Summary: The AhnLab Security Intelligence Center (ASEC) has observed a significant increase in the distribution of ACRStealer infostealer malware, often disguised as cracks and keygens for illegal software.

Cisco Talos has been tracking a widespread intrusion campaign targeting major U.S. telecommunications companies, attributed to the sophisticated threat actor Salt Typhoon. Initially reported in late 2024 and later confirmed by the U.S. government, this campaign demonstrates advanced persistence techniques, allowing the attackers to maintain access for over three years in some cases.

A leaker known as ExploitWhispers has released an archive of internal Matrix chat logs from the Black Basta ransomware operation, initially uploaded to MEGA before being removed and later shared on a dedicated Telegram channel. I

In December 2024, 18,000 devices were scanned using an application developed by iVerify, which leverages signature-based detection, heuristic analysis, and machine learning to identify Pegasus artifacts.

In January 2025, Ivanti addressed a stack-based buffer overflow flaw (CVE-2025-0282) in its Ivanti Connect Secure, Ivanti Policy Secure and Ivanti Neurons for ZTA gateways which could enable unauthenticated actors to remotely execute code.

The Darcula phishing-as-a-service (PhaaS) platform is set to launch a new version, Darcula V3, significantly enhancing its capabilities to allow anyone to create highly convincing phishing sites with no technical expertise.

U.S. authorities have released an advisory detailing the activities of Ghost, a financially motivated ransomware group originating from China, which has compromised organizations across more than 70 countries.

Cybercriminals have been observed approaching their targets under the guise of company recruiters in the past, enticing them with fake offers of employment. Cybercriminals exploit the vulnerability of an individual distracted by a potential job offer.

Microsoft recently addressed an elevation-of-privilege vulnerability in its Power Pages platform, which the vendor confirms was exploited as a zero-day in attacks in the wild. Power Pages is a low-code, Software-as-a-Service (SaaS) platform that allows organizations to build, host, and manage business websites with ease.

An unidentified threat actor has been observed targeting European organizations, notably in the healthcare sector, with an undocumented C++ ransomware strain, dubbed NailaoLocker. The campaign, tracked as Green Nailao, was uncovered by Orange Cyberdefense CERT and initiated between June and October last year.

Mustang Panda, a Chinese APT group also tracked as Earth Preta, has been observed abusing Microsoft's Application Virtualization Injector as a LOLBIN to stealthily inject malicious payloads into legitimate Windows processes, evading antivirus detection.

Exploitation attempts against CVE-2025-0108, a critical authentication bypass vulnerability affecting the management web interface of Palo Alto Networks' firewalls, have surged in recent days.

Google Threat Intelligence Group (GTIG) has observed and analyzed a significant uptick in Russian-aligned cyber operations targeting Signal Messenger to compromise accounts belonging to individuals of interest to Russian intelligence services like GRU.

Mustang Panda, a Chinese APT group also tracked as Earth Preta, has been observed abusing Microsoft's Application Virtualization Injector as a LOLBIN to stealthily inject malicious payloads into legitimate Windows processes, evading antivirus detection.

KnownHost recently conducted a study to examine the most commonly used passwords and the likelihood of these passwords being hacked based on the frequency of their appearance in recorded data breaches.

Researchers at Malwr-Analysis have uncovered details of a new campaign that is infecting end users with Arechclient2 (aka sectopRAT), a highly obfuscated .NET-based Remote Access Trojan. SectopRAT is being disguised as a legitimate Google Chrome extension, “Google Docs,” for propagation.

Recently, Proofpoint identified two new actors, TA2726 and TA2727, involved in web-based malware distribution. TA2726 functions as a TDS operator, selling traffic to other threat actors, including TA569 and TA2727.

FortiGuard Labs recently detected a new variant of Snake Keylogger (also known as 404 Keylogger) using FortiSandbox v5.0 (FSAv5), this malware has been responsible for over 280 million blocked infection attempts, with the highest concentrations in China, Turkey, Indonesia, Taiwan, and Spain.

In January 2025, the eSentire Threat Response Unit (TRU) observed the use of a legitimate Adobe executable to sideload the EarthKapre/RedCurl loader. RedCurl APT is a highly sophisticated group known for targeting private-sector organizations with a focus on corporate data theft and persistence.

Researchers at Cyfirma have uncovered details of a new ransomware strain, dubbed Vgod, which specifically targets Windows systems with advanced encryption techniques. Similar to other ransomware families such as LockBit, Vgod employs the AES-256 encryption algorithm to lock files, with RSA-4096 encryption used for key protection.

On January 7, 2024, SonicWall released security updates to address an improper authentication vulnerability in the SSLVPN authentication mechanism, which could allow remote attackers to hijack active SSL VPN sessions without authentication.

Securonix has been tracking a cyberattack campaign being conducted by a North Korea-sponsored threat actor known as Kimsuky (APT43, Emerald Sleet). This ongoing campaign, dubbed DEEP#DRIVE has been targeting South Korean business, government, and cryptocurrency sectors.

Attackers leveraged a PostgreSQL zero-day vulnerability (CVE-2025-1094) in conjunction with two BeyondTrust flaws (CVE-2024-12356 and CVE-2024-12686) and a stolen API key to breach BeyondTrust's network in December 2023. BeyondTrust later revealed that 17 of its Remote Support SaaS instances were affected.

Microsoft Threat Intelligence Center has identified an ongoing and highly effective device code phishing campaign attributed to Storm-2372, a suspected Russian state-affiliated threat actor.

A recent report from Group-IB reveals that RansomHub emerged as the most active ransomware group of 2024, targeting over 600 organizations across various sectors, including healthcare, finance, government, and critical infrastructure. RansomHub initiated operations in early February 2024, shortly after coordinated law enforcement efforts dismantled the infrastructure of the BlackCat and LockBit ransomware groups, both of which were among the most active at the time.

Recorded Future's Insikt Group has uncovered details of a campaign exploiting unpatched internet-facing Cisco network devices, primarily associated with global telecommunications providers and a handful of universities.

Astaroth, a newly emerged phishing tool, is rapidly gaining traction on cybercrime platforms due to its advanced ability to bypass two-factor authentication. First advertised in January 2025, it employs session hijacking and real-time credential interception to compromise accounts on major platforms like Gmail, Yahoo, and Office 365.

Symantec researchers have identified a China-based threat actor, Emperor Dragonfly, leveraging RA World ransomware in a financially motivated attack against an Asian software and services company in late 2024.

According to researchers at Hunt.io, hackers have been exploiting the open-source Pyramid pentesting tool to establish stealthy command-and-control (C2) communications. Pyramid, which was first released on GitHub in 2023, is a Python-based post-exploitation framework that is capable of evading endpoint detection and response tools by leveraging Python's widespread presence in many environments.

Netskope Threat Labs has uncovered details of a widespread phishing campaign aimed at stealing credit card information for financial fraud. The campaign has been ongoing since mid-2024 and exploits search engines to direct victims to PDF documents containing CAPTCHA images that are embedded with phishing links.

Microsoft has recently released research they conducted into a subgroup within the Russian state APT Seashell Blizzard (Sandworm) and the details of their initial access campaign that Microsoft dubbed BadPilot.

North Korean threat actor Kimsuky has been observed employing a new social engineering tactic to trick victims into running malicious PowerShell commands as administrators. The attackers impersonate South Korean government officials, gradually building rapport with targets before sending a spear-phishing email containing a PDF attachment.

The United States, Australia, and the United Kingdom have jointly sanctioned Zservers, a Russia-based bulletproof hosting provider, for facilitating ransomware attacks by supplying critical infrastructure to the LockBit gang.

Ivanti released an advisory detailing multiple vulnerabilities affecting its Connect Secure, Policy Secure, and Secure Access Client products. Some of the flaws allow for RCE and unauthorized data access. The vulnerabilities range from medium to critical severity and impact various versions of Ivanti products.

Although QR codes have transformed digital interactions by providing quick access to websites, services, and adding a layer of security to applications, their ubiquity has made them a prime target for threat actors. In "quishing" attacks, fraudsters use fake QR codes to redirect users to counterfeit websites, enabling them to steal personal data, login credentials, or financial details.

As part of the February Microsoft Patch Tuesday, Microsoft addressed 55 flaws, including 4 zero-day flaws, two of which are actively being exploited in attacks in the wild. Of the 55 flaws, there was 19 elevation of privilege vulnerabilities, 2 security feature bypass vulnerabilities, 22 remote code execution vulnerabilities, 1 information disclosure vulnerability, 9 denial of service vulnerabilities, and 3 spoofing vulnerabilities. 3 flaws have been rated critical in severity, all of which can lead to remote code execution.

The Russian military cyber-espionage group Sandworm (APT44), also tracked as UAC-0113 and Seashell Blizzard, has been actively targeting Windows users in Ukraine using trojanized Microsoft Key Management Service activators and fake Windows updates.

Beginning in early January 2025, eSentire Threat Response Unit observed an increase in the number of incidents involving the NetSupport Remote Access Trojan (RAT). The RAT was originally developed as a remote IT support tool in 1989 and was known as NetSupport Manager but has been weaponized by cybercriminals in recent years.

In 2024, ransomware groups such as Lynx, Akira, and RansomHub refined their techniques, prioritizing agility and speed over high-profile targets. According to the 2025 Cyber Threat Report by Huntress, these groups adopted a quantity-over-quality strategy, executing a larger number of attacks at an accelerated pace.

Four suspected European hackers were recently arrested in Phuket, Thailand, in connection with cyberattacks targeting over 1,000 victims worldwide. Dubbed, “Operation Phobos Aetor,” the arrest was carried out by Thai authorities after an urgent request for international cooperation from Swiss and US law enforcement.

Apple has issued out emergency security updates to address a zero-day vulnerability that it says has been exploited in the wild. Tracked as CVE-2025-24200, the flaw pertains to an authorization issue which could enable a malicious actor to disable the USB Restricted Mode on a locked device as part of a physical cyber attack.

Facebook is the third-most visited website on the internet, following Google and YouTube, which makes attacks abusing the brand have a consequential impact. Check Point researchers have recently discovered a new phishing campaign luring unwitting victims by utilizing Facebook-themed copyright infringement emails to harvest credentials.

A large-scale brute force password attack is currently underway, utilizing nearly 2.8 million IP addresses to target a variety of networking devices, including those from Palo Alto Networks, Ivanti, and SonicWall.

CISA has added a new vulnerability to its KEV catalog, impacting Trimble's Cityworks, a GIS-centric asset management software used by local governments, utilities, and public works organizations, to manage public assets, work orders, permitting, licensing, capital planning, and budgeting.

Microsoft has issued a critical warning about a growing security risk in which developers are unknowingly incorporating publicly disclosed ASP.NET machine keys from online sources, making their applications vulnerable to cyberattacks.

Cybercriminals are leveraging scalable vector graphics files in phishing attacks to evade detection by traditional security tools, according to a recent report from Sophos. SVG files, commonly used for rendering vector-based images, contain Extensible Markup Language (XML)-like instructions that allow for the embedding of interactive elements such as hyperlinks and scripts.

Field Effect thwarted a cyberattack where an threat actor exploited newly discovered vulnerabilities in the SimpleHelp Remote Monitoring and Management (RMM) client to gain unauthorized access to a targeted network.

Linwei Ding, a 38 year old Chinese national and former software engineer at Google, has been been indicted for illegally transferring over 500 confidential AI files from Google to his personal accounts. The stolen data, which includes critical hardware and software designs, was allegedly shared with Chinese companies in the AI sector.

This new activity cluster leverages deceptive LinkedIn job offers and is a part of the North Korea-sponsored Contagious Interview operation, primarily targeting individuals in the cryptocurrency and travel industries, to deploy cross-platform malware capable of compromising Windows, macOS, and Linux systems.

Cybercriminals are increasingly leveraging legitimate HTTP client tools, such as Axios and Node Fetch, to facilitate account takeover attacks on Microsoft 365 environments. According to enterprise security company Proofpoint, these tools, often sourced from public repositories like GitHub, are being repurposed for sophisticated attack techniques, including Adversary-in-the-Middle and brute-force tactics.

A new report from Chainalysis highlights a promising shift in the ransomware landscape from 2023 to 2024: more victims are refusing to pay ransoms. As a result, total ransomware payments dropped by approximately 35%, from $1.25 billion in 2023 to $813.55 million in 2024.

Cisco has disclosed several high-severity vulnerabilities in the Simple Network Management Protocol (SNMP) subsystem of its IOS, IOS XE, and IOS XR software. Tracked as CVE-2025-20169, CVE-2025-20170, and CVE-2025-20171, these flaws could allow authenticated, remote attackers to trigger a Denial of Service (DoS) on affected devices.

Palo Alto Network's Unit 42 has observed a growing number of attacks targeting macOS users with infostealer malware. Infostealer malware is typically designed to exfiltrate sensitive credentials, financial records, and intellectual property, which often leads to data breaches, financial losses and reputational damage.

Cybersecurity researchers at Morphisec Threat Labs have investigated a series of indicators of attacks in a campaign that deploys a new version of ValleyRAT malware. Attacks utilizing this malware are frequently attributed to Silver Fox APT.

Five Eyes cybersecurity agencies (UK, Australia, Canada, New Zealand, and the U.S.) have issued guidance urging network device manufacturers to enhance forensic visibility, helping defenders detect and investigate breaches. Network edge devices—such as firewalls, routers, VPN gateways, OT, and IoT systems—are prime targets for both state-sponsored and financially motivated attackers.

In September 2024, the Trend Micro's Threat Hunting team identified CVE-2025-0411, a zero-day vulnerability in 7-Zip, exploited in a SmokeLoader malware campaign targeting Ukrainian entities.

Apple recently updated its XProtect malware tool to block several variants of the macOS Ferret family—FROSTYFERRET_UI, FRIENDLYFERRET_SECD, and MULTI_FROSTYFERRET_CMDCODES.

The Forcepoint X-Labs research team recently uncovered an AsyncRAT malware campaign that leverages malicious payloads delivered via TryCloudflare quick tunnels and Python packages.

According to Security Scorecard STRIKE researchers, North Korea-nexus Lazarus Group has compromised hundreds of victims in multiple countries in a large-scale data harvesting supply chain attack campaign which is ongoing as of mid-January 2025.

Researchers at Trend Micro have uncovered details of a campaign where actors leveraged a zero-day vulnerability in 7-Zip (CVE-2025-0411), to deploy SmokeLoader malware, a modular loader first identified in 2011. SmokeLoader primarily serves as a downloader for secondary payloads but also has capabilities for credential theft, data exfiltration, establishing backdoors, and using obfuscation and sandbox evasion techniques to evade detection.

While the compromise of user credentials and phishing are popular tactics employed in cyberattacks, the widespread adoption of multi-factor authentication has led adversaries to focus more on exploiting vulnerabilities to gain initial access to organizational networks.

SentinelOne researchers have detailed an active phishing campaign targeting “high-profile” X accounts endeavoring to hijack and exploit them to conduct malicious and fraudulent activity. SentinelOne observed this campaign targeting a variety of individual and organization accounts including U.S. political figures, leading international journalists, an X employee, large technology organizations, cryptocurrency organizations, and owners of valuable, short usernames.

On January 29, 2025, two malicious Python packages, deepseeek and deepseekai, were uploaded to the PyPI repository, masquerading as legitimate client libraries for interacting with the DeepSeek AI API.

Brazilian Windows users are the target of an evolving malware campaign deploying the Coyote Banking Trojan, a sophisticated banking malware designed to steal financial credentials and sensitive information.

Last Friday, Meta-owned WhatsApp, a popular messaging platform, stated it disrupted a spyware campaign back in December 2024, targeting journalists and civil society members. In total, 90 individuals were targeted and possibly compromised in the latest campaign, which WhatsApp asserts with high confidence.

Security researchers at Malwarebytes have uncovered a malvertising campaign targeting Microsoft advertisers with fake Google ads that lead to phishing sites designed to steal login credentials.

The Cybereason Security Team has recently published an analysis of a new attack campaign involving the Phorpiex botnet. In this campaign, the botnet is being used to automatically deploy LockBit Black Ransomware. This differs from previous attacks, which often relied on human interaction from LockBit operators, by making the attacks faster and more difficult to detect via the botnet.

DeepSeek, a Chinese AI company known for its open-source large language models (LLMs), launched its chatbot app in January 2025, quickly becoming the most downloaded free app on the U.S. iOS App Store, surpassing OpenAI's ChatGPT.

Google's Threat Intelligence Group conducted an in-depth analysis of how cyber threat actors interacted with Google's AI assistant, Gemini, to assess AI's role in cybersecurity threats. While AI has revolutionized cybersecurity by enhancing secure coding, vulnerability detection, and operational efficiency, it has also raised concerns about its misuse by cybercriminals and state-sponsored actors.

Europol, in coordination with law enforcement from eight countries, successfully dismantled the world's two largest cybercrime forums, Cracked and Nulled. Together, these platforms boasted over 10 million users and served as hubs for cybercrime discussions and marketplaces for illicit goods, including stolen data, malware, and hacking tools.

A critical unauthenticated Remote Code Execution vulnerability has been discovered in DSL-3788 routers, allowing attackers to remotely gain full control of the targeted device. The flaw impacts firmware versions v1.01R1B036_EU_EN and earlier and was reported by Max Bellia of SECURE NETWORK BVTECH.

A new attack technique dubbed Browser Hijacking was uncovered by security researchers at SquareX that enables a seemingly benign Chrome extension to take over a victim's device. This involves several steps, including Google profile hijacking, and browser hijacking, which eventually lead to device takeover.

POISONPLUG.SHADOW, also known as Shadowpad, is a highly sophisticated malware that leverages a custom obfuscating compiler to evade detection and analysis. Its complex obfuscation techniques make it particularly challenging for security researchers to identify and mitigate.

SecurityScorecard's investigation into Lazarus Group's recent cyber attacks on cryptocurrency entities and software developers uncovered a hidden administrative layer, dubbed Phantom Circuit, used to centrally manage the group's command-and-control infrastructure.

Researchers at SlashNext have uncovered a new SMS phishing tool, dubbed Devil-Traff, which features advanced capabilities like sender ID spoofing and automated messaging, allowing cybercriminals to send thousands of fraudulent messages in a short time.

A new variant of the Mirai-based botnet malware, Aquabotv3, has been observed exploiting a command injection vulnerability (CVE-2024-41710) in Mitel SIP phones.

Lynx ransomware has emerged as a highly structured and sophisticated Ransomware-as-a-Service operation, demonstrating an industrial-scale approach to cybercrime. The group operates through a well-organized affiliate program, providing cybercriminals with access to a centralized panel that facilitates ransomware deployment, victim management, and data leak coordination.

One of the most common methods cybercriminals use involves exploiting open redirects, a vulnerability that allows attackers to manipulate website links to redirect users to malicious destinations without proper validation. Cofense found that multiple .gov domains were primarily used for credential phishing, with some hosting as many as nine different phishing campaigns simultaneously.

Rapid advancements in AI are revealing new possibilities for the way humans work and accelerating innovation in science, technology, and more. AI is at the cusp of revolutionizing security and defense. With capabilities to sift through complex telemetry, secure coding, improve vulnerability discovery, and modernize operations.

In December, 2024, PowerSchool, a K-12 cloud-based software provider serving over 60 million students and 18,000 customers worldwide, experienced a breach where attackers were able to gain unauthorized access to its customer support portal, PowerSource.

CVE-2024-40891 is a critical command injection vulnerability impacting Zyxel CPE Series devices. The vulnerability was initially disclosed by VulnCheck back in August 1, 2024. However, the vulnerability has not been officially published by Zyxel, nor have patches been released.

Cisco Talos researchers have released a new report detailing a surge in the number of email phishing threats leveraging “Hidden Text Salting” techniques which they observed in the second half of 2024. Hidden Text Salting refers to poisoning the HTML source of an email.

Salt Labs researchers have uncovered details of a now-patched account takeover vulnerability affecting a popular online travel service used for booking hotels and car rentals.

Since its inception in March 2023, the Akira has grown to be one of the most prolific ransomware groups out here. Akira operates under a Ransomware-as-a-service model wherein affiliates or other cybercriminals are hired to gain initial access to victim environments and deploy the group's ransomware strain, in exchange for a portion of the ransom paid by victims.

Apple has patched a use-after-free zero-day vulnerability (CVE-2025-24085) in the Core Media component that could enable a malicious application already installed on the device to elevate privileges.

In early January 2025, threat hunters from eSentire detected and analyzed an ongoing threat campaign that utilizes the malware loader, MintsLoader, to deliver secondary payloads that include the StealC information stealer and BOINC, a legitimate open-source network computing platform.

A newly discovered phishing campaign is targeting mobile users with advanced social engineering techniques and malicious PDF files, aiming to compromise sensitive information on a global scale.

Ransomware actors have increasingly targeted VMware ESXi bare-metal hypervisors, exploiting SSH tunneling to establish persistence, move laterally, and deploy ransomware payloads without detection.

Such a sophisticated intrusion was initiated in January 2024 with a user downloading and executing the malicious file named setup_wm.exe, masquerading as the Windows Media Configuration Utility, with an almost legitimate-looking filename and icon.

A malware campaign has specifically targeted low-skilled hackers, or "script kiddies," to steal data and take control of systems. CloudSEK researchers report that a threat actor distributed a trojanized XWorm RAT builder through platforms like GitHub, file hosting sites, Telegram channels, YouTube, and various websites, promoting it as a free tool.

Almost 1000 fake websites, discovered by the Sekoia researcher, “crep1x”, are being distributed by a threat actor to deliver malware that leads to the deployment of Lumma Stealer malware on the victim's machine.

Over the past six months, ransomware activity has escalated significantly, marked by the rise of new groups such as FunkSec, Nitrogen, and Termite, alongside the reappearance of Cl0p and the introduction of LockBit 4.0.

Threat actors are capitalizing on the recent news about Ross Ulbricht, founder of the infamous Silk Road marketplace, to trick users into downloading malware. Using fake, verified accounts on X (formerly Twitter), these actors direct unsuspecting users to Telegram channels masquerading as official portals for Ulbricht.

Cybercriminals have introduced a new malicious AI chatbot named GhostGPT, which is specifically designed to assist in creating malware, developing exploits, and crafting phishing emails. Researchers from Abnormal Security discovered that GhostGPT has been actively marketed and sold through Telegram since late 2024.

The FBI has warned that North Korean IT worker schemes are stealing data to extort their victims as part of efforts to generate revenue for the Democratic People's Republic of Korea (DPRK). The US intelligence agency confirmed it has observed North Korean IT workers engaging in this tactic over recent months.

CYFIRMA's Research and Advisory team uncovered a new ransomware strain while monitoring various underground forums. Dubbed “Nnice,” the strain is designed to target Windows systems and comes with advanced encryption techniques.

Salt Typhoon is identified by the United States Cybersecurity and Infrastructure Security Agency (CISA) as a state-sponsored threat actor that has successfully compromised at least nine telecommunications companies with headquarters in the United States, thus prioritizing government and political figures and very high-profile targets.

Cisco Product Security Incident Response Team (PSIRT) recently released patches for a critical privilege escalation vulnerability in Meeting Management, CVE-2025-20156, and a heap-based buffer overflow flaw, CVE-2025-20128, that can terminate the ClamAV scanning process on endpoints running a Cisco Secure Endpoint Connector.

SonicWall has released patches for a pre-authentication of untrusted data vulnerability impacting its SMA1000 Appliance Management Console and Central Management Console, which in specific conditions could enable remote unauthenticated actors to execute arbitrary OS commands.

Cybersecurity researchers at Specops are delivering a new report regarding a major password-related security issue. According to them, over 1 billion passwords were stolen by malware in 2024.

Cyble Threat Intelligence has discovered thousands of account credentials belonging to some major cybersecurity vendors on the dark web. Cyble researchers shared their findings on January 22nd, 2025, noting they found credentials for at least 14 security providers.

PlushDaemon, a newly identified China-aligned advanced persistent threat (APT) group, has been linked to a supply chain attack targeting a South Korean VPN provider in 2023, as revealed by ESET.

In 2024, 84% of healthcare organizations (HCOs) experienced cyber-attacks or intrusions, with account hijacking and phishing being the most prevalent threats, according to a Netwrix study.

Asif William Rahman, a 34-year-old former CIA analyst from Vienna, admitted to leaking highly classified information to people who didn't have clearance to see it.

The Ukrainian government's Computer Emergency Response Team (CERT-UA) has received several reports of unidentified actors falsely claiming to represent CERT-UA in an attempt to connect to victims' systems via AnyDesk.

On January 13, the Biden administration proposed the "Framework for Artificial Intelligence Diffusion," a landmark rule with far-reaching implications for global AI development. It threads a difficult needle: encouraging U.S. AI technology globally,

Researchers at Sophos have raised concerns about two ransomware groups employing social engineering tactics to gain remote access to corporate machines for data theft and extortion.

Trend Micro uncovered an IoT botnet in late 2024 and has been continuously monitoring its activity as it conducts large-scale distributed denial-of-service (DDoS) attacks. The attack commands sent from its C2 server have mainly targeted Japan, but Trend Micro has observed these attacks targeting various companies in different countries as well.

The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions on two individuals and four entities tied to North Korea's extensive revenue-generation schemes that directly fund its weapons programs.

Cybersecurity researchers have uncovered a sophisticated phishing kit called Sneaky 2FA, specifically engineered to compromise Microsoft 365 accounts by stealing credentials and bypassing two-factor authentication (2FA). First identified in December 2024 by the French cybersecurity firm Sekoia, this adversary-in-the-middle (AitM) phishing kit has been linked to nearly 100 domains, reflecting its growing use among cybercriminals.

Consequently, it was found that GoDaddy, one of the major hosting service providers, had not taken proper security measures to protect the services since 2018. The FTC ordered GoDaddy to increase its security practices.

The Russian threat group Star Blizzard, formerly known as SEABORGIUM, has been linked to a new spear-phishing campaign targeting victims' WhatsApp accounts, marking a shift from its usual tactics to likely avoid detection.

A recently patched vulnerability, CVE-2024-7344 (CVSS 6.7), highlights a critical flaw in the Secure Boot mechanism for UEFI systems, potentially allowing attackers to bypass protections and execute unsigned malicious code during the boot process.

On Wednesday, 27 November 2024, Russian President Putin was on a 2-day state visit in Kazakhstan to discuss with local representatives the implementation of energy projects and to counter Chinese and Western influence. P

The North Korea-nexus APT, Lazarus Group, has been observed conducting a new cyber attack campaign dubbed Operation 99. This campaign targets software developers who are searching for freelance Web3 and cryptocurrency work to ultimately embed malware into the victim's environment.

On January 15, 2025, GuidePoint Security published findings from a Q4 2024 incident response involving a Python-based backdoor used by threat actors to maintain access to compromised systems. This access was leveraged to deploy RansomHub encryptors across the targeted network.

The U.S. Cybersecurity and Infrastructure Security Agency has released a new playbook providing detailed guidance for AI developers, providers, and adopters on how to voluntarily share cybersecurity information with federal agencies, private industry partners, and international stakeholders.

A new malvertising campaign is underway targeting individuals and businesses that use Google Ads for advertising. According to researchers at Malwarebytes, the scheme involves impersonating Google Ads to direct victims to fake login pages in an effort to capture as many advertiser accounts as possible.

As part of the January Microsoft Patch Tuesday, Microsoft addressed 159 flaws, including 8 zero-day flaws, 3 of which are actively being exploited in attacks in the wild.

According to the U.S. Department of Justice (DoJ), thousands of computers in the U.S. have been cleaned of a version of the "PlugX" malware, a sophisticated tool that has been used by Chinese state-sponsored hackers since 2014.

Fortinet revealed a security lag in one of its FortiOS and FortiProxy systems, CVE-2024-55591. Attacks began in November 2024, attacking before the vendor released fixes. Remote attackers can take control of the systems with super admin privileges by sending specially crafted requests to exploit the Node.js websocket module.

The ReliaQuest report stated that in the last quarter of 2024, ransomware had grown excessively, with 2024 showing a record high in victim counts of all months in December.

Cybersecurity researchers have identified infrastructure links between North Korean threat actors behind fraudulent IT worker schemes and a 2016 crowdfunding scam, highlighting Pyongyang's long-standing involvement in illicit financial activities.

The ransomware group Codefinger has been observed exploiting compromised AWS keys to encrypt data stored in Amazon S3 buckets, using AWS's Server-Side Encryption with Customer-Provided Keys, cybersecurity firm Halcyon reports.

CVE-2024-44243 represents a significant vulnerability in macOS that allows attackers to bypass System Integrity Protection (SIP) by exploiting improperly validated third-party kernel extensions. SIP, a security mechanism that restricts root-level access to critical system components, serves as a cornerstone of macOS's security framework.

Threat actors are targeting individuals searching for pirated or cracked software by using YouTube comments and Google search results to distribute infostealing malware like Lumma Stealer, Vidar, MarsStealer, and others.

Cloud security firm Wiz is currently responding to multiple incidents involving the active exploitation of a recently disclosed critical security flaw, CVE-2024-50603 impacting Aviatrix Controller cloud networking platform.

In mid-2024, Huntress identified cyber espionage activity targeting several Canadian organizations, which was attributed to the APT group RedCurl (also known as Earth Kapre or Red Wolf).

A recent investigation has revealed a highly sophisticated credit card skimmer malware targeting WordPress websites. This malware is designed to inject malicious JavaScript into database entries rather than traditional files like themes or plugins, allowing it to avoid detection by common file-scanning tools.

CrowdStrike has issued a warning about a phishing campaign targeting job seekers by impersonating the company. Discovered on January 7, 2025, the campaign involves fake job offer emails from a supposed CrowdStrike recruiter, thanking recipients for applying for a developer position.

Hackers responsible for a December 2024 ransomware attack on RIBridges, Rhode Island's health and benefits system, have released stolen files on the dark web.

he FunkSec ransomware group emerged in late 2024, quickly gaining attention by claiming over 85 victims in December, more than any other ransomware group during that period. Despite their rapid rise, analysis reveals that much of their activity may be overstated.

n December 2024, two critical vulnerabilities in Microsoft's Windows Lightweight Directory Access Protocol (LDAP) were addressed via Microsoft's monthly Patch Tuesday release.

The Banshee infostealer, a sophisticated malware targeting macOS systems, has been leveraging a stolen Apple encryption algorithm to evade detection by antivirus solutions.

UPDATE: Ivanti has issued an urgent warning about a critical zero-day vulnerability, CVE-2025-0282, which attackers exploited to install malware on Ivanti Connect Secure appliances.

Researchers have identified a rise in sophisticated phishing and malspam campaigns employing email spoofing, neglected domains, and social engineering to bypass traditional security measures.

SonicWall released a security bulletin on January 7, 2025, warning customers to upgrade their firewall's SonicOS firmware to patch an authentication bypass vulnerability in SSL VPN and SSH management that SonicWall deemed susceptible to in-the-wild attacks.

Threat actors are actively attempting to exploit CVE-2024-52875, a critical CRLF injection vulnerability in the GFI KerioControl firewall, which can lead to 1-click remote code execution (RCE) attacks.

A Mirai botnet variant has been observed exploiting a newly disclosed security flaw impacting Four-Faith industrial routers since early November 2024 with the intention of conducting DDoS attacks.

Ivanti has issued an urgent warning regarding a critical remote code execution vulnerability, CVE-2025-0282, that is being actively exploited in zero-day attacks targeting Ivanti Connect Secure appliances.

A new phishing technique exploiting PayPal's money request feature has been identified in a recent advisory by Fortinet. This method uses legitimate-looking PayPal payment requests to deceive recipients, making them appear genuine and bypassing traditional email security checks.

Researchers at Cyfirma have discovered a new remote access trojan called NonEuclid, written in C#, which provides attackers with comprehensive control over compromised Windows systems.

The U.S. government has officially launched the U.S. Cyber Trust Mark, a cybersecurity safety label designed for Internet-of-Things (IoT) consumer devices.

In August, 2024 SonicWall addressed a critical improper access control flaw (CVE-2024-40766) in its SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash.

A malicious plugin recently discovered on a Russian cybercrime forum manipulates WordPress sites into phishing pages by creating fake online payment processes that impersonate trusted checkout services. This attack masquerades as a legitimate e-commerce app like Stripe to steal customer payment data and browser metadata.

Telegram disclosed that it fulfilled 900 requests from U.S. law enforcement in 2024, resulting in the sharing of phone numbers or IP addresses of 2,253 users. This represents a sharp increase from prior years, largely attributed to a significant policy shift in September 2024.

Moxa, a provider of industrial networking solutions, has issued an urgent advisory regarding two severe vulnerabilities affecting several models of its cellular routers, secure routers, and network security appliances.

The Salt Typhoon cyber-espionage campaign continues to escalate as Charter Communications, Consolidated Communications, and Windstream have been identified as the latest U.S. telecom companies breached by Chinese state-sponsored hackers, according to a report from The Wall Street Journal.

Kaspersky researchers recently identified a campaign being deployed against ISPs and governmental entities in the Middle East following their investigation into the EAGERBEE backdoor. T

Cybersecurity researchers have uncovered a new and sophisticated malware strain, PLAYFULGHOST, which exhibits a wide array of information-gathering capabilities, including keylogging, screen and audio capture, remote shell access, file transfer, and execution.

During the end-of-year holiday season, a series of distributed denial-of-service attacks severely disrupted operations across several major Japanese organizations, including leading airlines, financial institutions, and telecommunications providers.

ASUS has released security updates to address two high severity flaws impacting several of its router models.

On December 31, 2024, Tenable Nessus vulnerability scanner agents were taken offline due to a buggy differential plugin update that impacted users globally. This issue affected Nessus Agent versions 10.8.0 and 10.8.1 across the Americas, Europe, and Asia. Tenable has since pulled these faulty versions and released Nessus Agent version 10.8.2 to resolve the problem and restore agent functionality.

A new and sophisticated variation of clickjacking attacks, termed DoubleClickjacking, has been identified by cybersecurity expert Paulos Yibelo. This novel technique exploits the timing of double-click mouse actions to deceive users into performing sensitive operations on legitimate websites.

Researchers have discovered a malicious npm package, ethereumvulncontracthandler, masquerading as a library for detecting vulnerabilities in Ethereum smart contracts.

On January 2, 2025, NTT Docomo, Japan's largest mobile operator, experienced a DDoS (Distributed Denial of Service) attack that disrupted several services for nearly 12 hours.

Symantec has uncovered a new ransomware operation, dubbed Nitrogen, which has been notably active over the past four months. This group has targeted a wide range of industries, including construction, financial services, manufacturing, and technology.

Threat actors are actively exploiting a critical remote command injection vulnerability, tracked as CVE-2024-12856, in Four-Faith routers, specifically models F3x24 and F3x36. These devices are commonly deployed in critical sectors such as energy, utilities, transportation, telecommunications, and manufacturing, making the potential impact of exploitation significant. T

A phishing campaign has compromised at least 35 Chrome extensions, including those from cybersecurity firm Cyberhaven, where actors have injected malicious code into compromised extensions to steal user data.

The Lumma Stealer malware has experienced a significant rise in usage, with ESET reporting a 369% increase in detections during the second half of 2024. First discovered in 2022, Lumma has become one of the top ten most-detected infostealers, targeting high-value assets such as two-factor authentication browser extensions, user credentials, and cryptocurrency wallets.

Threat actors are actively exploiting a critical remote command injection vulnerability, tracked as CVE-2024-12856, in Four-Faith routers, specifically models F3x24 and F3x36.

A phishing campaign has compromised at least 35 Chrome extensions, including those from cybersecurity firm Cyberhaven, where actors have injected malicious code into compromised extensions to steal user data. I

December has continued to see targeted spearphish involving compromised mailboxes across Texas and Kentucky, as well as a massive surge in USPS phishing around the holidays.

Cybercriminals are increasingly combining traditional and new tactics to steal sensitive information, using remote access tools (RATs) like AsyncRAT and SectopRAT. Recent trends show attackers exploiting SEO poisoning, typosquatting, and legitimate remote monitoring software to breach systems.

Adobe has released some emergency security updates to address a critical ColdFusion vulnerability with proof-of-concept (PoC) exploit code. The company released an advisory on Monday, December 23, 2024, stating that the flaw, tracked as CVE-2024-53961 is caused by a path traversal weakness that impacts Adobe ColdFusion versions 2023 and 2021 and can enable attackers to read arbitrary files on vulnerable servers.

Security Researchers at IProov, a biometric threat intelligence service, have urged customer-facing businesses to improve their verification checks after they uncovered a large-scale identity data farming operation conducted by an unnamed underground group on the dark web.

The developers of Rspack, a popular high-performance JavaScript bundler written in Rust, have discovered that two of their npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack. This supply chain attack granted the attacker the capability to publish malicious versions of these packages to the official package registry.

A new phishing-as-a-service platform dubbed "FlowerStorm" is quickly gaining traction, stepping in to replace the now-defunct Rockstar2FA cybercrime service. Rockstar2FA, which was first documented by Trustwave in late November 2024, enabled large-scale adversary-in-the-middle (AiTM) attacks targeting Microsoft 365 credentials.

Cybercriminals are taking advantage of a newly discovered Microsoft Office vulnerability to deliver malware and gain access to systems. Researchers have found that attackers are sending out malicious Office documents that exploit the flaw, allowing them to run harmful code without the victim realizing it.

In a detailed report from Picus Security, the Volt Typhoon cyber espionage campaign has been exposed as one of the most advanced and stealthy operations targeting critical infrastructure and government organizations.

In a significant move against cybercrime, the U.S. Department of Justice has charged an Israeli-Russian national for allegedly developing software used by the notorious LockBit ransomware gang.

The LockBit ransomware group is signaling a potential comeback after a challenging period marked by a significant takedown in February 2024. On December 19, LockBitSupp, believed to be an administrator for the group, announced the forthcoming release of "LockBit 4.0," scheduled for February 3, 2025. T

The Lazarus Group, a North Korean state-sponsored threat actor, has been linked to sophisticated cyberattacks targeting employees of a nuclear-related organization in January 2024. These attacks used a complex infection chain culminating in the deployment of a new modular backdoor, CookiePlus.

Threat actors are actively exploiting a recently patched security flaw impacting Fortinet FortiClient EMS in a campaign that installs remote desktop software like AnyDesk and ScreenConnect. The vulnerability is tracked as CVE-2023-48788 (CVSS score: 9.8) and is an SQL injection bug that allows attackers to execute unauthorized code or commands by sending specially crafted data packets.

CISA is advising organizations to promptly patch a critical vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS).

In a report from Security Intelligence, it was found that 2024 saw several high-profile data breaches that highlighted critical vulnerabilities across industries. Among the most notable was a breach in the healthcare sector, where attackers targeted a major hospital network, compromising sensitive patient records, insurance information, and medical histories.

A report from the Canadian Centre for Cyber Security highlights the increasing sophistication of Iranian state-sponsored cyber campaigns, focusing on social engineering and spear-phishing techniques.

Google Calendar, a widely used scheduling tool with over 500 million users in 41 languages, has become a significant target for cybercriminals exploiting its features to conduct phishing campaigns. Researchers at Check Point uncovered an ongoing campaign affecting over 300 brands, with more than 4,000 phishing emails sent in just four weeks.

Recent research by Forescout's Vedere Labs sheds light on the mechanisms driving the rise of malware targeting operational technology and industrial control systems.

Google Calendar, a widely used scheduling tool with over 500 million users in 41 languages, has become a significant target for cybercriminals exploiting its features to conduct phishing campaigns. Researchers at Check Point uncovered an ongoing campaign affecting over 300 brands, with more than 4,000 phishing emails sent in just four weeks.

In a complex threat landscape undergoing constant evolution, targeted phishing campaigns have become more sophisticated due to attackers leveraging new techniques and analyzing the platform-specific behaviors of organizations' defenses they target.

Sublime Security recently reported that it was successfully able to intercept a phishing campaign targeting end users with Xloader malware. The attack begins with the victim receiving an email designed to resemble a legitimate SharePoint file-sharing notification.

The Trend Micro Managed Detection and Response (MDR) team analyzed a recent security incident in which a user was targeted by an attacker posing as an employee of a known client on a Microsoft Teams call to gain remote access to the victim's system.

The rise of generative AI has introduced advanced capabilities but also new security vulnerabilities, including prompt injection attacks. Traditionally, these attacks exploit how AI processes inputs, often requiring permissions for external interactions.

Unit 42 researchers recently investigated a sophisticated phishing campaign targeting European companies, particularly in Germany and the UK, with a focus on the automotive, chemical, and industrial compound manufacturing sectors.

UAC-0099, a cyber-espionage threat actor linked to advanced persistent threats (APTs), has been identified targeting organizations with sophisticated campaigns. According to a recent analysis by SOC Prime, UAC-0099 employs a combination of spear-phishing emails, malicious attachments, and advanced malware to infiltrate targeted networks.

A recent scan conducted by cybersecurity firm Bishop Fox uncovered 430,363 SonicWall publicly exposed firewall appliances. Among these, 25,485 SonicWall SSLVPN devices were found to be vulnerable to critical security flaws, while an additional 94,018 were vulnerable to high-severity issues.

The Securonix Threat Research team has been monitoring a new tax-related phishing campaign where threat actors leveraged MSC files and advanced obfuscation techniques to execute a stealthy backdoor payload. Securonix is tracking this activity as FLUX#CONSOLE and the adversary employs tax-themed social engineering lures.

The Mask, also known as Careto, is a highly sophisticated cyber espionage group that has been active since at least 2007, primarily targeting high-profile organizations such as governments, diplomatic entities, and research institutions.

Earth Koshchei (APT29/Midnight Blizzard) conducted a large-scale rogue RDP campaign in October 2024, targeting governments, military, think tanks, academic researchers, and Ukrainian entities. The group used spear-phishing emails containing malicious RDP configuration files that redirected victims' connections to rogue servers via 193 RDP relays.

Firefighters have issued an urgent warning about the fire hazards associated with lithium-ion battery-powered devices, a popular category of Christmas gifts, including e-bikes, e-scooters, and hoverboards.

On Monday, the FBI released an advisory warning of a new HiatusRAT malware campaign that is actively scanning for and infecting vulnerable Chinese-branded web cameras and DVRs that are exposed online.

Dragos has released its Q3 2024 Industrial Ransomware Analysis, which highlights a continued increase in ransomware attacks targeting industrial sectors, including manufacturing, energy, and transportation.

A high-severity Windows kernel vulnerability, identified as CVE-2024-35250, is currently being exploited in the wild. This flaw, stemming from an untrusted pointer dereference in the Microsoft Kernel Streaming Service (MSKSSRV.SYS), allows local attackers to escalate privileges to SYSTEM level without user interaction.

QiAnXin XLab researchers have uncovered the use of a new PHP backdoor named Glutton they have observed in a global campaign targeting China, the United States, Cambodia, Pakistan, and South Africa. The malicious activity was discovered in April 2024 and Glutton has been attributed to the Chinese nation-state group APT41 (Winnti) with moderate confidence. To the researchers' surprise, some of these Glutton attacks are part of targeted operations against cybercrime systems.

A recent campaign exploiting fake CAPTCHA pages has been identified as a sophisticated method to deliver malware through malvertising networks. Cybercriminals use these fake CAPTCHA pages to lure users into clicking on malicious links or downloading harmful files, under the guise of proving they are not bots.

The Clop ransomware gang has claimed responsibility for a series of recent data-theft attacks targeting Cleo's managed file transfer platforms—Harmony, VLTrader, and LexiCom—leveraging vulnerabilities to breach corporate networks and steal sensitive information.

A recent campaign exploiting fake CAPTCHA pages has been identified as a sophisticated method to deliver malware through malvertising networks. Cybercriminals use these fake CAPTCHA pages to lure users into clicking on malicious links or downloading harmful files, under the guise of proving they are not bots.

Threat actor MUT-1244, tracked by DataDog, has been conducting a widespread and multifaceted campaign targeting a range of individuals, including academics, security researchers, pentesters, red teamers, and even other threat actors. The group's primary goal is to steal sensitive data such as AWS access keys, WordPress credentials, private SSH keys, bash history, and other critical system information.

Corvus Insurance reported a surge in ransomware attacks in November 2024, with 632 victims being listed on ransomware groups' data leak sites. This number is more than double the monthly average of 307 victims and exceeds the previous peak of 528 victims recorded in May 2024.

IOCONTROL is a custom-built IoT/OT malware linked to Iranian state-sponsored threat actors, specifically the CyberAv3ngers group. It targets critical infrastructure in Israel and the United States, including routers, IP cameras, firewalls, PLCs, HMIs, and fuel management systems such as Orpak and Gasboy devices.

Elastic Security has discovered a new Linux rootkit called Pumakit. This rootkit uses stealth and sophisticated privilege escalation techniques to maintain persistence on compromised systems.

Two Russian hacktivist groups, the People's Cyber Army (PCA) and Z-Pentest, have intensified their attacks on critical infrastructure in the U.S. and allied nations.

As the holiday shopping season intensifies, UK consumers are increasingly frustrated by the prevalence of bots that snap up popular items before human shoppers have a chance.

In October, Cleo patched a remote code vulnerability (CVE-2024-50623) in its LexiCom, VLTrader, and Harmony software, which is commonly used to manage file transfers. However on December 3, Huntress identified actors targeting fully patched Cleo software.

EagleMsgSpy is a newly identified Android surveillance tool reportedly employed by Chinese law enforcement agencies to conduct targeted monitoring and tracking of individuals.

Prometheus is a popular monitoring tool used extensively in DevOps and cloud-native environments. However, the default configurations often prioritize accessibility over security, leaving systems vulnerable to exploitation.

AWS Single Sign-On (SSO) access tokens are critical credentials used for authenticating users to AWS resources. If these tokens are exposed or mishandled, they can be exploited by threat actors to assume the identity of legitimate users, bypassing standard authentication mechanisms.

Zscaler's ThreatLabz team has uncovered a new version of ZLoader (2.9.4.0), that features an interactive shell for hands-on keyboard activity and a Domain Name System tunnel for C2 communications.

The Shiny Nemesis Cyber Operation highlights a highly sophisticated campaign targeting misconfigured public websites, predominantly hosted on AWS, to exploit vulnerabilities and gain unauthorized access to sensitive data, credentials, and proprietary resources.

Earlier this year, a large U.S. organization with operations in China experienced a targeted cyberattack attributed to China-based threat actors, likely for intelligence gathering.

Yesterday, Ivanti released a security advisory regarding a new maximum-severity authentication bypass flaw in Ivanti's Cloud Services Appliance (CSA) solution. The critical vulnerability is tracked as CVE-2024-11639 and was reported to Ivanti by CrowdStrike's advanced research team.

As part of the December Patch Tuesday, Microsoft addressed 71 flaws, including a zero-day vulnerability which is actively being exploited in attacks in the wild. Of the 71 flaws, there were 27 elevation of privilege vulnerabilities, 30 remote code execution vulnerabilities, 7 information disclosure vulnerabilities, 5 denial of service vulnerabilities, and 1 spoofing vulnerabilities.

Senator Ron Wyden has introduced a new bill aimed at bolstering the security of U.S. telecommunications infrastructure in the wake of recent hacks by the Salt Typhoon cyber espionage group.

AhnLab Security Intelligence Response Center (ASEC) has released a new blog post uncovering threat actors exploiting a critical Apache ActiveMQ vulnerability, CVE-2023-46604, to deploy Mauri ransomware in attacks most recently against Korean systems.

Huntress researchers have reported active exploitation of a vulnerability (CVE-2024-50623) in Cleo's file transfer software—Harmony, VLTrader, and LexiCom.

A suspected China-linked cyber espionage group targeted major business-to-business IT service providers in Southern Europe as part of a campaign known as Operation Digital Eye, according to a joint report by SentinelOne SentinelLabs and Tinexta Cyber.

A recently uncovered phishing campaign has revealed a new tactic employed by cybercriminals involving fake recruiters targeting unsuspecting victims.

Ukraine's Computer Emergency Response Team (CERT-UA) has issued a warning about a new wave of phishing attacks targeting the country's defense sector, including both defense companies and security forces.

Ukraine's Computer Emergency Response Team (CERT-UA) has issued a warning about a new wave of phishing attacks targeting the country's defense sector, including both defense companies and security forces.

In early October 2024, Rapid7 witnessed a resurgence of activity related to an ongoing social engineering campaign being conducted by Black Basta ransomware operators. This activity was initially reported on by Rapid7 and has been ongoing since at least May 2024.

Mandiant has identified an innovative method to bypass browser isolation technology by leveraging QR codes for command-and-control operations. Browser isolation is a security approach that routes web requests through remote browsers hosted in the cloud, virtual machines, or on-premises environments.

Researchers at Bitsight has identified a malicious botnet called Socks5Systemz, which powers the proxy service PROXY.AM. This malware enables other criminal activities by providing threat actors with anonymous proxy services, leveraging compromised systems as proxy exit nodes.

Generative Artificial Intelligence (AI) has paved the way for criminals to commit fraud at a scale larger than ever before. “Generative AI reduces the time and effort criminals must expend to deceive their targets.

U.S. authorities have arrested 19-year-old Remington Goy Ogletree, a key member of the Scattered Spider cybercrime gang, for breaching a U.S. financial institution and two telecommunications firms.

BlueAlpha, a Russian state-sponsored APT group, has recently refined its malware delivery techniques by abusing Cloudflare Tunnels to distribute its proprietary GammaDrop malware.

Cybersecurity researchers at WatchTowr Labs have released a PoC exploit that chains together a recently patched critical vulnerability impacting Mitel MiCollab, CVE-2024-41713, and an arbitrary file read zero-day vulnerability that requires authentication to exploit.

On December 4, 2024, the ransomware group Brain Cipher publicly claimed responsibility for a breach allegedly targeting Deloitte UK.

According to Citizen Lab, a concerning incident has surfaced where devices confiscated by Russian authorities were returned to their owners with Monokle-type spyware installed. Monokle, a highly advanced spyware tool, is capable of extracting sensitive data such as contact lists, messages, and login credentials, while also intercepting communications and remotely activating device cameras and microphones.

Cado Security Labs recently uncovered a DocuSign spear-phishing campaign targeting tech executives. These campaigns mimic authentic DocuSign communications, luring recipients to input their credentials on fraudulent websites.

Secret Blizzard, a Russian state-sponsored advanced persistent threat group attributed to Center 16 of the FSB, has developed a unique strategy of leveraging tools and infrastructure from other threat actors to enhance its espionage operations.

According to Symantec, they found evidence that a large US organization with a quote-unquote significant presence in China was targeted by China-nexus threat actors earlier this year and was subjected to a four-month-long intrusion where persistence was established on the organization's network seemingly for intelligence gathering purposes.

The manufacturing industry is increasingly targeted by cybercriminals leveraging sophisticated malware campaigns involving Lumma Stealer and Amadey Bot. This attack campaign primarily exploits phishing emails with malicious attachments to infiltrate organizational systems.

The Chinese cyber-espionage group known as Salt Typhoon has significantly broadened its activities, targeting U.S. telecommunications networks with a strategy that extends beyond previously understood objectives.

Microsoft has warned that a recent premature patch could cause issues with the "Recall" feature in Windows, potentially rendering it unable to function properly. The bug, which emerged after the update was rolled out, could lead to a loss of essential data recall functions, disrupting workflows for many users.

Mikhail Matveev, known in the cybercriminal world by the aliases "Wazawaka" and "Boriselcin," has been a prominent figure in several ransomware groups responsible for extorting hundreds of millions of dollars from various sectors, including healthcare, education, government agencies, and private enterprises.

Researchers have disclosed a PoC exploit for CVE-2024-8785, a critical remote code execution vulnerability in Progress WhatsUp Gold, a widely used enterprise network monitoring tool.

Researchers at Trend Micro have observed a significant evolution in the behavior of the Gafgyt malware, which has expanded its targeting scope from vulnerable IoT devices to misconfigured Docker Remote API servers.

A known threat actor in the Malware-as-a-Service business, Venom Spider, has expanded the capabilities of their MaaS platform with a new backdoor and loader malware.

SmokeLoader, which has been around since 2011, is a malware loader that's still being actively used by cybercriminals. Recently, it's been found exploiting outdated vulnerabilities in Microsoft Office documents, particularly old DOC and XLS files.

Researchers at the South Korean cybersecurity company Genians have uncovered a series of email phishing attacks originating from Russian sender addresses that they link to the North Korea-aligned APT, Kimsuky. According to Genians researchers, the phishing emails were delivered through email services in Japan and Korea up until early September.

The Social Design Agency, recently accused by the US government of operating the "Doppelgänger" malign influence campaign, is now running a parallel effort called "Operation Undercut."

Cybersecurity researchers have uncovered malicious email campaigns using a sophisticated phishing-as-a-service toolkit called Rockstar 2FA, designed to steal Microsoft 365 account credentials.

Researchers have disclosed significant vulnerabilities in Palo Alto Networks GlobalProtect and SonicWall SMA100 NetExtender VPN clients for Windows, macOS, and Linux, which could enable attackers to execute remote code and gain elevated access.

A newly uncovered malware campaign, Horns&Hooves, primarily targets private users, retailers, and service businesses in Russia to deploy NetSupport RAT and BurnsRAT.

In September 2024, Fortinet researchers observed a sophisticated phishing attack that utilized SmokeLoader malware to target organizations in Taiwan. SmokeLoader is notorious for conducting attacks against manufacturing, healthcare, information technology, and other critical sectors.

On November 21, 2024, a ransomware attack on Blue Yonder, an Arizona-based supply chain management and cloud services provider, disrupted operations for major clients, including Starbucks, U.K. grocery chain Sainsbury, and potentially Ford.

APT-C-60, the moniker assigned to a South Korea-aligned cyber espionage group, has been linked to a cyber attack targeting an unnamed organization in Japan.

CISA has received recent evidence of threat actors actively exploiting an RCE vulnerability in some SSL VPN products from Array Networks. The products affected are Array Networks AG and vxAG ArrayOS.

Trend Micro has uncovered a new spear-phishing campaign targeting individuals as well as organizations in Japan since at least June 2024.

CyberVolk, also referred to as Gloriamist, is a pro-Russian hacktivist group that emerged in May 2024 and quickly evolved from conducting distributed denial-of-service attacks and website defacements to launching ransomware campaigns.

83% of Organizations Reported Insider Attacks in 2024

The Russia-aligned threat actor RomCom has been linked to the exploitation of two critical zero-day vulnerabilities, one in Mozilla Firefox (CVE-2024-9680, CVSS 9.8) and the other in Microsoft Windows (CVE-2024-49039, CVSS 8.8), as part of a sophisticated campaign to deliver their eponymous backdoor malware.

Google has uncovered a sophisticated pro-China influence network operated by four public relations firms, collectively tracked as "GlassBridge." Active since at least 2022, this network has leveraged deceptive online tactics to spread Chinese state narratives to international audiences.

Surefire Cyber has identified SafePay as a rising ransomware operator, demonstrating advanced capabilities in infiltrating networks and encrypting data. The group is known for targeting organizations across multiple industries and operates with remarkable speed and stealth.

In November, we observed an increase in spear phishing attempts clicked by our user base using discreet redirect tactics. However, this report will focus on a rise in social media phishing, specifically aimed at Instagram accounts.

In November, we observed an increase in spear phishing attempts clicked by our user base using discreet redirect tactics. However, this report will focus on a rise in social media phishing, specifically aimed at Instagram accounts. Here are some examples and highlights.

Trellix researchers have discovered a new threat campaign that leverages the Bring Your Own Vulnerable Driver (BYOVD) technique to disarm security protections and perform operations on the infected system.

Two malicious Python packages, "gptplus" and "claudeai-eng," posed as tools for API integration with popular AI chatbots like OpenAI's GPT-4 Turbo and Anthropic's Claude, but instead delivered a newly documented infostealer called "JarkaStealer."

Russian state-sponsored hackers APT28 (also known as Fancy Bear, Forest Blizzard, and Sofacy) executed a sophisticated breach of a U.S. company's enterprise WiFi network, leveraging an innovative technique termed the "nearest neighbor attack."

A phishing campaign targeting telecommunications and financial sectors was identified in October 2024 by EclecticIQ analysts. The attackers utilized Google Docs to deliver phishing links, which redirected victims to fake login pages hosted on Weebly, a trusted website builder.

ESET researchers have identified multiple samples of a new Linux-based malware backdoor named WolfsBane, attributed to the Gelsemium group with high confidence by ESET. This malware acts as a Linux counterpart to the previously identified Gelsevirine, showing the group's growing interest in cross-platform capabilities.

Email attacks are intensifying in the manufacturing sector, with phishing and business email compromise attacks surging as cybercriminals exploit the industry's low tolerance for downtime.

A helpline service established to assist victims of Yakuza-related crimes has come under scrutiny following reports of a potential data breach.

According to Bitdefender, 77% of Black Friday-themed spam emails in 2024 have been identified as scams, highlighting a 7% rise in the proportion of spam emails identified as scams compared to Black Friday 2023, and a 21% increase compared to 2022.

The US and Australian governments have issued a joint advisory warning critical infrastructure organizations about evolving tactics used by the BianLian ransomware group, a Russia-linked cybercriminal organization.

Lumma Stealer is a sophisticated and fast-spreading information-stealing malware, primarily distributed through Telegram channels disguised as cracked software.

While creating an automatic credential validation system for Fortinet VPN, Pentera says it uncovered a bug that actors can exploit to potentially compromise the security of dozens of organizations. Initially, to automate the validation of credentials, Pentera attempted to use clients like OpenConnect to establish a connection, but this approach proved unreliable.

Security researchers at SentinelOne have provided a new analysis of components of the broader DPRK fake IT worker scheme. This scheme involves the Democratic People's Republic of Korea (DPRK) impersonating U.S.-based software and technology consulting businesses in order to further their financial objectives.

Apple recently released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have come under active exploitation according to Clément Lecigne and Benoît Sevens of Google's Threat Analysis Group (TAG) who discovered the flaws.

Earth Kasha, a cyber threat group tracked by Trend Micro, has been active since 2019, leveraging the LODEINFO malware to target organizations in Japan.

The NSOCKS botnet, underpinned by the ngioweb malware, has emerged as a major player in the cybercrime ecosystem, driving criminal proxy services like VN5Socks and Shopsocks5.

CrowdStrike has identified a previously unknown Chinese cyber espionage group, Liminal Panda, which has been active since at least 2020 and is believed to be behind cyber intrusions targeting telecom providers.

According to Semperis' new report, 2024 Ransomware Holiday Risk, ransomware gangs often strike when defenses are the weakest. Semperis conducted a global study of 900 IT and security professionals.

Helldown, a ransomware strain derived from the leaked LockBit 3.0 codebase, has been expanding its operations, with researchers recently identifying a Linux variant. This development indicates the group's growing focus on targeting virtualized infrastructures, such as VMware. First documented in August 2024, Helldown has been described as an aggressive ransomware group targeting sectors like IT services, telecommunications, manufacturing, and healthcare.

Proofpoint has observed a significant rise in the use of the ClickFix social engineering technique, a deceptive method that tricks users into executing malicious PowerShell commands. Initially linked to campaigns by TA571 and the ClearFake threat cluster, the technique has now become a favorite across multiple financially motivated and espionage-focused threat actors.

In July 2024, the operational technology (OT)-centric malware FrostyGoop/BUSTLEBERM became publicly known, after attackers used it to disrupt energy infrastructure for over 600 apartment buildings, leaving people without heat for 2 days in Lviv in April 2024 due to an ICS attack on a municipal energy company.

Between November 13 and 14, 2023, researchers at Cyberint observed a significant increase in activity from the Akira ransomware group, which listed over 30 victims on its data leak site.

Today, as part of National Critical Infrastructure Security and Resilience Month, the National Counterintelligence and Security Center (NCSC) and the Cybersecurity and Infrastructure Security Agency (CISA) released new guidance to help detect and mitigate efforts by foreign intelligence entities to harm or disrupt U.S. critical infrastructure.

According to a blog post by Istvan Marton from Wordfence, over 4 million WordPress sites are exposed to a critical authentication bypass vulnerability in the Really Simple Security plugin for WordPress that can be leveraged to grant an unauthenticated adversary remote administrative access to vulnerable sites.

Palo Alto Networks is aware of active exploitation attempts in the wild leveraging an authentication bypass vulnerability impacting its PAN-OS firewall management interface.

In a recent analysis by Palo Alto Networks' Unit 42, a North Korean hacker group identified as CL-STA-0237 has been connected to a series of phishing attacks using the BeaverTail malware.

Over 1 million domains have been identified as potentially vulnerable to "Sitting Ducks" attacks, a cyber threat that exploits DNS misconfigurations, particularly lame delegation. This misconfiguration occurs when domains mistakenly point to incorrect authoritative name servers, allowing attackers to hijack domains.

Cisco Talos uncovered a new information-stealing campaign orchestrated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia. The campaign leverages a novel Python-based malware dubbed PXA Stealer, designed to exfiltrate sensitive data from victims' systems.

SentinelOne's recent report, The State of Cloud Ransomware in 2024, highlights an increasing trend in ransomware actors exploiting cloud services to directly compromise their victims or exfiltrate sensitive data.

Modern communications networks, particularly those driven by 5G technology, are increasingly relying on Artificial Intelligence (AI) to boost performance, improve reliability, and ensure security. As these networks evolve, AI plays an essential role in real-time data processing, predictive maintenance, and optimizing traffic management.

Global Navigation Satellite Systems (GNSS), which include the U.S. GPS, Russian GLONASS, European Galileo, Chinese BeiDou, Indian NavIC, and Japanese Quazi-Zenith, serve as critical infrastructure providing essential positioning, navigation, and timing (PNT) services for a wide array of industries such as telecommunications, agriculture, finance, banking, transportation, and mobile communications.

On November 14, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation of two critical vulnerabilities in Palo Alto Networks' Expedition firewall configuration migration tool: CVE-2024-9463 and CVE-2024-9465. These vulnerabilities, with CVSS scores of 9.9 and 9.3 respectively, pose significant risks to affected systems.

On Tuesday, Microsoft released a security patch for a NTLM hash disclosure spoofing vulnerability (CVE-2024-43451) that could exploited to steal a user's NTLMv2 hash. The vulnerability requires minimal user interaction and is exploited by generating a malicious URL file that can be activated through seemingly harmless actions.

The Hamas-affiliated threat group WIRTE, part of the Gaza Cyber Gang, has escalated its cyber operations, moving from espionage to destructive attacks aimed at Israeli entities. According to Check Point, this shift reflects WIRTE's use of recent geopolitical events, specifically the Israel-Hamas conflict, to craft targeted cyber campaigns.

In November 2024, IBM X-Force observed an ongoing Hive0145 campaign targeting Europe, specifically Spain, Germany, and Ukraine using Strela Stealer malware, a credential-theft tool delivered through highly tailored phishing emails. These emails, posing as legitimate invoice notifications, utilize previously compromised email credentials to blend seamlessly into legitimate email traffic.

CISA and the FBI released a joint statement on November 13, 2024, confirming that PRC-affiliated threat actors have compromised the "private communications" of a "limited number" of government officials after breaching multiple U.S. broadband providers in a broad and significant cyber espionage campaign.

SlashNext researchers recently uncovered a new phishing tool called GoIssue, which allows threat actors to extract email addresses from GitHub profiles and send bulk emails to users. Advertised on cybercriminal forums, GoIssue is priced at $700 for a custom build or $3,000 for full source code access.

Iranian threat actor TA455, affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), has been conducting a sophisticated cyber espionage campaign that mirrors North Korea's “Dream Job” tactic.

Romanian cybersecurity company Bitdefender has developed a free decryptor for ShrinkLocker ransomware victims, offering a way to recover data encrypted by the malware. This decryptor was created after Bitdefender analyzed ShrinkLocker's mechanisms and identified a recovery opportunity right after the removal of BitLocker protectors.

Perception Point researchers published a blog post on November 11, 2024, regarding an observed dramatic increase in two-step phishing attacks targeting hundreds of organizations by leveraging Microsoft Visio's .vsdx files. By weaponizing .vsdx files rarely used in phishing attacks, the adversary exploits user trust in the reputation of Microsoft and concurrently adds a new layer of deception designed to evade detection.

According to a recent report by Group-IB, the Lazarus APT group has started attempting to smuggle code utilizing custom extended attributes, which are metadata associated with files and folders in various file systems. Extended attributes allow users to store additional information beyond standard metadata like file size, timestamps, and permissions.

The US government's Consumer Financial Protection Bureau (CFPB) has advised employees to avoid using cellphones for work after China-linked APT group Salt Typhoon breached major telecom providers. The CFPB, established in 2011 to protect consumers in the financial sector and promote fair, transparent markets, issued a directive urging employees to limit phone use and rely on Microsoft Teams and Cisco WebEx for meetings involving nonpublic data.

Researchers at WatchTowr have disclosed new vulnerabilities in Citrix Virtual Apps and Desktops, particularly affecting the Session Recording component, which administrators use to monitor and record user sessions. These security flaws could potentially allow unauthenticated remote code execution, presenting a serious threat to affected systems.

Ymir, a relatively new ransomware family, has been observed by researchers at Kaspersky encrypting systems that were previously compromised by RustyStealer, an infostealer malware first documented in 2021. Ymir ransomware initiated operations in July 2024 and is known for its in-memory execution, use of PDF files as ransom notes, and extension configuration options.

North Korean-linked threat actors have started embedding malware in applications built using Flutter, a cross-platform development framework, specifically to target Apple macOS devices—a first for this adversary.

AndroxGh0st, a Python-based cloud attack tool that's known for its targeting of Laravel applications with the goal of sensitive data pertaining to services like Amazon Web Services, is being utilized in a campaign exploiting a larger set of security flaws only impacting internet-facing applications.

Cybersecurity firm Malwarebytes is warning of hackers using stolen session cookies to bypass multi-factor authentication (MFA) and take over email accounts. “When you log in and the server has verified your authentication—straight away or after using MFA–the server creates a session and generates a unique session ID.

Fortinet's FortiGuard Labs recently identified a phishing campaign delivering a new Remcos RAT variant through a malicious Excel document attached to a phishing email. The attack starts with a convincing email that includes the Excel file, disguised as an order form to lure the recipient into opening it.

CosmicBeetle, also known as NoName, is a ransomware-as-a-service (RaaS) operation that has been active since 2020. This group is known for exploiting known vulnerabilities, such as EternalBlue (CVE-2017-0144), and the Zerologon vulnerability (CVE-2020-1472) to infiltrate systems.

In November 2023, a security vendor discovered that North Korean threat actors were using the Contagious Interview and WageMole campaigns to procure remote employment opportunities in Western countries, thus evading the financial sanctions against North Korea (DPRK).

On October 31, 2024, telematics provider Microlise disclosed it suffered from a cyberattack that disrupted tracking services for clients like DHL, a global logistics and shipping company, and Serco, a company that manages the transport of prisoners for the Ministry of Justice in the United Kingdom.

Since July 2024, the "CopyRightadamantys" phishing campaign has been exploiting copyright infringement themes to trick victims into downloading a new version of the Rhadamanthys information stealer. Tracked by cybersecurity firm Check Point, this large-scale operation spans the U.S., Europe, East Asia, and South America.

Cybersecurity experts recently uncovered a malicious package on PyPI, "fabrice," which has been secretly stealing AWS credentials from developers since its launch in March 2021.

SentinelLabs has identified a new multi-stage malware campaign, named "Hidden Risk", attributed to the North Korean state-backed threat actor BlueNoroff, which targets businesses in the cryptocurrency industry.

Cleafy's Threat Intelligence team witnessed a significant spike in malicious activity utilizing a new Android malware sample in late October 2024. Initially classified as TgToxic malware, this malware sample was further analyzed and although it has similar bot commands with TgToxic, the code differs greatly in that many TgToxic capabilities are absent and some commands act as placeholders for unimplemented modules, leading Cleafy to classify this malware as a new family called ToxicPanda.

The GoZone ransomware, a new strain identified by SonicWall researchers, targets victims with a relatively low ransom demand of $1,000 in Bitcoin for file decryption. Written in Go, it employs Chacha20 and RSA algorithms to encrypt files, appending a ".d3prU" extension to signal compromise.

Summary: On Tuesday, Interpol announced the takedown of more than 22,000 malicious IP addresses or servers linked to cyber threats, as part of a coordinated operation involving private sector partners and law enforcement agencies from 95 INTERPOL member countries.

ClickFix is a new social engineering tactic that uses deceptive error messages to prompt users into executing malicious code, allowing attackers to infiltrate their devices.

In the first half of 2024, ransomware activity continued to surge, with 75 active ransomware groups and 2,260 organizations falling victim—marking a 24.5% increase compared to H1 2023. LockBit's resurgence in May, following Operation CRONOS, was a significant contributor to this spike.

As part of the November Security updates, Google addressed a total of 51 vulnerabilities, two of which are actively being exploited in attacks in the wild.

Canadian authorities have detained Alexander "Connor" Moucka in connection with an extensive data breach campaign that compromised sensitive information from hundreds of millions of individuals.

Pakistan's APT36 threat group has been observed by Check Point Research utilizing a new and improved ElizaRAT malware in a growing number of successful attacks against Indian government agencies and military entities in the past year.

Researchers at Securonix recently uncovered a sophisticated phishing campaign where attackers trick Windows users into launching a custom Linux virtual machine (VM) with a pre-configured backdoor.

“In 2023, organizations were hit hard by cyberattacks, many of which exposed serious weaknesses in security practices. One of the biggest issues was how patching and vulnerability management was handled. I

LastPass, a popular password manager software, is currently facing an ongoing phishing campaign targeting its users. Cybercriminals are writing fake reviews on the Chrome Web Store for the LastPass extension, promoting a fraudulent customer support phone number: 805-206-2892.

Cybersecurity firm Rapid7 recently shed light on a Microsoft SharePoint remote code execution vulnerability (CVE-2024-38094) which is actively being exploited in attacks in the wild to gain initial access to corporate networks.

Cybercriminals have adopted a sophisticated approach by exploiting DocuSign's API capabilities to send convincing fake invoices that appear to come from reputable companies like Norton Antivirus.

The Interlock ransomware, a relatively new threat that emerged in late September 2024, has been targeting organizations worldwide with a distinctive tactic: it uses an encryptor specifically designed for FreeBSD servers.

The Passion group, which has established connections with notorious hacktivist collectives such as Killnet and Anonymous Russia, has recently emerged as a significant player in the cyber threat landscape by offering DDoS-as-a-Service specifically tailored for pro-Russian hacktivists.

Cisco Talos has identified an ongoing phishing campaign targeting Facebook business and advertising account users in Taiwan since at least July 2024. The campaign leverages social engineering tactics to deceive victims into downloading and executing malware.

The landscape of autonomous systems, particularly in the realms of drones and robotics, has undergone transformative advancements in recent years. These technologies have enhanced operational efficiency and capability across a multitude of sectors, ranging from agriculture and logistics to national defense and emergency response.

U.S. and Israeli cybersecurity agencies have recently linked the Iranian cyber group Emennet Pasargad, now operating under the alias Aria Sepehr Ayandehsazan, to sophisticated cyber operations targeting the 2024 Summer Olympics.

Microsoft has shed light on a botnet dubbed CovertNetwork-1658, aka xlogin and Quad7 (7777), which has enabled Chinese threat actors to steal credentials in highly evasive password spray attacks.

Researchers recently disclosed the Xiū gǒu phishing kit, which has been operational since at least September 2024 in campaigns targeting Australia, Japan, Spain, the U.K., and the U.S. Xiū gǒu is a sophisticated phishing toolkit responsible for over 2,000 phishing websites aimed at various industries, including government, postal services, digital services, and banking.

Trend Micro researchers identified a complex attack exploiting the Atlassian Confluence vulnerability CVE-2023-22527, allowing attackers to achieve remote code execution (RCE) to install cryptomining software on compromised systems using the Titan Network.

QNAP recently published security updates to address two critical zero-day flaws impacting its network-attached storage (NAS) devices, which were exploited by security researchers during the Pwn2Own hacking contest in Ireland last week.

French internet service provider Free has publicly disclosed a significant cyber attack that has compromised certain personal information of its customers. As the second-largest ISP in France, with over 22.9 million mobile and fixed subscribers, Free plays a crucial role in the country's telecommunications landscape.

Strela Stealer, a malware originally identified by the German cybersecurity organization DCSO in late 2022, is an information stealer primarily designed to exfiltrate email account credentials from email clients like Microsoft Outlook.

A critical Remote Code Execution vulnerability in CyberPanel exposed over 22,000 instances online, leading to a large-scale PSAUX ransomware attack that took most affected servers offline. This vulnerability affects CyberPanel versions 2.3.6 and likely 2.3.7 and includes three significant flaws: defective authentication, command injection, and a security filter bypass.

The North Korean APT group Andariel, linked to the Reconnaissance General Bureau, was found to be associated with the Play ransomware operation, likely acting as an affiliate or initial access broker. In May 2024,

Yesterday, the FBI issued an advisory warning about scammers exploiting the 2024 US General election to scam individuals across the United States. The agency has identified four different schemes employed by these fraudsters.

This is a sophisticated campaign with a large scope and it utilizes the commonly used Facebook software as an avenue for initial access. The TA has the infrastructure to impersonate ads for essentially any commonly used software. This malware has the capability to evade AV detection. The possibility of legitimate business accounts being utilized to propagate the malware further, highlights the severity of the threat.

The "EmeraldWhale" campaign, a large-scale malicious operation, has reportedly scanned for exposed Git configuration files, compromising over 15,000 cloud account credentials across thousands of private repositories.

Cybersecurity experts at Proofpoint have reported a concerning rise in online job scams targeting financially vulnerable individuals, especially those seeking remote or flexible work.

Russian threat group UNC5812 has launched a complex espionage and influence campaign targeting Ukrainian military recruits, deploying malware for both Windows and Android devices.

The Canadian Centre for Cyber Security (Cyber Centre) recently stated that a sophisticated Chinese state-sponsored threat actor has performed reconnaissance scanning against numerous domains in Canada.

Evasive Panda, a China-aligned APT group, has been observed utilizing a post-compromise toolset named CloudScout to target government and religious institutions in Taiwan between 2022 and 2023.

Several vulnerabilities have been identified in the Realtek SD card reader driver, RtsPer[.]sys, impacting a broad range of laptops from major brands.

Researchers at ReliaQuest have uncovered a new social engineering technique employed by Black Basta ransomware actors to gain an initial foothold into victim environments. Previously, these actors would overwhelm users with email spam, prompting recipients to create a legitimate help-desk ticket to resolve the issue. From here, Black Basta operators would then contact the end user, posing as the help desk to respond to the ticket. I

The notorious cryptojacking group TeamTNT is gearing up for a large-scale attack campaign targeting cloud-native environments. This new effort focuses on exploiting exposed Docker daemons to deploy the Sliver malware, cryptominers, and a cyber worm. TeamTNT uses compromised Docker servers and Docker Hub as their infrastructure to spread the malware.

Fog and Akira ransomware groups are actively exploiting a critical vulnerability, CVE-2024-40766, in SonicWall SSL VPNs to gain unauthorized access to corporate networks. This flaw, found in SonicOS, affects access controls within SSL VPNs, allowing attackers to bypass security and compromise networks remotely.

A recent surge in phishing activity has been identified by Netskope Threat Labs, with a 10-fold increase in traffic directed towards phishing pages built using Webflow. These campaigns target a range of information, including login credentials for various crypto wallets (Coinbase, MetaMask, Phantom, Trezor, Bitbuy), company webmail platforms, and even Microsoft365 credentials.

The Dutch National Police, in coordination with the FBI and other international agencies, have dismantled the network infrastructure supporting the Redline and Meta infostealer malware operations in an effort known as "Operation Magnus." This disruption serves as a direct warning to cybercriminals that their data is now in the hands of law enforcement.

LinkedIn, Microsoft's professional social network, serves as a vital hub for job recruiters and seekers. Unfortunately, it's also becoming a fertile ground for cybercriminals targeting unsuspecting users. Like other social platforms, LinkedIn is rife with bots that respond to specific keywords or hashtags such as "I was laid off" or "#opentowork."

In June 2024, Aqua Security discovered a security vulnerability in the AWS Cloud Development Kit (CDK), an open-source tool for building cloud infrastructure. This vulnerability could potentially allow attackers to gain administrative access to a target AWS account, allowing account hijacking for executing malicious code.

Amazon recently seized domains used by APT 29, a Russian state-backed actor, in a mass email phishing campaign targeting government agencies, enterprises, and militaries. The campaign which was initially identified and disclosed by Ukraine's Computer Emergency Team (CERT-UA),

LinkedIn, Microsoft's professional social network, serves as a vital hub for job recruiters and seekers. Unfortunately, it's also becoming a fertile ground for cybercriminals targeting unsuspecting users. Like other social platforms, LinkedIn is rife with bots that respond to specific keywords or hashtags such as "I was laid off" or "#opentowork."

UnitedHealth has confirmed that over 100 million individuals had their personal and healthcare data stolen in the Change Healthcare ransomware attack, marking it as the largest healthcare data breach in recent years. CEO Andrew Witty previously warned that "maybe a third" of all Americans' health data was compromised.

A newly enhanced version of the Qilin (Agenda) ransomware, dubbed 'Qilin.B,' has been detected in cyberattacks, showcasing stronger encryption techniques, improved evasion from security tools, and sophisticated methods to disrupt data recovery processes.

Summary: A new vulnerability in Fortinet's FortiManager, known as "FortiJump" and tracked as CVE-2024-47575, has been actively exploited in zero-day attacks since June 2024. The flaw has affected over 50 servers and was first revealed in a report by Mandiant.

Cisco has released security updates to address an actively exploited flaw impacting the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. Tracked as CVE-2024-20481, a successful exploitation could enable an unauthenticated, remote attacker to cause a denial of service of the RAVPN service.

In October 2024, a significant cybersecurity event involving a manufacturing firm was analyzed by ReliaQuest. The investigation attributed the breach to a group called "Scattered Spider," a collective of English-speaking cybercriminals connected to the ransomware organization "RansomHub."

In June 2024, ESET researchers identified a new ransomware group, Embargo, utilizing a Rust-based toolkit for its operations. The toolkit consists of MDeployer, a loader, and MS4Killer, an EDR killer. Both tools are designed to facilitate the deployment and execution of the Embargo ransomware.

A new blog post by Cisco Talos shed light on the activities of Akira ransomware, noting that the group is actively creating new variants of its encryptor and refining its TTPs to adapt to shifts in the threat landscape. In 2023 Akira typically employed a double-extortion tactic where victim data was exfiltrated before encryption.

Cisco Talos recently uncovered a phishing campaign leveraging the open-source Gophish toolkit, executed by an unknown threat actor. The campaign utilizes modular infection chains, either via malicious documents (Maldoc) or HTML files containing JavaScript, which lead to the deployment of two Remote Access Trojans (RATs): PowerRAT, a newly identified PowerShell-based RAT, and DCRAT, a widely recognized malware.

Cybercriminals have compromised a third-party provider linked to Verizon's Push-to-Talk systems, a service used by government agencies, first responders, and enterprises for secure internal communication. This breach, advertised on a Russian-language cybercrime forum, does not impact Verizon's core consumer network but reveals significant vulnerabilities in telecoms' security practices.

A high-severity vulnerability (CVE-2024-38094) impacting Microsoft SharePoint has been identified following the release of a public PoC and subsequently added to CISA's Known Exploited Vulnerabilities (KEV) catalog. This deserialization vulnerability allows an authenticated attacker with Site Owner permissions to inject and execute arbitrary code on the SharePoint server.

In a report from ANY.RUN, DarkComet is highlighted as a highly versatile and dangerous Remote Access Trojan (RAT) that has been a persistent threat since its creation by Jean-Pierre Lesueur in 2008.

ForcePoint has observed an increase in the use of Latrodectus malware by cybercriminals in attacks targeting the financial, automotive, and healthcare sectors. For its part, Latrodectus is a malware downloader that has been around since October 2023. The strain is believed to be developed by LunarSpider, a threat actor who developed the notorious IceID trojan, which has been used by dozens of malware families for distribution purposes.

Two Russian pro-hacker groups, NoName057 and the Russian Cyber Army Team, launched coordinated DDoS attacks against Japanese logistics, shipbuilding companies, and government agencies starting on October 14, 2024.

Attackers are exploiting exposed Docker Remote API servers to deploy the perfctl malware, utilizing a structured attack flow that begins with probing the vulnerable server and ends with payload execution and persistence. The attack starts with the attacker identifying an exposed Docker Remote API server through a ping request. Once the server is located, the attacker creates a Docker container using the ubuntu image.

On Monday, October 21, 2024, the Biden administration officially announced new proposed rules related to a February executive order designed to prevent foreign adversaries such as China and Russia from exploiting easily obtained American financial, biometric, precise geolocation, health, genomic, and other data to carry out future cyberattacks or continue to spy on Americans.

Threat groups are exploiting a critical vulnerability (CVE-2024-40711) in Veeam Backup and Replication software for ransomware attacks, according to researchers and federal authorities. This vulnerability, with a CVSS score of 9.8, was disclosed by Veeam in a security bulletin on September 4.

VMware has released a new security update for CVE-2024-38812, a critical remote code execution (RCE) vulnerability in VMware vCenter Server that wasn't fully addressed by the initial patch in September 2024. The flaw, with a CVSS score of 9.8, stems from a heap overflow issue in the DCE/RPC protocol, affecting vCenter Server and related products like vSphere and Cloud Foundation. It can be exploited without user interaction through specially crafted network packets.

APT41 (also known as Brass Typhoon, Earth Baku, Wicked Panda, or Winnti) launched a sophisticated cyberattack on the gambling and gaming industry. Over a span of six to nine months, the attackers gathered sensitive information such as network configurations, passwords, and data from the LSASS process.

The Bumblebee malware loader appears to have resurfaced after being disrupted by Europol's Operation Endgame in May 2024. A new infection chain deploying Bumblebee has been detected by Netskope Threat Labs, marking its first reappearance since the Europol-led takedown.

Last Friday, ESET announced on X (formerly known as Twitter) that it is aware of a security incident that affected its partner company in Israel. Notably, a phishing campaign initiating on October 8th was observed, where emails branded with ESET's logo were sent from eset[.]co[.]il, a legitimate domain that is operated by ESET's Israel distributor, Comsecure.

In a recent cyberattack, the North Korea-backed advanced persistent threat (APT) group known as APT37 exploited a zero-day vulnerability in Microsoft's Internet Explorer (IE) web browser to launch a zero-click supply chain campaign targeting South Korean entities.

Microsoft has urged all macOS users to update their systems due to a vulnerability (CVE-2024-44133, CVSS 5.5) patched in the September macOS Sequoia updates. The flaw may be exploited by the Adloader macOS malware family. It targets Apple's Transparency, Consent, and Control (TCC) protections, potentially allowing unauthorized access to a device's camera, microphone, and location.

Researchers at Sekoia have shed light on a new social engineering tactic called ClickFix, which involves displaying fake error messages in web browsers to trick users into copying and executing malicious PowerShell code to infect targeted systems. In the last couple of months, ClickFix has been used to distribute Windows and macOS infostealers, botnets, and remote access tools.

Microsoft has identified a vulnerability in macOS, named "HM Surf," that enables attackers to bypass the system's Transparency, Consent, and Control technology, which is responsible for managing user permissions for accessing sensitive data. This flaw, tracked as CVE-2024-44133, allows attackers to gain unauthorized access to user data, including browsing history, camera, microphone, and location.

Group-IB researchers successfully infiltrated the Cicada3301 ransomware-as-a-service group, uncovering significant details about its operations and affiliate panel. Cicada3301, which started recruiting affiliates in June 2024, has targeted approximately 30 victims, primarily in the U.S. and U.K.

The pentester encountered a session fixation vulnerability in a PHP web application, but knew it might not be taken seriously on its own. To demonstrate its severity, they combined it with an existing XSS vulnerability and a lesser-known technique called the Cookie Jar Overflow Attack. This combination allowed them to show how an attacker could bypass security measures and hijack user sessions.

In December, a new ransomware group targeting Russian businesses and government agencies was identified, dubbed “Crypt Ghouls.” Investigation revealed connections to other cybercriminal groups through shared tactics, tools, and infrastructure. The group employs a variety of utilities, including Mimikatz and LockBit 3.0 for ransomware attacks, utilizing compromised contractor credentials to gain access via VPN.