operation Cyclone. Law enforcement authorities from South Korea, Ukraine, and the United States, joined their efforts in a 30-month investigation that was coordinated by Interpol
Access to a platform operated by Oiltanking is for sale on Raid Forums. Oiltanking is a multinational logistics service provider specialising in petroleum products headquartered in Germany. The sale is being conducted by the user mont4na. According to mont4na, this access includes user emails, usernames and plaintext passwords.
The use of QR codes is becoming increasingly common because of the cost reduction; manufacturing companies realize that they can replace paper with technology. They’ve also found a place at conferences, restaurants, and other public places amid the COVID-19 pandemic as a sanitary measure to prevent sickness. Like any other piece of technology, such implementation has security risks associated with its use.
Attackers will often search public-facing appliances or exploit vulnerabilities on internal LANs after initial access is made, which could be through misconfigured remote protocols or by accessing services that lack proper authentication mechanisms.
Researchers have released public exploit code and a proof of concept tool to test Bluetooth devices against System-on-a-Chip (SoC) security bugs impacting multiple vendors, including Intel, Qualcomm, Texas Instruments, and Cypress. Collectively known as BrakTooth, these 16 flaws impact commercial Bluetooth stacks on over 1,400 chipsets used in billions of devices such as smartphones, computers, audio devices, toys, IoT devices, and industrial equipment
The US government is targeting the DarkSide ransomware and its rebrands with up to a $10,000,000 reward for information leading to the identification or arrest of members of the operation. The US Department of Statement will reward informants who supply the identification or location of DarkSide ransomware members operating in key leadership positions.
Cisco Systems has released security updates to address vulnerabilities in multiple Cisco products that could be exploited by an attacker to log in as a root user and take control of vulnerable systems.
Yesterday, we reported on the potential closure of the prolific BlackMatter ransomware group. First reported by VX-Underground, messages shared with Bleeping Computer showed BlackMatter was going to close shop due to law enforcement pressure.
Phishing remains the most successful way to steal credentials from victims, new data shows 5.6 million phishing sites have been used this year to send 36 million malware laden email attachments.
Research into how rootkits are used by cybercriminals has revealed that close to half of campaigns are focused on compromising government systems. On Wednesday, Positive Technologies released a report on the evolution and application of rootkits in cyberattacks, noting that 77% of rootkits are utilized for cyberespionage.
Google released their Android November 2021 security updates this week. The updates address 18 vulnerabilities in the framework and 18 issues in the kernel and vendor components.
The BlackMatter ransomware is allegedly shutting down its operation due to pressure from the authorities and recent law enforcement operations. BlackMatter operates a private ransomware-as-a-service (RaaS) website that affiliates can use to communicate with the core operators, open support tickets, and receive new ransomware builds
The Federal Bureau of Investigation (FBI) warns that ransomware gangs are targeting companies involved in "time-sensitive financial events" such as corporate mergers and acquisitions to make it easier to extort their victims. In a private industry notification published on Monday, the FBI said ransomware operators would use the financial information collected before attacks as leverage to force victims to comply with ransom demands
A trusted third party to the Cybersecurity and Infrastructure Security Agency (CISA) has provided the attached information regarding Trickbot malware for your awareness and action. Trickbot is a highly modular malware, capable of performing a number of actions on a network such as steal information or drop ransomware.The attached “Trickbot” spreadsheet lists Trickbot infrastructure in use in September and October 2021. Specific dates and infrastructure are indicated on the tabs of the spreadsheet.
Blackmatter, the ransomware responsible for targeting various critical infrastructure and industry across the globe have reportedly added a new tool to their arsenal. BlackMatter uses a ransomware-as-a-service model that allows ransomware's developers to profit from cybercriminal affiliates. Researchers from Symantec have discovered a new tool that they’ve named Exmatter, the tool targets specific file types from selected directories and then uploads them to attacker-controlled servers before the ransomware is installed on networks.
Most computer code compilers are at risk of ‘Trojan source’ attacks in which adversaries can introduce targeted vulnerabilities into any software without being detected, according to researchers from the University of Cambridge. The paper, Trojan Source: Invisible Vulnerabilities, detailed how weaknesses in text encoding standards such as Unicode can be exploited “to produce source code whose tokens are logically encoded in a different order from the one they are displayed.” This leads to very difficult vulnerabilities for human code reviewers to detect, as the rendered source code looks perfectly acceptable
There's been a surge in mobile phishing attacks targeting the energy sector as cyber attackers attempt to break into networks used to provide services including electricity and gas. The energy industry is highly critical, providing people with vital services required for everyday use. That role makes it a prime target for cyber criminals
On Tuesday, Intel 471 published an analysis of current black market trends online, revealing instances of initial access brokers (IABs) offering access to international shipping and logistics companies across the ground, air, and sea.
A ransomware attack has disrupted the activities of the Toronto public transportation agency and has taken down several systems used by drivers and commuters alike. The Toronto Transit Commission said the attack was detected last week on Thursday night and was discovered by a TTC IT staffer who detected “unusual network activity.
Healthcare facilities and related industry have been targeted by criminals frequently as of late. In recent news, “A cyberattack appears to be behind a provincewide disruption of health-care services in Newfoundland and Labrador that has affected thousands of appointments and procedures, including those involving COVID-19 testing.
Security researchers have discovered a new data exfiltration tool designed to accelerate information theft for ransomware groups using the BlackMatter variant. The Symantec Threat Hunter team explained in a new blog post today that the custom tool is the third discovery of its kind, following the development of the Ryuk Stealer tool and the LockBit-linked StealBit. The researchers claimed BlackMatter itself is linked to the “Coreid” cybercrime group, which may have also been responsible for Darkside — the variant that led to the Colonial Pipeline outage.
In a report from ESET researchers revealed that The Hive ransomware gang now also encrypts Linux and FreeBSD using new malware variants specifically developed to target these platforms. However, as Slovak internet security firm ESET discovered, Hive's new encryptors are still in development and still lack functionality. They also said that the Linux variant also proved to be quite buggy during ESET's analysis, with the encryption completely failing when the malware was executed with an explicit path.
Qihoo 360’s Netlab Cybersecurity researchers discovered a huge botnet, tracked as Pink, that already infected over 1.6 million devices. The botnet was created to launch DDoS attacks and to insert advertisements in the legitimate HTTP traffic of the victims, most of which are in China (96%)
The U.S. Federal Bureau of Investigation (FBI) has sent out a flash alert warning private industry partners that the HelloKitty ransomware gang (aka FiveHands) has added distributed denial-of-service (DDoS) attacks to their arsenal of extortion tactics. The FBI said that the ransomware group would take their victims' official websites down in DDoS attacks if they didn't comply with the ransom demands
The attack chain possibly involves the Trickbot Trojan as an initial infection vector. Once executed, the malware, using hardcoded rules, will attempt to exfiltrate files from a local machine. This malware has been used to conduct ransomware attacks against medium to large sized organizations concentrated in North America, Europe, and Asia.
Researchers have spotted two campaigns linked to either the REvil ransomware gang or the SolarMarker backdoor that use SEO poisoning to serve payloads to targets. SEO poisoning, also known as "search poisoning," is an attack method that relies on optimizing websites using 'black hat' SEO techniques to rank higher in Google search results. Due to their high ranking, victims who land on these sites believe they are legitimate, and actors enjoy a heavy influx of visitors who look for specific keywords.
Google has released Chrome 95.0.4638.69 for Windows, Mac, and Linux to address two zero-day vulnerabilities, tracked as CVE-2021-38000 and CVE-2021-38003, actively exploited in attacks in the wild
An American university is notifying thousands of former and current students that their personal information may have been compromised during a recent data breach. In a security notice issued October 25, the University of Colorado Boulder (CU Boulder) attributed the breach to an unpatched vulnerability in software provided by a third-party vendor, Atlassian Corporation Plc.
Researchers have found an unsecured database leaking over 886 million sensitive patient records online. The non-password-protected data trove was found by Jeremiah Fowler and Website Planet and traced to healthcare AI firm Deep 6 AI, which fixed the privacy snafu promptly after it was responsibly disclosed. Deep 6 AI applies intelligent algorithms to medical data to help find patients for clinical trials within minutes. The exposed data included date, document type, physician note, encounter IDs, patient ID, note, UUID, patient type, note ID, date of service, note type, and detailed note text.
The OptinMonster plugin is affected by a high-severity flaw that allows unauthorized API access and sensitive information disclosure on roughly a million WordPress sites. Tracked as CVE-2021-39341, the flaw was discovered by researcher Chloe Chamberland on September 28, 2021, with a patch becoming available on October 7, 2021
Cyber attackers aren't just looking for software flaws, supply chain weakness, and open RDP connections. The other key asset hackers are after is identities, especially account details that will give them access to other internal systems. Russian cyber actors were not only behind the SolarWinds attack that trojanized software updates, they have also been using extensive password spraying techniques to steal admin accounts for initial access.
North Korean-sponsored Lazarus hacking group has switched focus on new targets and was observed by Kaspersky security researchers expanding its supply chain attack capabilities. Lazarus has been seen using a new variant of the BLINDINGCAN backdoor to target political think tanks in South Korea, and to breach a Latvian IT vendor earlier this year. The infection chain used South Korean security software to deploy a malicious payload.
The FBI published a flash alert to warn of Ranzy Locker ransomware operations that had already compromised at least 30 US companies this year. The gang has been active since at least 2020, threat actors hit organizations from various industries. The attack vector most used by the Ranzy Locker ransomware operators are brute force attempts targeting Remote Desktop Protocol (RDP) credentials. In recent attacks, the group also exploited known Microsoft Exchange Server vulnerabilities and used phishing messages to target computer networks.
Researchers discovered approximately 325,917 Remote Desktop Protocol credentials sets on the dark web from June 1st, 2021, through May 31st, 2021. This is in addition to the nearly 4.6 million endpoints and other remote protocols and systems for sale on the deep and dark web.
The same standard that allows wireless devices to remain connected and roam between access points also allows attackers to easily collect critical Wi-Fi keys that can later be hashed to find Wi-Fi network passwords, a researcher found in a wardriving experiment
This week we received news of another potential attack on a water treatment facility. Kansas man Wyatt A. Travinchek pleaded guilty to tampering with a computer system responsible for water treatment at the Post Rock Rural Water District. He was also charged with reckless damage to a protected computer system through his unauthorized access.
Microsoft recently released news regarding the Nobelium threat actors, the same ones responsible for the supply chain attack leveraging Solarwinds Orion products. Microsoft says the actors may replicate a similar approach by targeting organizations integral to the global IT supply chain. However, with this go-around, it's possible that they may be targeting "supply-chain: resellers and other technology service providers that customize, deploy, and manage cloud services and other technologies on behalf of their customers, (Microsoft, 2021)." Rather than exploiting flaws and vulnerabilities, they may use standard techniques as initial access vectors, such as password-spraying and phishing.
Discourse is a popular open-source Internet forum and mailing list management software application. CISA published a security advisory to urge administrators to fix a critical remote code execution flaw, tracked as CVE-2021-41163, in Discourse installs. The vulnerability received a CVSS v3 score of 10.0
The Commerce Department’s Bureau of Industry and Security (BIS) would introduce a new export control rule aimed at banning the export or resale of hacking tools to authoritarian regimes. The rule announced by the BIS tightens export controls on technology that could be used by adversaries to conduct malicious cyber activities and surveillance of private citizens resulting in human rights abuse
According to new research from Akamai, over 25% of malicious JavaScript code is being obfuscated using “packers” or software packaging methods that help evade signature-based detection. “Packers work by compressing or encrypting code to make that code unreadable and non-debuggable — resulting in 'obfuscated' code that is difficult for antivirus to detect”
Westmoreland, Kansas is the seat of Pottawatomie County and home to around 750 of its 25,000 residents. The town was a stop on the Oregon Trail and is littered with references to that network of covered wagons that carried hundreds of thousands of people across the American west in the mid-1800s. But in recent weeks it was the site of another modern migration—this one of data, stolen from Pottawatomie County’s computers by cybercriminals who paralyzed its systems with ransomware and left some services inaccessible to residents for weeks.
At least 19 customers were targeted and prosecutors estimate that the employee received $2,325 in bribes. Following his arrest, Defiore pleaded guilty to one count of conspiracy to commit wire fraud. US Attorney Duane Evans said that Defiore was sentenced on October 19 and will serve three months probation, a year of home confinement, and must perform 100 hours of community service. The SIM-swapper must also pay a $100 fee and $77,417.50 in restitution.
Cisco Talos recently discovered multiple vulnerabilities in the ZTE MF971R LTE portable router. The MF971R is a portable router with Wi-Fi support and works as an LTE/GSM modem. An attacker could exploit all these vulnerabilities by sending a specially crafted HTTP request to the targeted device.
Sinclair Broadcast Group is a Fortune 500 media company (with annual revenues of $5.9 billion in 2020) and a leading local sports and news provider that owns multiple national networks. Its operations include 185 television stations affiliated with Fox, ABC, CBS, NBC, and The CW (including 21 regional sports network brands), with approximately 620 channels in 87 markets across the US (amounting to almost 40% of all US households). This is the second incident that impacted Sinclair's TV stations in July 2021, when the company asked all Sinclair stations to change passwords "as quickly as possible" following a security breach.
Cyjax analysts have analysed a long-running AgentTesla infostealer campaign targeting Dubai and the United Arab Emirates. The campaign began in at least January 2021 and the samples we gathered continued, almost daily, until May 2021. We have also seen new samples compiled in October 2021. Unlike most AgentTesla campaigns, the targeting focused heavily on the UAE, with only a handful of samples using the same C2 servers venturing outside the region into India and Italy.
Cisco Talos recently discovered multiple vulnerabilities in the ZTE MF971R LTE portable router.
Twitter has taken down two accounts – @lagal1990 and @shiftrows13 – specifically used to trick security researchers into downloading malware in a long-running cyber-espionage campaign attributed to North Korea.
The US authorities have released more details on emerging ransomware group BlackMatter, which it says has already targeted multiple critical infrastructure providers in the United States. The alert comes from the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the National Security Agency (NSA).
A new survey of 300 US-based IT decision makers found that 64% have been victims of a ransomware attack in the last 12 months and 83% of attack victims paid the ransom demand.
Symantec spotted a previously unknown nation-state actor, tracked as Harvester, that is using a custom implant, dubbed Backdoor.Graphon, in attacks aimed at telecommunication providers, IT firms, and government entities in South Asia.
Cyber-attacks against internet-connected resources have risen during the last 12 months – with distributed denial-of-service (DDoS) one of the most significant. DDoS has the power to shut down internet connectivity for an organization and act as a smokescreen for more malicious attacks such as ransomware. Yet understanding the financial impact can be challenging to calculate.
According to reports this morning, the REvil ransomware group has had it’s operations shut down again after a threat actor hijacked their Tor leak site and payment portal. The information was shared on the XSS hacking forum from one of REvil’s representatives named “0_neday.
The actors behind the campaign appear to be ‘TA505,’ an active Russian threat group that has a long history of creativity in the way they place Excel documents in malspam campaigns.
The U.S. Cybersecurity Infrastructure and Security Agency (CISA) on Thursday warned of continued ransomware attacks aimed at disrupting water and wastewater facilities (WWS), highlighting five incidents that occurred between March 2019 and August 2021.
Security researchers were able to crack the malwares encryption algorithm and produce a decryptor victim organizations can use for file and system recovery, “Trustwave, a Chicago-based cybersecurity and managed security services provider owned by Singaporean telecommunications company Singtel Group Enterprise, on Friday announced the release of the free decryptor, available for download from GitHub
HP released its latest Wolf Security Threat Insights Report, finding evidence that cybercriminals are moving even faster in taking advantage of zero-day vulnerabilities and exploiting specific problems like CVE-2021-40444 -- the remote code execution vulnerability targeting the MSHTML browser engine through Microsoft Office documents.
A prominent botnet known as MyKings has made $24.7 million using it’s network of compromised computers to mine and steal cryptocurrency.
MyKings, also known as Smominru and Hexmen, is the world's largest botnet dedicated to mining cryptocurrencies by free-riding off its victims desktop and server CPUs. It's a lucrative business that gained attention in 2017 after infecting more than half a million Windows computers to mine about $2.3 million of Monero in a month.
Some 93% of global organizations have suffered a direct breach due to weaknesses in their supply chains over the past year, according to BlueVoyant.
BlueVoyant surveyed 1200 IT and procurement managers responsible for supply chain and cyber risk management. Their research found that the number of breaches experienced in the past 12 months grew from “2.7 in 2020 to 3.7 in 2021, a 37% increase.
A joint cybersecurity advisory published today by the FBI, NSA, CISA, and the EPA revealed three more attacks launched by Ransomware gangs against US water and wastewater treatment facilities (WWS) this year.
The advisory marks the first time these attacks have been publicly disclosed. The three facilities hit by ransomware were located in Nevada, Maine, and California in March, July, and August respectively. The attacks were the result of compromised SCADA industrial control systems.
A Chinese speaking threat actor called IronHusky has been exploiting a zero-day vulnerability in the Windows Win32k driver to deploy a new remote access trojan (RAT). The RAT is called MysterySnail and was discovered by Kaspersky researchers in August and September of 2021 after being seen on multiple Microsoft servers. The researchers found an elevation of privilege exploit tracked as CVE-2021-40449 being used to install MysterySnail. The vulnerability was patched in this month’s Patch Tuesday.
Microsoft announced that its Azure cloud service mitigated a 2.4 terabytes per second (Tbps) DDoS attack at the end of August, it represents the largest DDoS attack recorded to date. The attack was aimed at an Azure customer in Europe, but Microsoft did not disclose the name of the victim. This is the largest DDoS against an Azure customer since August 2020 when experts observed a 1 Tbps attack
CISA has released the most common three bad practices that can potentially expose organizations to cyber attacks. After reviewing them, they correlate directly to large-scale breaches that we typically see and share every week. Devices and infrastructure impacted by some of these misconfigurations or ‘bad-practices,’ per se, range from products and platforms that are both cloud-based or locally maintained on-prem.
CVE-2021-41773 is described as a path traversal flaw in version 2.4.49, which was itself only released a few weeks ago. An attacker could use a path traversal attack to map URLs to files outside the expected document root,” a description of the bug noted. “If files outside of the document root are not protected by ‘require all denied’ these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.
A new strain of Python-based malware has been used in a "sniper" campaign to achieve encryption on a corporate system in less than three hours. The attack, one of the fastest recorded by Sophos researchers, was achieved by operators who "precision-targeted the ESXi platform" in order to encrypt the virtual machines of the victim
According to its site, Karakurt is a “hacking team” that compromises an organisation's data and then extorts them for its return. It is unclear if Karakurt utilises ransomware or if it only steals data. Based on Karakrut's claims, organisations will be notified of the compromise, and will then have to choose whether to pay an unspecified fee or have their data leaked via the Karakurt site.
The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Insider Risk Mitigation Self-Assessment Tool, a new tool that allows organizations to assess their level of exposure to insider threats
Bandwidth is a voice over Internet Protocol (VoIP) services company that provides voice telephony over the Internet to businesses and resellers. Recent reporting suggests that they have become the latest victim of distributed denial of service attacks targeting VoIP providers this month, as a result there have been nationwide voice outages across the globe.
Nobelium is believed to be linked to the Russian government and has been attributed to the 2020 attack on Solarwinds, Orion IT Monitoring platforms. They pivoted from Solarwinds to infiltrate US government networks – including United States Court Systems.
We reported last week that VMware had released updates to address critical vulnerabilities in their vSphere and Cloud Foundation software where a remote attacker could take control of an affected device over port 443. These types of platforms often store mission-critical data in the form of virtual machines, which could include domain controllers, proprietary applications, as well as data centers.
A security notice related to a SonicWall critical vulnerability in SMA 100 series devices has been issued by the company. The flaws are classified as CVE-2021-20034. If successfully exploited, it could allow a cybercriminal to delete random files from (SMA 200, 210, 400, 410, 500v) products and achieve administrative rights. The company is urging users to patch it as soon as possible.
State-sponsored hackers affiliated with Russia are behind a new series of intrusions using a previously undocumented implant to compromise systems in the U.S., Germany, and Afghanistan.
FBI, CISA, and the NSA released an advisory last week that we shared with everyone advising companies that they noticed a spike in Conti ransomware attacks. “The attack took place on Saturday, September 18th. It is a ransomware CONTI, whose main objective is the encryption of information.
Cybersecurity researchers from Morphisec have spotted a new version of the Jupyter infostealer that continues to be highly evasive. In November 2020, researchers at Morphisec spotted Russian-speaking threat actors that have been using a piece of .NET infostealer, tracked as Jupyter, to steal information from their victims.
Advanced persistent threat attackers are leveraging a vulnerability in Zoho ManageEngine ADSelfService Plus, according to a joint advisory from the FBI, the United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA).
Researchers at Guard discovered a vulnerability in approximately 100 million devices across 10,000 enterprises vulnerable to attacks. NanoMQ, an open-source platform from EMQ that monitors IoT devices in real-time, acts as a “message broker” to deliver alerts that detect unusual activity. EMQ’s products are used to monitor the health of patients leaving a hospital, to detect fires, monitor car systems, smartwatches, smart-city applications, and more.
It has been a pretty busy week for vendors of networking equipment. Netgear this week disclosed several vulnerabilities in their product line of home and office routers. Now, Cisco is advising everyone that they have addressed three critical vulnerabilities impacting their IOS XE operating system used to power multiple products, including routers and wireless controllers.
Attackers often rely on varying behaviors between different systems to gain access. Attackers may bypass filtering by convincing a mail gateway that a malicious document is legitimate, so the computer thinks it is an executable program.
CISA, FBI, and the NSA released a joint advisory today warning companies of Conti Ransomware targeting organizations worldwide. The alert suggests that operators are attempting to steal sensitive information from the United States and International Organizations.
The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI) and the National Security Agency (NSA) announced the release of an advisory today on the Conti ransomware threat, including technical details about cyber actors’ behavior mapped to MITRE ATT&CK and recommended mitigations.
Networking equipment company Netgear has released patches to remediate a high-severity remote code execution vulnerability affecting multiple routers that could be exploited by remote attackers to take control of an affected system.
Bugs were discovered in Microsoft Exchanges’s Autodiscover feature, researchers believe that 100,000 user credentials including usernames and passwords have been leaked as a result.
VMware has released security updates to address multiple vulnerabilities in vCenter Server and Cloud Foundation. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to access restricted endpoints.
After a run of ransomware attacks in the first half of the year, President Joe Biden in July warned his Russian counterpart, Vladimir Putin, that Russia-based hacking groups should steer clear of 16 critical sectors of the U.S. economy.
OpenOffice.org, commonly known as OpenOffice, is a discontinued open-source office suite. It was an open-sourced version of the earlier StarOffice, which Sun Microsystems acquired in 1999 for internal use.
Threat actors are compromising Windows IIS servers to add expired certificate notification pages that prompt visitors to download a malicious fake installer. While the method used by the attackers to compromise IIS servers is not yet known, attackers can use various ways to breach a Windows IIS server.
We reported a while ago that company CMA CGM had suffered from an attack that impacted several servers and websites. The company immediately disconnected systems from networks and powered off equipment to prevent the Ragnar Locker, Windows-Based ransomware from spreading throughout their network, "The Marseille headquartered firm is understood to have been hit by ransomware which paralysed much of its IT infrastructure.
A report published today clearly highlights the importance of patch management and securing devices exposed directly to the internet -- ones used for digital communications or applications that store mission-critical data, including VPN appliances, Networking Devices, Exchange Servers, Microsoft Office products, as well as Hypervisors. Over the past year, several vulnerabilities have been disclosed where proof of concept code was made available to the public. This essentially means that anyone with a moderate skill set and even nation-state actors can use the code to carry out attacks and study them for further enhancement.
Microsoft has issued additional guidance on securing Azure Linux machines impacted by recently addressed critical OMIGOD vulnerabilities. The four security flaws (allowing remote code execution and privilege escalation) were found in the Open Management Infrastructure (OMI) software agent silently installed on more than half of Azure instances
The FBI, CISA, and the Coast Guard Cyber Command (CGCYBER) today warned that state-backed advanced persistent threat (APT) groups are actively exploiting a critical flaw in a Zoho single sign-on and password management solution since early August 2021
Recently released September 2021 Patch Tuesday security updates have addressed four severe vulnerabilities, collectively tracked as OMIGOD, in the Open Management Infrastruc
Microsoft warned today that multiple threat actors, including ransomware groups and affiliates are taking advantage of the recently patched MSHTML remote code execution vulnerabilities.
Cyjax analysts have uncovered a large credential harvesting campaign targeting multiple government departments in APAC and EMEA countries. Over 50 hostnames were analysed, many of which were posing as the Ministry of Foreign Affairs, Ministry of Finance, or Ministry of Energy, in various countries such as Uzbekistan, Belarus, and Turkey; as well as the Main Intelligence Directorate of Ukraine and the Pakistan Navy.
Threat actors impersonated the U.S. Department of Transportation (USDOT) in a two-day phishing campaign that used a combination of tactics – including creating new domains that mimic federal sites so as to appear to be legitimate – to evade security detections.
As you might know, Microsoft Defender Antivirus is the anti-malware solution that usually comes pre-installed on systems that are running Windows 10. The attackers have modified the malware distribution mechanism from spam or phishing emails to TeamViewer Google adverts, which link users to fraudulent download sites through Google AdWords.
As mentioned in previous reporting, Google has had its fair share of Zero-Day discoveries this year. A few of which have been actively exploited in the wild and leveraged in attacks. Yesterday, the company announced fixes for 11 different bugs, including two zero-days, "Google is aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild,
Patches were just realized Microsoft MSHTML vulnerability that we have produced reporting on throughout the last few weeks. Please see the message below with updated mitigation measures:
The new advanced persistent threat (APT) activity has been discovered by EST Security in a press release from Kumsong 121 that was disclosed on Tuesday by the security firm. Instead of sending an email, the offenders utilized an innovative method in which they became friends with the victim on social media and then sent them an infected file to infect them. Having successfully hacked into a social media account, the attackers went on to find their next targets by contacting the victims' social media acquaintances. After taking advantage of the target's lack of knowledge, the hackers made friends with them by sending them text messages that were full of warmth and topics of similar interest, such as gossip, to make them feel welcome
This is a great report for malwarebytes, “The NSO Group says that its spyware is used against criminals and terrorists, but journalists and human rights activists are known to have been targeted by Pegasus attacks, along with political dissidents and business executives at the highest levels. The software can be used to collect all manner of personal data from devices, intercept calls and messages, and much more. If your work is particularly sensitive, it isn’t something you want anywhere near your phone
Apple has released security updates to fix two zero-day vulnerabilities that have been seen exploited in the wild to attack iPhones and Macs. One is known to be used to install the Pegasus spyware on iPhones
On Wednesday, GitHub said the company received reports from Robert Chen and Philip Papurt, between July 21 and August 13, of security flaws impacting the packages via one of GitHub's bug bounty programs, which give researchers credit and financial rewards for responsibly disclosing vulnerabilities to the vendor.
IOS XR is a train of Cisco Systems' widely deployed Internetworking Operating System, used on their high-end Network Convergence System, carrier-grade routers such as the CRS series, 12000 series, and ASR9000 series. It provides a unique self-healing and self-defending operating system designed for always-on operation while scaling capacity and adding new services or features.
Last Tuesday, Microsoft disclosed a new zero-day vulnerability in Windows MSHTML that allows threat actors to create malicious documents, including Office and RTF docs, to execute commands on a victim's computer remotely.
CyberNews researchers identified more than 2 million web servers worldwide still running on outdated and vulnerable versions of Microsoft Internet Information Services software. These legacy versions are no longer supported by Microsoft, which makes millions of web servers easy targets for threat actors and cybercriminals.
Windows Zero-day CVE-2021-40444 is being actively exploited in attacks. The vulnerability was disclosed on Tuesday with little details and is still awaiting an official patch. The vulnerability uses malicious ActiveX controls to exploit various Windows programs including Microsoft Office 365 and Office 2019, and can be used to install malware on an impacted computer.
Hackers have broken into the computer network of the United Nations and made off with data, according to researchers at cybersecurity firm Resecurity. Bloomberg reports that the unidentified cyber-criminals behind the theft appear to have gained access simply by using login credentials stolen from a UN employee. Entry was gained by logging in to the employee’s Umoja account. Umoja, which means “unity” in Kiswahili, is the enterprise resource planning system implemented by the UN in 2015
Fortinet has become aware that a malicious actor has recently disclosed SSL-VPN access information to 87,000 FortiGate SSL-VPN devices. These credentials were obtained from systems that remained unpatched against FG-IR-18-384 and CVE-2018-13379. "While they may have since been patched, if the passwords were not reset, their devices vulnerable"
We can not emphasize enough that ransomware attacks are not going to go away anytime soon and are typically the most devastating of all cyber-attacks against corporate infrastructure -- especially if the ransomware strain used in attacks can spread laterally, worming its way through networks.
The US Department of Justice has indicted a Ukrainian man for using a malware botnet to brute force computer logon credentials and then selling them on a criminal remote access marketplace. The indictment alleges that Glib Oleksandr Ivanov-Tolpintsev operated a malware botnet that collected login credentials for multiple computers simultaneously using brute force techniques.
In a survey conducted by HP Wolf Security, statistics have shown that "that the majority of IT staff have felt pressured to ignore security concerns in favor of business operations
This joint advisory is the result of analytic efforts between the Federal Bureau of Investigation (FBI), United States Coast Guard Cyber Command (CGCYBER), and the Cybersecurity and Infrastructure Security Agency (CISA) to highlight the cyber threat associated with active exploitation of a newly identified vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus—a self-service password management and single sign-on solution. CVE-2021-40539, rated critical, is an authentication bypass vulnerability affecting REST API URLs that could enable remote code execution. The FBI and CISA assess that advanced persistent threat (APT) cyber actors are likely among those exploiting the vulnerability.
According to Kaspersky, “attacks targeting IoT devices have almost doubled from the second half of 2020 to the first six months of this year” (Info Security Magazine, 2021). The company uses a network of honeypots to mimic vulnerable devices and collects data from potential attacks.
“Microsoft warns of a zero-day vulnerability (CVE-2021-40444) in Internet Explorer that is actively exploited by threat actors to hijack vulnerable Windows systems. Microsoft did not share info about the attacks nor the nature of the threat actors. The vulnerability was exploited by threat actors in malspam attacks spreading weaponized Office docs”
The criminals behind the Ragnar Locker ransomware have issued a warning to victims via their own website not to go to the police or hire companies to negotiate the ransom, as all stolen data will be published immediately. According to the criminals, they increasingly have to deal with professional negotiators, which does not make the negotiation process easier or safer, the group said. It states that such negotiators work for or are associated with the police and are not interested in the commercial interests of their customers or the security of their data,
Threat actors are actively scanning and exploiting vulnerable Microsoft Exchange servers that have not applied security patches released earlier this year. ProxyShell, the name given to a collection of vulnerabilities for Microsoft Exchange servers, enables an actor to bypass authentication and execute code as a privileged user.
The Cybersecurity & Infrastructure Security Agency (CISA) is sharing the attached ransomware-related threat alerts from a trusted industry partner for network defense purposes. The first alert details a threat actor mounting attacks using the Nefilim and Hive payloads and the second alert details possible pre-ransomware activity.
Going into the Holiday we are unfortunately expecting the inevitable, a large-scale cyber attacks against infrastructure and mission-critical assets. Given the current trend and attacks observed during previous Holidays, we are suspecting attacks this weekend but have fingers crossed that it is a quiet one for everyone.
“Software vendor SolarWinds did not enable ASLR anti-exploit mitigation that was available since the launch of Windows Vista in 2006, allowing the attackers to launch targeted attacks in July. Microsoft, which investigated the incidents, said the attacks against SolarWinds file transfer servers were carried out by a Chinese hacking group tracked as DEV-0322”
“The FBI says ransomware gangs are actively targeting and disrupting the operations of organizations in the food and agriculture sector, causing financial loss and directly affecting the food supply chain. These ransomware attacks can potentially impact a wide range of businesses across the sector, from small farms, markets, and restaurants to large-scale producers, processors, and manufacturers”
CLFS is a general-purpose logging subsystem in Windows that's accessible to both kernel-mode as well as user-mode applications such as database systems, OLTP systems, messaging clients, and network event management systems for building and sharing high-performance transaction logs. "Because the file format is not widely used or documented, there are no available tools that can parse CLFS log files," Mandiant researchers explained in a write-up published this week. "This provides attackers with an opportunity to hide their data as log records in a convenient way, because these are accessible through API functions."
The Conti ransomware gang is hacking into Microsoft Exchange servers and breaching corporate networks using recently disclosed ProxyShell vulnerability exploits. ProxyShell is the name of an exploit utilizing three chained Microsoft Exchange vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) that allow unauthenticated, remote code execution on unpatched vulnerable servers.
“Threat actors were spotted exploiting the CVE-2021-26084 vulnerability in Atlassian’s Confluence enterprise collaboration product a few days after it was patched by the vendor” Atlassian released security patches to address CVE-2021-26084 last week; the vulnerability impacts Confluence, the company's enterprise collaboration product. The flaw is an OGNL (Object-Graph Navigation Language) injection issue, which allows an authenticated attacker to execute arbitrary code on Confluence Servers and Data Centers
NFVIS is the software platform that implements full life cycle management from the central orchestrator and controller (APIC-EM and ESA) for virtualized services. NFVIS enables connectivity between virtual services and external interfaces as well as supporting the underlying hardware. NFVIS is often thought of as a virtual software platform and has the following key capabilities; Platform management, A virtualization layer, a Programmable API interface, and a Health monitoring system.
A former credit union employee is facing a decade behind bars after pleading guilty to destroying large amounts of corporate data in revenge for being fired. Two days after being fired on May 19 2021, they accessed the file server of the New York-based credit union, opened confidential files and deleted 21.3GB of data, including 20,000 files and almost 3500 directories. The deleted files apparently related to mortgage loan applications and the company’s anti-ransomware software.
Native English speakers are being recruited in their droves by criminals trying to make Business Email Compromise (BEC) more effective. BEC schemes can be simple to execute and among the most potentially devastating for a business, alongside threats such as ransomware. If a scam is to succeed, the target employee must believe communication comes from a legitimate source -- and secondary language use, spelling mistakes, and grammatical issues could all be indicators that something isn't right.
“CISA and the FBI have released an advisory warning of potential cyberattacks that may occur over the coming Labor Day weekend, noting that in recent years hackers have launched dozens of devastating attacks on long weekends” CISA is also urging organizations to take additional steps to secure their systems and reduce their exposure to attacks. Specifically, they recommend proactive threat hunting on their networks to locate potential threat actors.
Cybercriminals have been increasingly turning to “proxyware”, an attack where the victim's internet connection is secretly used to generate additional revenue following a malware infection. “Proxyware, also known as internet-sharing applications, are legitimate services that allow users to portion out part of their internet connection for other devices, and may also include firewalls and antivirus programs. Other apps will allow users to 'host' a hotspot internet connection, providing them with cash every time a user connects to it”
By crafting believable looking fake Office 365 alerts, “phishers used fake alerts to trick admins into thinking that their Office 365 licenses had expired, (SecurityIntelligence, 2021).” The messages instructed the admins to click on a link so that they could sign into the Office 365 Admin Center and review the payment details. Instead, that sign-in page stole their account credentials.
Bangkok Airways, the second oldest and the third biggest airline company in Thailand, has admitted last week that hackers stole passenger information during a security breach following a ransomware attack.
In a technical analysis researchers discovered that an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users. This can be used to copy all emails addressed to a target and account and forward them to an account controlled by the attacker.
In a technical analysis from Palo Networks, they disclosed a command injection vulnerability affecting WebSVN. . A proof of concept was released, and within a week, attackers exploited the vulnerability to deploy variants of the Mirai DDoS malware.
The data released was claimed by the "Vice Society'' ransomware gang, according to researchers. While relatively new to the ransomware scene, Vice Society has adopted a common double-extortion technique to target victims. Once the ransomware gang has encrypted files and systems, it then exfiltrates sensitive data and threatens to publish the information unless the victim pays the ransom, according to researchers. The Vice Society ransomware gang appears to have used similar techniques earlier this month against Indianapolis, Indiana-based Eskenazi Health, which operates a public healthcare system in the U.S.
Cloudflare said it's system managed to stop the largest reported DDoS attack in July, explaining in a blog post that the attack was 17.2 million requests-per-second, three times larger than any previous one they recorded. Cloudflare notes that the attack was carried out by a botnet targeting the financial industry. The attack hit the Cloudflare edge with over 330 million attack requests within a second. "The attack traffic originated from more than 20,000 bots in 125 countries around the world. Based on the bots' source IP addresses, almost 15% of the attack originated from Indonesia and another 17% from India and Brazil combined. Indicating that there may be many malware infected devices in those countries”
CISA this week is urging organizations using Microsoft Azure CosmosDB (ChaosDB) to patch a recently released vulnerability as soon as possible. The news comes after “researchers from Cloud security company Wiz disclosed technical details of a now-fixed Azure Cosmos database vulnerability, dubbed ChaosDB, that could have been potentially exploited by attackers to gain full admin access to other customers’ database instances without any authorization. The flaw was trivial to exploit and impacts thousands of organizations worldwide”
“U.S. technology firm Kaseya has released security patches to address two zero-day vulnerabilities affecting its Unitrends enterprise backup and continuity solution that could result in privilege escalation and authenticated remote code execution. The two weaknesses are part of a trio of vulnerabilities discovered and reported by researchers at the Dutch Institute for Vulnerability Disclosure (DIVD) on July 3, 2021”
The identified OpenSSL vulnerabilities could lead to remote code execution (RCE) and DoS attacks (denial-of-service). These were dubbed CVE-2021-3711 and CVE-2021-3712.
The impacted devices by these OpenSSL vulnerabilities include:
Synology DiskStation Manager (DSM, version 7.0, 6.2 and UC),
“BIG-IP application services company F5 has fixed more than a dozen high-severity vulnerabilities in its networking device, one of them being elevated to critical severity under specific conditions. The issues are part of this month’s delivery of security updates, which addresses almost 30 vulnerabilities for multiple F5 devices. Of the thirteen high-severity flaws that F5 fixed, one becomes critical in a configuration “designed to meet the needs of customers in especially sensitive sectors” and could lead to complete system compromise”
VMware fixed four high severity flaws in vRealize today. “The most severe flaw, tracked as CVE-2021-22025 (CVSS score of 8.6), is a broken access control vulnerability in the vRealize Operations Manager API. An attacker could exploit the vulnerability to gain unauthenticated API access. The vRealize Operations Manager API contains a broken access control vulnerability leading to unauthenticated API access. VMware has evaluated the severity of this issue to be in the Important severity range with a maximum CVSSv3 base score of 8.6.“ reads the advisory published by the virtualization giant. “An unauthenticated malicious actor with network access to the vRealize Operations Manager API can add new nodes to an existing vROps cluster” (Security Affairs, 2021).
Another ransomware attack has been confirmed, this time by a clinic in Singapore that exposed “personal data and clinical information of nearly 73,500 patients of a private eye clinic, (Straitstimes, 2021).” The third such reported incident in a month. The information included names, addresses, identity card numbers, contact details and clinical information such as patients’ clinical notes and eye scans, said Eye & Retina Surgeons (ERS) on Wednesday (Aug 25).
Cyjax analysts have detected a new Raccoon Stealer campaign that is leveraging live streaming platform, Twitch, and online community application, Discord. The Raccoon Stealer operators are pushing malicious links, shortened with Bitly, in the chat during live streams. If clicked, the user downloads a ZIP file called “Installer.zip” from the Discord content delivery network (CDN). Inside the ZIP file are over a dozen decoy rich text files (RTFs) and an executable called “Setup.exe”.
The FBI has learned of a cyber-criminal group who self identifies as the “OnePercent Group” and who have used Cobalt Strike to perpetuate ransomware attacks against US companies since November 2020. OnePercent Group actors compromise victims through a phishing email in which an attachment is opened by the user. The attachment’s macros infect the system with the IcedID1 banking trojan. IcedID downloads additional software to include Cobalt Strike. Cobalt Strike moves laterally in the network, primarily with PowerShell remoting.
Ransomware is a serious and increasing threat to all government and private sector organizations, including critical infrastructure organizations. All organizations are at risk of falling victim to a ransomware incident and are responsible for protecting sensitive and personal data stored on their systems.
A healthcare employee was the subject of a phishing email attack that exposed some medical records for approximately 12,000 patients, including patients of cardiology practice in St. George, according to a press release sent out by healthcare company Revere Health on Friday The employee’s
“The FBI has learned of a cyber-criminal group who self-identifies as the “OnePercent Group” and who have used Cobalt Strike to perpetuate ransomware attacks against US companies since November 2020. OnePercent Group actors compromise victims through a phishing email in which an attachment is opened by the user. The attachment’s macros infect the system with the IcedID1 banking trojan. IcedID downloads additional software to include Cobalt Strike. Cobalt Strike moves laterally in the network, primarily with PowerShell remoting. OnePercent Group actors encrypt the data and exfiltrate it from the victims’ systems. The actors contact the victims via telephone and email, threatening to release the stolen data through The Onion Router (TOR) network and clearnet, unless a ransom is paid in virtual currency. OnePercent Group actors’ extortion tactics always begin with a warning and progress from a partial leak of data to a full leak of all the victim’s exfiltrated data”
“Industrial cybersecurity firm Claroty published its third Biannual ICS Risk & Vulnerability Report that analyzes the vulnerability landscape relevant to leading automation products used across the ICS domain. The company reported that during the first half of 2021, 637 vulnerabilities affecting industrial control system (ICS) products were published, affecting products from 76 vendors,
CISA's fact sheet includes best practices for preventing ransomware attacks and protecting sensitive information from exfiltration attempts. The federal agency issued these recommendations in response to most ransomware gangs using data stolen from their victims' networks as leverage in ransom negotiations under the threat of publishing the stolen info on dedicated leak sites.
A Razer Synapse zero-day vulnerability has been disclosed on Twitter, allowing you to gain Windows admin privileges simply by plugging in a Razer mouse or keyboard. Razer is a very popular computer peripherals manufacturer known for its gaming mouses and keyboards. When plugging in a Razer device into Windows 10 or Windows 11, the operating system will automatically download and begin installing the Razer Synapse software on the computer. Razer Synapse is software that allows users to configure their hardware devices, set up macros, or map buttons,
Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft's Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.
Cisco is warning their customers of a vulnerability in Server Name Identification (SNI) request filtering for multiple products (Cisco Web Security Appliance (WSA), Cisco Firepower Threat Defense (FTD), and the Snort detection engine). Cisco is investigating the issue to determine affected products; Cisco stated that the following products are under active investigation to decide whether or not they are impacted:
The operators behind LockBit have released a newer version of their crypto-locking malware that contains new capabilities, some of which they have borrowed from other cyber-criminal groups. The newly unsophisticated being referenced as "Hive" by security researchers has launched a data-leak (Titled: HiveLeaks) site where they have claimed to have successfully breached various organizations.
"The FDA, in its warning that specific medical devices may be affected by BlackBerry QNX cybersecurity vulnerabilities, points to the CISA alert. CISA mentions CVE-2021-22156, which describes an integer overflow vulnerability in the calloc() function of the C runtime library of affected versions of BlackBerry® QNX Software Development Platform (SDP) version(s) 6.5.0SP1 and earlier, QNX OS for Medical 1.1 and earlier, and QNX OS for Safety 1.0.1 and earlier that could allow an attacker to potentially perform a denial of service or execute arbitrary code.
Cybersecurity researchers have disclosed details about an early development version of a nascent ransomware strain called Diavol that has been linked to threat actors behind the infamous TrickBot syndicate,
In a security advisory published on Wednesday, Cisco said that a critical vulnerability in Universal Plug-and-Play (UPnP) service of multiple small business VPN routers would not be patched because the devices have reached end-of-life. The zero-day bug (tracked as CVE-2021-34730 and rated with a 9.8/10 severity score) is caused by improper validation of incoming UPnP traffic and was reported by Quentin Kaiser of IoT Inspector Research Lab. Unauthenticated attackers can exploit it to restart vulnerable devices or execute arbitrary code remotely as the root user on the underlying operating system,
The nightmare fiasco is still ongoing; some companies have realized that the safest solution at this point is to disable the printer service altogether and to also prevent users from installing drivers via Microsoft's native Point and Print function. "Since June, Microsoft has announced seven vulnerabilities in Print Spooler as researchers have continued to analyze the service and reverse engineer the patches, finding more flaws. To date, none of the solutions from Microsoft have fully addressed the issues in the Print Spooler service,
Cloud security risks, in this case referencing AWS specifically, range from lack of security controls, vulnerabilities that could allow privilege escalation, and misconfigurations that could leave data accessible to prying eyes. These security implications are no different than ones for environments that are stored on-premises. Proprietary solutions like AWS require some fine tuning and due diligence just like operating systems, services, and software kept in IT closets on-site.
"Perhaps the most far-reaching supply chain attack conducted by a non-state actor in the history of the tactic took place this July. This time, Kaseya, one of the world's largest IT management platforms, was compromised by the Russia-based hacking group REvil. Unlike in the SolarWinds and Codecov, this attack included a ransomware stage meant to deliver financial rather than intelligence returns for the attackers." REvil targeted Kaseya's remote monitoring and management (RMM) solution, known as Kaseya VSA, which is used to manage client machines from afar. Again, targeting was indiscriminate, but unlike with espionage actors, the ransomware gang could focus on maximizing financial returns of the attack rather than trying to avoid detection.
Back in June, Microsoft patched a vulnerability affecting the Microsoft Windows Print Server that was tracked as CVE-2021-1675. Initially, it was described as an elevation of privilege vulnerability - EOP vulns could result in an attacker bypassing access restrictions on a machine/system. Access restrictions typically include ones that are enforced through domain-based group policies or local ones. The simplest subset of access restrictions applied on machines typically have preset groups;
• Administrator
• Power User
• Standard
These are predefined ACL's including Microsoft OS's ranging from XP to current OS versions. Of course, restrictions can be more granular/refined than what Microsoft provides us out of the box. What makes this vulnerability so dangerous is that any restrictions placed on a user's machine can be bypassed. An attacker could essentially do whatever they want to a targeted machine. They could install malware/ransomware or remote access tools to access devices without a user's knowledge.
An employee working for the department attempted to move data from one location to another. Reporting suggests the migration was to centralize data access on a single server. In a disclosure notice released last Wednesday, defense attorneys noticed that 22TB of data, approximately 22,528GB, had disappeared and possibly been deleted. After data recovery efforts, IT Teams restored approximately 14TB with around 8TB missing and unrecoverable.
Comparitech, a company that we mentioned in previous report, has discovered another cloud misconfiguration resulting in data leakage. A list containing Terrorist Screening records was found on July 19th, when Censysand ZoomEye search engines indexed an exposed elastic search server. The list was left online without a password or any other authentication to secure it. It contained 1.9 million records, including full name, TSC watchlist ID, citizenship, gender, date of birth, passport number, and more,
CISA released an Alert today on devices incorporating older versions of multiple BlackBerry QNX products affected by a BadAlloc vulnerability. A malicious actor could exploit this vulnerability to take control of an affected system or cause a denial-of-service condition.
The subject in question, a Massachusetts man, Declan Harrington charged with his alleged involvement in a series of SIM swapping attacks two years ago, has admitted to stealing cryptocurrency from multiple victims and hijacking the Instagram account of others, "Harrington was charged with Eric Meiggs in November 2019 for targeting the owners of high-value ('O.G.' or 'Original Gangster') Instagram and Tumblr accounts,
Cortex XSOAR is a "detection and response platform used to unify case management, automation, real-time collaboration and threat intel management to serve security teams across incident lifecycles." Researchers discovered a vulnerability in the platform that could allow unauthenticated threat actors to execute arbitrary code over the Internet on fully integrated endpoints. The flaw exists due to insufficient validation of user input in .NET Core, which would allow remote threat actors to pass specially crafted entries into the vulnerable application(s).
FINRA is a government-authorized not-for-profit organization that oversees U.S. broker-dealers. In ongoing phishing attacks, hackers are targeting U.S. Brokerage firms/brokers by impersonating FINRA officials threatening penalties against them. The company is primarily responsible for investigating potential securities violations and, when appropriate, bringing formal disciplinary actions against firms and their associated persons.
According to Tenable researchers, “Threat actors actively exploit a critical authentication bypass vulnerability, tracked as CVE-2021-20090, impacting home routers with Arcadyan firmware to deploy a Mirai bot. “A path traversal vulnerability in the web interfaces of Buffalo WSR-2533DHPL2 firmware version <= 1.02 and WSR-2533DHP3 firmware version <= 1.24 could allow unauthenticated remote attackers to bypass authentication” (Security Affairs, 2021).
According to researchers, threat actors have begun actively scanning for the Microsoft Exchange ProxyShell remote execution flaws. “ProxyShell is the name of three vulnerabilities that could be chained by an unauthenticated remote attacker to gain code execution on Microsoft Exchange servers” (Security Affairs, 2021).
“The Australian Cyber Security Centre (ACSC) warns of an increase of LockBit 2.0 ransomware attacks against Australian organizations starting July 2021” (Bleeping Computer, 2021). The organization has seen a heavy increase in LockBit 2.0 activity in Australia. In their alert, they warn that victims of the ransomware have also seen their data stolen and leaked online, a double extortion technique seen by other ransomware operators. Attacks have really risen since July and continue to do so.
Synology, a NAS storage device maker from Taiwan, warned this week that the StealthWorker botnet has been targeting their devices through ongoing brute force attacks that may lead to ransomware infection. The botnet uses already infected devices to try and guess common admin credentials on NAS devices. If the botnet guesses a password correctly it will attempt to download malware including ransomware. The devices may also be able to carry out additional attacks against other Linux based devices.
As the title states, these phishing attacks are a little bit different. Phishing attacks that we've reported -- usually on a weekly basis contain malicious attachments in the form of Excel, PDF, or executables, to name a few. They typically contain malware or beacons so that threat attacks can remote into infected machines and control them. Depending on what type of access restrictions are applied on the targeted device during initial infection, it can either prevent an attacker from installing additional components or allow them to carry out further malicious activity/exfiltrate sensitive information. Even if a user account has access restrictions in place, an attacker could still leverage one of the several vulnerabilities disclosed right now to elevate privileges (if unpatched).
Ever hear the story of the disgruntled Network Administrator? One that leaves a company upset, who once (or still has) the keys to the kingdom - Domain Administrative Credentials, External I.P. Addresses to VPN appliances/Firewalls, and probably knows more about the network than anyone else within the organization? After leaving a company, it's likely at some point in time they've come back using the information acquired while employed or by installing backdoor software on servers or workstations before departure.
Black Hills produced a report outlining an attack scenario requiring user interaction for the attack to work (unsalted MD4 encryption), "an adversary would need to entice a remote user or system to authenticate back to the adversary-controlled host to relay the credential to the certificate server. If you recall, the Hive/SAM vulnerabilities could result in an attacker obtaining administrative rights on a machine by obtaining password hashes stored using a weak encryption algorithm. After obtaining the hashes from Windows Databases, using tools like MimiKatz and John the Ripper, an attack easily cracks the hash revealing passwords.
Security researchers released details this week of a new type of DNS vulnerability which could allow attackers to target sensitive information on corporate networks. The vulnerabilities impact major DNS-as-a-Service (DNSaaS) providers who lease their services to organizations who do not want to manage and secure their DNS records on their own. “As revealed at the Black Hat security conference by cloud security firm Wiz researchers Shir Tamari and Ami Luttwak, these DNS flaws provide threat actors with nation-state intelligence harvesting capabilities with a simple domain registration”
Google Chrome has had a tough year so far! Several vulnerabilities have been identified and disclosed, resulting in IT-Teams and staff updating their browsers quite frequently. In April, Google had to quickly patch multiple zero-days (or previously unknown flaws in Chrome's V8 JavaScript engine). The company openly admitted that the high severity bug was being exploited in the wild. In an advisory released by Google today, they’re urging everyone to update to version 92.0.4515.107 as soon as possible. Several High to Medium vulnerabilities were discovered, yet technical details have been withheld to prevent exploitation:
In a 47 page report titled, “Federal CyberSecurity: America’s Data at Risk,” by the staff of the Senate Committee on Homeland Security and Governmental Affairs, which was released Tuesday (August, 3rd), states that the "Inspectors general identified many of the same issues that have plagued federal agencies for more than a decade, (BankInfoSecurity, 2021).” State, Housing and Urban Development, Agriculture, Health and Human Services and Education - and the Social Security Administration - are still failing to meet even basic cybersecurity standards,
Cisco has released multiple security updates to address several security vulnerabilities impacting Cisco Small Business products: CVE-2021-1574 and CVE-2021-1576 vulnerabilities affect the following Cisco Small Business Routers if they are running a firmware release earlier than Release 1.0.03.22: RV340 Dual WAN Gigabit VPN Router RV340W Dual WAN Gigabit Wireless-AC VPN Router RV345 Dual WAN Gigabit VPN Router RV345P Dual WAN Gigabit POE VPN Router CVE-2021-1602 vulnerability affects the following Cisco Small Business RV Series Routers if they are running firmware releases earlier than 1.0.01.04: RV160 VPN Routers RV160W Wireless-AC VPN Routers RV260 VPN Routers RV260P VPN Router with PoE RV260W Wireless-AC VPN Routers CVE-2021-1572 vulnerability affects the following Cisco products and releases: Cisco Network Services Orchestrator CLI Secure Shell Server ConfD CLI Secure Shell Server Releases 5.4 through 5.4.3.1 Releases 7.4 through 7.4.3 Releases 5.5 through 5.5.2.2 Releases 7.5 through 7.5.2
The attackers were able to access the organization's systems with administrator privileges where they then installed a "crypto-locker" malware that encrypted the data on the system. As a result of the attacks, systems were taken offline, preventing the organizations from accessing resources used in COVID-19 distribution in Lazio, Italy; "A "powerful" attack had hit the region's databases on Sunday and that all systems are disabled, including the Salute Lazio portal and the system that managed the COVID-19 vaccine bookings,
Remote Desktop Protocol continues to be leveraged in attacks. Honeypot activity observed by various companies and researchers shows that hackers are constantly attempting to brute-force their way into networks by trying to guess usernames and passwords combinations on RDP ports exposed to the Internet, "While you read these words, the chances are that somebody, somewhere, is trying to break in to your computer by guessing your password. If your computer is connected to the Internet, it can be found quickly, and if it can be found, somebody will try to break in,
Security researchers this week disclosed several flaws in PyPI. “Python Package Index (PyPI) is the official third-party software repository for Python. PyPI as an index allows users to search for packages by keywords or by filters against their metadata, such as free software licenses or compatibility with POSIX” (Security Affairs, 2021). The most severe flaw could potentially lead to the compromise of the entire PyPI infrastructure. The flaw affects the combine-prs.yml workflow in pypa/warehouse, which includes the current source code of PyPI.
Microsoft warned this week of a phishing email using spoofed sender addresses. “Microsoft put out an alert after observing an active campaign targeting Office 365 organizations with convincing emails and several techniques to bypass phishing detection, including an Office 365 phishing page, Google cloud web app hosting, and a compromised SharePoint site that urges victims to type in their credentials. An active phishing campaign is using a crafty combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters," the Microsoft Security Intelligence team said in an update.”
Using a remote print server, a researcher was able to gain complete control over a device by installing a print driver. “In June, a security researcher accidentally revealed a zero-day Windows print spooler vulnerability known as PrintNightmare (CVE-2021-34527) that allowed remote code execution and elevation of privileges. While Microsoft released a security update to fix the vulnerability, researchers quickly figured out ways to bypass the patch under certain conditions. Since then, researchers have continued to devise new ways to exploit the vulnerability, with one researcher creating an Internet-accessible print server allowing anyone to open a command prompt with administrative privileges”
According to reports this week, The DarkSide ransomware gang may have rebranded as a new ransomware operation called BlackMatter, and has been seen in ongoing attacks against corporate entities. Back in May of this year, DarkSide operators suddenly lost access to their servers and their cryptocurrency wallets were seized by an unknown third party. It was later revealed that the FBI had recovered 63.7 Bitcoins from the Colonial Pipeline attacks.
BleepingComputer was made aware of multiple victims targeted by the BlackMatter ransomware group. So far ransom demands have ranged from $3-4 million dollars. “While researching the new ransomware group, BleepingComputer found a decryptor from a BlackMatter victim and shared it with Emisosft CTO and ransomware expert Fabian Wosar. After analyzing the decryptor, Wosar confirmed that the new BlackMatter group is using the same unique encryption methods that DarkSide had used in their attacks.”
Staff is continuing to work from, and companies have realized that employees are just as efficient, if not more so, while traveling and working remotely from their home office or sofa. There are cybersecurity risks associated with teleworking, and we've explained and mentioned some of them quite frequently in our daily reporting and during our calls.
Wireless security is often overlooked, and public networks should be considered 10/10 if they could be rated on the CVSS scale in terms of severity. As staff travel and continue to work remotely, it's apparent that they will need internet access to access corporate information and resources. The WFH transition has placed some of the cybersecurity burdens directly on employees as the confines of enterprise security products no longer secure them.
The use of a new wiper malware caused complications for a widely used transportation system in Iran. The attack took place on July 9th,2021, text on display panels throughout transit stations commonly used to showing schedules for arrival and departure times was changed to "long delay".
Attackers are targeting Linux, ESXi (VMware), as well Unix variants. As outlined in a McAfee Advanced Threat Research report, the Babuk Ransomware gang is exploiting CVE-2021-27065 in Microsoft Exchange Servers. After initial access, the actors place a Cobalt Strike backdoor on the system, maintaining persistence, so they can come and go as they please. "Using a custom version of zer0dump, the attacker gained domain administrator credentials and used Mimikatz to get access to credentials. They are then using standard protocols like SSH/SCP to move files to and from systems (McAfee, 2021). "
PunkSpider is a tool that pretty much anyone could use to identify weaknesses in websites. It can scan the internet, identifying ones that may have backend vulnerabilities. Depending on what type of vulnerabilities are discovered, an attacker could then exploit them. "The new and improved version is a "completely re-engineered" system that also expands the capabilities of the tool to find vulnerabilities,
In a recent report from PaloAlto, researchers reiterate the importance of identifying/preventing phishing messages targeting companies and is the most effective way for criminals to deliver malware -- especially ransomware. Broken down by protocol, SMTP accounted for most attacks, with IMAP following close behind as the second delivery protocol. At an astounding 80.8%, PaloAlto notes that ransomware was delivered using the . P.E. (Portable Executable) extension/file type observed in attacks.
A new version of the LockBit 2.0 ransomware has been found that automates the encryption of a Windows domain using Active Directory group policies. The LockBit ransomware operation launched in September 2019 as a ransomware-as-a-service, where it can be purchased and used to attack companies. Affiliates earn 70-80% of a ransom payment, and the LockBit developers keep the rest.
REVil, the group responsible for the recent supply-chain attacks targeting MSPs and their customers, recently went offline. At this time, it is unknown whether Law-Enforcement/Government intervened in a coordinated effort taking them offline or they decided to close shop on their own free-will. Previously takedowns, raids, and seizures of 'underground' cybercriminal operations have been reported to be conducted and carried out by universal efforts from various agencies both government and private.
We've observed some pretty significant cyber-attacks over the past year, ones that will be referenced for decades to come. Ones that halted business operations for various industries and sectors across the globe and resulted in a declining quality and, in some instances, loss of life.
The company released several updates for its various operating systems:
"Windows Challenge/Response (NTLM) is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems. (Microsoft, 2018)." "NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user's password. NTLM uses an encrypted challenge/response protocol to authenticate a user without sending the user's password over the wire. Instead, the system requesting authentication must perform a calculation that proves it has access to the secured NTLM credentials. (Microsoft, 2018).
A recent study is suggesting that 1 in 16 home routers are configured with a default admin username/password combination, typically admin/admin or admin/password, which are easily guessable. By scanning the internet researchers uncovered that, "out of the total of 9,927 routers that they tested, they found that 635 were susceptible to default password attacks, (Comparitech, 2021)."
The operating systems are being infected with the LemonDuck crypto-mining malware, which is being distributed via traditional phishing tactics, removable media (flash drives), brute force attacks and internet-facing vulnerabilities (Exchange Server), "[LemonDuck] continues to use older vulnerabilities, which benefit the attackers at times when focus shifts to patching a popular vulnerability rather than investigating compromise, (Microsoft, 2021)."
On July 2nd, the REvil ransomware operation launched a massive attack by exploiting a zero-day vulnerability in the Kaseya VSA remote management application to encrypt approximately sixty managed service providers and an estimated 1,500 businesses.
Researchers at Intezer have detected a new attack vector against Kubernetes (K8s) clusters via misconfigured Argo Workflows instances. The company reported that they've observed attackers dropping cryptominers using this method in the wild. They've detected hundreds of misconfigured environments that belong to companies from various sectors, including technology, finance, and logistics.
Back on July 2nd, the REvil ransomware group launched a massive attack on Kaseya by exploiting a zero-day in their VSA remote management product. They used that vulnerability to encrypt sixty managed service providers (MSPs) and then using the MSPs access to customers, encrypted an estimated 1,500 businesses.
Cybercriminals have repurposed a piece of Windows malware to target macOS devices. The malware called XLoader is based off FormBook, a common malware strain over the past five years. This new variant is widespread and inexpensive. FormBook was so common research shows it has impacted 4% of organizations worldwide. The original FormBook was offered for just $29 per week and was designed “as an information stealer to steal credentials from different Web browsers, collect screenshots, monitor and log keystrokes, and download and execute files according to instructions from an attacker's command-and-control server” (Dark Reading, 2021).
Raid Forums user, @Axil, is giving away data belonging to GunTrader (guntrader.uk) a legal gun retail website in the UK.
Since March 31, 2021, CISA and Ivanti have assisted multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor. To gain initial access, the threat actor is leveraging multiple vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the newly disclosed CVE-2021-22893 The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence. The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.
Researchers at Qualys discovered another vulnerability that could allow an unprivileged attacker to gain privileges by exploiting a local privilege escalation vulnerability in default configurations of the Linux Kernel's filesystem layer on vulnerable devices. Qualys researchers have give the flaw the name of Sequoia which impacts all Linux kernel versions released since approximately 2014.
The company has released patches for its FortiManager and FortiAnalyzer network management solutions. The vulnerabilities could’ve allowed an attacker to execute code against targeted devices with root privileges. The bug was disclosed by Cyrille Chatras of the Orange Group. The company has since released a workaround and patches to correct the software deficiencies.
There were several publications that were shared and released yesterday regarding malicious activity determined to be originating from China in Nation-State attacks against the United States. APT40, also known as Bronze Mohawk, FeverDream, G0065, Gadolinium, GreenCrash, Hellsing, Kryptonite Panda, Leviathan, MudCarp, Periscope, Temp.Periscope, and Temp.Jumper have determined to be located in Haikou, Hainan Province (People’s republic of China PRC) and have been active since approximately 2019.
HP this week patched a severe vulnerability tracked as CVE-2021-3438. The vulnerability received a CVSS score of 8.8 and has resided in a printer driver for the past 16 years. “The security issue is described as a "potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers could lead to an escalation of privilege" (ZDNet, 2021). HP, Xerox, and Samsung printer models likely contained the vulnerable driver software since 2005.
On February 27th, 2021 the company became aware of a breach impacting their systems. The attackers were able to access, "certain individuals' names, dates of birth, driver's license numbers / state identification numbers, financial account information, Social Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials (i.e. usernames and passwords),
Microsoft released a security update to fix the vulnerability but researchers determined that the patch could be bypassed under certain conditions. Since the incomplete fix, security researchers have been heavily scrutinizing the Windows printing APIs and have found further vulnerabilities affecting the Windows print spooler. Researchers discovered that by executing a malicious dynamic link library via 'Queue-Specific Files' feature of Windows Point and Print Capability could enable an attacker to move laterally through a network. When the DLL is executing on a target machine, it will run with SYSTEM privileges and could be used to run any command on the target computer.
D-Link manufactures networking equipment that can be utilized in home or enterprise environments. Equipment can be purchased in stores as well and online and are typically cost effective solutions for consumers. Cisco security teams discovered a vulnerability in the DIR-3040 model firmware, which contains hardcoded passwords, command injection vulnerabilities and information disclosure bugs.
On Friday, July 2, we reported that attackers were actively exploiting a Zero-Day vulnerability in Kaseya VSA Software via a supply-chain attack -- as the attacks were ongoing. Primary targets were Managed Service Providers and Managed Security Service Providers; during the attack, little details were known, like the initial attack vector (entry point) and how the attackers were accessing internal networks and ultimately encrypting systems.
A misconfiguration was discovered in an Amazon S3 bucket resulting in the personally identifiable information, including customers' names, phone numbers, email addresses, city and country, and company affiliation.
D-BOX Technologies is headquartered in Montreal, Canada, with offices in Los Angeles, USA, and Beijing, China. D-BOX[.]com. "The company redefines and creates realistic, immersive and haptic entertainment experiences by providing whole-body feedback and stimulating the imagination through movement,
Yet another Print Spooler vulnerability was announced and tracked as CVE-2021-34481. If exploited, an attacker could achieve elevated rights/privileges as a SYSTEM on a local machine. Microsoft devs are currently in the process of creating a patch to correct the deficiencies in the service.
Earlier this year the TrickBot botnet was dismantled by global law enforcement, after a brief hiatus, the botnet has reemerged in recent attacks. “The authors recently implemented an update for the VNC module used for remote control over infected systems” (Security Affairs, 2021). Despite actions from law enforcement, the botnet continues to see revisions.
Researchers from Google’s Threat Analysis Group (TAG) and Project Zero spotted exploits abusing zero-days in Google Chrome, Internet Explorer, and WebKit, an engine used in Apple’s Safari.
Yesterday we reported that attackers were leveraging a Zero-Day vulnerability (now patched) in the SolarWinds Serv-U software; at the time, attribution was not known. Today, Microsoft followed up, stating that attacks are attributed with high confidence to a China-based threat group tracked as 'DEV-0322.'
In the directive, CISA states that they have "Become aware of active exploitation, by multiple threat actors, of a vulnerability (CVE-2021-34527) in the Microsoft Windows Print Spooler service. The exploitation of the vulnerability allows an attacker to remotely execute code with system-level privileges enabling a threat actor to quickly compromise the entire identity infrastructure of a targeted organization, (CISA, 2021)."
The list of July 2021 Patch Tuesday updates looks endless. One hundred seventeen patches with no less than 42 CVEs assigned to them that have FAQs, mitigations details or workarounds listed for them.
For the third time this year, threat actors have scraped data from LinkedIn. The archive contains data from hundreds of millions of LinkedIn profiles. It is currently being sold on a dark web forum. The actor involved in the attack “claims that the data is new and “better” than that collected during the previous scrapes. Samples from the archive shared by the author include full names, email addresses, links to the users’ social media accounts, and other data points that users had publicly listed on their LinkedIn profiles.”
The files used for DLL side-loading technique are also dropped in the same path as the wallpaper bmp file, Python > Lib
A recent report from Proofpoint researchers suggests that TA453 is a state-sponsored actor-operator acting on behalf of Iran, supporting the Revolutionary Guard Corps (IRGC) in their collection of information. The actors illegally obtained access to a website belonging to a world-class academic institution to leverage the compromised infrastructure to harvest the credentials of their intended targets. Initial communications were established through an email message appearing to be from a “Dr.Hanns Bjoern Kendel, Senior Teaching and Research Fellow at SOAS University in London (ProofPoint, 2021).” The email address was registered on Gmail as hannse.kendel4@gmail[.]com, which was used to engage in conversation with intended targets.
Yesterday, we reported that Microsoft had discovered vulnerabilities in SolarWinds Serv-U software. To recap, the vulnerabilities exist in the Serv-U Managed File Transfer and Serv-U Secured FTP platforms. Impacted versions included the latest release on May 5, version 15.2.3 HF1, and all previous versions of the software. A proof of concept exploit provided by Microsoft to the company directory displayed how an attacker could “install programs; view, change or delete data; or run programs on the affected systems (Microsoft, 2021)” via remote code execution where SSH is enabled on Serv-U products.
"Microsoft's Threat Intelligence center, also known as MSTIC/Microsoft Offensive Security Research Teams, found a bug in the SolarWinds latest version of the Serv-U (15.2.3 HF1) software impacting all prior versions.
MVNO stands for Mobile Virtual Network Operator. MVNOs do not own the infrastructure to facilitate communications, instead they have contracts with larger carriers who grant smaller companies access to resources for resale. Mint mobile, is an upcoming MVNo operating off of T-Mobile networks based in the United States. Because of their low priced cellular plans the company has been growing pretty steadily in terms of subscribers
The Kaseya attacks against numerous Managed Service Providers (MSP) and Managed Security Service Providers (MSSP's) resulting in REvil ransomware affiliates encrypting company systems has released patches to address a series of vulnerabilities. Critical vulnerabilities included credential leaks and cross-site scripting vulnerabilities in the company's VSA software. At this time, it is unclear which vulnerabilities the attackers leveraged explicitly, but it is suspected that they were chained together, bypassing the software authentication mechanisms.
CISA released a report last week which highlights findings from the organizations Risk and Vulnerability Assessments (RVAs) conducted in 2020 across all industries.
Trend Micro researchers this week spotted a new malware strain called BIOPASS. The malware abuses Open Broadcaster Software (OBS) Studio and uses malicious JavaScript to redirect visitors to malicious websites.
Attacks similar to those perpetrated in Ukraine have later been observed in other countries, notably Germany—suggesting that Russia learns from the attacks it conducts in Ukraine and conducts further attacks in more strategic countries. Examining Russian attacks in Ukraine can thus potentially provide hints to Russia’s thinking about future attack plans.
Over the last several months Flashpoint analysts have observed an increase in activity by the “IcedID” trojan. The activity includes multiple campaigns that have been publicly observed, indicating an increase in proliferation of IcedID. The initial infection vector is commonly spear-phishing or malicious document macros. Once installed, the trojan drops other malware, leading to further access after the initial infection.
REvil attempts to encrypt data and delete shadow copy backups to make data recovery more difficult. It then demands a ransom from victims to recover the data. REvil ransomware is usually installed directly by a threat actor who has either accessed an unprotected RDP port or exploited common vulnerabilities such as CVE-2019-2725 and CVE-2018-8453 to gain access to a network and escalate privileges.
The Russian ransomware extortionist threat group "REvil" conducted a supply-chain ransomware attack on July 2, 2021, that has affected “fewer than 60” managed service providers (MSPs) and “fewer than 1,500” downstream businesses in at least seventeen countries.
Security researchers from AT&T Alien Labs shared new intelligence surrounding Lazarus Group and their continued targeting of security experts. In their newest campaign the group is targeting engineers working in the defence industry. Using emails and social media platforms the group has created fake job offers to target defence contractors in the United States and Europe. “Attached to the emails are Word documents containing macros that plant malicious code onto a victim’s computer, and make changes to the targeted computer’s settings in an attempt to avoid detection”
A popular form of phishing involved the use of Microsoft Office documents loaded with malicious macros. Using social engineering tricks and business email compromise, cybercriminals would convince users to download a malicious file which requires macros to view, upon enabling the macros, the documents communicate with the attacker’s server to download malware onto the machine.
Navigating the PrintNightmare vulnerabilities this week has been a challenge. An out-of-band patch released earlier this week was found to be incomplete, with various security experts sharing details of how to bypass the patch. “Microsoft says the emergency security updates released at the start of the week correctly patch the PrintNightmare Print Spooler vulnerability for all supported Windows versions and urges users to start applying the updates as soon as possible. Our investigation has shown that the OOB security update is working as designed and is effective against the known printer spooling exploits and other public reports collectively being referred to as PrintNightmare," the Microsoft Security Response Center explains. "All reports we have investigated have relied on the changing of default registry setting related to Point and Print to an insecure configuration.”
We reported earlier this week that threat actors were using fake Kaseya update emails as a lure to trap victims. Kaseya today confirmed our reports and warned of an additional phishing campaign that attempts to breach networks by spamming malicious attachments and embedded links. The emails pretend to be legitimate security updates for Kaseya VSA.
The US-based insurance company CNA Financial Corporation began notifying customers of a data breach following attacks by Phoenix CryptoLocker ransomware that occurred back in March of this year. CNA is one of the largest commercial insurance firms in the US, assisting businesses in the US, Canada, Europe, and Asia. The company said a limited amount of data was copied before the threat actors deployed their ransomware
“Four vulnerabilities afflict the popular Sage X3 enterprise resource planning (ERP) platform, researchers found – including one critical bug that rates 10 out of 10 on the CVSS vulnerability-severity scale. Two of the bugs could be chained together to allow complete system takeovers, with potential supply-chain ramifications”
Microsoft released an out-of-band update to fix the PrintNightmare vulnerabilities. Unfortunately, researchers have discovered that it is possible to bypass the emergency patch and still achieve both remote code execution (RCE) and Local Privilege Escalation (LPE) on systems who have installed the new patch.
The White House has issued another warning to Russia after cybercriminals continue to attack American organizations and critical infrastructure. REvil ransomware operators as well as other cybercriminals are reportedly residing in Russia, where the Putin administration has historically done nothing to curb cyber attacks coming from Russian soil.
Last May, SonicWall asked customers to immediately patch CVE-2021-20026, a post-authentication vulnerability in the vendor's Network Security Manager (NSM) product. The company released further details this week, highlighting a command injection vulnerability. The vulnerability received a CVSS score of 8.8 and could be exploited without any user interaction. An authenticated attacker could perform command injection by using specially crafted HTTP requests.
Threat actors are pushing a fake Kaseya VSA security update in an attempt to capitalize on the current ransomware situation impacting the vendor. Cobalt Strike is the payload delivered in this active spam campaign. “Cobalt Strike is a legitimate penetration testing tool and threat emulation software that's also used by attackers for post-exploitation tasks and to deploy so-called beacons that allow them to gain remote access to compromised systems”
Microsoft has released out-of-band security updates to address a remote code execution (RCE) vulnerability—known as PrintNightmare (CVE-2021-34527)—in the Windows Print spooler service. According to the CERT Coordination Center (CERT/CC), “The Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers, which can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system.”
Group-IB created Operation Lyrebird which helps in the identification and apprehension of high profile threat actors. This week Group-IB assisted INTERPOL in the arrest of Dr. HeX, a cybercriminal responsible for multiple attacks against French telecommunications companies, major banks and multinational corporations. Following a two-year investigation, Morroccan police arrested the alleged criminal through data on his cybercrimes provided by Group-IB.
REvil ransomware operators attacked MasMovil, one of the largest Spanish telecommunication providers last week. In addition to encrypting their networks, the group claims to have also stolen sensitive data from the company. The group has shared screenshots of the allegedly stolen documents to it’s leak site and includes a list of folders.
QNAP this week addressed a critical vulnerability in their NSA storage devices. CVE-2021-28809 impacted HBS Hybrid Backup Sync which is QNAP’s disaster recovery and backup solution. The vulnerability allowed attackers to escalate privileges and execute commands remotely.
In a statement released by Kaseya yesterday, the vendor shared further details of the recent cyberattacks against customers using Kaseya VSA on-premise products. According to Kaseya, the ransomware was able to breach the systems of roughly 60 of it’s direct customers, and at least 1,500 downstream victims were impacted through Kaseya remote management tools.
Kaseya says the attack has a “limited impact” with only 50 of their more than 35,000 customers being breached, and of their small business customers 800-1,500 of their approximately 800,000-1,000,000 have been compromised.
CISA and the Federal Bureau of Investigation (FBI) continue to respond to the recent supply-chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple managed service providers (MSPs) and their customers.
Considering the severity of this, and the possibly of it being a supply-chain attack companies may want to consider uninstalling Kaseya agents or powering off machines where they are installed.
CISA has described the recent attacks against the Kaseya VSA platform as a supply-chain attack. In addition to powering off management servers completely, companies may want to power off and thoroughly examine machines where endpoint agents may be installed. Additionally, if using RapidFire products, companies want to consider stop services for them as well.
The U.S. government has stepped in to offer mitigation for a critical remote code execution (RCE) vulnerability in the Windows Print Spooler service that may not have been fully patched by Microsoft's initial effort to fix it.
In contrast with previously observed ransomware threat actors, Babuk’ operators advertise in English on more visible hacking forums. This new ransomware also lacks « kill-switches » that is a common feature usually tailored by the top-tier ransomware ecosystem when detecting languages of the Commonwealth of Independent States (CIS) set as default.
The supposed no-logs VPN service that has encountered a massive data breach putting 69,400 users at risk. Unfortunately, there was no leak from a team member but an actual security breach that a hacker exploited.
"Microsoft warns of a critical .NET Core remote code execution vulnerability in PowerShell 7 caused by how text encoding is performed in .NET 5 and .NET Core. PowerShell provides a command-line shell, a framework, and a scripting language focused on automation for processing PowerShell cmdlets. It runs on all major platforms, including Windows, Linux, and macOS, and it allows working with structured data such as JSON, CSV, and XML, as well as REST APIs and object models".
Spain's 4th largest telecom operator MasMovil Ibercom or MasMovil is the latest victim of the infamous Revil ransomware gang (aka Sodinokibi), "The telecom operator is big in Spain. The Group's fixed network reaches 18 million households with ADSL and closes to 26 million with optical fiber. Its 4G mobile network covers 98,5% of the Spanish population."
The company experienced a ransomware attack on or around September 26, 2020, impacting its business operations. The company reported that they immediately took their systems offline to prevent further intrusion and initiated response protocols, notified law enforcement, launched an investigation with the assistance of third-party cybersecurity and forensic specialists, and implemented its business continuity plans to minimize disruption to its customers.
Google is working on adding an HTTPS-Only Mode to the Chrome web browser to protect users' web traffic from eavesdropping by upgrading all connections to HTTPS. This new feature is now being tested in the Chrome 93 Canary preview releases for Mac, Windows, Linux, Chrome OS, and Android. While no official announcement has been made yet, HTTPS-Only Mode [1, 2] will likely start rolling out on August 31, when Chrome 93 is expected to reach stable status. Google has previously updated Chrome to default to HTTPS for all URLs typed in the address bar if the user specifies no protocol.
Cybersecurity researchers have released a decryption tool that allows Lorenz ransomware victims to decrypt their files for free – and crucially, without the need to pay a ransom demand to cybercriminals.
Two members from the hacking community of Detectify, discovered a vulnerability in the Adobe Experience Manager, Adobe's content management tool used in websites, forms, and mobile apps building.
Researchers have published a write-up and a demo exploits to demonstrate a vulnerability that has been dubbed PrintNightmare. Only to find out they had alerted the world to a new 0-day vulnerability by accident.
A proof-of-concept (PoC) exploit related to a remote code execution vulnerability affecting Windows Print Spooler and patched by Microsoft earlier this month was briefly published online before being taken down.
An international law enforcement operation has seized the servers, data, and customer logs for DoubleVPN, a double-encryption service commonly used by threat actors to evade detection while performing malicious activities, "DoubleVPN was heavily advertised on both Russian and English-speaking underground cybercrime forums as a means to mask the location and identities of ransomware operators and phishing fraudsters (EuroPol, 2021)."
According to a report released by Accenture Security on Tuesday, it appears that Hades Ransomware group has taken further steps in an apparent bid to confuse investigators who have tried to work out who exactly the operators are.
Western Digital had initially reported that the attacks were being conducted through a 2018 vulnerability tracked as CVE-2018-18472, which was not fixed as the device has been out of support since 2015.
Russian state hackers compromised Denmark's central bank (Danmarks Nationalbank) and planted malware that gave them access to the network for more than half a year without being detected
On April 3, 2021, the National College of Ireland (NCI) released a notice that it was hit by a ransomware attack. The college has suspended access to its IT systems and classes, and all planned assessments and induction sessions have been postponed to be rescheduled for a later date.
We reported a few weeks ago that a new strain of the REvil ransomware was modified to infect not only Windows-based systems but also Linux. VMWare's ESXi hosts have actively been targeted attacks, "The REvil ransomware operators are now using a Linux encryptor to encrypt VMWare ESXi virtual machines which enterprises widely adopt,
The cyberattack took place on May 14 and caused significant IT disruptions across the Ireland East Hospital Group, with many patient appointments either being canceled or rescheduled.
The company inadvertently signed a malicious driver that was later distributed within gaming environments in China, "One of the drivers signed by the IT giant, called Netfilter, was a malicious Windows rootkit that was spotted while connecting to a C2 in China".
A recent breach of Mercedes-Benz exposed credit card information, social security numbers, and driver license numbers of approximately 1,000 Mercedes-Benz customers and potential buyers via a cloud storage platform.
The builder for the Babuk Locker ransomware was leaked online this week, allowing easy access to an advanced ransomware strain to any would-be criminal group looking to get into the ransomware scene with little to no development effort.
Attacks against educational sectors and students are steadily increasing. A few weeks ago we reported that the University of Iowa was hit with ransomware, and as a result students were unable to complete their assignments. This week a pro-Palestinian Malaysian hacker group known as "DragonForce" claimed that it hacked into AcadeME last week resulting in a substantial data leak. The details of approximately 280,00 students were compromised including, emails, passwords, first/last names, addresses, phone numbers of students who were registered on AcadeME.
The Cisco ASA vulnerability that we reported on last week is being targeted and successfully leveraged by hackers in attacks. The vulnerability is tracked as CVE-2020-3580 and was patched and disclosed by Cisco. However it seems that the initial patch was incomplete, with a further fix being released in April 2021.
Fortinet Labs reports that there are phishing emails targeting the aviation industry specifically, delivering a remote access trojan, “The infection cycle begins with phishing emails sent to aviation companies that contain malicious links disguised as pdf attachments. The link in the email directs the user to VB Script hosting sites, from which the initial payload (.vbs) is delivered. The .vbs script then drops the second stage payload, an xml file containing inline C# .NET assembly code that acts as a RAT loader. The loader hollows and injects the final payload, AsyncRAT, into the victim process (RegSvcs.exe). AsyncRAT, also known as RevengeRAT, connects to its C2 server, takes control of the compromised machine, and introduces additional payloads.”
According to experts attackers used a malicious driver that was certified by Microsoft to deliver the Netfilter rootkit malware. Rootkits are particularly dangerous pieces of malware because they are able to remain hidden in infected machines, they typically contain various tools capable of stealing passwords, banking information, disabling security controls, and keylogging features.